LevelBlue’s Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q1 2026, a report built on frontline threat intelligence from our global incident response investigations across LevelBlue.
Vect ransomware, a new group that emerged in January 2026, has recently begun attracting attention in the cybersecurity space for its strategic partnerships, which are helping it expand. One notable collaboration is with TeamPCP, with evidence already surfacing as the latest victims on Vect's leak site appear to have been posted on behalf of TeamPCP.
Internet of Things (IoT) systems in hospitality environments are often overlooked as harmless amenities, but in reality, they can operate within highly interconnected networks, turning them into surprisingly effective gateways for broader system compromise.
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a progressive convergence between traditional cybercrime activity and attacks targeting cryptocurrency users.
For almost three decades now, threat actors have used remote access trojans (RATs) to monitor user activity and steal sensitive information and credentials. The RAT’s surreptitious nature has cemented its spot in malicious actors’ malware arsenal, and over the years, it has evolved to include advanced functionalities, including remote code execution, browser decryption, C2 communication, and reconnaissance.
In early 2026, phishing attacks are still among the top contributors to the true positive detections in security operation centers (SOCs). Adversaries constantly come up with new ways of luring users into traps, concealing their actual intents and stacking anti-detection features. LevelBlue’s Global Threat Operations (GTO) team continuously tracks those behaviors and analyzes how the attacks evolve over months. One of the most recent investigations led to the identification of a previously unseen, niche attack vector that can lead to user account compromise.
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh concerns for organizations relying on Microsoft Defender as a core layer of endpoint protection. Early indicators suggest similarities to the recently patched BlueHammer vulnerability (CVE-2026-33825), reinforcing a troubling trend: attackers are increasingly targeting the very tools designed to stop them.
One of the fastest growing initial access techniques we are seeing right now is Okta vishing: voice-based social engineering designed to compromise the identity provider rather than the inbox.
Recent reporting has identified a trojanized version of the CPUID HWMonitor installer being used to deliver a multi-stage, fileless malware chain leveraging trusted Windows binaries. Upon execution, the installer initiates a sequence involving PowerShell, MSBuild, and regsvr32, ultimately leading to the execution of malicious scriptlet files such as Clippy.sct and a secondary launcher scriptlet. These scriptlets utilize ActiveX (WScript.Shell) to silently invoke:
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which emerged in early 2026. In a recently observed campaign, the team found that ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) that captures administrator credentials and ensures persistence on compromised sites. On the infected website, the backdoor injects malicious inline scripts that leverage both XOR and Base64 obfuscation to evade detection. ErrTraffic utilizes the Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures.
On March 30, 2026, two malicious versions of the widely used axios HTTP client library were published to npm; axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which, in turn, downloads a Remote Access Toolkit (RAT).
I came up with a theory (based on science) that it may be possible to passively track wireless devices even though they are making use of the defense that is MAC Address Randomization.
Most organizations start by using Microsoft Copilot the way it looks in demos: type a question, get an answer. That works for exploration. For repeatable operational work, it gets expensive quickly.
In offensive security, the ability to blend seamlessly with legitimate traffic is vital to avoid detection. Establishing command-and-control (C2) communications can be challenging in environments fortified with security measures like perimeter firewalls and web proxies.
Recently LevelBlue SpiderLabs initiated an investigation into a multi-stage malware delivery campaign initially identified from LevelBlue’s MDR SOC through a SentinelOne detection of a suspicious Visual Basic Script (VBS) file.
As Apple computer’s market share continues to grow, threat actors are increasingly shifting their focus toward MacOS environments. Today, surging enterprise adoption and a user base of high-value targets, such as software engineers, executives, and cryptocurrency investors, attackers now see Macs as a highly profitable target.
This report expands LevelBlue’s ongoing investigation into a multi-stage fileless malware campaign in which a network of compromised legitimate websites redirects victims to fake CAPTCHA verification pages delivering credential-stealing payloads through a ClickFix social engineering mechanism.
This blog is the latest in a series that delves into the deep research conducted daily by the LevelBlue SpiderLabs team on major threat actor groups currently operating globally. It is an overview of the findings.
Entrar