LATEST THREAT INTELLIGENCE.
New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2
Description: Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like Telegram and Discord as command-and-control servers. The group employs various programming languages including Go, Rust, C/C#/C++, and Python to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.
Created at: 2025-11-28T08:31:24.854000
Updated at: 2025-12-28T08:01:08.411000
Dragons in Thunder
Description: This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, attacking around 110 Russian companies across various sectors. Both groups utilized recent vulnerabilities, with QuietCrabs acting within hours of exploit publications. The report highlights the groups' tactics, tools, and targeted industries, emphasizing the need for robust cybersecurity measures to counter such sophisticated attacks.
Created at: 2025-11-28T07:33:13.437000
Updated at: 2025-12-28T08:01:08.411000
The Mystery OAST Host Behind a Regionally Focused Exploit Operation
Description: A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional focus. The operation involves roughly 1,400 exploit attempts spanning more than 200 CVEs. The attacker uses a private OAST domain, detectors-testing.com, which has been active for at least a year. The infrastructure is hosted on US-based Google Cloud, providing practical benefits for the attacker. The actor demonstrates willingness to modify common exploit components, as evidenced by a custom Fastjson payload. This sustained scanning effort suggests a more structured operation than typical exploit spraying.
Created at: 2025-11-28T02:45:43.478000
Updated at: 2025-12-28T08:01:08.411000
Analysis of the Lumma infostealer
Description: The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including ransomware and network breaches. The malware is distributed through phishing sites, disguised as pirated software, and uses complex techniques like NSIS packaging, AutoIt scripts, and process hollowing to evade detection. To combat this threat, organizations should implement behavior-based detection systems and integrate threat intelligence into their security strategies.
Created at: 2025-11-27T18:43:56.824000
Updated at: 2025-12-27T18:01:22.463000
ShadowV2 Casts a Shadow Over IoT Devices
Description: A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses an XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.
Created at: 2025-11-27T07:37:54.726000
Updated at: 2025-12-27T08:05:27.053000
How NTLM is being abused in 2025 cyberattacks
Description: NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451, CVE-2025-24054, and CVE-2025-33073 have been actively exploited in various campaigns. Attacks involve hash leakage, coercion-based techniques, credential forwarding, and man-in-the-middle approaches. Threat groups like BlindEagle and Head Mare have leveraged these vulnerabilities to distribute malware and target specific regions. To mitigate risks, organizations are advised to disable or limit NTLM usage, implement message signing, enable Extended Protection for Authentication, and monitor NTLM traffic closely.
Created at: 2025-11-26T14:09:22.317000
Updated at: 2025-12-26T14:01:03.043000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-12-26T10:02:37.438000
Inside DPRK's Fake Job Platform Targeting U.S. AI Talent
Description: This analysis details a sophisticated DPRK-linked operation called Contagious Interview, which uses a fake job platform to target U.S. AI talent. The campaign mimics legitimate recruitment processes, offering job listings from well-known tech companies to lure victims. The platform, hosted at lenvny[.]com, is designed to appear as a legitimate AI-powered interview tool. It employs various techniques to establish credibility, including professional design, fake testimonials, and comparisons with real companies. The attack culminates in malware delivery through a clipboard hijacking technique, triggered when victims attempt to record a video introduction. This operation specifically targets high-value professionals in the AI and cryptocurrency sectors, aiming to gain access to strategic information and financial assets.
Created at: 2025-11-26T10:07:38
Updated at: 2025-12-26T10:02:02.477000
Silver Fox Targeting India Using Tax Themed Phishing Lures
Description: A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.
Created at: 2025-12-24T21:10:40.201000
Updated at: 2025-12-26T10:00:02.556000
Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
Description: A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable security measures, remove competing malware, and download architecture-specific second-stage binaries. The campaign has been active since July 2025, with consistent use of a handful of distribution points. The actor targets home routers and other IoT devices using multiple CVEs and generic command injection attempts.
Created at: 2025-11-26T09:54:18.707000
Updated at: 2025-12-26T09:04:47.114000
