Joined October 2013
Pinned Tweet
23 Sep 2024
In the DC-area? You'd be hard-pressed to find a better use of your time than to attend #FTSCon on 🗓️ October 21 in Arlington VA. It's packed with info on the latest security tools 🔧 and 🎯 insights from incident response #threatintel #memoryforensics
tlansec retweeted
Heading to Denver for #FIRSTCON26 next week? Stop by the @Volexity booth to see a demo of Volcano! We’ll show you how memory analysis with Volcano uncovers advanced threat actors and helps rapidly resolve your investigations. Come find us at Booth 7 to talk threat hunting and triage workflows with our team, including @stevenadair & @attrc! @FIRSTdotOrg #DFIR #FIRSTCON
tlansec retweeted
I’m hiring a sr principal threat researcher. When big things happen on the internet, you’ll lead the threat research to hunt across our vast telemetry & write the threat briefs. Senior role w/ strong comms & collab experience. jobs.paloaltonetworks.com/en…

tlansec retweeted
Check out our blog on an activity we worked on related to VerdantBamboo -- aka the TA that is known for wreaking havoc on edge devices and deploying BRICKSTORM. We found BRICKSTORM for BS on a pfSense firewall, new malware families, use of a 0day privesc, and custom VPN networks!
.@Volexity has published details from an incident response engagement in September 2025 involving multiple #BRICKSTORM variants deployed by a threat actor that Volexity tracks as VerdantBamboo. This case involved the breach of the victim organization’s MSP and multiple malware implants found on firewalls, cloud storage sync devices & NAS appliances. VerdantBamboo used a #0day privilege escalation exploit in the process and was also observed using administrative access to the victim organization's firewall to enable a custom VPN. For more details on how the incident unfolded, the malware used by the threat actor, and the end goal of the intrusion, check out the full blog post: volexity.com/blog/2026/06/04… #dfir
tlansec retweeted
What’s the most underrated threat intel report of all time?
tlansec retweeted
POV: you're still using GitHub Copilot after June 1st, 2026
tlansec retweeted
We are excited to welcome our 2026 #summerinternship students from @ND_CSE, @umdcs & @MAGEUMD! Over the next few months, they will be working alongside our engineering and threat intelligence teams on core software development and #memoryforensics research. Learn more about our program and future opportunities: volexity.com/internships/ #dfir
tlansec retweeted
Codex just found a “workaround” of not having sudo on my pc…
tlansec retweeted
The latest @DarknetDiaries (Ep. 174: Pacific Rim) offers a look at state-sponsored groups targeting perimeter infrastructure & edge devices. Thanks @JackRhysider for mentioning our work! @Volexity’s detection and response efforts combined network visibility, host-based analysis, #threatintelligence & #memoryforensics, enabling us to discover these complex #0days being exploited in the wild. Read our blog post for the original research mentioned: volexity.com/blog/2022/06/15…
Ep 174 "Pacific Rim" is now live! 🔊 Sophos got attacked by a nation state actor. How they handled it is controversial. Curious what you would have done. darknetdiaries.com/episode/1…
tlansec retweeted
Claude: “this project will take 2 months to complete” Me:
tlansec retweeted
consider half zipping your sweater and jacket, but not your fly
tlansec retweeted
And this one is human insight w/ LLM-assisted research. Took about one week to finish everything. The AI really rescued me from a lot of tedious work — excluding the part where it changed the Domain Admin password, locked me out, and claimed it got RCE 🤦
Aaaand it's official! Orange Tsai (@orange_8361) of DEVCORE Research Team chained 3 bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning a whopping $200,000 and 20 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin
tlansec retweeted
CVE-2026-40361 (msrc.microsoft.com/update-gu…), patched today, is a critical 0-click UAF/RCE bug in Microsoft Outlook that I discovered back in Q1. You definitely want to patch this sooner rather than later. The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email - no clicking of links or attachments is required.

Since the bugs reside in Outlook's email rendering engine, it is difficult to mitigate or block (though specifically setting Outlook to render emails only in plain text format is a valid mitigation).

Fun fact about the discovery: after the discovery of the #BadWinmail bug a decade ago, I wanted to run an experiment in Q1 to see if I could find another 0-click RCE in Outlook. The result? It wasn't easy — I even built a dedicated system for it — but I eventually found this one. :)

To understand why such bugs are so critical, check out the #BadWinmail video demo I released a decade ago: youtube.com/watch?v=ngWVbcLD…. They share the same attack vector (though #BadWinmail was a working exploit, while this one was a PoC).

Essentially, anyone could compromise a CEO or CFO just by sending an email. The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox. Furthermore, note that Outlook (Classic) lacks an application sandbox, making this attack vector even more dangerous.

Regarding defense and detection: if you are concerned about Outlook 0-click 0-days, my EXPMON system (pub.expmon.com) provides cutting-edge detection against such advanced threats. When I designed the original system in 2020/2021, I developed this functionality specifically considering the impact of #BadWinmail. The system accepts .eml or .msg formats, and email samples are deeply tested within an Outlook sandbox. For enterprise users, emails can be "dumped" from the mail server, and EXPMON can be deployed in a private network. Contact me for more details.

P.S. I just noted that the title of the Microsoft Security Update (msrc.microsoft.com/update-gu…) lists this as a Microsoft Word bug, which may or may not be entirely accurate. I demonstrated this bug to MSRC by showing that it works in a real, live Outlook Exchange Server environment. My bet is that because the bug resides in wwlib.dll — a shared DLL used heavily by both Outlook and Word — it likely affects both Outlook (via email) and Word (via a document file). Regardless of the title, it is a genuine Outlook 0-click RCE.

#CVE-2026-40361 #PatchTuesday #Outlook #0click #EmailSecurity #EnterpriseSecurity #expmon #ThreatIntel #ExploitDetection
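The post above names one configuration-level mitigation for 0-click rendering bugs in Outlook (Classic): reading all mail as plain text. The PowerShell below is an added example, not code from the post's author or from Microsoft. It audits the weak setting (HTML/RTF rendering, the default) beside the hardened one and, with `-Enforce`, writes the hardened value into the per-user Group Policy key so the option cannot be toggled back in the UI. The value names `ReadAsPlain` and `ReadSigned` (read standard and S/MIME-signed mail as plain text) are taken from Microsoft's documentation of the "Read all standard mail in plain text" option; the Office version subkeys (such as `16.0`) are enumerated from the registry rather than assumed, and the `-Enforce` switch is this script's own.

```powershell
# Added example (not from the original post): audit and enforce Outlook's
# "Read all standard mail in plain text" option for the current user.
# Assumptions: Outlook (Classic) storing per-user settings under HKCU;
# ReadAsPlain / ReadSigned are the documented DWORD value names for this option.

param(
    [switch]$Enforce   # without -Enforce the script only reports the current state
)

$root = 'HKCU:\Software\Microsoft\Office'

# Enumerate installed Office version keys (e.g. 15.0, 16.0) that carry an Outlook subkey.
$versions = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' -and (Test-Path "$($_.PSPath)\Outlook") }

if (-not $versions) {
    Write-Warning "No Outlook version keys found under $root"
    return
}

foreach ($v in $versions) {
    $ver       = $v.PSChildName
    $prefKey   = "$root\$ver\Outlook\Options\Mail"                                  # user preference
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Options\Mail" # GPO override

    foreach ($key in @($prefKey, $policyKey)) {
        $scope       = if ($key -eq $policyKey) { 'policy' } else { 'user' }
        $readAsPlain = (Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        $readSigned  = (Get-ItemProperty -Path $key -Name ReadSigned  -ErrorAction SilentlyContinue).ReadSigned

        # Anything other than an explicit 1 means the body is still handed to the HTML/RTF renderer.
        $standard = if ($readAsPlain -eq 1) { 'plain text' } else { 'HTML/RTF rendering (weak)' }
        $signed   = if ($readSigned  -eq 1) { 'plain text' } else { 'rendered (weak/unset)' }

        Write-Host ("Office {0} [{1}]: standard mail = {2}; signed mail = {3}" -f $ver, $scope, $standard, $signed)
    }

    if ($Enforce) {
        # Write to the Policies key so the user-facing checkbox is greyed out and cannot be reverted.
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name ReadAsPlain -Type DWord -Value 1
        Set-ItemProperty -Path $policyKey -Name ReadSigned  -Type DWord -Value 1
        Write-Host "Office ${ver}: plain-text reading enforced via $policyKey (restart Outlook to apply)"
    }
}
```

Run it once without arguments to see which Office versions still render HTML, then with `-Enforce` (or push the same two DWORDs through Group Policy for the whole fleet). Outlook must be restarted for the change to take effect, and this mitigation costs all inline HTML formatting, so it is a stop-gap until the patch the post describes is deployed, not a substitute for it.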
tlansec retweeted
.@Volexity Volcano Server & Volcano One v26.04.27 adds memory analysis for arm64 Windows, memory-only .NET assemblies, SRUM database, Linux systemd units, history & timers from RAM. This release also adds detection of AppleScript usage, cleared Windows event logs, AV scanning of files & deployments across AWS accounts. Contact us for more information: volexity.com/company/contact… #memoryforensics #memoryanalysis #dfir
tlansec retweeted
Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/where-…
tlansec retweeted
everybody calm down. i got this.