LATEST POST
No Malware Required: How Browsers Get Looted
Credential theft does not always require a classic malware payload. In many real intrusions, the browser is the prize—cookies, session tokens, saved passwords, and synced identities. This post walks through how attack...
FEATURED
Implementing the ASD Essential Eight: Practical Hardening for Windows & Linux
Malware in the Subtitles: A Fake Movie Torrent That Assembles Agent Tesla via Layered PowerShell
ClickFix Gets Sneaky: Lumma & Rhadamanthys Hiding in PNG Pixels
AI-Powered Malware: Dynamic Code Generation and the Rise of Adaptive Threats
PREVIOUS POSTS
Rundll32 Abuse: The 5 Command Lines I Treat as 'Stop and Look'
rundll32.exe is a legitimate Windows binary, which is exactly why it gets abused. Most rundll32 execution is normal. Some is a gift-wrapped incident waiting to happen. This post lists five high-signal rundll32 command...
Weekly Threat Trends — Week Commencing 26 Jan 2026
AI-led intrusion campaigns, identity-layer attacks, ICS advisories, and high-impact data breaches defined the week of 26 January 2026. This roundup walks defenders through what mattered and what to prioritise next.
Beacon or Telemetry? A Practical Way to Tell in 10 Minutes
Not all periodic traffic is C2. And not all C2 looks scary. This post gives a fast, practical method to separate beaconing from benign telemetry using only what most SOCs already have: timing, URI structure, headers, ...
One Artifact: Scheduled Tasks (Why They’re the King of Persistence)
If I had to bet on one persistence mechanism showing up again and again in real incidents, it’s scheduled tasks. They’re reliable, flexible, easy to camouflage, and often under-monitored. This post breaks down how att...
Weekly Threat Trends — Week Commencing 19th January 2026
The third week of January shows how long ransomware and data breaches echo: late-2025 intrusions are turning into 2026 mega-leaks, OT advisories are landing off the back of a failed wiper attack on Poland’s grid, and ...
You Have 6 Artifacts—Reconstruct the Kill Chain
No PCAP. No full disk. No luxury. Just six artifacts from endpoint and network telemetry. Your job: reconstruct the kill chain and decide what to do next. In this analyst challenge, I’ll give you the evidence first, t...
Remcos Goes Fileless (Again): Remote Templates, Equation Editor RCE, and .NET-in-Image Loading
FortiGuard Labs documented a 2026 Remcos campaign abusing remote Word templates, CVE-2017-11882, VBScript/WMI execution, and a fileless chain that reflectively loads a .NET module hidden inside an ‘image’—then process...
Weekly Threat Trends — Week Commencing 12th January 2026
The second full week of 2026 is already busy: actively exploited vulnerabilities in core infrastructure and developer tooling, targeted ransomware against healthcare and claims processors, major breaches in education ...
Casefile: The Fake Browser Update That Dropped a Loader
A user clicks what looks like a routine browser update. Within minutes, a ‘legit’ installer chain pivots into rundll32 execution, persistence via scheduled tasks, and outbound beaconing to fresh infrastructure. This c...
