Day One on the Vendor Blog Watcher: 695 IOCs in 3.2 Seconds
- Patrick Duggan
May 3, 2026 · DugganUSA LLC
We shipped a new cron job today. It runs every thirty minutes, pulls the RSS feeds for Mandiant, Unit 42, CrowdStrike, Microsoft Security, Elastic Security Labs, Volexity, and Cisco Talos, regex-extracts indicators of compromise from every fresh post, and writes them straight into our STIX feed with the originating vendor and the post URL preserved as provenance. Three point two seconds, end to end. Six hundred ninety-five IOCs on the first run.
Here is what landed in the feed in those three seconds.
Volexity — five active APT operations, one pull
Volexity yielded one hundred eleven IOCs across post titles that read like the table of contents of a quarterly threat report:
"Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication" — active campaign abusing the Azure AD device-code authorization flow. If your tenant allows device-code login from arbitrary locations, this is the post you wanted to read this morning.
"The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access" — a novel TTP. Compromise a target organization's Wi-Fi-adjacent neighbor, pivot through their wireless to reach the target. Because it does not require the attacker to be on the target's network in the first place, traditional perimeter monitoring does not see it.
"BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA" — Chinese APT, named tooling, FortiClient as the entry point, DEEPDATA as the credential-theft module. If your perimeter is a FortiClient VPN, the IOCs for this campaign are now in our feed.
"StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms" — Chinese APT, ISP-level man-in-the-middle of software updates. Same family as the Asus update compromise but attacking at the carrier layer.
"DISGOMOJI Malware Used to Target Indian Government" — Pakistani APT.
Two fresh MD5s among the indicators: ee28b3137d65d74c0234eea35fa536af, 6abf9a7926415dc00bcb482456cc9467. If either of these hashes hits your sandbox or EDR, you are seeing one of the campaigns above.
Microsoft Security — the validation we have been waiting for
Forty-two IOCs, but the headline is the post itself: "Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook." That is the exact UNC6040 / ShinyHunters playbook we documented on April 19. Four to twenty-nine days before each of the named victims got hit. We wrote a separate post on the validation today; the short version is Microsoft is the eighth or ninth voice publicly confirming what was on our blog and in our feed weeks earlier.
Other Microsoft posts pulled today: "AI-powered defense for an AI-accelerated threat landscape," "Email threat landscape: Q1 2026 trends and insights," "Simplifying AWS defense with Microsoft Sentinel UEBA."
Cisco Talos — the n8n abuse pattern, named
Seventy-one IOCs and a post title that is going to launch a hundred customer emails: "The n8n n8mare: How threat actors are misusing AI workflow automation." Workflow expression injection. Remote code execution. The specific class of attack against exposed n8n instances that hit CISA KEV in March as CVE-2025-68613.
Other Talos posts: "PowMix botnet targets Czech workforce" (a fresh botnet writeup), "Bad Apples: Weaponizing native macOS primitives for movement and execution" (LOLBin chain on macOS), and the April Patch Tuesday Snort rule digest.
Elastic Security Labs — the rootkit framework
Three hundred sixty-three IOCs from twenty fresh posts. The single most actionable: "Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework." A new rootkit family with a published technical writeup. The IOCs are now in our feed.
Other Elastic posts: container attack scenarios, security automation walkthroughs, SOC visualizations. Less directly actionable but useful for benchmarking detection coverage.
Unit 42, CrowdStrike, Mandiant — the gaps to close
Unit 42 returned fifteen posts with zero IOCs extracted. CrowdStrike returned ten posts with zero IOCs. Mandiant returned zero posts. These are not vendor failures. They are RSS-feed shape problems. Several of these vendors publish only the title and a one-paragraph teaser in the RSS body, with the indicators living in the full HTML post. Our regex extractor only sees the RSS body. Tomorrow's iteration adds a follow-up fetch to the full post URL when the body returns no matches, which closes the gap on these three vendors specifically. We will publish a follow-up when it ships.
What this is, mechanically, in one paragraph
Cron runs at seventeen and forty-seven minutes past every hour. Pulls the seven RSS feeds in parallel. Parses each item, dedupes against post GUIDs we have already seen. For every fresh post, runs five regexes — IPv4, MD5, SHA1, SHA256, and a domain pattern — against the post body. Filters out vendor-own domains and a few common false-positive shapes (file extensions like .exe and .dll will be added in tomorrow's patch since the first run flagged a few of those as domains). Writes to our iocs Meilisearch index with source=vendor-blog/<slug>, the post URL as a reference, and a confidence score keyed off vendor reliability. Customers querying our STIX feed see the new indicators within minutes.
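The extractor and the follow-up fetch described in this paragraph and in the Unit 42 / CrowdStrike / Mandiant section above, as an added Python example; this is not the DugganUSA cron code. The regexes, the vendor-domain and file-extension suppression lists, the FeedItem shape, the sample feed and the FULL_POSTS dictionary that stands in for the HTTP fetch of the full post are all assumptions made for the demo. The only values taken from the post are the two Volexity MD5s and the source=vendor-blog/<slug> convention; the Meilisearch write is replaced by returning the records.

```python
"""Added example (not DugganUSA's cron code): IOC extraction from RSS bodies with
vendor-domain suppression, file-extension false-positive filtering, GUID dedupe
and a follow-up fetch when the RSS body is only a teaser."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class FeedItem:            # hypothetical shape; real RSS parsing is out of scope
    guid: str
    link: str
    body: str              # RSS description/content, possibly just a teaser


@dataclass
class Indicator:
    kind: str
    value: str
    source: str            # "vendor-blog/<slug>", the post's own convention
    reference: str         # originating post URL, preserved as provenance


# Constructed patterns: the post names the five classes but not its regexes.
_HEX = "[A-Fa-f0-9]"
PATTERNS = [
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("sha256", re.compile(rf"\b{_HEX}{{64}}\b")),
    ("sha1", re.compile(rf"\b{_HEX}{{40}}\b")),
    ("md5", re.compile(rf"\b{_HEX}{{32}}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)),
]

# Assumed suppression lists (not from the post): the feed sources' own domains,
# and the file-name shapes the first run mis-flagged as domains.
VENDOR_DOMAINS = {"volexity.com", "microsoft.com", "talosintelligence.com", "elastic.co"}
FILE_EXTENSIONS = {"exe", "dll", "sys", "dat", "bin", "ps1", "zip"}


def _is_noise(kind: str, value: str) -> bool:
    """Drop vendor-own domains and file names that match the domain regex."""
    if kind != "domain":
        return False
    v = value.lower()
    if v.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
        return True
    return any(v == d or v.endswith("." + d) for d in VENDOR_DOMAINS)


def extract(text: str, slug: str, reference: str) -> List[Indicator]:
    """Run the five regexes over one body. The \\b anchors already stop a SHA256
    from being re-reported as a SHA1/MD5 substring; longest-first order makes
    that intent explicit. Values are deduplicated per post, first occurrence wins."""
    out: List[Indicator] = []
    seen = set()
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            value = m.group(0) if kind == "ipv4" else m.group(0).lower()
            key = (kind, value)
            if key in seen or _is_noise(kind, value):
                continue
            seen.add(key)
            out.append(Indicator(kind, value, f"vendor-blog/{slug}", reference))
    return out


def watch_feed(slug: str, items: List[FeedItem], seen_guids: Set[str],
               fetch_full_post: Optional[Callable[[str], str]] = None) -> List[Indicator]:
    """Process only fresh items (GUID dedupe). If the RSS body yields nothing and a
    fetcher is supplied, pull the full post URL and retry: the follow-up the post
    says closes the teaser-only-feed gap."""
    found: List[Indicator] = []
    for item in items:
        if item.guid in seen_guids:
            continue
        seen_guids.add(item.guid)
        hits = extract(item.body, slug, item.link)
        if not hits and fetch_full_post is not None:
            hits = extract(fetch_full_post(item.link), slug, item.link)
        found.extend(hits)
    return found


# Constructed sample feed. The two MD5s are the ones quoted in the post; every
# other value (URLs, IPs, domains, GUIDs, hashes) is made up for the demo.
SAMPLE_ITEMS = [
    FeedItem(guid="demo-001", link="https://www.volexity.com/blog/example-post",
             body=("Samples: ee28b3137d65d74c0234eea35fa536af and "
                   "6ABF9A7926415DC00BCB482456CC9467. Dropper written as payload.exe; "
                   "C2 at update-cdn.example.lat (203.0.113.45). See www.volexity.com.")),
    FeedItem(guid="demo-002", link="https://vendor.example.net/blog/teaser-only",
             body="Read the full analysis on our blog."),   # teaser: no IOCs in RSS body
]

# Stand-in for the follow-up HTTP fetch, keyed by post URL so the demo runs offline.
FULL_POSTS: Dict[str, str] = {
    "https://vendor.example.net/blog/teaser-only":
        "IOCs: 198.51.100.7, staging.example.org, da39a3ee5e6b4b0d3255bfef95601890afd80709",
}


def run_demo() -> List[Indicator]:
    """Two passes over the same feed: the second must add nothing (GUIDs already seen)."""
    seen: Set[str] = set()

    def fetch(url: str) -> str:
        return FULL_POSTS.get(url, "")

    first = watch_feed("demo-vendor", SAMPLE_ITEMS, seen, fetch_full_post=fetch)
    second = watch_feed("demo-vendor", SAMPLE_ITEMS, seen, fetch_full_post=fetch)
    assert second == []
    return first


if __name__ == "__main__":
    for ioc in run_demo():
        print(f"{ioc.kind:7} {ioc.value:45} {ioc.source}  {ioc.reference}")
```

On the sample data the first item yields one IPv4, both MD5s and the .lat domain (payload.exe and www.volexity.com are suppressed), and the teaser item yields nothing from its RSS body but three indicators after the follow-up fetch; the second pass returns an empty list because both GUIDs are already recorded.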
Why this matters for defenders
Conflict-window threat intelligence has a publication-order problem. When something major is happening — an Iran-Israel kinetic exchange, a Russia-NATO cyber move, a major ransomware brand pivoting — the named-vendor blogs publish hours before automated commercial feeds catch up. During the March 2026 Iran cyber escalation we watched the IOC gap firsthand: Unit 42 had Handala's infrastructure indexed twelve hours before the auto-feeds carried it. Our feed had it two hours after Unit 42 because we were manually scraping. That gap, multiplied across every conflict window in the year, is hours of attacker head start.
This cron closes that gap to thirty minutes worst case, three minutes typical. For every customer we have ever told "we catch threats early," this is what early actually looks like once the pipeline runs continuously.
What we built today, end-to-end
This was one of nine gaps we closed in a single paranoid-mode session today. The full receipt is in our public gap ledger at the repo, but the highlights:
STIX feed delivery — the customer-facing CSV exports were missing ninety-nine percent of our IP corpus and twenty-one hours stale on domains. Fixed. Customers pulling the feed now see indicators that landed in our index minutes ago, not weeks.
Cron history — every scheduled job's run history now persists across container deploys instead of being wiped on every push. The platform is now genuinely set-and-forget instead of set-and-cross-fingers.
Pagination caps — thirteen Meilisearch indexes were silently truncating sort-by-date queries to the first thousand entries because of a default cap. Fixed across the board. Anyone running operational queries against our index now sees the actual most-recent data.
Vendor blog watcher — this post.
Zero-result query miner — daily cron that mines our search history for queries that returned no hits, clusters them, and feeds the prioritized list to tomorrow's hunting work. The first run surfaced one cluster with two hundred ninety-four hits from a single attacker IP probing whether we had cataloged their fresh .lat rotation. They are watching us watch them. We are flattered.
The platform is humming. The receipts are queryable. The IOCs are in the feed.
If you want them in your SIEM by tomorrow morning, register at analytics.dugganusa.com/stix. Twenty-five queries a day at the free tier. Ninety-nine dollars a month for two thousand. Splunk ES, OPNsense, and TAXII 2.1 plugins are native.
— Patrick Duggan, DugganUSA LLC. The vendor blog watcher cron and the platform gap ledger are public; reach out to [email protected] if you want a copy.