Emerging Threats

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems 2026-04-23 at 17:11 By Serhii Melnyk, King Orande, Cris Tomboc, Sean Shirley LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a progressive convergence between traditional cybercrime activity and attacks targeting cryptocurrency users. This article is an excerpt from LevelBlue SpiderLabs Blog View […]

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems Read More »

A Closer Look at the Novel and Stealthy KarstoRAT Malware

A Closer Look at the Novel and Stealthy KarstoRAT Malware 2026-04-21 at 17:36 By Chen Aviani For almost three decades now, threat actors have used remote access trojans (RATs) to monitor user activity and steal sensitive information and credentials. The RAT’s surreptitious nature has cemented its spot in malicious actors’ malware arsenal, and over the

A Closer Look at the Novel and Stealthy KarstoRAT Malware Read More »

Go With the Flow: Abusing OAuth Device Code Flow

Go With the Flow: Abusing OAuth Device Code Flow 2026-04-20 at 17:03 By Jakub Wiewiorski In early 2026, phishing attacks are still among the top contributors to the true positive detections in security operation centers (SOCs). Adversaries constantly come up with new ways of luring users into traps, concealing their actual intents and stacking anti-detection

Go With the Flow: Abusing OAuth Device Code Flow Read More »

RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait

RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait 2026-04-17 at 21:02 By A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh concerns for organizations relying on Microsoft Defender as a core layer of endpoint protection. Early indicators suggest similarities to the recently patched BlueHammer vulnerability (CVE-2026-33825), reinforcing a troubling trend:

RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait Read More »

Beyond the Fence: Securing Our Skies from the Drone Threat

Beyond the Fence: Securing Our Skies from the Drone Threat 2026-04-14 at 17:02 By For decades, security leaders have optimized defenses in two dimensions. Doors, locks, fences, cameras, access badges, identity systems, and multi-factor authentication have all been designed to control who and what moves through physical and digital perimeters. This article is an excerpt

Beyond the Fence: Securing Our Skies from the Drone Threat Read More »

Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead

Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead 2026-04-13 at 17:31 By Jamie Mamroe One of the fastest growing initial access techniques we are seeing right now is Okta vishing: voice-based social engineering designed to compromise the identity provider rather than the inbox. This article is an excerpt from LevelBlue SpiderLabs Blog View

Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead Read More »

Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet

Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet 2026-04-11 at 02:20 By Sean Shirley Overview Recent reporting has identified a trojanized version of the CPUID HWMonitor installer being used to deliver a multi-stage, fileless malware chain leveraging trusted Windows binaries. Upon execution, the installer initiates a sequence involving PowerShell, MSBuild, and

Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet Read More »

Axios NPM Package Supply Chain Compromise Leads to RAT Deployment

Axios NPM Package Supply Chain Compromise Leads to RAT Deployment 2026-04-09 at 23:38 By Mahadev Joshi and Sho Kishimoto KEY OBSERVATIONS Malicious Package Versions Identified: Malicious versions of the Axios npm package ([email protected] and [email protected]) were observed within a customer’s environment, indicating exposure to the supply chain compromise. Suspicious Dependency Execution: The presence of an

Axios NPM Package Supply Chain Compromise Leads to RAT Deployment Read More »

Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign

Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign 2026-04-09 at 16:17 By King Orande and Cris Tomboc TLP: AMBER+STRICT The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which emerged in early 2026. In a recently observed campaign, the team found that ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script

Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign Read More »

Major Supply Chain Compromise in the Popular axios npm Package

Major Supply Chain Compromise in the Popular axios npm Package 2026-04-03 at 17:52 By Karl Sigler On March 30, 2026, two malicious versions of the widely used axios HTTP client library were published to npm; [email protected] and [email protected]. The malicious versions inject a new dependency, [email protected], which, in turn, downloads a Remote Access Toolkit (RAT).

Major Supply Chain Compromise in the Popular axios npm Package Read More »

Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking

Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking 2026-03-31 at 18:01 By Tom Neaves I came up with a theory (based on science) that it may be possible to passively track wireless devices even though they are making use of the defense that is MAC Address Randomization. This article is

Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking Read More »

“Say My Name”: How MioLab is building MacOS Stealer Empire

“Say My Name”: How MioLab is building MacOS Stealer Empire 2026-03-20 at 21:16 By Mark Tsipershtein and Evgeny Ananin As Apple computer’s market share continues to grow, threat actors are increasingly shifting their focus toward MacOS environments. Today, surging enterprise adoption and a user base of high-value targets, such as software engineers, executives, and cryptocurrency

“Say My Name”: How MioLab is building MacOS Stealer Empire Read More »

Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault

Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault 2026-03-19 at 22:28 By Shabtay Barel, Serhii Melnyk, Rodel Mendrez This report expands LevelBlue’s ongoing investigation into a multi-stage fileless malware campaign in which a network of compromised legitimate websites redirects victims to fake CAPTCHA verification pages delivering credential-stealing payloads through a ClickFix social engineering mechanism. This

Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault Read More »

How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker

How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker 2026-03-17 at 16:02 By Tue Luu Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korea

How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker Read More »

Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs

Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs 2026-03-13 at 19:32 By Hema Loganathan Cybereason GSOC has observed a notable increase in infections involving REMCOS RAT, often delivered through vulnerable or potentially unwanted applications (PUAs). This article is an excerpt from LevelBlue SpiderLabs Blog View Original Source

Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs Read More »

Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks

Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks 2026-03-13 at 19:32 By John Kevin Adriano In 2024, threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains. Between the second and fourth quarters of 2025, LevelBlue SpiderLabs identified a notable escalation in this tactic, with adversaries deliberately

Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks Read More »

Epic Fury Update: Stryker Attack Highlights Handala’s Shift from Espionage to Disruption

Epic Fury Update: Stryker Attack Highlights Handala’s Shift from Espionage to Disruption 2026-03-13 at 19:32 By Arthur Erzberger On March 11, 2026, the medical technology vendor Stryker disclosed a global cyberattack affecting its Microsoft environment. The company said there was no indication of ransomware or malware, but the full scope and restoration timeline were unknown.

Epic Fury Update: Stryker Attack Highlights Handala’s Shift from Espionage to Disruption Read More »

LevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis

LevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis 2026-03-13 at 19:32 By Gal Romano As combat operations that began on February 28 with joint US-Israeli strikes on Iran’s military and leadership continue, cybersecurity analysts are turning their attention to how this 21st-century conflict is unfolding in the digital domain.

LevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis Read More »

The 6 Steps Organizations Should Immediately Take to Mitigate Quantum-Related Risk

The 6 Steps Organizations Should Immediately Take to Mitigate Quantum-Related Risk 2026-03-10 at 16:00 By Lynn Burns The reality of quantum computing is not quite here, but nobody should fool themselves into believing they should not prepare ahead of time. This article is an excerpt from LevelBlue Blog View Original Source

The 6 Steps Organizations Should Immediately Take to Mitigate Quantum-Related Risk Read More »

Scroll to Top