Threat Intelligence News from LevelBlue SpiderLabs December 2025
LevelBlue SpiderLabs has published its latest threat intelligence, covering the Shai-Hulud 2.0 npm supply chain attack, the Operation Endgame takedown of the Rhadamanthys malware, detection improvements, and OTX community updates. Shai-Hulud 2.0 infected more than 700 npm packages and affected developer environments; law enforcement dismantled the Rhadamanthys infrastructure; 18 USM Anywhere detection rules were added; and 99 new pulses sharing threat intelligence were added to OTX. 2025-12-12 14:0:1 Author: levelblue.com

LevelBlue SpiderLabs is the threat intelligence unit of LevelBlue and includes a global team of threat researchers and data scientists who, combined with proprietary technology in data analytics and machine learning (ML), analyze one of the largest and most diverse collections of threat data in the world. 

Our research team delivers tactical threat intelligence that powers resilient threat detection and response — even as an organization’s attack surface expands, technology evolves, and adversaries change their tactics, techniques, and procedures.

The LevelBlue SpiderLabs update gives you the latest threat news, including recent updates to USM Anywhere detections and new threat intelligence published in the LevelBlue SpiderLabs Open Threat Exchange (OTX), one of the largest open threat intelligence sharing communities in the world.

LevelBlue SpiderLabs Threat Intelligence News

Npm Supply Chain Attack: Shai-Hulud Strikes Again

Back on September 23, 2025, CISA warned of a widespread supply chain compromise affecting 500 npm packages. The self-replicating worm was named "Shai-Hulud" after the name of the repository used to upload the stolen credentials. This month, the Shai-Hulud 2.0 worm has returned, confronting the JavaScript ecosystem with one of its most aggressive supply chain compromises to date, with over 700 npm packages infected.

Between November 21 and 24, the threat actors behind Shai-Hulud trojanized hundreds of popular packages—including those from Zapier, ENS Domains, PostHog, Postman, and AsyncAPI—injecting malicious preinstall scripts that execute before installation completes. The campaign was initially reported by Wiz. Because a preinstall script runs as soon as a package is fetched, this tactic gave the worm early access to developer environments and CI/CD pipelines, enabling credential theft at scale. Stolen secrets included GitHub tokens, npm credentials, and multi-cloud API keys, which were exfiltrated to attacker-controlled GitHub repositories labeled “Shai-Hulud: The Second Coming.”

The impact has been far larger than that of the first wave: over 25,000 repositories compromised, hundreds of npm packages infected, and thousands of secrets exposed. The worm’s self-propagating nature turns each victim into an amplifier—republishing malicious versions and injecting rogue GitHub workflows for remote command execution. This attack represents a systemic risk to open-source ecosystems, since a single compromised dependency can cascade across thousands of downstream projects. Organizations are urged to audit dependencies, clear npm caches, rotate all credentials, enforce MFA, and harden CI/CD pipelines to prevent further spread.
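The "audit dependencies" step above starts with knowing which installed packages can run code at install time at all, since that lifecycle hook is what the trojanized packages abused. The following Python script is an added example, not LevelBlue's code or anything from the npm project: it walks a node_modules tree, reports every package.json that declares a preinstall, install, or postinstall script, and checks whether an .npmrc disables lifecycle scripts globally. The package names and manifests it builds are constructed for the demonstration.

```python
"""Audit a node_modules tree for packages declaring install-time lifecycle
scripts (preinstall / install / postinstall), the hook Shai-Hulud abused.
Added example, not LevelBlue's code; the package names and manifests below are
constructed for the demonstration."""
import json
import os
import tempfile

# npm runs these hooks automatically during `npm install` unless ignore-scripts
# is set, so each one is a point of install-time code execution worth reviewing.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules):
    """Walk `node_modules` (nested trees included) and return a sorted list of
    (package name, version, hook, script) for every package.json that declares
    an install-time hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((manifest.get("name", dirpath),
                                 manifest.get("version", "?"), hook, scripts[hook]))
    return sorted(findings)


def npmrc_ignores_scripts(npmrc_text):
    """True when an .npmrc disables lifecycle scripts globally (ignore-scripts=true).
    Comment lines (# or ;) are skipped; the last assignment wins."""
    result = False
    for raw in npmrc_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            result = value.strip().lower() == "true"
    return result


def build_sample_tree():
    """Write a constructed node_modules tree to a temp dir: one clean package and
    one whose manifest carries a preinstall hook. Returns the node_modules path."""
    node_modules = os.path.join(tempfile.mkdtemp(prefix="npm-audit-"), "node_modules")
    manifests = {
        "string-padder": {"name": "string-padder", "version": "1.0.0",
                          "scripts": {"test": "node test.js"}},
        "widget-sdk": {"name": "widget-sdk", "version": "2.3.1",
                       "scripts": {"preinstall": "node install-helper.js", "build": "tsc"}},
    }
    for name, manifest in manifests.items():
        pkg_dir = os.path.join(node_modules, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return node_modules


def audit_sample():
    """Run the audit over the constructed tree and return its findings."""
    return find_install_scripts(build_sample_tree())


if __name__ == "__main__":
    for name, version, hook, script in audit_sample():
        print(f"{name}@{version} declares {hook}: {script!r}")
    print("ignore-scripts in sample .npmrc:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```

Point `find_install_scripts` at a real project's node_modules to get the list of packages whose hooks deserve a look before the next install; pairing that review with `npm ci --ignore-scripts` in CI keeps a newly trojanized version from executing anything until someone has looked at it.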

Operation Endgame: Rhadamanthys Infostealer Dismantled

In mid-November, law enforcement agencies delivered a major blow to the cybercrime ecosystem by dismantling the infrastructure behind Rhadamanthys, one of the most prolific information-stealing malware families. Coordinated under Operation Endgame, Europol and Eurojust—alongside authorities from 11 countries and over 30 private-sector partners—seized 1,025 servers and 20 domains between November 10–14. The disrupted infrastructure supported hundreds of thousands of infected systems and contained millions of stolen credentials and access to over 100,000 cryptocurrency wallets, potentially worth millions of euros.

Rhadamanthys operated as a malware-as-a-service platform, offering subscription models to cybercriminals for credential theft, browser data harvesting, and crypto wallet exfiltration. Its stealth and scalability made it a cornerstone for ransomware operators and access brokers.

Tracking, Detection & Hunting Capabilities

The LevelBlue SpiderLabs team created the following Adversary Trackers to automatically identify and detect malicious infrastructure as it is deployed: ClearFake, ValleyRAT, SystemBC, PureLogs, and TinyLoader. Additionally, the following trackers were updated: StealC, Tycoon2FA, and XWorm.

  • ClearFake is a malicious JavaScript framework deployed on compromised websites, most commonly WordPress sites, to deliver deceptive browser-update prompts and fake verification pages such as FakeCAPTCHA. The malware relies on a large and fast-moving infrastructure. Since the tracker was added at the start of the month, ClearFake’s activity has surged, dominating the tracker statistics with nearly three-quarters of all IOCs. Its scale and adaptability make it one of the most prominent web-based malware campaigns currently observed.

The team has identified the following malware/threat actors as the most active during the month of November.

Figure 1: November 2025 Malware Trend.

The LevelBlue trackers identified over 11,616 new IOCs across the families they track, with the largest contribution coming from ClearFake. The busiest trackers during the month of November are shown below:

Figure 2: November 2025 New IOCs from LevelBlue Trackers.

USM Anywhere Detection Improvements

In November, LevelBlue SpiderLabs added or updated 18 USM Anywhere detections and 5 NIDS detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

  • New ruleset with 1Password detections, such as impossible travel, successful authentication after a brute-force attempt, or MFA being disabled.
  • New detection to identify modification of the LocalAccountTokenFilterPolicy registry key, a change used to gain privileged access.
  • NIDS detections for the Gh0stKCP protocol and Danabot activity.
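The LocalAccountTokenFilterPolicy detection listed above is a good illustration of how a registry-based rule is built: the value lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and setting it to 1 removes the UAC remote restrictions that normally keep local administrator accounts from obtaining a full-privilege token over the network. The Python below is an added example, not the USM Anywhere rule itself: it parses a handful of constructed registry-value-set events in a Sysmon Event ID 13 style key=value layout, raises a high-severity alert when the value is set to 1, and records any other write to the same value at low severity so the analyst still sees the change history.

```python
"""Flag registry writes that set LocalAccountTokenFilterPolicy to 1, the change
that turns off UAC remote restrictions for local administrator accounts.
Added example, not a USM Anywhere rule; the events are constructed in a
Sysmon Event ID 13 (registry value set) style key=value layout."""
import re

# Path suffix that identifies the policy value; compared case-insensitively
TARGET_SUFFIX = r"\policies\system\localaccounttokenfilterpolicy"

# Constructed sample events (not real telemetry): a write to 1 from regedit,
# an unrelated write to EnableLUA, and a reset to 0 from reg.exe
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\regedit.exe User=CORP\jdoe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy "
    r"Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA "
    r"Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\reg.exe User=CORP\svc-backup "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy "
    r"Details=DWORD (0x00000000)",
]


def parse_event(line):
    """Split a key=value line into a dict. Values may contain spaces (user names,
    DWORD details), so the line is split only where the next token looks like
    `Key=`."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def dword_value(details):
    """Extract the integer from a Sysmon-style 'DWORD (0x00000001)' details field;
    None when the field is not a DWORD."""
    match = re.search(r"DWORD \(0x([0-9A-Fa-f]+)\)", details)
    return int(match.group(1), 16) if match else None


def detect_token_filter_policy(lines):
    """Return one alert per write to LocalAccountTokenFilterPolicy. A value of 1
    is high severity; any other write (for example a reset to 0) is recorded at
    low severity so the change history stays visible."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue  # only registry value-set events are of interest here
        target = event.get("TargetObject", "")
        if not target.lower().endswith(TARGET_SUFFIX):
            continue
        value = dword_value(event.get("Details", ""))
        alerts.append({
            "severity": "high" if value == 1 else "low",
            "user": event.get("User"),
            "image": event.get("Image"),
            "target": target,
            "value": value,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_filter_policy(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['user']} via {alert['image']} "
              f"set {alert['target']} = {alert['value']}")
```

Matching on the path suffix rather than the full key string keeps the rule robust to the HKLM versus HKEY_LOCAL_MACHINE spelling that different log sources use, and carrying the writing process and user in the alert gives the responder the two fields they need first when deciding whether the change was an approved administration task.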

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.

LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 330,000 threat researchers from 140 countries globally who publish threat information to the platform daily. LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more. Learn more about OTX, its benefits, and how you can join here.

New OTX Pulses

The LevelBlue SpiderLabs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and researchable repositories of information about threats, threat actors, campaigns, and more. This includes indicators of compromise (IoCs) that are useful to members. In November, 99 new Pulses were created by the Labs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:


Source: https://levelblue.com/blogs/spiderlabs-blog/threat-intelligence-news-from-levelblue-spiderlabs/