Emerging Threats

RoguePlanet and GreatXML: Detecting Local Privilege Escalation and BitLocker Security Boundary Abuse

2026-06-17 at 21:58, by Serhii Melnyk. Following our previous research, LevelBlue SpiderLabs continued monitoring a series of Windows security component disclosures published under multiple online aliases, including Nightmare-Eclipse, Chaotic Eclipse, Dead Eclipse, and most recently MSNightmare. This article is an excerpt from LevelBlue SpiderLabs […]

AI Is Reshaping Cyber Risk Faster Than Most Boards Realize

2026-06-17 at 17:00. Artificial Intelligence is no longer a future cybersecurity concern. It is actively reshaping how attacks are conducted, how organizations respond, and how business leaders must think about enterprise risk. This article is an excerpt from LevelBlue Blog.

ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

2026-06-04 at 23:11, by King Orande and Cris Tomboc. The LevelBlue OpsIntel CTI team examined the latest version of the ClickFix campaign, which emerged in early May 2026. The campaign employs a multi-stage phishing delivery chain that impersonates trusted employment and professional networking platforms,

macOS ClickFix Social Engineering Campaigns

2026-06-04 at 22:23, by Maor Gabay. Overview: The “ClickFix” threat landscape has undergone a significant architectural shift, transitioning from legacy Windows-based execution to sophisticated macOS-targeted campaigns. These operations prioritize social engineering over software vulnerability exploitation, systematically leveraging established user behaviors and professional workflows. By presenting deceptive “fixes,” “verifications,” or installation

The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

2026-06-03 at 20:20, by Jose Martin. In Brazil, Nota Fiscal eletrônica (NF-e) is the everyday name for an official electronic invoice. Real ones often arrive as a ZIP whose long number looks like paperwork. Criminals reused that habit: their email attachment can look

Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign

2026-05-28 at 17:00, by Maor Gabay. We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff/UNC1069). This article is an excerpt from LevelBlue SpiderLabs Blog.

From WinRE to SYSTEM: Hunting the YellowKey and MiniPlasma Attack Chain

2026-05-22 at 22:53. Since April 2026, LevelBlue SpiderLabs’ Cyber Threat Intelligence team has tracked a series of public zero-day disclosures targeting Microsoft Windows, attributed to an anonymous actor operating under the names Chaotic Eclipse and Nightmare Eclipse. The activity spans multiple areas of

YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled

2026-05-19 at 17:33, by James Ballantyne and Pauline Bolaños. Two novel Windows zero-day vulnerabilities dubbed YellowKey, which bypasses BitLocker drive encryption, and GreenPlasma, a local privilege escalation bug that targets a trusted Windows process called CTFMON, were recently publicly released. Nightmare-Eclipse (aka Chaotic Eclipse), a researcher who

Threat Analysis: Backdoored Electron Apps Evading Defenses

2026-05-08 at 18:03, by Michael Morose. This Threat Analysis report is part of the “Purple Team Series” in which the LevelBlue Global Security Operations Center (GSOC) provides a technical overview of some of the methods that threat actors are using to compromise their victims. This article is an

Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

2026-05-07 at 17:34, by Mahadev Joshi. LevelBlue’s Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. This article is an excerpt from LevelBlue SpiderLabs Blog.

LevelBlue TTP Briefing Q1 2026: Trust Abuse Exposes Weaknesses

2026-05-05 at 17:00. Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q1 2026, a report built on frontline threat intelligence from our global incident response investigations across LevelBlue. This article is an excerpt

Inside Vect Ransomware-as-a-Service

2026-04-30 at 18:18, by Nathaniel Morales. Vect ransomware, a new group that emerged in January 2026, has recently begun attracting attention in the cybersecurity space for its strategic partnerships, which are helping it expand. One notable collaboration is with TeamPCP, with evidence already surfacing as the latest victims on Vect’s leak site

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

2026-04-23 at 17:11, by Serhii Melnyk, King Orande, Cris Tomboc, and Sean Shirley. LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a progressive convergence between traditional cybercrime activity and attacks targeting cryptocurrency users. This article is an excerpt from LevelBlue SpiderLabs Blog.

A Closer Look at the Novel and Stealthy KarstoRAT Malware

2026-04-21 at 17:36, by Chen Aviani. For almost three decades now, threat actors have used remote access trojans (RATs) to monitor user activity and steal sensitive information and credentials. The RAT’s surreptitious nature has cemented its spot in malicious actors’ malware arsenal, and over the

Go With the Flow: Abusing OAuth Device Code Flow

2026-04-20 at 17:03, by Jakub Wiewiorski. In early 2026, phishing attacks are still among the top contributors to the true positive detections in security operation centers (SOCs). Adversaries constantly come up with new ways of luring users into traps, concealing their actual intents and stacking anti-detection

RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait

2026-04-17 at 21:02. A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh concerns for organizations relying on Microsoft Defender as a core layer of endpoint protection. Early indicators suggest similarities to the recently patched BlueHammer vulnerability (CVE-2026-33825), reinforcing a troubling trend:

Beyond the Fence: Securing Our Skies from the Drone Threat

2026-04-14 at 17:02. For decades, security leaders have optimized defenses in two dimensions. Doors, locks, fences, cameras, access badges, identity systems, and multi-factor authentication have all been designed to control who and what moves through physical and digital perimeters. This article is an excerpt