LATEST POST
Rundll32: Five Command Lines That Should Trigger Triage
rundll32.exe is a legitimate Windows binary, which is exactly why it gets abused. Most rundll32 execution is normal. Some is a gift-wrapped incident waiting to happen. This post lists five high-signal rundll32 command...
FEATURED
Implementing the ASD Essential Eight: Practical Hardening for Windows & Linux
Malware in the Subtitles: A Fake Movie Torrent That Assembles Agent Tesla via Layered PowerShell
ClickFix Gets Sneaky: Lumma & Rhadamanthys Hiding in PNG Pixels
AI-Powered Malware: Dynamic Code Generation and the Rise of Adaptive Threats
PREVIOUS POSTS
Weekly Threat Trends — Week Commencing 26 Jan 2026
AI-led intrusion campaigns, identity-layer attacks, ICS advisories, and high-impact data breaches defined the week of 26 January 2026. This roundup walks defenders through what mattered and what to prioritise next.
Beacon or Telemetry? A Practical Way to Tell in 10 Minutes
Not all periodic traffic is C2. And not all C2 looks scary. This post gives a fast, practical method to separate beaconing from benign telemetry using only what most SOCs already have: timing, URI structure, headers, ...
One Artifact: Scheduled Tasks (Why They’re the King of Persistence)
If I had to bet on one persistence mechanism showing up again and again in real incidents, it’s scheduled tasks. They’re reliable, flexible, easy to camouflage, and often under-monitored. This post breaks down how att...
Weekly Threat Trends — Week Commencing 19th January 2026
The third week of January shows how long ransomware and data breaches echo: late-2025 intrusions are turning into 2026 mega-leaks, OT advisories are landing off the back of a failed wiper attack on Poland’s grid, and ...
You Have 6 Artifacts—Reconstruct the Kill Chain
No PCAP. No full disk. No luxury. Just six artifacts from endpoint and network telemetry. Your job: reconstruct the kill chain and decide what to do next. In this analyst challenge, I’ll give you the evidence first, t...
Remcos Goes Fileless (Again): Remote Templates, Equation Editor RCE, and .NET-in-Image Loading
FortiGuard Labs documented a 2026 Remcos campaign abusing remote Word templates, CVE-2017-11882, VBScript/WMI execution, and a fileless chain that reflectively loads a .NET module hidden inside an ‘image’—then process...
Weekly Threat Trends — Week Commencing 12th January 2026
The second full week of 2026 is already busy: actively exploited vulnerabilities in core infrastructure and developer tooling, targeted ransomware against healthcare and claims processors, major breaches in education ...
Casefile: The Fake Browser Update That Dropped a Loader
A user clicks what looks like a routine browser update. Within minutes, a ‘legit’ installer chain pivots into rundll32 execution, persistence via scheduled tasks, and outbound beaconing to fresh infrastructure. This c...
Weekly Threat Trends — Week Commencing 5th January 2026
The first full week of 2026 is already shaping up around three themes: AI and identity converging into a single attack surface, data leaking through 'Shadow AI' and cloud abuse, and old-school ransomware and malware q...
