Published Research
Threat research articles and microstories on emerging campaigns.
Published threat research articles and X/Twitter microstories. Much of my work is internal threat intelligence under TLP:AMBER.
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Deep-dive analysis of Warlock (Water Manaul) ransomware operations revealing new TTPs including persistent BYOVD techniques, TightVNC and Yuze remote access tools, and 15-day dwell time before LockBit-derived ransomware deployment.
Five New Rust-Based Ransomware Families Identified
Thread analyzing five distinct ransomware groups written in Rust identified in early December 2025, signaling an accelerated shift in how threat actors build and scale attacks.
Agenda Ransomware: Continued Linux-on-Windows Campaign
Thread on a new Agenda ransomware campaign continuing the group's use of Linux binaries on Windows systems, with new techniques and tooling building on earlier 2025 attacks.
PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Uncovered PureRAT targeting job seekers using renamed Foxit PDF Reader for DLL side-loading and Python-based shellcode loaders.
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Identified an active campaign spreading self-propagating malware via WhatsApp ZIP attachments, targeting Brazilian users with persistence and account hijacking.
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed
Analysis of a new ransomware group with adaptive defense evasion — custom-patching anti-AV tools mid-attack based on target recon.
New LockBit 5.0 Targets Windows, Linux, ESXi
Technical analysis of LockBit 5.0 — cross-platform ransomware with heavy obfuscation, anti-analysis, and geopolitical safeguards.
New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises
Discovered Charon ransomware using APT-grade techniques — DLL sideloading via Edge.exe, hybrid Curve25519/ChaCha20 encryption.
Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks
Analyzed Crypto24 ransomware group's technique of blending legitimate tools with custom malware to bypass EDR and security technologies.
Chaos Ransomware Leverages Advanced Anti-EDR Techniques
Thread analyzing the Chaos ransomware campaign leveraging malicious DLL sideloading and kernel-level driver deployment for broad defense evasion against EDR solutions.
Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
Traced the Warlock ransomware campaign from initial SharePoint vulnerability exploit through lateral movement to enterprise-wide encryption.
Nitrogen Ransomware: Fake Updates and Malicious Browser Extensions
Thread on the rapidly evolving Nitrogen ransomware group using social engineering via fake updates and malicious browser extensions for initial access.
CVE-2025-53770 & CVE-2025-53771: SharePoint Zero-Days at Pwn2Own
Thread on CVE-2025-53770 and CVE-2025-53771 — vulnerabilities in on-premises Microsoft SharePoint servers discovered at Pwn2Own Berlin, with TippingPoint customers protected since May.
Charon Ransomware: Advanced Breach and Lateral Movement
Thread exposing the newly identified Charon ransomware and its advanced methods for breaching and spreading within organizations.
Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks
Provided proactive security analysis of CVE-2025-53770 and CVE-2025-53771 — SharePoint vulnerabilities enabling unauthenticated remote code execution.
Revisiting UNC3886 Tactics to Defend Against Present Risk
Revisiting the tactics of UNC3886, a China-nexus threat actor targeting network edge devices and virtualization infrastructure.
Agenda Ransomware Exploits MeshAgent and WSL for Cross-Platform Attacks
Thread on Agenda ransomware exploiting MeshAgent and Windows Subsystem for Linux (WSL) to deploy Linux payloads on Windows systems, raising the bar for cross-platform sophistication.
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Uncovered Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.
CrazyHunter Campaign Targets Taiwanese Critical Sectors
Identified CrazyHunter targeting Taiwanese healthcare and education using 80% open-source tooling and BYOVD attacks.
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
Uncovered AI-generated fake GitHub repositories distributing SmartLoader and LummaStealer through convincing but malicious code projects.
Agenda Ransomware Adopts TrueSightKiller for EDR Evasion
Thread detailing how the Agenda ransomware group incorporated the open-source TrueSightKiller tool to disable antivirus and EDR systems via BYOVD techniques.
SmokeLoader Delivers W3CryptoLocker via Steganography
Thread analyzing SmokeLoader's use of steganography techniques to deliver W3CryptoLocker ransomware payloads while evading detection mechanisms.
Morpheus Ransomware Emerges with New Data-Leak Site
Thread on the emergence of the Morpheus ransomware group and its new data-leak site, with early victims including an Australian pharmaceutical firm and a German electronics company.
Agenda Ransomware Variant Uses Obfuscated .NET Loader with Reflective Loading
Thread on an Agenda ransomware variant leveraging a highly obfuscated .NET loader using Reflective Loading and .NET Reactor for defense evasion.
Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
First to document EDRSilencer weaponized in the wild — a red team tool using Windows Filtering Platform to blind EDR solutions.
MedusaLocker's Sophisticated Three-Pronged Attack Strategy
Thread detailing a sophisticated new three-pronged attack strategy employed by MedusaLocker ransomware threat actors identified by the Threat Hunting team.
Play Ransomware's First Linux Variant Targets ESXi
Thread announcing the discovery of a new Linux variant of Play ransomware targeting ESXi environments, marking an expansion in the group's range and impact.
Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma
First discovery of Play ransomware's Linux variant targeting ESXi, with infrastructure ties to the Prolific Puma link-shortening service.
Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
Analyzed RA World using GPO-distributed payloads, Safe Mode abuse for defense evasion, and Babuk-derived encryption.
Werewolves: Investigating a New Ransomware Player
Thread investigating the newly identified Werewolves ransomware group after an external researcher's blog post caught the Threat Hunting team's attention.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.