24/7/365 threat detection and response across your cloud, identity, endpoints and everything in-between. We got you: bit.ly/44icmuy

Today, Red Canary officially joins the @zscaler family! 🎉 We are thrilled to mark this incredible milestone and join forces with the leader in cloud security to deliver unified security operations to help our customers strengthen their cyber defenses. Zscaler and Red Canary will enable the industry’s most advanced SOC capabilities, setting a new standard for the future of the security landscape. As we take this big step forward, one thing will always remain true: We got you! 💪 bit.ly/46y8BD5
Adversaries aren't just using malware—they're hiding behind your IT tools. 🔧 Remote monitoring and management (RMM) abuse has surged in the last year. Ransomware groups weaponize tools like ScreenConnect, NetSupport Manager, and SimpleHelp because they're signed, trusted, and blend right in. Our latest blog covers the most commonly abused RMM tools, how they work, and how to detect them—before it's too late: redcanary.com/blog/security-…
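Because the RMM clients named above are legitimately signed, a detection that leans on the signature has nothing to work with; what separates a sanctioned deployment from an attacker-delivered one is which tool it is, where the binary runs from, and what launched it. The following is an added Python example (not Red Canary's code and not from the linked post). The client binary names are taken from each tool's standard install and the approval policy and sample telemetry are assumptions constructed for the example.

```python
"""Flag RMM tool executions that deviate from the organisation's sanctioned deployment.

The `signed` field is carried through the record but deliberately never consulted:
these tools blend in precisely because they pass that check.
"""
import re
from dataclasses import dataclass

# Binary names assumed for the example, taken from each tool's standard client install.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "client32.exe": "NetSupport Manager",
    "remote access.exe": "SimpleHelp",
}

# Hypothetical policy: only ScreenConnect is sanctioned, and only from its normal install path.
APPROVED_TOOLS = {"ScreenConnect"}
APPROVED_PATH_PREFIXES = (
    r"c:\program files (x86)\screenconnect client",
    r"c:\program files\screenconnect client",
)

# User-writable directories where an attacker-delivered copy typically lands.
STAGING_DIRS = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata\\local\\temp)|programdata|windows\\temp)\\", re.I
)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    host: str
    image_path: str
    parent_image: str
    signed: bool  # present in the record, ignored by the logic below


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent):
    """Return (tool, reasons) for an RMM binary, or None for anything else.
    An empty reasons list means the execution matched policy."""
    tool = RMM_BINARIES.get(basename(ev.image_path))
    if tool is None:
        return None
    path = ev.image_path.lower()
    reasons = []
    if tool not in APPROVED_TOOLS:
        reasons.append(f"{tool} is not an approved RMM tool")
    elif not path.startswith(APPROVED_PATH_PREFIXES):
        reasons.append(f"{tool} running outside its sanctioned install path")
    if STAGING_DIRS.search(path):
        reasons.append("executing from a user-writable staging directory")
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by {parent}")
    return tool, reasons


def detect(events):
    """Alerts for RMM executions that deviate from policy."""
    alerts = []
    for ev in events:
        result = classify(ev)
        if result and result[1]:
            alerts.append({"host": ev.host, "tool": result[0], "reasons": result[1]})
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe", True),
    ProcessEvent("ws-02", r"C:\Users\jdoe\AppData\Local\Temp\ns\client32.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True),
    ProcessEvent("ws-03", r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",
                 r"C:\Windows\explorer.exe", True),
    ProcessEvent("ws-04", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe", True),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sanctioned ScreenConnect service on ws-01 produces no alert; the NetSupport client staged under a user's Temp directory by PowerShell and the SimpleHelp client under ProgramData each do. In practice the approved-tool set and path prefixes come from the asset inventory, and the staging-directory list should be tuned to the environment's actual software-deployment paths.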
Next Tuesday, we’re live on SecOps Weekly with Senior Intelligence Analyst Stef Rand! 👏 Stef joins us to preview June’s Intelligence Insights Report and share fresh findings from the Threat Intelligence team. Which threats do you think made the Top 10? Don’t miss it! 👉 bit.ly/4ehzj54
The goal of scaling a threat hunting program is not just finding more threats but making those findings actionable. 🔁 This continuous feedback loop ensures that insights gained from proactive hunting directly strengthen the organization’s defensive posture, making it more resilient in the long run. Read our new blog to learn how to level up your hunts: bit.ly/4ooctxo
Red Canary, a Zscaler company retweeted
Zscaler ThreatLabz discovered a new sophisticated malware family that we named MLTBackdoor, which is likely used by an initial access broker for ransomware attacks. Similar to Cobalt Strike, MLTBackdoor provides post-exploitation capabilities on demand with a BOF loader alongside remote filesystem access. Most MLTBackdoor samples are heavily obfuscated with control flow flattening (CFF), mixed boolean-arithmetic (MBA), stack-based strings, indirect system calls, and imports are resolved by hash. In addition, the code checks for virtual machines and analysis environments. MLTBackdoor implements a date-based DGA as a backup C2 channel. Network communications are encrypted using ECDH with NIST curve P-256 and AES-256-GCM. An MLTBackdoor DGA script is available here: github.com/ThreatLabz/tools/… Read the full analysis here: zscaler.com/blogs/security-r…
If your tech stack is a force multiplier, but your “human tool” is at zero, what exactly are you multiplying? 🤨 Join Keith McCammon and Katie Nickels live on SecOps Weekly to hear how to lead your SOC team through the anxiety of the agentic AI shift—and how better prioritization can help. Join us live tomorrow at 1 p.m. ET/ 10 a.m. PT 👉 bit.ly/4uZjoj6
Assistive AI agents aren’t always so helpful—it all depends on whose behalf they're working. 🥸 The final installment of our series on suspicious AI workflows in Microsoft Entra ID highlights an "on behalf of" authentication workflow. 🪵 Take a look at the logs: bit.ly/4dVcpl4
Red Canary, a Zscaler company retweeted
🚨 ThreatLabz identified a malicious Python package in PyPI named "parsimonius" that was designed to impersonate the legitimate parsimonious package through typosquatting. The threat actor selected a package name differing by a single character and assigned it a version number intended to appear newer than the legitimate release, increasing the likelihood of inadvertent installation by developers. Before its removal from the package repository, the malicious package was downloaded 2,474 times within a matter of days. ThreatLabz analysis revealed that the package incorporated the legitimate parsimonious parsing functionality to avoid suspicion while simultaneously deploying a Telegram-based backdoor. Once installed, the backdoor provided attackers with remote access capabilities and facilitated the theft of sensitive data, including .env files and bot authentication tokens. The SHA1 hash of the malicious package is a01c2a21f24db63cb01a67016519aebeca438089.
This month's list of upcoming CFP deadlines is our longest ever! Check out @SAINTCON, @HackRedCon, and other security conferences looking for speakers. 📢 👀 Take a look: redcanary.com/blog/news-even…
Tomorrow we're live at 1 p.m. ET / 10 a.m. PT for our latest episode of SecOps Weekly! Phil Hagen and Chris Brook are hopping on to chat about the latest security trends and answer audience questions from our mailbag. Join us live to hear their take and learn what you and your team should be paying attention to. 👀 bit.ly/4o4uMaP
🤖 Your “agentic coworker” is sending suspicious messages via Microsoft Teams. It’s going to need to have a chat with the agentic HR department. 🔗 Read Part 2 of our series on investigating suspicious AI workflows in Entra ID: redcanary.com/blog/threat-de…
Some people say that defenders need to be right every time but attackers only need to be right once. Those people are wrong. 🔥 Read our hot take about pentesting and learn how to prioritize and optimize your adversary emulation strategy. redcanary.com/blog/testing-a…
👣 AI agents leave footprints that traditional identity security solutions might miss. If an autonomous agent performed a privileged action in your Entra tenant, what would that look like in the logs? Read the first installment of our new blog series about suspicious AI workflows in Microsoft Entra ID: redcanary.com/blog/threat-de…
ClearFake is one of the OG paste-and-run threats Red Canary has observed in the last few years, and it finds itself at the top of this month's top 10 dropping a new payload: ACR Stealer. 💡 Get detection opportunities and more in this month's Intelligence Insights: redcanary.com/blog/threat-in…
What does it take to turn malicious package analysis into actionable behavioral logic? On the May 26 episode of SecOps Weekly, Tony Lambert and Keith McCammon will explore how security teams can move beyond spotting suspicious packages to understanding the behaviors that matter most. Join the conversation for insights on how this approach can strengthen detection, investigations, and response. 📅 Tune in live on May 26: bit.ly/3RdnxB1
Don’t miss it! Tomorrow, Stef Rand joins SecOps Weekly to preview the May 2026 Intelligence Insights findings. Tell us: Which newcomers do you think made the list? What threat claimed the #1 spot? 🤔 Find out tomorrow at 1 p.m. ET / 10 a.m. PT ➡️ bit.ly/4tBvbCE
🔜 Next Tuesday at 1 p.m. ET/ 10 a.m. PT, catch Senior Intelligence Analyst Stef Rand on SecOps Weekly! She’ll be joining Keith McCammon LIVE to preview this month’s Intelligence Insights report and break down the findings. See which threats hit the Top 10, learn about the newcomers to the list, and give your team the edge they need to outpace the bad guys. You won't want to miss this convo! 👉 bit.ly/4tBvbCE
This week on SecOps Weekly, Red Canary's Keith McCammon and Brian Donohue took audience questions in a special AMA edition of the show. 🎙️ Their list of the most pressing security issues might not surprise you—but Keith and Brian aren't here to shock you. They’re here to help you tackle them. 🛠️ Watch the full episode on demand on our YouTube channel! 👉 bit.ly/4dclOnY
Our latest blog is a primer on an often untapped source of telemetry in Linux investigations: cgroups. The Linux kernel exposes cgroups in a unified, nested hierarchy that defenders can reference while looking into malicious or suspicious processes. 📜 We've even included a Golang script for collecting this data to help you get started. Dive in: redcanary.com/blog/threat-de…
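The telemetry the post refers to is the per-process file `/proc/<pid>/cgroup`, one line per hierarchy in the form `hierarchy-ID:controller-list:cgroup-path`; on the unified (v2) hierarchy there is a single line with ID 0 and an empty controller list. The path is what makes it useful in an investigation: it names the systemd unit or container that owns the process, and it survives daemonising tricks such as double-forking and `setsid()` because cgroup membership is inherited across `fork()`. The following is an added Python example, not the Go collector the post links to; the sample file contents are constructed, and on a live host the text would come from `open(f"/proc/{pid}/cgroup").read()`.

```python
"""Parse /proc/<pid>/cgroup and extract the owning systemd unit and container ID."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CgroupMembership:
    hierarchy_id: int
    controllers: tuple  # empty for the unified (v2) hierarchy, whose ID is always 0
    path: str


def parse_proc_cgroup(text: str):
    """Each line is 'hierarchy-ID:controller-list:cgroup-path'."""
    members = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hid, controllers, path = line.split(":", 2)
        members.append(CgroupMembership(int(hid), tuple(c for c in controllers.split(",") if c), path))
    return members


def unified_path(members):
    """Path in the cgroup v2 hierarchy, or None on a v1-only host."""
    for m in members:
        if m.hierarchy_id == 0 and not m.controllers:
            return m.path
    return None


# Leaf segment naming a container: bare 64-hex (v1 /docker/<id>) or a runtime-prefixed .scope unit.
_CONTAINER_LEAF = re.compile(r"^(?:docker-|cri-containerd-|libpod-)?([0-9a-f]{64})(?:\.scope)?$")


def container_id(members):
    """64-hex container ID from the leaf of any cgroup path, or None."""
    for m in members:
        leaf = m.path.rstrip("/").rsplit("/", 1)[-1]
        hit = _CONTAINER_LEAF.match(leaf)
        if hit:
            return hit.group(1)
    return None


def systemd_unit(members):
    """Innermost .service/.scope segment: the unit that ultimately owns the process."""
    for m in members:
        for seg in reversed(m.path.split("/")):
            if seg.endswith((".service", ".scope")):
                return seg
    return None


def summarize(text: str) -> dict:
    members = parse_proc_cgroup(text)
    return {
        "v2_path": unified_path(members),
        "unit": systemd_unit(members),
        "container_id": container_id(members),
        "in_root_cgroup": all(m.path == "/" for m in members),
    }


# Constructed samples (not captured from a real host).
HEX64 = "0123456789abcdef" * 4
SAMPLE_V2_SERVICE = "0::/system.slice/sshd.service\n"
SAMPLE_V2_DOCKER = f"0::/system.slice/docker-{HEX64}.scope\n"
SAMPLE_V2_K8S = (
    "0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podabc.slice/"
    f"cri-containerd-{HEX64}.scope\n"
)
SAMPLE_V1_DOCKER = (
    f"12:memory:/docker/{HEX64}\n"
    f"11:cpu,cpuacct:/docker/{HEX64}\n"
    f"1:name=systemd:/docker/{HEX64}\n"
)
SAMPLE_ROOT = "0::/\n"

if __name__ == "__main__":
    for sample in (SAMPLE_V2_SERVICE, SAMPLE_V2_DOCKER, SAMPLE_V2_K8S, SAMPLE_V1_DOCKER, SAMPLE_ROOT):
        print(summarize(sample))
```

The `in_root_cgroup` flag is worth keeping in a collector: on a systemd host nearly every user-space process sits under some `.slice`, `.service` or `.scope`, so a non-kernel process reporting `/` is an outlier that deserves a look, and a process whose path names a container while its parent chain says otherwise is a similar mismatch.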
No scripts. Just security. 🎙️ Catch Keith McCammon and Brian Donohue on SecOps Weekly for a live AMA on Tuesday, May 12. They’re breaking down the latest hot topics and taking your questions live. Bring your questions and join the conversation! bit.ly/4tZVHqj
Still stuck in the "query-and-wait" loop? Tomorrow on SecOps Weekly, we’re talking about high-performance threat hunting. Red Canary’s Brittany Sattler and Andrew Sharpe join Keith McCammon to discuss: ✅ Shifting from manual tasks to structured workflows. ✅ Using high-performance data tools like DuckDB to speed up investigations. ✅ Moving to a hypothesis-driven hunting model. Don't just hunt harder—hunt smarter. 🔴 Tune in LIVE tomorrow at 1 p.m. ET / 10 a.m. PT: bit.ly/4cXkWSV