Generated 11/05/2026, 09:11. Pipeline: Europe/Belgrade. Regular sources favor exploit, blog, red-team, and attack-path content. CVE items only stay with exploit signal.
Total items: 15
Regular sources: 4
Tweets / X: 11
Threshold: 0.62
Tweets / X
11 items
SpecterOps @SpecterOps
08 May, 16:41 · core
0.76
Security teams need to understand how attackers operate in Azure and Entra ID. Adversary Perspectives: Azure teaches how adversaries exploit weaknesses in Azure & Entra ID, w/ practical tradecraft for red & blue teams. Join us in Amsterdam next month! https://ghst.ly/4mR0Ga1
Modern C2 implants use sleep masking & metamorphic code to stay hidden. We’re revealing how to unmask them using low-level runtime telemetry (ETW & CPU profiling) live in production including a POC with a lightweight sensor. My team will be presenting our research at x33fcon:
New threat brief: CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Unit 42 observed limited exploitation for unauthenticated RCE. Read our analysis for mitigation steps and Pal…
We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to #OAuth device code phishing. Attackers replaced hardcoded URLs with runtime-fetched landing pages and generated images as blob URLs. Details at: https://bit.ly/4uCtzJQ
Finally, someone exploited the http://copy.fail I wrote a blog post about the recent copy(dot)fail bug, trying to explain some general concepts that I think were glossed over in the official article by @theori_io. https://retr0.zip/blog/cve-2026-31431-copy-fail.html …
Ransomware negotiator tied to $56M in attacks was sentenced, DPRK-linked fraudulent IT worker schemes were disrupted, novel PCPJack attacks cloud infrastructure to steal credentials, and a Palo Alto firewall zero-day is under active exploitation. This is the Good, Bad & Ugly.
What does it take to build the foundation for a graph that can grow beyond Active Directory? In his latest blog post, Brandon Shearin reflects on a year building OpenGraph for BloodHound, & the work of turning ambiguity into architecture. Check it out
Finally had time to add EtwInspector to the PSGallery! Check it out. PSGallery: https://powershellgallery.com/packages/EtwInspector/1.2.0 … GitHub: https://github.com/jonny-jhnson/ETWInspector …
The best part of this blog is the duality section. So frigging refreshing to read that. Thanks! If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s). The blog post is now live, detailing how we can use Dev-Tunnels fo
With public exploit code already available, defenders should assume any local foothold on an unpatched Linux system (including from within a container) can rapidly become root access. ↳ Get the full breakdown: https://okt.to/k93xez
There's a patch available now, that was quick! Here's my demo. I only tested it on Firefox, but any browser that doesn't support PNA is probably affected. https://lock.cmpxchg8b.com/Ceem9iji/ankimsrv.html … https://github.com/ankitects/anki/releases …
1.00 · general · 08 May, 16:13 · helpnetsecurity.com · PoC · Tradecraft
Dirty Frag: Unpatched Linux vulnerability delivers root access
A week after Copy Fail, another Linux local privilege escalation vulnerability dubbed “Dirty Frag” has been revealed, along with a PoC exploit. What is Dirty Frag In eff…
1.00 · exploit · 08 May, 01:34 · seclists.org
Copy Fail 2 / Dirty Frag - n-day from public commit, not embargo break
Posted by SiCk on May 07 Hi, I'm _SiCk (afflicted.sh, 0xdeadbeefnetwork on GitHub). The May 7 LWN piece on "Dirty Frag" raises the question of how the bug surfaced befor…
0.89 · exploit · 08 May, 06:32 · seclists.org
Re: Dirty Frag: Universal Linux LPE
Posted by Daniel Tang on May 07 Please say whether or not the following patchset is sufficient to https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?…
Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier
Posted by Demi Marie Obenour on May 07 Yikes! Looks like the PyPI version is also vulnerable. I wonder if Postorius is going to make a release again, or if users should …