Threat Research

  • Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

    Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

    Check Point Research tracked Cavern Manticore, an Iran-nexus threat actor targeting Israeli government and IT organizations using a modular .NET C2 framework with strong anti-analysis features and RMM abuse for initial access. The report also details related infrastructure, legacy Cav3rn samples, and multiple post-exploitation modules for reconnaissance, file access, LDAP, SQL, networking, and tunneling. #CavernManticore #MuddyWater #Lyceum #SysAid #uxtheme.dll #n-HTCommp.dll

  • Entra Agent ID: Protect, detect, respond

    Entra Agent ID: Protect, detect, respond

    The article explains how to secure Entra Agent ID by restricting blueprint-related permissions, reducing risky secrets, and reviewing third-party blueprints to limit the blast radius of a compromise. It also covers how to detect suspicious agent activity and how to disable or delete compromised agent identities and blueprints in Entra ID. #EntraID #AgentID #DatadogCloudSIEM #MicrosoftGraph

  • From Phishing to Persistence: A CrySome RAT Infection Chain Analysis

    From Phishing to Persistence: A CrySome RAT Infection Chain Analysis

    LevelBlue detected and contained a multi-stage intrusion that used a logistics-themed spear-phishing lure to deliver the CrySome RAT through staged downloads, PowerShell abuse, AMSI bypass, and Defender tampering. The operation ended with persistent remote access, browser credential theft, and C2 communication to 193.26.115[.]42:5555, while reusing tools and infrastructure such as WinDefCtl, signindat[.]com, and kvckiller.sys. #CrySomeRAT #WinDefCtl #signindatcom #kvckillersys #LevelBlue

  • macOS ClickFix Campaign Delivers AMOS and Other Infostealers: A DNS Deep Dive

    macOS ClickFix Campaign Delivers AMOS and Other Infostealers: A DNS Deep Dive

    Microsoft analyzed a ClickFix campaign that targeted macOS users with Macsync, Shub Stealer, and AMOS, using malicious commands hosted on blog and other user-generated content platforms to lure people seeking macOS help. The investigation identified 140 network IoCs and uncovered extensive DNS-related infrastructure, including typosquatting groups, likely malicious registrations, victim-related IP communications, and many email-connected domains later weaponized for attacks. #Macsync #ShubStealer #AMOS #ClickFix #Microsoft

  • Integrations of the Month

    Integrations of the Month

    Silent Push describes how its preemptive threat data and Indicators of Future Attack (IOFAs) integrate with Splunk SIEM & SOAR, Tines, and ServiceNow to surface staged infrastructure before it is used. The article also explains how Context Graph, Traffic Origin, and Threat Check help teams enrich alerts, automate response, and close…

  • Photo Zip Campaign Targeting Hospitality Industry Delivers Node.js Implant Persistent Access

    Photo Zip Campaign Targeting Hospitality Industry Delivers Node.js Implant Persistent Access

    Microsoft Threat Intelligence identified a multi-stage campaign targeting hospitality and hotel organizations across Europe and Asia that uses photo-themed ZIP archives, fake image shortcut files, obfuscated PowerShell, Node.js implants, and dual registry persistence. The campaign abuses Calendly and Google redirect infrastructure for phishing delivery, evolves across two waves with added .NET…

  • Chromium Extension Uses “Airelated” Branding Redirect Browser Search

    Chromium Extension Uses “Airelated” Branding Redirect Browser Search

    Microsoft Threat Intelligence identified a malicious Chromium extension impersonating Perplexity AI to intercept search traffic and collect user input through a typosquatted domain and attacker-controlled infrastructure. The extension was reported to Google and removed, and Microsoft highlighted the risk of AI-themed branding being abused for social engineering, query interception, and profiling….

  • Sold to the Highest Bidder: The Escalation of ADINT from Geolocation Tracking to Intrusion Vector

    Sold to the Highest Bidder: The Escalation of ADINT from Geolocation Tracking to Intrusion Vector

    The report explains how AdTech mechanisms such as RTB and SDKs have evolved into advertisement-based intelligence (ADINT) tools for passive profiling, active geolocation, and offensive zero-click intrusion. It also documents commercial surveillance vendors and products including NSO Group, Pegasus, Intellexa, Predator, Rayzone, Patternz, Babel Street, Locate X, and Insanet as examples of this expanding ecosystem. #NSOGroup #Pegasus #Intellexa #Predator #Rayzone #Patternz #BabelStreet #LocateX #Insanet

  • Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign

    Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign

    Researchers uncovered Armored Likho, a previously unknown APT also linked to Eagle Werewolf, running phishing campaigns against government and electric power targets in Russia, Brazil, and Kazakhstan. The group deploys BusySnake Stealer, an AI-assisted Python infostealer with browser credential theft, cookie theft, reverse SSH tunneling, and scheduled-task persistence, while Kaspersky detects and blocks the activity. #ArmoredLikho #EagleWerewolf #BusySnakeStealer #AquilaRAT #Go2Tunnel #RustDesk

  • Boss Scam: Don’t Trust Every “Urgent” Message from Your Boss!

    Boss Scam: Don’t Trust Every “Urgent” Message from Your Boss!

    This Boss Scam campaign abuses WhatsApp Web trust by delivering ZIP archives that hide a signed executable and a malicious DLL, enabling DLL sideloading, persistence, session theft, and data exfiltration. The attackers target executives and trusted employees to hijack WhatsApp Web sessions, spread fraudulent messages inside organizations, and steal browser artifacts such as cookies, tokens, and encryption keys. #I4C #WhatsAppWeb #ReserveBankofIndia #Tarexe #libfabricdll

  • Indirect Prompt Injection in Web Content Targets AI Agents

    Indirect Prompt Injection in Web Content Targets AI Agents

    Zscaler ThreatLabz analyzed two indirect prompt injection campaigns that used hidden instructions, SEO poisoning, CSS, HTML, and JSON-LD to manipulate AI agents visiting malicious websites. The campaigns impersonated a fake payment/API-key site and a typosquatting DeBank clone, and testing across 26 LLMs showed several models could be tricked into misclassification or unauthorized payment actions. #Zscaler #ThreatLabz #DeBank #Open-Agent-Utilities

  • Don’t Eat The ChocoPoCs! How Vulnerability Researchers Were Repeatedly Targeted By Trojanised Exploits

    Don’t Eat The ChocoPoCs! How Vulnerability Researchers Were Repeatedly Targeted By Trojanised Exploits

    YesWeHack and Sekoia TDR uncovered ChocoPoC, a Python RAT hidden in fake CVE PoC repositories and malicious PyPI dependencies used to target vulnerability researchers and pentesters. The campaign abused GitHub, PyPI, and Mapbox infrastructure to deliver payloads, persist in Python environments, and steal data, with at least 7 lure repositories identified and the malware still active. #ChocoPoC #YesWeHack #SekoiaTDR #Mapbox #frint #skytext

  • Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

    Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

    Socket’s Threat Research Team found malicious Chrome and Firefox VPN extensions that posed as free privacy tools while secretly stealing clipboard contents through staged updates. The campaign used shared infrastructure, browser-specific proxy features, and hardcoded endpoints to exfiltrate copied secrets from users of VPN Go: Free VPN and Free VPN by VPN GO. #VPNGo #FreeVPNbyVPNGO #SocketThreatResearchTeam #178236252133 #77291123187 #178236252161

  • AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign

    AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign

    LevelBlue SpiderLabs tracked a global phishing campaign using malicious Excel attachments to deliver multi-stage payloads that ultimately deployed Remcos and AsyncRAT. The operators used heavy obfuscation, disposable infrastructure, and themed HTA filenames to hide activity across multiple industries and countries. #Remcos #AsyncRAT #CloudflareWorkers #workersdev

  • Context Engineering | Compaction & Agent Memory for Automated Malware Analysis

    Context Engineering | Compaction & Agent Memory for Automated Malware Analysis

    SentinelLABS evaluated OpenAI’s native Responses API compaction for long-running malware analysis workflows and found it cut input tokens by about 86% with no measurable change in overall evaluation score. The study concluded that compaction can reduce noise and cost while preserving task quality, though it may slightly weaken domain object modeling in some cases. #OpenAI #ResponsesAPI #SentinelLABS

  • Linux Backdoor Targeting iKuai Routers

    MalwareHunterTeam identified an ELF backdoor uploaded from Japan to VirusTotal with zero detections, disguised as libjson_script.so.0 and targeting Linux-based iKuai routers. The sample uses encrypted C2 communications, task-based command execution, and device profiling to control compromised systems via 47.80.111[.]129:7380. #iKuai #OpenWrt #libjson_script.so.0 #47.80.111.129

  • Backdoors & Breaches: New scenarios and adaptations

    Backdoors & Breaches: New scenarios and adaptations

    Datadog introduced its Backdoors & Breaches expansion pack at DASH 2026, adding new starter scenarios, gameplay variations, and consultant-assisted exercises for incident response training. The four scenarios focus on current threat trends such as supply chain compromise, exposed cloud credentials, Kubernetes abuse, prompt injection, and GitHub Actions compromise. #BackdoorsBreaches #Datadog #DASH2026 #SecurityHQ #Kubernetes #GitHubActions

  • Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects

    Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects

    Kaspersky’s 2025 compromise assessments show that many serious intrusions went undetected for months or even years, with the oldest missed incident dating back four years. The report highlights recurring abuse of web shells, LoLBins, remote management tools, and named campaigns and actors such as NSABuffMiner, PurpleFox, LionTail, Scarred Manticore, Impacket, Cobalt Strike, Mimikatz, and ClipBanker. #NSABuffMiner #PurpleFox #LionTail #ScarredManticore #Impacket #CobaltStrike #Mimikatz #ClipBanker

  • From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach

    From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach

    Shai Hulud is a supply chain worm attributed to TeamPCP that targets npm and PyPI packages to steal CI/CD credentials and pivot into cloud environments such as AWS. FortiCNAPP linked compromised Jenkins runner activity to AWS abuse, where attackers escalated privileges, accessed Amazon Redshift and Aurora resources, staged S3 exfiltration, and prepared SES-based outbound email operations. #ShaiHulud #TeamPCP #Jenkins #AmazonRedshift #AWS #FortiCNAPP

  • JADEPUFFER: Agentic ransomware for automated database extortion

    JADEPUFFER: Agentic ransomware for automated database extortion

    Sysdig TRT reports what it assesses to be the first documented case of agentic ransomware, where an LLM-driven operator dubbed JADEPUFFER executed an end-to-end extortion campaign. The attack used CVE-2025-3248 against Langflow, then pivoted to a production MySQL/Nacos environment to create persistence, exfiltrate data, and encrypt and destroy configuration records. #JADEPUFFER #Langflow #CVE-2025-3248 #Nacos #MySQL

For the sites below, automatic FETCH cannot be performed
(i need to monitor it manual, will be delay 3-7 days)

Bellow are other reference, but for some reason i’m not fetching it automatically
(i need to review the article manually, will be delay 3-5 days)

  • cleafy.com/labs (update 1-2 months)
  • guidepointsecurity.com/blog/ > category: threat advisory
  • research.openanalysis.net
  • blog.phylum.io/tag/research/
  • shadowstackre.com/analysis/
  • mssplab.github.io
  • farghlymal.github.io
  • asec.ahnlab.com/ko/
  • blog.bushidotoken.net
  • kroll.com/en/insights/publications/cyber
  • Sentinelone.com
  • blog.lumen.com

Update

Update January, 2025

“Due to copyright reasons, starting January 2025, this site will no longer display the full content of sourced articles. Only Summaries, Key Points, MITRE Tactics for Threat Research, and selected IoCs will be provided. To read the full article, please click on the ‘source’ link to view it on the original website.”