|
|
|
|
LevelBlue Labs
Threat Intelligence News
|
|
|
The LevelBlue Labs update gives you the latest threat news, including recent updates to USM Anywhere detections and new threat intelligence published in the LevelBlue Labs Open Threat Exchange (OTX), one of the largest open threat intelligence sharing communities in the world.
|
|
|
|
|
|
Latest Threat Intelligence News
|
|
|
|
|
|
|
Black Basta RaaS: Latest TTPs
|
|
|
|
Two blogs were published this month regarding Black Basta's TTPs.
The first blog, written by TrendMicro, discusses how the Black Basta and Cactus ransomware groups are leveraging BackConnect malware. Both groups gained initial access through a multi-stage social engineering attack. First, a flood of phishing emails posing as IT helpdesk were sent to the victims. They were then contacted through Microsoft Teams and persuaded to provide Quick Assist access, allowing the attacker to gain remote access into the victims’ systems. Finally, BackConnect malware was installed in the system to maintain persistent control and exfiltrate sensitive data from the compromised machines.
The second blog by EclecticIQ analyzed the internal chat logs of Black Basta RaaS leaked in February of 2025. The analysis concluded that the ransomware group was targeting vulnerable or weakly configured edge network devices to gain an initial foothold in the network. This was accomplished through a previously unknown brute forcing framework named BRUTED. This framework enables Black Basta affiliates to automate and scale these attacks, expanding their victim pool and accelerating monetization to drive ransomware operations.
|
|
|
|
VanHelsing: New RaaS
|
Checkpoint published a new blog reporting on a new RaaS named VanHelsing. Since the new service launched on March 7, 2025, Check Point has already identified two malware samples targeting Windows, and three different victims. The ransomware group doesn’t appear to target a specific operating system, as they claim to also target Linux, BSD, ARM and ESXi. The RaaS allows affiliates to participate in their activities after a $5,000 deposit. The only rule is to not target the Commonwealth of Independent States (CIS).
|
|
|
|
UNC3886 Targets Juniper Routers
|
Mandiant published a blog that deep dives into China-nexus espionage group UNC3886’s operation targeting Juniper Routers. The campaign was first identified by Mandiant in mid-2024, uncovering several backdoors built upon a basic TINYSHELL implementation for FreeBSD. These backdoors were heavily customized with unique capabilities as reported by Mandiant.
The victims were running End of Life hardware and software, but Juniper released a new image of the software in order to run a malware removal tool.
|
|
|
|
Apache Tomcat RCE (CVE-2025-24813)
|
CVE-2025-24813 is a critical path equivalence vulnerability in Apache Tomcat. Attackers could view or modify files as long as they knew the filenames. Recorded Future reported over 378,000 exposed endpoints as per their Shodan research. In certain scenarios, the vulnerability could lead to a Remote Code Execution (RCE). The conditions for the RCE are strict and significantly reduce the number of exposed devices vulnerable to it. Exploitation attempts by threat actors have been observed in the wild, as reported by Recorded Future.
|
|
|
|
Veeam Backup RCE (CVE-2025-23120)
|
Backup and recovery software provider Veeam published a security advisory on March 19, alerting on a critical RCE vulnerability (CVE-2025-23120). The vulnerability affects backup & replication systems that are domain joined.
No public Proof of Concept has been published, but Watchtowr has released technical details around the vulnerability and its similarities with the older CVE-2024-40711, which eases the path to an exploit.
|
|
|
|
|
|
Tracking, Detection & Hunting Capabilities
|
|
|
|
|
|
LevelBlue Labs has created the following Adversary Trackers to automatically identify and detect malicious infrastructure:
|
- GhostSock: This Golang-based SOCKS5 proxy malware has collaboration agreements with Lumma Infostealer to provide discounts to both of their customers.
- Kongtuke: This JavaScript downloader, previously known for its fake browser update to trick users into downloading their payloads, has recently been observed delivering fake “verify you are human” captchas that lead to the execution of malicious PowerShell scripts.
|
The following Adversary Trackers have also been updated during the month of March:
|
- Amadey
- RaccoonO365
- Brute Ratel
- Mamba2FA
- Mythic
|
The team has identified the following malware/threat actors as the most active during the month of March:
|
- SocGholish: continues to be the most relevant malware observed by LevelBlue Labs, mainly due to the amount of compromised websites and how frequently they are accessed. In addition to their usual activities, TrendMicro has reported this month on SocGholish being a key enabler in deploying RansomHub ransomware through compromised websites.
|
|
The LevelBlue trackers have identified over 2000 new IOCs for the different families it tracks. The busiest trackers during the month of March have been:
|
|
|
|
|
|
|
USM Anywhere Detection Improvements
|
|
|
|
|
|
In March, LevelBlue Labs added or updated 109 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue Labs developed:
|
- A major refresh of the CrowdStrike ruleset with updates and additions to 46 detections. Includes updates to malware, ransomware and malicious documents rules, to specific techniques regarding persistence, evasion, and communications with C&C.
- Improvements to the ESET ruleset to improve the displayed descriptions.
- Detections for IT tools being used for malicious purposes, such as: Rsync for Shell Execution, PowerShell reverse SSH Tunnels and NTLM Relay attacks with Certipy.
|
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
|
|
|
|
|
|
|
|
LevelBlue Labs Open Threat Exchange
|
|
|
|
|
LevelBlue Labs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 450,000 threat researchers from 140 countries globally who publish threat information to the platform daily. LevelBlue Labs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more.
Learn more about OTX, its benefits, and how you can join here.
|
|
|
|
|
The LevelBlue Labs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and researchable repositories of information about threats, threat actors, campaigns, and more. This includes indicators of compromise, IoCs, that are useful to members.
In March, 117 new Pulses were created by the Labs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
|
|
|
|
|
|
|
|
|
|
|
|
LevelBlue Labs is the threat intelligence unit of LevelBlue and includes a global team of threat researchers and data scientists who, combined with proprietary technology in data analytics and machine learning (ML), analyze one of the largest and most diverse collections of threat data in the world.
Our research team delivers tactical threat intelligence that powers resilient threat detection and response — even as an organization’s attack surface expands, technology evolves, and adversaries change their tactics, techniques, and procedures.
|
|
|
|
|
|
|
|
|
