LATEST THREAT INTELLIGENCE.
ShadowV2 Casts a Shadow Over IoT Devices
Description: A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses an XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.
Created at: 2025-11-27T07:37:54.726000
Updated at: 2026-03-02T09:21:16.875000
Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Description: Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data from various platforms. They employ aggressive extortion tactics, including harassment and DDoS attacks. The activity involves multiple threat clusters (UNC6661, UNC6671, UNC6240) and targets a growing number of cloud platforms. The attackers leverage social engineering to bypass MFA and use tools like ToogleBox Recall to cover their tracks. This activity highlights the effectiveness of social engineering and the importance of phishing-resistant MFA methods.
Created at: 2026-01-31T08:41:02.930000
Updated at: 2026-03-02T08:03:54.313000
DynoWiper update: Technical analysis
Description: ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.
Created at: 2026-01-30T18:42:13.717000
Updated at: 2026-03-01T18:00:46.183000
Threat Intelligence Dossier: TOXICSNAKE
Description: A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.
Created at: 2026-01-30T08:44:03.925000
Updated at: 2026-03-01T08:03:12.270000
Interlock Ransomware: New Techniques, Same Old Tricks
Description: The Interlock ransomware group continues to target organizations worldwide, particularly in the UK and US education sector. Unlike other ransomware groups, Interlock operates independently, developing and using their own malware. This article details a recent intrusion, highlighting the group's ability to adapt techniques and tooling. The attack involved multiple stages, including initial access via MintLoader, use of custom malware like NodeSnakeRAT and InterlockRAT, and deployment of a novel process-killing tool exploiting a zero-day vulnerability. The adversaries used various techniques for persistence, lateral movement, and data exfiltration before ultimately deploying ransomware. The intrusion demonstrates the importance of threat hunting and integrating threat intelligence to identify compromises before significant impact occurs.
Created at: 2026-01-30T08:23:45.232000
Updated at: 2026-03-01T08:03:12.270000
Meet IClickFix: a widespread framework using the ClickFix tactic
Description: IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.
Created at: 2026-01-30T08:20:09.209000
Updated at: 2026-03-01T08:03:12.270000
Attack on *stan: Your malware, my C2
Description: A suspected state-affiliated threat actor has been targeting Kazakh and Afghan entities in a persistent campaign since at least August 2022. The attackers use a Windows-based RAT called KazakRAT, which allows for payload downloads, host data collection, and file exfiltration. The malware is delivered via .msi files and persists using the Run registry key. C2 communications are unencrypted over HTTP. The campaign also utilizes modified versions of XploitSpy Android spyware. Multiple KazakRAT variants have been observed with minor command-set changes. Victim targeting includes government and financial sector entities, particularly in Kazakhstan's Karaganda region. The operation shows low sophistication but high persistence, with similarities to APT36/Transparent Tribe activities.
Created at: 2026-01-30T08:19:02.693000
Updated at: 2026-03-01T08:03:12.270000
NFCShare Android Trojan: NFC card data theft via malicious APK
Description: A new Android trojan, named NFCShare, has been discovered targeting Deutsche Bank customers through a phishing campaign. The malware, disguised as a banking app update, prompts users to perform a fake card verification process. It exploits NFC technology to steal card data and PINs, which are then exfiltrated to a remote WebSocket endpoint. The trojan's distribution, user flow, and technical analysis are detailed, including its NFC reading capabilities and string obfuscation techniques. The malware shows links to Chinese-linked tooling and similarities to other NFC-based threats. IOCs include hashes, package details, and network indicators.
Created at: 2026-01-30T08:18:00.506000
Updated at: 2026-03-01T08:03:12.270000
Approaching Cyclone: Vortex Werewolf Attacks Russia
Description: A new cluster is spreading malware through phishing attacks targeting Russia. The attack methodology involves fake pages that imitate file downloads from Telegram. The article likely details the structure of these attacks, providing insights into how the malicious actors are exploiting user trust in the popular messaging platform to deliver their payload. This emerging threat, dubbed Vortex Werewolf, appears to be a sophisticated campaign specifically targeting Russian users or entities.
Created at: 2026-01-29T07:39:26.213000
Updated at: 2026-02-28T07:04:17.541000
Can't stop, won't stop: TA584 innovates initial access
Description: TA584, a prominent initial access broker targeting organizations globally, demonstrated significant changes in attack strategies throughout 2025. The actor expanded its global targeting, adopted ClickFix social engineering techniques, and began delivering new malware called Tsundere Bot. TA584's operational tempo increased, with monthly campaigns tripling from March to December. The actor uses various delivery methods via email, often sending from compromised individual accounts. TA584's campaigns now run in rapid succession and overlap one another, each with distinct lure themes and short operational lifespans. The actor has shown adaptability in social engineering, brand impersonation, and payload delivery, making static detection less effective. Recent payloads include XWorm with the 'P0WER' configuration and the newly observed Tsundere Bot, both likely part of Malware-as-a-Service offerings.
Created at: 2026-01-28T18:26:15.886000
Updated at: 2026-02-27T18:04:18.184000
