ThreatHunter.ai Blog

ThreatHunter.ai Blog https://www.threathunter.ai/blog Expert insights on threat hunting, identity attacks, vulnerability management, and cybersecurity trends from the ThreatHunter.ai team. en-us Tue, 09 Jun 2026 17:51:37 GMT Pull the Power Cord: FIRESTARTER, AR26-113A, and a Backdoor That Survives Your Patches https://www.threathunter.ai/blog/firestarter-cisco-asa-ftd-backdoor-ar26-113a https://www.threathunter.ai/blog/firestarter-cisco-asa-ftd-backdoor-ar26-113a CISA and NCSC co-released a Malware Analysis Report today on a Cisco ASA/Firepower backdoor that patching does not remove. Here is what it does, why Sigma will not save you, and what to do this week. Thu, 23 Apr 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Detection Engineering Stryker, Handala, MOIS, and MuddyWater: The Full Kill Chain and the Unified Detection Pack (v3) https://www.threathunter.ai/blog/iran-handala-stryker-detection-pack-v3 https://www.threathunter.ai/blog/iran-handala-stryker-detection-pack-v3 The definitive brief on the Stryker attack. Two MOIS teams, one kill chain: MuddyWater pre-positioned for weeks, Handala pulled the trigger via Intune. Detection Pack v3 ships 25 rules covering every phase. Full IOC set and configuration hardening included. Thu, 16 Apr 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Detection Engineering We Built JAXBERT Because Small Defense Contractors Deserve Better Than a $200K Consulting Bill https://www.threathunter.ai/blog/we-built-jaxbert https://www.threathunter.ai/blog/we-built-jaxbert The CMMC Level 2 deadline is real. Consulting firms charge $80K-$200K to hand you a binder. JAXBERT is a purpose-built platform that walks defense contractors through every step of compliance, from assessment to C3PAO package. Thu, 09 Apr 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Product Updates CISA Got It Partially Right. Here\'s What They Missed. https://www.threathunter.ai/blog/cisa-got-it-partially-right-heres-what-they-missed https://www.threathunter.ai/blog/cisa-got-it-partially-right-heres-what-they-missed CISA published an advisory on endpoint management hardening after the Stryker wipe. Their Multi Admin Approval recommendation is a speed bump, not a wall. Here is what actually stops a Global Admin compromise: no standing privileges, PIM with Authentication Context, FIDO2 hardware keys, and automated session revocation. Thu, 19 Mar 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intelligence The Setup Was Already in Your Logs https://www.threathunter.ai/blog/iran-stryker-setup-already-in-your-logs https://www.threathunter.ai/blog/iran-stryker-setup-already-in-your-logs Iran was inside before the war started. How the March 6 server report connects to the Stryker wipe. The two-team MOIS playbook. What the 72-hour intelligence confirms. And the PIM Authentication Context gap that made it possible. Sat, 14 Mar 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Detection Engineering, Threat Intelligence Handala Detection Pack v2: Pre-Positioning, PIM Gap, and Bulk Wipe Controls https://www.threathunter.ai/blog/iran-handala-stryker-detection-pack-v2 https://www.threathunter.ai/blog/iran-handala-stryker-detection-pack-v2 Five new Sigma rules and KQL queries for Microsoft Sentinel covering MuddyWater pre-positioning IOCs, the PIM Authentication Context gap, three-layer bulk wipe prevention, stale session detection, and Rclone exfil to MuddyWater cloud infrastructure. Sat, 14 Mar 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Detection Engineering Iranian Threat Actor: Tools, Techniques, IOCs, and IOAs https://www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioas https://www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioas Full disclosure of a live Iranian operational server. Open directory on active threat actor infrastructure revealed custom attack tools, 11 CVEs, confirmed victims including EgyptAir and the Portuguese Immigration Service, and 280+ Israeli targets. Sat, 14 Mar 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intelligence The Snowflake Breach: How Missing MFA Handed Attackers the Keys to Everything https://www.threathunter.ai/blog/snowflake-breach-missing-mfa-handed-attackers-keys https://www.threathunter.ai/blog/snowflake-breach-missing-mfa-handed-attackers-keys Scattered Spider walked into Snowflake environments at Ticketmaster, AT&T, and Santander using stolen credentials. No zero-days. No malware. Just accounts without MFA. Here is the attack chain, what to look for in your logs, and what to fix. Wed, 11 Mar 2026 00:00:00 GMT info@threathunter.ai (Ivan W.) Threat Intel Iran-Linked Handala Wipes 56,000-Employee Medical Device Giant. Here\'s the Detection Pack. https://www.threathunter.ai/blog/iran-handala-stryker-wiper-detection-pack https://www.threathunter.ai/blog/iran-handala-stryker-wiper-detection-pack Handala weaponized Microsoft Intune to remotely wipe Stryker Corporation across 61 countries. We built 10 Sigma rules, KQL queries, and OpenSearch queries covering the full attack chain. Download the detection pack. Thu, 12 Mar 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Detection Engineering Infostealers Are the Biggest Story in Cybersecurity Right Now. Your MFA Will Not Save You. https://www.threathunter.ai/blog/infostealers-biggest-story-cybersecurity-mfa-wont-save-you https://www.threathunter.ai/blog/infostealers-biggest-story-cybersecurity-mfa-wont-save-you Infostealer malware is everywhere — in Chrome extensions, WhatsApp, fake AI tools, and GitHub repos. Attackers are not breaking your MFA. They steal what comes after it. The target is the session. Mon, 16 Feb 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intel America's Cyber Defense Agency Is Burning Down and Nobody's Coming to Put It Out https://www.threathunter.ai/blog/americas-cyber-defense-agency-burning-down https://www.threathunter.ai/blog/americas-cyber-defense-agency-burning-down CISA lost a third of its staff and its acting leader uploaded sensitive docs to public ChatGPT — while China sits inside U.S. critical infrastructure. Fri, 13 Feb 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intel A Love Letter That Broke the Internet: The ILOVEYOU Worm, 26 Years Later https://www.threathunter.ai/blog/love-letter-broke-internet-iloveyou-worm-26-years-later https://www.threathunter.ai/blog/love-letter-broke-internet-iloveyou-worm-26-years-later The ILOVEYOU worm infected 50 million machines in 10 days. Full technical breakdown and why the same attack pattern still works today. Tue, 10 Feb 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intel The News Cycle Is Burning. Threat Actors Are Still Working. https://www.threathunter.ai/blog/news-cycle-burning-threat-actors-still-working https://www.threathunter.ai/blog/news-cycle-burning-threat-actors-still-working This has been our busiest week of 2026 so far. Chaos is cover. Confusion is opportunity. Fatigue is the best vulnerability scanner ever invented. Fri, 06 Feb 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intel How to Detect AiTM Phishing Attacks https://www.threathunter.ai/blog/how-to-detect-aitm-phishing-attacks https://www.threathunter.ai/blog/how-to-detect-aitm-phishing-attacks AiTM attacks bypass MFA completely — attackers steal sessions while your tools see nothing wrong. Here is how to detect them. Sun, 25 Jan 2026 00:00:00 GMT info@threathunter.ai (ThreatHunter.ai Team) Technical What is Threat Hunting? A Complete Guide https://www.threathunter.ai/blog/what-is-threat-hunting-complete-guide https://www.threathunter.ai/blog/what-is-threat-hunting-complete-guide Learn what threat hunting is, why it matters for your organization, and how proactive detection differs from traditional security monitoring. Mon, 15 Dec 2025 00:00:00 GMT info@threathunter.ai (ThreatHunter.ai Team) Education How MILBERT AI Stops Authentication Attacks Before They Happen https://www.threathunter.ai/blog/milbert-ai-stops-authentication-attacks https://www.threathunter.ai/blog/milbert-ai-stops-authentication-attacks Discover how our agentic AI platform detects credential stuffing, password spraying, and other authentication attacks in real-time. Fri, 28 Nov 2025 00:00:00 GMT info@threathunter.ai (ThreatHunter.ai Team) Product 2024 Threat Landscape: Key Trends We\'re Seeing https://www.threathunter.ai/blog/2024-threat-landscape-key-trends https://www.threathunter.ai/blog/2024-threat-landscape-key-trends Our hunt teams share the most significant attack patterns and threat actor behaviors observed across our client base this year. Sun, 20 Oct 2024 00:00:00 GMT info@threathunter.ai (ThreatHunter.ai Team) Threat Intel Browser-in-the-Browser Attacks Are the New Phishing Kit https://www.threathunter.ai/blog/browser-in-the-browser-attacks-new-phishing-kit https://www.threathunter.ai/blog/browser-in-the-browser-attacks-new-phishing-kit Browser-in-the-Browser (BitB) attacks make URL-checking advice useless. The URL looks perfect because the entire browser window is fake. Here is how they work, why your security stack misses them, and what defenders must monitor. Thu, 05 Mar 2026 00:00:00 GMT info@threathunter.ai (Ivan W.) Threat Intel Q1 2026 Threat Landscape: The Pace Has Not Slowed https://www.threathunter.ai/blog/q1-2026-threat-landscape-pace-has-not-slowed https://www.threathunter.ai/blog/q1-2026-threat-landscape-pace-has-not-slowed Ransomware, phishing, and malware through the first 68 days of 2026. We tracked 2,522 ransomware claims across 81 groups, the continued rise of infostealers, and why the attack chain is running at scale. Mon, 09 Mar 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Threat Intel Microsoft Patch Tuesday March 2026: 86 CVEs, 2 Zero-Days, and a SQL Server Escalation You Cannot Ignore https://www.threathunter.ai/blog/microsoft-patch-tuesday-march-2026 https://www.threathunter.ai/blog/microsoft-patch-tuesday-march-2026 March 2026 Patch Tuesday delivers 86 CVEs including 10 Critical and 2 publicly disclosed zero-days. A SQL Server privilege escalation grants sysadmin over the network, and a Microsoft Authenticator info disclosure threatens MFA integrity. Here is what to patch first. Tue, 10 Mar 2026 00:00:00 GMT info@threathunter.ai (ThreatHunter.ai Team) Patch Tuesday Microsoft Patch Tuesday April 2026: 167 CVEs, Active SharePoint Zero-Day, and Wormable Networking RCEs https://www.threathunter.ai/blog/microsoft-patch-tuesday-april-2026 https://www.threathunter.ai/blog/microsoft-patch-tuesday-april-2026 April 2026 Patch Tuesday is the largest in years: 167 CVEs from Microsoft plus 344 released throughout the month for 512 total updates. An actively exploited SharePoint zero-day, wormable RCEs in Remote Desktop and Active Directory, and preview-pane Office exploits demand immediate action. Tue, 14 Apr 2026 00:00:00 GMT info@threathunter.ai (ThreatHunter.ai Team) Patch Tuesday The November 2026 Cliff Is Real. The Small Shops Are Going Over It First. https://www.threathunter.ai/blog/november-2026-cmmc-cliff-small-defense-contractors https://www.threathunter.ai/blog/november-2026-cmmc-cliff-small-defense-contractors Phase 2 of CMMC begins November 10, 2026. No Level 2 certification means no contract, no option year, no extension. The small shops that actually build America’s weapons do not have six-person compliance teams. They have Dave. Here is what we built for them. Tue, 21 Apr 2026 00:00:00 GMT info@threathunter.ai (James McMurry) Compliance CMMC Domain 1: Access Control, the One Everyone Underestimates https://www.threathunter.ai/blog/cmmc-domain-1-access-control-the-one-everyone-underestimates https://www.threathunter.ai/blog/cmmc-domain-1-access-control-the-one-everyone-underestimates Post one of fourteen. Access Control is the foundation. If you mess it up, none of the other thirteen domains save you, because the bad guy is already inside your environment looking at CUI. Tue, 28 Apr 2026 00:00:00 GMT info@threathunter.ai (James McMurry) CMMC