LATEST THREAT INTELLIGENCE.
Sandworm behind cyberattack on Poland's power grid in late 2025
Description: In late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.
Created at: 2026-01-23T22:47:09.688000
Updated at: 2026-01-23T22:57:59.767000
Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware
Description: A compromised EmEditor installer was used in a software supply chain attack to deliver multistage malware. The attack, discovered in late December 2025, targeted users of this widely-used text editor. The malware performs credential theft, data exfiltration, and enables lateral movement. It uses obfuscated PowerShell scripts and geofencing techniques, suggesting possible Russian origin. The malware disables security features, gathers system information, and exfiltrates data to a command-and-control server. This incident highlights the importance of validating installer integrity, monitoring PowerShell usage, preserving endpoint telemetry, and enforcing least privilege principles. Software publishers are advised to secure download infrastructure and prepare incident response plans.
Created at: 2026-01-23T11:47:40.016000
Updated at: 2026-01-23T22:53:38.943000
Silver Fox Targeting India Using Tax Themed Phishing Lures
Description: A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.
Created at: 2025-12-24T21:10:40.201000
Updated at: 2026-01-23T21:04:49.672000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-23T19:24:46.943000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-01-23T19:23:21.174000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-01-23T19:23:17.771000
December 2025 Security Issues in Korean & Global Financial Sector
Description: This comprehensive analysis covers cyber threats and security issues in the financial industry, both in Korea and globally. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. Key issues on the deep and dark web are highlighted, including a major database leak from Indonesia's largest bank, exposing sensitive financial data of approximately 3 million customers. A ransomware attack on a leading African financial services company by INC Ransom group is also detailed, with 100GB of data reportedly stolen. The report emphasizes the potential for widespread damage and chain attacks, urging proactive measures among financial institutions and related companies.
Created at: 2026-01-22T13:15:09.293000
Updated at: 2026-01-23T14:29:05.781000
Evasive Panda APT poisons DNS requests to deliver MgBot
Description: The Evasive Panda APT group conducted highly-targeted campaigns from November 2022 to November 2024, employing adversary-in-the-middle attacks and DNS poisoning techniques. They developed a new loader that evades detection and uses hybrid encryption for victim-specific implants. The group utilized fake updaters for popular applications to deliver malware, including a multi-stage shellcode execution process. A secondary loader, disguised as a legitimate Windows library, was used to achieve stealthier loading. The attackers employed a custom hybrid encryption method combining DPAPI and RC5 to secure payloads. Victims were detected in Türkiye, China, and India, with some systems compromised for over a year. The campaign showcases the group's advanced capabilities and continuous improvement of tactics.
Created at: 2025-12-24T13:36:09.131000
Updated at: 2026-01-23T13:01:21.086000
Analyzing React2Shell Threat Actors
Description: This report analyzes the exploitation of CVE-2025-55182, known as React2Shell, a critical vulnerability in React Server Components. It examines various attack payloads, including credential harvesters, reverse shells, and botnet loaders. The analysis reveals rapid weaponization of the vulnerability, with attackers employing sophisticated techniques like fileless downloaders, raw TCP stagers, and creative use of framework errors. The report also highlights the top 10 exploited CVEs for December, with React2Shell quickly rising to the second most targeted vulnerability. Key indicators of compromise and recommended mitigation strategies are provided to help organizations defend against these threats.
Created at: 2026-01-17T13:17:08.090000
Updated at: 2026-01-23T11:54:00.907000
Tracking the VS Code Tasks Infection Vector
Description: The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in their arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign exploits VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.
Created at: 2026-01-23T10:13:28.154000
Updated at: 2026-01-23T10:46:59.277000
