
cyfar.ca

DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.

Infoblox · 16 days ago · LLM report · high

Lookalike Domains Expose the iPhone Theft Economy

Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware.

ANY.RUN · 16 days ago · LLM report · high

LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises

An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.

Kaspersky · 16 days ago · LLM report · high

Kimsuky targets organizations with PebbleDash-based tools

Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors.

ESET · 16 days ago · LLM report · high

FrostyNeighbor: Fresh mischief and digital shenanigans

FrostyNeighbor, a Belarus-aligned threat actor, has updated its toolset to target Ukrainian governmental organizations with a multi-stage compromise chain. The attack utilizes spearphishing with malicious PDFs that redirect to a RAR archive containing a JavaScript dropper, which ultimately deploys a Cobalt Strike beacon via the PicassoLoader malware following strict server-side and manual victim validation.

Check Point · 16 days ago · LLM report · critical

Thus Spoke…The Gentlemen

A recent leak of internal communications and backend data from 'The Gentlemen' RaaS operation has revealed the group's highly structured operational model and mature toolset. The threat actors actively exploit edge appliances and NTLM relay vulnerabilities for initial access, followed by extensive use of red-team tools and custom EDR evasion techniques to deploy their cross-platform ransomware.

Sophos · 16 days ago · LLM report · critical

May’s Patch Tuesday hauls out 132 CVEs

Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane.

Project Zero · 16 days ago · LLM report · critical

A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

Project Zero researchers developed a 0-click exploit chain for the Google Pixel 10 by chaining a known Dolby vulnerability (CVE-2025-54957) with a newly discovered, trivial local privilege escalation flaw in the device's VPU driver. The VPU vulnerability allowed unbounded physical memory mapping via the mmap syscall, granting arbitrary read/write access to the kernel image and enabling full device compromise.

Socket · 17 days ago · LLM report · medium

GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

The GemStuffer campaign leverages the RubyGems package registry as an unconventional data exfiltration channel. Threat actors deploy Ruby scripts that scrape UK local government portals, package the harvested data into valid .gem archives, and push them to RubyGems using hardcoded API keys. The malware demonstrates defense evasion by overriding the HOME environment variable to a /tmp directory to isolate its credential environment, or by bypassing the gem CLI entirely to perform direct API POST requests.

Trend Micro · 17 days ago · LLM report · critical

Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.

Microsoft · 17 days ago · LLM report · critical

Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise

A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access.

Check Point · 17 days ago · LLM report · high

The State of Ransomware – Q1 2026

In Q1 2026, the ransomware ecosystem experienced significant consolidation, with top groups like Qilin, Akira, The Gentlemen, and LockBit 5.0 dominating the landscape. Notably, The Gentlemen leveraged a massive stockpile of pre-exploited FortiGate devices (CVE-2024-55591) to rapidly scale operations, while LockBit 5.0 returned with multi-platform capabilities and a strategic shift away from US targets to evade law enforcement.

Socket · 17 days ago · LLM report · critical

TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack

A sophisticated supply-chain worm dubbed 'Mini Shai-Hulud' has compromised numerous high-profile npm and PyPI packages, including TanStack and Mistral AI. The heavily obfuscated payload targets CI/CD environments to systematically harvest credentials from GitHub, AWS, Vault, and Kubernetes. It autonomously propagates by minting npm publish tokens and committing malicious code to repositories, while exfiltrating stolen secrets via the Session P2P network.

Kaspersky · 17 days ago · LLM report · high

State of ransomware in 2026

The 2026 ransomware landscape is characterized by the adoption of post-quantum cryptography to thwart decryption efforts and a significant shift toward encryptionless, data-centric extortion. Threat actors are increasingly professionalizing their operations, standardizing EDR evasion via BYOVD (Bring Your Own Vulnerable Driver), and relying on Initial Access Brokers targeting edge infrastructure like RDWeb and VPNs.

Akamai · 17 days ago · LLM report · high

One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities

Security researchers discovered critical vulnerabilities in three widely used Model Context Protocol (MCP) servers—Apache Doris, Apache Pinot, and Alibaba RDS—stemming from insufficient back-end security validation. These flaws include SQL injection (CVE-2025-66335), missing authentication, and unauthenticated data exposure, allowing attackers to execute arbitrary commands or exfiltrate sensitive database metadata.

Cisco Talos · 17 days ago · LLM report · critical

Intelligence Center

Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including 31 critical flaws, 16 of which are Remote Code Execution (RCE) vulnerabilities. While no active exploitation has been observed, critical flaws affect core services like Windows Netlogon, DNS Client, and Azure Managed Instances, prompting the release of Snort detection rules by Cisco Talos.

Cisco Talos · 17 days ago · LLM report · high

Intelligence Center

State-sponsored threat actors operate with a fundamentally different methodology than financially motivated criminals, prioritizing long-term stealth over immediate disruption. By leveraging valid credentials and living-off-the-land (LOTL) techniques such as PowerShell and WMI, these adversaries bypass traditional signature-based detections. Defending against and responding to these threats requires organizations to shift toward continuous behavioral baselines, enhanced telemetry (e.g., Event IDs 4688, 4104, Sysmon), and strategic incident response plans that account for complex containment decisions and supply chain risks.

Sophos · 17 days ago · LLM report · medium

Inside the lethal trifecta: Blast radius reduction in AI agent deployments

AI agents deployed in enterprise environments are highly susceptible to indirect prompt injection attacks, enabling data theft and unauthorized actions. Security teams must adopt an 'assume breach' architecture for LLMs, focusing on blast radius reduction through agent sandboxing, credential isolation, egress restrictions, and human-in-the-loop governance.

Palo Alto Networks · 17 days ago · LLM report · critical

Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

Active Directory Certificate Services (AD CS) is increasingly targeted by threat actors to achieve privilege escalation and persistence through misconfigured certificate templates and shadow credential abuse. By leveraging tools like Certipy and Whisker, attackers can bypass traditional credential defenses, necessitating behavioral detection strategies focused on LDAP enumeration, anomalous certificate issuance, and directory modifications.