Threat-Intelligence

The cybercriminal group known as Silver Fox has been identified orchestrating a “false flag” operation to imitate a Russian threat group. This tactic seeks to camouflage its attacks directed at organizations in China. The SEO poisoning campaign uses Microsoft Teams lures to trick unsuspecting users into downloading a malicious installation file. This file eventually deploys ValleyRAT (Winos 4.0), a malware associated with Chinese cybercrime groups. The activity has been taking place since November 2025. ...

Microsoft has quietly fixed a security vulnerability that has been exploited by multiple threat actors since 2017. The fix was included in the November 2025 Patch Tuesday updates. The vulnerability, tracked as CVE-2025-9491 (CVSS score: 7.8/7.0), is a “misinterpretation of the Windows shortcut file (LNK) user interface” flaw that could lead to remote code execution. Vulnerability Details (CVE-2025-9491) The vulnerability lies in how Windows handles .LNK files. The main problem is that a shortcut file can be manipulated to hide malicious commands from the user who inspects the file through the user interface. ...

Phishing kits typically have distinctive signatures in their delivery methods and infrastructure, making attribution easier. However, analysts have recently observed an overlap between two phishing kits such as Salty2FA and Tycoon2FA, marking a significant change that complicates detection. ANY.RUN observed a sudden drop in Salty2FA activity, followed by the appearance of Tycoon2FA indicators within Salty attack chains. Finally, unique payloads were detected that combined code from both frameworks. This convergence weakens kit-specific detection rules and gives threat actors more leeway to evade early detection. ...

Threat actors linked to the Iranian state have launched a new series of attacks against Israeli entities in various sectors, deploying a previously undocumented backdoor known as MuddyViper. The activity has been attributed to MuddyWater (also known as Mango Sandstorm or TA450), a hacking group allegedly affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The attacks not only focused on Israel, but also on a technology company based in Egypt. Affected sectors in Israel include academia, engineering, local government, manufacturing, technology, transportation and public services. ...

North Korean threat actors responsible for the “Contagious Interview” campaign have flooded the npm registry with 197 additional malicious packages since last month. According to a Socket analysis, these packages have accumulated more than 31,000 downloads and are designed to distribute a variant of OtterCookie that combines features from BeaverTail and previous versions of OtterCookie. Infection Mechanism and Malware Capabilities The malware, once executed, performs various evasion actions, profiles the compromised machine and establishes a command and control (C2) channel. This channel provides attackers with remote shell and data theft capabilities, including: ...

Ontinue security researchers have discovered a “cross-tenant blind spot” in Microsoft Teams that allows attackers to bypass Microsoft Defender for Office 365 protections using the guest access feature. The problem is that when a user operates as a guest in an external tenant, their security protections are determined entirely by the hosting environment, and not by the security policies of their home organization. This fundamental architectural gap opens the door to attack scenarios where users become unprotected guests in a malicious environment controlled by the attacker. ...

Threat actors linked to the RomCom group have been observed using the SocGholish JavaScript loader to deliver the Mythic Agent to a US-based civil engineering company. This event marks the first time that a RomCom payload distributed through SocGholish has been detected. The attack has been attributed with medium-high confidence to Unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The targeted entity is a company that had previously worked for a city with close ties to Ukraine. ...