Category: Threats

3 July 2026
Spotting API access in DDoS-as-a-Service panels

DDoS-as-a-Service platforms rarely hide what they are doing; the panel, the payment flow, and the API tend to sit out in the open. I pay more attention to the selling machinery than the noise, because that is usually where the operator’s real intent shows through.

Read more
2 July 2026
Malware delivery through chatgpt.com/s links

ChatGPT share links can look boringly legitimate, which is exactly the problem. Once a trusted domain starts rendering attacker-controlled HTML, I stop trusting the address bar and start checking where the download button really goes.

Read more
26 June 2026
Web shell persistence in BadIIS loaders

BadIIS is not clever, just persistent, and that is what makes it unpleasant. It survives IIS restarts, rewrites selected traffic, and leaves behind enough build artefacts, like demo.pdb, to give itself away if you know where to look.

Read more
25 June 2026
Operational threat intelligence for IIS hijacking

IIS hijacking is boring until it is not, which is exactly why a threat intelligence programme has to watch for the awkward bits, not the headline alert. When redirects, 503 spikes, and odd proxying line up with strange binary artefacts, I stop guessing and start digging.

Read more
24 June 2026
Data exfiltration signs from signed Setup.exe flows

Signed `Setup.exe` did not fool me for long, because the runtime behaviour was wrong from the start. The interesting bit in cloud environment exfiltration is usually the small `.config` file beside it, the one that quietly changes what trusted code does next.

Read more
10 June 2026
Call-tracking data in tech support fraud

Call-tracking data is useful until it is not, and tech support fraud knows that better than most. Rotate enough numbers, split the complaints, and the abuse starts to look like ordinary churn, which is exactly the sort of mess I have seen providers tolerate far too long.

Read more
2 June 2026
React Server Components DoS patterns and WAF limits

Some Next.js Server Components vulnerabilities are crude enough for a WAF to catch, but the awkward ones sit in routing, cache behaviour, and middleware. I prefer patching first, because a broad block that breaks valid traffic is just another incident with better paperwork.

Read more
19 May 2026
Fraud detection signs in redirector and payment domains

website fraud toolchains are rarely clever at first glance, which is why I trust the ugly details, the redirects, duplicate card prompts, and any thank-you page that appears after a decline. Once you start logging the full path, the whole thing looks less like a shop and more like a trap.

Read more
18 May 2026
Outlook Junk folder link preview bypass

Outlook Junk Folder link preview bypass is a neat reminder that preview text is not validation. I trust the HTML, or I do not trust the mail at all; anything in between is how people get caught out.

Read more
18 May 2026
Reading exploit trends from ISC Stormcast

ISC Stormcast is only useful if you treat it as live signal, not background noise. I watch for repeated behaviour around the same service or exploit family, because that is what changes patch prioritisation and tells me which hosts deserve a closer look in the logs.

Read more
10 May 2026
Operational indicators from ISC Stormcast to check

ISC Stormcast is useful when you strip away the diary clutter and look only at the indicators that survive a second glance. I trust hostnames, paths, dates and hashes far more than the banner around them, because metadata has a habit of looking authoritative while telling you very little.

Read more
7 May 2026
Prioritising patches from Stormcast threat signals

ISC Stormcast is useful when it changes the queue, not when it just adds another tab to the pile. I care less about loud advisories than about whether a service is exposed, reachable, and already showing signs of use; that is where the patching gets real.

Read more
3 April 2026
Using IP Reputation Data from Operation Synergia in Your Botnet Firewall Rules

Operation Synergia III sinkholed 45,000 botnet and malware IPs across 72 countries with law enforcement backing. That chain of custody makes the data worth blocking at your firewall; the catch is that C2 operators rotate fast, so treat it as a high-confidence historical list, not a live feed.

Read more
25 October 2025
Validating threat intelligence in a firewall setup

Getting Started with Third-Party Threat Feeds Understanding the role of threat intelligence Third-party threat feeds add outside data that a firewall can use to spot malicious IPs, domains or other indicators. They do not replace your rules. They sit alongside them. Treat them as another signal for logging, investigation and, where the confidence...

Read more
26 August 2025
ADFS-Based Phishing: What It Looks Like and How to Cut the Risk

Learn the hidden truths of ADFS phishing and key protection strategies. Secure your organization against sophisticated attacks today!

Read more
23 June 2025
China's Cyber Threats to UK Telecoms

With networks becoming ever more interconnected, the repercussions of these cyber threats may extend well beyond simply losing a few gigabytes of data; it could lead to serious implications for public safety and trust in telecoms.

Read more
15 June 2025
Understanding Cyber Espionage Tactics

Explore the dark world of cyber espionage, revealing the tactics of Middle Eastern groups like Stealth Falcon and Horus. Safeguard your data from hidden threats.

Read more
6 June 2025
New Malware Trends in Cybersecurity Threats

As cyber threats multiply, businesses must stay vigilant. Discover the rising tide of sophisticated malware and how to protect your organization in this evolving landscape.

Read more