LATEST THREAT INTELLIGENCE.

Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability

Description: A critical vulnerability in Gladinet's CentreStack and Triofox products has been discovered, involving hardcoded cryptographic keys in their AES implementation. This flaw allows potential access to the web.config file, enabling deserialization and remote code execution. Attackers are actively targeting this vulnerability across various organizations. The issue stems from static encryption keys derived from unchanging Chinese and Japanese text strings, allowing for decryption and creation of access tickets. Exploitation attempts have been observed across multiple sectors, with attackers using the vulnerability to obtain machine keys and perform viewstate deserialization attacks. Immediate updates to the latest version and machine key rotation are recommended for mitigation.

Created at: 2025-12-11T18:25:34.482000

Updated at: 2025-12-12T07:42:48.758000

It didn’t take long: CVE-2025-55182 is now under active exploitation

Description: A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a surge in exploitation attempts, with attackers deploying various malware, including crypto miners and the RondoDox botnet. The vulnerability affects multiple React-related packages and bundles. Threat actors are leveraging this exploit to steal credentials, compromise cloud infrastructures, and potentially launch supply chain attacks. Immediate patching and implementation of security measures are strongly recommended to mitigate risks associated with this high-severity vulnerability.

Created at: 2025-12-11T15:16:52.116000

Updated at: 2025-12-11T15:19:56.834000

GOLD SALEM tradecraft for deploying Warlock ransomware

Description: This analysis examines the evolving tactics of the GOLD SALEM cybercrime group in deploying Warlock ransomware over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like Velociraptor, VMTools AV killer, and Cloudflared for various attack stages. They targeted multiple sectors, with a focus on IT, industrial, and technology. The group used Warlock, LockBit, and Babuk ransomware variants, often naming executables after victim organizations. Evidence suggests possible Chinese origins, though the group appears primarily financially motivated. GOLD SALEM demonstrated advanced technical abilities, including zero-day exploitation and repurposing of legitimate tools.

Created at: 2025-12-11T12:06:23.352000

Updated at: 2025-12-11T15:12:50.068000

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

Description: The report details a long-running espionage campaign by Ashen Lepus, a Hamas-affiliated threat group, targeting governmental and diplomatic entities in the Middle East. The group has developed a new malware suite called AshTag, which includes enhanced custom payload encryption, infrastructure obfuscation, and in-memory execution. Ashen Lepus has expanded its targeting beyond traditional geographic boundaries, now including entities in Oman and Morocco. The AshTag malware suite employs a multi-stage infection chain, utilizing decoy PDFs and RAR archives to deliver its payloads. The group has also updated its C2 architecture to evade detection and blend with legitimate traffic.

Created at: 2025-12-11T12:06:23.934000

Updated at: 2025-12-11T15:09:28.204000

VS Code extensions contain trojan-laden fake image

Description: A malicious campaign involving 19 Visual Studio Code extensions has been uncovered, hiding malware in dependency folders. Active since February 2025, the campaign abuses a legitimate npm package to avoid detection and crafts an archive containing malicious binaries disguised as a PNG image. The attackers modified the popular 'path-is-absolute' package, adding malicious files that are only present when installed through the compromised extensions. The malware is activated when VS Code starts, decoding a JavaScript dropper and executing two malicious binaries using a living-off-the-land binary. This sophisticated attack demonstrates the evolving techniques of threat actors, targeting the VS Code Marketplace and exploiting trusted components to evade detection.

Created at: 2025-12-11T12:06:21.710000

Updated at: 2025-12-11T14:54:02.949000

Infrastructure of Interest: Medium Confidence Phishing

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:20:01.253000

Updated at: 2025-12-11T14:41:18.542000

Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack

Description: The Chinese APT group Silver Fox has launched an SEO poisoning campaign targeting Chinese-speaking users, impersonating Microsoft Teams. The campaign uses a modified ValleyRAT loader with Cyrillic elements to mislead attribution. Silver Fox aims to conduct espionage and financial fraud, posing a significant threat due to its dual mission. The attack chain involves a fake Teams website, malicious ZIP files, and binary data retrieval from XML and JSON files. The malware exploits rundll32.exe for binary proxy execution and establishes C2 communication. Attribution to Silver Fox is based on overlapping infrastructure and links to previous campaigns. Organizations with global operations, especially in China, are advised to implement robust security measures and logging capabilities to defend against this evolving threat.

Created at: 2025-12-10T17:22:42.524000

Updated at: 2025-12-11T09:06:26.836000

NANOREMOTE, cousin of FINALDRAFT

Description: A newly discovered Windows backdoor called NANOREMOTE shares similarities with previously known malware FINALDRAFT. NANOREMOTE's key feature is using the Google Drive API for data exfiltration and payload staging, making detection challenging. The malware includes a task management system for file transfers and incorporates functionality from open-source projects. It communicates with a hardcoded IP address over HTTP, using encrypted and compressed JSON data. NANOREMOTE has 22 command handlers enabling various capabilities such as system reconnaissance, file operations, and command execution. The malware's similarity to FINALDRAFT suggests a shared codebase and development environment between the two threats.

Created at: 2025-12-10T18:35:45.870000

Updated at: 2025-12-11T09:05:08.863000

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

Description: An active phishing campaign has been identified targeting organizations using Microsoft 365 and Okta for single sign-on. The campaign employs modern techniques to bypass multi-factor authentication and hijack legitimate SSO flows. It uses lookalike domains to impersonate Okta authentication pages and injects malicious JavaScript to steal credentials and session tokens. The attackers have also developed a sophisticated method to phish users who use Okta as an identity provider for Microsoft 365. The campaign's initial access vector involves phishing emails with lures related to compensation and benefits. The attackers use compromised mailboxes and Amazon SES to send these emails, and host their phishing infrastructure on Cloudflare.

Created at: 2025-12-10T18:35:47.040000

Updated at: 2025-12-11T09:02:18.844000

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

Description: A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, leading to remote code execution. Over 700 compromised instances have been identified on the internet. The vulnerability affects Gogs servers (version <= 0.13.3) exposed to the internet with open registration enabled. The attack chain involves creating a repository with a symbolic link, then using the PutContents API to overwrite sensitive files. The malware used in the attacks is based on the Supershell framework, designed for establishing reverse SSH shells.

Created at: 2025-12-10T18:35:46.448000

Updated at: 2025-12-11T08:59:36.406000