LATEST THREAT INTELLIGENCE.
A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
Description: PeckBirdy is a sophisticated JScript-based C&C framework employed by China-aligned APT groups since 2023. It exploits LOLBins across multiple environments to deliver advanced backdoors, targeting gambling industries and Asian government entities. The framework's versatility allows it to be used in various attack stages, from watering-hole control to lateral movement and C&C operations. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate coordinated threat group activity using PeckBirdy. The framework is complemented by two modular backdoors, HOLODONUT and MKDOOR, which extend its attack capabilities. PeckBirdy's design enables flexible deployment and execution across different environments, including browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET.
Created at: 2026-01-26T20:30:56.423000
Updated at: 2026-02-26T07:03:45.621000
Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign
Description: This analysis examines a sophisticated multi-stage infection chain utilizing Agent Tesla malware. The attack begins with a phishing email containing a RAR file, which includes an obfuscated JSE file. This initial stage triggers a series of script-based evasions, leading to the download and decryption of a PowerShell script. The malware then employs process hollowing to inject its payload into a legitimate Windows process, evading detection. Before exfiltrating data, the malware performs anti-analysis checks to avoid security software and virtual environments. Finally, Agent Tesla harvests sensitive information, including browser cookies and contacts, exfiltrating the data via SMTP to a command-and-control server.
Created at: 2026-02-25T20:01:58.886000
Updated at: 2026-02-25T20:31:27.786000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-02-25T16:38:40.161000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-02-25T16:38:39.123000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-02-25T16:38:36.996000
Chrome Extensions: Are you getting more than you bargained for?
Description: This analysis reveals the hidden dangers of certain Chrome extensions available on the Google Chrome Web Store. Despite the store's vetting process, some malicious extensions have slipped through, compromising user security. The study examines four examples of extensions with combined user bases exceeding 100,000, showcasing various security risks. These include undisclosed clipboard access to remote domains, data exfiltration, remote code execution capabilities, search hijacking, and cross-site scripting vulnerabilities. The extensions employ tactics such as command-and-control infrastructure with domain generation algorithms, user tracking, and brand impersonation. The research emphasizes the importance of caution when installing browser extensions, even from trusted sources, and recommends immediate uninstallation of the identified malicious extensions.
Created at: 2026-01-26T15:40:31.078000
Updated at: 2026-02-25T15:02:40.499000
Malware MoonPeak Executed via LNK Files
Description: In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with a LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub, which is actually the MoonPeak malware. MoonPeak is obfuscated using ConfuserEx and communicates with a C2 server. The campaign utilizes GitHub for hosting malware, a technique known as Living Off Trusted Sites (LOTS). This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.
Created at: 2026-01-26T14:28:48.027000
Updated at: 2026-02-25T14:02:21.153000
Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
Description: This analysis examines CVE-2026-21513, a security bypass vulnerability in Microsoft's MSHTML framework, patched in February 2026. The flaw, actively exploited by Russian state-sponsored actor APT28, affects all Windows versions and has a CVSS score of 8.8. Using PatchDiff-AI, researchers identified the root cause in ieframe.dll's hyperlink navigation handling, allowing arbitrary file execution outside the browser's security context. The exploit involves a crafted Windows Shortcut file embedding HTML, communicating with APT28-linked infrastructure. It bypasses security measures like Mark of the Web and IE Enhanced Security Configuration through nested iframes and DOM manipulation, ultimately invoking ShellExecuteExW for out-of-sandbox execution.
Created at: 2026-02-25T11:46:21.970000
Updated at: 2026-02-25T11:50:33.555000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-02-25T11:46:57.559000
Mercenary Akula Hits Ukraine-Supporting Financial...
Description: A European financial institution involved in regional development and reconstruction initiatives was targeted by a social engineering attack attributed to the Russia-aligned Mercenary Akula. The attack used a spoofed Ukrainian judicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy advisor involved in procurement. The attack employed a multi-stage extraction process and deployed the Remote Manipulator System, a legitimate remote administration tool. This incident suggests the adversary may be expanding beyond primarily Ukraine-based targeting, potentially probing Ukraine-supporting institutions in Western Europe. The attack aligns with Mercenary Akula's established tactics, including localized social engineering, multi-stage payload delivery, and the use of signed remote administration tools.
Created at: 2026-02-25T11:35:21.172000
Updated at: 2026-02-25T11:44:22.329000
