Hashtag: #threathunting
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them Thanks to a very helpful reply from the author, I have more IoCs and details. The Plugins I was able to find the plugins and related changes to the code on GitHub: Pick any repo and you’ll likely find the same code Austin mentioned in the original blog post. Here’s a random example, with the Git Blame putting the change on 2025-11-12. Not sure why the date discrepancy with Austin’s timeline, but perhaps GitHub changes were mirrored from someplace else. Now, onto the blockchain. ...

Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. We have more IoCs, and evidence of initial access auctions via the blockchain.

discourse.ifin.netwo...

#ThreatIntel #ThreatIntelligence #ThreatHunting #IFIN


APT37 ran a months-long espionage campaign that started with a Facebook friend request, built trust, then delivered malware inside legitimate software. No email to filter, no link to block. Automated defences catch technical indicators, not trust.

Never Hunt Alone

#Cyber #ThreatHunting #APT37


Just 21 IP Addresses Are Now Behind Nearly Half of All RDP Scanning on the Internet GreyNoise uncovers a concentrated RDP scanning campaign, revealing infrastructure patterns, rapid traffic shifts that impact detection, and recommendations for defenders.

21 IPs generated nearly half of all RDP scanning on the internet in 48 hours. Then vanished — for the second time in 30 days.

🔗 www.greynoise.io/blog/ip-addresses-behind...

#ThreatIntel #RDP #CyberSecurity #InfoSec #ThreatHunting
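The measurement behind the post, as an added example that is not GreyNoise's code: bucket inbound RDP (TCP/3389) connection attempts into fixed 48-hour windows, compute what share of each window the top N source addresses produced, and list top sources that send nothing in the following window. The telemetry, the RFC 5737 documentation addresses, the window width and the top-N value are constructed assumptions for the sample.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample telemetry: (utc_timestamp, source_ip, dst_port) per inbound
# connection attempt. Addresses come from the RFC 5737 documentation ranges;
# nothing here is real scanning data.
BASE = datetime(2026, 1, 1, 0, 0, 0)
HEAVY = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]


def build_sample():
    events = []
    # Window 0: three sources each hit 3389 100 times over ~33 hours,
    # plus 200 one-off sources, plus SSH noise that must be filtered out.
    for ip in HEAVY:
        for k in range(100):
            events.append((BASE + timedelta(minutes=20 * k), ip, 3389))
    for i in range(1, 201):
        events.append((BASE + timedelta(minutes=i), f"203.0.113.{i}", 3389))
    for i in range(1, 51):
        events.append((BASE + timedelta(minutes=i), f"192.0.2.{i}", 22))
    # Window 1 (48h later): the heavy hitters are gone, only background remains.
    for i in range(1, 101):
        events.append((BASE + timedelta(hours=48, minutes=i), f"192.0.2.{i}", 3389))
    return events


def rdp_concentration(events, window_hours=48, top_n=21, port=3389):
    """Bucket attempts against `port` into fixed windows starting at the first
    attempt and, per window, measure the share produced by the top_n sources."""
    rdp = sorted((ts, ip) for ts, ip, p in events if p == port)
    if not rdp:
        return []
    origin = rdp[0][0]
    width = timedelta(hours=window_hours)
    per_window = {}
    for ts, ip in rdp:
        idx = int((ts - origin) / width)
        per_window.setdefault(idx, Counter())[ip] += 1
    summary = []
    for idx in sorted(per_window):
        counts = per_window[idx]
        total = sum(counts.values())
        top = counts.most_common(top_n)
        summary.append({
            "window_start": origin + idx * width,
            "total_attempts": total,
            "distinct_sources": len(counts),
            "top_sources": [ip for ip, _ in top],
            "top_share": sum(n for _, n in top) / total,
            "counts": counts,
        })
    return summary


def vanished_top_sources(summary):
    """For each pair of consecutive windows, list top sources of the earlier
    window that sent nothing in the later one. Infrastructure that disappears
    between windows is a pivot point, not a verdict on its own."""
    gone = []
    for earlier, later in zip(summary, summary[1:]):
        missing = [ip for ip in earlier["top_sources"] if ip not in later["counts"]]
        gone.append({"window_start": earlier["window_start"], "vanished": missing})
    return gone


if __name__ == "__main__":
    summary = rdp_concentration(build_sample(), top_n=3)
    for w in summary:
        print(w["window_start"], w["total_attempts"], "attempts from",
              w["distinct_sources"], "sources; top share",
              f"{w['top_share']:.0%}", w["top_sources"])
    print(vanished_top_sources(summary))
```

In the constructed sample the three heavy sources produce 60% of window 0 and are absent from window 1; a real feed needs a much larger N and an allowlist for your own scanners before the "vanished" list means anything.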
What vibe hunting gets right about AI threat hunting, and where it breaks down

📖 Read more: www.helpnetsecurity.com/2026/04/10/a...

#cybersecurity #cybersecuritynews #AI #LLMs #threathunting

The cybersecurity certification landscape - Negative PID Certifications have become the professional currency of cybersecurity. Whether you’re a penetration tester, incident responder, compliance analyst, or

The cybersecurity certification landscape
negativepid.blog/the...

#defensiveSecurity #threatHunting #forensics #offensiveSecurity #ethicalHacking #cybersecurityCareers #cybersecurityCerts #certifications #Cybersecurity #ITcareers #onlineSecurity #negativepid

Cracks in the Bedrock: Agent God Mode Unit 42 reveals "Agent God Mode" in Amazon Bedrock AgentCore. Broad IAM permissions lead to privilege escalation and data exfiltration risks.

Originally from Unit 42: Cracks in the Bedrock: Agent God Mode #unit42 #threathunting #cyberresearch
Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure.

Originally from Unit 42: Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox #unit42 #threathunting #cyberresearch

Nation-state group TA416 changed attack approaches multiple times per campaign and stayed hidden for 600+ days.

Can autonomous SOCs keep up? Analysts can, with the right tools guiding them. That is what Huntbase was built for.

Never Hunt Alone

#Dwell #Cyber #ThreatHunting

Understanding Current Threats to Kubernetes Environments Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.

Originally from Unit 42: Understanding Current Threats to Kubernetes Environments #unit42 #threathunting #cyberresearch

I just published Hunting APT29 Part 3: I Traced the Process Tree Back to the Beginning systemweakness.com/hunting-apt2...

#Cybersecurity #Substack #APT #ThreatHunting #DetectionEngineering #Splunk #Analysis


New article soon 👀🐱🐭 Cat and mouse, but make it cyber. Security chases what it can see. The attacker slips underneath it all with the laptop.

#Cybersecurity #DFIR #BlueTeam #RedTeam #VMware #vSphere #ThreatHunting #DetectionEngineering #InfoSec #IncidentResponse

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro. Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named "msimg32.dll,"

iT4iNT SERVER Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools VDS VPS Cloud #Ransomware #CyberSecurity #EDR #ThreatHunting #Malware
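Two hunts a defender would run after reading the Talos and Trend Micro findings above, added here as an example and not code from either vendor or the poster: an image-load rule for a DLL named msimg32.dll loaded from anywhere other than the Windows system directories (the sideloading pattern the preview describes), and a driver-load rule that matches the driver's SHA-256 against a vulnerable-driver block list or flags drivers loaded from outside the drivers directory (the BYOVD pattern). The Sysmon-style event dicts, the paths and the block-list hash are constructed; in a real hunt the list would come from a vetted catalogue such as the LOLDrivers project.

```python
import ntpath

# Where msimg32.dll legitimately lives (lower-cased for comparison).
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DRIVER_DIR = r"c:\windows\system32\drivers"
# Constructed placeholder entry; populate from a vetted vulnerable-driver list.
VULN_DRIVER_SHA256 = {"d3adb33f" * 8: "constructed placeholder entry"}


def parse_hashes(field):
    """Sysmon writes 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'; key by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _dir_and_name(path):
    p = path.lower()
    return ntpath.dirname(p), ntpath.basename(p)


def hunt(events):
    """Return (rule, subject, detail) findings over Sysmon-style events:
    ID 7 = Image loaded (DLLs), ID 6 = Driver loaded."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7:
            d, name = _dir_and_name(ev["ImageLoaded"])
            # The DLL name alone is not the signal; the load path is.
            if name == "msimg32.dll" and d not in SYSTEM_DLL_DIRS:
                findings.append(("dll_sideload_msimg32", ev["Image"], ev["ImageLoaded"]))
        elif ev["EventID"] == 6:
            d, _ = _dir_and_name(ev["ImageLoaded"])
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            # BYOVD drivers carry a valid vendor signature, so check the hash,
            # not the Signed flag.
            if sha256 in VULN_DRIVER_SHA256:
                findings.append(("known_vulnerable_driver", ev["ImageLoaded"], sha256))
            elif d != DRIVER_DIR:
                findings.append(("driver_outside_drivers_dir", ev["ImageLoaded"],
                                 ev.get("Signature", "")))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\Updater\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\msimg32.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys", "Signed": "true",
     "Signature": "Some Hardware Vendor",
     "Hashes": "SHA1=" + "0" * 40 + ",MD5=" + "0" * 32 + ",SHA256=" + "d3adb33f" * 8
               + ",IMPHASH=" + "0" * 32},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\http.sys", "Signed": "true",
     "Signature": "Microsoft Windows",
     "Hashes": "SHA1=" + "1" * 40 + ",MD5=" + "1" * 32 + ",SHA256=" + "1" * 64
               + ",IMPHASH=" + "1" * 32},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\tool.sys", "Signed": "true",
     "Signature": "Another Vendor", "Hashes": "SHA256=" + "2" * 64},
]

if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {subject}  ({detail})")
```

The path-based driver rule is a triage aid: installers legitimately load drivers from temporary directories, so expect to tune it per environment, while the hash match is the one that stands on its own.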

Double Agents: Exposing Security Blind Spots in GCP Vertex AI Unit 42 uncovers a "double agent" flaw in Google Cloud's Vertex AI, demonstrating how overprivileged AI agents can compromise cloud environments.

Originally from Unit 42: Double Agents: Exposing Security Blind Spots in GCP Vertex AI #unit42 #threathunting #cyberresearch
When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications Unit 42 research on multi-agent AI systems on Amazon Bedrock reveals new attack surfaces and prompt injection risks. Learn how to secure your AI applications.

Originally from Unit 42: When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications #unit42 #threathunting #cyberresearch
The Axios Supply Chain Attack and Sapphire Sleet's Cross-Platform RAT - LobSec Technical analysis of the Axios supply chain attack on npm. Learn about the infection mechanics of the Sapphire Sleet RAT and SOC mitigation strategies.

🔗 blog.lobsec.com/2026...

#Cybersecurity #DevSecOps #MalwareAnalysis #npm #InfoSec #ThreatHunting

Threat Brief: Widespread Impact of the Axios Supply Chain Attack Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup.

Originally from Unit 42: Threat Brief: Widespread Impact of the Axios Supply Chain Attack #unit42 #threathunting #cyberresearch


BSides Luxembourg talk announcement!

🐧🚨 NOT SO HARMLESS: THE HIDDEN WORLD OF LINUX PACKERS AND DETECTION CHALLENGES - MASSIMO BERTOCCHI 🛡️🔍

Linux packers and loaders are a sneaky blind spot in cybersecurity. They hide code with encryption and obfuscation […]

[Original post on infosec.exchange]
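One of the detection challenges the talk title refers to, as an added example that is not the speaker's material: packed or encrypted ELF payloads look like ciphertext, so a sliding-window Shannon entropy measurement over the file, plus a check for a well-known packer marker, separates a mostly-high-entropy packed binary from a normal one made of code and strings. The sample files are constructed stand-ins (an ELF magic number followed by either a pseudo-random payload or readable text), and the 7.0-bit window threshold and 60% ratio are assumptions to tune against your own binaries.

```python
import math
import random

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"   # string the UPX packer leaves in its output


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_elf(data: bytes, window=512, high=7.0, packed_ratio=0.6) -> dict:
    """Slide a fixed window over the file and measure how much of it looks like
    compressed or encrypted data. Packed ELF files are a small stub plus a
    high-entropy blob; ordinary binaries are mostly code, tables and strings."""
    if not data.startswith(ELF_MAGIC):
        return {"elf": False, "verdict": "not-elf"}
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    high_windows = sum(1 for w in windows if shannon_entropy(w) >= high)
    ratio = high_windows / len(windows)
    upx = UPX_MARKER in data
    return {
        "elf": True,
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_ratio": round(ratio, 2),
        "upx_marker": upx,
        "verdict": "likely-packed" if (upx or ratio >= packed_ratio) else "plain",
    }


def build_samples():
    """Constructed stand-ins: an ELF header followed by (a) a UPX marker and a
    pseudo-random payload, (b) readable strings with zero padding."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    header = ELF_MAGIC + bytes(60)
    payload = bytes(rng.getrandbits(8) for _ in range(4028))
    packed = header + UPX_MARKER + payload
    plain = header + (b"usage: tool [-v] <file>\n" + bytes(16)) * 200
    return {"packed": packed, "plain": plain, "text": b"not an elf at all"}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, assess_elf(blob))
```

High entropy alone is not a conviction: legitimately compressed resources, embedded certificates and Go or Rust binaries with large string tables all push the ratio up, which is why the verdict is "likely-packed" and the next step is to look at the ELF section headers and the entry-point stub rather than to alert on the number.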


Happy Easter to those that celebrate!

From all at Huntbase ❤️

Never Hunt Alone

#CyberSecurity #InfoSec #ThreatHunting #HappyEaster

Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure TeamPCP continues its string of supply chain attacks, and announces a partnership with Vect ransomware group.

Originally from Unit 42: Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure #unit42 #threathunting #cyberresearch

Everyone’s bragging about faster MTTR while attackers sit in SaaS via tokens and “trusted” OAuth apps. You don’t fix that with more alerts; you fix it with a small set of hunts you actually run.

#ThreatHunting #AlphaHunt


A new RSAC report maps eight phases of modern intrusions. One thing is consistent: attacks aren't at the perimeter anymore. They exploit the gap between what your tools see and what's actually happening.

That's a threat hunting problem.

#ThreatHunting #InfoSec #CyberSecurity

Hunting APT29 Part 2: I Searched One ProcessID. 1,129 Events Came Back. Inside The Breach #3

PART 2 is LIVE: open.substack.com/pub/manishra...

#Substack #Bluesky #Sysmon #Splunk #Cybersecurity #ThreatHunting #DetectionEngineering #APT29
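An added example of the two Sysmon questions these posts raise (why one ProcessID search returns so many events, and how the tree is traced back to its beginning); it is not the author's Splunk queries. Sysmon Event ID 1 records carry a ProcessGuid and a ParentProcessGuid, and those are the fields that link processes: a PID is reused by Windows, so a PID search mixes unrelated processes into the result. The event records, GUIDs, PIDs and command lines are constructed for the sample.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon Event ID 1 (Process Create) records; GUIDs and PIDs are made up.
EVENTS = [
    {"UtcTime": "2026-03-02 09:00:01.000", "ProcessGuid": "{G-EXPLORER}", "ProcessId": 612,
     "Image": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{G-USERINIT}",
     "ParentProcessId": 588, "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"UtcTime": "2026-03-02 09:14:22.110", "ProcessGuid": "{G-WINWORD}", "ProcessId": 3320,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentProcessGuid": "{G-EXPLORER}", "ParentProcessId": 612,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docm"'},
    {"UtcTime": "2026-03-02 09:14:31.507", "ProcessGuid": "{G-CMD}", "ProcessId": 4412,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessGuid": "{G-WINWORD}",
     "ParentProcessId": 3320, "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"UtcTime": "2026-03-02 09:14:31.900", "ProcessGuid": "{G-PS}", "ProcessId": 4500,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessGuid": "{G-CMD}", "ParentProcessId": 4412,
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"UtcTime": "2026-03-02 09:14:40.002", "ProcessGuid": "{G-RUNDLL}", "ProcessId": 5016,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentProcessGuid": "{G-PS}",
     "ParentProcessId": 4500, "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\x.dll,Start"},
    # PID 4412 is reused two hours later by an unrelated notepad.
    {"UtcTime": "2026-03-02 11:02:00.000", "ProcessGuid": "{G-NOTEPAD}", "ProcessId": 4412,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessGuid": "{G-EXPLORER}",
     "ParentProcessId": 612, "CommandLine": "notepad.exe"},
]


def events_for_pid(events, pid):
    """The naive search: every event where the PID appears as process or parent.
    PID reuse means this pulls in processes that have nothing to do with each other."""
    return [e for e in events if e["ProcessId"] == pid or e["ParentProcessId"] == pid]


def ancestry(events, guid):
    """Walk ParentProcessGuid links from a process back to the earliest process
    we hold an event for. Returns image file names root-first."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain, seen = [], set()
    cur = by_guid.get(guid)
    while cur and cur["ProcessGuid"] not in seen:   # `seen` guards against corrupt loops
        seen.add(cur["ProcessGuid"])
        chain.append(cur)
        cur = by_guid.get(cur["ParentProcessGuid"])
    return [ntpath.basename(e["Image"]) for e in reversed(chain)]


def descendants(events, guid):
    """Every process created, directly or indirectly, by the given process (depth-first)."""
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessGuid"]].append(e)
    out, stack = [], [guid]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child["ProcessGuid"])
            stack.append(child["ProcessGuid"])
    return out


if __name__ == "__main__":
    print("PID 4412 search returns", len(events_for_pid(EVENTS, 4412)), "events")
    print(" -> ".join(ancestry(EVENTS, "{G-RUNDLL}")))
    print("spawned by WINWORD:", descendants(EVENTS, "{G-WINWORD}"))
```

The ancestry walk stops at explorer.exe because the sample holds no event for its parent; on a real host that is where Sysmon started logging or where the boot-time chain begins, so "the beginning" is bounded by your collection window, not by the attacker.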


Just Announced for BSides Luxembourg 2026!

ADVANCED THREAT HUNTING: STAYING ONE STEP AHEAD OF ADVERSARY - Alex Holden

Cyber defenders must go beyond reactive security as attackers constantly evolve their tactics. This session dives into real-world attack […]

[Original post on infosec.exchange]

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government Unit 42 uncovers multiple clusters of cyberespionage targeting a Southeast Asian government organization with USBFect, RATs and loaders.

Originally from Unit 42: Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government #unit42 #threathunting #cyberresearch

GlassWorm hides behind trusted dev accounts, legit services and a fake Google Docs extension. Every stage looks clean on its own. The attack only surfaces when you connect the dots.

That's a threat hunting problem.

#ThreatHunting #GlassWorm #InfoSec


Your SOC isn’t understaffed—it’s just fashionably late. While headlines scream disruption, attackers are still winning with OAuth, tokens, and “normal” exports. Revoking in 22 min beats writing a 22-page postmortem. 🚨😏

#AlphaHunt #CyberSecurity #ThreatHunting #IdentitySecurity

GitHub - TensionFund/splunk-threat-hunt-botsv1

14 days later → Cerber ransomware.

Full hunt + IR report + every SPL query:
github.com/TensionFund/...

#cybersecurity #threathunting #splunk #infosec
