匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ

733 posts


@Cyber0verload

Cyber Threat Hunter

Joined December 2020
124 Following, 1.9K Followers
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
DevopsCube @devopscube
Falco Operator v0.2.0 is here. The Falco Operator just added a new Components CRD. Earlier, you had to manage Falco using the Operator and deploy Falcosidekick separately with Helm. Two different approaches. More moving parts. Now, one operator manages everything. No need for separate Helm charts for Falcosidekick or the UI. You define everything using Falco’s custom resources, and the operator handles the rest. Release notes: github.com/falcosecurity/… If you are working on runtime security in Kubernetes, this is worth trying. #Kubernetes #Falco #DevOps #Security
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
InfoGuard Labs @InfoGuard_Labs
Abusing Cortex XDR Live Terminal as C2 We reverse-engineered the IR payload and found ways to route EDR traffic to attacker-controlled tenants or custom servers. Living off the Land #LOTL with EDRs. Full write-up by @p0w1_ 👇labs.infoguard.ch/posts/abusing_…
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ
#APT #Gamaredon #PrimitiveBear #TridentUrsa #UAC0010 🤡 🎯Keep your eyes on this: *[.]loophole[.]site 🔴IOCs perspicacious[.]ru notathird[.]online moressa[.]online ansowhat[.]online oclouds[.]online *[.]drunk-bear[.]workers[.]dev *[.]yahhoo[.]workers[.]dev cc @500mk500
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ @Cyber0verload

#APT #Gamaredon #PrimitiveBear #TridentUrsa #UAC0010 🤡 🎯Keep your eyes on this: *.localhost[.]run *.lhr[.]life *.workers[.]dev *.trycloudflare[.]com 🔴IOCs: *.chocolate695.workers[.]dev *.70federal.workers[.]dev *.3022protestant.workers[.]dev *.213rrfgv.workers[.]dev

匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
Melvin langvik @Flangvik
**OFFICIAL** EDR Tier List for 2026! Based on nothing but the people in chat, vibes, guests, opinions and limited experience. Thanks to @EmericNasi @ShitSecure @_JohnHammond and @domchell for jumping in as guests to help me out this time around!
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
vx-underground @vxunderground
For malware analysts, or nerds who care: Initial access script SHA256: aa3a9ed1e3b21845a6a0dfd5cef12661becbdb738e2a78adecbb2421785795c9 Payload SHA256: 58ed7f9d65b10b2501e5d080217ae79cd0d88ae0d784896ceac67abda03ab3ed Delivery domain: mscfg[.]cfd C2: hov[.]kievholod[.]kiev[.]ua t[.]me/gal17d
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
Florian Roth ⚡️ @cyb3rops
MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB - unauthenticated memory disclosure - public POC, trivial to exploit - leaks creds, tokens, cloud keys straight from RAM - huge exposed surface on the internet Good writeups and technical details here: doublepulsar.com/merry-christma… ox.security/blog/attackers… blog.ecapuano.com/p/hunting-mong… Patch fast, rotate secrets, and assume exposed instances were scanned(!)
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
Florian Roth ⚡️ @cyb3rops
It’s wild how little sticks around when someone hits a server with the #React RCE payload. All the interesting parts of the POST request live for a moment in memory, get decoded, executed (or rejected), and vanish. Nothing hits a log, nothing lands on disk. You can scan process memory for patterns, sure, but you’ll mostly catch scanners, broken requests, bots, random noise. A clean “this was a successful exploit” signal isn’t really possible here. The only reliable detection is post-exploitation activity on the box. Super fun vuln to hunt for… not 😅
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
ESET Research @ESETresearch
#ESETresearch analyzed the #Gamaredon VBScript payload recently flagged by @ClearskySec. It wipes registry Run keys, scheduled tasks, and kills processes – however, our assessment is that this is likely to clean researchers’ machines, not a shift to destructive ops. x.com/ClearskySec/st… 1/4
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
ClearSky Cyber Security @ClearskySec
A new wiper attack has been identified by ClearSky Cyber Security affecting Ukraine. We named this wiper "GamaWiper" (VBS-based wiper). The intrusion chain begins with the exploitation of a vulnerable WinRAR version (CVE-2025-80880). We assess with moderate confidence that this activity is linked to the Gamaredon APT group. This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities.
Related IoCs:
95262c4094a9a5e589a218e354ef54b3800aa0abc3b6a343bbcfdcbf021fc04f – initial ZIP with vulnerability CVE-2025-80880
68e21d7599d20444232415a7e74214ce50d7b4643215d83b8320e74c95a9dfd3 – downloaded VBA
aafa4c206495163a5e408aa5c296139fe9f330a9f819a226c6934921493de9c6 – downloaded (padded+base64) wiper
d4ce4776bdad9b741a1e8345b41737245b80f4cf8d361ebb1ae5415c7a4fe1eb – base64 encrypted wiper
9a39423ec90dc06a3058279cd744c08d83252d1c7096633b9853e435cc205755 – deobfuscated wiper
Network: dears[.]serveirc[.]com whitesalad[.]zzrak08526[.]workers[.]dev
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ retweeted
Kostas @Kostastsale
If you’re trying to use Wazuh for threat hunting or incident response, stop wasting your time. Wazuh is fine for compliance and system visibility, but that’s where it ends. If you want to actually see what’s happening on an endpoint and run proper investigations to play around in a lab, use Elastic Stack. Deploy Fleet (which is just one agent install), enable real telemetry, or enable the Elastic Security agent from the integrations console and get actual EDR-level visibility. That’s where you’ll learn something.