Cyber Threat Intelligence — Analysis, Research & Detection
Building a threat intelligence indicator gatherer with Claude Code: a desktop Python and tkinter app that stores, searches, and enriches IOCs from documents, web pages, screen captures, and manual entry, with lookups against VirusTotal, AbuseIPDB, and AlienVault OTX.
Read more →APT28 is conducting DNS hijacking campaigns against SOHO routers to perform adversary-in-the-middle attacks, intercepting credentials and communications at the network layer. This post covers 8 KQL detections across network telemetry, DNS, authentication, and device vulnerability data.
Read more →This week's highlights: BRICKSTORM defender guide from Google Threat Intelligence, Storm-1175 Medusa ransomware operations from Microsoft, UNC6783 social engineering via lookalike domains, Fortinet and Cisco CVE exploitation in the wild, and the BlueHammer zero-day disclosure.
Read more →Storm-1175 is a financially motivated actor operating high-velocity Medusa ransomware campaigns, weaponising N-day vulnerabilities within days of disclosure. The group has targeted healthcare, education, finance, and professional services across Australia, the UK, and the US, moving from initial exploitation to full ransomware deployment in under 24 hours. This post covers 8 KQL detections across the full attack chain.
Read more →