LATEST THREAT INTELLIGENCE.

Evasive Panda APT poisons DNS requests to deliver MgBot

Description: The Evasive Panda APT group conducted highly targeted campaigns from November 2022 to November 2024, employing adversary-in-the-middle attacks and DNS poisoning techniques. They developed a new loader that evades detection and uses hybrid encryption for victim-specific implants. The group utilized fake updaters for popular applications to deliver malware, including a multi-stage shellcode execution process. A secondary loader, disguised as a legitimate Windows library, was used to achieve stealthier loading. The attackers employed a custom hybrid encryption method combining DPAPI and RC5 to secure payloads. Victims were detected in Türkiye, China, and India, with some systems compromised for over a year. The campaign showcases the group's advanced capabilities and continuous improvement of tactics.

Created at: 2025-12-24T13:36:09.131000

Updated at: 2026-01-23T13:01:21.086000

Analyzing React2Shell Threat Actors

Description: This report analyzes the exploitation of CVE-2025-55182, known as React2Shell, a critical vulnerability in React Server Components. It examines various attack payloads, including credential harvesters, reverse shells, and botnet loaders. The analysis reveals rapid weaponization of the vulnerability, with attackers employing sophisticated techniques like fileless downloaders, raw TCP stagers, and creative use of framework errors. The report also highlights the top 10 exploited CVEs for December, with React2Shell quickly rising to the second most targeted vulnerability. Key indicators of compromise and recommended mitigation strategies are provided to help organizations defend against these threats.

Created at: 2026-01-17T13:17:08.090000

Updated at: 2026-01-23T11:54:00.907000

Tracking the VS Code Tasks Infection Vector

Description: The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in their arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign exploits VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.

Created at: 2026-01-23T10:13:28.154000

Updated at: 2026-01-23T10:46:59.277000

Restless Spirit: New Attacks on Russian Companies

Description: PhantomCore, a hacking group targeting Russian and Belarusian companies since 2022, launched a new wave of malicious email campaigns on January 19 and 21, 2026. The attacks targeted various sectors including utilities, finance, urban infrastructure, aerospace, consumer digital services, chemical industry, construction, consumer goods manufacturing, and e-commerce. The campaign used phishing emails with malicious attachments, leveraging compromised legitimate email addresses. The malware operates in multiple stages, including downloading decoy documents, executing PowerShell scripts, and establishing persistence through scheduled tasks. The second stage malware, similar to previously known PhantomCore.PollDL, communicates with command and control servers to receive and execute commands.

Created at: 2026-01-23T10:12:00.002000

Updated at: 2026-01-23T10:39:48.716000

ShadowRelay: New Modular Backdoor in the Public Sector

Description: A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server in a government organization. The backdoor allows loading different plugins and demonstrates sophisticated design indicative of well-prepared attackers. It uses packet injection to hide network activity and can spy covertly in protected network segments by communicating through infected machines. The backdoor can inject itself into other processes and uses plugins to load additional functionality, allowing it to evade detection. These capabilities suggest the attackers aim for long-term covert presence and espionage, typical of state-sponsored APT groups. The backdoor was found alongside tools from other known threat actors, complicating attribution.

Created at: 2026-01-23T10:10:12.656000

Updated at: 2026-01-23T10:39:48.241000

Osiris: New Ransomware, Experienced Attackers?

Description: A new ransomware called Osiris was used in an attack on a major food service franchisee operator in Southeast Asia in November 2025. The ransomware shares similarities with previous Inc ransomware attacks, including the use of Wasabi buckets for data exfiltration and a specific version of Mimikatz. Osiris has typical ransomware functions, uses a hybrid encryption scheme, and drops a ransom note. The attack chain involved data exfiltration using Rclone, deployment of dual-use tools, and the use of a malicious driver called Abyssworker or Poortry. The attackers employed bring-your-own-vulnerable-driver (BYOVD) techniques to disable security software. While the impact of Osiris on the ransomware landscape remains uncertain, it appears to be wielded by experienced attackers with potential links to Inc ransomware or its affiliates.

Created at: 2026-01-23T10:08:47.995000

Updated at: 2026-01-23T10:17:31.481000

I scan, you scan, we all scan for... knowledge?

Description: This intelligence report emphasizes the importance of understanding one's own network environment and not ignoring reconnaissance events in cybersecurity. It highlights the increasing sophistication of bad actors in reconnaissance, both in network scanning and social engineering, aided by AI tools. The report warns against dismissing reconnaissance alerts in favor of focusing solely on attack signals, stressing that initial access brokers excel at understanding target environments. Recent vulnerability discoveries in various software applications are mentioned, along with key security headlines including phishing campaigns, ransomware attacks, and nation-state hacking activities. The report also provides information on prevalent malware files and upcoming security events.

Created at: 2026-01-23T00:03:21.835000

Updated at: 2026-01-23T09:49:28.452000

December 2025 Security Issues in Korean & Global Financial Sector

Description: This comprehensive analysis covers cyber threats and security issues in the financial industry, both in Korea and globally. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. Key issues on the deep and dark web are highlighted, including a major database leak from Indonesia's largest bank, exposing sensitive financial data of approximately 3 million customers. A ransomware attack on a leading African financial services company by INC Ransom group is also detailed, with 100GB of data reportedly stolen. The report emphasizes the potential for widespread damage and chain attacks, urging proactive measures among financial institutions and related companies.

Created at: 2026-01-22T13:15:09.293000

Updated at: 2026-01-22T20:35:51.123000

KONNI Adopts AI to Generate PowerShell Backdoors

Description: A North Korea-linked threat actor known as KONNI has been observed conducting a phishing campaign targeting software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of countries in the APAC region. The infection chain begins with a Discord-hosted link downloading a ZIP archive containing a PDF lure and a malicious LNK file. The LNK file deploys additional components, including the AI-generated PowerShell backdoor. The backdoor employs various anti-analysis techniques and establishes persistence through scheduled tasks. This campaign demonstrates KONNI's evolution in tactics and tooling, including the adoption of AI-assisted malware development.

Created at: 2026-01-22T18:22:30.740000

Updated at: 2026-01-22T20:33:32.653000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-01-22T17:10:17.434000