Kostas

Launching today: Threat Hunting Labs private threat intelligence feed THL enterprise customers now get access to a dedicated intel feed built around high-fidelity IOCs curated by our team, structured in STIX 2.1 and delivered over TAXII 2.1. It integrates directly with your SIEM or security tooling. Signed webhooks if you want push delivery. No noise layers on top. Included free for enterprise customers in year one. If you're already a THL customer, reach out and we'll get you set up. If you're not, this is a good time to ask what that looks like. 👉 intel.threathuntinglabs.com

Anthropic released Mythos on Tuesday. By Sunday, 60+ security leaders had written the briefing the community needed. "The window between discovery and weaponization has collapsed into hours." — @RobTLee, SANS Institute 181 working Firefox exploits. The previous best model managed 2. Read the blog → go.sans.org/Bw3mxJ Read the briefing → labs.cloudsecurityalliance.org/mythos-ciso/ Join us Thu 4/16 at 12PM ET → go.sans.org/DM0LjN #Cybersecurity #AIRisk

We’ve also come across this macOS intrusion shared by @malwrhunterteam & @L0Psec where the attacker came prepared with a purpose-built collector 👀 • Execution: initial bash script • Download: payload from 193.233.128.50 → hidden temp file • Staging: ~/Library/Caches/com.apple.coreservices/com.apple.periodic → quarantine removed • C2: beacon to 95.163.152.79:8133/api/t (unique run ID) Discovery: • Hardware, OS, memory, IP, locale, keyboard • Running processes Collection: • Safari (cookies, autofill, history) • Chrome cookies • Apple Notes • SSH known_hosts • Keychain-related temp files • Env dumps (FileGrabber/EnvFiles) Second stage (~4.5 min): • ~/Library/Caches/com.apple.softwareupdate/SoftwareUpdate • Dropped + quarantine stripped Fake macOS prompt via osascript used for credential harvesting (see SS)👇 We have the complete intuition collected and we'll be sharing it through the @ThruntingLabs sometime soon.

Another interesting one shared by @malwrhunterteam. Initial bash script sets up the comms with C2 (193.233.128\.50 - RU), does other stuff(readable), and grabs the next stage (intel or arm go binary). e9524affd1366c5cd33527d87f7ef273706cfee1269fa43cd88d22e53bdd58e4 1 VT hit 🧵

Your employees are already using AI without your approval. They’re feeding it sensitive data. They don’t understand the risk. They’re doing it because you haven’t given them better tools. @joswr1ght at RSAC: “We have an ongoing issue where workers don’t have the tools they need, and now they’re saying, ‘I can get AI to help me without approval,’ without understanding what kind of data they’re sending into systems or what the risk is.” @edskoudis hinted shadow AI may appear in next year’s Top 5 Most Dangerous. 📣 You heard it here first. go.sans.org/nTAdXo @OneRSAC | #RSAC #Cybersecurity

The Threat Hunting Labs leaderboard is heating up. Shoutout to the top performers putting in serious work across the tracks: 1. DCAMINADA — 400 pts 2. MARIS_KLH — 356 pts 3. KOIFSEC — 315 pts 4. CHICKEN0248 — 279 pts 5. HUSS3_WL — 224 pts 6. NIK___ — 214 pts 7. SEAN_4 — 207 pts 8. SANCLOGIC — 184 pts 9. CAMOXD — 74 pts 10. LETITGO_900 — 50 pts These are practitioners working through real intrusion data, not CTF puzzles. The gap between first and fifth is tighter than it looks. Still plenty of labs to go. If you want to compete or just learn based on real intrusions and real logs, head on to threathuntinglabs.com