Weekly Threat Advisory: Top Cyber Adversaries May 18 – 24, 2026

Weekly Threat Advisory — New Adversaries, Fresh Tradecraft, 18 – 24 May 2026

What This Advisory Covers — Read This First

This advisory is written for the full security audience — from analysts beginning their first SOC rotation, through threat hunters and detection engineers, to CISOs and security leadership. Three reading paths are supported:

  • Five-minute skim: read the headline, the “This Week in Numbers” panel, and the top-10 chart. You will leave knowing the three campaigns that matter this week and the one vulnerability your patch team should accelerate.
  • Twenty-minute analyst read: add the Featured Adversary Profiles, the MITRE ATT&CK Dashboard, and “How to Operationalise”. You will leave with named adversaries, mapped techniques, and a concrete action checklist.
  • Forty-minute deep dive: read every section including the indicator tables. You will leave with a full operational dataset ready to ingest into your SIEM, EDR, NDR, or SOAR.

Every figure in this advisory comes from our ML-scored intelligence pipeline for the 18–24 May 2026 window. We have deliberately de-duplicated against last week’s advisory — none of the adversaries or indicators below appeared in the prior advisory, so this is a snapshot of genuinely new activity. Where a term might be unfamiliar, the glossary at the bottom provides plain-English definitions.

The Headline in Three Sentences

Three independent supply-chain compromises landed in a single week across three different developer ecosystems — a templating package on the public package registry was hijacked to redirect browsers to an iOS exploit framework, a CI/CD workflow runner had its tags silently rewritten to exfiltrate pipeline credentials, and a long-running web-server-side malware family resurfaced with a new variant. A critical authentication-bypass vulnerability (CVE-2026-20182) in SD-WAN edge appliances is under active scan — 17 distinct scanner IPs and confirmed post-compromise webshell deployment make this the highest patch priority of the week. Mobile malware reaches a new cross-platform peak: a macOS infostealer cluster, an Android banking trojan delivered through the official mobile app store, and an Android malware-as-a-service framework sold on underground forums all surfaced in the same seven-day window.

This Week in Numbers

  • 22 distinct adversaries active in our pipeline this week, of which 16 are entirely new — they did not appear in last week’s advisory.
  • 431 unique indicators of compromise in the filtered set (1,488 raw indicators before de-duplication). Hash artefacts lead at 303, followed by 68 multi-type artefacts, 28 URLs, 27 IPs, and 5 domains.
  • Severity composition: 394 indicators (91%) at High severity, 35 at Low (the SD-WAN scanner population), 2 at Medium.
  • By classification: Malware 277 · Malware Campaigns 107 · SCAN 35 · Threat Actor 10 · C2 2. The campaign concentration is the highest weekly ratio we have catalogued this quarter.
  • Cross-platform malware: dedicated families surfaced this week against Windows, macOS, Android, and IIS-class web servers.

Figure: Top 10 new adversaries by indicator volume this week, colour-coded by class.

Key Trends Driving the Week

  • Supply-chain compromises now read like weekly background radiation. Three distinct disclosures landed in 168 hours: a templating package on the public package registry was hijacked to deliver an iOS exploit framework; a CI/CD workflow runner had every existing tag silently moved to point at an imposter commit that exfiltrates pipeline credentials; and a long-running web-server-side malware family for IIS-class servers resurfaced with a new variant traced to a single developer alias since 2021. The common operational theme: defenders can no longer treat public registries, workflow marketplaces, or third-party plugin sources as trusted upstream.
  • A critical SD-WAN authentication bypass is being mass-scanned. CVE-2026-20182 lets a remote, unauthenticated attacker take administrative control of affected SD-WAN edge appliances. Post-compromise activity already observed includes webshell deployment (the XenShell family in particular) and persistent operator footholds. The 17 distinct scanner IPs in this week’s feed are operator infrastructure enumerating exposed installations.
  • Mobile malware reaches a multi-platform peak. Three different mobile-focused families surface in the same week. A macOS infostealer cluster that has dominated macOS-targeting reporting throughout 2025 published fresh infrastructure; an Android banking trojan delivered through a fake document-reader on the official Android app store reached more than ten thousand downloads before takedown; and an Android malware-as-a-service framework sold on underground forums by a tracked operator surfaced fresh artefacts.
  • VoIP toll-fraud is back on the agenda. A tracked threat-actor cluster (INJ3CTOR3) was observed running a six-layer persistence chain against open-source VoIP server infrastructure. A previously undocumented webshell family (JOMANGY) was deployed alongside the known ZenharR webshell to route fraudulent international calls through victims’ SIP trunks. The financial-loss vector is direct — every minute of fraudulent traffic appears on the victim’s monthly telco invoice.
  • A regional banking trojan with full operational lifecycle reconstruction. A Brazil-focused banking trojan was mapped end-to-end by an investigation team — polymorphic payload generation, staged deployment, fileless PowerShell execution, AES-wrapped payload obfuscation, remote-input control, keylogging, screen streaming, and Pix QR code fraud. The cluster is tracked under the identifier SHADOW-WATER-063.
  • The infostealer long tail keeps growing. Five distinct stealer families surfaced this week — a310Logger, Aura Stealer, BlackSeeStealer, ApexTraderRAT, Arechclient2 — all targeting browser credentials, cookies, crypto wallet artefacts, and OS-level secrets. The volume of independent stealer families is now growing faster than any other adversary class in our pipeline.

Figure: Three independent supply-chain compromises in seven days, across three distinct developer ecosystems.

MITRE ATT&CK Tactic Coverage — A Strategic Dashboard

Every adversary in this advisory has been mapped to the MITRE ATT&CK Enterprise Matrix (v15). The chart below shows how many of this week’s 16 new adversaries land on each of the major ATT&CK tactics. For SOC managers and detection-engineering leads, this is the dashboard view of where this week’s operational pressure is concentrated.

Figure: MITRE ATT&CK tactic distribution across this week’s 16 new adversaries.

What this means for analysts: the heaviest concentrations this week sit on Execution, Command and Control, Credential Access, Exfiltration, and Initial Access. The supply-chain-heavy tradecraft pushes T1195 (Supply Chain Compromise) into the spotlight; the mobile-malware concentration drives Credential Access higher than recent weeks; the SD-WAN exploitation pushes T1190 (Exploit Public-Facing Application) onto the priority list.

Featured Adversary Profiles — Top 10 With Plain-English Context and MITRE Mapping

Each profile below includes a plain-English summary line (for newer analysts and non-specialist readers), a technical description, and the MITRE ATT&CK techniques mapped to the adversary.

1. BadIIS Malware — IIS Web-Server Hijacker

In plain English: A malware family that quietly installs itself onto production web servers running IIS, then hijacks visitor requests to redirect users toward malicious or illicit websites. The operator runs this as a service for hire, and a new variant has been tracked through development markers back to at least September 2021 under the alias lwxat.

Technical summary: Malware · 159 indicators · High severity · Confidence 85. The new variant is identified by embedded demo.pdb compilation markers. The operation aligns with a malware-as-a-service ecosystem associated with Chinese-speaking cybercrime communities. 152 of the 159 indicators are hash artefacts (DLL modules and IIS handler binaries); 7 are URLs to operator-controlled callback infrastructure.

MITRE ATT&CK: T1505.004 (Server Software Component: IIS Components) · T1190 (Exploit Public-Facing Application) · T1071.001 (Web Protocols) · T1105 (Ingress Tool Transfer) · T1059.001 (PowerShell) · T1027 (Obfuscated Files or Information) · T1574 (Hijack Execution Flow).

2. a310Logger — .NET Infostealer

In plain English: A credential-stealing malware family related to an earlier loader family, distributed via malicious-spam campaigns. It targets browser-saved passwords, email-client credentials, and other secrets on infected Windows machines, sending the loot back to operators for resale or follow-on fraud.

Technical summary: Malware · 71 indicators · High severity · Confidence 85. C# implementation, observed in malspam delivery chains. Exfiltrates browser and email-client credential stores. Industry impact: enterprises, individuals, financial services.

MITRE ATT&CK: T1566 (Phishing) · T1204.002 (User Execution: Malicious File) · T1555.003 (Credentials from Web Browsers) · T1555 (Credentials from Password Stores) · T1005 (Data from Local System) · T1041 (Exfiltration Over C2 Channel).

3. Compromised CI/CD Workflow Runner — Pipeline Credential Exfiltration

In plain English: A popular open-source CI/CD workflow component was tampered with so that every project pulling it would silently exfiltrate the credentials inside its build environment to attackers. The attack is particularly insidious because the workflow’s tags appeared unchanged but were silently re-pointed at malicious commits invisible in the normal commit history.

Technical summary: Malware Campaign · 69 indicators · High severity · Confidence 80. Every existing tag in the affected repository was moved to point to an imposter commit that does not appear in the action’s normal commit history. The malicious commit exfiltrates credentials from CI/CD pipelines that run the action.

MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain) · T1554 (Compromise Host Software Binary) · T1078 (Valid Accounts) · T1213.003 (Data from Information Repositories: Code Repositories) · T1552.004 (Unsecured Credentials: Private Keys) · T1041 (Exfiltration Over C2 Channel).

4. Compromised npm Templating Package — iOS Exploit Delivery

In plain English: A widely-used JavaScript templating package on the public registry was taken over by attackers, who then published new versions containing a backdoor. The backdoor secretly redirects users browsing affected sites toward a watering-hole page that delivers an iOS Safari exploit framework targeting iPhones running specific iOS versions.

Technical summary: Malware Campaign · 38 indicators · High severity · Confidence 80. The packaged backdoor pushes affected browsers to a malicious watering-hole that hosts an iOS exploit framework. The original maintainer’s account appears to have been compromised; warning issues on the project’s tracker were deleted by the new maintainer to suppress discovery.

MITRE ATT&CK: T1195.001 (Compromise Software Dependencies and Development Tools) · T1189 (Drive-by Compromise) · T1190 (Exploit Public-Facing Application) · T1204.001 (User Execution: Malicious Link) · T1608.004 (Drive-by Target) · T1071.001 (Web Protocols).

5. CVE-2026-20182 — SD-WAN Authentication Bypass (Active Scanning)

In plain English: A critical security flaw in certain enterprise SD-WAN edge appliances lets attackers bypass authentication entirely and take administrative control without credentials. Mass scanning is happening right now; post-compromise activity already includes webshell deployment for persistent access.

Technical summary: SCAN · 35 indicators · Low severity · Confidence 22. Authentication-bypass vulnerability in SD-WAN edge products allows remote attackers to gain administrative access without credentials. Post-compromise activity observed includes webshell deployment (the XenShell family) and persistent footholds. The 35 indicators in this week’s feed are scanner infrastructure.

MITRE ATT&CK: T1595.002 (Active Scanning: Vulnerability Scanning) · T1190 (Exploit Public-Facing Application) · T1078 (Valid Accounts via authentication bypass) · T1505.003 (Server Software Component: Web Shell) · T1133 (External Remote Services).

6. INJ3CTOR3 — VoIP Toll-Fraud Threat Cluster

In plain English: A financially-motivated hacker cluster that has been targeting VoIP server infrastructure since 2019. They install layered persistence and use compromised systems to route unauthorised international phone calls through victims’ phone lines — the victim’s monthly telco bill picks up the fraud.

Technical summary: Threat Actor · 10 indicators · High severity · Confidence 97. The campaign deploys a six-layer Bash dropper that installs a previously-undocumented PHP webshell family named JOMANGY alongside the known ZenharR webshell. Both tools route unauthorised calls through victims’ SIP trunks for direct financial gain. Target sector: organisations operating open-source VoIP server platforms.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application) · T1505.003 (Web Shell) · T1059.004 (Unix Shell) · T1546 (Event Triggered Execution) · T1071.001 (Web Protocols) · T1657 (Financial Theft) · T1090 (Proxy via SIP trunking).

7. BlackShades — Surveillance and Data-Theft RAT

In plain English: A remote-access trojan that gives attackers full control of infected machines — webcam access, file theft, screen monitoring, keylogging. Long-running family that re-emerged with fresh hashes this week.

Technical summary: Malware · 9 indicators · High severity · Confidence 85. Surveillance-focused RAT supporting webcam access, file theft, system monitoring, and persistent remote control on Windows hosts.

MITRE ATT&CK: T1059 (Command and Scripting Interpreter) · T1071 (Application Layer Protocol) · T1041 (Exfiltration Over C2 Channel) · T1056.001 (Keylogging) · T1113 (Screen Capture) · T1125 (Video Capture) · T1547.001 (Boot or Logon Autostart Execution).

8. AMOS — macOS Information Stealer

In plain English: The leading macOS-targeting malware family of 2025 — accounting for roughly 40% of macOS-protection updates last year. Sold as a malware-as-a-service product, it steals Keychain data, browser credentials, cookies, and cryptocurrency wallet artefacts from Mac users for rapid account-takeover monetisation.

Technical summary: Malware · 8 indicators · High severity · Confidence 85. Distributed under a malware-as-a-service model. Active in public reporting since at least April 2023; variants have been delivered via poisoned search results, fake AI-assistant download pages, and other social-engineering vectors throughout 2024–2026.

MITRE ATT&CK: T1566.002 (Spearphishing Link) · T1608.006 (Stage Capabilities: SEO Poisoning) · T1204.002 (Malicious File) · T1555.001 (Credentials from Keychain) · T1555.003 (Credentials from Web Browsers) · T1539 (Steal Web Session Cookie) · T1041 (Exfiltration Over C2 Channel).

9. Banana RAT — Brazilian Banking Trojan

In plain English: A banking trojan targeting Brazilian financial institutions, including the Pix instant-payment system. End-to-end intrusion model reconstructed: it generates a unique polymorphic payload per victim, hides itself via fileless PowerShell execution, then takes remote control of the victim’s session to commit Pix QR-code fraud.

Technical summary: Malware · 8 indicators · High severity · Confidence 85. Attributed to the tracked cluster SHADOW-WATER-063. Delivery involves polymorphic payload generation, staged deployment, fileless PowerShell execution. Capabilities include remote-input control, keylogging, screen streaming, and Pix QR code fraud. Layered obfuscation and AES-wrapped payloads frustrate endpoint detection.

MITRE ATT&CK: T1566 (Phishing) · T1059.001 (PowerShell) · T1027 (Obfuscated Files or Information) · T1027.002 (Software Packing) · T1056.001 (Keylogging) · T1113 (Screen Capture) · T1185 (Browser Session Hijacking) · T1657 (Financial Theft).

10. Anatsa — Android Banking Trojan via Official App Store

In plain English: A long-running Android banking trojan that keeps finding its way onto the official Android app store. This week’s vehicle was a fake document-reader app that reached over ten thousand downloads before being removed.

Technical summary: Malware · 6 indicators · High severity · Confidence 85. Distributed via a fake document-reader application on the official Android marketplace; 10,000+ downloads before takedown. Targets banking and financial-services credentials on Android devices.

MITRE ATT&CK (Mobile Matrix): T1660 (Phishing) · T1404 (Exploitation for Privilege Escalation) · T1417.001 (Input Capture: Keylogging) · T1417.002 (GUI Input Capture) · T1412 (Capture SMS Messages) · T1641 (Data Manipulation) · T1437.001 (Application Layer Protocol: Web Protocols).

State-Sponsored and Tracked-Actor Activity

The week is dominated by financially-motivated tradecraft, with one notable tracked-actor cluster:

INJ3CTOR3 — VoIP Toll-Fraud Operator

Tracked since 2019, primarily targeting VoIP server infrastructure for direct financial theft via toll fraud. The campaign documented this week deploys a multi-layer persistence chain combined with two distinct PHP webshells (JOMANGY and ZenharR). The financial-loss vector is unusual — defenders detect the attack first on their telco invoices, not their SIEM dashboards.

SHADOW-WATER-063 — Brazil-Focused Banking Cluster (Banana RAT)

Newer tracked cluster targeting Brazilian financial institutions with a polymorphic, fileless banking trojan. The end-to-end operational model — payload generation, staged deployment, PowerShell execution, Pix QR-code fraud — represents the highest level of operational discipline we have observed in regional banking malware reporting this year.

LARVA-398 — AntiDot Operator

Underground-forum operator selling the AntiDot Android botnet as a malware-as-a-service product. The framework is packaged as a three-in-one solution including loader, packer, and botnet infrastructure — lowering the barrier-to-entry for downstream criminal affiliates.

Three Independent Supply-Chain Compromises in One Week

Three distinct supply-chain disclosures landed within the 18–24 May window, each touching a different developer ecosystem. The common operational theme: defenders can no longer treat public registries, workflow marketplaces, or third-party plugin sources as trusted upstream.

1. Public Package Registry — Templating Library Hijack

A widely-used JavaScript templating package on the public npm registry was taken over after the original maintainer’s project was compromised. The new maintainer published malicious versions and deleted issues on the project’s tracker that warned about suspicious behaviour. The packaged backdoor redirects affected browsers to a watering-hole that delivers an iOS exploit framework targeting iPhones running specific iOS versions. MITRE: T1195.001 · T1189 · T1608.004 · T1204.001.

2. CI/CD Workflow Action — Tag-Rewriting Credential Theft

An open-source CI/CD workflow action used by many projects had every existing tag silently moved to point to an imposter commit that does not appear in the action’s normal commit history. The malicious commit exfiltrates credentials from any CI/CD pipeline that runs the action. The tag-rewriting technique is particularly insidious — projects pinning to a specific tag still pull the malicious code, even if they thought they were locked to a known-good version. MITRE: T1195.002 · T1554 · T1213.003 · T1552.004 · T1078.
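The tag-rewriting pattern above is only invisible to projects that reference actions by tag. The following script is an added example written for this advisory (it is not code from the page or from any affected project): it scans workflow files for `uses:` references, treats only a full 40-hex commit SHA as pinned, and includes a helper that checks whether the commit a tag resolves to is actually part of the default branch's history, which is the check step 2 of "How to Operationalise" asks for. The sample workflow, the `example-org/example-action` name and the SHA are constructed placeholders.

```python
"""Audit GitHub Actions workflows for mutable action references.

Added example for this advisory; it is not code from the page or from any
affected project. It scans `uses:` lines without a YAML dependency (the field
is one token per line, so a regex suffices) and treats a reference as pinned
only when it is a full 40-hex commit SHA. Tags (v4, v4.1.2) and branches
(main) are mutable and can be re-pointed, which is the pattern described
above. SAMPLE_WORKFLOW, example-org/example-action and the SHA are constructed.
"""
import re
import sys
from pathlib import Path

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref):
    """Return 'sha', 'tag' or 'branch' for the part after '@' in a uses: value.
    An empty ref means the action's default branch, which is also mutable."""
    if SHA_RE.match(ref):
        return 'sha'
    if re.match(r'^v?\d', ref):
        return 'tag'
    return 'branch'


def scan_workflow(text, filename='<inline>'):
    """Return (filename, line_no, action, ref, kind) for every external action.
    Local composite actions (./path) and docker:// images are skipped; they are
    not pulled from a marketplace and need a different check."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith('./') or target.startswith('docker://'):
            continue
        action, _, ref = target.partition('@')
        findings.append((filename, n, action, ref, classify_ref(ref)))
    return findings


def unpinned(findings):
    """Findings whose reference can be silently re-pointed upstream."""
    return [f for f in findings if f[4] != 'sha']


def tag_is_in_history(tag_sha, branch_history):
    """True when the commit a tag resolves to is part of the default branch's
    history (for example the output of `git rev-list origin/main`). A tag that
    resolves to a commit absent from that list is the imposter-commit pattern:
    the tag looks unchanged, but the code behind it is outside the repository's
    normal history."""
    return tag_sha in set(branch_history)


# Constructed sample; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-lint
      - uses: example-org/example-action@main
      - run: npm test
"""


def audit_directory(root='.github/workflows'):
    """Scan every workflow file under root and return the unpinned findings."""
    results = []
    for path in sorted(Path(root).glob('*.y*ml')):
        results.extend(unpinned(scan_workflow(path.read_text(), str(path))))
    return results


if __name__ == '__main__':
    hits = audit_directory(sys.argv[1] if len(sys.argv) > 1 else '.github/workflows')
    for filename, n, action, ref, kind in hits:
        print(f'{filename}:{n}: {action}@{ref} is a mutable {kind}; pin to a commit SHA')
    sys.exit(1 if hits else 0)
```

Run it against a checkout's `.github/workflows` directory; a non-zero exit means at least one action is referenced by tag or branch. Pinning to a SHA removes the tag-rewrite exposure but not the need to review the pinned commit itself, so the `tag_is_in_history` check belongs in the same review.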

3. IIS Web-Server Module — Long-Running Server-Side Hijack

The BadIIS family resurfaced with a new variant whose embedded compilation markers show continuous development from September 2021 through January 2026 by a developer alias known as lwxat. The malware hijacks web-server request handling and redirects visitors to illicit destinations — a server-side supply-chain pattern that affects every visitor to a compromised site, not just developers pulling a malicious dependency. MITRE: T1505.004 · T1190 · T1071.001 · T1574.

Critical Vulnerability of the Week — CVE-2026-20182

In plain English: If your network uses SD-WAN edge appliances from a major enterprise networking vendor, this is the patch that must happen this week. The vulnerability lets remote attackers become administrators of your network edge without needing a password.

Technical summary: CVE-2026-20182 is an authentication-bypass vulnerability affecting specific SD-WAN edge appliance products. Successful exploitation grants unauthenticated remote attackers complete administrative access. Post-compromise activity already observed in the wild includes webshell deployment (the XenShell family) and persistent operator footholds. The 35 SCAN-classified indicators in this week’s feed represent operator scanner infrastructure actively enumerating exposed installations. Operators of affected SD-WAN environments should treat patching as the highest priority of the week. Network teams should verify their inventory of affected appliances and confirm that management interfaces are not internet-reachable.

Mobile Threats — A Cross-Platform Surge

Anatsa — Android Banking Trojan

Delivered via a fake document-reader on the official Android marketplace; over ten thousand downloads before removal. Long-running family that has repeatedly found ways past official app-store review. MITRE (Mobile): T1660 · T1404 · T1417.001 · T1417.002 · T1412.

AntiDot — Android Malware-as-a-Service

Three-in-one Android botnet sold on underground forums by the operator LARVA-398. Bundle includes loader, packer, and botnet infrastructure — designed to lower the operational barrier for downstream criminal affiliates. Capabilities include accessibility-service abuse for screen recording, SMS interception, and application-log theft. MITRE (Mobile): T1417.001 · T1417.002 · T1412 · T1414 · T1637 · T1041.

AMOS — macOS Information Stealer

The leading macOS-focused malware family of 2025; sold as malware-as-a-service. Steals Keychain data, browser credentials, cookies, autofill information, and cryptocurrency wallet artefacts. Distribution channels observed include poisoned search results, fake AI-assistant download pages, and other social-engineering vectors. MITRE: T1566.002 · T1608.006 · T1204.002 · T1555.001 · T1555.003 · T1539 · T1041.

Geographic Targeting This Week

  • Brazil: Banana RAT financial-trojan operations against Brazilian banking and Pix payment infrastructure.
  • Global: AMOS (macOS), Anatsa (Android), a310Logger, BlackShades, ApexTraderRAT, Arechclient2, BlackSeeStealer, Aura Stealer — all broad-spectrum operations without specific regional targeting.
  • Chinese-speaking cybercrime ecosystem: BadIIS server-side hijacker (Chinese-speaking developer alignment).
  • Public package and CI/CD ecosystems: the supply-chain disclosures are inherently global.
  • VoIP infrastructure operators worldwide: INJ3CTOR3 toll-fraud campaign.

How to Operationalise This Advisory in Your Environment

  1. Patch SD-WAN edge appliances against CVE-2026-20182 this week. The combination of unauthenticated remote exploitation, confirmed active scanning, and confirmed post-compromise webshell deployment makes this the single highest patch priority of the week for any organisation operating affected appliances.
  2. Audit your CI/CD workflow inventory immediately. Identify every workflow action pulled from third-party sources. Confirm the action’s commit history matches what you expect (tags should point to verifiable commits in the normal history, not imposter commits). Where possible, pin actions to specific commit SHAs rather than mutable tags.
  3. Lock down public-package-registry consumption. Maintain an internal mirror or curated allow-list for production dependencies. Treat every package update as a small change-control event.
  4. Inventory IIS-class web servers and validate request-handler modules. Compare loaded modules against a known-good baseline. Unexplained handler registrations are a high-fidelity signal of BadIIS-family compromise.
  5. Push the AMOS and Anatsa indicator sets into enterprise mobile-management blocklists. Both campaigns are predominantly URL- and hash-driven — the detection cost is trivial and the lift is substantial.
  6. Baseline VoIP / SIP trunk usage. If your organisation runs internal VoIP infrastructure, monitor outbound call volume and international-call patterns. INJ3CTOR3-class toll fraud surfaces first on the telco invoice; defenders running their own VoIP should see it sooner.
  7. Pair this advisory with the kill-chain hunts in our VPC Flow Log series. Specifically: adaptive C2 beacon detection, TLS fingerprinting, and DGA and DNS-tunnel hunting.
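Step 6 asks for a baseline of SIP trunk usage. The following is an added example written for this advisory (not code from the page or from any PBX project) that reads a CSV call-detail-record export, totals international billable seconds (the number that later appears on the telco invoice) and raises alerts on the two signals an abused trunk produces first: a burst of international calls from one extension within an hour, and international calling outside business hours. The CDR rows are constructed, `HOME_CC` assumes a UK-based PBX, and the thresholds are starting points to tune against your own baseline rather than vendor defaults.

```python
"""Baseline SIP trunk usage from a CDR export and flag toll-fraud patterns.

Added example for this advisory, not code from the page or from any PBX
project. It assumes a CSV CDR export with timestamp, source extension,
dialled number (E.164, leading '+') and billable seconds; SAMPLE_CDR is
constructed, HOME_CC assumes a UK-based PBX, and the thresholds are starting
points to tune against your own baseline, not vendor defaults.
"""
import csv
import io
from collections import Counter
from datetime import datetime

HOME_CC = '+44'                 # assumption: numbers not starting with this are international
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time
MAX_INTL_PER_EXT_PER_HOUR = 3   # per-extension burst threshold; tune to baseline

# Constructed sample, not real traffic. The +999 prefix is unassigned.
SAMPLE_CDR = """\
timestamp,src,dst,billsec
2026-05-20 10:02:11,1001,+442079460100,180
2026-05-20 10:15:40,1002,+14155550100,60
2026-05-20 11:05:02,1003,+442079460101,300
2026-05-21 02:13:07,1001,+9990000001,55
2026-05-21 02:13:09,1001,+9990000002,58
2026-05-21 02:13:12,1001,+9990000003,61
2026-05-21 02:14:01,1001,+9990000004,57
2026-05-21 02:14:03,1001,+9990000005,59
2026-05-21 02:14:30,1001,+9990000006,60
"""


def parse_cdr(text):
    """Parse the CSV export into rows with a datetime and integer billsec."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            'ts': datetime.strptime(rec['timestamp'], '%Y-%m-%d %H:%M:%S'),
            'src': rec['src'],
            'dst': rec['dst'],
            'billsec': int(rec['billsec']),
        })
    return rows


def is_international(dst):
    return not dst.startswith(HOME_CC)


def international_seconds(rows):
    """Total billable seconds to international destinations: the figure that
    eventually shows up on the telco invoice, so it is the figure to trend."""
    return sum(r['billsec'] for r in rows if is_international(r['dst']))


def find_toll_fraud(rows):
    """Return alerts for two signals an abused SIP trunk produces first:
    a burst of international calls from one extension within an hour, and
    any international calling outside business hours."""
    burst = Counter()
    after_hours = Counter()
    for r in rows:
        if not is_international(r['dst']):
            continue
        burst[(r['src'], r['ts'].strftime('%Y-%m-%d %H:00'))] += 1
        if r['ts'].hour not in BUSINESS_HOURS:
            after_hours[(r['src'], r['ts'].strftime('%Y-%m-%d'))] += 1
    alerts = []
    for (src, window), n in sorted(burst.items()):
        if n > MAX_INTL_PER_EXT_PER_HOUR:
            alerts.append({'kind': 'intl_burst', 'src': src, 'window': window, 'count': n})
    for (src, window), n in sorted(after_hours.items()):
        alerts.append({'kind': 'after_hours_intl', 'src': src, 'window': window, 'count': n})
    return alerts


if __name__ == '__main__':
    rows = parse_cdr(SAMPLE_CDR)
    print(f'international seconds: {international_seconds(rows)}')
    for a in find_toll_fraud(rows):
        print(f"{a['kind']}: extension {a['src']} placed {a['count']} international calls in {a['window']}")
```

Feed it a daily CDR export and trend `international_seconds` alongside the alerts; a trunk that normally carries a few international minutes a day and suddenly carries hours overnight is the invoice-level symptom the advisory describes, seen before the invoice arrives.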

Full Weekly IOC Summary — All 16 Unique Adversaries

| Adversary | Type | IP | Domain | Hash | URL | Total | Severity |
|---|---|---|---|---|---|---|---|
| BadIIS malware | Malware | 0 | 0 | 152 | 7 | 159 | High |
| a310Logger | Malware | 0 | 0 | 71 | 0 | 71 | High |
| actions-cool/issues-helper | Malware Campaign | 0 | 1 | 0 | 0 | 69 | High |
| art-template npm package | Malware Campaign | 0 | 1 | 31 | 6 | 38 | High |
| CVE-2026-20182 | SCAN | 17 | 1 | 12 | 5 | 35 | Low |
| INJ3CTOR3 | Threat Actor | 5 | 0 | 4 | 1 | 10 | High |
| BlackShades | Malware | 0 | 0 | 9 | 0 | 9 | High |
| AMOS | Malware | 4 | 2 | 2 | 0 | 8 | High |
| Banana RAT | Malware | 1 | 0 | 4 | 3 | 8 | High |
| Anatsa | Malware | 0 | 0 | 2 | 4 | 6 | High |
| AntiDot | Malware | 0 | 0 | 6 | 0 | 6 | High |
| BlackSeeStealer | Malware | 0 | 0 | 3 | 0 | 3 | High |
| ApexTraderRAT | Malware | 0 | 0 | 3 | 0 | 3 | High |
| Arechclient2 | Malware | 0 | 0 | 3 | 0 | 3 | High |
| Asyncrat | C2 | 0 | 0 | 0 | 2 | 2 | Medium |
| Aura Stealer | Malware | 0 | 0 | 1 | 0 | 1 | High |

The actions-cool/issues-helper total includes the 68 multi-type artefacts reported in the “This Week in Numbers” panel, which are not broken out by column; the column totals otherwise reconcile to the 27 IPs, 5 domains, 303 hashes and 28 URLs reported there.

The complete dataset is available on request via the contact page — we make this intelligence available to qualified SOC and CERT teams free of charge.

Top 20 Indicators Per Type — Unique to This Week

Ranking combines severity (High over Medium over Low) and ML-derived confidence score, breaking ties by most-recent detection. All values shown are new — none appear in last week’s reporting.

Top 20 IP Addresses

| IOC Value | Adversary | Confidence |
|---|---|---|
| 45.234.176.202 | INJ3CTOR3 | 97 |
| 45.95.147.178 | INJ3CTOR3 | 97 |
| 169.150.218.33 | INJ3CTOR3 | 97 |
| 146.70.129.114 | INJ3CTOR3 | 97 |
| 169.150.218.37 | INJ3CTOR3 | 97 |
| 38.244.158.56 | AMOS | 85 |
| 45.94.47.204 | AMOS | 85 |
| 199.217.98.33 | AMOS | 85 |
| 45.94.47.205 | AMOS | 85 |
| 162.141.111.227 | Banana RAT | 85 |
| 38.181.52.89 | CVE-2026-20182 | 22 |
| 89.125.244.33 | CVE-2026-20182 | 22 |
| 89.125.244.51 | CVE-2026-20182 | 22 |
| 71.80.85.135 | CVE-2026-20182 | 22 |
| 212.83.162.37 | CVE-2026-20182 | 22 |
| 38.60.214.92 | CVE-2026-20182 | 22 |
| 65.20.67.134 | CVE-2026-20182 | 22 |
| 104.233.156.1 | CVE-2026-20182 | 22 |
| 194.233.100.40 | CVE-2026-20182 | 22 |
| 194.163.175.135 | CVE-2026-20182 | 22 |

Top Domains

| IOC Value | Adversary | Confidence |
|---|---|---|
| sphereou.com | AMOS | 85 |
| sassonco.com | AMOS | 85 |
| v3.jiathis.com | art-template npm package | 80 |
| t.m-kosche.com | actions-cool/issues-helper | 80 |
| a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev | CVE-2026-20182 | 22 |

Top 20 File Hashes

| IOC Value | Adversary | Confidence |
|---|---|---|
| cf710203400b8c466e6dfcafcf36a411 | INJ3CTOR3 | 97 |
| b92c65af386ed772972b43cab0d55a4a | INJ3CTOR3 | 97 |
| bfcedbc1831779921a0ee2cfaee004f2 | INJ3CTOR3 | 97 |
| 6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9 | INJ3CTOR3 | 97 |
| 98a78797b8a8db6976d8510dc697babfd35892ec6c37aaf5d2b385495aa8d84f | BlackShades | 85 |
| 80af17d557497b0b88e7132c3653ba37aeaf9ea5 | BlackShades | 85 |
| 2ccbd25c4c0845a33e563afad30fa6d7 | BlackShades | 85 |
| 78ef29227c3af00b3d31d9cb214febfcc1424ce78fa813e5a6b7ead453f3fb67 | AntiDot | 85 |
| df3051d84e6e26d845f0d3408329a359e8d4996e | AntiDot | 85 |
| f4d8432cee7a32f1af540b82060e42fb | AntiDot | 85 |
| 37ca38979f944ff0aa1a75343a9a5645d8559f6505c3b35615d0b0ae06ab28e6 | AntiDot | 85 |
| f5eb652bbdf8efda2dd34419648fadbd5e6c9387 | AntiDot | 85 |
| 8a5ad3ea51cfd79859377eec67a7e190 | AntiDot | 85 |
| f079db799af00ffcdef014996c777676824771caa08eeb49963af4ccd288e036 | a310Logger | 85 |
| e6497e67d91069357ff5e55586909ba397c77533 | a310Logger | 85 |
| b1283c34b3878f8fac668cc343038032 | a310Logger | 85 |
| e3298a7c4cd5b44db8239823d94d589eea3c6e553c5a6e197312cb6f9d62c091 | a310Logger | 85 |
| b28c0a1480a2187732b3b5f3fdc0d728cc5ea7d7 | a310Logger | 85 |
| 5dec3bae6a749c05b3e1c56a983e3ca7 | a310Logger | 85 |
| db5eff9f1566d869fc356a3e5a2424e642d86f924760b5d6c605e93ef5dc0130 | a310Logger | 85 |

Top 20 URLs

| IOC Value | Adversary | Confidence |
|---|---|---|
| http://45.95.147.178/z/post/noroot.php | INJ3CTOR3 | 97 |
| http://172.86.91.94/api/ | Anatsa | 85 |
| http://193.24.123.18:85/api/ | Anatsa | 85 |
| http://162.252.173.37:85/api/ | Anatsa | 85 |
| http://23.251.108.10:8080/privacy.txt | Anatsa | 85 |
| http://143.92.36[.]109/authorize.txt | BadIIS malware | 85 |
| http://38.181.52[.]147/authorize.txt | BadIIS malware | 85 |
| http://154.23.186[.]99/authorize.txt | BadIIS malware | 85 |
| http://lee.6686ty[.]vip/listen/authorize.txt | BadIIS malware | 85 |
| http://154.36.149[.]4:7788/pipen/listen.php | BadIIS malware | 85 |
| http://iis.01nmwe[.]xyz/cs/123.php | BadIIS malware | 85 |
| http://45.194.17[.]133/authorize.txt | BadIIS malware | 85 |
| http://24.199.90.58:80/ | Banana RAT | 85 |
| http://24.199.90.58:80/payload.php | Banana RAT | 85 |
| http://24.199.90.58:80/st.txt | Banana RAT | 85 |
| https://v3.jiathis.com/code/jia.js?uid=artemplate | art-template npm package | 80 |
| https://v3.jiathis.com/code/art.js | art-template npm package | 80 |
| https://utaq.cfww.shop/gooll/gooll.html | art-template npm package | 80 |
| https://utaq.cfww.shop/gooll/49554fde7424c31c.js | art-template npm package | 80 |
| https://l1ewsu3yjkqeroy.xyz/api/ip-sync/sync | art-template npm package | 80 |
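The indicator tables above mix value types, defanged and plain notation, and confidence scores that differ by more than four-fold between the INJ3CTOR3 artefacts and the CVE-2026-20182 scanner IPs, so they should not go onto a block list as one undifferentiated set. The following is an added example for this advisory (it is not the HACKFORLAB pipeline or any SIEM vendor's importer) that parses rows in the "IOC Value · Adversary · Confidence" layout used above, refangs values, infers the indicator type from its shape, and routes each record to either a block list or a watchlist; the sample rows are copied from the tables on this page, and `MIN_BLOCK_CONFIDENCE` is an assumed policy threshold rather than a value from the advisory.

```python
"""Turn the advisory's indicator tables into typed, routed SIEM records.

Added example, not the advisory's pipeline or any SIEM vendor's importer.
It parses "value adversary confidence" rows (SAMPLE_TABLE copies a few rows
from the page), refangs defanged values, infers the indicator type from its
shape, and routes each record: high-confidence indicators go to the block
list, while low-confidence SCAN infrastructure (the CVE-2026-20182 scanner
IPs at confidence 22) goes to a watchlist only. MIN_BLOCK_CONFIDENCE is an
assumed policy threshold, not a value from the page.
"""
import json
import re

MIN_BLOCK_CONFIDENCE = 60   # assumed policy: below this, watch but do not block

IP_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
URL_RE = re.compile(r'^[a-z]+://')

# Rows copied from the tables on the page; the header line is kept to show
# that it is skipped.
SAMPLE_TABLE = """\
IOC Value Adversary Confidence
45.234.176.202 INJ3CTOR3 97
sphereou.com AMOS 85
http://143.92.36[.]109/authorize.txt BadIIS malware 85
f079db799af00ffcdef014996c777676824771caa08eeb49963af4ccd288e036 a310Logger 85
e6497e67d91069357ff5e55586909ba397c77533 a310Logger 85
b1283c34b3878f8fac668cc343038032 a310Logger 85
38.181.52.89 CVE-2026-20182 22
"""


def refang(value):
    """Undo the common [.] and hxxp defanging so the value can be matched."""
    return value.replace('[.]', '.').replace('hxxp', 'http')


def defang(value):
    """Defang only the host part of a URL so paths stay readable in reports."""
    if '://' in value:
        scheme, rest = value.split('://', 1)
        host, sep, path = rest.partition('/')
        return scheme.replace('http', 'hxxp') + '://' + host.replace('.', '[.]') + sep + path
    return value.replace('.', '[.]')


def classify(value):
    """Infer the indicator type from the refanged value's shape."""
    if URL_RE.match(value):
        return 'url'
    if IP_RE.match(value):
        return 'ip'
    if HEX_RE.match(value):
        return {32: 'md5', 40: 'sha1', 64: 'sha256'}.get(len(value), 'unknown-hash')
    return 'domain'


def parse_table(text):
    """Parse 'value adversary... confidence' rows; the adversary may be several words."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        try:
            confidence = int(tokens[-1])
        except ValueError:
            continue                      # header or stray line
        value = refang(tokens[0])
        records.append({
            'type': classify(value),
            'value': value,
            'adversary': ' '.join(tokens[1:-1]),
            'confidence': confidence,
            'action': 'block' if confidence >= MIN_BLOCK_CONFIDENCE else 'watch',
        })
    return records


def to_jsonl(records):
    """One JSON object per line, the shape most SIEM and SOAR ingesters accept."""
    return '\n'.join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == '__main__':
    print(to_jsonl(parse_table(SAMPLE_TABLE)))
```

The `action` field is what the downstream consumer should key on: scanner IPs at confidence 22 are worth an alert when they touch an SD-WAN management interface, but blocking them outright adds little and churns as the scanner pool rotates.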

Glossary — Terms Used in This Advisory

  • IOC (Indicator of Compromise): a piece of evidence — an IP, domain, file hash, URL, or email — that suggests a system has been compromised.
  • APT (Advanced Persistent Threat): a well-resourced, typically state-sponsored cyber-attack group that maintains long-term access to compromised environments.
  • RAT (Remote Access Trojan): malware that gives a remote operator interactive control over an infected machine.
  • MaaS (Malware-as-a-Service): a business model where a core team builds the malware and sells operational access to downstream criminal affiliates.
  • C2 / Command and Control: the infrastructure an attacker uses to communicate with their malware after it has infected a target.
  • Supply-chain attack: an attack that compromises a trusted upstream dependency — a public package, a CI/CD workflow, or a third-party plugin — so that downstream consumers automatically pull the malicious code.
  • Webshell: a piece of code uploaded to a compromised web server that gives the attacker a persistent remote shell through the server’s normal HTTP interface.
  • MITRE ATT&CK: a globally-used knowledge base of adversary tactics and techniques. Each technique has an identifier like T1190.
  • CVE (Common Vulnerabilities and Exposures): a unique identifier for a publicly-disclosed security vulnerability. Format: CVE-YYYY-NNNNN.
  • CVSS (Common Vulnerability Scoring System): a 0.0–10.0 score quantifying how severe a CVE is. 9.0+ is “critical.”
  • SD-WAN: Software-Defined Wide-Area Network — enterprise networking technology that runs on edge appliances, replacing traditional MPLS-based connectivity.
  • SOC (Security Operations Centre): the team responsible for detecting and responding to security incidents.
  • SIEM / EDR / NDR / XDR / SOAR: classes of detection and response tooling, focused on log aggregation (SIEM), endpoints (EDR), network (NDR), unified (XDR), and automation (SOAR).
  • VoIP / SIP trunk: Voice-over-IP infrastructure and the signalling/routing trunks that connect VoIP servers to the public telephone network.
  • Pix: the Brazilian central-bank-operated instant payment system; high-frequency target for regional banking trojans.
  • Confidence score: a 0–100 value our ML pipeline assigns to each indicator based on source reliability, corroboration, and intrinsic indicator quality.

Related Reading on HACKFORLAB

HACKFORLAB Threat Hunt Intelligence Platform

Every adversary, indicator, and technique referenced in this advisory is operational right now on our hosted threat-hunting workbench. SOC, CERT, MSSP, and detection-engineering teams use the platform to pivot indicators against live telemetry, enrich on demand, query historical adversary attribution, and track campaign evolution week over week.

Sign in to start hunting: https://huntintel.hackforlab.com/login.html

Happy Threat Hunting

If this advisory sharpened your team’s posture this week, share it with your peers, subscribe to the feed, and send us your war stories — the sharper our reader signal, the sharper the next edition becomes. Stay paranoid. Stay patched. Happy threat hunting.
