#0415 | Socket | 17 days ago | LLM report | severity: low
Socket.dev has launched an experimental PHP reachability analysis tool designed to reduce vulnerability alert fatigue. By performing deep static analysis of function-level call graphs, including complex PHP dispatch patterns, the tool determines whether known CVEs in dependencies are actually executable within an application's context.
#0414 | Arctic Wolf | 17 days ago | LLM report | severity: high
A widespread phishing campaign is leveraging the Kali365 Live Phishing-as-a-Service (PhaaS) platform to execute device code phishing and AiTM attacks. By tricking users into authorizing legitimate Microsoft device login requests, threat actors steal OAuth access and refresh tokens, bypassing traditional credential-based defenses and MFA to gain persistent access to Microsoft 365 environments.
#0413 | Akamai | 17 days ago | LLM report | severity: high
The cybersecurity landscape is experiencing a shift towards industrialized exploitation driven by offensive AI and LLMs. These technologies act as orchestrators that rapidly discover vulnerabilities and generate exploits, necessitating defensive AI and behavioral analytics to counter machine-scale attacks.
#0412 | Sophos | 17 days ago | LLM report | severity: critical
A coordinated supply chain attack compromised official distribution channels for Checkmarx KICS and the Bitwarden CLI, pushing malicious updates designed to harvest developer credentials, cloud keys, and AI assistant configurations. The payloads exfiltrated data to a shared C2 domain and exhibited advanced techniques, including weaponizing stolen GitHub tokens to inject malicious workflows and using victim repositories as dead drops.
#0411 | Kaspersky | 17 days ago | LLM report | severity: high
A novel, unpatched local privilege escalation technique dubbed PhantomRPC exploits an architectural weakness in Windows RPC. By deploying a malicious RPC server that mimics unavailable legitimate services, an attacker with SeImpersonatePrivilege can intercept high-privileged RPC calls and elevate to SYSTEM or Administrator.
#0410 | Socket | 17 days ago | LLM report | severity: low
Socket has introduced a new Data Exports feature for its Enterprise customers, enabling the automated daily export of security alert data to customer-owned AWS S3, Google Cloud Storage, or Azure Blob Storage buckets. This integration supports multiple formats (JSON, CSV, Parquet) and modes (Full Snapshot, Incremental) to streamline ingestion into existing SIEM platforms and internal analytics workflows.
#0409 | ANY.RUN | 17 days ago | LLM report | severity: critical
A new phishing campaign targets Brazilian users with fake judicial summons to deliver agenteV2, a Nuitka-compiled interactive banking trojan. The malware establishes a persistent WebSocket backdoor for live screen streaming and remote shell access, enabling attackers to conduct real-time, operator-assisted financial fraud.
#0408 | Recorded Future | 17 days ago | LLM report | severity: low
The article advocates for a paradigm shift in cybersecurity from manual, reactive threat intelligence to autonomous, machine-speed defense. It emphasizes the need for unified visibility across cyber operations, digital risk, third-party risk, and payment fraud to effectively counter modern, automated threats.
#0407 | CISA | 17 days ago | LLM report | severity: high
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new actively exploited vulnerabilities affecting Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X devices. Organizations are strongly urged to prioritize patching these flaws, which include path traversal and command injection vectors, to reduce their exposure to cyberattacks.
#0406 | Socket | 17 days ago | LLM report | severity: critical
The Bitwarden CLI npm package was compromised in a supply chain attack linked to the ongoing Checkmarx campaign. The malicious payload, injected via GitHub Actions, harvests extensive cloud and developer credentials, exfiltrating them through unauthorized GitHub repositories and a dedicated C2 server while employing a Russian locale kill switch and shell profile persistence.
#0405 | Akamai | 17 days ago | LLM report | severity: high
Akamai researchers discovered that Microsoft's patch for an APT28 zero-day (CVE-2026-21510) was incomplete, resulting in a new zero-click authentication coercion vulnerability (CVE-2026-32202). While the patch successfully mitigated remote code execution by adding SmartScreen verification, it failed to prevent Windows Explorer from initiating an SMB connection to resolve UNC paths during icon extraction, allowing attackers to steal Net-NTLMv2 hashes without user interaction.
#0404 | SentinelOne | 17 days ago | LLM report | severity: critical
SentinelLABS discovered fast16, a sophisticated 2005 cyber sabotage framework that uses a Lua-based carrier and a kernel driver to selectively patch high-precision calculation software in memory. The malware subtly corrupts floating-point arithmetic in engineering and simulation tools, representing an early, state-level capability for physical-world sabotage.
#0403 | Trail of Bits | 17 days ago | LLM report | severity: info
Trail of Bits has released Trailmark, an open-source library that converts source code into queryable call graphs to enhance AI-assisted security analysis. By integrating with Claude Code, Trailmark enables advanced mutation testing triage, blast radius analysis, and the identification of architectural bottlenecks in cryptographic libraries.
#0402 | Recorded Future | 17 days ago | LLM report | severity: low
This thought leadership article emphasizes the critical role of digital trust and proactive threat intelligence in fostering economic growth. It highlights the partnership between Recorded Future and Mastercard and underscores the need for enhanced public-private collaboration to address rising cyber threats, particularly noting the surge of ransomware incidents in Latin America.
#0401 | Mandiant | 17 days ago | LLM report | severity: critical
Google Threat Intelligence Group identified UNC6692, a threat actor utilizing Microsoft Teams phishing and email bombing to deploy a custom modular malware suite. The attack chain leverages a malicious Chromium extension (SNOWBELT), a Python tunneler (SNOWGLAZE), and a Python bindshell (SNOWBASIN) to establish persistence, move laterally, and exfiltrate sensitive Active Directory data via legitimate cloud services.
#0400 | NCSC | 17 days ago | LLM report | severity: low
The UK's National Cyber Security Centre (NCSC) has updated its official guidance to recommend passkeys as the default authentication method for consumers and businesses, replacing traditional passwords. Passkeys provide superior resilience against modern cyber threats, particularly phishing and credential theft, while offering a faster, more user-friendly login experience.
#0399 | Socket | 17 days ago | LLM report | severity: critical
A sophisticated supply chain attack compromised official Checkmarx KICS Docker images and VS Code extensions, injecting malware designed to harvest and exfiltrate cloud, developer, and CI/CD credentials. The threat actor, believed to be TeamPCP, utilized the Bun runtime to execute the payload, subsequently abusing stolen GitHub and NPM tokens to propagate the infection through malicious GitHub Actions workflows and poisoned NPM packages.
#0398 | Socket | 17 days ago | LLM report | severity: low
Socket has introduced Organization Notifications, a new feature allowing security teams to subscribe to, filter, and receive batched email updates for organization-level security alerts. This capability aims to streamline vulnerability management and reduce alert fatigue by grouping updates and sending them at most every 20 minutes, with Slack and Microsoft Teams integrations planned for the future.
#0397 | NCSC | 17 days ago | LLM report | severity: high
An international coalition of cyber agencies has issued a joint advisory warning that China-linked threat actors are leveraging covert networks of compromised edge devices to disguise their attacks. The advisory highlights the growing problem of 'IOC extinction' and urges organizations to shift towards dynamic threat filtering and behavioral baselining of edge device traffic to maintain effective defense.
#0396 | Cisco Talos | 17 days ago | LLM report | severity: high
Cisco Talos' Q1 2026 incident response trends highlight a resurgence in phishing as the primary initial access vector, augmented by AI tools like Softr for rapid credential harvesting. Threat actors are increasingly abusing legitimate tools such as TruffleHog to discover exposed secrets, while specific campaigns like UAT-4356 have been observed exploiting n-day vulnerabilities to deploy custom backdoors on network devices.