
r/blueteamsec

Dropping Malware through Dependencies in VS Code: Inside the jsononifier npm Dropper
yeethsecurity.comCitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451) - watchTowr Labs
labs.watchtowr.comDetecting Agentic Threats in Claude: Writing Rules on the Execution Layer
papermtn.co.ukReducing manual CISA KEV analysis with automation
I built an automation pipeline to turn added CISA Known Exploited Vulnerabilities into actionable detections with little manual work.
The workflow does the following:
- Checks the CISA KEV catalog for vulnerabilities
- Gets the CVEs
- Uses Google Gemini to create Sigma detection rules
- Maps detections to the MITRE ATT&CK framework
- Sends results to Google Sheets, Slack, email and a SIEM for analysts to review
My goal was to save time on tracking KEV updates and writing detections while still having an analyst validate the results.
I documented the process, including the workflow, prompts, integrations and implementation details. If you work in detection engineering, threat hunting or threat intelligence I'd love to hear how you use CISA KEV in your environment. If you've automated any part of it.
Blog link in the comments.
The Biometric AuthToken Heist: Cracking PINs and Bypassing CE via a Long-Ignored Attack (Android)
reddit.comDumping LSASS Without Touching Disk: Improvements to ShadowDumper
practicalsecurityanalytics.comAnonymous researcher drops “Exploitarium” : 109 files, 15 targets, zero vendor notice. I built 44 KQL detections to cover it.
A researcher going by ‘bikini’ has published a personal archive called Exploitarium - 15 vulnerability targets across 109 tracked files, dropped with no coordinated disclosure and no vendor notification.
This isn’t a polished toolkit. It reads like a personal research dump. Some of it is noise that the community has already dismissed. But not all of it.
Two findings stand out and have been independently verified:
libssh2 pre-auth heap write - CVSS 9.2. Pre-authentication. Actively exploited.
Gitea default Docker auth bypass - Also independently confirmed, also being exploited in the wild.
If you’re running either of these in your environment, treat this as live.
What I built in response:
44 KQL detection rules covering the full Exploitarium scope: 18 product folders, 6 CVEs, cross-platform (Windows, Linux, macOS, Container, Network, SaaS).
Rules for:
libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares and more.
All rules are live on detections.ai with language translation available for non-KQL stacks. The full repo is structured by product on GitHub.
Full intel report + IOCs in the links below.
GitHub repo: https://github.com/Ethan-Andrews/Exploitarium-Detections
Exploitarium breakdown: Threat Intel
Drop questions below, happy to walk through anything.
Introducing FortiBleed!
The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.
Here is the damage report:
🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.
🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.
🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.
⚠️ Status: STILL active as of this publication.
Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.
Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/
#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar
Black Hat Europe 2025 | The Forensic Trail On GitHub: Hunting For Supply Chain Activity
Great highly informative talk everyone with any presence on GitHub should watch.
https://www.youtube.com/watch?v=JZUV8dY7NG4
Some mentioned resources
heavener: This is what happens when you can't afford EDR licenses
blog.otterpwn.comTwo Months In: Assessing the Impact of NIST's Enrichment Cutbacks
blog.volerion.comTracking 3,900+ C2 servers, across 302 Eastern Europe providers
Over a three-month window Hunt.io mapped malicious infrastructure across 10 Eastern European countries and tracked more than 3,900 active C2 servers across 302 hosting providers.
A single Bulgarian host, Friendhosting, was running 2,100 of them, roughly 53.5% of the regional total. We also linked specific infrastructure to Cloud Atlas, ShinyHunters' PeopleSoft exploitation, and Nemesys ransomware sharing the same provider networks.
Read the full story: https://hunt.io/blog/eastern-europe-malicious-infrastructure-report
Testing AI Threat Hunting against Real-World KQL: A Side-by-Side Test
detect.fyiBitwarden C2
Using Bitwarden Infrastructure to get stuff in and get stuff out (fixed)
I made a blog that ranks log sources
I wrote down how I think about onboarding order. Basically I ranked sources by how much they actually help an investigation, not by what's easiest to ingest. For each one I went through what you need to collect, how painful the parsing is, what retention makes sense, and what you can realistically detect once it's in.