Every Way We Measured the July 4th Weekend Said 'Quiet' — Including Our Own Edge. It Was the Instruments Going Dark, Not the Attackers.
- Patrick Duggan
- 40 minutes ago
- 4 min read
It's the Monday after the July 4th weekend, and the honest first question about a long holiday is always the same: did anything happen, or was it quiet? So we went looking — not at the headlines, which are their own kind of unreliable, but at our own instruments. What we found is a lesson worth more than the answer: every gauge we own said "quiet," and every one of them was lying to us for a different reason. Here is the work, including the number we almost reported and shouldn't have.
The naive read: everything is down
We measure threat activity two ways internally. Over the holiday window (Friday July 3 through Sunday the 5th), both fell:
Our auto-blocker logged 12,735 decisions, against 17,196 the prior weekend — down 26 percent. Our edge block events came in at 2,263, against 3,404 the weekend before — down 34 percent. Two independent gauges, both pointing the same direction. The easy blog post writes itself: threats dropped a third over the holiday. That post would be wrong, and the reason it's wrong is the whole point.
Why both gauges lied
When two instruments agree, the temptation is to trust them. But agreement isn't accuracy if they share a hidden dependency. They do.
Our auto-blocker's decision volume is coupled to third-party feeds. The dominant inputs over the weekend were ThreatFox and the Feodo tracker — community-maintained intelligence feeds whose human contributors are, like everyone else, off for the holiday. Fewer submissions upstream means fewer decisions downstream. The 26 percent drop measured the feeds going quiet, not the attackers.
Our edge block count is coupled to our own traffic. Blocks fire when requests hit our infrastructure and match the blocklist. Our own site traffic dipped over the holiday — fewer visitors, fewer requests to evaluate, fewer blocks. The 34 percent drop measured our own popularity taking a long weekend, not the world's threat level. We are a small shop in Minnesota, not a representative sample of the internet's front door.
So the two gauges didn't corroborate each other. They failed together, for unrelated reasons, and produced a matching wrong answer. That is the most dangerous kind of quiet.
Three layers of the same illusion
Step back and the pattern is bigger than us. The holiday dimmed the threat picture at three independent layers, none of them related to what attackers were actually doing:
The press went home — reporters and researchers don't file over a long weekend, and companies do not push breach notifications into a holiday. CISA ran a skeleton schedule; its last Known-Exploited-Vulnerabilities addition landed July 1 and then went silent. The feeds went home, as above. And our own edge went quiet on traffic. Three gauges, three shutters, one false impression of calm.
The uncomfortable truth underneath all three: long holiday weekends are the preferred breach window, precisely because everyone watching is understaffed. The intrusion happens Saturday, when the SOC is running on one analyst; the disclosure lands Tuesday through Thursday, when legal and comms come back. Light headlines on a holiday Monday are disclosure lag, not safety. If you are waiting for the news to tell you the weekend was bad, you are reading a gauge with a three-day delay built into it.
The herd we can still count
Here is what survives the distortion. We cannot reliably census attack intensity over a holiday — every counter is decayed — but we can absolutely enumerate who was active, because the malware and command-and-control attributions on the indicators we did process are real regardless of volume. The weekend herd was fully present and notably diverse.
The loudest was ClearFake, the fake-browser-update injection campaign we have tracked since the spring, sitting at the top of the list. Behind it, SmartApeSG, the same drive-by class. The DDoS botnets were exactly where you'd expect — Aisuru and Mirai, both IoT-fueled, both genuinely indifferent to the calendar; a botnet does not observe federal holidays. Ransomware showed as BianLian. Credential and session theft showed as Evilginx, the adversary-in-the-middle phishing proxy. And the stealer-and-RAT pack ran deep: XWorm, DanaBot, DCRat, QakBot, Vidar.
The tell we'd flag for anyone doing detection engineering is in the command-and-control frameworks. Cobalt Strike was present, as always — but so were a cluster of newer, open-source alternatives: AdaptixC2, DeimosC2, and VShell. The post-exploitation toolkit landscape is diversifying past the one framework everyone built detections for. If your rules key on Cobalt Strike beacons alone, that spread is the thing to watch.
The point, which is about us as much as them
The reason this is worth a post is not the bull list, though the bull list is useful. It is that we caught our own gauges lying, on our own infrastructure, and said so instead of publishing the flattering wrong number. A dashboard that reads "quiet" is not evidence of calm; it is a claim that has to be audited like any other. The instruments that measure a threat can go dark for reasons that have nothing to do with the threat — and a holiday dims all of them at once. The discipline is to distrust the quiet, inspect the gauge, and separate what you can honestly say (the herd was there, and here is its shape) from what you cannot (that it was any smaller than usual).
We hold this at about 95 percent, as we hold everything. The composition is solid — those attributions are real. The intensity is the part we are explicitly declining to quantify, because the honest answer is that no instrument we own, or that anyone owns, can measure it cleanly across a long weekend. Knowing which of your numbers you're allowed to trust is not a limitation of the analysis. It is the analysis.
Sources: DugganUSA internal indices — auto-blocker decision log and edge block events, holiday window July 3–5 2026 versus the June 26–28 baseline, queried directly. Malware and C2 attributions from our indicator corpus. CISA KEV cadence per the published catalog (last addition July 1). All numbers are ours and reproducible against our own feed.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
