cyfar.ca

DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.

Huntress · 8 days ago · LLM report · high

The Gentlemen (Ransomware) in Disguise: Defense Evasion and other TTPs

The Gentlemen ransomware operates as a Ransomware-as-a-Service (RaaS) model, utilizing affiliates who employ extensive defense evasion techniques. Recent incidents reveal attackers leveraging compromised RDP accounts, disabling Microsoft Defender via PowerShell, and establishing persistence through Scheduled Tasks that beacon to SOCKS proxy C2 servers.

Akamai · 8 days ago · LLM report · critical

CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal

A critical SQL injection vulnerability (CVE-2026-9082) in Drupal core allows unauthenticated attackers to exfiltrate sensitive data or bypass authentication. The flaw specifically affects Drupal environments utilizing a PostgreSQL database backend alongside the JSON:API, Views, or Entity autocomplete modules, stemming from the improper sanitization of PHP array keys before they reach the database abstraction layer.

Recorded Future · 9 days ago · LLM report · low

The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.

The emergence of AI-assisted vulnerability discovery tools has significantly compressed the timeline between vulnerability disclosure and active exploitation. To manage the resulting flood of disclosures, security programs must transition from manual triage to intelligence-led prioritization that automatically correlates vulnerabilities with real-world adversary activity at machine speed.

Canadian Centre for Cyber Security · 9 days ago · LLM report · medium

Cyber Centre Daily Advisory Digest — 2026-05-21 (2 advisories)

The Canadian Centre for Cyber Security issued a daily digest highlighting recent security advisories from Trend Micro and FreeBSD. The advisories address unspecified vulnerabilities in Trend Micro Apex One and Vision One Endpoint products, as well as all supported versions of FreeBSD, prompting immediate patching.

Trend Micro · 9 days ago · LLM report · high

One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign

A solo Russian-speaking threat actor tracked as 'bandcampro' leveraged jailbroken AI models to automate a multi-year influence operation and cryptocurrency fraud campaign targeting American conservative communities. The actor utilized AI for content generation, infrastructure management, password mutation for WordPress brute-forcing, and distributed a fake crypto wallet that installed the legitimate GoToResolve RMM tool for remote access.

EclecticIQ · 9 days ago · LLM report · high

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

A financially motivated eCrime campaign is leveraging SEO poisoning to impersonate AI coding assistants like Gemini CLI and Claude Code, tricking developers into executing a fileless PowerShell infostealer. The malware executes entirely in memory, disables Windows telemetry (ETW and AMSI), and harvests sensitive enterprise credentials, session tokens, and files before exfiltrating them to attacker-controlled infrastructure.

Zscaler ThreatLabz · 9 days ago · LLM report · medium

AI Prompt Data Leakage Prevention: 12 Real Examples

The article highlights the growing risk of prompt data leakage in Generative AI workflows, where sensitive information like PII, source code, and API keys are exposed through conversational interfaces. It outlines 12 common leakage scenarios and recommends a phased approach to implementing inline DLP, browser isolation, and content moderation to secure AI usage without hindering productivity.

Huntress · 9 days ago · LLM report · high

Beyond the RaaS Headlines: The Reality of Ransomware Tradecraft

The Ransomware-as-a-Service (RaaS) ecosystem relies heavily on affiliates who dictate the actual intrusion tradecraft, meaning a single ransomware brand can be associated with vastly different attack chains. Affiliates frequently abuse legitimate Remote Monitoring and Management (RMM) tools, exposed RDP, and vulnerable edge appliances for initial access, followed by the use of LOLBins and open-source utilities for persistence and data exfiltration.

Sophos · 10 days ago · LLM report · high

GitHub internal repositories breached

GitHub experienced an internal security incident where threat actor TeamPCP (UNC6780) compromised an employee's device using a malicious Visual Studio Code extension. The attacker harvested local developer secrets to clone approximately 3,800 internal repositories, which were subsequently listed for sale on a cybercrime forum.

Varonis · 10 days ago · LLM report · high

GitHub Breach via Malicious VS Code Extension: What You Need to Know

A malicious Visual Studio Code extension installed on a GitHub employee's endpoint provided the threat actor TeamPCP with access to exfiltrate approximately 3,800 internal repositories. The incident underscores the critical risk of IDE extensions serving as initial access vectors for supply-chain attacks, allowing threat actors to leverage developer privileges for large-scale data exfiltration.

Canadian Centre for Cyber Security · 10 days ago · LLM report · high

Cyber Centre Daily Advisory Digest — 2026-05-20 (5 advisories)

The Canadian Centre for Cyber Security released a daily digest of five security advisories on May 20, 2026. The advisories highlight critical and high-severity vulnerabilities across FreePBX, F5 NGINX, Google Chrome, HPE Aruba Networking products, and cPanel, urging administrators to apply vendor-supplied patches immediately to prevent potential exploitation.

Palo Alto Networks · 10 days ago · LLM report · high

Tracking TamperedChef Clusters via Certificate and Code Reuse

TamperedChef (also known as EvilAI) is a widespread threat campaign distributing trojanized productivity applications via malvertising. The threat actors heavily abuse legitimate code-signing certificates and employ delayed execution techniques to evade detection, ultimately deploying information stealers, RATs, or adware onto victim endpoints after a dormancy period.

Kaspersky · 10 days ago · LLM report · high

How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)

CVE-2026-3102 is a critical command injection vulnerability in ExifTool versions 13.49 and earlier on macOS. By embedding a malicious payload in an image's metadata and forcing ExifTool to copy it to the FileCreateDate tag using specific flags, an attacker can execute arbitrary shell commands with the privileges of the invoking user.

ESET · 10 days ago · LLM report · high

Webworm: New burrowing techniques

The China-aligned APT group Webworm has updated its toolset in 2025, shifting focus to European and South African targets. The group deployed two new custom backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API respectively for command and control. Additionally, Webworm utilizes a complex network of custom proxy tools and compromised infrastructure, including GitHub and Amazon S3, to stage payloads and exfiltrate data.

Akamai · 10 days ago · LLM report · high

This Is a Hold-Up: Financial Services Under Attack

Financial services are facing an escalating threat landscape characterized by massive DDoS attacks, AI-empowered botnets, and targeted web attacks against API endpoints. Attackers are increasingly exploiting overlooked DNS misconfigurations and leveraging hyperscale IoT botnets to bypass traditional IP reputation defenses, necessitating a shift toward behavioral heuristics and adaptive security architectures.

Varonis · 11 days ago · LLM report · medium

GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security

Varonis Threat Labs discovered 'GhostTree,' an evasion technique leveraging NTFS junctions to create recursive directory loops. By pointing multiple child junctions back to a parent directory, attackers can generate an exponentially large number of file paths, causing EDR and AV recursive scanners to hang and allowing malware to remain undetected.