LATEST POST

Weekly Threat Trends — Week Commencing 9th February 2026 15 Feb 2026

The second week of February 2026 shows ransomware pivoting back to hard encryption, government and payment pipelines under pressure, unmanaged edge VMs being used as footholds, and consumer/IoT devices feeding some of...

PREVIOUS POSTS

Myth: “New Domain = Malicious” (What Actually Matters) 12 Feb 2026

A domain being ‘new’ to your environment is a weak signal on its own—sometimes useful, often misleading. This post breaks down why defenders overvalue ‘new domain’ alerts, what signals actually separate malicious infr...

Detection Diary: Catching Loaders With 3 Correlations 10 Feb 2026

Loaders are built to blend in: a fake installer, a LOLBin hop, quiet persistence, then a clean HTTPS beacon. If you alert on single events, you drown. If you correlate three things, you catch the chain early. Here are...

Weekly Threat Trends — Week Commencing 2nd February 2026 08 Feb 2026

The first week of February 2026 brings a clean picture of where the fight is headed: selective supply-chain compromises of dev tooling, hypervisor and mail-server exploits wired into ransomware playbooks, AI platforms...

Credential Theft Without Malware: When the Browser Is the Battlefield 05 Feb 2026

Credential theft does not always require a classic malware payload. In many real intrusions, the browser is the prize: cookies, session tokens, saved passwords, and synced identities. This post walks through how attack...

Rundll32 Abuse: The 5 Command Lines I Treat as 'Stop and Look' 03 Feb 2026

rundll32.exe is a legitimate Windows binary, which is exactly why it gets abused. Most rundll32 execution is normal. Some is a gift-wrapped incident waiting to happen. This post lists five high-signal rundll32 command...

Weekly Threat Trends — Week Commencing 26 Jan 2026 01 Feb 2026

AI-led intrusion campaigns, identity-layer attacks, ICS advisories, and high-impact data breaches defined the week of 26 January 2026. This roundup walks defenders through what mattered and what to prioritise next.

Beacon or Telemetry? A Practical Way to Tell in 10 Minutes 29 Jan 2026

Not all periodic traffic is C2. And not all C2 looks scary. This post gives a fast, practical method to separate beaconing from benign telemetry using only what most SOCs already have: timing, URI structure, headers, ...

One Artifact: Scheduled Tasks (Why They’re the King of Persistence) 27 Jan 2026

If I had to bet on one persistence mechanism showing up again and again in real incidents, it’s scheduled tasks. They’re reliable, flexible, easy to camouflage, and often under-monitored. This post breaks down how att...

Weekly Threat Trends — Week Commencing 19th January 2026 25 Jan 2026

The third week of January shows how long ransomware and data breaches echo: late-2025 intrusions are turning into 2026 mega-leaks, OT advisories are landing off the back of a failed wiper attack on Poland’s grid, and ...