LATEST POST

Scheduled Tasks: The Persistence Mechanism That Never Dies (27 Jan 2026)

If I had to bet on one persistence mechanism showing up again and again in real incidents, it’s scheduled tasks. They’re reliable, flexible, easy to camouflage, and often under-monitored. This post breaks down how att...

PREVIOUS POSTS

Weekly Threat Trends — Week Commencing 19th January 2026 (25 Jan 2026)

The third week of January shows how long ransomware and data breaches echo: late-2025 intrusions are turning into 2026 mega-leaks, OT advisories are landing off the back of a failed wiper attack on Poland’s grid, and ...

You Have 6 Artifacts—Reconstruct the Kill Chain (22 Jan 2026)

No PCAP. No full disk. No luxury. Just six artifacts from endpoint and network telemetry. Your job: reconstruct the kill chain and decide what to do next. In this analyst challenge, I’ll give you the evidence first, t...

Remcos Goes Fileless (Again): Remote Templates, Equation Editor RCE, and .NET-in-Image Loading (20 Jan 2026)

FortiGuard Labs documented a 2026 Remcos campaign abusing remote Word templates, CVE-2017-11882, VBScript/WMI execution, and a fileless chain that reflectively loads a .NET module hidden inside an ‘image’—then process...

Weekly Threat Trends — Week Commencing 12th January 2026 (18 Jan 2026)

The second full week of 2026 is already busy: actively exploited vulnerabilities in core infrastructure and developer tooling, targeted ransomware against healthcare and claims processors, major breaches in education ...

Casefile: The Fake Browser Update That Dropped a Loader (15 Jan 2026)

A user clicks what looks like a routine browser update. Within minutes, a ‘legit’ installer chain pivots into rundll32 execution, persistence via scheduled tasks, and outbound beaconing to fresh infrastructure. This c...

Weekly Threat Trends — Week Commencing 5th January 2026 (11 Jan 2026)

The first full week of 2026 is already shaping up around three themes: AI and identity converging into a single attack surface, data leaking through 'Shadow AI' and cloud abuse, and old-school ransomware and malware q...

Initial Access Brokers & Ransomware Chains (07 Jan 2026)

Commodity loaders and infostealers do not exist in a vacuum. They feed a market of Initial Access Brokers and ransomware affiliates who specialise in buying, packaging, and weaponising footholds into full-scale extort...

Weekly Threat Trends — Week Commencing 29th December 2025 (04 Jan 2026)

This half-week at the end of 2025 and the first days of 2026 are a good moment to take stock: AI-driven intrusion chains, identity-led attacks, data extortion, and the growing role of DFIR all reshaped how defenders w...

Stealer-as-a-Service & the Credential Ecosystem (31 Dec 2025)

Infostealers are no longer just one-off binaries dropped by random phishing emails. They are part of a mature Stealer-as-a-Service ecosystem where logs are harvested, packaged, traded, and weaponised for everything fr...