DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
The article provides a technical overview of Elastic Security XDR, detailing its capabilities in endpoint protection, cross-environment telemetry correlation, AI-driven investigations, and automated incident response workflows.
Morphisec Threat Labs analyzed a Linux variant of the Iranian-attributed Pay2Key ransomware. The malware requires root privileges to execute, utilizes a JSON configuration file, disables system defenses like SELinux and AppArmor, and employs ChaCha20 for full or partial file encryption while lacking built-in network C2 or exfiltration capabilities.
Threat actors are increasingly targeting Google Workspace as a foundational identity layer to pivot into interconnected SaaS applications. Modern attacks bypass traditional endpoint defenses by utilizing stolen credentials, OAuth abuse, and malicious inbox rules to conduct Business Email Compromise (BEC) and maintain persistent access.
This architectural analysis details the hidden mechanisms behind Google's synced passkeys, revealing a hybrid model that leverages a cloud-based authenticator (enclave.ua5v[.]com) for sensitive cryptographic operations while anchoring trust to local hardware keys. Understanding this infrastructure is critical for defenders to anticipate emerging attack vectors in passwordless authentication environments.
The Canadian Centre for Cyber Security issued a daily digest highlighting recent security updates for Google Chrome and Mozilla Firefox. Administrators are advised to update Chrome to version 146.0.7680.164/165 and Firefox to version 149 (or the respective ESR versions) to address unspecified vulnerabilities.
Cybercrime has evolved into a highly organized, corporate-style economy, complete with specialized departments and multi-million dollar revenues generated through tech support and subscription scams. Threat actors are increasingly leveraging generative AI for deepfakes and automated vishing, prompting defenders to adopt AI-driven countermeasures and behavioral tests to disrupt these social engineering operations.
Citrix has released security updates addressing two vulnerabilities in NetScaler ADC and Gateway, including a critical out-of-bounds read (CVE-2026-3055) and a high-severity race condition (CVE-2026-4368). These flaws can lead to sensitive information disclosure and user session mix-up, requiring immediate patching and session termination to prevent potential exploitation.
Oracle has disclosed a critical, unauthenticated remote code execution vulnerability (CVE-2026-21992, CVSS 9.8) affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw allows attackers to gain network access via HTTP due to a lack of network-level authentication, though no active exploitation has been observed yet.
North Korean threat group NICKEL ALLEY is targeting technology professionals and Web3 developers through fake job interviews and malicious code repositories. The group employs social engineering, the ClickFix tactic, and malicious VS Code tasks to deliver remote access trojans like PyLangGhost RAT and BeaverTail, primarily aiming for cryptocurrency theft and potential supply chain compromise.
Mandiant's M-Trends 2026 report highlights a severe divergence in adversary tactics. Cybercriminals are optimizing for speed, with initial access hand-offs collapsing to 22 seconds, and focusing on recovery denial by targeting hypervisors and backup infrastructure. Conversely, espionage groups are prioritizing extreme persistence by exploiting zero-days and deploying in-memory malware on unmonitored edge devices, while voice phishing has emerged as a primary vector for bypassing MFA and compromising SaaS environments.
Cisco Talos announced a podcast episode discussing their 2025 Year in Review report, which covers major cybersecurity trends such as rapid vulnerability weaponization, identity abuse, ransomware, and APT activity.
The Canadian Centre for Cyber Security released a daily digest of 9 security advisories covering critical vulnerabilities across major enterprise, Linux, and ICS platforms. Notably, a critical vulnerability in Craft CMS (CVE-2025-32432) is being actively exploited in the wild, and Citrix has patched critical flaws in NetScaler ADC and Gateway.
CanisterWorm is a worm-enabled supply chain attack that compromises legitimate npm publisher accounts to distribute a Python backdoor. The malware establishes user-level Linux persistence via systemd and utilizes an Internet Computer Protocol (ICP) canister as a dead-drop C2 to continuously fetch and execute secondary payloads, while simultaneously harvesting npm tokens to propagate itself to other packages.
Cisco Secure Firewall Management Center (FMC) is actively being targeted by unauthenticated attackers exploiting CVE-2026-20131, a critical insecure deserialization vulnerability. Exploitation grants root access, enabling attackers to completely compromise the firewall management platform, alter security policies, and pivot into the internal network.
A sophisticated supply chain attack compromised the official Trivy GitHub Action (aquasecurity/trivy-action) by force-pushing 75 version tags to malicious commits. The injected infostealer harvests sensitive CI/CD secrets from runner memory and filesystems, exfiltrating them to a typosquat domain or a fallback GitHub repository.
Anthropic's new 'Agent Skills' feature, which uses progressive disclosure to manage AI agent context windows, introduces a novel attack surface. The article outlines the top 10 critical threats to this ecosystem, including prompt injection, supply chain manipulation, and unauthorized code execution, highlighted by the recent OpenClaw malware incident.
CVE-2026-31979 is a high-severity local privilege escalation vulnerability in the Himmelblau Linux-to-Azure integration suite. By exploiting a time-of-check to time-of-use (TOCTOU) symlink race condition in the shared /tmp directory, an unprivileged local attacker can hijack root-level file operations to take ownership of critical system files, potentially enabling lateral movement into cloud infrastructure.
The US Department of Justice, alongside international authorities and industry partners including Akamai, successfully disrupted the Aisuru and Kimwolf IoT botnets. These hyper-volumetric botnets compromised up to 4 million IoT devices to launch record-breaking DDoS attacks exceeding 30 Tbps, which were used to cripple internet infrastructure and extort victims.
Following a major law enforcement takedown of its infrastructure on March 4, 2026, the Tycoon2FA Phishing-as-a-Service (PhaaS) platform has quickly reconstituted its operations. The platform continues to enable cybercriminals to bypass multifactor authentication (MFA) using Adversary-in-the-Middle (AiTM) techniques, leading to cloud account takeovers and Business Email Compromise (BEC).
The TeamPCP threat actor targets cloud-native and containerized environments to deploy cryptominers and ransomware. The attack chain involves initial access via web server exploitation, in-memory payload execution, Kubernetes API abuse for lateral movement, and node-level escape using privileged DaemonSets.
