Security’s Blind Spot: Physical Keyloggers That Bypass Antivirus Entirely

Keyloggers: A Persistent Threat Nowadays, virtually all digital services rely on logins and authentication, from email inboxes to help desks. These involve login credentials to prove identity, typically at least a username and a password. Initially, this information is confidential from a potential attacker. While a username can be relatively easy to guess in a … Continue reading Security’s Blind Spot: Physical Keyloggers That Bypass Antivirus Entirely →

The Axios npm supply chain incident: fake dependency, real backdoor

On March 31, 2026, two malicious Axios versions (1.14.1 and 0.30.4) were briefly published to npm via a compromised maintainer account. The only change performed was the addition of a trojanized dependency, whose postinstall script deployed a cross‑platform RAT (for macOS, Windows, and Linux). Although the Axios packages were removed within hours, multiple hits were … Continue reading The Axios npm supply chain incident: fake dependency, real backdoor →

Ivanti EPMM ‘Sleeper Shells’ not so sleepy?

In late January 2026 an advisory covering two remote code execution vulnerabilities (CVE-2026-1281 & CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) was published. Shortly after reports (in example by tenable) mentioned publicly available proof-of-concept exploits. On 09th February 2026, Defused published a blog post mentioning a specific webshell being deployed on EPMM devices via this … Continue reading Ivanti EPMM ‘Sleeper Shells’ not so sleepy? →

Capture the Kerberos Flag: Detecting Kerberos Anomalies

Kerberos is one of the most common protocols in organizations that utilize Windows Active Directory, and an essential part of Windows authentication used to verify the identity of a user or a host [1]. As such, Kerberos is often a target for adversaries trying to either steal or forge Kerberos tickets [2]. In this blog … Continue reading Capture the Kerberos Flag: Detecting Kerberos Anomalies →

ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing

ConsentFix (a.k.a.AuthCodeFix) is the latest variant of the fix-type phishing attacks, initially identified by Push Security. In this technique, the adversary tricks the victim into generating an OAuth authorization code that is part of a localhost URL, by signing in to the Azure CLI instance (or other vulnerable applications). Then, the victim is instructed to copy that URL and paste it into a phishing website, essentially handing over the authorization code to the adversary, who is now able to exchange it for an access token. Using the access token, the adversary gets access to the victim's Microsoft account.

The Detection & Response Chronicles: Exploring Telegram Abuse

Adversaries utilizing popular messaging apps throughout different attack phases is nothing new. Telegram, in particular, has constantly been the subject of abuse by multiple threat actors, favoured for its anonymity, accessibility, resilience, and operational advantages. In this blog, we explore popular Telegram Bot APIs, recent campaigns involving Telegram abuse, and provide detection and hunting opportunities.