CERT-UA Details New Cyber Attacks Against Ukrainian Defense Forces

Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a series of new cyberattacks targeting its defense forces and state institutions. These attacks, which took place between October and December 2025, involve various intrusion techniques and several malware families, including one known as PLUGGYAPE.

PLUGGYAPE attacks attributed to Void Blizzard

Among the most notable attacks are those distributing the PLUGGYAPE malware, attributed with “medium confidence” to the Russian hacking group Void Blizzard (also known as Laundry Bear or UAC-0190), active since at least April 2024. ...

January 14, 2026 · Comfidentia

ThreatsDay Newsletter Summary: The Constant Evolution of Attack Tactics

This week’s ThreatsDay newsletter highlights the continued adaptation of attackers, who are reconfiguring existing tools and finding new angles of attack on familiar systems. Small tactical changes are adding up quickly, suggesting possible directions for future security breaches.

Constantly Evolving Threat Tactics

The threat landscape is characterized by its fluidity, with attackers adapting quickly. Key points of this week’s activity include:

Repurposing old tools: Attackers do not always develop new tools, but rather find innovative ways to use pre-existing tools or common systems for their malicious purposes.

More sophisticated social engineering attacks: Recent activity shows an increase in “clever social hooks” designed to manipulate users and gain initial access.

Changing attack infrastructures: A shift is observed in the infrastructure used by threat actors, requiring constant monitoring to detect new patterns.

Attack Patterns and Exploit Speed

This week’s analysis highlights recurring patterns in how attacks evolve: ...

December 20, 2025 · Comfidentia

Kimsuky distributes DocSwap malware via QR codes in phishing campaign

North Korean threat group Kimsuky has been linked to a new cyberattack campaign that uses QR codes to distribute a new variant of the DocSwap Android malware. Attackers are using phishing sites that imitate South Korean logistics company CJ Logistics to trick victims.

Distribution and Deception Mechanism

The campaign targets users of Android mobile devices using a sophisticated social engineering method. The attack process develops as follows:

Launch of the Attack: Cybercriminals send smishing messages (phishing SMS) or emails impersonating package delivery companies to trick recipients into clicking on malicious URLs.

Redirection with QR Codes: Victims who access the fraudulent URLs from a desktop computer are redirected to a page that asks them to scan a QR code with their Android device. This QR code leads to the download of the malicious application.

Social Engineering to Outwit Warnings: The phishing site claims that the installation of a supposed tracking application is necessary to verify identity due to “international customs security policies.” This tactic seeks to convince victims to ignore Android security warnings about installing apps from unknown sources.

DocSwap Malware Technical Analysis

Analysis by South Korean cybersecurity company ENKI reveals that the new DocSwap variant features evolved capabilities: ...

December 18, 2025 · Comfidentia

Hacking group Jewelbug shifts focus to European government targets, using novel C2 infrastructure

The threat group known as Jewelbug, also tracked by Check Point Research as Ink Dragon, has intensified its attacks against government targets in Europe since July 2025. Although the actor, aligned with China and active since at least March 2023, continues to attack entities in Southeast Asia and South America, its focus has expanded significantly. Check Point Research has detailed the operations of this hacking group, highlighting its combination of solid software engineering, disciplined operational playbooks, and the reuse of native platform tools to blend into normal company telemetry. These tactics make their intrusions “effective and stealthy.” ...

December 17, 2025 · Comfidentia

AI Agent Orchestrates First Autonomous Cyberattack: Implications for SaaS Security

The GTG-1002 Attack: The First Autonomous Cyberspace Campaign

In November 2025, Anthropic revealed details of an unprecedented cyberespionage campaign, dubbed GTG-1002. This was the first documented case of an artificial intelligence (AI) agent orchestrating real-world intrusions with minimal human intervention. A Chinese state-sponsored group manipulated an Anthropic Code Assistant to run approximately 80% of a multi-target hacking campaign autonomously. Instead of simply advising cybercriminals, the AI took control of key phases of the operation, including: ...

December 9, 2025 · Comfidentia

CastleLoader MaaS Used by Various Threat Actors: The Expansion of GrayBravo

Recent research has revealed the existence of four distinct threat activity groups that are leveraging a malware loader known as CastleLoader. This evidence reinforces a previous assessment that the tool is offered to other cybercriminals under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been identified by Recorded Future’s Insikt Group as GrayBravo, previously tracked as TAG-150.

GrayBravo’s Profile

GrayBravo is a threat actor characterized by:

Rapid development cycles.
Technical sophistication.
Responsiveness to public reports.
An expansive and constantly evolving infrastructure.

Tools and Frameworks

GrayBravo’s toolset includes several key pieces of malware: ...

December 9, 2025 · Comfidentia

Hacking Groups Linked to China Quickly Exploit Critical React2Shell Vulnerability (CVE-2025-55182)

Two hacking groups linked to China have been detected weaponizing the newly disclosed vulnerability in React Server Components (RSC), known as React2Shell. The exploit was observed just hours after the existence of the flaw was made public, underscoring how quickly threat actors integrate new exploits into their campaigns.

The React2Shell Vulnerability (CVE-2025-55182)

The vulnerability in question is CVE-2025-55182, which has received a CVSS score of 10.0, indicating its maximum severity. This flaw allows unauthenticated remote code execution (RCE). ...

December 5, 2025 · Comfidentia

Cloudflare Mitigates Largest DDoS Attack in History by AISURU Botnet

Cloudflare has announced the detection and mitigation of a distributed denial of service (DDoS) attack that peaked at 29.7 terabits per second (Tbps), the largest ever recorded by the company. The attack, lasting 69 seconds, was launched by the botnet for hire known as AISURU.

The AISURU Botnet: The Engine of the Attack

Cloudflare identified that the attack came from the AISURU botnet, a cybercrime network that has been linked to numerous hyper-volumetric DDoS attacks over the past year. The AISURU botnet is estimated to be powered by a massive network of between 1 and 4 million infected hosts worldwide. ...

December 4, 2025 · Comfidentia

Silver Fox Uses False Flags to Camouflage ValleyRAT Attacks on Chinese Targets

The cybercriminal group known as Silver Fox has been identified orchestrating a “false flag” operation to imitate a Russian threat group. This tactic seeks to camouflage its attacks directed at organizations in China. The SEO poisoning campaign uses Microsoft Teams lures to trick unsuspecting users into downloading a malicious installation file. This file eventually deploys ValleyRAT (Winos 4.0), a malware associated with Chinese cybercrime groups. The activity has been taking place since November 2025. ...

December 4, 2025 · Comfidentia

Iranian Actors Attack Israeli Entities with New Backdoor MuddyViper and Charming Kitten Revelations

Threat actors linked to the Iranian state have launched a new series of attacks against Israeli entities in various sectors, deploying a previously undocumented backdoor known as MuddyViper. The activity has been attributed to MuddyWater (also known as Mango Sandstorm or TA450), a hacking group allegedly affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The attacks not only focused on Israel, but also on a technology company based in Egypt. Affected sectors in Israel include academia, engineering, local government, manufacturing, technology, transportation and public services. ...

December 2, 2025 · Comfidentia