This Threat Analysis report is part of the “Purple Team Series” in which the LevelBlue Global Security Operations Center (GSOC) provides a technical overview of some of the methods that threat actors are using to compromise their victims.
LevelBlue’s Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q1 2026, a report built on frontline threat intelligence from our global incident response investigations across LevelBlue.
Vect ransomware, a new group that emerged in January 2026, has recently begun attracting attention in the cybersecurity space for its strategic partnerships, which are helping it expand. One notable collaboration is with TeamPCP, with evidence already surfacing as the latest victims on Vect's leak site appear to have been posted on behalf of TeamPCP.
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a progressive convergence between traditional cybercrime activity and attacks targeting cryptocurrency users.
For almost three decades now, threat actors have used remote access trojans (RATs) to monitor user activity and steal sensitive information and credentials. The RAT’s surreptitious nature has cemented its spot in malicious actors’ malware arsenal, and over the years, it has evolved to include advanced functionalities, including remote code execution, browser decryption, C2 communication, and reconnaissance.
In early 2026, phishing attacks are still among the top contributors to the true positive detections in security operation centers (SOCs). Adversaries constantly come up with new ways of luring users into traps, concealing their actual intents and stacking anti-detection features. LevelBlue’s Global Threat Operations (GTO) team continuously tracks those behaviors and analyzes how the attacks evolve over months. One of the most recent investigations led to the identification of a previously unseen, niche attack vector that can lead to user account compromise.
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh concerns for organizations relying on Microsoft Defender as a core layer of endpoint protection. Early indicators suggest similarities to the recently patched BlueHammer vulnerability (CVE-2026-33825), reinforcing a troubling trend: attackers are increasingly targeting the very tools designed to stop them.
One of the fastest growing initial access techniques we are seeing right now is Okta vishing: voice-based social engineering designed to compromise the identity provider rather than the inbox.
Recent reporting has identified a trojanized version of the CPUID HWMonitor installer being used to deliver a multi-stage, fileless malware chain leveraging trusted Windows binaries. Upon execution, the installer initiates a sequence involving PowerShell, MSBuild, and regsvr32, ultimately leading to the execution of malicious scriptlet files such as Clippy.sct and a secondary launcher scriptlet. These scriptlets utilize ActiveX (WScript.Shell) to silently invoke:
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which emerged in early 2026. In a recently observed campaign, the team found that ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) that captures administrator credentials and ensures persistence on compromised sites. On the infected website, the backdoor injects malicious inline scripts that leverage both XOR and Base64 obfuscation to evade detection. ErrTraffic utilizes the Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures.
On March 30, 2026, two malicious versions of the widely used axios HTTP client library were published to npm; axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which, in turn, downloads a Remote Access Toolkit (RAT).
I came up with a theory (based on science) that it may be possible to passively track wireless devices even though they are making use of the defense that is MAC Address Randomization.
As Apple computer’s market share continues to grow, threat actors are increasingly shifting their focus toward MacOS environments. Today, surging enterprise adoption and a user base of high-value targets, such as software engineers, executives, and cryptocurrency investors, attackers now see Macs as a highly profitable target.
This report expands LevelBlue’s ongoing investigation into a multi-stage fileless malware campaign in which a network of compromised legitimate websites redirects victims to fake CAPTCHA verification pages delivering credential-stealing payloads through a ClickFix social engineering mechanism.
This blog is the latest in a series that delves into the deep research conducted daily by the LevelBlue SpiderLabs team on major threat actor groups currently operating globally. It is an overview of the findings.
Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korea attempt to infiltrate an organization by replying to a help wanted ad.
On March 11, 2026, the medical technology vendor Stryker disclosed a global cyberattack affecting its Microsoft environment. The company said there was no indication of ransomware or malware, but the full scope and restoration timeline were unknown.
In 2024, threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains. Between the second and fourth quarters of 2025, LevelBlue SpiderLabs identified a notable escalation in this tactic, with adversaries deliberately constructing multi‑layered URL rewriting as redirectors, chaining together multiple trusted providers to further obscure the final malicious domain and evade traditional email security controls.
Entrar