{
	"id": "09f9ed83-9f25-4fac-a503-e9ebc930266e",
	"created_at": "2026-04-06T00:17:07.802405Z",
	"updated_at": "2026-04-10T03:28:03.156595Z",
	"deleted_at": null,
	"sha1_hash": "5f428de87aec1222c4c5896f161edc672ae8604e",
	"title": "SpiderLabs Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 192847,
	"plain_text": "SpiderLabs Blog\r\nArchived: 2026-04-05 16:03:38 UTC\r\nMajor Supply Chain Compromise in the Popular axios npm Package\r\nApril 03, 2026 | Karl Sigler\r\nUsing RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking\r\nMarch 31, 2026 | Tom Neaves\r\nI came up with a theory (based on science) that it may be possible to passively ...\r\nThe Value of Microsoft Security Copilot: SCU Billing and Why Agent Design Matters\r\nMarch 27, 2026 | David Broggy\r\nMost organizations start by using Microsoft Copilot the way it looks in demos: ...\r\nAzure ServiceBus WebSockets as a C2 Channel\r\nMarch 24, 2026 | Stuart White\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/necurs-spam-uses-dns-txt-records-for-redirection/\r\nPage 1 of 6\n\nIn offensive security, the ability to blend seamlessly with legitimate traffic ...\r\nTracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure\r\nMarch 23, 2026 | Sean Shirley\r\nRecently LevelBlue SpiderLabs initiated an investigation into a multi-stage ...\r\n“Say My Name”: How MioLab is building MacOS Stealer Empire\r\nMarch 20, 2026 | Mark Tsipershtein and Evgeny Ananin\r\nAs Apple computer’s market share continues to grow, threat actors are ...\r\nFake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault\r\nMarch 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez\r\nThis report expands LevelBlue’s ongoing investigation into a multi-stage ...\r\nKongTuke: A King Among Threat Groups\r\nMarch 18, 2026\r\nThis blog is the latest in a series that delves into the deep research ...\r\nHow LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker\r\nMarch 17, 2026 | Tue Luu\r\nTalk about dodging the insider threat from hell. From August 15 to 25, 2025, ...\r\nEpic Fury Update: Stryker Attack Highlights Handala's Shift from Espionage to Disruption\r\nMarch 12, 2026 | Arthur Erzberger\r\nOn March 11, 2026, the medical technology vendor Stryker disclosed a global ...\r\nWeaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks\r\nMarch 12, 2026 | John Kevin Adriano\r\nIn 2024, threat actors were already abusing URL rewriting mechanisms in ...\r\nBeware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs\r\nMarch 09, 2026 | Hema Loganathan\r\nCybereason GSOC has observed a notable increase in infections involving REMCOS ...\r\nDiscover and Exploit: Memory Corruption in CUPS (CVE-2025-61915)\r\nMarch 05, 2026 | Ariel Silver\r\nCVE-2025-61915 is a stack-based out-of-bounds write bug in CUPS. An unauthorized ...\r\nLevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis\r\nMarch 04, 2026 | Gal Romano\r\nAs combat operations that began on February 28 with joint US-Israeli strikes on ...\r\nOperation Epic Fury: From Regional Escalation to Global Cyber Risk\r\nMarch 03, 2026 | LevelBlue SpiderLabs\r\nIn light of escalating geopolitical tensions involving the United States, ...\r\nFrom Shadow IT to GhostOps: The Rise of Unauthorized AI Agents in the Enterprise\r\nFebruary 24, 2026 | Grant Hutchons\r\nIf you have worked in enterprise IT for long enough, you have lived through the ...\r\nPhishing with OAuth Redirect\r\nFebruary 18, 2026 | Federico Cedolini\r\nThe LevelBlue SpiderLabs team identified phishing emails in January 2026 that ...\r\nPwning Malware with Ninjas and Unicorns\r\nFebruary 16, 2026 | Cade Wriglesworth\r\nDuring a DFIR engagement, LevelBlue was asked to assist with reverse ...\r\nHow ClickFix Opens the Door to Stealthy StealC Information Stealer\r\nFebruary 12, 2026 | Rodel Mendrez\r\nThis analysis examines a complete attack chain targeting Windows systems ...\r\nStealerium Unmasked: Inside a Multi-Lure, Multi-Stage Stealer Campaign\r\nFebruary 11, 2026 | Bernard Bautista\r\nIn this investigation, we tracked a malware spam campaign that ultimately ...\r\nNotepad-Plus Fuss: Notepad++ Supply Chain Attack Analysis\r\nFebruary 10, 2026 | King Orande\r\nLevelBlue SpiderLabs’ Cyber Threat Intelligence Team investigated the ongoing ...\r\n19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 3\r\nFebruary 05, 2026 | Alexander Sevtsov, Chen Aviani\r\nIn the first two parts of our LockBit 5.0 series, we provided a comprehensive ...\r\n19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 2\r\nFebruary 04, 2026 | Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi\r\nIn the first part of our LockBit 5.0 series, where we analyzed 19 samples of ...\r\nThe Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions\r\nFebruary 03, 2026 | Mark Tsipershtein and Evgeny Ananin\r\nThe Cybereason, A LevelBlue Company, Threat Intelligence Team conducted an ...\r\nLockBit 5.0 Introduces New Features: ChaCha20 Encryption, Stealthy Installation, and Anti-Analysis to Target Windows, Linux, and ESXi Environments\r\nJanuary 30, 2026 | SpiderLabs Researcher\r\nThe prolific LockBit ransomware-as-a-service (RaaS) group shows its dedication ...\r\n19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 1\r\nJanuary 30, 2026 | Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi\r\nThis three-part blog series presents an analysis of 19 samples of a ...\r\nScenario 3: SOC/SIEM Takes in and Summarizes Windows Events (Log Files)\r\nJanuary 29, 2026 | Tom Neaves\r\nIn September last year I penned this blog Rogue AI Agents In Your SOCs and ...\r\nThe Hard Lessons Learned by Analyzing Education Sector Cyberattacks\r\nJanuary 26, 2026\r\nIn the last quarter of 2025, LevelBlue SpiderLabs used telemetry from the ...\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/necurs-spam-uses-dns-txt-records-for-redirection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/necurs-spam-uses-dns-txt-records-for-redirection/"
	],
	"report_names": [
		"necurs-spam-uses-dns-txt-records-for-redirection"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775791683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f428de87aec1222c4c5896f161edc672ae8604e.pdf",
		"text": "https://archive.orkl.eu/5f428de87aec1222c4c5896f161edc672ae8604e.txt",
		"img": "https://archive.orkl.eu/5f428de87aec1222c4c5896f161edc672ae8604e.jpg"
	}
}