Adversaries have long relied on legitimate tools, whether built into the operating system or deployed by administrators, to carry out their attacks. Because these tools are expected on the system and frequently allow-listed by security solutions, their use blends in with normal administrative activity, keeps the attacker's footprint small, and makes detection harder for defenders. With them, adversaries can move laterally across networks, establish C2 channels, or maintain persistence without dropping custom malware that would trigger signature-based alerts.
Category: Incident Response
Ivanti EPMM ‘Sleeper Shells’ not so sleepy?
In late January 2026, an advisory covering two remote code execution vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) was published. Shortly afterwards, reports (for example, by Tenable) noted that proof-of-concept exploits were publicly available. On February 9th 2026, Defused published a blog post describing a specific webshell being deployed on EPMM devices via this …