LATEST THREAT INTELLIGENCE.

Analysis of APT-C-26 (Lazarus) Group's Attack Campaign Using Remote IT Disguise to Deploy Monitoring Software

Description: The report details an attack campaign by APT-C-26 (Lazarus), a highly active APT group targeting various industries globally. The group deployed a customized monitoring program with remote desktop control capabilities, likely used by remote IT personnel infiltrating target companies. The malware consists of a registration program, a daemon process, and a DLL file for core monitoring functions. It uses a Windows Shell extension for persistence and creates a covert remote desktop environment. The analysis reveals sophisticated techniques for evading detection, including disabling Windows Defender and manipulating firewall rules. The monitoring software captures screen data, uploads it to a server, and provides remote desktop functionality. Based on the analysis and the tactics used, the activity is attributed to the Lazarus group.

Created at: 2025-11-21T22:11:40.327000

Updated at: 2025-11-21T22:12:37.479000

New Tools and Techniques of ToddyCat APT

Description: The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools allow the attackers to bypass security monitoring and access email data both on-premises and in the cloud. The group's tactics include using SMB to remotely access files, dumping process memory, and searching for access tokens. Detection recommendations are provided for each technique.

Created at: 2025-11-21T14:38:00.696000

Updated at: 2025-11-21T22:07:56.899000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-11-21T20:36:30.443000

Infrastructure of Interest: Medium Confidence InfoStealer

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:31:55.617000

Updated at: 2025-11-21T20:35:24.402000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2025-11-21T20:35:20.285000

Infrastructure of Interest: Medium Confidence Phishing

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:20:01.253000

Updated at: 2025-11-21T20:35:18.915000

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

Description: A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was a WebSocket RAT enabling remote command execution and data exfiltration. Despite six months of preparation, the attackers' infrastructure was only active for one day, indicating sophisticated planning and operational security. An additional mobile attack vector was discovered, using fake applications to collect data from Android devices. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.

Created at: 2025-10-22T19:45:18.166000

Updated at: 2025-11-21T19:01:20.179000

APT24 Pivot to Multi-Vector Attacks

Description: APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They compromised a Taiwanese digital marketing firm, affecting over 1,000 domains. APT24 uses advanced techniques like control flow flattening, fingerprinting, and covert data exfiltration. The malware integrates with Cobalt Strike Beacon and employs DLL Search Order Hijacking for execution. The campaign demonstrates the actor's persistent and adaptive capabilities, highlighting the growing sophistication of Chinese cyber threats.

Created at: 2025-11-20T19:42:45.597000

Updated at: 2025-11-21T14:48:05.907000

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

Description: The Jingle Thief campaign, conducted by financially motivated threat actors from Morocco, targets global enterprises in retail and consumer services sectors to execute gift card fraud. Using phishing and smishing tactics, the attackers gain access to Microsoft 365 environments, exploiting cloud services for reconnaissance, lateral movement, and persistence. They focus on compromising gift card issuance systems, leveraging internal documentation and communication channels. The campaign demonstrates sophisticated techniques, including tailored phishing, internal email manipulation, and device registration abuse. The attackers maintain long-term access, sometimes over a year, making detection challenging. Their activities often align with holiday periods to maximize impact.

Created at: 2025-10-22T11:21:40.494000

Updated at: 2025-11-21T11:03:18.076000

Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments

Description: Since November 19, 2025, a surge in alerts involving a file named 'ConvertMate' has been observed. Despite its initially harmless appearance, deeper analysis reveals highly suspicious behavior. The file, downloaded from specific domains, initiates external connections, performs host queries, and creates various artifacts. A PowerShell script is executed, adding a scheduled task that repeats the suspicious behavior every 24 hours. This activity mirrors the tactics of the 'PDFEditor' campaign from two months prior, with both files signed by the same entity. The similarities strongly suggest that 'ConvertMate' is likely an initial vector for malicious activity rather than a legitimate PDF converter. Immediate isolation and removal of the software and related artifacts are recommended, along with internal training for end users to recognize and avoid malicious ads and suspicious files.

Created at: 2025-11-21T03:21:28.353000

Updated at: 2025-11-21T09:33:04.408000