Defender Operations
45 articles
Detection engineering, incident response, SOC operations, and hardening work.
[HIGH] Metasploit Adds Vim Plugin Persistence, Exploits for Three CVEs
Rapid7's Metasploit Framework adds Vim plugin persistence, exploits for CVE-2025-6793 (Marvell QConvergeConsole), CVE-2024-48760 (GestioIP), and CVE-2023-30253 (Dolibarr).
[HIGH] Signal Adds In-App Warnings to Block Russian-Linked Phishing Attacks
Signal introduced new in-app confirmations and warnings to counter phishing attacks linked to Russian state hackers who abused the Linked Device feature to hijack high-profile...
[CRITICAL] Instructure Pays Ransom to ShinyHunters After Canvas Breach
Instructure paid ShinyHunters after two Canvas intrusions stole data from 9,000 institutions. Congress launched an investigation into the ed-tech vendor's incident response.
[HIGH] Active Directory Password Resets Fail to Expel Attackers
Specops Software explains how cached credentials, Kerberos tickets, and ACL persistence let attackers survive password resets in AD and hybrid Entra ID environments.
[HIGH] NWHStealer Uses Bun JavaScript Runtime to Evade Detection
Attackers repurpose the Bun JavaScript runtime to distribute NWHStealer, a Rust-based infostealer targeting browsers, crypto wallets, and FTP apps via game lures and fake software.
[HIGH] Trellix Source Code Breach Exposes Security Product Internals
Attackers stole source code from Trellix, exposing detection logic and control locations in its security products. The breach amplifies supply chain risks for enterprise customers.
[MEDIUM] Microsoft Defender False Positives Flag DigiCert Certs as Trojans
Microsoft Defender is flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering false-positive alerts and certificate removal on Windows systems.
[HIGH] Trellix Breach: Source Code Repository Compromised
Trellix confirmed attackers accessed a portion of its source code repository. The firm engaged forensic experts and notified law enforcement. No customer data impact disclosed.
[HIGH] Ex-Incident Responders Sentenced to 4 Years for Ransomware Attacks
Two cybersecurity incident responders who abused client access to deploy ransomware were sentenced to 4 years in prison — a rare case of responders turning attackers.
[MEDIUM] UK Cyber Agency Warns AI Will Trigger 'Patch Wave' of Urgent Fixes
NCSC warns organizations to brace for a surge of urgent patches as AI accelerates vulnerability discovery, raising exploitation risk. No specific CVEs cited.
[HIGH] Anthropic Launches Claude Security for AI-Driven Exploit Defense
Anthropic released Claude Security, a defensive AI suite to counter autonomous exploit tools like Mythos that weaponize zero-days in minutes. Targets enterprise SOCs.
[HIGH] CISA Details FCEB Agency Breach Response Lessons Learned
CISA's incident response at a U.S. federal agency uncovered gaps in EDR alert triage, credential hygiene, and network segmentation — three lessons for all defenders.
[HIGH] Deepfake Voice Attacks Outpace Defenses, Bypass MFA
Adaptive Security finds 3 seconds of audio enough to clone a voice for fraud; deepfake calls tricked employees into wiring $243K in one case. No detection tool caught the attack.
[INFORMATIONAL] ESET: SMBs Gain Defensive Edge via Threat Research, MDR
ESET Threat Research Director Jean-Ian Boutin explains how SMBs leverage MDR and threat intel to detect intrusions faster, citing 3.5-day median dwell time reduction.
[HIGH] Mythos AI Finds Bugs Faster Than Teams Can Patch
Anthropic's Claude Mythos Preview identifies vulnerabilities at scale since April 7, but organizations lack the triage and patching capacity to keep pace, researchers warn.
[HIGH] VoidLink Rootkit Framework Combines LKM and eBPF for Linux Persistence
Elastic Security Labs dissects VoidLink, a Linux rootkit framework that blends Loadable Kernel Modules with eBPF hooks to evade detection and maintain stealthy persistence on…
[HIGH] TeamPCP Container Attack Chain Detailed by Elastic Security
Elastic Security Labs publishes a real-world walkthrough of TeamPCP's multi-stage container compromise, showing how runtime signals across each attack phase are detected by…
[INFORMATIONAL] Elastic Security Backs UK MoD Defence Cyber Marvel 2026 Exercise
Elastic Security Labs deployed AI-driven detection pipelines for the UK Ministry of Defence's Defence Cyber Marvel 2026 exercise, processing 1.2TB of telemetry across 50 simulated…
[CRITICAL] FortiGate SSO Bypass CVE-2025-59718 Exploited in Active Attacks
Rapid7 IR confirms active exploitation of CVE-2025-59718 — a 9.8-CVSS FortiGate SSO bypass — enabling attackers to gain persistent admin access on unpatched appliances.
[HIGH] Palo Alto Networks Zealot AI Agent Autonomously Hacks Cloud Systems
Palo Alto Networks researchers built Zealot, a multi-agent AI penetration testing PoC that autonomously performs reconnaissance, exploitation, and data exfiltration on cloud…
[HIGH] Lotus Wiper Targets Venezuelan Energy Sector Before US Intervention
Lotus Wiper malware targeted Venezuela's state-owned energy firm PDVSA, destroying data by overwriting drives and deleting files before a US-led intervention in March 2026.
[INFORMATIONAL] IPQS Combines Identity, Device, and Network Signals for Frictionless Fraud
IPQS details a 3-layer fraud detection strategy using identity, device, and network signals to block 99.5% of automated attacks without adding user friction for legitimate customers.
[HIGH] NGate Malware Uses AI to Evade Detection in Trojanized NFC Apps
NGate malware version 2.0, built with AI assistance, hides in a trojanized NFC payment app to steal SMS, contacts, and crypto wallet data from Android devices while evading security software.
[HIGH] PureRAT Malware Evades Detection with PNG-Stashed Payloads
PureRAT hides its Windows PE payloads inside PNG files and executes them filelessly in memory, a technique detailed by cybersecurity researchers analyzing a new sophisticated campaign.
[HIGH] OpenClaw AI Agent Poses Autonomous Threat via Package Masquerade
Qualys ETM detected the OpenClaw AI agent disguised as a routine package on a Windows Server, correlating endpoint, exposure, and identity telemetry to reveal an active, autonomous threat.
[INFORMATIONAL] NAKIVO Backup & Replication v11.2 Adds Ransomware Defense and Proxmox Support
NAKIVO Inc. has released version 11.2 of its Backup & Replication platform, introducing a ransomware defense module, support for Proxmox VE 9.0, and performance enhancements for VMware vSphere 9 environments.
[INFORMATIONAL] GitLab 18.11 Expands Agentic AI to Security Remediation and CI Pipelines
GitLab 18.11 integrates agentic AI across the software lifecycle, automating security fix generation and CI/CD pipeline configuration, aiming to address the 'AI paradox' of rapid code creation outpacing security and delivery.
[HIGH] Payouts King Ransomware Deploys QEMU VMs as Stealthy Reverse SSH Backdoors
The Payouts King ransomware group is deploying the open-source QEMU emulator to create hidden virtual machines on compromised hosts, establishing a persistent reverse SSH backdoor that evades conventional endpoint detection.
[HIGH] Phishing Remains Primary Attack Vector as MSPs Struggle with Evolving Threats
Phishing continues to be the dominant initial attack vector for cybercrime, driving a surge in incidents that managed service providers (MSPs) and their clients are struggling to contain with traditional defenses.
[INFORMATIONAL] AI SOC Tools Criticized for Automating Triage, Not Reducing Analyst Workload
A new analysis argues most AI-powered security operations center tools merely accelerate alert triage without reducing the underlying workload for analysts, failing to deliver on promises of true automation.
[HIGH] Fake Adobe Reader Downloads Deploy ScreenConnect via In-Memory Loader
A new campaign delivers ConnectWise ScreenConnect by masquerading malware as an Adobe Acrobat Reader installer, using advanced in-memory execution and defense evasion to avoid detection.
[HIGH] PowMix Botnet Targets Czech Workforce with Randomized C2 Traffic
Cisco Talos researchers identify the PowMix botnet, active since December 2025, targeting Czech workers with randomized C2 beaconing to evade detection and deploy additional payloads.
[INFORMATIONAL] Bitdefender Unifies Endpoint and Email Security in GravityZone Platform
Bitdefender has integrated continuous email threat protection into its GravityZone platform, combining endpoint detection and response (EDR) with email security to combat phishing, BEC, and ransomware.
[INFORMATIONAL] Legitify Open-Source Tool Scans GitHub, GitLab for Security Misconfigurations
Legit Security releases Legitify, an open-source scanner that identifies security misconfigurations in GitHub and GitLab organizations, repositories, and CI/CD runners to combat software supply chain risks.
[HIGH] Microsoft Edge WebView2 Runtime Abused for Proxy Execution and Defense Evasion
Offensive security researchers detail how the trusted Microsoft Edge WebView2 Runtime is being weaponized for proxy execution, allowing attackers to load malicious code under a legitimate, signed Microsoft process to evade detection.
[HIGH] EDR-Killer Ecosystem Expands, Leveraging BYOVD Attacks to Evade Detection
A growing ecosystem of threat actors is using Bring-Your-Own-Vulnerable-Driver attacks to disable security software, requiring enhanced kernel-level protections.
[INFORMATIONAL] MITRE F3 Framework Bridges Cybersecurity and Fraud Analysis
MITRE released the Fight Fraud Framework (F3), a unified knowledge base mapping the intersection of cyber attack tactics and financial fraud, aiming to close the operational gap between security and fraud teams.
[HIGH] VIPERTUNNEL Python Backdoor Evades Detection via Fake DLL and Obfuscated Loader
Threat actors deploy VIPERTUNNEL, a Python backdoor, using a fake DLL and multi-stage obfuscated loader to establish stealthy SOCKS5 proxy tunnels for persistent network access.
[HIGH] APT41 Deploys Stealthy Backdoor to Harvest Cloud Credentials
China-linked threat actor APT41 is deploying a novel, low-detection backdoor against AWS, Google, Azure, and Alibaba Cloud to harvest credentials and establish persistence.
[MEDIUM] Booking.com Confirms Data Breach via Social Engineering Attack
Booking.com confirms a data breach where attackers used social engineering to compromise employee accounts and access customer travel booking information. The company states the incident has been contained.
[HIGH] SANS Stormcast: Exploits Target Ivanti, Fortinet, and VMware Flaws
The SANS Internet Storm Center reports active exploitation of vulnerabilities in Ivanti, Fortinet, and VMware products, alongside a new phishing campaign using malicious OneNote attachments.
[HIGH] Threat Actors Weaponize MSBuild LOLBin for Fileless Windows Attacks
Cybercriminals are abusing the legitimate Microsoft Build Engine (MSBuild.exe) to execute malicious .NET code directly in memory, evading traditional detection by avoiding file drops.
[CRITICAL] Juniper Patches Critical RCE Flaw in Junos OS, Dozens of Other Vulnerabilities
Juniper Networks has released patches for a critical, pre-authentication remote code execution vulnerability in Junos OS, alongside dozens of other security fixes.
[INFORMATIONAL] Metasploit Framework Expands with Cisco, osTicket Exploits and LDAP Enhancements
The latest Metasploit Framework release introduces exploit modules for Cisco Catalyst SD-WAN and osTicket, alongside significant improvements to LDAP/ADCS data collection and Windows persistence techniques.
[HIGH] Credential-Based Attacks Blur Line Between Breach and Normal Activity
Modern attackers are exploiting valid credentials and living-off-the-land techniques to make breaches indistinguishable from legitimate user activity, rendering traditional perimeter and anomaly detection ineffective.