Expel (@ExpelSecurity)
4.1K posts

Glass-box MDR that shows you exactly what we see: 24x7 SOC monitoring, comprehensive coverage across your threat landscape, sub-20min MTTR on critical incidents.

Joined August 2016
281 Following · 12.8K Followers
Expel @ExpelSecurity
Iran's cyber capabilities — ransomware, data wipers, infrastructure targeting — aren’t theoretical. James Shank of Expel Intel and Iran intel expert Steph Shample break down what security teams actually need to know right now. okt.to/c5VYgH
Expel @ExpelSecurity
The following is guidance from Microsoft to disable external senders: learn.microsoft.com/en-us/microsof… When disabled, your organization will need to whitelist which external organizations can send unsolicited messages. This is a much safer configuration. 5/5
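What the allowlist configuration referred to above looks like in practice, as an added example written for this page (it is not Expel's code and not the content of the linked Microsoft article). It uses the MicrosoftTeams PowerShell module; the partner domains are placeholders, and it assumes you run it as a Teams administrator:

```powershell
# Added example: restricting Teams external access (federation) to an allowlist.
# Assumes the MicrosoftTeams module is installed and the caller is a Teams admin.
# The domains in $TrustedPartnerDomains are placeholders, not real partners.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # interactive sign-in as a Teams administrator

# Weak (default-style) posture for comparison: federate with every known
# Microsoft 365 tenant, so any attacker-controlled tenant, including a freshly
# created *.onmicrosoft.com one, can open a chat with your users.
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#       -AllowedDomains (New-CsEdgeAllowAllKnownDomains)

# Option A: disable external senders entirely.
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B (what the thread recommends): keep federation on, but only for an
# explicit allowlist of partner organizations.
$TrustedPartnerDomains = @('partner-one.example', 'partner-two.example')  # placeholders

$domainPatterns = $TrustedPartnerDomains | ForEach-Object {
    New-CsEdgeDomainPattern -Domain $_
}
$allowList = New-CsEdgeAllowList -AllowedDomain $domainPatterns

# Also shut the consumer-account doors: personal Teams accounts and Skype users
# are a separate path into the same chat surface.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# Verify: AllowedDomains must list only your partners, never "AllowAllKnownDomains".
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers
```

This governs federated chat from other tenants, which is the channel the senders in this thread used. Guest access (users invited into your tenant) is a separate setting and is not changed by the commands above.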
Expel @ExpelSecurity
We’ve built out our detections around this activity, but orgs still need to tighten their own controls. The attack tactic has been around for years now: actors send a Teams message, request access via QuickAssist, and then create additional backdoors to the network. 4/5
Expel @ExpelSecurity
We continue to see high volumes of targeted phishing via Microsoft Teams. The following are malicious senders just from this past week:
Corporat[@]HelpDeskFoundation[.]onmicrosoft[.]com
service[@]helpdeskfoundation[.]onmicrosoft[.]com
helpdesk[@]omkarcis[.]online
1/5
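A hunting query for the tactic described in this thread (external Teams message, then a Quick Assist session), as an added example written for this page rather than one of Expel's detections. The sender addresses are the three from the post above, refanged; every log record below is constructed sample data with assumed column names, and the partner allowlist and the 30-minute window are assumptions:

```powershell
# Added example: correlate risky external Teams senders with a QuickAssist launch
# by the recipient. All events below are constructed; field names are assumed.

# Constructed Teams chat events (assumed columns: Time, Sender, Recipient, External).
$teamsMessages = @(
    [pscustomobject]@{ Time='2025-06-10T09:02:00Z'; Sender='helpdesk@omkarcis.online';                   Recipient='alice@corp.example'; External=$true  }
    [pscustomobject]@{ Time='2025-06-10T09:15:00Z'; Sender='bob@corp.example';                           Recipient='alice@corp.example'; External=$false }
    [pscustomobject]@{ Time='2025-06-10T13:40:00Z'; Sender='service@helpdeskfoundation.onmicrosoft.com'; Recipient='carol@corp.example'; External=$true  }
    [pscustomobject]@{ Time='2025-06-10T14:00:00Z'; Sender='vendor@partner-one.example';                 Recipient='dave@corp.example';  External=$true  }
)

# Constructed endpoint process-start events (assumed columns: Time, User, Image, Parent).
$processEvents = @(
    [pscustomobject]@{ Time='2025-06-10T09:09:00Z'; User='alice'; Image='C:\Windows\System32\quickassist.exe'; Parent='explorer.exe' }
    [pscustomobject]@{ Time='2025-06-10T13:00:00Z'; User='carol'; Image='C:\Windows\System32\notepad.exe';     Parent='explorer.exe' }
    [pscustomobject]@{ Time='2025-06-10T13:52:00Z'; User='carol'; Image='C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe\QuickAssist.exe'; Parent='explorer.exe' }
)

# Stage 1: score an external sender. Exact IOCs from the thread, a default
# *.onmicrosoft.com tenant domain (anyone can create one), and support-themed
# names each add to the score. $allowedPartnerDomains is an assumption.
$knownBadSenders = @(
    'corporat@helpdeskfoundation.onmicrosoft.com',
    'service@helpdeskfoundation.onmicrosoft.com',
    'helpdesk@omkarcis.online'
)
$allowedPartnerDomains = @('partner-one.example')

function Get-SenderRisk {
    param([string]$Sender)
    $s = $Sender.ToLowerInvariant()
    $domain = $s.Split('@')[-1]
    if ($allowedPartnerDomains -contains $domain) { return 0 }
    $score = 0
    if ($knownBadSenders -contains $s)                        { $score += 100 }
    if ($domain -like '*.onmicrosoft.com')                    { $score += 40 }
    if ($s -match 'help ?desk|support|it-?service|admin')     { $score += 30 }
    return $score
}

# Stage 2: for each risky external message, look for a QuickAssist launch by the
# same recipient within $WindowMinutes after the message.
function Find-TeamsQuickAssistChain {
    param($Messages, $Processes, [int]$WindowMinutes = 30)
    foreach ($m in $Messages | Where-Object { $_.External }) {
        $risk = Get-SenderRisk -Sender $m.Sender
        if ($risk -lt 30) { continue }
        $user = $m.Recipient.Split('@')[0]
        $t0   = [datetimeoffset]::Parse($m.Time)
        foreach ($p in $Processes) {
            if ($p.User -ne $user)                       { continue }
            if ($p.Image -notmatch 'quickassist\.exe$')  { continue }
            $delta = ([datetimeoffset]::Parse($p.Time) - $t0).TotalMinutes
            if ($delta -ge 0 -and $delta -le $WindowMinutes) {
                [pscustomobject]@{
                    Recipient       = $m.Recipient
                    Sender          = $m.Sender
                    SenderRisk      = $risk
                    MessageTime     = $m.Time
                    QuickAssistTime = $p.Time
                    MinutesLater    = [math]::Round($delta, 1)
                }
            }
        }
    }
}

Find-TeamsQuickAssistChain -Messages $teamsMessages -Processes $processEvents |
    Format-Table -AutoSize
```

Against the constructed data this returns the alice and carol chains (7 and 12 minutes from message to Quick Assist) and ignores the internal message and the allowlisted partner. In a real deployment the message events would come from the Teams audit log and the process events from your EDR, and the scoring thresholds are yours to tune; the point is the join on recipient and time, since either signal alone is noisy.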
Expel @ExpelSecurity
The takeaway for 2026: speed wins. Most detections hit during initial access and execution—before exfiltration, before ransomware. Early detection isn't a metric. It's the difference between a contained incident and a breach. Full report: expel.com/annual-threat-… 🧵 6/6
Expel @ExpelSecurity
Attackers aren't breaking in. They're logging in. Our SOC triaged nearly a million alerts in 2025. Here's what we learned. 🧵 1/6
Expel @ExpelSecurity
Attacks against cloud infrastructure remain a low-volume (2.5%) but high-impact threat. This is where your data lives and your applications run. Exposed secrets, misconfigurations, and supply chain compromises dominated. 🧵 5/6
Expel @ExpelSecurity
Speaking of malware, ClickFix tactics accounted for 35.4% of all malware-driven incidents. By tricking users into executing a script on their own system, attackers bypass the browser sandbox entirely. They’ve turned your employees into their malware installers. 🧵 4/6
Expel @ExpelSecurity
When it comes to endpoints, 63.9% of incidents involved malware that had evaded our customers’ first lines of defense. More on this in a sec. The second most common (21.4%) were opportunistic attacks, attackers entering through a wide array of security gaps. 🧵 3/6
Expel @ExpelSecurity
47.7% of identity incidents ended with attackers successfully accessing accounts. Most of the time, no further malicious activity was observed. But in 6% of incidents, they went further, often using BEC to target users and steal sensitive information. 🧵 2/6
Expel @ExpelSecurity
These vulnerabilities are now on the CISA KEV catalog. Exploitation is trivial and requires no credentials. Any internet-facing EPMM instance is a high-priority target. Full technical details and remediation guidance: expel.com/blog/security-… 3/3
Expel @ExpelSecurity
Immediate actions required:
1. Emergency patch: apply version-specific RPMs immediately.
2. If compromise confirmed: hard reset—rebuild the instance/restore from a pre-compromise backup. DON’T attempt manual OS cleanup.
3. Rotate all service accounts, local admin passwords, and certs.
2/3
Expel @ExpelSecurity
Critical zero-day alert for Ivanti EPMM users: two command injection vulnerabilities (CVE-2026-1281 & CVE-2026-1340) are under active exploitation. CVSS 9.8. No authentication required. Here’s what security teams need to know right now. 🧵 1/3
Expel @ExpelSecurity
Marcus Hutchins analyzed the whole attack chain to explain how the actors leverage legitimate infrastructure to evade detection and highlight their new living-off-the-land technique: okt.to/gY610i 2/2
Expel @ExpelSecurity
ClearFake is a malware campaign that displays fake CAPTCHA challenges on compromised websites. Their use of legitimate infrastructure has its consequences. 1/2
Expel retweeted
Virus Bulletin @virusbtn
Expel's Marcus Hutchins details recently updated techniques used in the ClearFake malware campaign: the campaign has adopted much more evasive tactics such as leveraging Proxy Execution to run PowerShell commands via a trusted Windows feature. expel.com/blog/clearfake…
Expel retweeted
Virus Bulletin @virusbtn
Expel's Aaron Walto shows how Gootloader uses a deliberately malformed ZIP archive to bypass detection. The ZIP is correctly extracted by the default tool built into Windows systems but not by specialized tools like 7zip and WinRAR. expel.com/blog/gootloade…