LATEST THREAT INTELLIGENCE.

GachiLoader: Defeating Node.js Malware with API Tracing

Description: A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE injection method called Vectored Overloading. To aid analysis, researchers developed an open-source Node.js tracer tool. The campaign has affected over 100 videos with 220,000 views across 39 compromised accounts since December 2024. The malware evades detection, elevates privileges, and disables Windows Defender before retrieving its payload.

Created at: 2025-12-17T21:22:38.282000

Updated at: 2026-01-16T21:02:53.878000

BlueDelta’s Persistent Campaign Against UKR.NET

Description: Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web services and proxy tunneling platforms to collect user credentials. BlueDelta distributed PDF lures with embedded links to evade detection. The campaign demonstrates the group's adaptability and persistent focus on Ukrainian user credentials for intelligence purposes. Infrastructure changes, including the transition to ngrok and Serveo, reflect responses to takedown efforts. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid ongoing conflict.

Created at: 2025-12-17T20:07:25.299000

Updated at: 2026-01-16T20:00:05.146000

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

Description: A Chinese-nexus advanced persistent threat actor, UAT-9686, is actively targeting Cisco AsyncOS Software for Secure Email Gateway and Secure Email and Web Manager. The campaign, ongoing since late November 2025, exploits non-standard configurations to execute system-level commands and deploy a persistent Python-based backdoor called AquaShell. Additional tools observed include AquaTunnel for reverse SSH tunneling, chisel for TCP/UDP tunneling, and AquaPurge for log clearing. The attackers can execute encoded commands in the system shell and create reverse connections to attacker-controlled servers. This sophisticated attack aligns with tactics used by other Chinese APT groups, raising concerns about potential widespread impact on email security infrastructure.

Created at: 2025-12-17T20:07:24.241000

Updated at: 2026-01-16T20:00:05.146000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-01-16T17:03:22.543000

Parked Domains Become Weapons with Direct Search Advertising

Description: Parked domains are increasingly being weaponized through direct search advertising, posing significant risks to users. The investigation found that over 90% of visits to parked domains led to scams, malware, or unwanted content. Three key actors were identified: one using lookalike domains and mail collection, another employing sophisticated 'double fast flux' techniques, and a third exploiting DNS configuration typos. These actors actively profile visitors and selectively redirect traffic to malicious advertisers. The complexity of the advertising ecosystem makes it difficult to trace the origin of threats. Recent policy changes and the rise of AI may inadvertently increase risks associated with parked domains.

Created at: 2025-12-17T14:28:37.531000

Updated at: 2026-01-16T14:00:22.030000

UAT-8837 targets critical infrastructure sectors in North America

Description: UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesting, and lateral movement. Its toolkit includes GoTokenTheft, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy. UAT-8837 conducts extensive domain and Active Directory reconnaissance, creates backdoor accounts, and exfiltrates sensitive data. The actor's focus on obtaining initial access to high-value organizations and its use of sophisticated tools and techniques indicate a significant threat to critical infrastructure sectors.

Created at: 2026-01-16T13:31:45.589000

Updated at: 2026-01-16T13:33:50.134000

HUMINT Operations Uncover Cryptojacking Campaign: Discord-Based Distribution of Clipboard Hijacking Malware Targeting Cryptocurrency Communities

Description: A sophisticated cryptocurrency theft operation, orchestrated by the threat actor 'RedLineCyber', has been uncovered. The actor distributes a malicious executable named 'Pro.exe', a Python-based clipboard hijacking trojan designed for silent cryptocurrency theft. This malware continuously monitors the Windows clipboard for cryptocurrency wallet addresses and substitutes them with attacker-controlled addresses. The threat actor exploits trust within Discord communities focused on gaming, gambling, and cryptocurrency streaming. The malware demonstrates moderate technical complexity, using obfuscated Python bytecode and base64-encoded regular expressions for wallet detection. It targets cryptocurrency streamers, casino gaming communities, and users who frequently handle digital asset transactions during live broadcasts. The operation has successfully compromised multiple victims across six major cryptocurrencies.

Created at: 2026-01-15T17:16:58.457000

Updated at: 2026-01-16T13:27:20.266000

A new campaign by the ForumTroll APT group

Description: The ForumTroll APT group has launched a new targeted phishing campaign against Russian political scientists, exploiting plagiarism reports as bait. The attackers used sophisticated techniques, including a well-prepared domain and personalized emails, to deliver the Tuoni framework malware. This campaign follows their spring attacks, which targeted organizations using zero-day vulnerabilities. The fall campaign relied on social engineering, using emails posing as a scientific library to trick victims into downloading malicious archives. The final payload was delivered through a PowerShell script and established persistence using COM Hijacking. Despite being less technically sophisticated than the spring campaign, this operation demonstrates the group's continued focus on Russian and Belarusian targets.

Created at: 2025-12-17T12:52:27.864000

Updated at: 2026-01-16T12:04:33.861000

BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

Description: A spear-phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism was discovered in September 2025. The attack, attributed to BlindEagle, utilized a compromised email account within the organization to bypass security controls. The campaign employed a sophisticated multi-layer attack chain, including a fake web portal, nested JavaScript and PowerShell scripts, steganography, and the deployment of Caminho as a downloader for DCRAT. The attack leveraged legal-themed lures, in-memory execution, and abuse of legitimate services like Discord. BlindEagle's evolution in tactics and use of new tools like Caminho demonstrate its ongoing threat to Colombian institutions.

Created at: 2025-12-17T02:49:03.062000

Updated at: 2026-01-16T02:04:22.506000

CastleLoader Malware Analysis: Full Execution Breakdown

Description: CastleLoader is a sophisticated malware loader designed to deliver and install malicious components, primarily targeting government entities and critical infrastructure. It employs a multi-stage execution chain involving Inno Setup, AutoIt, and process hollowing to evade detection. The loader delivers information stealers and RATs, enabling credential theft and persistent access. The analysis reveals its stealthy nature, relying on memory-only payloads and API resolution via hashing. The malware's configuration, including C2 infrastructure, was extracted through reverse engineering, providing high-confidence indicators of compromise for detection and analysis.

Created at: 2026-01-15T15:37:01.484000

Updated at: 2026-01-15T15:39:04.442000