
Security Tips


One Russian IP Block Is Behind 83% of Ivanti Connect Secure Exploitation. Here's the Address.
193.24.123.42. PROSPERO OOO. Autonomous System 200593. Saint Petersburg, Russia. That single IP block is responsible for 83% of the active exploitation traffic we've observed against Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Not 83% of all Ivanti traffic. Eighty-three percent of the malicious exploitation attempts, concentrated in one Russian commercial hosting provider. CISA added CVE-2025-22457 and CVE-2025-0282 to the Known Exploited Vulnerabilities catalog.
Patrick Duggan
Apr 28 · 3 min read


China's UAT-9244 Hit South American Telecoms With Three Custom Tools. Here Are 208 IPs.
Everyone is writing about Salt Typhoon. Volt Typhoon. Silk Typhoon. The Typhoon family hits American infrastructure and gets Congressional testimony and front-page coverage. UAT-9244 hit telecom providers across South America with three custom malware families, 208 confirmed C2 IPs, and the kind of operational patience that suggests long-term presence — not smash-and-grab. It got a Cisco Talos report and then mostly silence. I want to fix that. UAT-9244 deployed three purpose
Patrick Duggan
Apr 28 · 3 min read


GlassWorm Weaponized VS Code's Own Extension System. 72 Packages. We Have 177 IOCs.
GlassWorm didn't write a zero-day. It didn't exploit a memory corruption bug in VS Code. It read the documentation. The extensionPack and extensionDependencies fields in the Open VSX manifest format exist so extension authors can bundle related tools — install one extension, get three more automatically. It's a convenience feature. GlassWorm turned it into a malware delivery mechanism. Install one poisoned extension, and VS Code silently pulls two or three more from the regis
Patrick Duggan
Apr 28 · 3 min read
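The mechanism the GlassWorm post describes is a manifest feature, so the defensive check is also a manifest walk. The block below is an added example, not GlassWorm's code and not from the original post: it reads extension package.json manifests, lists what each one would pull in through extensionPack / extensionDependencies, computes the full transitive install set for a given root extension, and flags anything outside an allowlist. The manifests and extension ids in SAMPLE_MANIFESTS are constructed for the example (not real IOCs); on a real machine point scan_dir() at ~/.vscode/extensions.

```python
"""
Added example (not GlassWorm's code, not from the original post): find the
silent transitive installs that extensionPack / extensionDependencies cause.
"""
import json
from pathlib import Path

# The two manifest fields that make VS Code install extra extensions automatically.
TRANSITIVE_FIELDS = ("extensionPack", "extensionDependencies")


def transitive_installs(manifest: dict) -> list[tuple[str, str]]:
    """Return (field, extension_id) pairs this manifest would drag in."""
    out = []
    for field in TRANSITIVE_FIELDS:
        for ext_id in manifest.get(field) or []:
            out.append((field, ext_id.lower()))
    return out


def install_closure(manifests: dict[str, dict], root: str) -> set[str]:
    """Everything that ends up installed if a user installs `root`,
    following pack/dependency edges through every known manifest."""
    seen, stack = set(), [root.lower()]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(dep for _, dep in transitive_installs(manifests.get(cur, {})))
    return seen


def flag_manifests(manifests: dict[str, dict], allowlist: set[str]) -> dict[str, list[str]]:
    """{installer_id: [ids it would pull in that are not on the allowlist]}."""
    flagged = {}
    for ext_id, manifest in manifests.items():
        bad = sorted({dep for _, dep in transitive_installs(manifest) if dep not in allowlist})
        if bad:
            flagged[ext_id] = bad
    return flagged


def scan_dir(extensions_dir: str) -> dict[str, dict]:
    """Load every <dir>/*/package.json into {"publisher.name": manifest}."""
    found = {}
    for pkg in Path(extensions_dir).glob("*/package.json"):
        try:
            m = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        found[f'{m.get("publisher", "?")}.{m.get("name", pkg.parent.name)}'.lower()] = m
    return found


# Constructed sample manifests; publisher and extension names are hypothetical.
SAMPLE_MANIFESTS = {
    "acme.theme-pack": {
        "publisher": "acme", "name": "theme-pack",
        "extensionPack": ["acme.icons", "evil-dev.helper-tools"],
    },
    "acme.icons": {"publisher": "acme", "name": "icons"},
    "evil-dev.helper-tools": {
        "publisher": "evil-dev", "name": "helper-tools",
        "extensionDependencies": ["evil-dev.telemetry-core"],
    },
}
ALLOWLIST = {"acme.theme-pack", "acme.icons"}

if __name__ == "__main__":
    for installer, deps in flag_manifests(SAMPLE_MANIFESTS, ALLOWLIST).items():
        print(f"{installer} would silently install: {', '.join(deps)}")
    print("installing acme.theme-pack yields:", sorted(install_closure(SAMPLE_MANIFESTS, "acme.theme-pack")))
```

The closure is the number that matters: one approved-looking pack can reach an extension two hops away that never appears in the install prompt, which is exactly the delivery path the post describes.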


We Had Cyber Av3ngers' Water Plant C2s 30 Days Before CISA. Here's the Evidence.
On March 5, 2026, our automated ingest pipeline flagged a domain: cyber-node.tectoniview.in.net. Two independent feeds confirmed it within 24 hours — Abuse.ch's SSLBL and our own OTX pulse authored under the pduggusa handle. Classification: Cyber Av3ngers command-and-control infrastructure. Confidence: high. Timestamp: immutable. Thirty days later, on April 7, 2026, CISA published their advisory warning that Cyber Av3ngers — the operational arm of Iran's Islamic Revolutionary
Patrick Duggan
Apr 27 · 5 min read


Kaleth4 Dropped Six Critical PoCs in 72 Hours. The Active Directory RCE Is the One That Matters.
We've published two posts in the last 36 hours about a researcher going by kaleth4 — first the BlueHammer / Chaotic Eclipse Defender attack family, then the Windows TCP/IP unauthenticated RCE that nobody is talking about we covered earlier today. Both of those posts characterized kaleth4's output as 2-3 high-severity CVE PoCs in a tight window. We were undercounting. When we mined kaleth4's GitHub account directly, the actual disclosure cadence is more aggressive and more dan
Patrick Duggan
Apr 26 · 6 min read


We Mapped 19 Tor Snapshots. Most Exits Are Run by Privacy NGOs. The Commercial-Cloud Tail Is the Story Nobody Wants to Talk About.
We pulled and indexed nineteen Tor consensus snapshots between April 20 and April 26 as the first real dataset for our Tor Infrastructure Attribution Framework. The framework is doing what we built it for — clustering exit relays by operator, ASN, and country to give defenders a picture of who runs the network they sometimes need to make trust decisions about. This post is the first analysis pass against that dataset, and the finding is worth publishing. A note on what we are
Patrick Duggan
Apr 26 · 6 min read


Mustang Panda's Fake-Claude Campaign Was the Smallest of Three Active Fake-AI-Installer Operations. Here's What's Hitting Gemini and Copilot.
A week ago we published Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2. and a Mandarin sibling for the Chinese-reading audience. The post documented 60 Claude-themed indicators in our IOC index attributable to Mustang Panda's PlugX C2 chain. That post was correct and necessary, and it was also the smallest cluster in a much larger story we had not yet pulled out of our own indexes. Correction (Apr 27, 2026 ~22:35 UTC, ~30 min after publish): We surfa
Patrick Duggan
Apr 26 · 5 min read


Handala Hit Medical Devices, Then Government, Then Defense. Here Are the Three Sectors Iran's MOIS Hits Next.
We have 48 published posts on Handala Hack Team. We have 145 indicators of compromise on their infrastructure indexed and live in our STIX feed. We have tracked their March escalation campaign in real time across We Started With 85 Handala IOCs. We Ended With 145. Here's How., the Stryker breach, the Lockheed Martin claim, and the April 12 Dubai government wiper that destroyed six petabytes. We are publishing this forecast because we have earned the right to make it. Here is
Patrick Duggan
Apr 26 · 6 min read


The Dark-Market Lifecycle: Trust, Proving, Proven, Burn. Where Each Major Threat Actor Sits Right Now.
There is a meta-game in dark-market threat actor branding that almost nobody publishes about, and it is fairly accessible to play if you know what to look for. Every threat actor brand — ransomware crew, vishing-as-a-service operator, exit-node operator, whatever — moves through the same four phases. Trust building. Proving period. Proven market. Then either compromise or exit-scam roll. Each phase has observable public signals. Each transition has predictable triggers. Namin
Patrick Duggan
Apr 26 · 7 min read


ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit Their Pattern.
ShinyHunters or whoever is using the ShinyHunters name has hit six named companies in the last seven days. The attack chain is the same in every case. A help desk gets a phone call from someone claiming to be an employee. The caller asks for an MFA reset on the employee's Okta single sign-on. The help desk obliges. The attacker logs in, walks into the company's Salesforce instance, and exports the customer file as a CSV. By the time anyone notices, the data is on a Tor leak s
Patrick Duggan
Apr 26 · 6 min read


Microsoft Patched an Unauth Windows TCP/IP RCE. $9 vs $50K — Pick Your Threat Vendor.
Last Tuesday, Microsoft pushed a patch for CVE-2026-33827. The advisory landed on the MSRC update guide, got a CVSS 8.1, and largely got ignored because everyone was talking about BlueHammer — the Defender local privilege escalation that CISA added to KEV on April 22. CVE-2026-33827 is the bigger one. Here is why and here is what it costs you to know about things like this when they happen. CVE-2026-33827 is a remote code execution vulnerability in the Windows TCP/IP stack it
Patrick Duggan
Apr 26 · 6 min read


BlueHammer, RedSun, UnDefend: Three Tools Hammering Microsoft Defender Right Now.
A researcher going by Chaotic Eclipse dropped a Microsoft Defender 0day on April 7, 2026. The vulnerability, now tracked as CVE-2026-33825 and named BlueHammer, is a TOCTOU race condition in Defender's malware cleanup engine. It allows a low-privileged user to escalate to SYSTEM on fully-patched Windows 10 and Windows 11. CVSS 7.8. Microsoft eventually patched it in Defender Antimalware Platform version 4.18.26050.3011. CISA added it to the Known Exploited Vulnerabilities cat
Patrick Duggan
Apr 26 · 4 min read


Seven Ways to Plug Us In. One Feed. $9 a Month.
People keep asking us "do you support X". We do. We support all of X. Here is the field guide to every documented integration we ship today, what each one ingests, what it costs you, and what the named competitor charges for the same thing. The feed itself is the same in every direction. STIX 2.1, TAXII 2.1, and a clean CSV fallback for the SIEMs whose vendors decided in 2019 that custom HTTP headers were too much to ask. Authentication is Authorization: Bearer <your-key> for
Patrick Duggan
Apr 26 · 4 min read


Lynx Was in Our Feed 43 Days Before ACN Healthcare Got Hit. Handala Was 28 Days Before Dubai Lost 6 Petabytes. The Math.
Four organizations got compromised last week that we want to talk about. Two of them were in our feed before the breach happened. One of them was a same-day publication on the same attacker methodology we wrote about a day earlier. The fourth tracks the same pattern as the third. None of them subscribed to our STIX feed. All of them paid for someone else's threat intel that did not have these indicators in time. Here is the math. ACN Healthcare. Hit by Lynx ransomware. April
Patrick Duggan
Apr 26 · 4 min read


We're Going Kalshi Mode on Threat Intel. Seven Predictions on Last Week's Stories. Public Receipts. Resolution Dates Below.
Most threat intel reads like horoscopes. Vague enough to be unfalsifiable, hedged enough to never be wrong, vendor-flavored enough to sell next quarter's product. We hate that. So we are going Kalshi mode for the next two weeks. Seven binary YES or NO contracts on stories from the past seven days. Each one has a probability we believe, a deadline by which it resolves, the receipts that drove the number, and what would flip us. You can grade us in real time. We will publish a
Patrick Duggan
Apr 25 · 5 min read


CISA Added 13 Vulnerabilities to KEV in Five Days. Microsoft Defender, Cisco SD-WAN, and Six More Are Being Exploited Right Now.
Between Monday April 20 and Friday April 24, CISA added 13 vulnerabilities to the Known Exploited Vulnerabilities catalog. That is a high-cadence week. The federal patching deadlines are now stacked between April 23 and May 4. If you are a US federal agency, the calendar is already past due on some of these. If you are everyone else, the active-exploitation flag is the part that matters and the vendor names tell the story. Here is the full list, in the order CISA published th
Patrick Duggan
Apr 25 · 4 min read
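The KEV post's two facts, "added this week" and "deadline already past", both come straight out of the catalog's published JSON, so here is an added example (not CISA's code and not from the post) that computes them. SAMPLE_KEV is a constructed three-entry document in the public catalog's schema (a "vulnerabilities" list whose items carry cveID, vendorProject, product, dateAdded and dueDate); the CVE ids, vendors and dates are placeholders, not real KEV entries. For live use, replace SAMPLE_KEV with json.load() of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
"""
Added example (not CISA's code, not from the post): which KEV entries a
date window added, and which BOD 22-01 due dates have already passed.
"""
import json
from datetime import date

# Constructed sample in the KEV JSON schema; ids and dates are placeholders.
SAMPLE_KEV = json.loads("""
{
  "title": "constructed sample in KEV schema",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "ProductA",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "product": "ProductB",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "product": "ProductC",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
""")


def _d(x) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return x if isinstance(x, date) else date.fromisoformat(x)


def added_between(catalog: dict, start, end) -> list[dict]:
    """Entries whose dateAdded falls in [start, end], oldest first."""
    start, end = _d(start), _d(end)
    hits = [v for v in catalog["vulnerabilities"] if start <= _d(v["dateAdded"]) <= end]
    return sorted(hits, key=lambda v: (v["dateAdded"], v["cveID"]))


def past_due(entries: list[dict], today) -> list[str]:
    """cveIDs whose federal remediation deadline (dueDate) is before `today`."""
    today = _d(today)
    return [v["cveID"] for v in entries if _d(v["dueDate"]) < today]


def by_vendor(entries: list[dict]) -> dict[str, int]:
    """Count of entries per vendorProject; the 'vendor names tell the story' view."""
    counts: dict[str, int] = {}
    for v in entries:
        counts[v["vendorProject"]] = counts.get(v["vendorProject"], 0) + 1
    return counts


if __name__ == "__main__":
    week = added_between(SAMPLE_KEV, "2026-04-20", "2026-04-24")
    for v in week:
        flag = " (ransomware use: known)" if v["knownRansomwareCampaignUse"] == "Known" else ""
        print(f'{v["cveID"]:16} {v["vendorProject"]:10} added {v["dateAdded"]} due {v["dueDate"]}{flag}')
    print("past due on 2026-04-25:", past_due(week, "2026-04-25"))
    print("per vendor:", by_vendor(week))
```

Run it against the live feed on a schedule and diff added_between() for the last seven days against your asset inventory; the dueDate column is the federal deadline, but past_due() is just as useful as a triage sort for everyone else.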


ShinyHunters Just Claimed ADT for 10 Million Records. Five Days Ago Vercel Disowned the Same Claim. Was It Them This Time?
ADT confirmed a data breach this weekend. ShinyHunters claim 10 million records. ADT detected unauthorized access on April 20, terminated the intrusion the same day, and started an investigation. Five days earlier, on April 19, we published a post titled "ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked." That post made one bet: somebody is using the ShinyHunters name without paying for the franchise. Here is what we have on the ADT incident a
Patrick Duggan
Apr 25 · 4 min read


CrowdStrike Was Just Lecturing About Windows Defender Vulnerabilities. They Quietly Patched a CVSS 9.8 in Their Own Product This Weekend.
CrowdStrike published an urgent advisory for CVE-2026-40050 this week. CVSS 9.8. Critical. Unauthenticated. A remote attacker can read arbitrary files from a LogScale Self-Hosted server's filesystem with no credentials at all, by hitting an exposed cluster API endpoint. They patched it in 1.235.1, 1.234.1, 1.233.1, and 1.228.2 LTS. SaaS customers were quietly protected by network-layer blocks before the public could see the advisory. LogScale is the same product CrowdStrike a
Patrick Duggan
Apr 25 · 3 min read


Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2.
Mustang Panda has changed targets. No longer Mongolian NGOs. This time it is you, the developer searching for "claude code download". Our IOC index currently holds 82 Claude-related indicators. 29 of them landed in the last 30 days. Six of them were chained together along one path on April 17: install-claude.com dropped an IClickFix loader, paired with a set of GitHub repositories hosting a PlugX implant. From click to first C2 callback: 22 seconds. Mustang Panda's adversary profile says "targets non-governmental organizations with PlugX malware". Correct, but incomplete. What they are doing now is faking developer-facing AI tools: fake Claude, fake Claude Code, fake MCP servers. This tactical shift was not announced in a press release. We dug it out of our own ingest. Here is what they are running right now. April 17, 2026: install-claude.com (IClickFix C2, confidence 90%). github.com/Xian
Patrick Duggan
Apr 24 · 3 min read


QRadar + DugganUSA STIX: Configure the Feed in 15 Minutes
If your SOC runs IBM QRadar, this is how you hook our STIX/TAXII feed into it. Fifteen minutes, two paths, neither involves calling an IBM sales engineer. I am not going to explain why you should run QRadar or why you shouldn't. If you're here, you already have it. Let's get the feed working. Step 1: Get an API key Go to analytics.dugganusa.com/stix/register and fill in the form. Free tier gives you 25 queries per day and is fine for testing. Pro tier at $99 per month is what
Patrick Duggan
Apr 24 · 5 min read
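Both the "Seven Ways to Plug Us In" teaser and the QRadar walkthrough above come down to the same consumer: poll a TAXII 2.1 collection with a bearer token, take the STIX 2.1 indicators out of the envelope, and hand the SIEM either STIX objects or a flat CSV. The block below is an added example, not the DugganUSA feed's own client and not from either post: the request headers follow the TAXII 2.1 specification, the pattern extraction handles compound AND/OR patterns one comparison at a time, and the CSV writer is the kind of fallback the post mentions for SIEMs that cannot take the TAXII endpoint directly. SAMPLE_ENVELOPE is a constructed TAXII envelope whose indicator values come from the reserved 192.0.2.0/24 range and the .invalid TLD, so they are not real indicators; no endpoint URL is assumed because the block does not touch the network.

```python
"""
Added example (not the feed's own client, not from the posts): turn one
TAXII 2.1 envelope of STIX 2.1 indicators into SIEM-ready rows.
"""
import csv
import io
import json
import re


def taxii_headers(api_key: str) -> dict:
    """Headers a TAXII 2.1 client sends when polling a collection's objects."""
    return {
        "Accept": "application/taxii+json;version=2.1",
        "Authorization": f"Bearer {api_key}",
    }


# One STIX comparison expression: <object-type>:<property> = '<value>'
# The value may contain escaped quotes, hence the (?:[^'\\]|\\.)* group.
_COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def extract_indicators(envelope: dict) -> list[dict]:
    """Flatten every STIX-pattern indicator into one row per comparison.
    Non-indicator objects and non-STIX pattern types are skipped, not errors."""
    rows = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, prop, value in _COMPARISON.findall(obj.get("pattern", "")):
            rows.append({
                "stix_id": obj["id"],
                "type": f"{obj_type}:{prop}",
                "value": value,
                "valid_from": obj.get("valid_from", ""),
            })
    return rows


def to_csv(rows: list[dict]) -> str:
    """CSV fallback with a fixed header order so the SIEM mapping stays stable."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["stix_id", "type", "value", "valid_from"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def has_more(envelope: dict) -> bool:
    """TAXII 2.1 pagination: re-poll with ?next=<envelope['next']> while this is true."""
    return bool(envelope.get("more")) and "next" in envelope


# Constructed sample envelope; ids are placeholder UUIDs, values are reserved test ranges.
SAMPLE_ENVELOPE = json.loads("""
{
  "more": false,
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "created": "2026-04-24T00:00:00.000Z", "modified": "2026-04-24T00:00:00.000Z",
     "name": "constructed sample C2 address", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.10']", "valid_from": "2026-04-24T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "created": "2026-04-24T00:00:00.000Z", "modified": "2026-04-24T00:00:00.000Z",
     "name": "constructed sample domain and URL", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'example.invalid' OR url:value = 'http://example.invalid/x']",
     "valid_from": "2026-04-24T00:00:00Z"},
    {"type": "malware", "spec_version": "2.1",
     "id": "malware--00000000-0000-4000-8000-000000000003",
     "created": "2026-04-24T00:00:00.000Z", "modified": "2026-04-24T00:00:00.000Z",
     "name": "constructed sample family", "is_family": true}
  ]
}
""")

if __name__ == "__main__":
    print(taxii_headers("<your-key>"))
    print(to_csv(extract_indicators(SAMPLE_ENVELOPE)), end="")
    print("more pages:", has_more(SAMPLE_ENVELOPE))
```

One compound pattern becomes two rows, which is what you want: a reference set keyed on a single value cannot match an OR expression as a whole. Keep the stix_id column even in the CSV path so a later revoked or modified object can be traced back and removed from the reference set.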