LATEST THREAT INTELLIGENCE.
Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks
Description: The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called RingH23. It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the MacCMS supply chain, and deploying sophisticated malware components like Badredis2s, Badnginx2s, and Badhide2s. The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.
Created at: 2026-03-02T17:39:22.702000
Updated at: 2026-03-03T17:05:44.175000
Dust Specter APT Targets Government Officials in Iraq
Description: A suspected Iran-nexus threat actor, dubbed Dust Specter, targeted Iraqi government officials in January 2026. The campaign involved impersonating Iraq's Ministry of Foreign Affairs and using compromised government infrastructure to host malicious payloads. Two attack chains were identified, utilizing previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The malware employed creative evasion techniques, leveraged generative AI for development, and used file-based polling mechanisms for command execution. The campaign also incorporated ClickFix-style attacks and social engineering lures. Attribution to an Iran-nexus group is based on code similarities, victimology, and overlapping tactics with known Iranian APT groups.
Created at: 2026-03-02T17:44:28.393000
Updated at: 2026-03-03T17:02:37.446000
OAuth redirection abuse enables phishing and malware delivery
Description: Microsoft has discovered phishing campaigns exploiting OAuth's redirection mechanisms to bypass conventional defenses. Attackers create malicious applications with redirect URIs pointing to malicious domains, then distribute phishing links prompting targets to authenticate. The attack abuses OAuth's error handling to redirect users from trusted providers to attacker-controlled sites for phishing or malware delivery. Campaigns targeted government and public sectors using e-signature, financial, and political lures. Some attacks led to malware downloads and endpoint compromise via PowerShell and DLL side-loading. Mitigation involves governing OAuth apps, limiting user consent, reviewing permissions, and implementing cross-domain detection across email, identity, and endpoint.
Created at: 2026-03-02T21:58:21.579000
Updated at: 2026-03-03T17:00:32.776000
Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
Description: A significant joint offensive by the US and Israel has triggered a multi-vector retaliatory campaign from Iran, leading to an escalation in cyberattacks. Iran's limited internet connectivity is likely hindering state-aligned threat actors' ability to coordinate sophisticated attacks. Hacktivist groups are targeting perceived adversaries, while other nation-state actors may exploit the situation. Observed activities include phishing campaigns, DDoS attacks, data exfiltration, and wiper attacks. Multiple Iranian state-aligned personas and collectives have claimed responsibility for various disruptive operations. Pro-Russian hacktivist groups have also been active, targeting Israeli systems and infrastructure. The situation remains fluid, and organizations are advised to implement multi-layered defenses and focus on foundational security hygiene.
Created at: 2026-03-03T06:39:44.267000
Updated at: 2026-03-03T16:58:24.623000
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh
Description: An extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeted government entities and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026. The campaign used two attack vectors: PDF lures with ClickOnce execution chains and macro-enabled Excel documents. It deployed a custom x64 shellcode implant named BurrowShell and a Rust-based keylogger. The attackers extensively abused Cloudflare Workers for C2 and payload delivery, registering 112 domains impersonating government entities. The campaign focused on nuclear, defense, telecommunications, energy, and financial sectors, aligning with regional strategic competition in South Asia.
Created at: 2026-03-03T11:11:14.916000
Updated at: 2026-03-03T16:55:56.297000
RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command
Description: A malicious SMS spoofing campaign is spreading a fake version of Israel's 'Red Alert' emergency app amid ongoing conflict. The trojanized Android app, disguised as a trusted warning platform, can steal SMS, contacts, and location data while appearing legitimate. The campaign exploits public fear during crises to deploy mobile spyware. The malware uses sophisticated techniques to bypass security checks, including package manager hooking and dynamic payload loading. It mirrors the official app's interface but requests high-risk permissions. The malware continuously tracks GPS coordinates and exfiltrates data to attacker-controlled infrastructure, posing severe strategic and physical security risks. This campaign erodes trust in emergency response systems and could be used for targeted attacks or to optimize missile targeting.
Created at: 2026-03-03T15:42:04.089000
Updated at: 2026-03-03T16:51:31.749000
Web-Based Indirect Prompt Injection Observed in the Wild: Fooling AI Agents
Description: This article analyzes real-world instances of indirect prompt injection (IDPI) attacks targeting AI agents and large language models integrated into web systems. The researchers identify 22 distinct techniques used by attackers to embed malicious prompts in webpages, including visual concealment, obfuscation, and dynamic execution methods. They categorize attacker intents ranging from low-severity disruptions to critical data destruction attempts. Notable findings include the first observed case of AI-based ad review evasion and attempts at search engine optimization manipulation. The article presents a taxonomy of web-based IDPI attacks and provides insights into attack trends based on telemetry data. The researchers emphasize the need for proactive, web-scale defenses to detect IDPI and distinguish between benign and malicious prompts.
Created at: 2026-03-03T15:42:04.592000
Updated at: 2026-03-03T16:45:07.485000
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Description: A sophisticated iOS exploit kit named Coruna has been discovered, targeting iPhones running iOS 13.0 to 17.2.1. The kit contains five full iOS exploit chains and 23 exploits, using advanced techniques and mitigation bypasses. Initially used by a surveillance vendor, it was later employed in targeted attacks against Ukrainian users and broad-scale campaigns by a Chinese financially motivated group. The kit's proliferation suggests an active market for second-hand zero-day exploits. The exploits are well-engineered and documented, with the most advanced using non-public techniques. The final payload, PLASMAGRID, focuses on stealing financial information and cryptocurrency wallet data.
Created at: 2026-03-03T15:42:06.180000
Updated at: 2026-03-03T16:40:18.815000
An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far
Description: A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in multiple targets. The attacker, an autonomous bot called hackerbot-claw, used five different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. The campaign targeted repositories belonging to Microsoft, DataDog, CNCF, and other popular open source projects. The attacks included token theft via poisoned Go scripts, direct script injection, branch name injection, filename injection, and AI prompt injection. The most severe attack resulted in a full repository compromise of Aqua Security's Trivy project. The campaign highlights the growing threat of AI-powered bots targeting software supply chains and the need for automated security controls in CI/CD pipelines.
Created at: 2026-03-03T15:48:42.997000
Updated at: 2026-03-03T16:36:57.673000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with fast-flux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-03-03T12:20:51.468000
