ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

LevelBlue’s CTI team analyzed a new ClickFix campaign that uses typosquatted LinkedIn and Indeed pages, the Finger protocol, and legitimate Windows utilities to deliver CastleLoader and a Python-based RAT. The operation relies on fileless execution, encrypted C2 traffic, and WebSocket-based control to stage payloads, evade defenses, and maintain persistence. #ClickFix #LinkedIn #Indeed #Finger #CastleLoader #kevinnotanother.com

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

FortiGuard Labs identified a phishing campaign that delivers a PureLogs variant through a fake purchase-order email carrying a malicious RAR archive and JavaScript file. The attack chain uses PowerShell, process hollowing, and a downloader to load an in-memory plugin that steals browser, Discord, crypto wallet, and application data from Windows systems. #PureLogs #FortiGuardLabs #MsBuild.exe #Discord #MicrosoftEdge #FileZilla

Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

FortiGuard Labs analyzed C0XMO, a modular Gafgyt botnet variant that exploits CVE-2021-27137 on vulnerable DD-WRT routers and uses a separate Python scanner to expand infections across Linux and IoT devices. The malware adds persistence, kills competing botnets, performs a custom C2 handshake, and supports many DDoS and exploitation capabilities targeting services such as Telnet, SSH, UPnP, ADB, and multiple HTTP vulnerabilities. #C0XMO #Gafgyt #CVE-2021-27137 #DDWRT

Inside the Latest Chaotic-Eclipse Releases: Mini-Plasma, GreenPlasma, and YellowKey

In May 2026, Chaotic Eclipse disclosed three Windows zero-days (YellowKey, GreenPlasma, and MiniPlasma), publishing PoCs days after Microsoft’s Patch Tuesday to maximize the window before a fix ships. YellowKey bypasses BitLocker through WinRE, while GreenPlasma and MiniPlasma achieve SYSTEM privileges by abusing Windows Cloud Files and related trust relationships. #YellowKey #GreenPlasma #MiniPlasma #ChaoticEclipse

FSB’s matryoshka #2/3 – Gamaredon’s gifts that keep unpacking – GammaLoad

Sekoia.io’s investigation details how Gamaredon, an FSB-linked intrusion set targeting Ukraine, uses a multi-stage GammaLoad chain to maintain stealthy, persistent access through loaders, droppers, and registry-cached C2 configuration. The report shows the group abusing trusted services like Telegram, Telegraph, Cloudflare, and Check-Host to retrieve payloads and ultimately deliver GammaSteel. #Gamaredon #GammaLoad #GammaSteel #Sekoiaio #Telegram #Cloudflare #CheckHost

Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware Campaign – CYFIRMA

This report details an Indian tax-themed phishing campaign that used government impersonation, a fake tax portal, and a malicious ZIP archive to deliver a multi-stage malware framework. The malware relied on DLL Search Order Hijacking, token manipulation, reflective PE loading, and WebSocket-based C2; the report lists the associated file artifacts and infrastructure. #करविवरण.exe #SbieDll.dll #SbieDll.bin #43.128.54.184

Dark Web Profile: BlindEagle

BlindEagle (APT-C-36 / AguilaCiega / TAG-144 / G0099 / APT-Q-98) is a Latin America–based threat actor that blends espionage and cybercrime, with a strong focus on Colombia and a growing spillover into the U.S. The group relies on phishing, geofenced delivery, commodity RATs, and rapid weaponization of public vulnerabilities to steal banking credentials and sensitive government data. #BlindEagle #APT-C-36 #AguilaCiega #TAG-144 #G0099 #APT-Q-98 #DCRAT #AsyncRAT #Remcos #NjRAT #LimeRAT #BlotchyQuasar #Caminho

The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

LevelBlue SpiderLabs analyzed a Brazilian NF-e-themed lure that delivers a ZIP attachment and MSI installer, which drop a Havoc stager; the stager then downloads the Demon agent at runtime. The campaign overlaps with other delivery fronts and shares builder traits across multiple stager variants, persisting via the UserInitMprLogonScript registry value and using HTTP traffic that mimics Microsoft Delivery Optimization. #Havoc #NF-e #UserInitMprLogonScript #Microsoft-Delivery-Optimization

FSB’s matryoshka #3/3 – Gamaredon’s gifts that keep unpacking – GammaSteel

Gamaredon, an FSB-operated Russian intrusion set, uses a highly obfuscated, fileless PowerShell stealer called GammaSteel to target Ukrainian organizations and exfiltrate documents through legitimate cloud services and fallback operator-controlled infrastructure. The campaign adds a new DPAPI-based registry-staging technique, USB propagation, real-time file surveillance, and Dead Drop Resolver-based configuration recovery to maintain persistent access and evade analysis. #Gamaredon #GammaSteel #DPAPI #Sekoia #Tebi.io #Telegram #Mastodon

Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

Check Point Research exposed a large-scale campaign that impersonates trusted open-source and freeware projects such as Ghidra, dnSpy, and SpiderFoot to hijack download clicks and route users through a gated Traffic Distribution System. The same infrastructure was used to deliver SessionGate, RemusStealer, and AnimateClipper, showing that the operation mixed traffic monetization with downstream malware delivery. #Ghidra #dnSpy #SpiderFoot #SessionGate #RemusStealer #AnimateClipper

Espionage Campaign Targeted Stock Exchange Executive for Five Months

A five-month espionage campaign targeted a senior executive’s Outlook mailbox at a major global stock exchange, using Dropbox, OneDrive Personal, and temporary hosting services to quietly exfiltrate mailbox data in small batches. The attackers relied on masquerading binaries, scheduled tasks, and an Aspose-based OST stealer to maintain persistence and avoid detection while stealing near-continuous email content. #Dropbox #OneDrive #Aspose #Outlook #MicrosoftOneDriveSyncServiceCore

Security briefing: May 2026

May saw major breaches driven by exposed credentials, weak guardrails, rapid exploitation of new vulnerabilities, and increasingly cloud-native attack methods. Incidents involving ShinyHunters, TeamPCP, MuddyWater, and multiple AI-related flaws show how quickly attackers can move from disclosure to operational impact. #ShinyHunters #TeamPCP #MuddyWater #Canvas #Instructure #CISA #marimo #PraisonAI #Langflow #NATS

Argamal: Malware hidden in hentai games

Argamal is a new malware family distributed through trojanized hentai games and torrents that installs a malicious implant, then later downloads a RAT for full system compromise. It uses COM hijacking, scheduled tasks, and changing C2 infrastructure to persist, evade detection, and control infected machines while targeting victims worldwide. #Argamal #AniRena #PixelDrain #Kaspersky #freeddns #kozow #ignorelist
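Two of the items above persist through per-user registry locations that are empty on a clean workstation: the Havoc stager writes the UserInitMprLogonScript value, and Argamal registers COM servers under the user hive (COM hijacking). The following PowerShell hunting script is an added example, not code from Kaspersky, LevelBlue SpiderLabs, or either report; it assumes an elevated session on a live Windows host so that every loaded user hive under HKEY_USERS is readable, and the MITRE technique IDs in the comments are standard references rather than anything the summaries state.

```powershell
# Added hunting script (not from the Argamal or Havoc reports): walk every loaded
# user hive and report two per-user persistence locations the summaries mention.
#  1. HKU\<SID>\Environment\UserInitMprLogonScript
#     Executed by userinit.exe at logon (MITRE T1037.001).
#  2. HKU\<SID>\Software\Classes\CLSID\{...}\InprocServer32 | LocalServer32
#     Per-user COM registrations are consulted before HKLM for non-elevated
#     processes, which is what makes COM hijacking work (MITRE T1546.015).
# Both are normally absent, so any populated entry deserves triage.

# Loaded user hives only; *_Classes hives and .DEFAULT never carry these keys.
$userHives = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' -and $_.PSChildName -ne '.DEFAULT' }

$findings = foreach ($hive in $userHives) {
    $sid = $hive.PSChildName

    # 1. Logon script value
    $envKey = Join-Path $hive.PSPath 'Environment'
    $script = (Get-ItemProperty -Path $envKey -Name UserInitMprLogonScript `
                -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ($script) {
        [pscustomobject]@{ Sid = $sid; Type = 'UserInitMprLogonScript'; Key = $envKey; Value = $script }
    }

    # 2. Per-user COM servers
    $clsidRoot = Join-Path $hive.PSPath 'Software\Classes\CLSID'
    foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $clsid.PSPath $serverKind
            # The server path is the key's default value, exposed as '(default)'.
            $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($server) {
                [pscustomobject]@{ Sid = $sid; Type = "COM $serverKind"; Key = $serverKey; Value = $server }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Sid, Type | Format-Table -AutoSize -Wrap
} else {
    'No UserInitMprLogonScript or per-user COM server registrations found.'
}
```

Only hives that are currently loaded appear under HKEY_USERS; profiles of users who are not logged on must be loaded from their NTUSER.DAT first. Some legitimate software (per-user installs of collaboration and sync clients, for example) does register COM servers in the user hive, so treat the COM results as a triage list and pivot on the server path, its signature, and its creation time rather than alerting on existence alone.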

LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine

ESET researchers presented technical evidence that Gamaredon helped Turla access high-value Ukrainian targets, including deploying the Kazuar backdoor and restoring access after Turla lost its foothold. The presentation also examined Gamaredon’s spearphishing-driven tradecraft and the evolution of Turla’s Kazuar v2 and v3 implants. #Gamaredon #Turla #Kazuar #PteroGraphin #PteroOdd
