#0072 | Elastic Security Labs | 17 days ago | LLM report | severity: low
Elastic has introduced capabilities to manage security detection rules and exceptions as code using the Elastic Stack Terraform provider. This enables DevOps and platform teams to integrate detection lifecycle management into broader infrastructure-as-code pipelines, complementing existing detection engineering workflows.
#0071 | Sophos | 17 days ago | LLM report | severity: high
Iranian-linked threat actors consistently utilize a core set of cost-effective initial access techniques, including social engineering, rapid exploitation of known vulnerabilities, and credential abuse. These groups frequently leverage legitimate RMM tools and trusted cloud services to establish persistence and evade detection, highlighting the need for robust identity management, prompt patching, and perimeter security.
#0070 | CISA | 17 days ago | LLM report | severity: high
CISA has added two actively exploited vulnerabilities affecting Google Skia (CVE-2026-3909) and Google Chromium V8 (CVE-2026-3910) to its Known Exploited Vulnerabilities (KEV) Catalog, urging immediate remediation across all organizations.
#0069 | WithSecure | 17 days ago | LLM report | severity: high
The cybercrime-as-a-service ecosystem is evolving rapidly, characterized by a shift towards trading live session tokens, the integration of generative AI for dynamic payload generation, and a preference for data exfiltration over encryption. Defenders must adapt by prioritizing identity monitoring, rapid session revocation, and recognizing the blurring lines between commodity cybercrime and state-aligned operations.
#0068 | Microsoft | 17 days ago | LLM report | severity: high
Storm-2561 is conducting a credential theft campaign leveraging SEO poisoning to distribute fake enterprise VPN clients. The attack utilizes digitally signed payloads and DLL side-loading to deploy the Hyrax infostealer, which harvests VPN credentials and configuration data before redirecting victims to legitimate software to evade detection.
#0067 | Socket | 17 days ago | LLM report | severity: low
Node.js is transitioning from a biannual to an annual major release cycle starting with version 27, retiring the legacy odd/even LTS model. This strategic shift aims to reduce maintainer fatigue, streamline security backports, and align with industry-standard predictable release schedules.
#0066 | ANY.RUN | 17 days ago | LLM report | severity: high
MicroStealer is a newly identified, fast-spreading infostealer that targets sensitive corporate and personal data, including browser credentials, session cookies, and cryptocurrency wallets. It employs a sophisticated NSIS to Electron to Java execution chain, combined with obfuscation and anti-analysis checks, to maintain a low detection rate across security vendors.
#0065 | NCSC | 17 days ago | LLM report | severity: low
The UK's National Cyber Security Centre (NCSC) has announced the speaker lineup and core themes for the CYBERUK 2026 conference in Glasgow. The event will bring together international security leaders to discuss accelerating global cyber defenses against evolving threats over the next decade.
#0064 | Check Point | 17 days ago | LLM report | severity: critical
Handala Hack, an Iranian MOIS-affiliated threat actor also known as Void Manticore, conducts destructive wiping and hack-and-leak operations against US, Israeli, and Albanian targets. The group leverages compromised VPN credentials for initial access, uses NetBird for internal tunneling, and deploys multiple parallel wiping techniques (including custom MBR wipers, PowerShell scripts, and VeraCrypt) distributed via Active Directory Group Policy.
#0063 | Socket | 17 days ago | LLM report | severity: low
GCVE, operated by CIRCL, has launched a decentralized vulnerability publishing ecosystem utilizing Vulnerability-Lookup 4.1.0 to address the limitations of the centralized CVE system. The federated model allows organizations to act as autonomous publishers (GNAs) while synchronizing vulnerability intelligence, sightings, and KEV data globally.
#0062 | Zscaler ThreatLabz | 17 days ago | LLM report | severity: high
A China-nexus threat actor, assessed with medium confidence as Mustang Panda, targeted the Persian Gulf region using a multi-stage attack chain themed around the Middle East conflict. The campaign leverages LNK and CHM files to execute a heavily obfuscated shellcode loader via DLL sideloading, ultimately deploying a PlugX backdoor capable of HTTPS and DNS-over-HTTPS (DoH) C2 communications.
#0061 | Cofense | 17 days ago | LLM report | severity: high
Threat actors are increasingly weaponizing the legitimate Telegram Bot API to establish Command and Control (C2) channels and exfiltrate stolen data. This technique is widely adopted across credential phishing campaigns and malware families like Agent Tesla and Pure Logs Stealer, allowing attackers to bypass traditional network defenses by blending malicious traffic with legitimate Telegram communications.
#0060 | Trail of Bits | 17 days ago | LLM report | severity: high
Trail of Bits identified six common vulnerability patterns in ERC-4337 smart accounts during their audits. These vulnerabilities, ranging from incorrect access controls and incomplete signature validation to state modification issues and replay attacks, can allow attackers to drain funds or hijack account ownership.
#0059 | Socket | 17 days ago | LLM report | severity: high
The rapid proliferation of GitHub Security Advisories (GHSAs) for the OpenClaw AI agent has highlighted a significant gap in vulnerability tracking, as many GHSAs lack corresponding CVE identifiers. This discrepancy creates critical blind spots for enterprise security tools that rely exclusively on CVEs, prompting debate over the future of decentralized vulnerability disclosure and the need for multi-source advisory tracking.
#0058 | Sophos | 17 days ago | LLM report | severity: high
Threat actors are evolving 'ClickFix' social engineering campaigns to target macOS users with the MacSync infostealer. Recent iterations bypass traditional security controls by tricking users into executing obfuscated terminal commands that deploy fileless, API-gated AppleScript payloads designed to harvest credentials, browser data, and cryptocurrency wallet seed phrases.
#0057 | CISA | 17 days ago | LLM report | severity: high
CISA has added CVE-2025-68613, an Improper Control of Dynamically-Managed Code Resources vulnerability in n8n, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation to reduce exposure to cyberattacks.
#0056 | Socket | 17 days ago | LLM report | severity: high
A coordinated supply chain attack on the Rust ecosystem involved five malicious crates masquerading as time utilities. These crates silently exfiltrated .env files containing sensitive developer credentials to a threat actor-controlled lookalike domain using background curl processes.
#0055 | Varonis | 17 days ago | LLM report | severity: high
The threat actor ShinyHunters is leveraging a modified version of the AuraInspector tool to exploit misconfigured Salesforce Experience sites. By targeting overly permissive guest user profiles, attackers can interact with backend Aura endpoints to enumerate and exfiltrate sensitive corporate data without requiring authentication.
#0054 | Trend Micro | 17 days ago | LLM report | severity: high
Trend Micro MDR uncovered an ongoing campaign by the KongTuke threat group utilizing compromised WordPress sites and fake CAPTCHA lures to trick users into executing malicious PowerShell commands. The attack leverages living-off-the-land binaries like finger.exe to deploy a Python-based backdoor known as modeloRAT, which focuses on enterprise environments for potential lateral movement and establishes persistence via scheduled tasks and registry keys.
#0053 | ESET | 17 days ago | LLM report | severity: critical
The Sednit threat group (APT28) has deployed a modernized espionage toolkit targeting Ukrainian military personnel. The toolkit consists of custom implants SlimAgent and BeardShell, alongside a heavily modified version of the Covenant framework, utilizing legitimate cloud storage providers for resilient Command and Control (C&C).