<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Profero - The CISO Breach Platform on Profero | Rapid-IR</title><link>https://profero.io/</link><description>Recent content in Profero - The CISO Breach Platform on Profero | Rapid-IR</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 17 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://profero.io/index.xml" rel="self" type="application/rss+xml"/><item><title>Senior Incident Responder</title><link>https://profero.io/careers/senior-incident-responder/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/careers/senior-incident-responder/</guid><description>&lt;p&gt;Profero seeks a Senior Incident Responder for our global IR team. This individual will lead sophisticated cyber investigations and provide technical direction during active security incidents while managing customer relationships.&lt;/p&gt;
&lt;h2 id="core-responsibilities"&gt;Core Responsibilities&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Direct complex incident response investigations from start to finish&lt;/li&gt;
&lt;li&gt;Offer technical guidance to IR analysts during active breaches&lt;/li&gt;
&lt;li&gt;Execute advanced forensic analysis across endpoints, networks, and cloud systems&lt;/li&gt;
&lt;li&gt;Determine root causes and establish remediation strategies&lt;/li&gt;
&lt;li&gt;Communicate directly with clients through updates and findings presentations&lt;/li&gt;
&lt;li&gt;Draft and review incident response reports for technical and executive audiences&lt;/li&gt;
&lt;li&gt;Refine IR methodologies and processes&lt;/li&gt;
&lt;li&gt;Coach junior and mid-level team members&lt;/li&gt;
&lt;li&gt;Maintain on-call availability including non-standard hours&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="required-qualifications"&gt;Required Qualifications&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;5+ years in Incident Response or Digital Forensics/Incident Response (DFIR)&lt;/li&gt;
&lt;li&gt;Demonstrated success managing high-pressure cyber investigations&lt;/li&gt;
&lt;li&gt;Proficiency with Windows, Linux/Unix, and macOS systems&lt;/li&gt;
&lt;li&gt;Expert-level endpoint forensics knowledge&lt;/li&gt;
&lt;li&gt;Network architecture understanding&lt;/li&gt;
&lt;li&gt;Cloud environment and web application experience&lt;/li&gt;
&lt;li&gt;Malware analysis capabilities&lt;/li&gt;
&lt;li&gt;Large-scale data analysis skills&lt;/li&gt;
&lt;li&gt;Strong technical writing and customer presentation abilities&lt;/li&gt;
&lt;li&gt;English fluency (written and verbal)&lt;/li&gt;
&lt;li&gt;Remote collaboration competence&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="preferred-qualifications"&gt;Preferred Qualifications&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Prior team leadership or mentoring experience&lt;/li&gt;
&lt;li&gt;Application/web security background&lt;/li&gt;
&lt;li&gt;IR simulation facilitation experience&lt;/li&gt;
&lt;li&gt;Contributions to tool development or automation&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="benefits"&gt;Benefits&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Fully remote employment&lt;/li&gt;
&lt;li&gt;Exposure to significant real-world incidents&lt;/li&gt;
&lt;li&gt;Professional development opportunities&lt;/li&gt;
&lt;li&gt;Technical leadership pathways&lt;/li&gt;
&lt;li&gt;Flexible time off and schedule accommodation&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="contact"&gt;Contact&lt;/h2&gt;
&lt;p&gt;To apply, please send your resume to &lt;a href="mailto:careers@profero.io"&gt;careers@profero.io&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Incident Responder</title><link>https://profero.io/careers/incident-responder/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/careers/incident-responder/</guid><description>&lt;p&gt;Profero seeks an IR professional for our 24/7 operations team. The role involves managing a diverse range of environments and tools while supporting customers during emergencies and conducting security assessments.&lt;/p&gt;
&lt;h2 id="key-responsibilities"&gt;Key Responsibilities&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Conduct incident response investigations and security breach resolutions&lt;/li&gt;
&lt;li&gt;Perform forensic inspections to identify root causes&lt;/li&gt;
&lt;li&gt;Develop and implement incident response procedures&lt;/li&gt;
&lt;li&gt;Analyze security vulnerabilities with customers&lt;/li&gt;
&lt;li&gt;Monitor emerging cyber threats and technologies&lt;/li&gt;
&lt;li&gt;Collaborate with global research and IR professionals&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="requirements"&gt;Requirements&lt;/h2&gt;
&lt;h3 id="experience--technical-skills"&gt;Experience &amp;amp; Technical Skills&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Minimum 3 years IR experience (military and/or industry)&lt;/li&gt;
&lt;li&gt;Network fundamentals and Internet protocol knowledge&lt;/li&gt;
&lt;li&gt;System security controls across Windows, Linux/Unix, and macOS&lt;/li&gt;
&lt;li&gt;Host-based forensics and OS artifact analysis expertise&lt;/li&gt;
&lt;li&gt;Data analysis and malware analysis capabilities&lt;/li&gt;
&lt;li&gt;Digital forensics knowledge&lt;/li&gt;
&lt;li&gt;Technical report writing proficiency&lt;/li&gt;
&lt;li&gt;Application security (AppSec) and web security (WebSec) understanding&lt;/li&gt;
&lt;li&gt;Fluent English (written/spoken); additional languages preferred&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="personal-attributes"&gt;Personal Attributes&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Quick-thinking versatility with task transitions&lt;/li&gt;
&lt;li&gt;Self-starter mentality with cybersecurity drive&lt;/li&gt;
&lt;li&gt;Team-oriented with independent work capability&lt;/li&gt;
&lt;li&gt;Comfort with remote work arrangements&lt;/li&gt;
&lt;li&gt;Availability for late-night and weekend incidents&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="benefits"&gt;Benefits&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Fully remote, permanent arrangement&lt;/li&gt;
&lt;li&gt;Home office allowance&lt;/li&gt;
&lt;li&gt;Flexible vacation policy&lt;/li&gt;
&lt;li&gt;Knowledge-sharing culture&lt;/li&gt;
&lt;li&gt;Collaborative global team environment&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="contact"&gt;Contact&lt;/h2&gt;
&lt;p&gt;To apply, please send your resume to &lt;a href="mailto:careers@profero.io"&gt;careers@profero.io&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Senior Frontend Engineer</title><link>https://profero.io/careers/senior-frontend-engineer/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/careers/senior-frontend-engineer/</guid><description>&lt;p&gt;Profero seeks an experienced frontend engineer to join our incident response platform team. The company specializes in Rapid-IR and proactive breach response services.&lt;/p&gt;
&lt;h2 id="key-responsibilities"&gt;Key Responsibilities&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Architect and implement efficient, secure frontend code&lt;/li&gt;
&lt;li&gt;Lead complete feature development and UI component creation&lt;/li&gt;
&lt;li&gt;Build contemporary, adaptable user interfaces&lt;/li&gt;
&lt;li&gt;Partner with Product, Design, and Backend teams for superior user experiences&lt;/li&gt;
&lt;li&gt;Perform code reviews, mentor engineers, and establish quality standards&lt;/li&gt;
&lt;li&gt;Produce maintainable, documented code following industry best practices&lt;/li&gt;
&lt;li&gt;Foster continuous learning and knowledge exchange&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="required-qualifications"&gt;Required Qualifications&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;5+ years of professional experience in frontend development&lt;/li&gt;
&lt;li&gt;Strong TypeScript and React capabilities&lt;/li&gt;
&lt;li&gt;Solid skills in HTML and CSS&lt;/li&gt;
&lt;li&gt;Modern tooling expertise (Webpack/Vite, Babel, ESLint)&lt;/li&gt;
&lt;li&gt;Frontend architecture and state management proficiency&lt;/li&gt;
&lt;li&gt;Component libraries/design systems experience (Material UI preferred)&lt;/li&gt;
&lt;li&gt;Figma collaboration skills&lt;/li&gt;
&lt;li&gt;Strong interpersonal and teamwork abilities&lt;/li&gt;
&lt;li&gt;Self-directed and detail-oriented approach&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="preferred-qualifications"&gt;Preferred Qualifications&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Legacy codebase modernization experience&lt;/li&gt;
&lt;li&gt;Code quality and testing standards expertise&lt;/li&gt;
&lt;li&gt;Frontend testing implementation (unit, integration)&lt;/li&gt;
&lt;li&gt;Process improvement track record&lt;/li&gt;
&lt;li&gt;Analytics integration experience&lt;/li&gt;
&lt;li&gt;Design systems and composable component expertise&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="benefits"&gt;Benefits&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Fully remote work arrangement&lt;/li&gt;
&lt;li&gt;Flexible time-off policy&lt;/li&gt;
&lt;li&gt;Home office stipend&lt;/li&gt;
&lt;li&gt;Knowledge sharing and community involvement support&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="contact"&gt;Contact&lt;/h2&gt;
&lt;p&gt;To apply, please send your resume to &lt;a href="mailto:careers@profero.io"&gt;careers@profero.io&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Profero Congratulates Jet Bank on the Launch of Albania's First 100% Digital Bank</title><link>https://profero.io/blog/jet-bank-launch/</link><pubDate>Wed, 17 Jun 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/jet-bank-launch/</guid><description>&lt;p&gt;This Thursday, 18 June 2026, marks a defining moment for Albanian finance: the official launch of Jet Bank, the country&amp;rsquo;s first fully digital bank. Profero is proud to have served as Jet Bank&amp;rsquo;s preemptive incident response partner throughout this journey, deploying our Rapid-IR platform to help secure the bank and protect its customers from the very first day of operations.&lt;/p&gt;
&lt;p&gt;For a digital-first bank, customer trust is built on the security and resilience working behind the scenes. Working closely with the Jet Bank team, we helped embed proactive threat detection and rapid response capabilities into the bank&amp;rsquo;s operations so that innovation and protection move forward together.&lt;/p&gt;</description></item><item><title>We Said Wait. The Wait Is Over.</title><link>https://profero.io/blog/quantum-cryptography-harvest-now-decrypt-later/</link><pubDate>Sat, 06 Jun 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/quantum-cryptography-harvest-now-decrypt-later/</guid><description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; The math changed. Two papers published in March 2026 showed that breaking elliptic curve encryption now requires far fewer qubits than previously thought, close enough to be a near-term engineering problem, not a distant physics one. Post-quantum standards are finalized and ready to deploy. If you store or transmit sensitive data protected by asymmetric cryptography, your migration plan should already exist. If you had a breach and encrypted data was taken, that data may be on a future decryption queue. Move off AES-128. Check your HSMs. Start now.&lt;/p&gt;</description></item><item><title>We Added a Detection Rule. We Were Not Expecting This.</title><link>https://profero.io/blog/hiddenperms/</link><pubDate>Mon, 01 Jun 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/hiddenperms/</guid><description>&lt;p&gt;Most users never see the command line Claude Desktop runs under the hood. It&amp;rsquo;s not hidden; it&amp;rsquo;s just buried in a process list. But if you look, you&amp;rsquo;ll find something alarming:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;/path/to/claude --output-format stream-json --verbose --input-format stream-json --max-thinking-tokens 31999 --effort high --model claude-opus-4-7[1m] --debug-file /path/to/debug.log --permission-prompt-tool stdio --resume &amp;lt;session-id&amp;gt; --allowedTools Task,TaskCreate,TaskUpdate,TaskGet,TaskList,TaskStop,WebSearch,Skill,ToolSearch,Read,Edit,Write,Glob,Grep,AskUserQuestion --disallowedTools Bash,NotebookEdit,REPL,JavaScript,WebFetch --tools Task,Glob,Grep,Read,Edit,Write,TaskCreate,TaskUpdate,TaskGet,TaskList,TaskStop,WebSearch,Skill,AskUserQuestion,ToolSearch --permission-mode default --allow-dangerously-skip-permissions
&lt;/code&gt;&lt;/pre&gt;&lt;blockquote&gt;
&lt;p&gt;&lt;code&gt;--allow-dangerously-skip-permissions&lt;/code&gt;: the flag that triggered our rule&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That last flag is what triggered our EDR rule. We&amp;rsquo;ve written about what happens when this trust model breaks in practice (real incidents, real damage) in &lt;a href="../new-attack-vector--ai-induced-destruction/"&gt;From Friend to Foe: AI-Induced Destruction&lt;/a&gt;. This post is about what it actually means, what the process it lives in can and can&amp;rsquo;t do, and one attack chain that doesn&amp;rsquo;t need shell access at all.&lt;/p&gt;</description></item><item><title>The AI Incident Response Framework: When Your Agent Is the Threat</title><link>https://profero.io/blog/ai-incident-response-framework/</link><pubDate>Mon, 25 May 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/ai-incident-response-framework/</guid><description>&lt;p&gt;On April 25, 2026, a developer at PocketOS gave a Cursor agent a routine task: fix a credential mismatch in a staging environment. Nine seconds later, the production database was gone. All volume-level backups were gone with it. Railway stores them in the same volume they protect. The most recent recoverable backup was three months old. Rental businesses couldn&amp;rsquo;t process Saturday morning reservations.&lt;/p&gt;
&lt;p&gt;The agent had found a Railway CLI token in an unrelated file. It used the token to call Railway&amp;rsquo;s GraphQL API: &lt;code&gt;volumeDelete&lt;/code&gt;. It didn&amp;rsquo;t ask. It didn&amp;rsquo;t confirm. It optimized toward its goal and resolved the obstacle in front of it.&lt;/p&gt;</description></item><item><title>The War Between Wars: How an IRGC Cyber Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire</title><link>https://profero.io/blog/war-between-wars/</link><pubDate>Sun, 24 May 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/war-between-wars/</guid><description>&lt;p&gt;&lt;em&gt;A ceasefire on the front line is not a ceasefire on the network. Through 2025 and 2026, an Iranian state-directed persona has spent the quiet stretches breaking machines, spoiling food, and wiping disks across Israeli industry. This is how one of those operations unfolded, and how to find the actor before it reaches your plant floor.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Profero Threat Intelligence | May 2026&lt;/strong&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;The first sign was not a security alert. It was a temperature reading.&lt;/p&gt;</description></item><item><title>The AI produced malware kill switch</title><link>https://profero.io/blog/windowsaudit-c2-takeover/</link><pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/windowsaudit-c2-takeover/</guid><description>&lt;p&gt;In &lt;a href="https://profero.io/blog/windowsaudit-backdoor/"&gt;part one&lt;/a&gt; we walked through &lt;code&gt;WindowsAudit.exe&lt;/code&gt;, the .NET apphost backdoor we found running as &lt;code&gt;LocalSystem&lt;/code&gt; on our client&amp;rsquo;s network. We covered how it got onto the host, how it persisted, and the surface area of what it could do once it was there.&lt;/p&gt;
&lt;p&gt;This is part two. Part one was the malware. Part two is everything that came after: what we did with the binary in front of us, the other organizations we ended up identifying as victims of the same attacker, and the architectural decision in the C2 protocol that we only noticed once the rest of the work was already done.&lt;/p&gt;</description></item><item><title>WindowsAudit Backdoor: Inside a .NET RAT That Hides in Discord</title><link>https://profero.io/blog/windowsaudit-backdoor/</link><pubDate>Tue, 28 Apr 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/windowsaudit-backdoor/</guid><description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Advisory:&lt;/strong&gt; Profero has observed this campaign active across multiple environments, and based on observed patterns and tradecraft, it may be positioning for escalation toward a broader ransomware operation. Profero has notified the Israeli National Cyber Directorate (INCD) of this activity. Organizations that identify any of the indicators of compromise (IOCs) listed below in their environments are encouraged to take prompt investigative action. If you would like to confirm whether your organization appears among the environments where this activity has been observed, or to discuss the IOCs further, please contact our team at &lt;a href="mailto:contact@profero.io"&gt;contact@profero.io&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Everyone's Talking About Mythos. Here's What's Actually Going On.</title><link>https://profero.io/blog/everyone-talking-about-mythos/</link><pubDate>Mon, 13 Apr 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/everyone-talking-about-mythos/</guid><description>&lt;p&gt;If you&amp;rsquo;ve been anywhere near a security Slack in the last week, you&amp;rsquo;ve seen the headlines. Anthropic dropped Claude Mythos on April 7th and the internet did what the internet does — breathless coverage, doomsday takes, and a 30-page &lt;a href="#references" title="CSA/SANS/OWASP — The AI Vulnerability Storm (April 12, 2026, DRAFT)"&gt;community briefing&lt;/a&gt; co-signed by what looks like the entire US cybersecurity establishment telling CISOs to restructure their security programs starting Monday morning.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;ve been watching this space closely. Here&amp;rsquo;s our honest read.&lt;/p&gt;</description></item><item><title>The Theater of Cyber War: How Russian "Hacktivists" Are Performing for Iran Without Actually Hacking Anything</title><link>https://profero.io/blog/the-theater-of-cyber-war-cardinal-russian-legion/</link><pubDate>Fri, 10 Apr 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/the-theater-of-cyber-war-cardinal-russian-legion/</guid><description>&lt;h2 id="executive-summary"&gt;Executive Summary&lt;/h2&gt;
&lt;p&gt;Since the Iran-Israel conflict escalated in early March 2026, Russian-aligned hacktivist groups have flooded Telegram with claims of breaching Israeli critical infrastructure. Groups called Cardinal (now rebranded as Monarch), Russian Legion, and RuskiNet claim access to everything from Israel&amp;rsquo;s Iron Dome to IDF personnel databases to nuclear facility control panels.&lt;/p&gt;
&lt;p&gt;Every single claim is fake. The &amp;ldquo;evidence&amp;rdquo; consists of AI-generated graphics of fictional systems, government documents signed by people who left office years ago, and recycled data from old breaches repackaged as fresh leaks.&lt;/p&gt;</description></item><item><title>The Claude Code Leak: What One Missing File Cost Anthropic, and How to Check If You're Exposed</title><link>https://profero.io/blog/the-claude-code-leak-what-one-missing-file-cost-anthropic/</link><pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/the-claude-code-leak-what-one-missing-file-cost-anthropic/</guid><description>&lt;p&gt;On March 31, 2026, Anthropic shipped the complete source code of Claude Code to every npm mirror on the planet. Not through a breach. Not through a compromised pipeline. Through a missing &lt;code&gt;.npmignore&lt;/code&gt; file.&lt;/p&gt;
&lt;p&gt;Version 2.1.88 of &lt;code&gt;@anthropic-ai/claude-code&lt;/code&gt; included a 59.8 MB source map containing 512,000 lines of unobfuscated TypeScript across ~1,900 files. The full agent architecture, 44 unreleased feature flags, internal model codenames, system prompts, and safety guardrails were now public. Within hours the code was forked over 41,500 times. A clean-room rewrite hit 50,000 GitHub stars in two hours.&lt;/p&gt;</description></item><item><title>Why We Reforged Rapid-IR From the Ground Up</title><link>https://profero.io/blog/why-we-reforged-rapid-ir/</link><pubDate>Mon, 30 Mar 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/why-we-reforged-rapid-ir/</guid><description>&lt;p&gt;When an incident hits at 2 AM, most organizations start from zero. Hunting through PDFs, guessing which findings matter, assembling scattered tools while the clock runs down.&lt;/p&gt;
&lt;p&gt;None of that qualifies as rapid response.&lt;/p&gt;
&lt;p&gt;Years of casework taught us: fast recovery doesn&amp;rsquo;t come from big security teams. It comes from tested playbooks, pre-mapped environments, and readiness that someone maintains every single week. Updating runbooks, re-validating credentials, retesting detection rules, keeping everything current as the environment shifts. Most organizations can&amp;rsquo;t sustain that constant grinding.&lt;/p&gt;</description></item><item><title>The Key Was on the Floor: How the FBI Director's Personal Accounts Were Already Exposed</title><link>https://profero.io/blog/the-key-was-on-the-floor-fbi-directors-personal-accounts-exposed/</link><pubDate>Sat, 28 Mar 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/the-key-was-on-the-floor-fbi-directors-personal-accounts-exposed/</guid><description>&lt;p&gt;We don&amp;rsquo;t know exactly how Handala got into Kash Patel&amp;rsquo;s accounts. I&amp;rsquo;m not going to claim we do.&lt;/p&gt;
&lt;p&gt;But from years of responding to MOIS-linked intrusions, the answer is almost never what people expect. No zero-day. No exotic iMessage exploit. No nation-state malware. In case after case, the access was simpler: credential dumps, stealer logs, data sitting in breach databases for years. Waiting for someone to query the right name.&lt;/p&gt;</description></item><item><title>Hijacked at the Source: AppsFlyer's Trusted Marketing SDK Distributes a Crypto Stealer</title><link>https://profero.io/blog/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer/</link><pubDate>Wed, 11 Mar 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer/</guid><description>&lt;h2 id="executive-summary"&gt;Executive Summary&lt;/h2&gt;
&lt;p&gt;On March 9, 2026, Profero began investigating a suspected compromise of the AppsFlyer SDK following customer requests. AppsFlyer is a mobile attribution and marketing analytics platform integrated into thousands of applications. The investigation confirmed that the SDK delivered obfuscated malicious JavaScript alongside legitimate code — a cryptocurrency wallet hijacker that intercepted addresses and replaced them with attacker-controlled values.&lt;/p&gt;
&lt;p&gt;While the full scope remains unverified, the incident demonstrates how threat actors exploit trust in third-party SDKs. AppsFlyer has acknowledged an &amp;ldquo;availability issue&amp;rdquo; but provided no official confirmation of the compromise.&lt;/p&gt;</description></item><item><title>P4Tr!0T3CH Channel Doxxing &amp; Disinfo Assessment</title><link>https://profero.io/blog/p4tr-0t3ch-channel-doxxing-disinfo-assessment/</link><pubDate>Wed, 04 Mar 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/p4tr-0t3ch-channel-doxxing-disinfo-assessment/</guid><description>&lt;h2 id="executive-summary"&gt;Executive Summary&lt;/h2&gt;
&lt;p&gt;On March 3, 2026, the Hebrew-language Telegram channel P4Tr!0T3CH published a post (Message ID 639) claiming to release doxxing data and breach material targeting Iranian judiciary figures, IRGC intelligence operations, and APT35 cyber units.&lt;/p&gt;
&lt;p&gt;The post included alleged doxxing packages (home addresses, daily routines, safe houses), an APT35 operator persona (0xAlphaWolf / Behnam Pouladi), and claims of access to SWIFT logs, telecom databases, airport records, and a German medical clinic. It also named a backdoored Persian messaging app called Payvast.&lt;/p&gt;</description></item><item><title>địt mẹ mày morphisec: When Malware Authors Taunt Security Researchers</title><link>https://profero.io/blog/dit-me-may-morphisec-when-malware-authors-taunt-security-researchers/</link><pubDate>Sat, 24 Jan 2026 00:00:00 +0000</pubDate><guid>https://profero.io/blog/dit-me-may-morphisec-when-malware-authors-taunt-security-researchers/</guid><description>&lt;h2 id="executive-summary"&gt;Executive Summary&lt;/h2&gt;
&lt;p&gt;This is the complete analysis of Vietnamese Stealer, a Python-based info stealer that uses Telegram as its C2.
What started as a CrowdStrike alert on a suspicious file led to uncovering a sophisticated multi-stage attack attributed to a Vietnamese threat actor. This write-up follows our analysis chronologically: the investigative journey, the breakthroughs, and the decision-making process at each stage.&lt;/p&gt;
&lt;p&gt;Vietnamese Stealer is a Vietnamese-attributed information stealer that targets browser credentials, cookies, and cryptocurrency wallets. The malware is delivered through DLL sideloading using a legitimate Adobe binary, with socially engineered lures in Korean to target multiple regions. It employs a 4-layer obfuscation scheme and uses Telegram as both its command-and-control channel and exfiltration destination, leveraging a Dead Drop Resolver technique to dynamically retrieve C2 infrastructure. Persistence is maintained through a scheduled task disguised as a Microsoft Edge update. Attribution to Vietnamese threat actors is supported by language indicators in the code and Telegram operator metadata.&lt;/p&gt;</description></item><item><title>AtomicStealer Spreading via Fake Apple Support Websites</title><link>https://profero.io/blog/atomicstealer-spreading-via-fake-apple-support-websites/</link><pubDate>Wed, 27 Aug 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/atomicstealer-spreading-via-fake-apple-support-websites/</guid><description>&lt;h1 id="executive-summary"&gt;Executive Summary&lt;/h1&gt;
&lt;p&gt;Recently, Profero uncovered an AtomicStealer campaign using a fake Apple Support website designed to trick users into running a malicious bash command, infecting their machine with the stealer payload. This method of distribution is interesting because it marks a change in the tactics used by the cybercrime group known as Cookie Spider to compromise macOS devices.&lt;/p&gt;
&lt;p&gt;AtomicStealer was first identified in 2023 and quickly gained notoriety as one of the most common information stealers used by threat actors to target macOS devices. The stealer collects a large amount of data from various sources on infected hosts, including keychain credentials, certificates, cryptocurrency wallets, and passwords saved in browser password managers. Atomic is often used as the first payload delivered to newly compromised hosts and has historically been spread via mass email spam campaigns and backdoored fake software installs. It has primarily been used by attackers to harvest valuable credentials, such as those for corporate VPN or email access, which would allow them to further compromise an organization&amp;rsquo;s network.&lt;/p&gt;</description></item><item><title>The $5 Million Letter: When Physical Mail Becomes Digital Extortion</title><link>https://profero.io/blog/the-5-million-letter-when-physical-mail-becomes-digital-extortion/</link><pubDate>Tue, 19 Aug 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/the-5-million-letter-when-physical-mail-becomes-digital-extortion/</guid><description>&lt;h1 id="the-letter-that-started-a-crisis"&gt;The Letter That Started a Crisis&lt;/h1&gt;
&lt;p&gt;It was 7:43 AM on a Monday when the CEO&amp;rsquo;s secretary walked into his office with an unusual envelope marked &amp;ldquo;TIME SENSITIVE - READ IMMEDIATELY.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Inside was a letter claiming to be from the notorious BianLian ransomware group. The demand was simple: $5 million in Bitcoin within 10 days, or they would release stolen customer data and internal documents to the media.&lt;/p&gt;
&lt;p&gt;The company went into full crisis mode. The board was convened. The incident response team was activated.&lt;/p&gt;</description></item><item><title>New Attack Vector - AI - Induced Destruction</title><link>https://profero.io/blog/new-attack-vector--ai-induced-destruction/</link><pubDate>Tue, 12 Aug 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/new-attack-vector--ai-induced-destruction/</guid><description>&lt;h1 id="from-friend-to-foe-a-new-era-of-cybersecurity-incidents"&gt;From Friend to Foe: A New Era of Cybersecurity Incidents&lt;/h1&gt;
&lt;p&gt;How &amp;ldquo;helpful&amp;rdquo; AI assistants are accidentally destroying production systems - and what we&amp;rsquo;re doing about it.&lt;/p&gt;
&lt;h2 id="the-2-am-call-that-changed-everything"&gt;The 2 AM Call That Changed Everything&lt;/h2&gt;
&lt;p&gt;It was 2:17 AM when our incident response hotline rang. Another ransomware attack? Nation-state actors? No. This time, the &amp;ldquo;attacker&amp;rdquo; was Claude Code, an AI coding assistant that had just deleted an entire production codebase. Welcome to 2025, where your biggest security threat might be the AI assistant you just gave admin privileges to.&lt;/p&gt;</description></item><item><title>From Drone Strike to File Recovery: Outsmarting a Nation State</title><link>https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state/</link><pubDate>Sun, 10 Aug 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state/</guid><description>&lt;h1 id="setting-the-stage"&gt;Setting the stage&lt;/h1&gt;
&lt;p&gt;On January 28, 2023, an ammunition factory belonging to the Iranian Defence Ministry in Isfahan was attacked by three drones. Iran later claimed that the drones had caused only minor damage to a building and were shot down.
During the same night, an oil refinery in Tabriz caught fire and there were additional reports of explosions and fires in Karaj, as well as an explosion at an oil facility in Azarshahr.
Israel had no comment regarding the attacks; however, intelligence agencies in the West, as well as in Iran, claimed that the attacks were conducted by Israel as part of an ongoing sabotage campaign against Iran.
After these attacks, an Iranian-affiliated account gave statements vowing to destroy Israel, and the following was posted to Telegram:&lt;/p&gt;</description></item><item><title>The Blurring Lines Between Financially Motivated Attacks and Nation-State Cyber Operations</title><link>https://profero.io/blog/the-blurring-lines-between-financially-motivated-attacks-and-nation-state-cyber-operations/</link><pubDate>Sun, 15 Jun 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/the-blurring-lines-between-financially-motivated-attacks-and-nation-state-cyber-operations/</guid><description>&lt;p&gt;Since the outset of the Russia-Ukraine war in early 2022, our Incident Response Team at Profero has been engaged in multiple investigations involving Russian threat actors across Europe, ranging from ransomware intrusions to credential theft.
Over the past 12 months Western Europe has seen a marked surge in both the volume and sophistication of incidents targeting organisations of every size.
In particular, these attacks were affiliated with notorious Russian ransomware groups that have been forced out of their apolitical zone.&lt;/p&gt;</description></item><item><title>Live Forensic Collection from Ivanti EPMM Appliances (CVE-2025-4427 &amp; CVE-2025-4428)</title><link>https://profero.io/blog/ivanti-epmm-attacks/</link><pubDate>Wed, 21 May 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/ivanti-epmm-attacks/</guid><description>&lt;h2 id="why-this-matters"&gt;Why This Matters&lt;/h2&gt;
&lt;p&gt;In May 2025, Profero responded to multiple security incidents stemming from the active exploitation of two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CVE-2025-4427 – Authentication Bypass&lt;/li&gt;
&lt;li&gt;CVE-2025-4428 – Remote Code Execution&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These vulnerabilities, when chained, allow unauthenticated attackers to gain full remote command execution on exposed EPMM appliances. Profero has observed multiple threat actors leveraging public proof-of-concept (PoC) exploits — and in some cases, private tooling — to gain initial access, extract sensitive data, move laterally, and deploy post-exploitation malware including KrustyLoader[1], a known loader for Sliver backdoors.

Organizations must act with urgency. Patching alone is not sufficient if an EPMM appliance was already compromised — and even patching combined with credential rotation may not fully neutralize the threat. Once inside EPMM, threat actors often use it as an internal foothold, harvesting credentials, accessing integrated systems (such as LDAP, Exchange, and SQL), and then pivoting into the broader environment.&lt;/p&gt;</description></item><item><title>Unmasking a Sophisticated Phishing Campaign: Profero IRT’s Deep Dive into a Global Microsoft Identity Attack</title><link>https://profero.io/blog/unmasking-a-sophisticated-phishing-campaign-profero-irts-deep-dive-into-a-global-microsoft-identity-attack/</link><pubDate>Mon, 28 Apr 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/unmasking-a-sophisticated-phishing-campaign-profero-irts-deep-dive-into-a-global-microsoft-identity-attack/</guid><description>&lt;p&gt;Over the past month, the Profero Incident Response Team (IRT) conducted an exhaustive forensic investigation into a global phishing campaign targeting Microsoft 365 identities, specifically Azure Active Directory and Office 365 accounts across multiple sectors.&lt;/p&gt;
&lt;p&gt;This campaign, characterized by its use of low-code/no-code platforms, automated phishing toolkits, and advanced evasion techniques, successfully bypassed traditional security controls to harvest credentials and authentication tokens. Here’s a detailed breakdown of the attack, our findings, and actionable defenses to neutralize this threat.&lt;/p&gt;</description></item><item><title>Understanding Quantum Cryptography: Separating Fact from Fiction</title><link>https://profero.io/blog/understanding-quantum-cryptography-separating-fact-from-fiction/</link><pubDate>Sun, 06 Apr 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/understanding-quantum-cryptography-separating-fact-from-fiction/</guid><description>&lt;p&gt;Hello, tech enthusiasts! Today, we&amp;rsquo;re going to explore the intriguing world of quantum cryptography. With all the buzz about quantum computers potentially jeopardizing current security systems, it’s easy to feel overwhelmed.
Let’s cut through the noise and clarify what’s truly happening—without any fear, uncertainty, or doubt (FUD).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What is Quantum Cryptography?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;At its essence, quantum cryptography primarily addresses two aspects:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;The potential for quantum computers to break established cryptographic protocols (such as RSA or ECC) that we had previously considered secure.&lt;/p&gt;</description></item><item><title>A Breach Is Inevitable: Why Organizations Are Failing in Proactive Threat Detection</title><link>https://profero.io/blog/a-breach-is-inevitable-why-organizations-are-failing-in-proactive-threat-detection/</link><pubDate>Wed, 05 Mar 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/a-breach-is-inevitable-why-organizations-are-failing-in-proactive-threat-detection/</guid><description>&lt;p&gt;In today&amp;rsquo;s cyber security reality, security teams are drowning in acronyms. CTEM, CSPM, IDM and more: all are parts of a common defense lineup aiming to create robust protection around digital infrastructure. Organizations are spending billions of dollars on a wide range of security tools, many of which promise bulletproof protection- yet breaches still occur.&lt;/p&gt;
&lt;p&gt;Threat actors are accelerating their tactics at an alarming pace. The duration from initial access to data encryption, which once spanned weeks, has now been reduced to mere hours. This rapid evolution necessitates equally swift detection and response capabilities to effectively counteract these threats. In this blog post, we will argue that fancy tools are not enough: Organizations must adapt by implementing robust real-time monitoring and quick incident response strategies to stay ahead in this high-stakes race.&lt;/p&gt;</description></item><item><title>Behind the Scenes: How Pager Apps Power 24/7 Incident Response Operations</title><link>https://profero.io/blog/behind-the-scenes-how-pager-apps-power-24-7-incident-response-operations/</link><pubDate>Wed, 26 Feb 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/behind-the-scenes-how-pager-apps-power-24-7-incident-response-operations/</guid><description>&lt;p&gt;&lt;strong&gt;Behind the Scenes: How Pager Apps&lt;/strong&gt; &lt;strong&gt;Power 24/7 Incident Response Operations&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In a surprising 90s-throwback, pagers have been making headlines lately. In this blog post, I want to discuss pager apps such as PagerDuty, Splunk On-Call (VictorOps), Opsgenie, and others that are critical for incident responders.&lt;/p&gt;
&lt;p&gt;Last year, I joined Profero as the IR Projects Manager. In this role, I oversee our globally distributed Incident Response (IR) team to ensure seamless operations both day-to-day and during critical incidents. So far, I’ve managed hundreds of incidents worldwide. Pager apps are deeply integrated into our internal teamwork, ongoing communication with customers, and Rapid-IR, our bespoke readiness platform.&lt;/p&gt;</description></item><item><title>MITRE ATT&amp;CK: A Guidebook for the Cyber Jungle</title><link>https://profero.io/blog/mitre-att-ck-a-guidebook-for-the-cyber-jungle/</link><pubDate>Tue, 04 Feb 2025 00:00:00 +0000</pubDate><guid>https://profero.io/blog/mitre-att-ck-a-guidebook-for-the-cyber-jungle/</guid><description>&lt;p&gt;Some people go out into nature with a plant guide or a bird handbook to better understand what they see in front of them. Such a guide includes a catalogue organized by families (raptors, waterfowl, etc.), beak or wing shape, what the bird feeds on, whether it is an early bird or nocturnal, and where it is likely to be seen.&lt;/p&gt;
&lt;p&gt;The cyber field is one big jungle teeming with various attack groups, tactics, tools, and motivations. This jungle also has its own &amp;ldquo;guide&amp;rdquo;: MITRE ATT&amp;amp;CK. This non-profit initiative, founded in 2013, aims to be a continuously updated and accessible knowledge base for cyber threats based on field observations of attacks and attack groups. All major cybersecurity companies contribute the most current information to it, creating a uniform language in the world of information security.&lt;/p&gt;</description></item><item><title>Secrets leakage – A rising threat. Development Practices to Safeguard Your Secrets</title><link>https://profero.io/blog/secrets-leakage-rising-threat-development-practices-to-safeguard-your-secrets/</link><pubDate>Tue, 23 Jul 2024 00:00:00 +0000</pubDate><guid>https://profero.io/blog/secrets-leakage-rising-threat-development-practices-to-safeguard-your-secrets/</guid><description>&lt;h3 id="introduction"&gt;Introduction&lt;/h3&gt;
&lt;p&gt;During 2024, Profero’s research and incident response teams tracked a trend of cyber-attacks based on security misconfigurations and secrets leaking into production environments.&lt;/p&gt;
&lt;p&gt;In today’s world, developers need to manage a large number of secrets: credentials, API keys, tokens, and passwords. Those secrets are essential for the operation of modern applications, and as their number increases, the challenges associated with their secure storage increase as well.&lt;/p&gt;</description></item><item><title>Why Cyberattacks Spike During Holidays and How to be IR Ready</title><link>https://profero.io/blog/why-cyberattacks-spike-during-holidays-and-how-to-be-ir-ready/</link><pubDate>Wed, 03 Jul 2024 00:00:00 +0000</pubDate><guid>https://profero.io/blog/why-cyberattacks-spike-during-holidays-and-how-to-be-ir-ready/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Every year, as we deck the halls and prepare to celebrate major holidays like July 4th,
cybercriminals are also planning their own &amp;ldquo;celebrations.&amp;rdquo;
Unfortunately, these festivities come in the form of cyberattacks aimed at businesses and organizations.
But why do we see a rise in attacks during holidays?
How can organizations be prepared? Let’s dig deeper.&lt;/p&gt;
&lt;h2 id="why-holidays"&gt;Why Holidays?&lt;/h2&gt;
&lt;p&gt;Cybercriminals are opportunistic by nature, and they are well aware that during the holidays,
many companies operate with reduced staff as employees take time off to be with their families.
Some key people in the organization - management or tech leaders - might be out of reach.
Attackers also take advantage of time differences between territories.
This can result in slower response times to anomalies and potential breaches.&lt;/p&gt;</description></item><item><title>Cloud Security Alliance Conference: Attacker Perspective Panel Overview</title><link>https://profero.io/blog/cloud-security-alliance-conference-attacker-perspective-panel-overview/</link><pubDate>Mon, 24 Jun 2024 00:00:00 +0000</pubDate><guid>https://profero.io/blog/cloud-security-alliance-conference-attacker-perspective-panel-overview/</guid><description>&lt;p&gt;At the recent Cloud Security Alliance Conference, a compelling panel on cloud security from an attacker&amp;rsquo;s perspective brought together industry experts to discuss emerging threats and defense strategies. The panel featured Omri Segev Moyal (CEO of Profero Inc.), Dima Fomberg (Security Architect at Google Cloud Security), Shira Shamban (CEO and Co-founder of Solvo), and Michal Kolotov (Founder of BlueTM).&lt;/p&gt;
&lt;h4 id="highlights-from-the-panel"&gt;Highlights from the Panel:&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Targeting Cloud Environments:&lt;/strong&gt; Attackers are shifting focus to cloud environments due to the potential for large-scale breaches.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Misconfigurations:&lt;/strong&gt; These remain a major vulnerability, highlighting the need for diligent security practices.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Leveraging Native Tools:&lt;/strong&gt; The panel emphasized the importance of using native cloud security tools and robust identity and access management.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Continuous Education:&lt;/strong&gt; The panel underscored the need for ongoing education and collaboration between security and development teams to stay ahead of attackers.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4 id="key-insights"&gt;Key Insights:&lt;/h4&gt;
&lt;p&gt;&amp;ldquo;Instead of hacking thousands of customers one by one, attackers now target a single vendor in the cloud. It&amp;rsquo;s the holy grail.&amp;rdquo; - Omri Segev Moyal&lt;/p&gt;</description></item><item><title>Microsoft Windows Endpoint Forensics Readiness Booster</title><link>https://profero.io/blog/microsoft-windows-endpoint-forensics-readiness-booster/</link><pubDate>Sun, 16 Jun 2024 00:00:00 +0000</pubDate><guid>https://profero.io/blog/microsoft-windows-endpoint-forensics-readiness-booster/</guid><description>&lt;p&gt;This short blog post will run through a few ways the IT/Security teams can configure their existing Windows environment in order to improve forensics readiness using existing operating system capabilities. We will focus on critical forensics readiness artifacts and logs which incident response (IR) teams can utilize for quick triage and accurate remediation. The scope of this cheat sheet was narrowed down to avoid external utilities such as Endpoint Detection and Response and meant to serve as a reference for every organization, not just enterprises.&lt;/p&gt;</description></item><item><title>Profero is now Certified for SOC 2 (type 2) and ISO 27001</title><link>https://profero.io/blog/profero-is-now-certified-for-soc-2-and-iso-27001/</link><pubDate>Sun, 19 May 2024 00:00:00 +0000</pubDate><guid>https://profero.io/blog/profero-is-now-certified-for-soc-2-and-iso-27001/</guid><description>&lt;p&gt;At Profero, trust is the cornerstone of our relationships with clients. As a leading incident response company, we are entrusted with sensitive data and conduct sensitive operations. That&amp;rsquo;s why we have taken the necessary steps to validate our robust security controls through third-party assessments and certification.&lt;/p&gt;
&lt;p&gt;We are pleased to announce that we have successfully been certified for SOC-2 Type 2 and ISO 27001.&lt;/p&gt;
&lt;p&gt;In our ongoing efforts to provide transparency, we have launched a &lt;a href="https://trust.profero.io"&gt;trust portal&lt;/a&gt;. This platform offers insights into our security practices and protocols, as well as the steps we&amp;rsquo;ve taken and the certifications awarded: &lt;a href="https://trust.profero.io/"&gt;https://trust.profero.io&lt;/a&gt;
For more information on our SOC-2 Type 2 and ISO 27001 certification, or to request a copy of our SOC-2 or ISO 27001 certificate, please follow the instructions at the trust portal.&lt;/p&gt;</description></item><item><title>The 10.0 Rated CVE in xz-utils Jeopardizing SSH Security</title><link>https://profero.io/blog/the-10-0-rated-cve-in-xz-utils-jeopardizing-ssh-security/</link><pubDate>Tue, 02 Apr 2024 00:00:00 +0000</pubDate><guid>https://profero.io/blog/the-10-0-rated-cve-in-xz-utils-jeopardizing-ssh-security/</guid><description>&lt;p&gt;On March 29th, 2024, our security team was alerted to a newly identified CVE, assigned a critical severity rating of 10.0. This vulnerability was found in xz-utils, a crucial component deeply embedded within Linux Distributions. Given the extensive use of Linux systems within organizations, the potential scale and impact of this vulnerability could rival, if not surpass, that of Log4J.&lt;/p&gt;
&lt;p&gt;Amplifying the seriousness of the situation was the unsettling discovery that this vulnerability was intentionally embedded into the codebase as a backdoor by a developer responsible for maintaining this open-source project.&lt;/p&gt;</description></item><item><title>SysAid On-Prem Vulnerability Disclosure</title><link>https://profero.io/blog/sysaid-on-prem-vulnerability-disclosure/</link><pubDate>Tue, 07 Nov 2023 00:00:00 +0000</pubDate><guid>https://profero.io/blog/sysaid-on-prem-vulnerability-disclosure/</guid><description>&lt;h1 id="cve-2023-47246"&gt;CVE-2023-47246&lt;/h1&gt;
&lt;p&gt;On Nov 2nd, our security team received reports regarding a potential vulnerability in our on-premise software which was being actively exploited. We immediately initiated our incident response protocol and began proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified. We engaged Profero, a cyber security incident response company, to assist us in our investigation. The investigation determined that there was a zero-day vulnerability in the SysAid on-premises software. We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network to look for any indicators further discussed below. Should you identify any indicators, take immediate action and follow your incident response protocols.&lt;/p&gt;</description></item><item><title>CyberWeek RedAlert 2023 Focus Shift: Parallels between Europe and Israel's Cyber Incident Response Preparedness</title><link>https://profero.io/blog/redalert2023/</link><pubDate>Mon, 10 Jul 2023 00:00:00 +0000</pubDate><guid>https://profero.io/blog/redalert2023/</guid><description>&lt;h2 id="focus-shift-parallels-between-europe-and-israels-cyber-incident-response-preparedness"&gt;Focus Shift: Parallels between Europe and Israel&amp;rsquo;s Cyber Incident Response Preparedness&lt;/h2&gt;
&lt;p&gt;TL;DR&lt;/p&gt;
&lt;p&gt;During CyberWeek 2023, I had the opportunity to share our thoughts on Europe/Israel learnings. The panel was engaging and we felt that it was worth diving deeper into some of the issues raised.&lt;/p&gt;
&lt;p&gt;Cybersecurity is an ever-evolving field that requires organizations to be prepared for potential incidents. To do so, they must have access to the latest threat intelligence feeds and knowledgeable personnel who can develop effective incident response plans. Companies should also pre-approve data sharing guidelines beforehand so that access is granted quickly in the event of an incident. Additionally, utilizing Israeli cybersecurity specialists can help businesses find solutions that balance cyber security needs and legal compliance requirements when dealing with sensitive customer information. By taking these measures into consideration, companies can better protect themselves from malicious actors while minimizing any financial losses or disruption of services caused by a breach.&lt;/p&gt;</description></item><item><title>Malicious Extensions - What They Are And How To Fight Them</title><link>https://profero.io/blog/malicious-extensions-what-they-are-and-how-to-fight-them/</link><pubDate>Sun, 02 Jul 2023 00:00:00 +0000</pubDate><guid>https://profero.io/blog/malicious-extensions-what-they-are-and-how-to-fight-them/</guid><description>&lt;h1 id="introduction"&gt;Introduction&lt;/h1&gt;
&lt;p&gt;According to &lt;a href="https://www.debugbear.com/blog/counting-chrome-extensions"&gt;&lt;strong&gt;DebugBear&lt;/strong&gt;&lt;/a&gt;, there were about 1.7 billion users with installed Chrome extensions in 2020, out of more than 2.5 billion users of Chrome. Those browser extensions exist on every operating system and are available in almost any web browser. Browser extensions have vast numbers of users because they enhance the browsing experience, fill gaps, and offer functionalities that support everyday tasks.&lt;/p&gt;
&lt;p&gt;Behind the scenes, different types of groups put enormous effort into convincing users to install extensions. Some are companies that base their businesses on extensions, and some are developers that just want to share their new product features. In between, there are a lot of groups that try to make money by hijacking search or displaying ads, and others that actually use the platform to steal sensitive user information. Extensions can access many user resources, so imagination is almost the only limitation for sensitive data theft.&lt;/p&gt;</description></item><item><title>LastPass Breach - and your SSO</title><link>https://profero.io/blog/lastpass-breach-and-your-sso/</link><pubDate>Mon, 27 Feb 2023 00:00:00 +0000</pubDate><guid>https://profero.io/blog/lastpass-breach-and-your-sso/</guid><description>&lt;p&gt;See our previous &lt;a href="https://profero.io/posts/lastpass_breach/"&gt;&lt;strong&gt;blog post&lt;/strong&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;On Feb 28th, 2023, new information disclosed by &lt;a href="https://support.lastpass.com/help/incident-2-additional-details-of-the-attack"&gt;&lt;strong&gt;LastPass&lt;/strong&gt;&lt;/a&gt; revealed that users of their organizational product relying on SSO are also at risk.&lt;/p&gt;
&lt;p&gt;TL;DR:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;In order to compromise your vault protected by SSO, the attacker needs access to a single employee in your organization&lt;/li&gt;
&lt;li&gt;If you did not rotate your passwords or follow our other &lt;a href="https://profero.io/posts/lastpass_breach/"&gt;&lt;strong&gt;recommendations&lt;/strong&gt;&lt;/a&gt;, now is the time&lt;/li&gt;
&lt;li&gt;It looks like the only way to do proper key rotation is to “re-federate” your organization, namely, rebuild your SSO data&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="background"&gt;Background&lt;/h2&gt;
&lt;p&gt;The attackers want access to the encrypted values stored inside the organizational vaults. To achieve that, they would need to succeed in the following steps:&lt;/p&gt;</description></item><item><title>LastPass Breach - What went wrong?</title><link>https://profero.io/blog/lastpass-breach-what-went-wrong/</link><pubDate>Tue, 03 Jan 2023 00:00:00 +0000</pubDate><guid>https://profero.io/blog/lastpass-breach-what-went-wrong/</guid><description>&lt;p&gt;&lt;strong&gt;disclaimer: this is based on our experience, expertise, and public sources&lt;/strong&gt;&lt;/p&gt;
&lt;h2 id="what-is-a-password-manager"&gt;What is a password manager?&lt;/h2&gt;
&lt;p&gt;A password manager is a place to store your passwords more securely than using a post-it on your computer screen. Password managers became prominent when security people educated the public about password reuse.&lt;/p&gt;
&lt;p&gt;Password reuse was a big issue a couple of years ago, as a breach in a single service would allow attackers to use the same password from that breach on other sites, hoping that the user had “reused” their password. As the need to keep and remember more passwords grew, systems to manage many passwords were needed - and thus, password managers were born.&lt;/p&gt;</description></item><item><title>Online Programming Learning Sites Can Be Manipulated By Hackers To Launch Cyberattacks</title><link>https://profero.io/blog/online-programming-learning-sites-can-be-manipulated-by-hackers-to-launch-cyberattacks/</link><pubDate>Wed, 06 Jul 2022 00:00:00 +0000</pubDate><guid>https://profero.io/blog/online-programming-learning-sites-can-be-manipulated-by-hackers-to-launch-cyberattacks/</guid><description>&lt;h1 id="introduction"&gt;Introduction&lt;/h1&gt;
&lt;p&gt;Hackers commonly launch their attacks from compromised machines rather than directly from devices they own, which allows them to conceal their origin. In a recent incident response engagement, Profero’s Incident Response Team investigated a possible scenario in which we assumed that threat actors had used Datacamp’s online IDE to launch an attack against a cloud infrastructure. However, the cause turned out to be a simple misattribution, a mix-up between Datacamp, the ISP, and the online IDE. We were intrigued by the idea of using cloud IDEs to hide the origins of an attack and initiated a research project to explore this strategy.&lt;/p&gt;</description></item><item><title>Multi-factor Authentication In-The-Wild bypass methods</title><link>https://profero.io/blog/multi-factor-authentication-in-the-wild-bypass-methods/</link><pubDate>Sun, 05 Jun 2022 00:00:00 +0000</pubDate><guid>https://profero.io/blog/multi-factor-authentication-in-the-wild-bypass-methods/</guid><description>&lt;h1 id="introduction"&gt;Introduction&lt;/h1&gt;
&lt;p&gt;Two-factor authentication (2FA) or multi-factor authentication (MFA) is a method of authenticating to a service that requires at least two proofs of identity.&lt;/p&gt;
&lt;p&gt;Today, most cloud services, such as Google, Microsoft, Okta, and AWS, require the typical user to use 2FA methods (with some exceptions).&lt;/p&gt;
&lt;p&gt;The easiest way to implement 2FA is using a one-time password (OTP). OTPs can be delivered in several ways:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;SMS message&lt;/li&gt;
&lt;li&gt;physical OTP device (small display with changing tokens)&lt;/li&gt;
&lt;li&gt;authenticator app — such as Google Authenticator&lt;/li&gt;
&lt;li&gt;physical device — a card with a specific private key (256 characters long), such as YubiKey&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The IT industry puts a lot of faith in MFA, but it’s not bulletproof. There have been many attacks that bypass this solution over the years, and we’re seeing more now than ever.&lt;/p&gt;</description></item><item><title>Static unpacker and decoder for Hello Kitty Packer</title><link>https://profero.io/blog/static-unpacker-and-decoder-for-hello-kitty-packer/</link><pubDate>Sun, 24 Apr 2022 00:00:00 +0000</pubDate><guid>https://profero.io/blog/static-unpacker-and-decoder-for-hello-kitty-packer/</guid><description>&lt;p&gt;During a recent incident response engagement, the Profero IR team observed a sample of Hello Kitty ransomware. This version of the ransomware is intriguing because the sample is packed with a packer written in Go. This packer decrypts the final Hello Kitty payload, which is written in C++, before executing it in memory. The Hello Kitty ransomware is written as a simple tool that an attacker can use to encrypt data on the victim’s machine and not as a full-fledged malware with persistence methods of its own. This malware has been covered in depth by previous researchers; however, there is much less information about the packer used by this ransomware gang.&lt;/p&gt;</description></item><item><title>OSS Getting Hammered for BigCorp Failures</title><link>https://profero.io/blog/oss-getting-hammered-for-bigcorp-failures/</link><pubDate>Sun, 19 Dec 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/oss-getting-hammered-for-bigcorp-failures/</guid><description>&lt;h1 id="everyone-heard-of-log4j-by-now"&gt;Everyone heard of log4j by now&lt;/h1&gt;
&lt;p&gt;You might not know what the log4j vulnerability is, or what it means — but the memes are everywhere!&lt;/p&gt;
&lt;p&gt;The log4j vulnerability has developed into nothing less than a wide-scale catastrophe. It seemed that anywhere you looked, new issues revolving around log4j were found in anything that runs Java. And to make things worse, it’s as if there is no one to blame, as this is open source.&lt;/p&gt;</description></item><item><title>log4jScanner</title><link>https://profero.io/blog/log4jscanner/</link><pubDate>Wed, 15 Dec 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/log4jscanner/</guid><description>&lt;h1 id="background"&gt;Background&lt;/h1&gt;
&lt;p&gt;Our customers faced a serious issue: they did not know which servers on their internal network were vulnerable to log4j, and were reluctant to send information about vulnerable internal servers to 3rd parties.&lt;/p&gt;
&lt;p&gt;We rose to the challenge and created a scanner to help find vulnerable web servers in their internal networks.&lt;/p&gt;
&lt;h1 id="introduction"&gt;Introduction&lt;/h1&gt;
&lt;h2 id="log4j-vulnerability-cve-202144228-discovery"&gt;Log4j vulnerability (CVE-2021–44228) discovery&lt;/h2&gt;
&lt;p&gt;On Thursday, December 09, 2021, a new zero-day vulnerability was disclosed by the Apache Log4j project. This exploit potentially enables adversaries to execute code remotely on the server. The exploitation occurs when an attacker-supplied string value is logged on the endpoint. The vulnerability type is remote code execution (RCE) in the Log4j Java library, an open-source library. The vulnerable versions are 2.08-beta9 to 2.14.1, and they have already been exploited in the wild since the vulnerability was disclosed. Based on unverified publications, the initial discovery (and/or exploitation) was seen on a Minecraft server.&lt;/p&gt;</description></item><item><title>Log4Shell &amp; massive Kinsing deployment</title><link>https://profero.io/blog/log4shell-massive-kinsing-deployment/</link><pubDate>Sat, 11 Dec 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/log4shell-massive-kinsing-deployment/</guid><description>&lt;p&gt;On December 9th, 2021, news broke about a newly discovered vulnerability affecting the Java logging library, Log4j.&lt;/p&gt;
&lt;p&gt;Since this news broke, threat actors around the world have rushed to take advantage of this easy-to-exploit vulnerability, and wide-scale attacks are now ongoing.&lt;/p&gt;
&lt;p&gt;There are plenty of highly popular applications vulnerable to this exploit, such as Salesforce, Apache, and Atlassian, and many more.&lt;/p&gt;
&lt;h1 id="what-is-log4shell-and-why-has-it-become-a-global-problem"&gt;What is “Log4Shell”, and why has it become a global problem?&lt;/h1&gt;
&lt;p&gt;This vulnerability is a remote code execution (RCE) based on a simple JNDI (Java Naming and Directory Interface) injection flaw which is easily exploitable. JNDI allows Java applications to discover and lookup data and resources via URLs. When a message is logged via a vulnerable version of Log4j that contains a JNDI locator the JNDI will be resolved and the content at the URL will be fetched from an attacker-controlled location. From there the attacker server can return a specifically crafted java class which the vulnerable application will load and execute.&lt;/p&gt;</description></item><item><title>From the Trenches: Common-Sense Measures to Prevent Cloud Incidents</title><link>https://profero.io/blog/from-the-trenches-common-sense-measures-to-prevent-cloud-incidents/</link><pubDate>Sat, 20 Nov 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/from-the-trenches-common-sense-measures-to-prevent-cloud-incidents/</guid><description>&lt;h1 id="introduction"&gt;Introduction&lt;/h1&gt;
&lt;p&gt;As an incident response team, we see a lot of cloud breaches that could have been prevented. Adequate protection requires in-depth knowledge of the cloud provider and its APIs and ample preparation. In cases when a company face time constraints, or its engineers have not received up-to-date training after a cloud migration, vulnerabilities open up. Whatever the reason, many cloud attacks can be easily avoided — in the following case studies, we offer advice on how.&lt;/p&gt;</description></item><item><title>RansomEXX, Fixing Corrupted Ransom</title><link>https://profero.io/blog/ransomexx-fixing-corrupted-ransom/</link><pubDate>Wed, 29 Sep 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/ransomexx-fixing-corrupted-ransom/</guid><description>&lt;p&gt;Since the sudden disappearance of the REvil ransomware operation, there has been a rise in other “ransomware as a service” (RaaS) operators attempting to claim their piece of the RaaS market share left behind. Among the most prominent of these groups is RansomEXX / RansomX. They have become infamous not only for their high-profile attacks, but also for the leak site they use to name and shame their victims who don’t adhere to their ransom demands, and for their deployment of ransomware payloads for both Windows and Linux devices.&lt;/p&gt;</description></item><item><title>Secrets Behind Ever101 Ransomware</title><link>https://profero.io/blog/secrets-behind-ever101-ransomware/</link><pubDate>Mon, 21 Jun 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/secrets-behind-ever101-ransomware/</guid><description>&lt;p&gt;A victim called the incident response teams of Global Threat Center, reporting a seemingly new stream of ransomware attack. Upon investigation, we determined the extension of the encrypted files was certainly new, but the malware displayed significant similarities with several ransomware families — a combination that made attribution an interesting and difficult riddle. 
The attack’s signature was a Music folder containing an arsenal of tools, which the malware dropped and executed on each of the encrypted machines. Throughout our investigation, we primarily focused on the toolset utilized by the threat actor, in order to build an in-depth profile of the incident in hopes of making an attribution. While many of the tools used by the threat actor were not custom, we were still able to assemble a temporary portfolio of tactics, techniques, and procedures (TTPs), which pointed us to potential links to a few existing ransomware groups with similar TTPs. This portfolio was particularly helpful during the negotiation process, as we were able to gain vital information, such as assessing the reliability of the threat actor in terms of providing a working decryption tool. In fact, during the negotiation, the attackers offered a video documenting the decryption process, which also revealed they used a free software from BandiCam and WinRAR, in what seems to be Arabic.&lt;/p&gt;</description></item><item><title>Cuba Ransomware Group on a Roll</title><link>https://profero.io/blog/cuba-ransomware-group-on-a-roll/</link><pubDate>Tue, 04 May 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/cuba-ransomware-group-on-a-roll/</guid><description>&lt;p&gt;At the end of 2020, our team made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim company offline completely. The threat actors behind the attack deployed the Cuba ransomware across the corporate network, using a mixture of PowerShell scripts, SystemBC, and Cobalt Strike to propagate it. Cuba Ransomware utilizes the symmetric ChaCha20 algorithm for encrypting files, and the asymmetric RSA algorithm for encrypting key information. As a result, the files could not be decrypted without the threat actor’s private RSA key. 
In the days following the attack, our incident responders investigated the threat actors’ modus operandi, their malicious software, and their lateral movement tools. Simultaneously, we initiated negotiations with the attackers, who, as we discovered over the course of the investigation through a simple translation mistake on their part, are Russian speakers. Unfortunately, several essential links were missing, so we were unable to approximate the attackers’ location, and their whereabouts remain unknown. Negotiations concluded with the ransom being paid and a decryptor being received. After we determined that the decryptor contained no malicious code and confirmed that it did in fact decrypt the encrypted files, we deployed it across the network, allowing operations to resume. The ransomware binary we recovered was generic: it relied on off-the-shelf encryption algorithms and stored its strings in plaintext, but it was wrapped in several layers of obfuscation and packing. Based on these factors, we believe the attackers are not state-sponsored but operate simply as a criminal threat group. They are fast-acting and seem to prefer to communicate via email; they generally set up the email accounts used for communication a few days in advance of deploying the ransomware. Additionally, based on ransom notes we discovered through pivoting, it is clear the actors often use ProtonMail as their primary email host.&lt;/p&gt;</description></item><item><title>APT27 Turns to Ransomware</title><link>https://profero.io/blog/apt27-turns-to-ransomware/</link><pubDate>Sun, 03 Jan 2021 00:00:00 +0000</pubDate><guid>https://profero.io/blog/apt27-turns-to-ransomware/</guid><description>&lt;p&gt;At the peak of the COVID-19 pandemic and economic crisis, our Global Incident Response and Cyber Crisis Management teams were engaged on several fronts around the world, fighting cybercrime and even nation-state actors.&lt;/p&gt;
&lt;p&gt;The following &lt;a href="https://cdn.prod.website-files.com/660e348ec87579d74705013a/66562c2c7fbdb8cb33a5c396_APT27_turns_to_ransomware.pdf"&gt;&lt;strong&gt;report&lt;/strong&gt;&lt;/a&gt; tells the story of one of these engagements and how, once again, the thin line between nation-state activity and cybercrime was crossed.&lt;/p&gt;
&lt;p&gt;The full report “APT27 Turns to Ransomware” can be downloaded directly (un-gated) from the following link:&lt;/p&gt;</description></item><item><title>20 Minutes. Guaranteed.</title><link>https://profero.io/20-minute-guarantee/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/20-minute-guarantee/</guid><description/></item><item><title>Access &amp; Quick Share: Secure Credential and Evidence Exchange</title><link>https://profero.io/access-quickshare/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/access-quickshare/</guid><description/></item><item><title>All Features | Profero Rapid-IR</title><link>https://profero.io/features/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/features/</guid><description/></item><item><title>Breach Monitoring | Profero Rapid-IR</title><link>https://profero.io/breach-monitoring/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/breach-monitoring/</guid><description/></item><item><title>Brenton Morris</title><link>https://profero.io/people/brenton-morris/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/brenton-morris/</guid><description>&lt;p&gt;Brenton Morris is an incident responder at Profero with expertise in malware analysis and digital forensics. His work spans macOS and Windows threat landscapes, including investigation of info-stealer campaigns and nation-state level incidents.&lt;/p&gt;
&lt;p&gt;Brenton has published research on AtomicStealer campaigns spreading via fake Apple Support websites, and has contributed to complex investigations involving file recovery operations in adversarial nation-state contexts.&lt;/p&gt;</description></item><item><title>Cookie Policy</title><link>https://profero.io/policies/cookie-policy/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/policies/cookie-policy/</guid><description>&lt;p&gt;&lt;strong&gt;Last Updated: January 11, 2026&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Segev-Magen Technologies Ltd. and Segev-Magen Technologies Inc. (collectively &amp;ldquo;Profero&amp;rdquo;, &amp;ldquo;we&amp;rdquo;, &amp;ldquo;us&amp;rdquo;, or &amp;ldquo;our&amp;rdquo;) operate &lt;a href="https://profero.io/"&gt;https://profero.io/&lt;/a&gt; (the &amp;ldquo;Website&amp;rdquo;). This Cookie Policy explains how we use cookies and similar technologies in the course of our business. It explains what these technologies are, why we use them, and your rights to control our use of them.&lt;/p&gt;
&lt;h2 id="1-what-are-cookies"&gt;1. What Are Cookies?&lt;/h2&gt;
&lt;p&gt;Cookies are small text files that a website asks your browser to save on your device when you visit the website, to remember your device upon revisiting the website or during the session.&lt;/p&gt;</description></item><item><title>Deep Breach Focus: Proprietary AI Built from Real Breaches</title><link>https://profero.io/deep-breach-focus/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/deep-breach-focus/</guid><description/></item><item><title>Emergency Contact</title><link>https://profero.io/emergency/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/emergency/</guid><description/></item><item><title>External Attack Surface: Continuous Perimeter Monitoring</title><link>https://profero.io/external-attack-surface/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/external-attack-surface/</guid><description/></item><item><title>GenAI Readiness Assessment</title><link>https://profero.io/genai-assessment/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/genai-assessment/</guid><description/></item><item><title>Get Started</title><link>https://profero.io/get-started/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/get-started/</guid><description/></item><item><title>Guy Barnhart-Magen</title><link>https://profero.io/people/guy-barnhart-magen/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/guy-barnhart-magen/</guid><description>&lt;p&gt;With nearly 25 years of experience in the cyber-security industry, and as the Co-Founder and CTO of the Incident Response company Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach.&lt;/p&gt;
&lt;p&gt;Guy leads Profero&amp;rsquo;s technical innovation and security architecture, driving the development of automated incident response capabilities. His work spans open-source security research, quantum cryptography analysis, and advanced forensic recovery operations.&lt;/p&gt;</description></item><item><title>Intelligence | Profero Rapid-IR</title><link>https://profero.io/intelligence/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/intelligence/</guid><description/></item><item><title>Investigator: Unified Forensic &amp; Containment Tool</title><link>https://profero.io/investigator/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/investigator/</guid><description/></item><item><title>Jonathan Haldarov</title><link>https://profero.io/people/jonathan-haldarov/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/jonathan-haldarov/</guid><description>&lt;p&gt;Jonathan Haldarov is an incident responder at Profero with deep expertise in investigating nation-state cyber operations and financially motivated attacks. His work covers threat analysis across European organizations, with particular focus on Russian threat actor campaigns.&lt;/p&gt;
&lt;p&gt;Jonathan has published research on the blurring lines between financially motivated attacks and nation-state cyber operations, as well as forensic collection methodologies for Ivanti EPMM appliances in response to zero-day exploitation.&lt;/p&gt;</description></item><item><title>Jonathan Haldarov &amp; Carl Breindel</title><link>https://profero.io/people/jonathan-haldarov-carl-breindel/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/jonathan-haldarov-carl-breindel/</guid><description>&lt;p&gt;Jonathan Haldarov and Carl Breindel are incident responders at Profero who collaborate on complex security investigations and forensic analysis.&lt;/p&gt;
&lt;p&gt;Together they have published research on live forensic collection from Ivanti EPMM appliances in response to the active exploitation of zero-day vulnerabilities (CVE-2025-4427 and CVE-2025-4428), providing the cybersecurity community with practical guidance for responding to these critical threats.&lt;/p&gt;</description></item><item><title>Omri Segev Moyal</title><link>https://profero.io/people/omri-segev-moyal/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/omri-segev-moyal/</guid><description>&lt;p&gt;Omri Segev Moyal is a highly successful entrepreneur, nationally recognized speaker and a Forbes 30 under 30 achiever as well as a malware researcher and threat intelligence expert with global experience in military, industrial, intelligence, communication and financial organizations.&lt;/p&gt;
&lt;p&gt;As CEO and Co-Founder of Profero, Omri leads the company&amp;rsquo;s mission to revolutionize how businesses handle cyber incidents with a preemptive approach. He is a recognized thought leader in cloud security and has spoken at industry events including the Cloud Security Alliance Conference on attacker perspectives in cloud environments.&lt;/p&gt;</description></item><item><title>Or Rimon</title><link>https://profero.io/people/or-rimon/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/or-rimon/</guid><description>&lt;p&gt;Or Rimon is a security researcher at Profero, focusing on emerging attack vectors and the intersection of artificial intelligence with cybersecurity threats.&lt;/p&gt;
&lt;p&gt;Or has published research on AI-induced destruction as a new attack vector, exploring how adversaries can leverage AI systems to cause harm and the implications for organizational security posture.&lt;/p&gt;</description></item><item><title>Partner with Profero | IR That Makes Your Recommendation Look Good</title><link>https://profero.io/partners/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/partners/</guid><description/></item><item><title>Pre-Emptive IR as a Service</title><link>https://profero.io/pre-emptive-ir/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/pre-emptive-ir/</guid><description/></item><item><title>Privacy Policy</title><link>https://profero.io/policies/privacy-policy/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/policies/privacy-policy/</guid><description>&lt;p&gt;&lt;strong&gt;Last Updated: April 9, 2025&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Segev-Magen Technologies Ltd. and Segev-Magen Technologies Inc. (collectively &amp;ldquo;Profero&amp;rdquo;) operate &lt;a href="https://profero.io/"&gt;https://profero.io/&lt;/a&gt;. This Privacy Policy describes practices regarding information collection, usage, and user rights. It supplements the Website Terms of Use.&lt;/p&gt;
&lt;h2 id="1-your-consent"&gt;1. Your Consent&lt;/h2&gt;
&lt;p&gt;Users must accept this Privacy Policy before accessing the Website. By accessing the Website, you agree to the terms and conditions set forth in this Privacy Policy, including the collection and processing of your personal information. Users provide personal information voluntarily and acknowledge Profero may collect and use it per this policy and applicable laws.&lt;/p&gt;</description></item><item><title>Profero IRT</title><link>https://profero.io/people/profero-irt/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/profero-irt/</guid><description>&lt;p&gt;The Profero Incident Response Team (IRT) is a dedicated group of cybersecurity experts providing 24/7 incident response services. The team handles complex cyber incidents across diverse technology stacks and environments, from cloud infrastructure to on-premises systems.&lt;/p&gt;
&lt;p&gt;The IRT has published research on critical vulnerabilities including the 10.0-rated CVE in xz-utils, secrets leakage in production environments, Windows endpoint forensics readiness, and emerging threats such as physical mail-based digital extortion campaigns.&lt;/p&gt;</description></item><item><title>Profero IRT: The IR Team That Built the Platform</title><link>https://profero.io/irt/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/irt/</guid><description/></item><item><title>Rapid-IR: The CISO Breach Platform</title><link>https://profero.io/rapid-ir/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/rapid-ir/</guid><description/></item><item><title>Ron Benisty</title><link>https://profero.io/people/ron-benisty/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/ron-benisty/</guid><description>&lt;p&gt;Ron Benisty is a security researcher at Profero, specializing in threat intelligence and forensic investigations. His work focuses on uncovering sophisticated attack campaigns and analyzing advanced malware techniques.&lt;/p&gt;
&lt;p&gt;Ron has led deep-dive investigations into global phishing campaigns targeting Microsoft 365 identities, and has published detailed analyses of malware families including Vietnamese Stealer, a Python-based info stealer leveraging Telegram as a command-and-control channel.&lt;/p&gt;</description></item><item><title>Terms of Service</title><link>https://profero.io/policies/terms-of-service/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/policies/terms-of-service/</guid><description>&lt;p&gt;&lt;strong&gt;Website Terms of Use&lt;/strong&gt;
Last revised: January 15, 2024&lt;/p&gt;
&lt;h2 id="1-acceptance-of-the-terms"&gt;1. Acceptance of the Terms&lt;/h2&gt;
&lt;p&gt;By accessing the Website at &lt;a href="https://profero.io/"&gt;https://profero.io/&lt;/a&gt;, users acknowledge reading and understanding the Terms of Use and Privacy Policy. Users agree to comply with all applicable laws. IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT ENTER, CONNECT TO, ACCESS OR USE THE WEBSITE IN ANY MANNER.&lt;/p&gt;
&lt;h2 id="2-the-website"&gt;2. The Website&lt;/h2&gt;
&lt;p&gt;The Website provides informational pages about Profero and includes forms for: (i) &amp;ldquo;Contact Us&amp;rdquo; to connect with the company, and (ii) &amp;ldquo;Careers&amp;rdquo; to apply for employment opportunities.&lt;/p&gt;</description></item><item><title>War Room: Real-Time Incident Command Center</title><link>https://profero.io/war-room/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/war-room/</guid><description/></item><item><title>WARP: Encrypted File Exchange for IR</title><link>https://profero.io/warp/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/warp/</guid><description/></item><item><title>Yehonatan Reut</title><link>https://profero.io/people/yehonatan-reut/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/yehonatan-reut/</guid><description>&lt;p&gt;Yehonatan Reut is an incident responder at Profero, contributing to 24/7 incident response operations and the operational infrastructure that enables rapid response to cyber threats.&lt;/p&gt;
&lt;p&gt;Yehonatan has published insights on how pager apps and on-call systems power around-the-clock incident response operations, sharing behind-the-scenes knowledge of the tools and processes that keep IR teams effective at all hours.&lt;/p&gt;</description></item><item><title>Yossi Donat</title><link>https://profero.io/people/yossi-donat/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://profero.io/people/yossi-donat/</guid><description>&lt;p&gt;Yossi Donat is a security researcher at Profero, focusing on proactive threat detection and organizational security posture. His work examines why traditional defensive approaches often fall short and how organizations can shift toward more effective security strategies.&lt;/p&gt;
&lt;p&gt;Yossi has published research on the inevitable nature of breaches and why organizations are failing in proactive threat detection, analyzing the challenges facing security teams across modern defensive tooling such as CTEM, CSPM, and IDM.&lt;/p&gt;</description></item></channel></rss>