Joined December 2015
In case you've missed it, we have a blog! Every week, a Hunter Strategy expert shares their tips, opinions, and advice in an article. These blog posts can help expand your knowledge and give you tools for success! Read more here: medium.com/hunter-strategy #blog #hunterstrategy #IT
Love when the "work faster" feature becomes the "attackers work faster" feature. ServiceNow's AI agents can be hijacked to impersonate admins, chain into lateral movement, and do your adversary's job for them. 🤡 Details and what to do about it: f.mtr.cool/sfacbdpstg
🔥 Compliance isn't a moment in time. It's a continuous process. New episode on continuous monitoring and risk assessment: from FISMA mandates to real-time validation, why point-in-time compliance is no longer enough and what a modern risk posture actually looks like. 🎧 f.mtr.cool/srlqofxvlk #CyberSecurity #ContinuousMonitoring #RiskManagement
Meta's AI support bot was socially engineered into resetting Instagram account passwords. No zero-day or database breach. Simply a chatbot that was designed to reduce friction - and did exactly that, just not for the intended user. The exploit was straightforward: spoof a VPN location near the target, initiate a password reset, route to the AI support assistant, and ask it to link a new email. The bot complied. A one-time code followed. Account seized. The accounts of the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian content before Meta patched the flow. The takeaway isn't a "bad" bot. It's that AI support layers inherit the same social engineering risks as human support teams but with faster throughput and no gut instinct to hold them back. One thing stopped this attack cold: MFA. Accounts with any form of multi-factor authentication enabled were untouched. Enable it. Enforce it. No exceptions. 🔗 Source: f.mtr.cool/lbayrwbewr #Cybersecurity #SocialEngineering #AI #MFA #InfoSec
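The point of the Meta post is that the AI layer must enforce the same verification a human agent would, and that signals the attacker controls (a spoofed VPN location) must never count as proof. The following is an added example of that pattern, not Meta's code or anything from the linked source: a deterministic policy gate that sits between the assistant and its tools, with action names, verification levels and the attempt cap chosen here for illustration.

```python
"""Deterministic authorization gate in front of an AI support assistant's tools.

Added example, not Meta's or any vendor's code. The assistant may propose an
action; this layer decides whether the chat session has proven enough to run it.
Action names, verification levels and the attempt cap are assumptions chosen
to illustrate the pattern.
"""
from dataclasses import dataclass
from enum import IntEnum


class Verified(IntEnum):
    NONE = 0        # anonymous chat session
    EMAIL_CODE = 1  # proved control of the email already on file
    MFA = 2         # completed a second factor already bound to the account


# Minimum verification for each tool the model can call. Anything that changes
# how an account is recovered (new email, new phone, password) is gated like a
# password change. Location, device fingerprint or "VPN near the profile" are
# deliberately absent: they are hints the attacker controls, not proof.
REQUIRED = {
    "lookup_order_status": Verified.NONE,
    "resend_login_link": Verified.EMAIL_CODE,
    "link_recovery_email": Verified.MFA,
    "reset_password": Verified.MFA,
}

MAX_RECOVERY_ATTEMPTS = 3  # per account per window; counted server-side, not in the prompt


@dataclass
class Session:
    account_id: str
    verified: Verified = Verified.NONE
    recovery_attempts: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, action: str) -> Decision:
    """Decide whether `action` may run for this session. Deny by default."""
    required = REQUIRED.get(action)
    if required is None:
        return Decision(False, f"unknown tool {action!r}: deny by default")
    if required >= Verified.EMAIL_CODE:
        # Every recovery-class request counts, allowed or not, so an attacker
        # cannot probe the bot for free until some path succeeds.
        if session.recovery_attempts >= MAX_RECOVERY_ATTEMPTS:
            return Decision(False, "recovery rate limit hit: hand off to human review")
        session.recovery_attempts += 1
    if session.verified < required:
        return Decision(False,
                        f"{action} needs {required.name}, session only has {session.verified.name}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Replay the flow from the post: an unverified session asks to link a new email.
    s = Session("acct-1")
    print(authorize(s, "link_recovery_email"))   # denied: needs MFA
    s.verified = Verified.MFA
    print(authorize(s, "link_recovery_email"))   # allowed
```

The model never sees `REQUIRED`; it can argue all it likes, but the only way `link_recovery_email` runs is a session that already completed MFA, which is exactly the population the post says was untouched.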
Nothing says "advanced threat actor" like asking politely for your password and getting it. Reaper infostealer fakes an Apple security prompt via Script Editor - and if you fall for it, it takes everything. Keychain, browsers, crypto wallets, the works. Full breakdown: f.mtr.cool/kjhgkueygk #Cybersecurity #MacOS #InfoStealer
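The fake Apple prompt is built from AppleScript's `display dialog ... default answer "" with hidden answer`, which is the only native way to draw a masked password field from a script, so the runner (osascript or Script Editor) plus that construct is a high-signal detection. Below is an added example of that check, not code from the Reaper write-up or from any EDR product; the telemetry field names and the sample events are constructed here.

```python
"""Spot AppleScript password-prompt phishing in endpoint process telemetry.

Added example, not from the Reaper write-up or any EDR vendor. The lure is
AppleScript's `display dialog ... default answer "" with hidden answer`, which
draws a native-looking box with a masked input field; stealers run it through
osascript or Script Editor and dress it up as a macOS security prompt.
Legitimate software almost never collects a password this way. Event field
names and the sample events below are constructed for this example.

Limit: this reads the command line only. `osascript /path/to/script.scpt`
hides the dialog text in the file, so for that case you need the script
contents or window-creation telemetry, not just process arguments.
"""
import json
import re
from typing import List, Optional, Tuple

HIDDEN_ANSWER = re.compile(r"display\s+dialog.*?with\s+hidden\s+answer", re.I | re.S)
CREDENTIAL_WORDS = re.compile(r"password|passcode|keychain|unlock", re.I)
APPLESCRIPT_RUNNERS = ("osascript", "script editor")


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one process-start event, or None if benign."""
    proc = event.get("process", "").lower()
    cmdline = event.get("cmdline", "")
    if not any(r in proc for r in APPLESCRIPT_RUNNERS):
        return None
    if not HIDDEN_ANSWER.search(cmdline):
        return None  # notifications, plain dialogs, ordinary automation
    if CREDENTIAL_WORDS.search(cmdline):
        return "credential_prompt"        # masked field plus password wording
    return "hidden_answer_dialog"         # masked field, wording unknown: still review


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over JSON-lines telemetry; return (pid, label) for hits."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        label = classify(event)
        if label:
            hits.append((event["pid"], label))
    return hits


# Constructed sample telemetry (one JSON object per line).
SAMPLE_LINES = [json.dumps(e) for e in [
    {"pid": 4412, "process": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "macOS wants to make changes. '
                'Enter your password to allow this." default answer "" '
                'with hidden answer with icon caution\''},
    {"pid": 4413, "process": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display notification "Build finished" with title "CI"\''},
    {"pid": 4414, "process": "/bin/ls", "cmdline": "ls -la"},
    {"pid": 4415, "process": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Enter the code" default answer "" with hidden answer\''},
]]

if __name__ == "__main__":
    for pid, label in scan(SAMPLE_LINES):
        print(pid, label)
```

Tuning note: the `hidden_answer_dialog` tier exists because attackers can word the box however they like; the masked field is the constant, the vocabulary is not.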
Friendly reminder that your GitHub OAuth token isn't scoped to one repo. It's scoped to all of them. And apparently, one click is all it takes to hand it over. Full breakdown on the blog: f.mtr.cool/bqykgehwhl #GitHub #AppSec #CyberSecurity #DevSecOps
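A quick way to see what a token can really reach: GitHub echoes the granted scopes of classic OAuth tokens and classic PATs in the `X-OAuth-Scopes` response header of any authenticated REST call, and `repo` there means every repository the account can see, across every organization. The snippet below is an added example, not from the linked post; which scopes count as "broad" is this example's judgement, and `fetch_headers()` is the only part that needs network access.

```python
"""Read the scopes GitHub actually granted a token, instead of trusting the consent screen.

Added example, not from the linked post. For classic OAuth tokens and classic
personal access tokens GitHub returns the granted scopes in the
`X-OAuth-Scopes` header of any authenticated REST call; `repo` there means every
repository the account can reach, across every organization it belongs to.
Fine-grained PATs and GitHub App installation tokens do not send the header.
The grouping of scopes as "broad" is this example's judgement; check it against
GitHub's scope documentation for your own policy.
"""
import urllib.request
from typing import Dict, List

BROAD_SCOPES = {
    "repo": "read/write on all repositories, private included",
    "public_repo": "write on all public repositories",
    "workflow": "edit GitHub Actions workflow files",
    "write:packages": "publish packages under the account",
    "delete_repo": "delete any repository",
    "admin:org": "manage organization settings and membership",
    "admin:public_key": "add SSH keys to the account",
    "admin:gpg_key": "add GPG keys to the account",
    "user": "full user profile access",
}


def fetch_headers(token: str) -> Dict[str, str]:
    """Make one authenticated call and return its response headers (needs network)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "User-Agent": "scope-audit-example"},
    )
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers)


def parse_scopes(headers: Dict[str, str]) -> List[str]:
    """Return the scope list from X-OAuth-Scopes (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []  # header absent: not a classic token, or no scopes at all


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarize what a token can touch beyond the single repo a user expected."""
    scopes = parse_scopes(headers)
    broad = {s: BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES}
    return {"scopes": scopes, "broad": broad, "beyond_one_repo": bool(broad)}


if __name__ == "__main__":
    # Constructed headers standing in for a real response.
    print(assess({"X-OAuth-Scopes": "repo, read:org, workflow"}))
```

If the header is missing, the token is not a classic one and you need the fine-grained PAT's own permission listing (or the App installation's permissions) to answer the same question.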
🔥 This Is Fine | Building a Security Culture "Culture can make or break an organization." Security isn't just about tools, controls, or compliance frameworks. It's about people. In this episode, host Matt Triner (Founder of Hunter Strategy) is joined by Russell Eubanks (Cyverity Co-Founder and SANS Principal Instructor) and Andrew King (Hunter Strategy CISO and IANS Faculty Member) to discuss what it takes to build a lasting security culture inside organizations. From leadership alignment to employee engagement, the conversation explores how organizations can move beyond checkbox security and create environments where security becomes part of how the business operates. Because strong security programs aren't just implemented. They're adopted. 🎧 Listen here: f.mtr.cool/zsazzacrcr #CyberSecurity #SecurityCulture #EnterpriseSecurity #SecurityLeadership
North Korean threat group Kimsuky isn't slowing down - and their latest HTTPSpy campaign is a good reminder of how sophisticated social engineering has become. In their most recent activity (observed through March and April 2026), Kimsuky masqueraded as legitimate B2B software installers and a spoofed Cisco Webex troubleshooting page to get victims to run malicious droppers. Once inside, HTTPSpy hands the attacker full remote control: command execution, file exfiltration, screenshots, process injection, and clean self-deletion. They also wired in stolen meeting schedules to redirect targets into real Webex rooms, making the lure look entirely authentic. What makes this campaign notable isn't just the malware - it's the operational discipline. Kimsuky is using legitimate infrastructure (Visual Studio Code Remote Tunnels, Cloudflare Quick Tunnels, DWAgent) to blend covert access into normal IT operations. No noisy C2 traffic. No obvious red flags. For defenders, the takeaway is clear: scrutinize your remote access channels, harden against script-based droppers, and keep a close eye on certificate stores and GPKI paths. The attack surface they're targeting isn't exotic, it's the trust you extend to everyday tools. Read the full breakdown on our blog - get the link in the comments. #CyberSecurity #ThreatIntelligence #NationStateCyber #Kimsuky #DefensiveOps
Typosquatted npm packages. Stolen cloud credentials. Backdoored CI pipelines. Now, they're poisoning AI coding assistants, too. Supply chain attacks leveled up. Has your pipeline security? πŸ”—: f.mtr.cool/dmasappebn #CyberSecurity #SupplyChainSecurity #DevSecOps
Webworm's whole strategy is betting your environment is too noisy to notice. Echocreep lives in your event logs. Graphworm looks like normal cloud traffic. Together they just... wait. Spoiler: they're usually right. 🔗 Get the whole story here: f.mtr.cool/ekvzxbmsnc #Cybersecurity #ThreatIntelligence #Webworm #DetectionEngineering
Effective security frameworks need both technical alignment and organizational maturity. 🔥 New episode on Zero Trust principles, NIST 800-53r5 & the intersection of federal compliance and modern security architecture, featuring guests @MalwareJake, @ScrumWhat, and Alex Sharpe. 🎧 f.mtr.cool/gzbibsahel #ZeroTrust #NIST80053 #CyberSecurity
This malware didn't steal your credentials or lock your files. It just quietly started robbing you. The consumer details made headlines. The operational details are what security leaders should be paying attention to. A carrier billing fraud campaign ran for ten months across four countries, operating nearly 250 malicious applications, before researchers caught it. The attackers weren't sloppy. They validated carrier environments before activating, automated multi-stage subscription workflows to avoid detection, and monitored successful compromises in real time through a private Telegram channel. This was a managed revenue operation, not a smash-and-grab. The people running this weren't simply writing malware. They were running a business. Most enterprise security stacks are well-instrumented for endpoint and network threats. Mobile environments are a different story. The visibility gap is real, it's broadly underestimated, and campaigns like this one are built specifically to exploit it. The question worth asking isn't whether your organization uses official app stores. It's whether you'd know if something like this was operating inside your mobile environment right now. If the honest answer is "probably not" - that's where we start. 🔗 Full post here: f.mtr.cool/dysxtcmhah #CyberSecurity #MobileSecurity #ThreatIntelligence #SecurityLeadership #EnterpriseSecurity
New attack strategy: don't hack the code. Hack the robot that builds the code. Megalodon hit 5,561 GitHub repos by poisoning CI/CD workflows, with commits disguised as "build-bot" and "pipeline-bot". The damage: credentials exfiltrated, npm packages backdoored, downstream devs none the wiser. Your automation layer is a trust boundary now. Get the story and suggested fixes on the Hunter Strategy blog: f.mtr.cool/inxghahcbk #Cybersecurity #DevSecOps #GitHubActions
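Two things a workflow-poisoning campaign relies on are floating action references (a tag like `@v4` that can be moved to malicious code) and nobody looking at who commits to `.github/workflows/`. The following is an added example of both checks, not the Hunter Strategy post's code and not tied to any real repository; the sample workflow, the commit export and its pipe-delimited format are constructed here.

```python
"""Two checks a CI-poisoning campaign like Megalodon depends on you not running.

Added example; not the Hunter Strategy post's code and not tied to any real
repository. It looks for:
  1. `uses:` steps pinned to a tag or branch rather than a full commit SHA. A
     tag can be moved to malicious code; a 40-hex SHA cannot.
  2. Commits that touch `.github/workflows/` from an author your team never
     vetted, the "build-bot" / "pipeline-bot" pattern from the post.
Parsing is regex over raw workflow text, so no YAML library is needed. The
sample workflow, the commit export and its pipe-delimited format
(sha|author|email|comma-separated paths) are all constructed here.
"""
import re
from typing import Iterable, List, Set, Tuple

# `- uses: owner/repo[/path]@ref`; local (./...) and docker:// steps have no owner/repo@ref form.
USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
WORKFLOW_DIR = ".github/workflows/"
COMMIT_LINE = re.compile(r"^(?P<sha>[0-9a-f]{7,40})\|(?P<author>[^|]*)\|(?P<email>[^|]*)\|(?P<files>.*)$")


def unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a full commit SHA."""
    return [(action, ref) for action, ref in USES.findall(workflow_text)
            if not FULL_SHA.match(ref)]


def unvetted_workflow_commits(log_lines: Iterable[str], allowed_emails: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (sha, author, email) for workflow-touching commits by unknown authors.

    Match on email, not display name: a display name like "Dana Dev" is free text.
    Even the email is only as trustworthy as your commit-signing policy, so treat a
    hit as "go look", not "proven hostile".
    """
    hits = []
    allowed = {e.lower() for e in allowed_emails}
    for line in log_lines:
        m = COMMIT_LINE.match(line.strip())
        if not m:
            continue
        paths = [p.strip() for p in m["files"].split(",")]
        if any(p.startswith(WORKFLOW_DIR) for p in paths) and m["email"].strip().lower() not in allowed:
            hits.append((m["sha"], m["author"].strip(), m["email"].strip()))
    return hits


SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # constructed SHA
      - uses: ./.github/actions/local-lint
      - run: npm ci && npm test
      - uses: some-org/publish-action@main
"""

SAMPLE_LOG = [
    "a1b2c3d|Dana Dev|dev@example.com|src/app.js,package.json",
    "d4e5f6a|Dana Dev|dev@example.com|.github/workflows/ci.yml",
    "9f8e7d6|build-bot|build-bot@users.noreply.github.com|.github/workflows/ci.yml,package.json",
]

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(unvetted_workflow_commits(SAMPLE_LOG, {"dev@example.com"}))
```

Pinning to a SHA still requires a process to bump the pin, which is why this pairs with the second check: the bump commits are exactly the ones a "pipeline-bot" would imitate.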
Originally called Decoration Day, Memorial Day has been a day of remembrance since May 30, 1868 - when General John A. Logan, of the Grand Army of the Republic, called on the nation to honor those who gave everything in the Civil War. That first national commemoration drew 5,000 people to Arlington National Cemetery to decorate the graves of more than 20,000 soldiers buried there. After World War I, the occasion expanded to honor the fallen from all of America's wars. In 1971, Congress formalized it as the last Monday of May. Today, a small American flag is placed on every grave at Arlington and a wreath is laid at the Tomb of the Unknown Soldier. At Hunter Strategy, we build and defend the systems used by those who serve this country. This weekend, we're setting down the keyboards and honoring the ones who make our mission worth having. To all who have served, thank you and happy Memorial Day. #MemorialDay #NeverForget #MilitaryAppreciation
A public, working exploit for a Linux kernel privilege escalation flaw is out. PinTheft turns any local foothold into root - one command, minimal skill required. "Local-only" isn't the reassurance it used to be when your containers, cloud hosts, and developer boxes all run Linux. Patch first. If you can't patch yet, disable the RDS (Reliable Datagram Sockets) kernel module and treat every local account on an unpatched host as a potential root until you do. Arch has patched. The question is whether your inventory has. Get the details on our blog: f.mtr.cool/bzxzqjrrfn #Cybersecurity #Linux #PatchManagement
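"Disable RDS" has a sharp edge: `blacklist rds` in modprobe.d only stops alias-based autoloading, while `install rds /bin/false` makes every load attempt fail, and neither does anything for a module that is already loaded. The check below is an added example, not from the PinTheft write-up; it rates a host from its modprobe.d files and `/proc/modules`, works on text you hand it (constructed samples included) so it runs offline, and `read_host()` feeds it the real files.

```python
"""Verify that a Linux host refuses to load the RDS kernel module.

Added example, not from the PinTheft write-up. When the kernel cannot be patched
yet, the stop-gap is to make the `rds` module unloadable. Details that matter:
  * `blacklist rds` only stops alias-based autoload; `modprobe rds` still works,
    so it is a weak control on its own.
  * `install rds /bin/false` (or /bin/true) makes every load attempt fail; this is
    what hardening baselines use.
  * A module already in /proc/modules stays loaded regardless of modprobe.d;
    unload it (rmmod rds) or reboot.
  * A kernel with RDS built in (CONFIG_RDS=y rather than =m) cannot be disabled
    this way at all; check /boot/config-$(uname -r).
assess_rds() works on text you hand it (constructed samples below), so it runs
offline; read_host() feeds it the real files.
"""
import glob
import re
from typing import Dict

INSTALL_RULE = re.compile(r"^\s*install\s+rds\s+(/bin/false|/bin/true|/usr/bin/false|/usr/bin/true)\b", re.M)
BLACKLIST_RULE = re.compile(r"^\s*blacklist\s+rds\s*$", re.M)
LOADED_RDS = re.compile(r"^rds\s", re.M)


def assess_rds(modprobe_confs: Dict[str, str], proc_modules: str) -> Dict[str, object]:
    """Rate the host: OK, WEAK (blacklist only) or EXPOSED (loaded or unrestricted)."""
    install = [p for p, text in modprobe_confs.items() if INSTALL_RULE.search(text)]
    blacklist = [p for p, text in modprobe_confs.items() if BLACKLIST_RULE.search(text)]
    loaded = bool(LOADED_RDS.search(proc_modules))
    if loaded:
        verdict = "EXPOSED: rds is loaded now; rmmod rds or reboot after adding the install rule"
    elif install:
        verdict = "OK: load attempts fail via " + ", ".join(install)
    elif blacklist:
        verdict = "WEAK: blacklist only blocks autoload; add 'install rds /bin/false'"
    else:
        verdict = "EXPOSED: nothing prevents rds from loading"
    return {"loaded": loaded, "install_rules": install, "blacklist_rules": blacklist, "verdict": verdict}


def read_host() -> Dict[str, object]:
    """Run the assessment against this machine's modprobe.d and /proc/modules."""
    confs = {}
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):  # modprobe only reads *.conf here
        with open(path, encoding="utf-8", errors="replace") as f:
            confs[path] = f.read()
    with open("/proc/modules", encoding="utf-8") as f:
        return assess_rds(confs, f.read())


# Constructed samples: a correctly hardened host and a host that only blacklisted.
HARDENED = {"/etc/modprobe.d/disable-rds.conf": "install rds /bin/false\n"}
BLACKLIST_ONLY = {"/etc/modprobe.d/local.conf": "# install rds /bin/false\nblacklist rds\n"}
NO_RDS_LOADED = "ext4 950272 2 - Live 0xffffffffc0a00000\n"
RDS_LOADED = "rds 204800 0 - Live 0xffffffffc0b00000\n" + NO_RDS_LOADED

if __name__ == "__main__":
    print(assess_rds(HARDENED, NO_RDS_LOADED)["verdict"])
    print(assess_rds(BLACKLIST_ONLY, NO_RDS_LOADED)["verdict"])
    print(assess_rds(HARDENED, RDS_LOADED)["verdict"])
```

Run `read_host()` from your configuration-management audit step, not once by hand: the post's point is that the unpatched host you forgot about is the one that matters.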
🔥 This Is Fine | The State of Pen Testing "If you talk to a dozen pen testers and ask them what a pen test is, you're going to get a dozen different answers." Penetration testing has long been a cornerstone of enterprise security, but the landscape continues to evolve. In this episode of the Hunter Strategy podcast, AJ King (@ScrumWhat), Jake Williams (@MalwareJake), and Joshua Marpet (@quadling - Sr. Product Security Consultant at Finite State, Faculty Member at IANS) discuss how penetration testing fits into modern enterprise risk management strategies. From compliance requirements to real-world security validation, the conversation explores how organizations can approach testing with both technical rigor and business context. Good security isn't theoretical. It's tested. Get the full episode ➡️ f.mtr.cool/qfolyvslha #CyberSecurity #PenTesting #SecurityTesting #EnterpriseSecurity
Threat actors have apparently decided phishing is too much work. Why craft a suspicious email when you can just... rank higher than the real vendor? Kong RAT is riding fake FinalShell and Xshell download pages straight onto admin workstations. No red flags. Just a search result that looked fine. Block these: finalshell-ssh[.]com, xshell-cn[.]com, quickq-cn[.]com 🔗 f.mtr.cool/hffrxvwypu #CyberSecurity #SEOPoisoning #ThreatIntel
The victim did everything right. They searched for a tool they use every day, found what looked like the official download page, and clicked it. That is the campaign. Attackers are using SEO poisoning to push fake download pages for FinalShell, Xshell, QuickQ, and Clash above legitimate results, particularly targeting Chinese-speaking users. The fake sites copy branding, layout, and language closely enough to pass a quick visual check. When the victim runs the installer, Kong RAT installs silently in the background, phones home to attacker-controlled infrastructure, and hands over remote access to the machine. The problem is which machine. These are not random endpoints. FinalShell and Xshell users tend to be developers and administrators - people whose workstations already hold SSH keys, saved credentials, terminal profiles, and direct routes to production infrastructure. One bad download on one of those systems is worth more to an attacker than a hundred compromised user laptops. Several domains tied to this campaign - finalshell-ssh[.]com, xshell-cn[.]com, and quickq-cn[.]com - should be treated as hostile and blocked immediately. Any device that downloaded from those sites warrants investigation now, not after something moves. The technical fix is straightforward. The process fix is harder. If your organization expects employees to 'just download the official tool' without a controlled path to do so, this campaign is a stress test you are not ready for. Approved software catalogs, bookmarked vendor URLs, and a firm no-search-link policy for remote access tools are not bureaucratic overhead. They are the difference between a near-miss and an incident report. This is what a successful compromise looks like. Orderly. Dignified. Both parties present. The damage already done. 🔗 Read more: f.mtr.cool/fyatfbqoba #CyberSecurity #SocialEngineering #SEOPoisoning #DevSecOps #ThreatIntelligence
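Both the Kong RAT posts and the Kimsuky post above end in the same place: a list of names to look for in your DNS or proxy logs. The block below is an added example covering both, not the Hunter Strategy blog's code. It scans constructed query-log lines for the three hostile domains the Kong RAT post lists, for brand-lookalike domains of the same tools, and for the remote-tunnel services the Kimsuky post names. The tunnel suffixes (trycloudflare.com for Cloudflare Quick Tunnels, devtunnels.ms for VS Code Remote Tunnels, dwservice.net for DWService, which is DWAgent's backend) come from the vendors' public documentation and are an assumption here; the official-vendor allowlist is a placeholder with netsarang.com (Xshell's vendor) as an example entry, to be filled from your own approved-software catalog.

```python
"""Scan DNS or proxy query logs for the indicators in the two posts above.

Added example for both the Kong RAT post (the hostile download domains it lists,
plus brand-lookalike domains for the same tools) and the Kimsuky post (remote-
tunnel services used to hide access inside ordinary IT traffic). It is not the
Hunter Strategy blog's code. The tunnel suffixes are taken from the vendors'
public documentation and are an assumption here. The official-vendor allowlist
is a placeholder to fill from your approved-software catalog. The log format
(timestamp client qname) and the sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports ('evil[.]com') into a real hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


HOSTILE = {refang(d) for d in ("finalshell-ssh[.]com", "xshell-cn[.]com", "quickq-cn[.]com")}
BRAND_TOKENS = ("finalshell", "xshell", "quickq")  # "clash" is too generic to match on alone
OFFICIAL_SUFFIXES = ("netsarang.com",)              # assumption; extend from your catalog
TUNNEL_SUFFIXES = {                                 # assumption: vendors' documented endpoints
    "trycloudflare.com": "Cloudflare Quick Tunnel",
    "devtunnels.ms": "VS Code Remote Tunnel",
    "dwservice.net": "DWService / DWAgent",
}
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def _under(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it (no bare substring matching)."""
    return host == suffix or host.endswith("." + suffix)


def classify(qname: str) -> Optional[str]:
    """Label one queried name, most specific rule first."""
    host = qname.rstrip(".").lower()
    if any(_under(host, h) for h in HOSTILE):
        return "hostile_download_site"
    for suffix, service in TUNNEL_SUFFIXES.items():
        if _under(host, suffix):
            return f"remote_tunnel:{service}"
    if any(t in host for t in BRAND_TOKENS) and not any(_under(host, o) for o in OFFICIAL_SUFFIXES):
        return "brand_lookalike"  # lower confidence: verify before blocking
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, label) for every line that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        label = classify(m["qname"])
        if label:
            hits.append((m["client"], m["qname"], label))
    return hits


SAMPLE_LOG = [  # constructed
    "2026-04-02T09:14:03Z 10.20.4.17 www.finalshell-ssh.com.",
    "2026-04-02T09:15:11Z 10.20.4.17 cdn.xshell-cn.com",
    "2026-04-02T09:16:40Z 10.20.4.31 quiet-river-1234.trycloudflare.com",
    "2026-04-02T09:17:02Z 10.20.4.31 abcd1234-8080.euw.devtunnels.ms",
    "2026-04-02T09:18:55Z 10.20.4.50 download.netsarang.com",
    "2026-04-02T09:19:20Z 10.20.4.50 xshell-download-free.top",
    "2026-04-02T09:20:00Z 10.20.4.50 www.example.com",
]

if __name__ == "__main__":
    for client, qname, label in scan(SAMPLE_LOG):
        print(f"{client:<12} {label:<40} {qname}")
```

The tunnel tier is deliberately a separate label rather than a block: developers legitimately use these services, so the useful output is "which hosts talk to tunnel backends, and do they have a business reason to", which is the scrutiny the Kimsuky post asks for.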
A worm is stealing your secrets and publishing them as your own packages. The Shai Hulud campaign hits npm & PyPI - credentials stolen, backdoored packages published under victim accounts, and hundreds of packages affected with tens of millions of weekly downloads. The supply chain attack you don't see coming already has your keys. And it's not slowing down anytime soon. 🔗 f.mtr.cool/dmzghdoyqp #CyberSecurity #SupplyChainSecurity #DevSecOps