
cyfar.ca

DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.

CrowdStrike | 17 days ago | LLM report | severity: high

CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI

The CrowdStrike 2026 Global Threat Report highlights a shift toward highly evasive, malware-free attacks leveraging valid credentials, AI tools, and supply chain compromises. Adversaries are operating with unprecedented speed, with average breakout times dropping to 29 minutes, while increasingly targeting AI infrastructure, cloud environments, and network edge devices.

Microsoft | 17 days ago | LLM report | severity: high

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

Microsoft Threat Intelligence observed a significant increase in tax-themed phishing and malware campaigns targeting individuals and accounting professionals. These campaigns utilize sophisticated social engineering, Phishing-as-a-Service (PhaaS) platforms for credential theft, and abused legitimate Remote Monitoring and Management (RMM) tools to establish persistent remote access.

Huntress | 17 days ago | LLM report | severity: critical

They Got In Through SonicWall. Then They Tried to Kill Every Security Tool

Threat actors breached a network via compromised SonicWall SSLVPN credentials and deployed a sophisticated EDR killer to blind endpoint security prior to a planned ransomware deployment. The malware utilizes a Bring Your Own Vulnerable Driver (BYOVD) technique, dropping a revoked EnCase forensic driver encoded with a novel wordlist substitution cipher to terminate 59 different security processes directly from kernel mode.
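The one event that precedes the process-killing described above is the kernel driver load itself, which is where a detection engineer gets a look at it before the EDR goes blind. The following is an added example, not code from the Huntress write-up: it triages Sysmon Event ID 6 (driver loaded) records with three weak checks (hash on a vulnerable-driver block list, signature status other than Valid, driver loaded from a user-writable directory) and reports every hit. The block-list hash, the sample records and their field values are constructed for illustration and are not indicators from the report.

```python
"""Triage Sysmon Event ID 6 (driver loaded) records for BYOVD-style loads.

Added example: the records, the block-list hash and the field values below
are constructed for illustration and are not indicators from the Huntress report.
"""
import re
from dataclasses import dataclass

# Hypothetical block list of SHA256 hashes of abusable drivers (in practice,
# feed this from a curated list such as loldrivers.io).
BLOCKED_SHA256 = {"a" * 64}

# Kernel drivers have no business living in user-writable or staging directories.
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\windows\\temp\\|c:\\programdata\\)", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    reasons: list


def parse_hashes(hashes: str) -> dict:
    """Parse Sysmon's 'Hashes' field ('SHA256=...,MD5=...') into a dict."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict):
    """Return a Finding when the load looks like BYOVD, else None.

    Each check is weak alone (a revoked certificate still loads, because Windows
    does not check revocation at driver-load time), so collect every hit and
    let the caller decide on the combination.
    """
    reasons = []
    image = event.get("ImageLoaded", "")
    hashes = parse_hashes(event.get("Hashes", ""))
    status = event.get("SignatureStatus", "")

    if hashes.get("SHA256") in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver block list")
    if status.lower() != "valid":
        reasons.append(f"signature status is {status or 'missing'}")
    if USER_WRITABLE.match(image):
        reasons.append("driver loaded from a user-writable path")
    return Finding(image, reasons) if reasons else None


def triage(events) -> list:
    """Run every record through assess_driver_load, keeping the hits."""
    return [f for f in (assess_driver_load(e) for e in events) if f]


# Constructed sample records shaped like Sysmon Event 6 fields.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\Temp\\forensic.sys",  # staged by the attacker
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Revoked"},
    {"ImageLoaded": "C:\\ProgramData\\svc\\helper.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

The revocation point is why the hash check matters more than the signature check: a driver signed with a since-revoked certificate loads exactly as it did the day it was issued unless the Microsoft vulnerable driver blocklist or HVCI stops it, so the block list and the load path carry the detection.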

CERT-EU | 17 days ago | LLM report | severity: critical

Security Advisory 2026-002

Cisco has disclosed multiple critical and high-severity vulnerabilities affecting Catalyst SD-WAN Controller and Manager, including CVE-2026-20127, a CVSS 10 authentication bypass exploited in the wild since 2023. Successful exploitation allows unauthenticated remote attackers to gain administrative privileges, manipulate network configurations, and establish persistent access, sometimes by downgrading software to exploit older vulnerabilities.

CERT-EU | 17 days ago | LLM report | severity: critical

Security Advisory 2026-001

Ivanti has released a security advisory addressing two critical code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile (EPMM) that allow unauthenticated remote code execution. At least one of these flaws is currently being exploited in the wild, prompting urgent recommendations to secure forensic evidence and apply available hotfixes.

CERT-EU | 17 days ago | LLM report | severity: critical

Security Advisory 2025-042

Cisco has disclosed a critical, unpatched vulnerability (CVE-2025-20393) affecting its Secure Email Gateway and Secure Email and Web Manager appliances. The flaw allows attackers to execute arbitrary commands with root privileges if the Spam Quarantine feature is enabled and exposed to the internet. Organizations are urged to immediately restrict internet access to this feature and contact Cisco TAC to check for indicators of compromise.

CrowdStrike | 17 days ago | LLM report | severity: low

Secure Homegrown AI Agents with CrowdStrike Falcon AIDR and NVIDIA NeMo Guardrails

CrowdStrike has announced the integration of Falcon AI Detection and Response (AIDR) with NVIDIA NeMo Guardrails to secure enterprise AI agents against runtime attacks. The solution provides programmable guardrails to prevent prompt injection, data exposure, and unauthorized actions by applying over 75 built-in classification rules to LLM interactions.

Project Zero | 17 days ago | LLM report | severity: low

On the Effectiveness of Mutational Grammar Fuzzing

The article details the limitations of mutational coverage-guided grammar fuzzing, specifically its tendency to produce similar samples and struggle with complex function chaining. To mitigate this, the author introduces a methodology using the Jackalope fuzzer that periodically restarts workers to combine generative and mutational fuzzing, significantly improving the discovery rate of unique crashes in targets like libxslt.
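To make the restart schedule concrete, here is an added toy example that is not Jackalope and not the post's own harness. A constructed four-rule expression grammar stands in for the real target's grammar, a worker mutates derivation trees from a corpus, and "new coverage" is approximated by a rendered string not seen before (no real target is attached). With `restart_every=0` the worker is plain mutational fuzzing from one generated seed, which is the mode whose samples tend to stay similar; with `restart_every=N` the corpus is discarded every N iterations and regrown from a fresh generative seed, which is the hybrid the post describes.

```python
"""Toy hybrid grammar fuzzer: mutational workers periodically restarted from
fresh generative seeds, the schedule the post attributes to its Jackalope setup.

Added example with a constructed four-rule grammar; it is not Jackalope and
not the post's own harness. 'Coverage' is approximated by distinct rendered
strings, since no real target is attached.
"""
import random

# Constructed toy grammar: nonterminal -> alternatives; symbols in <...> are nonterminals.
GRAMMAR = {
    "<expr>": [("<term>",), ("<expr>", " + ", "<term>"), ("<func>",)],
    "<term>": [("<num>",), ("(", "<expr>", ")")],
    "<func>": [("f(", "<expr>", ")"), ("g(", "<expr>", ", ", "<expr>", ")")],
    "<num>": [("0",), ("1",), ("42",)],
}
TERMINAL_CHARS = set("0142 +(),fg")

# A derivation tree is (symbol, children); terminals carry children=None.


def generate(sym, rng, depth=0, max_depth=4):
    """Generative mode: sample a derivation tree for `sym` from the grammar."""
    if sym not in GRAMMAR:
        return (sym, None)
    alts = GRAMMAR[sym]
    if depth >= max_depth:  # past the depth budget, take the alternative with fewest nonterminals
        alts = [min(alts, key=lambda a: sum(s in GRAMMAR for s in a))]
    alt = rng.choice(alts)
    return (sym, [generate(s, rng, depth + 1, max_depth) for s in alt])


def render(tree):
    sym, kids = tree
    return sym if kids is None else "".join(render(k) for k in kids)


def _paths(tree, prefix=()):
    """Paths (tuples of child indexes) to every nonterminal node."""
    _, kids = tree
    if kids is None:
        return []
    out = [prefix]
    for i, k in enumerate(kids):
        out.extend(_paths(k, prefix + (i,)))
    return out


def _at(tree, path):
    for i in path:
        tree = tree[1][i]
    return tree


def _replace(tree, path, new):
    if not path:
        return new
    sym, kids = tree
    i = path[0]
    return (sym, kids[:i] + [_replace(kids[i], path[1:], new)] + kids[i + 1:])


def mutate(tree, rng):
    """Mutational mode: regrow one random nonterminal subtree in place."""
    path = rng.choice(_paths(tree))
    sym = _at(tree, path)[0]
    return _replace(tree, path, generate(sym, rng, depth=len(path)))


def seeded_sample(seed=1):
    """One generated tree and one mutation of it, for a fixed seed."""
    rng = random.Random(seed)
    tree = generate("<expr>", rng)
    return tree, mutate(tree, rng)


def run(iterations, restart_every, seed=0):
    """One worker. restart_every=0 is plain mutational fuzzing from a single seed;
    restart_every=N throws the corpus away every N iterations and regrows it
    from a new generative seed. Returns (distinct outputs, restart count)."""
    rng = random.Random(seed)
    corpus = [generate("<expr>", rng)]
    seen = {render(corpus[0])}
    restarts = 0
    for i in range(1, iterations + 1):
        if restart_every and i % restart_every == 0:
            corpus = [generate("<expr>", rng)]
            restarts += 1
        child = mutate(rng.choice(corpus), rng)
        text = render(child)
        if text not in seen:  # stand-in for "new coverage": keep it as a new seed
            seen.add(text)
            corpus.append(child)
    return seen, restarts


if __name__ == "__main__":
    for every in (0, 50):
        outputs, restarts = run(500, every, seed=7)
        print(f"restart_every={every}: {len(outputs)} distinct inputs, {restarts} restarts")
```

Running the two modes side by side shows the mechanism the post relies on: the single-seed worker keeps rediscovering neighbours of its first seed, while each restart drops the worker into a different region of the grammar, so function chains that the first seed never contained (nested `f(g(...))` forms here) get a chance to appear at all.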

Elastic Security Labs | 17 days ago | LLM report | severity: info

Linux & Cloud Detection Engineering - Getting Started with Defend for Containers (D4C)

Elastic has introduced Defend for Containers (D4C) in version 9.3.0, providing runtime visibility and detection capabilities for Linux container workloads in Kubernetes environments. The integration captures process and file activity enriched with orchestration metadata, enabling detection engineers to build robust, behavior-based security policies.

Cisco Talos | 17 days ago | LLM report | severity: high

Intelligence Center

Threat actors increasingly abuse legitimate native utilities, third-party tools, and cloud service clients for data exfiltration, bypassing traditional static detections. Talos's Exfiltration Framework models the behavioral and forensic characteristics of these tools so that detection keys on execution context, network patterns, and artifact persistence rather than on the mere presence of a tool.
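What "context rather than tool presence" looks like as a rule, as an added example that is not Talos's framework or its indicators: the scorer below never looks at the binary's name. It weighs who launched the uploader, where the binary lives, whether the destination is a sanctioned host or a file-drop service, how much left, and when. The allow list, host patterns, thresholds and the three sample events are constructed; the same `rclone.exe` scores benign from its install directory to the corporate backup target and alerts when dropped in Temp by PowerShell at 02:00.

```python
"""Score a process/network event for exfiltration by execution context rather
than by which tool ran.

Added example; the allow list, domain patterns, thresholds and sample events
are constructed and are not Talos's own framework or its indicators.
"""
import re
from dataclasses import dataclass

# Hypothetical: sanctioned destinations and host patterns for "free file drop" services.
ALLOWED_DESTINATIONS = {"backup.corp.example"}
FILE_DROP_HOSTS = re.compile(r"(mega\.nz|dropboxapi\.com|mediafire\.com|transfer\.sh)$", re.IGNORECASE)
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "winword.exe", "excel.exe"}
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
LARGE_TRANSFER = 500 * 1024 * 1024  # bytes


@dataclass
class Event:
    image: str      # full path of the uploading binary
    parent: str     # parent process name
    user: str
    dest: str       # destination host name
    bytes_out: int
    hour: int       # local hour of day


def score(ev: Event):
    """Weighted context checks; the tool's name never appears in them."""
    reasons, total = [], 0
    if ev.parent.lower() in SCRIPT_PARENTS:
        total += 2
        reasons.append(f"launched by {ev.parent}")
    if not ev.image.lower().startswith(STANDARD_DIRS):
        total += 2
        reasons.append("binary outside standard install paths")
    if ev.dest not in ALLOWED_DESTINATIONS and FILE_DROP_HOSTS.search(ev.dest):
        total += 3
        reasons.append(f"upload to unsanctioned file-drop host {ev.dest}")
    if ev.bytes_out >= LARGE_TRANSFER:
        total += 2
        reasons.append(f"{ev.bytes_out // 2**20} MiB sent")
    if ev.hour < 6 or ev.hour >= 22:
        total += 1
        reasons.append("outside working hours")
    return total, reasons


def verdict(ev: Event, threshold=5) -> str:
    return "alert" if score(ev)[0] >= threshold else "benign"


# Constructed sample events.
EVENTS = [
    # Same tool, sanctioned use: rclone from its install dir to the corporate backup target.
    Event("C:\\Program Files\\rclone\\rclone.exe", "explorer.exe", "backup-svc",
          "backup.corp.example", 2 * 1024**3, 10),
    # rclone dropped in Temp, spawned by PowerShell, 3 GiB to a file-drop host at 02:00.
    Event("C:\\Users\\bob\\AppData\\Local\\Temp\\rclone.exe", "powershell.exe", "bob",
          "api.mega.nz", 3 * 1024**3, 2),
    # curl from a batch script to a vendor update host: scripted, but nothing else is off.
    Event("C:\\Windows\\System32\\curl.exe", "cmd.exe", "svc-updates",
          "updates.vendor.example", 50 * 1024**2, 14),
]

if __name__ == "__main__":
    for ev in EVENTS:
        total, reasons = score(ev)
        print(f"{verdict(ev):7} score={total:<2} {ev.image} -> {ev.dest} | {'; '.join(reasons)}")
```

The weights are deliberately small so that no single factor fires on its own: a scripted `curl` to a vendor host is normal patch automation, and a large transfer by the backup account is the backup. The alert needs the combination, which is the behavioural profile the page says the framework models.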

Infoblox | 17 days ago | LLM report | severity: high

Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams

Threat actors are extensively abusing the legitimate Keitaro Tracker platform to conduct domain cloaking, facilitating large-scale, AI-driven investment and tech support scams. By combining traffic distribution systems with AI-generated deepfakes and localized lures, attackers effectively evade automated security scanners while maximizing victim engagement and conversion rates.

Socket | 17 days ago | LLM report | severity: high

GlassWorm Sleeper Extensions Activate on Open VSX, Shift to GitHub-Hosted VSIX Malware

The GlassWorm malware campaign has evolved to deploy 'sleeper' extensions on Open VSX that are subsequently weaponized to download malicious VSIX payloads hosted on GitHub. The malware employs sophisticated evasion techniques, including Russian geofencing, source-to-compiled code mismatches, and utilizing the Solana blockchain as a dead-drop resolver for command and control, ultimately leading to arbitrary Node.js code execution across multiple developer IDEs.

Huntress | 17 days ago | LLM report | severity: info

From Seconds to Story: How Huntress Managed ITDR's New Incident Report Timeline Changes Response

Huntress has introduced a new Incident Report Timeline feature for its Managed ITDR platform to combat rapid, identity-driven data exfiltration in cloud environments. This feature provides a chronological narrative of attacker actions and response efforts, enabling faster decision-making and better communication for security teams and MSPs.

Elastic Security Labs | 17 days ago | LLM report | severity: high

From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

Elastic Security Labs identified a new .NET loader dubbed SILENTCONNECT, which is distributed via phishing emails and Cloudflare Turnstile CAPTCHA pages. The loader utilizes living-off-the-land binaries, PEB masquerading, and UAC bypass techniques to silently install remote monitoring and management (RMM) tools like ScreenConnect for persistent access.

Huntress | 17 days ago | LLM report | severity: high

From Code to Coverage (Part 4): Hunting SOAPHound - The (!FALSE) Pattern

Attackers are utilizing the SOAPHound enumeration tool to map Active Directory environments by querying non-existent LDAP attributes. Due to Active Directory's query optimization logic, these queries are transformed into a generic '(! (FALSE))' pattern in Event ID 1644 logs, effectively hiding the tool's signature and bypassing traditional string-based detection mechanisms.
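Since the rewritten filter is what lands in the log, the rewritten filter is what to hunt for. The following is an added example, not code from the Huntress series: it scans Event ID 1644 records for the `(!(FALSE))` pattern (tolerating the whitespace variant shown above), groups hits by client IP and reports clients that ran it repeatedly together with the naming contexts they walked. The records are constructed to mimic the 1644 message fields (client, starting node, filter, visited and returned counts) and are not from the post.

```python
"""Hunt for SOAPHound-style LDAP enumeration in Event ID 1644 records.

Added example; the records below are constructed to mimic the 1644 message
fields (client, starting node, filter, visited/returned counts) and are not
from the Huntress post.
"""
import re
from collections import Counter, defaultdict

# The optimizer's rewrite of a filter that references undefined attributes.
# Whitespace is tolerated because the pattern is sometimes shown as "(! (FALSE))".
FALSE_FILTER = re.compile(r"\(\s*!\s*\(\s*FALSE\s*\)\s*\)", re.IGNORECASE)


def is_false_filter(ldap_filter: str) -> bool:
    return FALSE_FILTER.search(ldap_filter) is not None


def client_ip(client: str) -> str:
    """1644 logs the client as 'ip:port'; strip the ephemeral port."""
    return client.rsplit(":", 1)[0]


def hunt(events, min_hits=2):
    """Group (!(FALSE)) searches by client IP; return clients at or above
    min_hits with their hit count and the naming contexts they walked.
    One hit can be an admin typo in an LDAP browser; a burst that walks the
    domain, Configuration and Schema contexts is the enumeration behaviour."""
    hits, bases = Counter(), defaultdict(set)
    for ev in events:
        if is_false_filter(ev["filter"]):
            ip = client_ip(ev["client"])
            hits[ip] += 1
            bases[ip].add(ev["base"])
    return {ip: {"hits": n, "bases": sorted(bases[ip])} for ip, n in hits.items() if n >= min_hits}


# Constructed sample records.
SAMPLE_1644 = [
    {"client": "10.0.0.5:52110", "base": "DC=corp,DC=example",
     "filter": "(&(objectClass=user)(sAMAccountName=jdoe))", "visited": 1200, "returned": 1},
    {"client": "10.0.0.77:49812", "base": "DC=corp,DC=example",
     "filter": "(!(FALSE))", "visited": 48213, "returned": 48213},
    {"client": "10.0.0.77:49813", "base": "CN=Configuration,DC=corp,DC=example",
     "filter": "(! (FALSE))", "visited": 3911, "returned": 3911},
    {"client": "10.0.0.77:49814", "base": "CN=Schema,CN=Configuration,DC=corp,DC=example",
     "filter": "(!(FALSE))", "visited": 1700, "returned": 1700},
    {"client": "10.0.0.9:50001", "base": "OU=Servers,DC=corp,DC=example",
     "filter": "(objectClass=*)", "visited": 30, "returned": 30},
]

if __name__ == "__main__":
    for ip, info in hunt(SAMPLE_1644).items():
        print(f"{ip}: {info['hits']} (!(FALSE)) searches over {', '.join(info['bases'])}")
```

Two caveats before wiring this into a rule. Event 1644 is only written when the "15 Field Engineering" diagnostic level is raised on the domain controller (and the expensive/inefficient search thresholds lowered enough for these searches to qualify), so confirm the logging is actually on. And the `visited == returned` shape in the constructed hits, where the whole subtree comes back, is a second behavioural tell worth keeping alongside the filter match, since it survives if the optimizer's output ever changes.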

ESET | 17 days ago | LLM report | severity: critical

EDR killers explained: Beyond the drivers

Ransomware affiliates increasingly rely on EDR killers—ranging from BYOVD exploits and abused anti-rootkits to driverless tools—to disrupt security solutions prior to deploying encryptors. This approach allows encryptors to remain simple while the EDR killers handle complex defense evasion, complicating attribution and defense strategies.

CrowdStrike | 17 days ago | LLM report | severity: low

CrowdStrike Innovates to Modernize National Security and Protect Critical Systems

CrowdStrike announced new product capabilities at Fal.Con Gov 2026 aimed at modernizing national security and protecting critical government systems. The updates include Falcon Flex for flexible procurement and new Charlotte AI features for automated, natural language-driven security investigations within FedRAMP-authorized environments.