Expel

4.2K posts

@ExpelSecurity

Human-led, AI-accelerated security.

Joined August 2016
281 Following, 12.8K Followers

Expel (@ExpelSecurity):
Need a high-level overview of the latest Mini Shai Hulud? Aaron Walton breaks down how the latest supply chain attack happened, what defenders should do now, and how to prepare for the next one. expel.com/blog/mini-shai…[…]pl/?utm_medium=social&utm_source=twitter&utm_campaign=blog-promo
Expel reposted
Decipher (@DecipherSec):
Come join our own @DennisF and our friends from @ExpelSecurity on June 1 in National Harbor for a candid, off-the-record conversation about the new era of AI-assisted vulnerability research, patching pain, and what's coming next. info.expel.com/event-mythos-u…

Expel (@ExpelSecurity):
If you suspect compromise: containment before rotation. Disable unauthorized services first, then rotate GitHub PATs, npm publish tokens, AWS access keys, and HashiCorp Vault tokens. Pin your dependencies to verified hashes going forward. (6/7)

Expel (@ExpelSecurity):
By now you've probably seen the Mini Shai Hulud supply chain story. TeamPCP compromised 170+ npm and PyPI packages—TanStack, Mistral AI, OpenSearch, and more. Here's what you need to know if you're responding right now. (1/7)

Expel reposted
The DFIR Report (@TheDFIRReport):
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware. The intrusion featured EtherRAT, Ethereum-based EtherHiding C2 configuration, TryCloudflare tunnels, GoTo Resolve, Rclone exfiltration to Wasabi, and a newer malware framework named TukTuk. TukTuk stood out for its resilient C2 design, using SaaS and cloud platforms such as ClickHouse and Supabase, with support for Ably, Dropbox, GitHub Issues, direct HTTP, Slack, and Arweave-based dead-drop configuration retrieval. Detection opportunities included! ➡️ Full report is linked in the replies. #ThreatIntel #ThreatHunting #DigitalForensics

Expel (@ExpelSecurity):
@ug0tpwn3d Marcus figured that since they use BeaverTail malware prominently and beavers are rodents, he could go with "Rodent" to avoid stealing someone else's name. Since there are 6 teams, it ended up as HexagonalRodent. The funny name contributed to it being chosen.

Expel (@ExpelSecurity):
Marcus Hutchins, principal threat researcher at Expel, has been tracking the group we call HexagonalRodent, a subgroup likely affiliated with DPRK's Famous Chollima, since late 2025. 1/6

Expel reposted
WIRED (@WIRED):
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months. wired.com/story/ai-tools…