LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-11-05T11:03:33.269000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with fast-flux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2025-11-05T11:02:27.323000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-11-05T11:02:25.955000
CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE
Description: The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVEit and Fortra GoAnywhere exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.
Created at: 2025-11-05T09:38:31.645000
Updated at: 2025-11-05T09:39:49.493000
Evasion and Persistence via Hidden Hyper-V Virtual Machines
Description: This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. The attackers exploited Hyper-V virtualization on compromised Windows 10 machines to create hidden remote operating environments. They deployed a minimalistic Alpine Linux-based virtual machine hosting custom malware for reverse shell and proxy operations. This approach effectively bypassed traditional host-based EDR detections. The threat actor also demonstrated persistence through PowerShell scripts, Kerberos ticket manipulation, and local account creation. International collaboration with the Georgian CERT aided in analyzing the command and control infrastructure.
Created at: 2025-11-05T09:27:48.763000
Updated at: 2025-11-05T09:30:44.973000
Update on Attacks by Threat Group APT-C-60
Description: APT-C-60 continues to target Japan and East Asia with spear-phishing attacks impersonating job seekers. The attack flow has evolved, now directly attaching malicious VHDX files to emails. The malware, including Downloader1, Downloader2, and SpyGlace, has been updated with new features and communication methods. SpyGlace versions 3.1.12, 3.1.13, and 3.1.14 were observed, with changes in Mutex values and execution paths. The attackers use GitHub for payload distribution and employ sophisticated encoding and encryption techniques. The campaign abuses legitimate services and maintains consistent behavioral patterns despite infrastructure changes.
Created at: 2025-11-05T08:16:16.697000
Updated at: 2025-11-05T08:50:46.168000
Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia
Description: APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware in open directories. Over 50 malicious domains were uncovered across various platforms, with Pakistan accounting for 40% of the identified domains. The campaign utilizes maritime and port-themed lures to target government and military entities. SideWinder's infrastructure overlaps with legacy C2 assets, indicating recycling across multiple years. The group maintains a high operational tempo, with new phishing domains emerging every 3-5 days.
Created at: 2025-10-06T08:11:00.647000
Updated at: 2025-11-05T08:00:35.320000
WARMCOOKIE One Year Later: New Features and Fresh Insights
Description: The WARMCOOKIE backdoor continues to evolve, with ongoing updates and new infections observed. Recent developments include new handlers for executing various file types, a string bank for defense evasion, and code optimizations. A campaign ID field has been added, providing context for operators. Infrastructure analysis reveals a default SSL certificate potentially used for WARMCOOKIE back-ends. Despite disruption attempts, the backdoor remains active in malvertising and spam campaigns. The malware's selective usage and continuous updates suggest its persistence as a threat, highlighting the need for enhanced organizational protection measures.
Created at: 2025-10-06T08:03:28.659000
Updated at: 2025-11-05T08:00:35.320000
Oracle Security Alert Advisory - CVE-2025-61882
Description: A critical security vulnerability (CVE-2025-61882) has been identified in Oracle E-Business Suite versions 12.2.3-12.2.14. This flaw is remotely exploitable without authentication, potentially leading to remote code execution. The vulnerability affects the BI Publisher Integration component of Oracle Concurrent Processing and has a CVSS v3.1 base score of 9.8. Oracle strongly advises customers to apply the provided security updates promptly. Indicators of compromise include suspicious IP addresses, specific command patterns, and file hashes. The alert also emphasizes the importance of staying on actively-supported versions and applying all security patches without delay.
Created at: 2025-10-06T07:59:14.062000
Updated at: 2025-11-05T07:02:18.726000
Massive IPTV Piracy Network Uncovered
Description: A large-scale Internet Protocol Television (IPTV) piracy network has been discovered, spanning over 1,000 domains and 10,000 IP addresses. Two companies, XuiOne and Tiyansoft, were identified as profiting from hosting pirated content. The network affects more than 20 major brands, including Prime Video, Disney Plus, and Netflix. The piracy operation generates billions of dollars annually and poses risks to users, including financial fraud and malware infections. The investigation revealed connections to the Stalker Portal project and uncovered various domains and IP addresses associated with the network. The research highlights the growing problem of digital piracy and its impact on the media industry.
Created at: 2025-09-05T17:17:10.026000
Updated at: 2025-11-04T15:15:13.897000
