Long-form analyst writeups
OSINT briefs and technical profiles, synthesised from primary public reporting. Each piece cites its sources inline and is authored to the standard of a vendor intel team’s deliverable.
Infrastructure pivot: KV-botnet & Volt Typhoon's residential-proxy plane
2026-05-18 · Thomas Malinowski
The KV-botnet is a cluster of compromised end-of-life SOHO routers — principally Cisco RV320/RV325 dual-WAN devices, NetGear ProSAFE series, and Axis network cameras — that the PRC state-sponsored group Microsoft tracks…
Tags: Volt Typhoon, PRC, KV-botnet, JDY-botnet, SOHO routers, passive DNS

Threat-hunting brief: Golden SAML token forgery in Azure AD / ADFS environments
2026-05-18 · Thomas Malinowski
APT29 / Midnight Blizzard demonstrated in the SolarWinds post-compromise phase (Dec 2020 – Jan 2021) that an attacker who extracts an on-prem ADFS token-signing certificate can forge SAML 2.0 assertions for any identity…
Tags: APT29, Midnight Blizzard, Azure AD, Microsoft 365, Golden SAML, T1606.002

Technical profile: AcidRain (Sandworm, Viasat KA-SAT modem wiper, Feb 24 2022)
2026-05-18 · Thomas Malinowski
AcidRain is a statically-linked MIPS ELF wiper deployed against Viasat KA-SAT satellite modems on 24 February 2022 — approximately one hour before Russian ground forces crossed into Ukraine. Executing on the modems' emb…
Tags: Sandworm, Russia, GRU Unit 74455, AcidRain, Viasat, KA-SAT

BlueHammer and the disgruntled-researcher zero-day class
2026-05-17 · Thomas Malinowski
On **3 April 2026**, a researcher publishing under the aliases **Chaotic Eclipse** and **Nightmare-Eclipse** dropped a working proof-of-concept on GitHub for an unpatched Windows local privilege escalation now tracked a…
Tags: Windows, Defender, MsMpEng, TOCTOU, VSS, SAM

Technical profile: VersaMem (Volt Typhoon, CVE-2024-39717)
2026-05-16 · Thomas Malinowski
VersaMem is a custom Java web shell observed by Lumen Technologies' Black Lotus Labs in August 2024, attached as a malicious agent to the Apache Tomcat process running on Versa Director — the centralised management plan…
Tags: Volt Typhoon, China, web shell, Java, Tomcat, Javassist

Stryker, Handala, and the rise of MDM-abuse-as-wiper
2026-05-16 · Thomas Malinowski
On 11 March 2026, **Stryker Corporation** — one of the world's largest medical-device manufacturers (~$22B revenue, 51,000 employees) — disclosed a destructive cyberattack that disrupted its global internal networks and…
Tags: Iran, MOIS, Handala, Void Manticore, Stryker, MDM

ShinyHunters' cloud-data-platform pivot: Snowflake to Salesforce, 2024–2026
2026-05-16 · Thomas Malinowski
Between mid-2024 and early 2026, the financially-motivated cybercrime collective tracked as **ShinyHunters** (and its sub-cluster **UNC5537** in Mandiant's reporting) executed two of the largest eCrime campaigns of the…
Tags: ShinyHunters, UNC5537, Snowflake, Salesforce, eCrime, infostealer

Salt Typhoon — a two-year reconstruction (Sep 2024 – Apr 2026)
2026-05-16 · Thomas Malinowski
A People's Republic of China Ministry of State Security cluster that Microsoft tracks as Salt Typhoon (and that other vendors track as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor, and FamousSparrow) spent at least th…
Tags: China, MSS, telecom, espionage, lawful-intercept, edge-devices