Threat Weather Report Apr 28: 243 Tor Relays Staged, .top Cluster Forming
It's a CRITICAL day on the PreCog board. Five of eleven precursor signals are elevated. The dominant pattern is staging — anonymization layer being...
Patrick Duggan
Apr 28 · 5 min read


The Residential Proxy Network the FBI Won't Name. We Have 1,360 IOCs.
On March 12, 2026, the FBI issued advisory PSA260312. The subject: criminal actors and nation-state operators are systematically abusing residential proxy...
Patrick Duggan
Apr 28 · 4 min read


Russia Turned Signal's QR Code Into a Wiretap — IOCs Inside
On March 20, 2026, the FBI, CISA, NSA, and allied agencies issued joint advisory PSA260320. The subject: Russia's SVR and FSB have developed a reliable...
Patrick Duggan
Apr 28 · 4 min read


One Russian IP Block Is Behind 83% of Ivanti Connect Secure Exploitation. Here's the Address.
193.24.123.42. PROSPERO OOO. Autonomous System 200593. Saint Petersburg, Russia. That single IP block is responsible for 83% of the active exploitation traffic we've observed against Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Not 83% of all Ivanti traffic. Eighty-three percent of the malicious exploitation attempts, concentrated in one Russian commercial hosting provider. CISA added CVE-2025-22457 and CVE-2025-0282 to the Known Exploited Vulnerabilities catalog.
Patrick Duggan
Apr 28 · 3 min read


China's UAT-9244 Hit South American Telecoms With Three Custom Tools. Here Are 208 IPs.
Everyone is writing about Salt Typhoon. Volt Typhoon. Silk Typhoon. The Typhoon family hits American infrastructure and gets Congressional testimony and front-page coverage. UAT-9244 hit telecom providers across South America with three custom malware families, 208 confirmed C2 IPs, and the kind of operational patience that suggests long-term presence — not smash-and-grab. It got a Cisco Talos report and then mostly silence. I want to fix that. UAT-9244 deployed three purpose
Patrick Duggan
Apr 28 · 3 min read


GlassWorm Weaponized VS Code's Own Extension System. 72 Packages. We Have 177 IOCs.
GlassWorm didn't write a zero-day. It didn't exploit a memory corruption bug in VS Code. It read the documentation. The extensionPack and extensionDependencies fields in the Open VSX manifest format exist so extension authors can bundle related tools — install one extension, get three more automatically. It's a convenience feature. GlassWorm turned it into a malware delivery mechanism. Install one poisoned extension, and VS Code silently pulls two or three more from the regis
Patrick Duggan
Apr 28 · 3 min read


We Had Cyber Av3ngers' Water Plant C2s 30 Days Before CISA. Here's the Evidence.
On March 5, 2026, our automated ingest pipeline flagged a domain: cyber-node.tectoniview.in.net. Two independent feeds confirmed it within 24 hours — Abuse.ch's SSLBL and our own OTX pulse authored under the pduggusa handle. Classification: Cyber Av3ngers command-and-control infrastructure. Confidence: high. Timestamp: immutable. Thirty days later, on April 7, 2026, CISA published their advisory warning that Cyber Av3ngers — the operational arm of Iran's Islamic Revolutionary
Patrick Duggan
Apr 27 · 5 min read


Eight Vendor Blogs Pitched AI This Week. Here Is What They Buried.
I ran a sweep of the major security vendor blogs tonight. Unit 42, Check Point, Microsoft, SentinelOne, Recorded Future, Talos, ESET, Mandiant. Eight...
Patrick Duggan
Apr 27 · 8 min read


We Indexed the Bitwarden CLI Exfil Endpoint Three Days Before The Hacker News Reported It
The Bitwarden CLI got backdoored on April 22. The malicious package shipped through npm for 93 minutes. Stole GitHub tokens, npm tokens, SSH keys, cloud...
Patrick Duggan
Apr 27 · 5 min read


Kaleth4 Dropped Six Critical PoCs in 72 Hours. The Active Directory RCE Is the One That Matters.
We've published two posts in the last 36 hours about a researcher going by kaleth4 — first the BlueHammer / Chaotic Eclipse Defender attack family, then the Windows TCP/IP unauthenticated RCE that nobody is talking about, which we covered earlier today. Both of those posts characterized kaleth4's output as 2-3 high-severity CVE PoCs in a tight window. We were undercounting. When we mined kaleth4's GitHub account directly, the actual disclosure cadence is more aggressive and more dan
Patrick Duggan
Apr 26 · 6 min read


We Mapped 19 Tor Snapshots. Most Exits Are Run by Privacy NGOs. The Commercial-Cloud Tail Is the Story Nobody Wants to Talk About.
We pulled and indexed nineteen Tor consensus snapshots between April 20 and April 26 as the first real dataset for our Tor Infrastructure Attribution Framework. The framework is doing what we built it for — clustering exit relays by operator, ASN, and country to give defenders a picture of who runs the network they sometimes need to make trust decisions about. This post is the first analysis pass against that dataset, and the finding is worth publishing. A note on what we are
Patrick Duggan
Apr 26 · 6 min read


Mustang Panda's Fake-Claude Campaign Was the Smallest of Three Active Fake-AI-Installer Operations. Here's What's Hitting Gemini and Copilot.
A week ago we published "Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2." and a Mandarin sibling for the Chinese-reading audience. The post documented 60 Claude-themed indicators in our IOC index attributable to Mustang Panda's PlugX C2 chain. That post was correct and necessary, and it was also the smallest cluster in a much larger story we had not yet pulled out of our own indexes. Correction (Apr 27, 2026 ~22:35 UTC, ~30 min after publish): We surfa
Patrick Duggan
Apr 26 · 5 min read


Handala Hit Medical Devices, Then Government, Then Defense. Here Are the Three Sectors Iran's MOIS Hits Next.
We have 48 published posts on Handala Hack Team. We have 145 indicators of compromise on their infrastructure indexed and live in our STIX feed. We have tracked their March escalation campaign in real time across "We Started With 85 Handala IOCs. We Ended With 145. Here's How.", the Stryker breach, the Lockheed Martin claim, and the April 12 Dubai government wiper that destroyed six petabytes. We are publishing this forecast because we have earned the right to make it. Here is
Patrick Duggan
Apr 26 · 6 min read


The Dark-Market Lifecycle: Trust, Proving, Proven, Burn. Where Each Major Threat Actor Sits Right Now.
There is a meta-game in dark-market threat actor branding that almost nobody publishes about, and it is fairly accessible to play if you know what to look for. Every threat actor brand — ransomware crew, vishing-as-a-service operator, exit-node operator, whatever — moves through the same four phases. Trust building. Proving period. Proven market. Then either compromise or exit-scam roll. Each phase has observable public signals. Each transition has predictable triggers. Namin
Patrick Duggan
Apr 26 · 7 min read


ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit Their Pattern.
ShinyHunters or whoever is using the ShinyHunters name has hit six named companies in the last seven days. The attack chain is the same in every case. A help desk gets a phone call from someone claiming to be an employee. The caller asks for an MFA reset on the employee's Okta single sign-on. The help desk obliges. The attacker logs in, walks into the company's Salesforce instance, and exports the customer file as a CSV. By the time anyone notices, the data is on a Tor leak s
Patrick Duggan
Apr 26 · 6 min read


Microsoft Patched an Unauth Windows TCP/IP RCE. $9 vs $50K — Pick Your Threat Vendor.
Last Tuesday, Microsoft pushed a patch for CVE-2026-33827. The advisory landed on the MSRC update guide, got a CVSS 8.1, and largely got ignored because everyone was talking about BlueHammer — the Defender local privilege escalation that CISA added to KEV on April 22. CVE-2026-33827 is the bigger one. Here is why and here is what it costs you to know about things like this when they happen. CVE-2026-33827 is a remote code execution vulnerability in the Windows TCP/IP stack it
Patrick Duggan
Apr 26 · 6 min read


BlueHammer, RedSun, UnDefend: Three Tools Hammering Microsoft Defender Right Now.
A researcher going by Chaotic Eclipse dropped a Microsoft Defender 0day on April 7, 2026. The vulnerability, now tracked as CVE-2026-33825 and named BlueHammer, is a TOCTOU race condition in Defender's malware cleanup engine. It allows a low-privileged user to escalate to SYSTEM on fully-patched Windows 10 and Windows 11. CVSS 7.8. Microsoft eventually patched it in Defender Antimalware Platform version 4.18.26050.3011. CISA added it to the Known Exploited Vulnerabilities cat
Patrick Duggan
Apr 26 · 4 min read


Seven Ways to Plug Us In. One Feed. $9 a Month.
People keep asking us "do you support X". We do. We support all of X. Here is the field guide to every documented integration we ship today, what each one ingests, what it costs you, and what the named competitor charges for the same thing. The feed itself is the same in every direction. STIX 2.1, TAXII 2.1, and a clean CSV fallback for the SIEMs whose vendors decided in 2019 that custom HTTP headers were too much to ask. Authentication is Authorization: Bearer <your-key> for
Patrick Duggan
Apr 26 · 4 min read


Lynx Was in Our Feed 43 Days Before ACN Healthcare Got Hit. Handala Was 28 Days Before Dubai Lost 6 Petabytes. The Math.
Four organizations got compromised last week that we want to talk about. Two of them were in our feed before the breach happened. One of them was a same-day publication on the same attacker methodology we wrote about a day earlier. The fourth tracks the same pattern as the third. None of them subscribed to our STIX feed. All of them paid for someone else's threat intel that did not have these indicators in time. Here is the math. ACN Healthcare. Hit by Lynx ransomware. April
Patrick Duggan
Apr 26 · 4 min read


We're Going Kalshi Mode on Threat Intel. Seven Predictions on Last Week's Stories. Public Receipts. Resolution Dates Below.
Most threat intel reads like horoscopes. Vague enough to be unfalsifiable, hedged enough to never be wrong, vendor-flavored enough to sell next quarter's product. We hate that. So we are going Kalshi mode for the next two weeks. Seven binary YES or NO contracts on stories from the past seven days. Each one has a probability we believe, a deadline by which it resolves, the receipts that drove the number, and what would flip us. You can grade us in real time. We will publish a
Patrick Duggan
Apr 25 · 5 min read