LATEST POST

New Domain ≠ Malicious: The Signals That Matter 12 Feb 2026

A domain being ‘new’ to your environment is a weak signal on its own—sometimes useful, often misleading. This post breaks down why defenders overvalue ‘new domain’ alerts, what signals actually separate malicious infr...

PREVIOUS POSTS

Detection Diary: Catching Loaders With 3 Correlations 10 Feb 2026

Loaders are built to blend in: a fake installer, a LOLBin hop, quiet persistence, then a clean HTTPS beacon. If you alert on single events, you drown. If you correlate three things, you catch the chain early. Here are...

Weekly Threat Trends — Week Commencing 2nd February 2026 08 Feb 2026

The first week of February 2026 brings a clean picture of where the fight is headed: selective supply-chain compromises of dev tooling, hypervisor and mail-server exploits wired into ransomware playbooks, AI platforms...

Credential Theft Without Malware: When the Browser Is the Battlefield 05 Feb 2026

Credential theft does not always require a classic malware payload. In many real intrusions, the browser is the prize: cookies, session tokens, saved passwords, and synced identities. This post walks through how attack...

Rundll32 Abuse: The 5 Command Lines I Treat as 'Stop and Look' 03 Feb 2026

rundll32.exe is a legitimate Windows binary, which is exactly why it gets abused. Most rundll32 execution is normal. Some is a gift-wrapped incident waiting to happen. This post lists five high-signal rundll32 command...

Weekly Threat Trends — Week Commencing 26 Jan 2026 01 Feb 2026

AI-led intrusion campaigns, identity-layer attacks, ICS advisories, and high-impact data breaches defined the week of 26 January 2026. This roundup walks defenders through what mattered and what to prioritise next.

Beacon or Telemetry? A Practical Way to Tell in 10 Minutes 29 Jan 2026

Not all periodic traffic is C2. And not all C2 looks scary. This post gives a fast, practical method to separate beaconing from benign telemetry using only what most SOCs already have: timing, URI structure, headers, ...

One Artifact: Scheduled Tasks (Why They’re the King of Persistence) 27 Jan 2026

If I had to bet on one persistence mechanism showing up again and again in real incidents, it’s scheduled tasks. They’re reliable, flexible, easy to camouflage, and often under-monitored. This post breaks down how att...

Weekly Threat Trends — Week Commencing 19th January 2026 25 Jan 2026

The third week of January shows how long ransomware and data breaches echo: late-2025 intrusions are turning into 2026 mega-leaks, OT advisories are landing off the back of a failed wiper attack on Poland’s grid, and ...

You Have 6 Artifacts—Reconstruct the Kill Chain 22 Jan 2026

No PCAP. No full disk. No luxury. Just six artifacts from endpoint and network telemetry. Your job: reconstruct the kill chain and decide what to do next. In this analyst challenge, I’ll give you the evidence first, t...