Friday, July 10, 2026 | Jonathan Lockhart
This edition examines a recurring feature of the current threat landscape: attackers increasingly operate through legitimate security tools, trusted cloud infrastructure, ordinary identity workflows, collaboration services and open-source software ecosystems.
Several stories are current July 2026 developments. Others are deliberately included as historical case studies because the techniques they document—red-team tool abuse, cloud-hosted command and control, endpoint telemetry suppression and exploitation of trusted administrative platforms—are reappearing in newer operations.
RedTiger Turns Discord Theft Into a Commodity Malware Feature
Attackers have repackaged the open-source RedTiger red-team tool into infostealers disguised as Discord utilities, game-related programs and other software likely to attract users of gaming and social platforms.
The resulting malware can collect Discord authentication tokens, account information and payment details. Some versions also search browsers for stored credentials, target cryptocurrency wallets and collect gaming-account information.
The importance of Discord token theft extends beyond the immediate victim. A stolen token may allow an attacker to assume control of an account without completing a conventional password login. The compromised identity can then be used to send malicious files or links to friends, impersonate the victim and reach private communities in which the account is already trusted.
RedTiger does not represent a major technical breakthrough. It demonstrates how quickly an openly available security tool can become the foundation of a polished theft product. The attacker gains credential collection, persistence and exfiltration functions without having to develop the complete malware independently.
Organizations should treat Discord-focused stealers as part of the wider browser and identity-theft ecosystem rather than as a problem confined to gaming communities. Application controls, browser credential protection and monitoring for unexpected access to Discord and browser data directories remain more useful than Discord-specific awareness alone.
References: BleepingComputer investigation into RedTiger-based Discord account theft; RedTiger project documentation and associated malware-analysis reporting.
HexStrike-AI Compresses the Path from Disclosure to Exploitation
HexStrike-AI is an offensive-security orchestration framework that connects large language models with more than 150 security tools. Its architecture allows an AI agent to translate a high-level objective into scanner selection, command execution, result interpretation and follow-up actions.
The framework attracted attention after Check Point researchers observed underground discussion about using it against newly disclosed Citrix NetScaler vulnerabilities. Those discussions established attacker interest and included claims of successful use, but they did not independently prove that HexStrike-AI was responsible for every compromise being advertised.
That distinction is essential. HexStrike-AI does not automatically transform every vulnerability description into a reliable exploit, nor does it create zero-days through language-model intuition. Its practical value is orchestration: it can reduce the manual effort required to combine reconnaissance, vulnerability validation, exploit selection and post-exploitation tools.
This is enough to change defensive timelines. An attacker no longer needs to move manually between numerous interfaces or understand every option exposed by each tool. Agentic orchestration can turn familiar methods into faster, more repeatable workflows and help less experienced operators use capabilities that previously required deeper technical knowledge.
For administrators, the response is not a new class of “AI firewall.” It is faster exposure discovery, temporary isolation of vulnerable edge systems and patch validation conducted in parallel rather than as a slow sequence of separate decisions.
References: Check Point Research analysis of HexStrike-AI and its discussion in criminal forums; HexStrike-AI project documentation describing its multi-tool orchestration architecture.
Ghost Calls Moves Command Traffic Inside Conferencing Infrastructure
Praetorian’s Ghost Calls research demonstrated how command-and-control traffic could be tunneled through TURN relay infrastructure used by Zoom and Microsoft Teams.
TURN services relay audio, video and other real-time traffic when two endpoints cannot communicate directly. Because businesses generally permit conferencing traffic, an attacker using the same relay architecture may be able to pass through network restrictions that would block an unfamiliar command-and-control domain.
Ghost Calls does not rely on a vulnerability in Zoom or Microsoft Teams. The technique uses legitimate relay functionality, temporary credentials and WebRTC-related protocols to make hostile communications resemble ordinary conferencing traffic.
The research became more operationally significant in June 2026 when Symantec described a DragonForce intrusion involving Backdoor.Turn, a custom Go-based remote-access tool. Symantec said the malware used Microsoft Teams TURN servers to obscure command communications during an intrusion at a major U.S. services company. Backdoor.Turn is Symantec’s detection name, not a generic name for every implementation of the technique.
The defensive problem is that blocking all Teams or Zoom relay infrastructure is unlikely to be operationally acceptable. Detection therefore needs to focus on process and behavioral context: which process initiated the relay connection, whether conferencing software was active, how long the traffic persisted and what endpoint activity accompanied it.
Trusted cloud infrastructure should not be confused with trusted application behavior.
References: Praetorian Ghost Calls research on TURN-relay command and control; Symantec threat-intelligence reporting on DragonForce and Backdoor.Turn.
MacroPack Documents Became Loaders for Brute Ratel and Havoc
This 2024 case remains relevant because it documents a pattern that continues across the current tool-abuse landscape.
Cisco Talos identified malicious documents generated with MacroPack that delivered Brute Ratel, Havoc and PhantomCore payloads. MacroPack is designed to help red teams create obfuscated Office documents and related payload formats. Its automation and obfuscation functions can also reduce the work required to construct malicious delivery files.
Talos found samples submitted from multiple countries and using different lure themes. The available evidence did not support treating them as one centrally managed campaign. The stronger conclusion was that several actors had independently adopted the same red-team generator.
Brute Ratel and Havoc provide mature post-exploitation capabilities intended to simulate sophisticated adversaries. Once those frameworks are operating, defenders may be confronting encrypted command traffic, in-memory execution and deliberate evasion of endpoint controls.
The more reliable detection opportunity is often earlier in the chain: a document spawning a script interpreter, unusual DLL loading, encoded command execution, process injection or a new outbound connection immediately after the document is opened.
The use of a legitimate red-team generator does not make the execution chain legitimate. It means defenders must detect behavior rather than depend on a simple classification of the original tool.
References: Cisco Talos research on MacroPack-generated documents delivering Brute Ratel, Havoc and PhantomCore; supporting technical reporting on Brute Ratel and Havoc post-exploitation behavior.
Google’s GC2 Demonstrates the Limits of Domain Reputation
Google Command and Control, or GC2, is an open-source framework that can receive commands through Google Sheets and transfer stolen files through Google Drive. Later variants also incorporated Microsoft SharePoint services.
Google’s Threat Analysis Group documented China-linked APT41 activity using GC2 against a Taiwanese media organization in October 2022. Related activity had previously targeted an Italian job-search organization.
The technique was effective because Google Workspace traffic was already permitted in the victim environments. The malicious destination was not an attacker-owned domain with a poor reputation. It was a legitimate Google service used through an attacker-controlled document or account.
This is the central problem with cloud-hosted command and control. Domain reputation becomes weak evidence when the destination is trusted but the account, file, API request or process using it is hostile.
Enterprises should monitor which applications access Google APIs, whether command-line or unsigned processes communicate with Sheets or Drive, and whether endpoints upload unusual archives or large datasets. Cloud audit logs should also be examined for newly created documents, unfamiliar service identities and access patterns inconsistent with the user’s normal role.
The GC2 case is historical, but the defensive lesson is increasingly current. Google Drive, Microsoft 365, GitHub, Telegram and conferencing services have all become attractive because defenders cannot block them as casually as disposable criminal infrastructure.
References: Google Cloud Threat Horizons reporting on APT41 use of GC2; GC2 project documentation; BleepingComputer coverage of Google-service abuse for command and control.
AI-Assisted Post-Exploitation Framework Automates EDR Testing and AD Discovery
Sophos X-Ops investigated a threat actor using generative AI while developing and testing a modular post-exploitation framework.
The recovered material included Active Directory discovery functions, Cobalt Strike profiles, Python shellcode-injection scripts, Telegram-based command communications and a Cloudflare Worker used as a redirector. The actor also maintained an environment for testing payloads against endpoint products including Microsoft Defender, CrowdStrike and Sophos.
Some reporting described the project as an AI-built ransomware toolkit. The more defensible description is an AI-assisted post-exploitation and ransomware-oriented framework. Sophos observed development, testing and evasion activity; that does not establish that an autonomous AI system independently designed and operated a complete ransomware campaign.
The realistic threat is more immediate than the autonomous-malware narrative. Generative systems can help operators write scripts, debug integrations, translate code between languages and automate repeated testing. They may also enable technically weaker actors to assemble modules that would previously have required a larger development team.
Defenders should expect more rapidly changing payloads, uneven code quality and shorter signature lifecycles. Identity telemetry, process behavior and network evidence will become more valuable as individual payload hashes and static patterns expire more quickly.
References: Sophos X-Ops investigation into AI-assisted post-exploitation development and EDR testing; BleepingComputer coverage of the associated ransomware-oriented toolkit.
EDRSilencer Attacks the Reporting Channel Instead of the Sensor
EDRSilencer is an open-source red-team tool designed to interfere with endpoint detection and response communications through the Windows Filtering Platform.
Rather than terminating an EDR process, the tool identifies security-product processes and creates filtering rules intended to block their outbound communications. The endpoint service may continue running while the management platform stops receiving alerts or telemetry.
Trend Micro reported in October 2024 that threat actors were attempting to integrate EDRSilencer into malicious operations. This makes EDR health monitoring more complicated than checking whether an agent process or Windows service is present.
A silent sensor can create false confidence. The console may show an enrolled device even though the endpoint has stopped transmitting the evidence required for detection and investigation.
Security teams need alerts for missed heartbeats, abrupt reductions in event volume, unexpected Windows Filtering Platform rules and policy changes affecting known security destinations. Network telemetry and identity logs should provide an independent source of evidence when endpoint visibility is disrupted.
The broader lesson is architectural. A defense that depends on one agent using one reporting path also needs a mechanism for detecting when that path has been blocked.
References: Trend Micro research on EDRSilencer and threat-actor attempts to disrupt endpoint-security communications.
HotCobalt Could Disrupt Cobalt Strike Servers but Not Dismantle Them
In 2021, SentinelOne disclosed CVE-2021-36798, a denial-of-service vulnerability affecting Cobalt Strike team servers.
The flaw allowed a party capable of communicating with the server to register a fake Beacon and send abnormally large fabricated screenshots. Repeated requests could exhaust memory and crash the Java process supporting the team server. Cobalt Strike corrected the issue in version 4.4.
Contemporary headlines sometimes described the vulnerability as allowing defenders to “take down” attacker infrastructure. That characterization requires qualification.
Crashing a Cobalt Strike server does not seize it, identify its operator, remove malware from compromised endpoints or prevent the attacker from restoring the service elsewhere. It may also destroy intelligence opportunities by warning the operator or causing the infrastructure to disappear before investigators can observe it.
The case remains important because it reverses the usual relationship between victim and offensive framework. Attacker infrastructure also has software vulnerabilities, exposed services and operational mistakes that can support detection, attribution or authorized disruption.
Active interference with hostile infrastructure nevertheless carries legal and operational risks. It belongs with law enforcement, infrastructure providers and organizations possessing explicit authority—not with improvised corporate counterattacks.
References: SentinelOne HotCobalt research; Cobalt Strike advisory for CVE-2021-36798 and the version 4.4 correction.
Exploited Zimbra XSS Remains a Legacy Exposure Problem
CVE-2025-27915 is a stored cross-site scripting vulnerability in the Zimbra Collaboration Suite Classic Web Client.
A malicious calendar file embedded in an email could contain HTML that was not adequately sanitized. When the message was viewed in a vulnerable Classic Web Client, JavaScript could execute in the user’s authenticated webmail session.
The vulnerability affected Zimbra 9.0, 10.0 and 10.1 release lines. Corrected releases included 9.0.0 Patch 44, 10.0.13 and 10.1.5. CISA added the flaw to the Known Exploited Vulnerabilities Catalog on October 7, 2025, with an October 28 federal remediation deadline.
This is not a newly disclosed July 2026 vulnerability. It remains relevant because self-hosted mail servers frequently survive long after the organization believes they have been retired, and internet-accessible Zimbra systems have historically remained unpatched after exploitation becomes public.
The original severity score was moderate, but environment and victim role matter. JavaScript executing inside an administrator’s or senior employee’s webmail session may read messages, access contacts, steal session information or modify mailbox rules.
Administrators should verify actual installed versions, inspect calendar-related messages and review forwarding rules, filters and delegated mailbox access. Directing users to the Modern Web Client may reduce exposure temporarily, but it is not a replacement for installing the corrected release.
References: Zimbra security advisories for CVE-2025-27915; NVD record for CVE-2025-27915; CISA Known Exploited Vulnerabilities Catalog entry and remediation deadline.
OpenMandriva Alleges Destructive Action by a Former Contributor
OpenMandriva has publicly accused a former contributor of using retained administrative access to damage project resources following an internal dispute.
According to the project’s July 8 statement, part of a GitHub repository was deleted and an empty package was placed in the Cooker repository with metadata that obsoleted GNOME and COSMIC packages. OpenMandriva said this could have damaged systems using those desktop environments and that it was restoring the repositories and package functionality.
The project also stated that a subsequent audit found no additional violations beyond the removed packages.
These are OpenMandriva’s allegations. The complete account of the accused contributor has not been established through independent evidence, and the incident should not be narrated as a judicially proven act of sabotage.
The security lesson does not depend on resolving the interpersonal dispute. Volunteer software projects often grant broad access through accumulated personal trust while maintaining relatively informal offboarding procedures. Repository, signing, packaging and infrastructure privileges may remain active after a contributor’s responsibilities change.
Open-source projects need the same access discipline expected of commercial software providers: individual accounts, hardware-backed authentication, protected branches, independent audit logs and immediate revocation when a maintainer departs or enters a serious dispute with the project.
Destructive package operations should also require review or produce alerts outside the infrastructure being modified.
References: OpenMandriva public statement regarding attempted distribution sabotage; independent coverage from The Register, Phoronix and Linuxiac.
Helix Uses Vishing and Device Codes to Reach SharePoint Data
ReliaQuest has identified a data-extortion cluster operating under the name Helix.
The group’s initial-access pattern combines voice phishing with Microsoft device-code authentication. In a confirmed case, the caller spoofed the name of the target’s manager and guided the employee through a legitimate Microsoft authentication flow. The attacker then used the resulting session, registered a new Microsoft Authenticator method and began accessing cloud resources.
Helix subsequently enumerated SharePoint sites and used automated tooling to download large quantities of data. ReliaQuest observed the same hosted IP address and Python user-agent pattern during automated collection across multiple incidents.
The operation is notable because malware is not required. The victim participates in a genuine Microsoft authorization process, and the attacker operates through legitimate cloud sessions. A password change alone may therefore be insufficient unless active sessions and newly registered authentication methods are also removed.
ReliaQuest describes similarities with tradecraft associated with BlackFile and ShinyHunters operations but does not establish that Helix is definitively the same group. Shared methods and infrastructure can indicate personnel overlap, copied playbooks or access to a common criminal service.
Disabling device-code authentication where it is unnecessary is the highest-impact preventive measure. Organizations should also alert on authentication-method registration from unmanaged devices, session use immediately following registration, SharePoint-wide search queries and bulk downloads from unfamiliar hosted infrastructure.
References: ReliaQuest threat spotlight on Helix, device-code phishing and SharePoint exfiltration; supporting reporting from BleepingComputer and SC Media.
AI-Discovered Windows Flaws Will Increase Patch Volume
Microsoft says customers should expect a larger number of security corrections as the company expands AI-assisted vulnerability discovery inside Windows and other products.
The company’s Multi-Model Agentic Scanning Harness, known as MDASH, coordinates more than 100 specialized agents and multiple models. The system is designed to discover potential vulnerabilities, validate whether they are reachable and demonstrate exploitability before findings are passed to engineers.
Microsoft has reported strong results in controlled benchmarks and has begun integrating the system into production security work. A separate Windows-specific validation process is intended to reduce false positives before human engineers investigate and approve fixes.
The immediate significance is not that AI is autonomously repairing Windows. Microsoft says human review remains part of the release process. The meaningful change is discovery capacity: automated systems can examine more code paths and revisit related components after one vulnerability is found.
More security updates do not necessarily mean Windows code is becoming less secure. They may indicate that flaws which previously remained hidden are being found before attackers discover them.
The operational burden nevertheless falls on customers. Enterprises already struggle to test cumulative updates across legacy applications, identity systems and server roles. Higher vulnerability-discovery output will require better test rings, more representative staging environments and dependable rollback procedures.
AI may improve upstream discovery while making weak downstream patch programs more visible.
References: Microsoft Security reporting on MDASH and multi-model agentic vulnerability discovery; Microsoft follow-up reporting on production deployment and benchmark performance; BleepingComputer coverage of expected increases in Windows security updates.
Forg365 Industrializes Microsoft 365 Account Theft
Forg365 is a phishing-as-a-service platform designed around Microsoft 365 account takeover.
Researchers from ZeroBEC who examined the service reported support for device-code phishing, adversary-in-the-middle phishing, OAuth application configuration, token management and AI-assisted email generation. The dashboard allows an affiliate to build campaigns and manage infrastructure without developing the entire phishing platform independently.
The service also advertises a browser extension called ForgCookie. Reporting indicates that it is intended to manage or refresh stolen Microsoft authentication cookies and support post-compromise access. Because these capabilities come partly from criminal service claims, they should be treated as reported platform features rather than independently proven performance guarantees.
Artificial intelligence is not the main technical innovation. It lowers the cost of producing customized language, translating messages and adapting lures to different organizations. The account compromise still depends on established identity attacks: intercepting sessions, abusing legitimate authorization and persuading users to complete an attacker-controlled authentication flow.
Forg365 reflects the continued maturation of Microsoft 365 compromise as a commercial criminal service. An affiliate can purchase campaign management, lure creation and token-handling capabilities much as earlier criminals rented exploit kits or commodity malware loaders.
Defenders should restrict device-code authentication, require phishing-resistant methods for sensitive accounts and monitor new OAuth applications, consent grants, authentication-method changes and token use from unmanaged devices. Password resets should be accompanied by session revocation and review of added authentication methods.
References: ZeroBEC research into Forg365; BleepingComputer reporting on Forg365’s device-code, adversary-in-the-middle and AI-assisted phishing capabilities.
AssuranceAmerica Breach Affects 6,998,886 Drivers
AssuranceAmerica has begun notifying 6,998,886 individuals following a cyberattack against company systems.
The insurer said it detected suspicious activity on March 17, 2026, associated with malicious activity that began the previous day and targeted an employee. The company removed the attackers, reset passwords, increased monitoring and contacted law enforcement.
Information involved may include names, contact details, insurance policy and account information, vehicle and driver data, claims information and driver’s-license numbers. The precise affected-person count comes from regulatory breach reporting rather than an estimate rounded by media coverage.
At the time of the initial disclosure, no criminal group had publicly claimed the intrusion and the stolen dataset had not been confirmed as published. Those facts can change, but they should not be replaced with speculation about ransomware attribution.
Automobile insurance records are valuable because they combine identity, address, vehicle, policy and claims information. That data can support convincing payment fraud, accident-related impersonation and targeted phishing in which the attacker already knows details the victim expects only an insurer to possess.
Affected people should independently contact the insurer using trusted information rather than respond to unsolicited calls or messages quoting accurate policy details. Organizations should warn customer-service and financial teams that authentic personal information is no longer reliable proof of identity.
References: AssuranceAmerica breach notification and regulatory filings; Maine Attorney General data-breach record; reporting from BleepingComputer and other breach-monitoring outlets.
Microsoft Patches the RoguePlanet Defender Privilege-Escalation Flaw
Microsoft has released a correction for CVE-2026-50656, a Microsoft Malware Protection Engine elevation-of-privilege vulnerability publicly known as RoguePlanet.
The flaw affects engine versions earlier than 1.1.26060.3008. A local attacker with low-privilege code execution could exploit it to gain NT AUTHORITY\SYSTEM privileges. Public proof-of-concept material was available before Microsoft released the corrected engine.
Microsoft assigns the issue a CVSS v3.1 score of 7.8. NVD’s independent analysis scores it 7.0 because it assesses greater attack complexity. The difference should not be flattened into one supposedly universal score.
RoguePlanet is a local privilege-escalation vulnerability, not remote initial access. The attacker must first execute code on the system. Its significance comes from Microsoft Defender’s ubiquity and privileged position: a compromised application, browser process or low-privilege user could use the flaw to obtain complete local control.
The researcher has been identified in reporting under the aliases Nightmare-Eclipse and Chaotic Eclipse. Microsoft’s official advisory does not publicly credit that researcher, so the attribution should remain separate from the vendor record.
The correction is delivered through the Malware Protection Engine update channel. Administrators should verify that endpoints are running engine version 1.1.26060.3008 or later rather than assuming that installation of a Windows cumulative update proves remediation.
No confirmed in-the-wild exploitation was established in the available official sources. Public proof-of-concept availability and prior disclosure make rapid engine-version verification appropriate without overstating the exploitation status.
References: Microsoft Security Update Guide entry for CVE-2026-50656; NVD record for CVE-2026-50656; technical analysis from Malwarebytes, ThreatLocker, Cyderes and Picus.
Mount Royal University Confirms Theft and Deletion of Stored Data
Mount Royal University in Calgary has confirmed that attackers accessed its network, copied data and then deleted information from file-storage systems.
The university identified its H drive, which contained employee and student information, among the affected resources. Reporting also identified departmental data stored on the J drive as part of the investigation.
A criminal organization has claimed responsibility for the attack. The group’s statements about the amount or exact contents of stolen data should remain separate from what the university has independently confirmed.
The deletion of shared storage is important even where the attacker’s primary objective is extortion through stolen information. It shows that availability remains at risk in data-theft operations and that an extortion actor may destroy accessible files after collection.
Universities are particularly difficult environments to defend. They combine open collaboration, decentralized technical ownership, personal information, research data and large numbers of temporary or changing users. Shared drives can also accumulate sensitive material without consistent retention or access controls.
Recovery systems must be isolated from ordinary administrative credentials and tested through actual restoration. Cloud synchronization and snapshots can help, but neither is a dependable backup if the attacker can delete synchronized data or alter the same administrative plane controlling recovery.
References: Mount Royal University breach disclosures; reporting from BleepingComputer and SecurityWeek; statements concerning the affected H and J drives and the continuing investigation.
Fake Paysafe, Skrill and Neteller Packages Steal Developer Secrets
Socket identified 17 malicious packages published across npm and PyPI that typosquatted software-development kits associated with Paysafe, Skrill and Neteller.
The packages were published in a coordinated burst and presented interfaces resembling legitimate payment integrations. Behind the fake SDK functionality, they collected credentials, tokens and environment variables and exfiltrated the information to attacker-controlled infrastructure hosted in AWS.
Some packages returned fabricated successful responses. This could allow a developer or automated build to continue without immediately revealing that the payment integration was not genuine.
The campaign targeted development environments rather than individual payment customers directly. A compromised workstation or CI runner may hold cloud credentials, package-registry tokens, source-code access, payment secrets and deployment keys. Theft at that point can become the first stage of a wider supply-chain intrusion.
Organizations should search dependency manifests, lock files, package-manager caches and CI logs for the package names documented by Socket. Any environment that installed one of them should be treated as exposed, with relevant secrets rotated rather than merely deleting the dependency.
The incident also shows why package selection cannot be based on name similarity alone. Publisher history, repository links, release chronology, package contents and provenance need scrutiny—especially when integrating financial or authentication services.
References: Socket research into the npm and PyPI typosquatting campaign targeting Paysafe, Skrill and Neteller; supporting reporting from BleepingComputer and Developer Tech.
China-Aligned Operators Chain Roundcube Flaws Against Academic Researchers
Proofpoint has identified a campaign targeting physics and engineering departments at universities in the United States and Canada.
The activity cluster, tracked as UNK_MassTraction, has been operating since at least May 2026 and is assessed as likely China-aligned. Targets included administrators and professors working in areas such as astrophysics, particle physics and research connected to national-security interests.
The intrusion begins with CVE-2024-42009, a Roundcube cross-site scripting vulnerability. A crafted email can execute JavaScript when opened in a vulnerable Roundcube webmail session. The injected loader retrieves a second-stage tool Proofpoint calls IceCube, which can access the Roundcube session and steal mailbox information.
The chain then attempts to exploit CVE-2025-49113, a Roundcube deserialization vulnerability. Successful exploitation can install a PHP webshell called SquareShell. If that route fails, the operation can use a fallback shell script to deploy a loader and the VShell backdoor.
This is more than a browser-session theft campaign. The first vulnerability provides access through the victim’s webmail session; the second can turn that access into compromise of the Roundcube server itself.
Proofpoint’s attribution remains an analytical judgment. Chinese-language artifacts, targeting and overlap with previously observed tooling support a China-aligned assessment, but they do not publicly establish the exact government organization or operator behind the campaign.
Universities running Roundcube should verify remediation for both CVE-2024-42009 and CVE-2025-49113. Investigations should include malicious message content, web-access logs, unexpected PHP files, the identified webshell path, anomalous Roundcube sessions and suspicious Linux processes or outbound connections.
Academic email is a strategic intelligence target. It contains unpublished research, grant applications, government and industry relationships, international collaboration and access to technical communities whose work may not yet be publicly available.
References: Proofpoint research on UNK_MassTraction, IceCube, SquareShell and the Roundcube exploit chain; supporting reporting from BleepingComputer, The Register and The Hacker News.
Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.
Member discussion: