
Everyone's Talking About Mythos. Here's What's Actually Going On.
Anthropic dropped Claude Mythos and the internet lost its mind. We read the red team report, the community briefing, and the PR machine — here's what actually changes for defenders.

Read industry-leading insights from the Profero team.

The Theater of Cyber War: How Russian "Hacktivists" Are Performing for Iran Without Actually Hacking Anything
Cardinal, Russian Legion, and RuskiNet are flooding Telegram with fabricated breach claims. We analyzed every major claim. All fake.

The Claude Code Leak: What One Missing File Cost Anthropic, and How to Check If You're Exposed
Anthropic shipped Claude Code's full source to npm because of a missing .npmignore file. Here's what was exposed, why it matters, and how to check if your organization's packages are leaking too.

Why We Reforged Rapid-IR From the Ground Up
Rapid-IR: Reforged is the IR platform built by an incident response team. Proprietary AI, continuous readiness, and a 20-minute guaranteed response.

The Key Was on the Floor: How the FBI Director's Personal Accounts Were Already Exposed
A step-by-step walkthrough of how breach databases, stealer logs, and basic OSINT revealed the FBI Director's personal credentials — and what it means for executive security.

Hijacked at the Source: AppsFlyer's Trusted Marketing SDK Distributes a Crypto Stealer
Profero IRT has uncovered a cryptocurrency wallet hijacking supply chain attack in the AppsFlyer Web SDK

P4Tr!0T3CH Channel Doxxing & Disinfo Assessment
OSINT validation of a Hebrew-language Telegram channel claiming to release doxxing data and breach material targeting Iranian judiciary figures, IRGC intelligence operations, and APT35 cyber units.

địt mẹ mày morphisec: When Malware Authors Taunt Security Researchers
The complete analysis of Vietnamese Stealer - a Python-based info stealer using Telegram as a C2.

AtomicStealer Spreading via Fake Apple Support Websites
Recently Profero uncovered an AtomicStealer campaign using a fake Apple Support website designed to trick users into running a malicious bash command, infecting their machine with the stealer payload.

The $5 Million Letter: When Physical Mail Becomes Digital Extortion
# The Letter That Started a Crisis

New Attack Vector - AI-Induced Destruction
# From Friend to Foe: A New Era of Cybersecurity Incidents

From Drone Strike to File Recovery: Outsmarting a Nation State
On January 28, 2023, an ammunition factory belonging to the Iranian Defence Ministry in Isfahan was attacked by three drones. Iran later claimed that the drones had caused only minor damage to a build

The Blurring Lines Between Financially Motivated Attacks and Nation-State Cyber Operations
Since the outset of the Russia-Ukraine war in early 2022, our Incident Response Team at Profero has been engaged in multiple investigations involving Russian threat actors across Europe, ranging from

Live Forensic Collection from Ivanti EPMM Appliances (CVE-2025-4427 & CVE-2025-4428)
In May 2025, Profero responded to multiple security incidents stemming from the active exploitation of two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM):

Unmasking a Sophisticated Phishing Campaign: Profero IRT’s Deep Dive into a Global Microsoft Identity Attack
Over the past month, the Profero Incident Response Team (IRT) conducted an exhaustive forensic investigation into a global phishing campaign targeting Microsoft 365 identities, specifically Azure Acti

Understanding Quantum Cryptography: Separating Fact from Fiction
Hello, tech enthusiasts! Today, we're going to explore the intriguing world of quantum cryptography. With all the buzz about quantum computers potentially jeopardizing current security systems, it’s e

A Breach Is Inevitable: Why Organizations Are Failing in Proactive Threat Detection
In today's cyber security reality, security teams are drowning in acronyms. CTEM, CSPM, IDM and more: all are parts of a common defense lineup aiming to create robust protection around digital infrast

Behind the Scenes: How Pager Apps Power 24/7 Incident Response Operations
**Behind the Scenes: How Pager Apps Power 24/7 Incident Response Operations**

MITRE ATT&CK: A Guidebook for the Cyber Jungle
Some people go out into nature with a plant guide or a bird handbook to better understand what they see in front of them. Such a guide includes a catalogue organized by families (raptors, waterfowl, e

Secrets leakage – A rising threat. Development Practices to Safeguard Your Secrets
During 2024 Profero’s research and incident response teams tracked a trend of cyber-attacks that are based on security misconfigurations and leaking of secrets into the production environment.

Why Cyberattacks Spike During Holidays and How to be IR Ready
Every year, as we deck the halls and prepare to celebrate major holidays like July 4th,

Cloud Security Alliance Conference: Attacker Perspective Panel Overview
At the recent Cloud Security Alliance Conference, a compelling panel on cloud security from an attacker's perspective brought together industry experts to discuss emerging threats and defense strategi

Microsoft Windows Endpoint Forensics Readiness Booster
This short blog post will run through a few ways the IT/Security teams can configure their existing Windows environment in order to improve forensics readiness using existing operating system capabili

Profero is now Certified for SOC 2 (type 2) and ISO 27001
At Profero, trust is the cornerstone of our relationships with clients. As a leading incident response company, we are entrusted with sensitive data and conduct sensitive operations. That's why we hav

The 10.0 Rated CVE in xz-utils Jeopardizing SSH Security
On March 29th, 2024, our security team was alerted to a newly identified CVE, assigned a critical severity rating of 10.0. This vulnerability was found in xz-utils, a crucial component deeply embedded

SysAid On-Prem Vulnerability Disclosure
On Nov 2nd, our security team received reports regarding a potential vulnerability in our on-premise software which was being actively exploited. We immediately initiated our incident response protoco

CyberWeek RedAlert 2023 Focus Shift: Parallels between Europe and Israel's Cyber Incident Response Preparedness
## Focus Shift: Parallels between Europe and Israel's Cyber Incident Response Preparedness

Malicious Extensions - What They Are And How To Fight Them
According to [**DebugBear**](https://www.debugbear.com/blog/counting-chrome-extensions), there were about 1.7 billion users with installed Chrome extensions in 2020, out of more than 2.5 billion users

LastPass Breach - and your SSO
see our previous [**blog post**](https://profero.io/posts/lastpass_breach/)

LastPass Breach - What went wrong?
**Disclaimer: this is based on our experience, expertise, and public sources**

Online Programming Learning Sites Can Be Manipulated By Hackers To Launch Cyberattacks
Hackers commonly launch their attacks using compromised machines rather than directly from owned devices, which allows them to conceal their origin. In recent incident response, Profero’s Incident Res

Multi-factor Authentication In-The-Wild bypass methods
Two-factor authentication (2FA) or multi-factor authentication (MFA) is a method of authenticating to a service that requires at least two independent proofs of identity.

Static unpacker and decoder for Hello Kitty Packer
During a recent incident response engagement, the Profero IR team observed a sample of Hello Kitty ransomware. This version of ransomware is intriguing as this sample is packed with a packer written i

OSS Getting Hammered for BigCorp Failures
# Everyone heard of log4j by now

log4jScanner
Our customers faced a serious issue: they did not know which servers on their internal network were vulnerable to log4j, and were reluctant to send information about vulnerable internal servers to 3rd

Log4Shell & massive Kinsing deployment
On December 9th, 2021, news broke about a newly discovered vulnerability affecting the Java logging library Log4j.

From the Trenches: Common-Sense Measures to Prevent Cloud Incidents
As an incident response team, we see a lot of cloud breaches that could have been prevented. Adequate protection requires in-depth knowledge of the cloud provider and its APIs and ample preparation. I

RansomEXX, Fixing Corrupted Ransom
Since the sudden disappearance of the REvil ransomware operation, there has been a rise in other “ransomware as a service” (RaaS) operators attempting to claim their piece of the RaaS market share lef

Secrets Behind Ever101 Ransomware
A victim called the incident response teams of Global Threat Center, reporting a seemingly new strain of ransomware attack. Upon investigation, we determined the extension of the encrypted files was c

Cuba Ransomware Group on a Roll
At the end of 2020, our team made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim compa

APT27 Turns to Ransomware
At the peak of the COVID-19 pandemic and economic crisis, our Global Incident Response and Cyber Crisis Management teams were engaged on several fronts around the world, fighting cybercrime, and even