CastleLoader MaaS Used by Various Threat Actors: The Expansion of GrayBravo

Recent research has revealed four distinct threat activity groups that are leveraging a malware loader known as CastleLoader. This evidence reinforces an earlier assessment that the tool is offered to other cybercriminals under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been identified by Recorded Future’s Insikt Group as GrayBravo, previously tracked as TAG-150.

GrayBravo’s Profile
GrayBravo is a threat actor characterized by:
- Rapid development cycles.
- Technical sophistication.
- Responsiveness to public reports.
- An expansive and constantly evolving infrastructure.

Tools and Frameworks
GrayBravo’s toolset includes several key pieces of malware: ...

December 9, 2025 · Comfidentia

Hacking Groups Linked to China Quickly Exploit Critical React2Shell Vulnerability (CVE-2025-55182)

Two hacking groups linked to China have been detected weaponizing the newly disclosed vulnerability in React Server Components (RSC), known as React2Shell. Exploitation was observed just hours after the flaw was made public, underscoring how quickly threat actors integrate new exploits into their campaigns.

The React2Shell Vulnerability (CVE-2025-55182)
The vulnerability in question is CVE-2025-55182, which has received a CVSS score of 10.0, the maximum severity. The flaw allows unauthenticated remote code execution (RCE). ...

December 5, 2025 · Comfidentia

Cloudflare Mitigates Largest DDoS Attack in History by AISURU Botnet

Cloudflare has announced the detection and mitigation of a distributed denial-of-service (DDoS) attack that peaked at 29.7 terabits per second (Tbps), the largest ever recorded by the company. The attack, which lasted 69 seconds, was launched by the botnet-for-hire known as AISURU.

The AISURU Botnet: The Engine of the Attack
Cloudflare identified that the attack came from the AISURU botnet, a cybercrime network that has been linked to numerous hyper-volumetric DDoS attacks over the past year. The AISURU botnet is estimated to be powered by a massive network of between 1 and 4 million infected hosts worldwide. ...

December 4, 2025 · Comfidentia

Silver Fox Uses False Flags to Camouflage ValleyRAT Attacks on Chinese Targets

The cybercriminal group known as Silver Fox has been identified orchestrating a “false flag” operation that imitates a Russian threat group. The tactic seeks to camouflage its attacks against organizations in China. The SEO poisoning campaign uses Microsoft Teams lures to trick unsuspecting users into downloading a malicious installer. This file eventually deploys ValleyRAT (Winos 4.0), a malware family associated with Chinese cybercrime groups. The activity has been ongoing since November 2025. ...

December 4, 2025 · Comfidentia

Iranian Actors Attack Israeli Entities with New Backdoor MuddyViper and Charming Kitten Revelations

Threat actors linked to the Iranian state have launched a new series of attacks against Israeli entities in various sectors, deploying a previously undocumented backdoor known as MuddyViper. The activity has been attributed to MuddyWater (also known as Mango Sandstorm or TA450), a hacking group allegedly affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The attacks were not limited to Israel: a technology company based in Egypt was also targeted. Affected sectors in Israel include academia, engineering, local government, manufacturing, technology, transportation and public services. ...

December 2, 2025 · Comfidentia

North Korean actors intensify 'Contagious Interview' campaign on npm registry

North Korean threat actors responsible for the “Contagious Interview” campaign have flooded the npm registry with 197 additional malicious packages since last month. According to a Socket analysis, these packages have accumulated more than 31,000 downloads and are designed to distribute a variant of OtterCookie that combines features from BeaverTail and previous versions of OtterCookie.

Infection Mechanism and Malware Capabilities
Once executed, the malware performs various evasion actions, profiles the compromised machine and establishes a command-and-control (C2) channel. This channel provides attackers with remote shell and data theft capabilities, including: ...

November 28, 2025 · Comfidentia

RomCom Uses SocGholish to Distribute Mythic Agent in Attack on Engineering Company

Threat actors linked to the RomCom group have been observed using the SocGholish JavaScript loader to deliver the Mythic Agent to a US-based civil engineering company. This is the first time a RomCom payload distributed through SocGholish has been detected. The attack has been attributed with medium-to-high confidence to Unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The targeted entity is a company that had previously worked for a city with close ties to Ukraine. ...

November 26, 2025 · Comfidentia