LATEST THREAT INTELLIGENCE.
Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
Description: Check Point Research uncovered an ongoing campaign by the Silver Fox APT group that abused a previously unknown vulnerable driver to evade endpoint protection. The attackers loaded a Microsoft-signed WatchDog Antimalware driver and used it to terminate protected security processes on fully updated Windows systems (a bring-your-own-vulnerable-driver, BYOVD, technique), shipping two drivers so that the attack worked across Windows versions. After disclosure the vendor released a patched driver, but the attackers quickly adapted, modifying the driver so that it no longer matched existing blocklist entries while its signature remained valid. The campaign delivered ValleyRAT as the final payload, showing both the sophistication of the evasion tradecraft and the growing trend of weaponizing signed-but-vulnerable drivers to bypass security controls.
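Why a small modification can dodge a blocklist without breaking the signature: Authenticode does not hash every byte of a PE file. The CheckSum field, the Security data directory entry and the attribute certificate table itself are excluded from the hash the signature covers, so a change confined to those regions alters the file's whole-file SHA-256 but not its Authenticode hash. The Python below is an added illustration, not Check Point's code, and the page does not say which bytes Silver Fox changed or which blocklist was involved; it builds a constructed, non-loadable minimal PE32+ image with a placeholder certificate table, implements the hashing procedure from Microsoft's PE Authenticode specification, and shows that flipping a byte inside the certificate table leaves the Authenticode hash unchanged while the file hash changes, whereas flipping a byte in a signed header field changes both.

```python
import hashlib
import struct

# Authenticode hashes the PE image but skips three regions: the CheckSum
# field (optional header offset 64), the Security data directory entry
# (index 4: optional header offset 128 for PE32, 144 for PE32+) and the
# attribute certificate table that the directory entry points at.
CHECKSUM_OFF = 64
SECDIR_OFF = {0x10B: 128, 0x20B: 144}


def build_min_pe(cert_body: bytes, file_align: int = 0x200) -> bytes:
    """Constructed fixture: a minimal PE32+ image with no sections and an
    appended WIN_CERTIFICATE. It is not loadable and is not a real driver;
    it only reproduces the header layout that Authenticode hashing uses."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 112 + 16 * 8                                      # PE32+ fields + 16 dirs
    size_of_headers = -(-(0x40 + 4 + 20 + opt_size) // file_align) * file_align
    trailer = b"\xCC" * 0x100                                    # signed bytes between
    cert_off = size_of_headers + len(trailer)                    #   headers and cert table
    win_cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    win_cert += b"\0" * (-len(win_cert) % 8)                     # table is 8-byte aligned

    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, 0, 0)
    opt += struct.pack("<QII", 0x140000000, 0x1000, file_align)
    opt += struct.pack("<6H", 6, 0, 0, 0, 6, 0)
    opt += struct.pack("<IIII", 0, 0x1000, size_of_headers, 0)  # ..., CheckSum = 0
    opt += struct.pack("<HH", 1, 0)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[4] = (cert_off, len(win_cert))                          # Security directory
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    assert len(opt) == opt_size
    hdr = dos + b"PE\0\0" + coff + opt
    return hdr + b"\0" * (size_of_headers - len(hdr)) + trailer + win_cert


def cert_table_range(pe: bytes) -> tuple:
    """(file offset, size) of the attribute certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    return struct.unpack_from("<II", pe, opt + SECDIR_OFF[magic])


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode does (Microsoft's PE Authenticode
    specification): headers minus CheckSum and the Security directory entry,
    then section data in PointerToRawData order, then any trailing data up
    to, but excluding, the certificate table at the end of the file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    checksum = opt + CHECKSUM_OFF
    secdir = opt + SECDIR_OFF[magic]
    cert_size = struct.unpack_from("<II", pe, secdir)[1]

    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:secdir])
    h.update(pe[secdir + 8:size_of_headers])
    hashed = size_of_headers
    sections = []
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    h.update(pe[hashed:len(pe) - cert_size])          # extra data, cert table excluded
    return h.hexdigest()


def flip_byte(pe: bytes, offset: int) -> bytes:
    return pe[:offset] + bytes([pe[offset] ^ 0xFF]) + pe[offset + 1:]


def demo() -> dict:
    # Constructed stand-in for the PKCS#7 SignedData blob; a real one carries
    # the signer chain, the signed hash and unauthenticated attributes.
    pe = build_min_pe(b"PKCS7-PLACEHOLDER" + b"\x30" * 64)
    cert_off, _ = cert_table_range(pe)
    in_cert = flip_byte(pe, cert_off + 8 + 40)        # inside the unsigned cert table
    in_header = flip_byte(pe, 0x40 + 4 + 4)           # COFF TimeDateStamp, signed region
    return {
        "file_hash_changed": hashlib.sha256(pe).digest() != hashlib.sha256(in_cert).digest(),
        "auth_hash_same": authenticode_hash(pe) == authenticode_hash(in_cert),
        "auth_hash_changed_in_header": authenticode_hash(pe) != authenticode_hash(in_header),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for detection engineers: a driver blocklist or hunt rule keyed only on the whole-file SHA-256 is defeated by any edit in the unhashed regions, so key driver rules on the Authenticode hash (the form WDAC hash rules use) or on signer plus file attributes, and treat a signed driver whose file hash has changed but whose Authenticode hash has not as a signal in its own right. Whether a given Windows verifier accepts a particular modification is outside the scope of this example.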
Created at: 2025-08-28T13:26:31.396000
Updated at: 2025-09-17T06:17:59.086000
AI-Driven Deepfake Military ID Fraud Campaign
Description: The Kimsuky APT group has launched a spear-phishing campaign that uses AI-generated deepfake military ID cards to target South Korean defense institutions. The lure impersonates the military employee ID issuance process, and the fake ID images were generated with ChatGPT. The malware uses obfuscated batch files and AutoIt scripts to evade detection and connects to command and control servers to fetch further payloads. The campaign shows state-sponsored actors adopting AI tooling for cyber espionage. Analysis links it to earlier Kimsuky operations against unification researchers and government agencies, underlining the persistence of the threat.
Created at: 2025-09-15T08:00:48.951000
Updated at: 2025-09-16T17:27:43.359000
AppSuite, OneStart & ManualFinder: The Nexus of Deception
Description: This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that the programs are likely built by the same threat actor. OneStart, now a Chromium-based browser, evolved from earlier versions that ran malicious JavaScript with node.exe. The actors behind these programs have been active for years, distributing malware disguised as utilities such as games, recipe finders, and manual finders. The report highlights how readily these actors reshape their software into new forms to evade detection.
Created at: 2025-09-16T14:42:09.789000
Updated at: 2025-09-16T17:01:12.637000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, combining AI-driven heuristics for anomaly detection, behavioral analysis of malicious activity, and intelligence cross-referenced against endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level of being malicious. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-09-16T16:34:30.853000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, combining AI-driven heuristics for anomaly detection, behavioral analysis of malicious activity, and intelligence cross-referenced against endpoint telemetry and external sources. The IOCs in this pulse are associated with infostealer malware, which harvests sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level of being malicious. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-09-16T16:33:49.920000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, combining AI-driven heuristics for anomaly detection, behavioral analysis of malicious activity, and intelligence cross-referenced against endpoint telemetry and external sources. The IOCs in this pulse are associated with command and control (C2) infrastructure used for malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level of being malicious. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2025-09-16T16:33:48.852000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, combining AI-driven heuristics for anomaly detection, behavioral analysis of malicious activity, and intelligence cross-referenced against endpoint telemetry and external sources. The IOCs in this pulse are associated with phishing campaigns aimed at credential theft and fraudulent access to resources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level of being malicious. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2025-09-16T16:33:39.587000
FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography
Description: A sophisticated FileFix attack campaign has been discovered, marking the first observed use of the technique beyond proof-of-concept. The attack relies on a multilingual phishing site mimicking a Facebook security page and uses steganography to hide malicious code inside images, delivered through a multistage chain with layered obfuscation and evasion. The final payload is the StealC infostealer, which targets a range of applications and credential stores. The campaign evolved rapidly over two weeks and appears to target victims in multiple countries. It represents a significant step up in the sophistication of *Fix-style (ClickFix/FileFix) attacks, combining FileFix with advanced tradecraft to maximize both evasion and impact.
Created at: 2025-09-16T14:29:35.721000
Updated at: 2025-09-16T14:31:43.779000
August 2025 Infostealer Trend Report
Description: This analysis examines infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze the malware and feed a real-time IOC service. Infostealers, often disguised as software cracks, are distributed through SEO poisoning; notable families include LummaC2, ACRStealer, and Rhadamanthys. Distribution pages moved from personal blogs to legitimate websites, sidestepping search-engine restrictions. The malware is delivered mainly as EXE files (89.7%) or via DLL side-loading (10.3%). Two notable trends emerged: mass distribution via the Slack Marketplace, and ACRStealer's domain-masquerading technique, which now imitates security vendors' domains to evade detection.
Created at: 2025-09-16T13:40:14.461000
Updated at: 2025-09-16T14:24:07.749000
August 2025 APT Attack Trends Report
Description: In August 2025, APT attacks in South Korea relied mainly on spear phishing, with LNK files the most common delivery method. Two attack types were observed: Type A used compressed CAB files containing malicious scripts for information exfiltration and download of additional malware, while Type B deployed RATs such as XenoRAT and RoKRAT that communicate via the Dropbox API or Google Drive. The attacks targeted various sectors and used social engineering and decoy documents to appear credible. The malware performed keylogging, took screenshots, and executed commands on the threat actor's instruction. The report highlights the continuous evolution of APT tactics and the need for vigilance against targeted phishing campaigns.
Created at: 2025-09-16T13:40:47.715000
Updated at: 2025-09-16T14:21:49.786000