When Forensics Becomes Offensive: Abuse of FTK Imager in the STAC3725 Tradecraft

Medium

Bypass, Campaign

Defense Evasion

EDR, Sysmon, Windows

When Forensics Becomes Offensive: Abuse of FTK Imager in the STAC3725 Tradecraft

STAC3725 campaign leveraging FTK Imager abuse to evade defenses, highlighting a stealthy technique repurposing forensic tools for low-noise persistence in […]

Learn more

RedSun: Turning Microsoft Defender into a Path to SYSTEM-Level Privilege Escalation

Medium

Bypass

Privilege Escalation

Sysmon, Windows

RedSun: Turning Microsoft Defender into a Path to SYSTEM-Level Privilege Escalation

Developed by Nightmare-Eclipse, the same researcher of BlueHammer, RedSun is an unpatched local privilege escalation zero-day. It weaponizes Microsoft Defender’s […]

Learn more

Medium

Bypass

Privilege Escalation

EDR, Sysmon, Windows

BlueHammer windows Zero-Day

On April 3rd, 2026 a security researcher operating under the alias "Chaotic Eclipse" dropped a fully functional Windows local privilege […]

Learn more

Weaponizing Windows Toast Notifications Abuse of ToastNotify.exe for Phishing and Credential Coercion

Medium

Bypass

Defense Evasion

EDR, Sysmon, Windows

Weaponizing Windows Toast Notifications: Abuse of ToastNotify.exe for Phishing and Credential Coercion

In the evolving landscape of Windows credential harvesting, the ToastNotify impersonation attack stands out as a masterclass in abusing native […]

Learn more

SplitDrop: Inside the Iran-linked APT group Dust Specter campaign

Medium

APT, Campaign, Malware

Defense Evasion, Execution

EDR, Sysmon, Windows

SplitDrop: Inside the Iran-linked APT group Dust Specter campaign

SplitDrop exposes how alleged Iran-linked group Dust Specter abused DLL sideloading to advance execution and evade security controls mantaining persistence, […]

Learn more

NTDS.dit Dumping via Print Spooler Abuse

Medium

Campaign, LOLBin

Defense Evasion

EDR, Sysmon, Windows

NTDS.dit Dumping via Print Spooler Abuse

In early 2026, threat actors exploited vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40551 and CVE-2025-40536, to gain initial access […]

Learn more

Rhysida’s OysterLoader: Multi-Stage Fake Installer Campaign

Medium

Campaign, CyberCrime, Malware

Persistence

EDR, Sysmon, Windows

Rhysida’s OysterLoader: Multi-Stage Fake Installer Campaign

The Rhysida ransomware group leverages search engine malvertising and code-signed fake installers to distribute OysterLoader, a multi-stage C++ backdoor. It […]

Learn more

Medium

Bypass, CVE

Defense Evasion

Linux, Sysmon

Telnet cve-2026-24061

Telnet is a legacy network protocol for remote command-line access over TCP/IP, but it's insecure due to unencrypted traffic. The […]

Learn more

PureLog Stealer distributed via trojanized TaskScheduler targets Italy

Medium

Campaign, LOLBin, Malware

Defense Evasion

Network, Windows

PureLog Stealer distributed via trojanized TaskScheduler targets Italy

A sophisticated phishing campaign targets manufacturing/government sectors in Italy, Finland, and Saudi Arabia via trojanized TaskScheduler loader. It abuses RegAsm.exe […]

Learn more

Matanbuchus 3.0: Advanced C++ Loader Evolving MaaS

Medium

Campaign, Malware

Defense Evasion

EDR, Sysmon, Windows

Matanbuchus 3.0: Advanced C++ Loader Evolving MaaS

Matanbuchus 3.0 is a C++-based Malware-as-a-Service loader that represents a major evolutionary step from earlier Matanbuchus branches. First observed as […]

Learn more

1 2 3 4 Next »

Labs

Security begins from Hunting

Subscribe

The weekly report on threat hunting

Filters

When Forensics Becomes Offensive: Abuse of FTK Imager in the STAC3725 Tradecraft

RedSun: Turning Microsoft Defender into a Path to SYSTEM-Level Privilege Escalation

BlueHammer windows Zero-Day

Weaponizing Windows Toast Notifications: Abuse of ToastNotify.exe for Phishing and Credential Coercion

SplitDrop: Inside the Iran-linked APT group Dust Specter campaign

NTDS.dit Dumping via Print Spooler Abuse

Rhysida’s OysterLoader: Multi-Stage Fake Installer Campaign

Telnet cve-2026-24061

PureLog Stealer distributed via trojanized TaskScheduler targets Italy

Matanbuchus 3.0: Advanced C++ Loader Evolving MaaS

Contacts

Get in touch with us

Labs

Security begins from Hunting

Subscribe

The weekly report on threat hunting

Filters

When Forensics Becomes Offensive: Abuse of FTK Imager in the STAC3725 Tradecraft

RedSun: Turning Microsoft Defender into a Path to SYSTEM-Level Privilege Escalation

BlueHammer windows Zero-Day

Weaponizing Windows Toast Notifications: Abuse of ToastNotify.exe for Phishing and Credential Coercion

SplitDrop: Inside the Iran-linked APT group Dust Specter campaign

NTDS.dit Dumping via Print Spooler Abuse

Rhysida’s OysterLoader: Multi-Stage Fake Installer Campaign

Telnet cve-2026-24061

PureLog Stealer distributed via trojanized TaskScheduler targets Italy

Matanbuchus 3.0: Advanced C++ Loader Evolving MaaS

Contacts

Get in touch with us

Security begins from Hunting