Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
April 23, 2026 | Serhii Melnyk, King Orande, Cris Tomboc, Sean Shirley
Go With the Flow: Abusing OAuth Device Code Flow
April 20, 2026 | Jakub Wiewiorski
In early 2026, phishing attacks are still among the top contributors to the ...
Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead
April 13, 2026 | Jamie Mamroe
One of the fastest growing initial access techniques we are seeing right now is ...
Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet
April 10, 2026 | Sean Shirley
Overview: Recent reporting has identified a trojanized version of the CPUID ...
Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
April 09, 2026 | King Orande and Cris Tomboc
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which ...
Azure ServiceBus WebSockets as a C2 Channel
March 24, 2026 | Stuart White
In offensive security, the ability to blend seamlessly with legitimate traffic ...
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
March 23, 2026 | Sean Shirley
Recently LevelBlue SpiderLabs initiated an investigation into a multi-stage ...
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
March 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report expands LevelBlue’s ongoing investigation into a multi-stage ...
KongTuke: A King Among Threat Groups
March 18, 2026
This blog is the latest in a series that delves into the deep research ...
Phishing with OAuth Redirect
February 18, 2026 | Federico Cedolini
The LevelBlue SpiderLabs team identified phishing emails in January 2026 that ...
Pwning Malware with Ninjas and Unicorns
February 16, 2026 | Cade Wriglesworth
During a DFIR engagement, LevelBlue was asked to assist with reverse ...
How ClickFix Opens the Door to Stealthy StealC Information Stealer
February 12, 2026 | Rodel Mendrez
This analysis examines a complete attack chain targeting Windows systems ...
Stealerium Unmasked: Inside a Multi-Lure, Multi-Stage Stealer Campaign
February 11, 2026 | Bernard Bautista
In this investigation, we tracked a malware spam campaign that ultimately ...
Notepad-Plus Fuss: Notepad++ Supply Chain Attack Analysis
February 10, 2026 | King Orande
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team investigated the ongoing ...
19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 3
February 05, 2026 | Alexander Sevtsov, Chen Aviani
In the first two parts of our LockBit 5.0 series, we provided a comprehensive ...
19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 2
February 04, 2026 | Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi
In the first part of our LockBit 5.0 series, where we analyzed 19 samples of ...
LockBit 5.0 Introduces New Features: ChaCha20 Encryption, Stealthy Installation, and Anti-Analysis to Target Windows, Linux, and ESXi Environments
January 30, 2026 | SpiderLabs Researcher
The prolific LockBit ransomware-as-a-service (RaaS) group shows its dedication ...
19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 1
January 30, 2026 | Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi
This three-part blog series presents an analysis of 19 samples of a ...
Threat Intelligence News from LevelBlue SpiderLabs January 2026
January 06, 2026
January 2026
Why Do Criminals Love Phishing-as-a-Service Platforms?
September 23, 2024 | Rodel Mendrez
Phishing-as-a-Service (PaaS) platforms have become the go-to tool for ...
Hypervisor Development in Rust for Security Researchers (Part 1)
September 06, 2024
In the ever-evolving field of information security, curiosity and continuous ...
Scanning the Matrix: SIEM Best Practices
June 24, 2024 | David Broggy
(A thought from The Matrix: Neo likely used a SIEM before he took the red pill ...
AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
January 05, 2024 | Fernando Martinez
Executive summary: LevelBlue Labs has identified a campaign to deliver AsyncRAT ...
Detecting “Effluence”, An Unauthenticated Confluence Web Shell
November 09, 2023 | Zachary Reichert
Discovering Effluence, a unique web shell accessible on every page of an ...
Mac systems turned into proxy exit nodes by AdLoad
August 10, 2023 | Fernando Martinez
AdLoad malware is still infecting Mac systems years after its first appearance ...
PRISM attacks fly under the radar
August 23, 2021 | Fernando Dominguez
LevelBlue SpiderLabs has recently discovered a cluster of Linux ELF executables ...
Automated Padding Oracle Attacks With PadBuster
September 14, 2010 | Brian Holyfield
An automated script for performing Padding Oracle attacks.