DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
A targeted campaign is delivering the PureLog Stealer via localized copyright violation lures. The attack employs a sophisticated multi-stage infection chain, utilizing a Python-based loader to bypass AMSI, establish registry persistence, and execute the final .NET stealer entirely in memory to evade detection.
CISA has added CVE-2026-20131, a deserialization of untrusted data vulnerability affecting Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC), to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
Security researchers identified and disclosed nine methods to bypass the new Windows Administrator Protection feature by abusing the UI Access flag. These bypasses leveraged logical flaws in secure directory checks, shared user profiles, and RPC method handling to achieve arbitrary code execution and privilege escalation.
SentinelOne Labs developed a multi-agent LLM architecture using OpenClaw and Claude models to automate malware reverse engineering. By employing a serial consensus pipeline with an active rejection mandate, the system forces independent tool agents (radare2, Ghidra, Binary Ninja, IDA Pro) to cross-validate findings, significantly reducing decompiler artifacts and hallucinations.
Security researchers have identified the Keenadu backdoor embedded in the firmware of multiple low-cost Android devices. The malware compromises the core Zygote process via a trojanized shared object library, allowing it to download second-stage modules for ad fraud and potentially exposing corporate credentials on BYOD devices.
Unit 42 analyzed two malware samples leveraging Large Language Models (LLMs) for remote decision-making. One is a .NET infostealer using GPT-3.5-Turbo for superficial 'AI theater', while the other is a Golang dropper that uses GPT-4 to evaluate system telemetry and determine if the environment is safe to deploy a Sliver payload.
The GetProcessHandleFromHwnd API contains historical design flaws allowing attackers to bypass User Interface Privilege Isolation (UIPI) and hijack Protected Processes. By forcing a protected process like WerFaultSecure.exe to create a window, attackers can obtain a privileged handle to inject shellcode, a vulnerability that remains exploitable on Windows 10 and pre-24H2 Windows 11 systems.
In 2025, Insikt Group observed the continued dominance of Cobalt Strike, AsyncRAT, and infostealers like Vidar, alongside the rise of new offensive tools such as RedGuard, Ligolo, and CastleLoader. The report highlights the critical role of Threat Activity Enablers (TAEs) and the abuse of legitimate infrastructure services, such as CDNs, in sustaining cybercriminal and APT operations.
The convergence of IT and OT in electric grid infrastructure has increased the risk of lateral movement by adversaries. To protect critical operations and comply with regulations like NERC-CIP-15, organizations must implement deep east-west network visibility capable of understanding specialized industrial protocols.
Trend Micro collaborated with INTERPOL and other global law enforcement agencies in Operation Synergia III, leading to the takedown of 45,000 malicious servers and 94 arrests. The operation targeted distributed infrastructure supporting widespread cybercrime, including BEC, phishing, and extortion schemes.
Google Threat Intelligence Group discovered DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to target iOS 18.4-18.7 devices. Adopted by multiple state-sponsored actors and commercial surveillance vendors, the pure-JavaScript exploit chain bypasses modern iOS mitigations to deploy data-mining payloads like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
The proliferation of autonomous AI agents like OpenClaw has introduced severe security risks, including unauthorized data access and silent exfiltration via prompt injection and malicious plug-ins. To mitigate these threats, organizations must transition from local agent deployments to hardened, isolated cloud environments utilizing defense-in-depth strategies such as kernel-level eBPF monitoring and runtime prompt interception.
SnappyClient is a newly discovered C++ C2 framework implant delivered via HijackLoader, primarily designed for cryptocurrency theft and remote access. It utilizes advanced evasion techniques such as AMSI patching, Heaven's Gate, and transacted hollowing to bypass security controls, including Chromium's App-Bound Encryption, while communicating over a custom ChaCha20-Poly1305 encrypted protocol.
The TC39 committee has advanced the Temporal API to Stage 4, marking its official inclusion in the ECMAScript 2026 specification as a modern, immutable replacement for JavaScript's legacy Date object.
Cisco Talos introduced DispatchLogger, an open-source dynamic analysis tool designed to intercept and log late-bound COM automation calls. By utilizing transparent proxying and recursive object wrapping, the tool provides analysts with deep semantic visibility into script-based malware behavior, such as WMI abuse and fileless execution, effectively bypassing common script obfuscation techniques.
Threat actors exploited an exposed Spring Boot Actuator endpoint and plaintext credentials found in a spreadsheet to authenticate via the legacy ROPC flow. This allowed them to bypass MFA, obtain a Microsoft Graph access token, and exfiltrate sensitive data from SharePoint Online without deploying malware.
The Canadian Centre for Cyber Security published a daily digest of 11 security advisories on March 18, 2026. The advisories highlight vulnerabilities across various enterprise, networking, and consumer products, including a critical remote pre-auth buffer overflow in GNU InetUtils telnetd, and urge administrators to apply necessary updates and mitigations.
CISA has issued an alert regarding malicious cyber activity targeting endpoint management systems, specifically highlighting a recent attack on Stryker Corporation's Microsoft environment. The alert strongly urges organizations to harden Microsoft Intune and similar platforms by enforcing least privilege, phishing-resistant MFA, and Multi Admin Approval to prevent unauthorized high-impact administrative actions.
CISA has added CVE-2026-20963, a Microsoft SharePoint Deserialization of Untrusted Data Vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation of this flaw as part of their vulnerability management practices to reduce exposure to cyberattacks.
The Akamai 2026 SOTI report highlights the industrialization of cyberattacks, driven by automation and the convergence of API threats, web exploits, and DDoS campaigns. Key trends include a massive 104% surge in Layer 7 DDoS attacks powered by super botnets, increased risks from untested AI-generated code, and a 73% rise in web application attacks.
