Aeternum C2: The Takedown Resistant Botnet Using Blockchain

Cybersecurity researchers have revealed details about a new botnet loader called Aeternum C2, which uses a blockchain-based command and control (C2) infrastructure to resist takedown efforts. Instead of relying on traditional servers or domains, Aeternum stores its instructions on the public Polygon blockchain, making its C2 infrastructure permanent and resistant to conventional takedown methods.

Aeternum C2: A New Generation of Crimeware

The Aeternum C2 botnet operates as a native C++ loader available in x32 and x64 builds. Its operation is based on writing commands directed to infected hosts into smart contracts on the Polygon blockchain. Infected bots read these commands by querying public remote procedure call (RPC) endpoints. ...

February 26, 2026 · Comfidentia

New Cyber Espionage Campaign Targets Indian Users with Multi-Stage Blackmoon Backdoor

Cybersecurity researchers have uncovered an ongoing cyber espionage campaign specifically targeting users in India. The attack uses a multi-stage backdoor and sophisticated evasion techniques to achieve persistent access and data exfiltration from compromised systems.

Initial Attack Vector and Malicious Payloads

The campaign begins with phishing emails that impersonate the Income Tax Department of India. These emails trick victims into downloading a malicious archive file. The ultimate objective of the threat actors is to deploy a variant of the Blackmoon (also known as KRBanker) banking trojan and repurpose a legitimate enterprise tool, SyncFuture TSM (Terminal Security Management), for espionage purposes. ...

January 26, 2026 · Comfidentia

New Dual-Vector Campaign Uses Stolen Credentials and Legitimate RMM Software

Cybersecurity researchers have revealed details of a new dual-vector attack campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software. The goal is to establish persistent remote access to the compromised hosts. According to researchers at KnowBe4 Threat Labs, instead of deploying custom viruses, attackers are bypassing security perimeters by “weaponizing” necessary IT tools that administrators rely on. By stealing a system “master key,” they turn legitimate RMM software into a persistent backdoor. ...

January 26, 2026 · Comfidentia

PeckBirdy: A Versatile Script Framework Used by China-Aligned APT Groups

This report details two threat campaigns using the PeckBirdy JavaScript framework, attributed to China-aligned advanced persistent threat (APT) actors. The campaigns, temporarily named SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate the increasing sophistication and adaptability of these groups.

Analysis of the SHADOW-VOID-044 Campaign

The SHADOW-VOID-044 campaign has been linked to the UNC3569 threat actor with moderate to high confidence, based on overlapping TTPs and victims.

Link to UNC3569: Observed use of the GRAYRABBIT backdoor, previously associated with UNC3569. The command and control (C&C) server center.myrnicrosoft.com is the same one used by UNC3569, and the campaign target (the Chinese gaming industry) matches the known targets of this actor. The GRAYRABBIT implementation in this campaign uses a DLL sideloading technique combined with the UuidFromStringA PowerShell function.

Link to TheWizard: The campaign also deployed the HOLODONUT backdoor. Some HOLODONUT samples connected to the same C&C server (mkdmcdn.com) used by the APT group TheWizard. TheWizard has also used the DarkNimbus backdoor, associated with the Earth Minotaur actor.

Stolen Certificate: SHADOW-VOID-044 used a Cobalt Strike sample signed with a certificate stolen from a South Korean game company. The same certificate was used in the BIOPASS RAT campaign, linked to the actor Earth Lusca.

Infection Detection Technique: The BIOPASS RAT and MKDOOR campaigns employ a technique to verify infection: they open a local HTTP server on a high port so that a watering hole attack script can scan for it and confirm the presence of the backdoor on the host.

Analysis of the SHADOW-EARTH-045 Campaign

This campaign focused on a Filipino educational institution in July 2024. ...

January 26, 2026 · Comfidentia

Ingram Micro reveals data breach after ransomware attack in July 2025

Ingram Micro Suffers Data Breach Due to Ransomware Attack

Information technology giant Ingram Micro has confirmed a data breach affecting more than 42,000 people, the result of a ransomware attack detected in July 2025. The company, a global B2B service provider and technology distributor with net sales of $48 billion in 2024, launched an investigation after detecting a cybersecurity incident in its internal systems.

Incident Details and Compromised Data

The attack, which took place between July 2 and 3, 2025, allowed an unauthorized third party to steal files from Ingram Micro’s internal repositories. The compromised files included employee and job applicant records with a wide range of personal information, such as: ...

January 19, 2026 · Comfidentia

CERT-UA Details New Cyber Attacks Against Ukrainian Defense Forces

Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a series of new cyberattacks targeting its defense forces and state institutions. These attacks, which took place between October and December 2025, involve various intrusion techniques and several malware families, including one known as PLUGGYAPE.

PLUGGYAPE attacks attributed to Void Blizzard

Among the most notable attacks are those distributing the PLUGGYAPE malware, attributed with “medium confidence” to the Russian hacking group Void Blizzard (also known as Laundry Bear or UAC-0190), active since at least April 2024. ...

January 14, 2026 · Comfidentia

ThreatsDay Newsletter Summary: The Constant Evolution of Attack Tactics

This week’s ThreatsDay newsletter highlights the continued adaptation of attackers, who are reconfiguring existing tools and finding new angles of attack on familiar systems. Small tactical changes are adding up quickly, suggesting possible directions for future security breaches.

Constantly Evolving Threat Tactics

The threat landscape is characterized by its fluidity, with attackers adapting quickly. Key points of this week’s activity include:

Repurposing old tools: Attackers do not always develop new tools, but rather find innovative ways to use pre-existing tools or common systems for their malicious purposes.

More sophisticated social engineering attacks: Recent activity shows an increase in “clever social hooks” designed to manipulate users and gain initial access.

Changing attack infrastructures: A shift is observed in the infrastructure used by threat actors, requiring constant monitoring to detect new patterns.

Attack Patterns and Exploit Speed

This week’s analysis highlights recurring patterns in how attacks evolve: ...

December 20, 2025 · Comfidentia

Kimsuky distributes DocSwap malware via QR codes in phishing campaign

North Korean threat group Kimsuky has been linked to a new cyberattack campaign that uses QR codes to distribute a new variant of the DocSwap Android malware. Attackers are using phishing sites that imitate the South Korean logistics company CJ Logistics to trick victims.

Distribution and Deception Mechanism

The campaign targets users of Android mobile devices with a sophisticated social engineering method. The attack proceeds as follows:

Launch of the Attack: Cybercriminals send smishing messages (phishing SMS) or emails impersonating package delivery companies to trick recipients into clicking on malicious URLs.

Redirection with QR Codes: Victims who access the fraudulent URLs from a desktop computer are redirected to a page that asks them to scan a QR code with their Android device. This QR code leads to the download of the malicious application.

Social Engineering to Outwit Warnings: The phishing site claims that the installation of a supposed tracking application is necessary to verify identity due to “international customs security policies.” This tactic seeks to convince victims to ignore Android security warnings about installing apps from unknown sources.

DocSwap Malware Technical Analysis

Analysis by South Korean cybersecurity company ENKI reveals that the new DocSwap variant features evolved capabilities: ...

December 18, 2025 · Comfidentia

Hacking group Jewelbug shifts focus to European government targets, using novel C2 infrastructure

The threat group known as Jewelbug, also tracked by Check Point Research as Ink Dragon, has intensified its attacks against government targets in Europe since July 2025. Although the actor, aligned with China and active since at least March 2023, continues to attack entities in Southeast Asia and South America, its focus has expanded significantly. Check Point Research has detailed the operations of this hacking group, highlighting its combination of solid software engineering, disciplined operational playbooks, and the reuse of native platform tools to blend into normal company telemetry. These tactics make their intrusions “effective and stealthy.” ...

December 17, 2025 · Comfidentia

CISA Adds WinRAR Vulnerability to KEV Catalog for Active Exploitation

CISA warns about WinRAR vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability affecting the WinRAR compression software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal flaw that could allow code execution. To be exploited, it requires the target to visit a malicious web page or open a malicious file. ...

December 10, 2025 · Comfidentia