Tags: KQL Daily

Daily Threat Intelligence Brief: 02 Jun 2026

Jun 2, 2026 20 min read

Belgium's CCB confirmed active exploitation of CVE-2026-41089 (Windows Netlogon RCE, CVSS 9.8) on 1 June: a pre-authentication stack overflow in BuildSamLogonResponse that gives an unauthenticated attacker SYSTEM on a domain controller. Acros Security has released micropatches for end-of-life Windows Server 2008 R2, 2012 and 2012 R2. Exploitation of PAN-OS GlobalProtect CVE-2026-0257 continues past the CISA federal deadline; Rapid7 MDR reports 8 of 10 monitored environments affected. The TrapDoor AI framework supply chain compromise remains active, reaching 14,000+ downstream projects. Includes 8 KQL hunting queries and 4 high-fidelity detection rules.

Tags: KQL Daily, APT, Ransomware

Daily Threat Intelligence Brief: 01 Jun 2026

Jun 1, 2026 28 min read

PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.1): the CISA federal remediation deadline is today, and Rapid7 MDR confirms that 8 of 10 monitored environments accepted forged authentication cookies. Interlock ransomware is exploiting Cisco FMC CVE-2026-20131 (CVSS 10.0) via Java deserialization, dropping a memory-resident web shell that talks to its C2 over an RC4-encrypted WebSocket. TrapDoor AI supply chain: SlowMist calls it one of 2026's largest, with LangChain, LlamaIndex, LangFlow, MetaGPT and OpenHands all targeted via ddjidd564. The Iranian ICS campaign has expanded to include Dark Engine, Sector 16 and NoName057(16). Includes 8 KQL hunting queries and 5 high-fidelity detection rules.

Tags: KQL Daily, Ransomware, ICS

Daily Threat Intelligence Brief: 29 May 2026

May 29, 2026 30 min read

CISA released ten ICS advisories covering ABB EIBPORT (unauthenticated RCE, hard-coded credentials), Schneider Electric EcoStruxure HVAC (command injection), USR IOT, CP Plus NVR and MacGregor VDR. The CISA federal deadlines for Exchange CVE-2026-42897 and LiteSpeed CVE-2026-48172 are today. Silent Ransom Group / Luna Moth has expanded to in-person social engineering: operatives posing as IT support insert USB payloads at law firm offices. The GHOST STADIUM FIFA fraud campaign now exceeds 300 domains. Includes 8 KQL hunting queries and 5 high-fidelity detection rules.
