ExtraHop

@ExtraHop

12.9K posts

Investigate smarter, stop threats faster, and keep operations running.

Seattle, WA · Joined February 2009

1.7K Following · 10.7K Followers
ExtraHop
ExtraHop@ExtraHop·
Meet DINDOOR: The new backdoor bypassing your EDR 👋 In early 2026, Iranian state-sponsored group MuddyWater began moving away from traditional executables and toward specialized runtimes. From U.S. financial institutions to Canadian NGOs and Israeli aerospace software firms, the reach of this campaign is global and its methods are evolving. The ExtraHop research team breaks down the latest threat on the blog: xtra.li/4eKhCx4
ExtraHop
ExtraHop@ExtraHop·
How did the EU Commission get breached? It started with a tool meant to improve security. 1️⃣ Attackers compromised the Trivy vulnerability scanner, turning a trusted security tool into a credential stealer. 2️⃣ Attackers then used stolen AWS API keys to enter the environment, hunt for more secrets and create new keys on existing accounts to stay under the radar. 3️⃣ Because they had valid credentials, their reconnaissance looked like normal admin activity. They spent 5 days inside before being caught by a spike in network traffic. The Result: 350GB exfiltrated. 71 clients affected. Details on the blog: xtra.li/42WHTAN
ExtraHop
ExtraHop@ExtraHop·
Cloud provider logs are built for *their* needs — platform uptime, billing accuracy, service reliability. Not yours. So when attackers move laterally across your environment, when subtle anomalies start stacking up, when regulators demand a precise account of a breach, you're working from a filtered, incomplete record you don't control. And you probably don't know it yet. The organizations that find out the hard way face: ❌ Longer dwell times ❌ Higher remediation costs ❌ Regulatory and legal exposure from evidence gaps The ones that get ahead of it? They stop relying on provider logs as their source of truth, and start owning the evidence layer themselves. Our co-founder Raja Mukerji breaks it down on the blog 👉 xtra.li/4tTl252
ExtraHop
ExtraHop@ExtraHop·
🚨 A new high-severity Linux kernel vulnerability (CVE-2026-31431) has been identified, affecting major distributions since 2017. Dubbed "Copy Fail," it allows an attacker to gain total control of a Linux system by manipulating how the kernel handles data in real time. Because it never modifies files on the disk, it bypasses many of the standard "gatekeeper" security tools that organizations have relied on for decades. What you need to know: → How the exploit works: It utilizes a "double-free" bug in Netfilter to gain arbitrary kernel read/write access. → Why it’s a major risk: It is highly reliable and has public exploit code available, making it a "turn-key" solution for attackers already inside a network. → The Patching Paradox: With public exploit code now widely available and highly reliable, this becomes a race against time for IT teams to move beyond "monthly" patch cycles and prioritize kernel updates for any Internet-facing or multi-user systems. More on the blog: xtra.li/4uq5DJg
ExtraHop
ExtraHop@ExtraHop·
When your channel managers are recognized on CRN's Women of the Channel list, it says something about what your partners are experiencing every day. Congratulations to Michelle Marchand and Virginia Ku on this well-earned recognition! Michelle and Virginia work directly with ExtraHop's partners, helping them build the expertise and confidence to guide their customers toward stronger, more resilient security postures. That kind of hands-on partnership is what turns a reseller relationship into a trusted security advisor. For our partners: this is the caliber of people in your corner. 🔗 xtra.li/48CPwzP
ExtraHop
ExtraHop@ExtraHop·
⚠️ IN THE HEADLINES: A sophisticated new campaign is tricking users into pasting malicious code to deploy MIMICRAT -- a RAT built for long-term espionage. MIMICRAT is built to evade detection by blending its Command and Control (C2) traffic with normal web activity and disabling EDR logging. With endpoint visibility actively compromised by the malware, defenders need network-level telemetry to keep an eye out for: → Disguised HTTP/S traffic → Domain fronting → Anomalous internal-to-external proxy activity More details here: xtra.li/3ORw5wj
ExtraHop
ExtraHop@ExtraHop·
A "by design" flaw in the Anthropic Model Context Protocol (MCP) allows attackers to weaponize normal AI workflows. The core issue? The protocol... ⚠️ Executes commands before validating if they are legitimate. ⚠️ Bypasses EDR and firewalls by hiding in uninspected east-west AI traffic. ⚠️ Weaponizes normal workflows to quietly exfiltrate sensitive data. Stop relying on signature-based rules. Learn how you can better secure your agentic future: xtra.li/3P6j4PG
ExtraHop
ExtraHop@ExtraHop·
🫣 The Claude Mythos breakthrough changed the game for every SOC on the planet and made the reality of your attack surface even scarier. Host-based tools are essential, but they are also the first things a sophisticated AI will try to blind. While your CMDB tells you what you have, and your logs tell you what happened (assuming they weren't tampered with), neither can tell you what an autonomous threat is doing right now, what they're planning to do, or what damage they may have already caused. To defend the Post-Mythos attack surface, you have to look where the AI looks: the network. By shifting focus to real-time network behavior, you create a defensive layer that doesn't rely on agents or logs; it relies on the actual, real-time activity in your environment. Deep dive into the Post-Mythos world: xtra.li/4cAsfj3
ExtraHop
ExtraHop@ExtraHop·
For most CISOs, the challenge is balancing robust risk mitigation with operational costs. The latest Forrester Total Economic Impact™ study on ExtraHop proves you can do both. By accelerating investigations by 63%, the platform doesn't just catch threats... it significantly de-risks the entire enterprise. The financial evidence is compelling: → $2.1M saved in breach costs → $2.9M in cloud & legacy cost savings → 155% ROI Get the details here: xtra.li/4tuDGQE
ExtraHop
ExtraHop@ExtraHop·
#DYK? Your next major breach could happen simply because your AI security agent ran out of memory 🧠 When an AI’s working memory fills up, it drops the oldest context, as our co-founder Raja Mukerji explains. If your triage, investigation, and response agents aren't sharing a continuous source of truth, no single system sees the full attack. Attackers know this, and are actively exploiting the gap: xtra.li/4crnlow
ExtraHop
ExtraHop@ExtraHop·
They have the keys. They have the credentials. They have the tools. The Heist has begun 🎬 We’re taking you inside the mind of the modern adversary. See how threat actors move, hide, and exfiltrate your most valuable data. The Heist only works if they stay invisible. It’s time to shine a light and deliver the ultimate plot twist: xtra.li/4em9fr6
ExtraHop
ExtraHop@ExtraHop·
Happy Identity Management Day! 🎉 While we celebrate, threat actors are working overtime targeting your Identity Providers. IdPs are great at handing out the keys to your network, but they struggle to monitor what users do after logging in. To catch token theft, credential abuse, and compromised AI agents, you need protocol-layer visibility that exposes the threats standard tools miss: xtra.li/4teMnhZ
ExtraHop
ExtraHop@ExtraHop·
⚡ Protecting the power grid just got more complex. Are you ready for FERC Order 887? With state-sponsored groups like Volt Typhoon actively targeting critical infrastructure, the old security playbook no longer works. These adversaries bypass the front door and use native system tools to hide in plain sight. Under the new regulations, utilities are now mandated to monitor their internal networks. But it doesn't stop at detection... You must also securely store network data for anywhere from 30 to 365 days to ensure you have the evidence to investigate hidden threats. Don't let your internal network remain a blind spot. Find out what it takes to meet the new technical requirements: xtra.li/48mHhYs
ExtraHop
ExtraHop@ExtraHop·
If your AI is resolving alerts in seconds, but you’re still falling victim to breaches or paying out ransomware demands, how useful is it? In the rush to automate the SOC, we’ve fallen for the "AI Myth" -- the dangerous assumption that speed equals safety. In reality, fast AI can often mean just making flawed decisions at a scale no human team can catch. By optimizing for the velocity of the decision rather than the integrity of the result, we aren't stopping attackers... we’re just automating our own blind spots. Co-founder and Chief Scientist Raja Mukerji shares his tips for measuring true AI success today: xtra.li/4tCVdph
ExtraHop
ExtraHop@ExtraHop·
🎬 The Heist is coming… The most dangerous cyberattacks don’t set off alarm bells... they blend in. They sit in the booth next to you. They hide in the traffic you've already cleared. We’re taking you inside the heist you never saw coming. Are you ready? 🕵️‍♀️💻 #ComingSoon
ExtraHop
ExtraHop@ExtraHop·
🆕 A major supply chain attack has hijacked Notepad++ updates to target government, aviation, and telecom organizations across the globe. Chinese state-sponsored group Lotus Blossom is using a custom backdoor called "Chrysalis." It hijacks trusted updates and runs only in memory, giving attackers full remote control without leaving a trace. The backdoor is also highly camouflaged: It mimics legitimate AI chat traffic to blend into everyday network activity. Subtle deviations, such as unusual interactive traffic from external endpoints or protocol tunneling used to exfiltrate data, are often the only signal they're in your network. Do you know what to look for? The ExtraHop threat team breaks it down on the blog: xtra.li/4tGqTKN
ExtraHop
ExtraHop@ExtraHop·
Stop looking for "the next big bug." It’s a distraction. 🛑 The exploit hasn't changed. The velocity has. 🔄 The Threat: Exactly what you saw last year. 🤖 The Actor: An autonomous agent moving $100x faster than your best analyst. You aren't losing because attacks got "smarter". You're losing because agentic AI has turned a manual process into a high-speed assembly line. Is your SOC built for speed? xtra.li/4m3Wh3d
ExtraHop
ExtraHop@ExtraHop·
How does a threat actor stay hidden for 5️⃣ years? Since 2020, Chinese-linked group CL-UNK-1068 has been quietly infiltrating the aviation, energy, and telecom sectors across Asia. Their playbook is a masterclass in stealth: 🔹 Initial access: Exploiting web servers and deploying web shells to mask presence in daily traffic. 🔹 Lateral movement: Using legitimate admin tools like Mimikatz to bypass alerts. 🔹 Persistence: Loading malicious code via trusted Python programs. 🔹 Exfiltration: Disguising stolen data as Base64-encoded text. When threat actors start blending in, they don’t trigger "red alerts." They create a series of low-priority "noise" events that look like routine maintenance. To catch an adversary this patient, you have to move beyond looking at the dots and start connecting them: xtra.li/411Nsx8
ExtraHop
ExtraHop@ExtraHop·
As attackers increasingly weaponize AI, defenders need a more intelligent way to see -- and stop -- sophisticated threats. From the #RSAC stage to the expo floor, the ExtraHop team was proud to lead the conversation on building the agentic SOC. Are you ready for what’s next? Stay connected with the ExtraHop crew: 1️⃣ Read EDR Evasion 101: 29 Ways Attackers Are Slipping Past Defenses: xtra.li/4bOkTYK 2️⃣ Register for the SANS Spring Cyber Solutions Fest 2026: xtra.li/3PyZKur 3️⃣ Visit us at the Gartner Security & Risk Management Summit (June 1-3): xtra.li/4c6EHrQ