// cybersecurity analysis

Cybersecurity Threat Intelligence and Attack Analysis

Breaches don't wait. Neither should your understanding.

Attack breakdowns, defense strategies, and threat intelligence. No noise, no hype. Just the clarity you need to understand what's happening and what to do about it.

Latest

GearDoor: The Backdoor That Hides Inside Google Drive

A China-linked espionage group has turned one of the world's most trusted cloud services into a covert command channel. GearDoor, a custom .NET backdoor tied to the Silver Dragon threat cluster, communicates entirely through Google Drive — leaving no suspicious server traffic for defenders to catch. APT41-linked, active since mid-2024, and confirmed across government targets in Europe and Southeast Asia.

CISA Adds Wing FTP CVE-2025-47813 to KEV: Server Path Leak Fuels Active Attacks

CISA added Wing FTP Server CVE-2025-47813 to its KEV catalog on March 16, 2026. The medium-severity information disclosure flaw leaks server paths and is being chained with a critical RCE vulnerability. Federal agencies face a patch deadline of March 30.

Iran-Linked Handala Group Wipes 200,000 Stryker Systems, Knocking NHS Defibrillator Orders Offline

Iran-linked group Handala wiped 200,000 Stryker systems in a wiper attack that knocked NHS defibrillator and medical supply orders offline across the UK.

CVE-2026-32746: Unpatched Telnetd Buffer Overflow Gives Attackers Root Before Login

A CVSS 9.8 pre-authentication buffer overflow in GNU InetUtils telnetd — unpatched as of March 20, 2026 — lets any unauthenticated attacker reach root on an affected system before a login prompt appears. The vulnerable code is 32 years old and present across FreeBSD, NetBSD, Citrix NetScaler, and over a dozen other platforms beyond Linux.

The Four-Front War: How Nation-States Now Combine Espionage, Theft, Insiders, and Ransomware Into a Single Program

Nation-states now blend espionage, billion-dollar financial theft, insider infiltration, and ransomware into unified cyber programs that no single defense strategy can stop. The Bybit heist, Lazarus Group, and Famous Chollima show why the line between criminal and state-sponsored threat is no longer operationally meaningful.

Camaro Dragon Hits Qatar: PlugX and Cobalt Strike Hidden Behind Fake War News

China-linked Camaro Dragon deployed PlugX and Cobalt Strike against Qatar's energy and military sectors within 24 hours of the March 2026 Middle East escalation, using conflict-related lures to turn geopolitical crisis into targeting opportunity.

Inside CL-STA-1087: China-Linked Hackers Spent Years Inside Southeast Asian Military Networks

A China-nexus threat group tracked as CL-STA-1087 maintained persistent access inside Southeast Asian military organizations from at least 2020 to 2025 — deploying novel backdoors including AppleChris and MemFun, harvesting credentials with a custom tool called Getpass, and routing command-and-control through Pastebin dead drop resolvers to evade detection.

APT55: Iran's Quiet Intelligence-Gathering Arm Targeting U.S. Energy and Defense

APT55 is an IRGC-CEC affiliated espionage group that targets energy sector and defense-adjacent personnel through precision spear-phishing and credential harvesting — not to disrupt systems, but to build the intelligence picture that Iran's other actors act on.

APT33: Iran's Peach Sandstorm Has Quietly Become One of the Most Dangerous Threats to Western Infrastructure

APT33 — Iran's IRGC-linked cyber unit — has escalated from spear-phishing to cloud-native attacks using Tickler malware and Azure C2, now targeting OT infrastructure.

LexisNexis L&P Confirms Data Breach After Hacker Leaks Stolen Information

FulcrumSec exploited an unpatched CVE-2025-55182 (React2Shell, CVSS 10.0) flaw in LexisNexis Legal & Professional's AWS infrastructure and walked away with 3.9 million database records — including accounts linked to federal judges, DOJ attorneys, and SEC staff. A single over-privileged ECS task role and a password reused five times turned a bad entry point into a full account traversal.

15.8 Million French Patient Records Exposed in Cegedim Santé Supply Chain Attack

Attackers compromised Cegedim Santé’s MonLogicielMedical platform and extracted 15.8 million patient records — the largest confirmed medical data breach in French history. Among the stolen files: free-text doctor annotations containing HIV status, sexual orientation, and other highly sensitive disclosures for at least 165,000 individuals.

Blocked by SSRF: The Vulnerability Stalling Cloud Moves and Funding Ransomware Campaigns

SSRF vulnerabilities are blocking cloud migrations and enabling credential theft at scale. Here is what the 2025 surge data means for every team still running IMDSv1.

Interlock Ransomware Exploited Cisco Firewall Zero-Day for 36 Days Before Anyone Knew

The Interlock group spent five weeks silently exploiting CVE-2026-20131 — a CVSS 10.0 Java deserialization flaw in Cisco Secure FMC — before Cisco published a patch. Amazon MadPot telemetry traced active exploitation to January 26, 2026. No credentials required. Root access on the management plane for every firewall under that FMC's control.

Passwordless Authentication Implementation for Hybrid Teams

Over 16 billion passwords compromised since 2025 — and hybrid teams face every obstacle at once: on-premises Active Directory, legacy VPN clients, RADIUS-dependent systems, and workers without corporate accounts. A full look at the FIDO2 architecture, phased rollout, the gaps nobody talks about, and what a real 2026 implementation actually requires.

DNS Rebinding Is Back — and This Time It’s Coming for Your AI Stack

Four critical CVEs in Ollama, the MCP TypeScript SDK, the MCP Python SDK, and Microsoft’s Playwright MCP server in 2024–2025 exposed a structural truth: localhost is not a security boundary. A technical breakdown of how DNS rebinding works, why AI tooling became the new high-value target, and what Chrome’s Local Network Access actually fixes — and what it doesn’t.

Apple Patches CVE-2026-20643: WebKit Cross-Origin Flaw That Could Let Malicious Sites Steal Tab Data

A cross-origin flaw in WebKit's Navigation API could allow a malicious page to bypass the Same Origin Policy and access data from other open browser sessions. Apple closed it via the first-ever public Background Security Improvement — a cryptex-based patch that applies without a full OS reinstall.

Shadow AI: Detecting Unauthorized Generative AI Tools on Corporate Networks

Over half of enterprise generative AI adoption is now shadow AI — ungoverned, invisible, and already producing data policy violations at scale. A full look at the five-layer detection stack, what to do after you find it, the vendor blind spot no one is talking about, and how organizations without enterprise tooling can still close the gap.

FCA Confirms Mandatory Cyber Incident Reporting Rules: What UK Firms Must Do by March 2027

PS26/2 is live. The FCA, PRA, and Bank of England have created a unified regime requiring financial firms to report cyber incidents within 24 hours and maintain a material third-party register submitted annually via RegData. SMF24 carries personal accountability. Enforcement begins 18 March 2027.

Nation-State Cyber Attacks in 2026: Salt Typhoon, APT28, Lazarus Group, and Iran's Expanding Cyber War

Salt Typhoon remains unresolved inside U.S. telecom networks, APT28 weaponized a Microsoft Office zero-day within 24 hours, North Korea's Lazarus Group pivoted from crypto heists to hospital ransomware, and Iran's Handala disrupted a U.S. medical device company across 79 countries in the first major American enterprise disruption of the 2026 Iran conflict.

CVE-2026-23813: HPE AOS-CX Switches Allow Unauthenticated Admin Password Reset

A CVSS 9.8 authentication bypass in the web management interface of HPE Aruba CX-series switches lets any remote attacker reset the administrator password with no credentials and no user interaction. Affects 13 hardware platforms across campus and data center tiers. Patches are available now.

WhatsApp View Once Has Been Bypassed Four Times. Meta Won't Patch the Latest.

A fourth bypass for WhatsApp's View Once feature has been disclosed by researcher Tal Be'ery of Zengo. Meta confirmed it won't patch it — arguing modified clients fall outside its security model. The flaw is architectural: a single client-side flag, no server enforcement, media retained for up to two weeks.

DeKalb County, Indiana: A 35-Day Intrusion, a Six-Month Silence, and a Federal Safety Net That Wasn't There

An unauthorized actor spent 35 days inside DeKalb County's network before anyone knew. Residents waited 164 days for notification. The breach maps to eight MITRE ATT&CK techniques across the full kill chain — and landed five days before the MS-ISAC lost its federal funding.

245% and Rising: The Iran Cyber Threat the Government and Researchers Can't Agree On

A 245% surge in cyberattacks followed the U.S.-Israel strikes on Iran. Stryker was wiped across 79 countries. Here is what the data shows — and where the government and researchers disagree.

Teamsters Local 175 Data Breach: INC RANSOM Hit Workers' SSNs and CDL Records

Teamsters Local 175 confirmed a ransomware attack by INC RANSOM exposed names, Social Security numbers, and CDL data of 24,780 workers across four states. The attack followed a documented INC RANSOM playbook: silent exfiltration through MEGASync, encryption with .inc-extension payloads, and a dark web leak site claim before the union acknowledged the incident publicly.

Sednit Reloaded: How APT28 Rebuilt Its Espionage Toolkit to Target Ukraine

Russia's APT28 quietly shelved its custom malware for years — then returned in 2024 with a three-component toolkit (SlimAgent, BeardShell, and a weaponized Covenant) actively targeting Ukrainian military personnel. The code traces back to implants from the 2016 DNC hack. Machines stayed under undetected surveillance for over six months.

238,000 Reasons Emergency Services Can't Ignore Ransomware

Medusa spent seven days undetected inside Bell Ambulance's network, exfiltrated 219.5 GB, demanded $400,000, and published everything when they didn't get it. The final count: 237,830 people's SSNs, medical records, and financial data in criminal circulation — confirmed a full year after the attack began.

The IDMerit KYC Leak: One Billion Identity Records, Zero Password Protection

A California identity verification company left a MongoDB database completely open on the public internet. No hack required. Inside: roughly one billion KYC records — national IDs, phone numbers, home addresses — across 26 countries. The public found out 99 days later.

CVE-2026-22769: The Dell RecoverPoint Backdoor That Ran for 18 Months

A CVSS 10.0 hardcoded credential in Dell RecoverPoint for VMs gave China-linked UNC6201 root-level access to enterprise backup infrastructure for 18 months. No authentication required. The credential was in a plaintext config file the entire time.

Your AI Assistant Was the Attack: Inside CVE-2026-0628 and the Glic Jack Chrome Exploit

A malicious Chrome extension with basic permissions could hijack Google's Gemini Live AI panel and silently inherit access to your camera, microphone, local files, and every authenticated session in your browser. The bug is patched. The architecture problem it exposed is not.

How Handala Turned Microsoft Intune Into a Weapon Against Stryker

Iran-linked group Handala didn't deploy malware. They logged into Stryker's Microsoft Intune console and issued factory-reset commands to 200,000+ devices across 79 countries — shutting down one of the world's largest medical technology companies without writing a single line of malicious code.

Microsoft March 2026 Patch Tuesday: 83 CVEs, Two Zero-Days, and a Copilot Exfiltration Flaw

Eight Critical CVEs, two publicly disclosed zero-days, and an Excel vulnerability that enables zero-click data exfiltration through Microsoft 365 Copilot. The Preview Pane RCE bugs fire before a file is opened. The Entra ID EoP touches the identity backbone of every Microsoft cloud tenant. Here is what actually needs patching first.

Ransomware Hits Community College of Beaver County: What Happened and Why It Keeps Happening

On the first day of spring break, unknown attackers encrypted all of CCBC's data and demanded ransom. A full account of the cryptolocker-style attack, why higher education is structurally ideal for ransomware operators, and the solutions most institutions are not actually implementing.

No Malware. No Alerts. 216 Servers Gone.

A threat actor registered a free Elastic Cloud trial, pushed stolen data from 216 hosts across 34 organizations into it, and used Kibana's built-in analytics to triage which victims were worth hitting harder — all without a single piece of malware touching the wire.

ClickFix IOCs: What Defenders Need to Hunt Right Now

A technical reference covering behavioral IOCs, PowerShell patterns, RunMRU forensics, FileFix, CrashFix, JackFix, ConsentFix, GlitchFix, nation-state TTPs, MITRE ATT&CK mappings, and Sigma and KQL detection rules — including variants that postdate most published guidance.

Fake Rust Crates and an AI Bot Turned Developer Pipelines Into Data Exfiltration Channels

Five malicious Rust packages quietly stole environment secrets from developer machines and CI pipelines. Simultaneously, an AI-powered bot scanned open-source repositories for misconfigured workflows and used a stolen token to push poisoned VS Code extension releases that weaponized developers' own AI coding tools against them.

One npm Update. Full AWS Admin Access in 72 Hours.

UNC6426 used a trojanized nx npm package and the QUIETVAULT credential stealer to steal a developer's GitHub token, then chained GitHub-to-AWS OIDC trust abuse and an overpermissive CloudFormation role into full AWS administrator access — in under three days. No zero-days required.

The Ericsson Data Breach: How One Phone Call Exposed 15,661 People

A vishing attack on a law firm handling Ericsson's U.S. tax matters gave attackers access to files containing the SSNs and personal data of 15,661 employees. The vendor waited six months to tell Ericsson. Affected individuals had no way to protect themselves during the entire interval.

Russia Is Hijacking Signal and WhatsApp Accounts. No Encryption Was Broken.

Dutch intelligence confirmed Russian state hackers are running a sustained, global campaign to seize Signal and WhatsApp accounts from government officials, military personnel, and journalists. The encryption was never touched. The attacks went straight for the person holding the phone.

SSH Hijacking: How Attackers Steal Sessions No One Is Watching

An attacker with a foothold on your network doesn't need your SSH password or your private key. In certain conditions, they can walk directly into an authenticated session someone else already opened — silently, in real time, leaving almost no trace in the logs that matter.

Weaponized AuraInspector: How Threat Actors Are Mass-Scanning Salesforce Experience Cloud

A defensive tool built to help Salesforce admins find misconfigurations has been repurposed into a mass-scanning weapon. ShinyHunters modified Mandiant's open-source AuraInspector into an automated CRM data harvester, quietly targeting hundreds of organizations since September 2025.

The MSG Data Breach Was the Symptom. Oracle EBS Was the Disease.

Madison Square Garden confirmed 131,070 people had their Social Security numbers stolen. The real story is Cl0p spending four months inside Oracle E-Business Suite infrastructure — hitting 100+ organizations including Harvard, The Washington Post, and Logitech — before anyone knew a patch was even needed.

Dust Specter: How an Iranian APT Used AI and Fake Government Portals to Compromise Iraq

An Iran-nexus APT spent months building four previously undocumented malware families, compromised a legitimate Iraqi government subdomain to host its payloads, and left AI fingerprints in the decompiled code. A full technical and geopolitical analysis of what the evidence actually reveals.

CVE-2026-3102: The Photo That Pwns Your Mac

A single photograph can silently execute code on your Mac without you clicking anything, opening anything, or doing anything wrong. CVE-2026-3102 is a real, patched-but-widely-unmitigated remote code execution vulnerability inside one of the most trusted tools in photography, digital forensics, and investigative journalism.

Already Inside: How Iran's MuddyWater APT Quietly Embedded Itself in U.S. Critical Infrastructure

Iran's MuddyWater has been embedded in the networks of a U.S. bank, a U.S. airport, a defense software supplier, and a Canadian nonprofit since February 2026 — weeks before the strikes that killed Khamenei. A full technical and strategic analysis of the Dindoor and Fakeset backdoors, three exposed C2 frameworks, and what pre-positioned access on U.S. infrastructure actually means.

Two Lines of Code, Four Million Downloads, Zero Authentication

This is the story of how two missing validation functions inside a well-intentioned open-source project exposed millions of developer machines to a network-adjacent attacker who needed to send exactly two HTTP requests.

They Didn't Steal Your Password. They Used the Login Page Against You.

A phishing campaign targeting U.S. government agencies weaponized Microsoft and Google's own OAuth infrastructure to deliver malware and capture sessions — no exploits, no stolen credentials, just a standard RFC redirect working exactly as designed. A full technical breakdown of the five-stage attack chain, EvilProxy, and Steam DLL sideloading.

CVE-2023-41974: The Apple iOS Kernel Flaw That Came Back to Bite

When Apple shipped iOS 17 in September 2023, the release notes included a quiet acknowledgment: a memory handling issue had been resolved in the kernel. The credit went to security researcher Félix Poulin-Bélanger. That one-line credit corresponded to CVE-2023-41974, a physical use-after-free vulnerability in Apple's XNU kernel that, when exploited, gave an attacker with app-level access the ability to read and write kernel memory — effectively owning the device.

33,000 Records, One Drive Full of Forgotten Data, and a Ransomware Gang Called Medusa

Clackamas Community College was hit by ransomware for the second time in two years — this time by Medusa, exposing 33,381 records including Social Security numbers, passport numbers, and medical data. A deep technical analysis of how Medusa operates, why education keeps getting hit, and what it means for everyone whose records live inside a school's servers.

Dohdoor: The Stealthy New Backdoor Targeting U.S. Education and Healthcare

A suspected North Korean threat actor is deploying a new backdoor that hides its command-and-control traffic inside encrypted DNS queries routed through Cloudflare, uses legitimate Windows executables to sideload its malware, and unhooks system calls to bypass EDR. Full technical analysis of the UAT-10027 campaign.

When Espionage Moves Next Door: UnsolicitedBooker's Pivot to Central Asian Telecom Networks

China-aligned APT group UnsolicitedBooker has pivoted from targeting a Saudi organization to telecom companies in Kyrgyzstan and Tajikistan, deploying LuciDoor and MarsSnake backdoors in a campaign that signals growing espionage interest in Central Asian telecommunications infrastructure.

Under Siege: The Complete History of VMware Vulnerabilities, Exploits, and Nation-State Attacks

A comprehensive technical and strategic analysis of VMware security incidents from 2021 to 2026 — covering critical CVEs, mass ransomware campaigns, nation-state zero-day exploitation, and the evolving threat landscape targeting enterprise virtualization infrastructure.

Autonomous AI Agents Provide a New Class of Supply Chain Attack

How threat actors are weaponizing AI plugin ecosystems, agent trust, and machine-speed social engineering to compromise systems at scale — from the Bob P2P crypto scam on ClawHub to the ClawHavoc campaign that poisoned 20% of the marketplace.

ShinyHunters Beats the House in Vegas: The Wynn Resorts Breach and the Gang Rewriting the Rules of Cybercrime

How a prolific extortion crew combined an Oracle PeopleSoft flaw, stolen credentials, and a $1.5 million ransom demand to hit one of Las Vegas's most iconic casino empires — and why this attack is part of a much bigger story.

The Exposed Number: PayPal, the Social Security Number, and the Ancient Bargain We Never Meant to Make

PayPal’s Working Capital breach exposed Social Security numbers for 165 days, revealing not just a coding error but the deep systemic failures of America’s digital identity infrastructure — built on a nine-digit number that was never designed to be secret.

When the AI Reads the Mail It Was Never Supposed to See: The Microsoft 365 Copilot Confidential Email Incident

A code defect in Microsoft 365 Copilot (CW1226324) silently bypassed sensitivity labels and DLP policies for weeks, summarizing confidential emails from Sent Items and Drafts — the second time in eight months that Copilot violated its own trust boundary, and no security tool in the stack caught either one.

When Trust Becomes the Weapon: Inside the ClickFix/MIMICRAT Campaign Redefining Cyber Threats in 2026

How attackers weaponize human trust, abuse legitimate infrastructure, and deploy a custom RAT that defeats nearly every layer of enterprise defense — from compromised websites to CloudFront C2 relays, ETW/AMSI bypass, and a 22-command native implant built from scratch.

CVE-2024-55591: The FortiOS Authentication Bypass That Handed Attackers the Keys to the Kingdom

How a flaw in Fortinet's Node.js WebSocket module gave unauthenticated attackers super-admin privileges — and how NightSpire ransomware turned it into a primary weapon, accumulating over 140 victims across 33 countries.

Your Office Phone Is a Spy: CVE-2026-2329 and the Grandstream Vulnerability Explained

A critical unauthenticated stack-based buffer overflow in Grandstream GXP1600 VoIP phones lets attackers gain root access, steal credentials, and intercept calls — silently. Metasploit modules are public, thousands remain unpatched, and the barrier to exploitation is near zero.

The Trust Trap: Wikipedia's 695,000-Link Problem and What It Teaches Us About Third-Party Dependency Risk

Wikipedia blacklisted every link to a web archiving service after its operator weaponized visitor browsers in a DDoS attack and tampered with archived pages. A case study in what happens when critical infrastructure is entrusted to an anonymous third party.

AI Did the Hacking: How a Low-Skill Attacker Compromised 600+ Firewalls in 38 Days

Amazon Threat Intelligence uncovered a Russian-speaking threat actor using commercial AI to compromise over 600 FortiGate devices across 55 countries in 38 days — scripting attacks, evading detection, and moving laterally through Active Directory without the technical skill the scale would suggest.

Operation CYBER GUARDIAN: Inside Singapore's Largest Cyber Defense Operation Against APT Actor UNC3886

For eleven months, over 100 cyber defenders from six government agencies worked alongside Singapore's four major telcos to hunt, contain, and evict a sophisticated nation-state threat actor that had breached all of their networks.

They Didn't Hack Booking.com. They Weaponized It.

How a multi-stage fraud operation turned hotel staff into unwitting attack vectors and guests into repeat victims — exploiting inherited trust, ClickFix social engineering, and an industrialized criminal marketplace built around the hospitality sector.

CANFAIL Malware: How a Suspected Russian Threat Actor Is Using AI to Target Ukraine's Critical Infrastructure

A previously undocumented group leverages LLM-generated phishing lures, multi-stage JavaScript payloads, and WebSocket RATs in a sustained campaign against defense, energy, and humanitarian organizations.

Your Backup Was the Backdoor

How a forgotten credential in Dell RecoverPoint turned your most trusted recovery tool into an 18-month espionage platform for a Chinese APT. A technical breakdown of CVE-2026-22769 and the kill chain from config file to Ghost NICs.

The UMMC Ransomware Attack: What Happened When Mississippi's Largest Hospital Went Dark

On February 19, 2026, ransomware tore through the University of Mississippi Medical Center's infrastructure, locking staff out of Epic, closing all 35 clinics statewide, and triggering a multi-agency federal response.

The Conduent Breach: 84 Days Inside a Government Contractor, 25 Million Victims

How the SafePay ransomware group spent 84 days undetected inside a company that holds sensitive data for 100 million Americans — exfiltrating 8.5 terabytes of healthcare and social services records.

Keenadu: The Firmware Backdoor That Ships Inside the Box

How a new Android backdoor compromises tablets at the firmware level during manufacturing, injects into Zygote to infect every app, sleeps for 2.5 months, and connects to three of the largest Android botnets ever documented.

The Token Is the Key: How OAuth Device Code Phishing Renders MFA Irrelevant

A deep technical breakdown of how attackers are abusing the OAuth 2.0 Device Authorization Grant to bypass Microsoft 365 MFA without intercepting a single credential.

Odido Breach: How a Single CRM System Handed 6.2 Million Identity Theft Starter Kits to Unknown Attackers

A compromised customer contact system at the Netherlands' largest mobile carrier exposed names, bank accounts, government IDs, and dates of birth for one-third of the Dutch population.

ClickFix: The Copy-Paste Attack That Turns You Into Your Own Worst Enemy

How a social engineering technique surged over 500% in 2025 by turning victims into their own attackers. Nation-state adoption from North Korea, Iran, and Russia.

CVE-2026-1731: BeyondTrust Pre-Auth RCE in the Same Endpoint Silk Typhoon Used

A CVSS 9.9 command injection in the same WebSocket endpoint Silk Typhoon used to breach the U.S. Treasury. PoC dropped February 10, active compromises confirmed by February 13.

AgreeToSteal: A Dead Outlook Add-In Became Microsoft's First Marketplace Phishing Weapon

How an attacker claimed an orphaned Vercel subdomain, inherited Microsoft's trust, and turned a dead scheduling tool into a phishing page served inside Outlook's sidebar.

Reversing LummaC2: Inside the Stealer That Survived a Global Takedown

A deep-dive into how LummaC2 v4.0 actually works: trigonometry-based anti-sandbox, PEB walking, Heaven's Gate, control flow flattening — and why the largest coordinated malware takedown in history only slowed it down for two days.

ToolShell: From Pwn2Own Demo to the Worst SharePoint Zero-Day in History

A full technical breakdown of the exploit chain that turned a $100K Pwn2Own demo into 400+ compromised organizations: auth bypass, .NET deserialization RCE, and three Chinese APTs racing to exploit it.

BYOVD: The Windows Kernel Internals That Let Attackers Kill Your EDR

A deep dive into EPROCESS structures, Protected Process Light, kernel callbacks, Driver Signature Enforcement gaps, and the arms race between EDR killers and Microsoft's defenses.
