#0372
Cofense · 17 days ago · LLM report · medium
Polymorphic phishing campaigns utilize constant variation across all email elements and infrastructure to evade traditional, signature-based security controls. AI accelerates these attacks by increasing their volume and realism, necessitating a shift towards context-based detection and layered defenses that include human insight.
#0371
Trend Micro · 17 days ago · LLM report · critical
Void Dokkaebi (Famous Chollima) is conducting a self-propagating supply chain campaign targeting software developers via fake job interviews. By tricking victims into cloning malicious repositories, the attackers deploy the DEV#POPPER RAT and weaponize the victim's own code contributions to infect downstream developers and organizational repositories.
#0370
Huntress · 17 days ago · LLM report · critical
Huntress has observed an uptick in threat actors exploiting CVE-2026-1731 in outdated Bomgar RMM instances to compromise organizations and their downstream clients. Attackers utilize this access to establish persistence via secondary RMM tools, evade defenses using BYOVD techniques, and ultimately deploy LockBit ransomware.
#0369
Elastic Security Labs · 17 days ago · LLM report · low
Elastic Security Labs conducted research on the capabilities of Large Language Models (LLMs), specifically Claude Opus 4.6, to reverse engineer obfuscated binaries. The research demonstrates that while LLMs can defeat traditional obfuscation, novel techniques targeting LLM weaknesses—such as context window limits, budget caps, and shortcut biases—can effectively and cheaply disrupt automated static analysis pipelines.
#0368
Socket · 17 days ago · LLM report · info
Socket has announced a new integration with Jira Cloud to streamline vulnerability management and remediation workflows. The integration enables security and engineering teams to automatically or manually sync Socket security alerts into Jira issues, complete with customizable routing and two-way state synchronization.
#0367
Socket · 17 days ago · LLM report · low
This article is a corporate announcement detailing Socket's recognition as a top sales organization by RepVue. It includes a brief Q&A with an Account Executive regarding company culture and highlights ongoing hiring efforts.
#0366
Huntress · 17 days ago · LLM report · high
Threat actors are actively deploying Nightmare-Eclipse proof-of-concept tools, including BlueHammer, RedSun, and UnDefend, in real-world intrusions to exploit Windows Defender race conditions for privilege escalation. The attacks, likely originating from compromised FortiGate VPN access, culminate in the deployment of BeigeBurrow, a Go-based reverse tunnel agent used for persistent command and control.
#0365
ESET · 17 days ago · LLM report · high
ESET researchers identified a new variant of the NGate Android malware that trojanizes the legitimate HandyPay application to facilitate NFC relay attacks and steal payment card PINs. Targeting users in Brazil through social engineering and fake app stores, the malware allows attackers to conduct unauthorized ATM cash-outs while requiring no suspicious device permissions.
#0364
ANY.RUN · 17 days ago · LLM report · high
Lazarus Group is conducting a new ClickFix campaign targeting macOS users in high-value sectors via Telegram. The attackers trick victims into executing a terminal command that deploys 'Mach-O Man,' a multi-stage Go-based malware kit designed to steal credentials, browser data, and macOS Keychain secrets, exfiltrating the data via Telegram.
#0363
Cisco Talos · 17 days ago · LLM report · high
The article details how threat actors can leverage native macOS binaries and protocols (Living-off-the-Land) to execute code, move laterally, and transfer tools while evading traditional security telemetry. By abusing Remote Application Scripting (RAS), Spotlight metadata, and built-in networking utilities, attackers can orchestrate fleet-wide compromises that bypass standard SSH-centric monitoring.
#0362
Recorded Future · 17 days ago · LLM report · high
The rapid adoption of agentic AI in enterprise environments introduces significant security risks by amplifying existing software supply chain and identity management vulnerabilities. Threat actors can leverage prompt engineering, input manipulation, and malicious packages to weaponize AI agents, necessitating zero-trust principles, robust IAM for non-human identities, and human-in-the-loop safeguards.
#0361
Check Point · 17 days ago · LLM report · critical
The Gentlemen is an emerging Ransomware-as-a-Service (RaaS) operation that provides affiliates with versatile, multi-platform lockers. Recent incident response telemetry reveals affiliates utilizing Cobalt Strike and SystemBC for post-exploitation and C2, culminating in highly automated, domain-wide ransomware deployment via Group Policy and built-in lateral movement mechanisms.
#0360
NCSC · 17 days ago · LLM report · low
The CEO of the UK's National Cyber Security Centre (NCSC) warns of a 'perfect storm' in cyber security fueled by AI advancements and geopolitical conflicts. The majority of significant incidents are now driven by nation-states, requiring a fundamental cultural shift across all organizations to prioritize cyber resilience and adapt to AI-accelerated vulnerability exploitation.
The Canadian Centre for Cyber Security issued an advisory regarding multiple vulnerabilities in Mozilla Firefox and Firefox ESR. Organizations are urged to update their browser deployments to Firefox 150, Firefox ESR 115.35, or Firefox ESR 140.10 to ensure protection against potential security risks.
#0358
Huntress · 17 days ago · LLM report · high
A Linux endpoint compromised by multiple threat actors deploying cryptominers was further complicated when the user utilized OpenAI's Codex to troubleshoot system issues. The AI agent generated commands that structurally resembled malicious activity, triggering EDR alerts and creating significant noise that hindered SOC triage and incident response.
#0357
Akamai · 17 days ago · LLM report · high
Threat actors are actively exploiting CVE-2025-29635, a command injection vulnerability in end-of-life D-Link DIR-823X routers, to deploy a Mirai botnet variant. The campaign utilizes malicious HTTP POST requests to download and execute shell scripts that fetch the final Mirai payload, while also targeting vulnerabilities in TP-Link and ZTE devices.
#0356
Varonis · 17 days ago · LLM report · critical
On April 19, 2026, Vercel disclosed a critical security breach originating from a compromised third-party AI tool, Context.ai. The threat actor, ShinyHunters, utilized an infostealer to harvest OAuth tokens, bypassed MFA to access Vercel's Google Workspace, and pivoted via SSO to bulk-extract customer environment variables containing highly sensitive cloud, database, and source code credentials.
#0355
Trend Micro · 17 days ago · LLM report · critical
A supply chain attack leveraging a compromised third-party OAuth application (Context.ai) allowed threat actors to breach Vercel's internal systems. The attackers exploited Vercel's environment variable sensitivity model to enumerate and expose unencrypted customer secrets, leading to potential downstream credential abuse across multiple cloud and SaaS platforms.
#0354
Akamai · 17 days ago · LLM report · high
Security researchers identified a signal-reentrancy weakness in a signed macOS OpenSSL wrapper binary. The vulnerability arises from the intersection of legacy TLS capabilities and async-unsafe POSIX functions, which can be exploited via race conditions and forced TLS downgrades to cause Denial of Service (DoS) or potential memory corruption.
#0353
CISA · 17 days ago · LLM report · critical
A software supply chain compromise impacted the Axios npm package, injecting a malicious dependency (plain-crypto-js@4.2.1) into versions 1.14.1 and 0.30.4. This dependency downloads multi-stage payloads, including a Remote Access Trojan (RAT), which communicates with a known malicious C2 domain.