Skip to main content
Blog

Securonix Threat Labs Monthly Intelligence Insights – June 2026

  • July 8, 2026
  • 0 replies
  • 30 views
Dheeraj Kumar
Forum|alt.badge.img

Authors: Nitish Singh, Nikhil Kumar Chadha, and Tanmay Kumar 

Introduction: 

The Monthly Intelligence Insights report provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in June 2026. The report also includes a synopsis of the threats, indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and related tags. Each threat has a comprehensive summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and related search queries used via Autonomous Threat Sweeper to detect the below-mentioned threats, refer to our Threat Labs home page.

Last month, Securonix Autonomous Threat Sweeper identified and analyzed 4,566 TTPs and IoCs; identified 129 emerging threats; investigated 94 potential threats; and elevated 14 incidents. The top data sources swept against include IDS / IPS / UTM / Threat Detection, Data Loss Prevention, Endpoint Management Systems, and Email / Email Security.

Executive Summary: 

  • Mini Shai-Hulud/Miasma and easy-day-js: Supply chain activity moved from trusted npm maintainer accounts into PyPI and AI-framework packages. The operators used install-time execution, Bun-staged payloads, and GitHub-based propagation to collect developer, CI/CD, cloud, and model-access secrets. 

  • SHEET#CREEP: A diplomatic ISO lure delivered a C# RAT that used Google Sheets for command and control. The newer sample added XOR-obfuscated configuration, quieter persistence through COM, and in-process PowerShell execution. 

  • Edgecution: A Payouts King-linked access operation used a malicious Microsoft Edge extension, native messaging, a Python backdoor, and hidden headless Edge execution to turn browser compromise into host-level access. 

  • FortiBleed: The Fortinet activity is best understood as credential compromise and access brokerage, not a new zero-day event. The exposed tooling points to scanning, password testing, hash cracking, VPN validation, internal AD reconnaissance, and resale of working access. 

  • CVE-2026-20245: The Cisco Catalyst SD-WAN Manager intrusion combined rogue peering or compromised trust material with password manipulation, configuration access, local privilege escalation, and anti-forensic cleanup. 

  • The Gentlemen: The ransomware operation is investing earlier in the intrusion chain. Recent activity includes a custom Go backdoor, packet capture, BYOVD-based security tampering, GPO or PsExec deployment, and an emerging C-based locker. 

  • Dropping Elephant: The actor kept the familiar LNK-to-PowerShell delivery pattern but moved more of the payload into memory with legitimate binary side-loading, Donut shellcode, and AMSI, WLDP, and ETW patching. 

  • Click hijacking and TDS impersonation: Fake software portals now preserve believable download links while intercepting the first click and routing users through gated redirect logic. Depending on the session, victims may receive stealers, clippers, PUA, or follow-on loaders. 


Threat Overview: 

 

Securonix Threat Research & Malware Highlights:                       (Originally published in June 2026) 

  • SHEET#CREEP returns with stronger configuration obfuscation 

Securonix Threat Research identified renewed SHEET#CREEP activity using a C# remote access trojan and a diplomatic-themed ISO lure. The RAT used the Google Sheets API as its C2 channel. It authenticated with an embedded Google Cloud Platform service-account private key and used a separate spreadsheet tab for each victim to exchange commands and results. The team extracted the credentials, accessed the live spreadsheet, and found 91 active victim tabs, including one high-confidence target in Pakistan. 

The ISO was themed around "UAE-India Strategic Partnership Week." It contained a small C# dropper and a decoy PDF, with a single LNK file presented as a harmless document. Opening the LNK launched cmd.exe and started the embedded dropper. The dropper extracted the PDF to a temporary location, wrote the RAT as vaultsvc.exe under %LOCALAPPDATA%\Microsoft\Vault, marked the file as Hidden and System, and created persistence through the Task Scheduler COM API instead of schtasks.exe. The scheduled task, WindowsVaultSyncService, used a description that blended Windows, Edge, and Discord language. The dropper then removed itself and replaced the original executable path with the bait PDF, leaving few obvious disk artifacts. 

The RAT creates a victim ID from the username and hostname, enforces a single instance through a mutex, and uses Google Sheets API v4 over HTTPS for bidirectional C2. Configuration strings that appeared in plaintext in earlier activity are now XOR-obfuscated with the key "discrete." After authentication, the malware creates or reuses a victim spreadsheet tab, writes a timestamp and systeminfo output, polls for Base64-encoded commands, and writes command output back to the sheet. It runs commands through an in-process PowerShell runspace, which avoids a separate powershell.exe child process. Attribution to APT36 remains moderate confidence. 

Analyst assessment: The main change is operator refinement. The Google Sheets channel was already known, but the newer sample reduces obvious telemetry. Configuration is decrypted at runtime, persistence uses COM rather than a command-line utility, and PowerShell runs inside the RAT process. The live spreadsheet also provided useful campaign visibility by separating sandbox and research tabs from likely real targets. Forced reboots when tools such as dnSpy or Wireshark appear suggest active counter-forensics rather than a fully unattended implant. 

Defender priority: Diplomatic and government-facing organizations should investigate non-browser processes that maintain Google Sheets API access. Unexpected executables under %LOCALAPPDATA%\Microsoft\Vault, deceptive scheduled task metadata, and PowerShell execution without powershell.exe are strong hunting leads.

  • Dropping Elephant updates an older delivery pattern with a memory-resident RAT 

Dropping Elephant used a China-themed decoy document to deliver a RAT through a layered in-memory chain. The first stage was a malicious LNK disguised as a PDF about a GRES-3 energy contract notice. Opening it launched conhost.exe and an obfuscated PowerShell downloader, retrieved the decoy, and staged payload components in the background. The chain rebuilt Fondue.exe, APPWIZ.cpl, runtime files, and an encrypted payload container from junk-named downloads. It placed files in C:\Users\Public and C:\Windows\Tasks, then created a recurring scheduled task named GoogleErrorReport. Fondue.exe side-loaded APPWIZ.cpl, which decrypted editor.dat into Donut shellcode. Donut then unpacked the final RAT directly into memory. 

Before execution, the implant patched AMSI, WLDP, and ETW to reduce visibility. The final payload was a 32-bit C++ RAT with dynamic API resolution, HTTPS C2, Salsa20 field protection, host fingerprinting, directory listing, download-and-execute, screenshot capture, shell execution, and file upload. Live tasking was limited because the C2 server was unavailable, but the host profiling and beaconing logic were recoverable. Attribution to Dropping Elephant is based on shared command handling, screenshot behavior, WININET request flow, shell execution patterns, and delivery workflow, despite reduced binary similarity from refactoring and control-flow flattening. 

Analyst assessment: The actor kept the delivery workflow defenders may already know: LNK lure, PowerShell staging, scheduled task persistence, legitimate binary abuse, and side-loading. The upgrade is in the payload chain. Donut loading, layered encryption, and telemetry patching buy time against defenders who rely on disk artifacts or static signatures. The attribution case is stronger because it is grounded in workflow and code-level behavior, not lure theme alone. Victimology remains unclear; the lure is specific, but the available data does not confirm who received it or how widely it was distributed. 

Defender priority: Hunt for LNK to conhost.exe to PowerShell chains, files staged under C:\Users\Public, recurring GoogleErrorReport tasks, and Fondue.exe loading APPWIZ.cpl from an unusual path. Memory telemetry matters here because the final RAT is designed to appear after disk-based controls have lost much of their value. 

  • Search result impersonation turns software downloads into malware brokerage 

Researchers observed a software-impersonation ecosystem built around fake project sites that mimic trusted open source and freeware portals. The brands target developers, reverse engineers, and malware analysts. The deception occurs after the click. The pages keep believable download links, and in some cases still point to real GitHub releases, while CloudFront-hosted JavaScript intercepts the first eligible user interaction and sends the session into a Traffic Distribution System. The TDS applies browser checks, visit-state logic, frequency caps, VPN and datacenter filtering, and anti-bot controls before choosing the next destination. More than 100 active sites used the same staging model, with the cluster moving from suspicious impersonation infrastructure in late 2025 to active malware delivery in early 2026. 

Outcomes varied by session. Some users were routed to content lockers, unwanted extensions, or benign software offers, which supports a traffic-monetization motive. Other sessions delivered malware, including RemusStealer, AnimateClipper, and a newly observed framework called SessionGate. SessionGate uses per-session payload generation, server-side victim registration, short-lived delivery URLs, encrypted modules, and anti-analysis checks that often send researchers back to a decoy installer. The evidence does not point to narrowly targeted attacks, even though the impersonated brands appeal to technical users. The stronger read is opportunistic traffic acquisition followed by selective downstream abuse. 

Analyst assessment: These sites are not simple malware hosts. They are traffic brokers that keep trust cues intact until the first click, then hand the user to a decision engine. That makes attribution and response harder because the site operator may be separate from the stealer, clipper, or bundler operator. SessionGate is worth tracking because its one-time key release, decoy fallback, and server-tied module decryption look more mature than ordinary commodity delivery. 

Defender priority: Treat search-result software impersonation as more than a phishing problem. Users can start from a legitimate search, land on a polished page, hover over a credible link, and still be diverted on the first click. Prioritize detections for software-brand impersonation, unexpected post-click redirects, anomalous CloudFront script dependencies on download pages, and payloads reached only after browser or GEO filtering.


FortiBleed Exploitation:                                                                   (Originally published in June 2026) 

  • FortiBleed is a working access pipeline, not a mass-breach headline 

FortiBleed is not a new Fortinet zero-day. The exposed material points to credential compromise and access brokerage around internet-facing FortiGate firewalls and SSL VPN gateways. Weak passwords, credential reuse, brute force activity, and offline hash cracking drove the operation. An exposed attacker server held 319 files that covered the workflow: scanning and validation scripts, cracking infrastructure, credential and target databases, enrichment scripts, honeypot filtering, post-exploitation tooling, and at least one live SSL VPN configuration tied to a victim environment. 

The operators scanned internet-facing interfaces, tested credentials at scale, cracked hashes with a Hashtopolis deployment backed by rented GPU instances, validated working access, and then moved into internal networks. After VPN or SSH access was validated, the toolkit supported Active Directory enumeration through LDAP, internal password spraying, and share access checks. A revenue-sorted target file indicates the intended outcome: resale of working SSH and VPN access. 

The scale requires careful wording. The widely cited figure of 21,632 appears to reflect entries in an attribution database tied to device registration and related metadata, not a verified count of breached organizations. The operators own tooling showed 918 organizations with evidence of captured Kerberos traffic from inside networks. Of those, 148 cases included cracked Kerberos material with verified AD credentials. Attribution to a specific operator origin remains unresolved. 

Analyst assessment: The exposed infrastructure gives an unusually complete view of credential harvesting, validation, internal expansion, and access monetization. The most important finding is not the credential list by itself. It is the presence of post-compromise tooling and evidence of internal network access in a subset of cases. That creates a credible path from perimeter access to Active Directory reconnaissance. More verified internal compromise would strengthen the assessment. Evidence that most credentials did not lead beyond the edge device would weaken it. 

Defender priority: Treat exposed Fortinet management surfaces and reused administrator credentials as urgent investigation items. The first successful login is only the start. The stronger signal is what follows: LDAP enumeration, Kerberos spraying, SMB share access, and unusual internal activity chained from VPN or firewall access. Inclusion in a broad dataset is not proof of compromise, but it is enough reason to validate exposure and rotate credentials.

Securonix Threat Labs has also published a detailed FortiBleed analysis covering tradecraft, impact, and recommended mitigations. Refer to the full report for the complete findings. 


Cisco Catalyst Zero-Day Exploitation                                             (Originally published in June 2026) 

  • Zero-day exploitation in Cisco Catalyst SD-WAN Manager

A service provider environment experienced an intrusion involving Cisco Catalyst SD-WAN infrastructure. The actor gained unauthorized access to SD-WAN Manager devices through rogue peering connections, possible exploitation of authentication bypass vulnerabilities (CVE-2026-20127 and CVE-2026-20182), or previously compromised certificate material. After gaining administrative access, the actor authenticated through SSH and the web interface, changed administrator credentials, and accessed SD-WAN fabric configuration data. 

The actor then exploited CVE-2026-20245 by uploading a crafted CSV file named evil_tenant.csv. The file enabled arbitrary command execution with root-level privileges on the affected SD-WAN Manager device, giving the actor full control of the system. 

Analyst assessment: The intrusion chained access to SD-WAN Manager with local privilege escalation. The sequence suggests planning rather than opportunistic probing: gain privileged access, change credentials, collect fabric data, escalate to root, then remove or restore artifacts to slow investigation. Because Cisco SD-WAN Manager controls connectivity, segmentation, and security policies, compromise could let an attacker alter network configuration, preserve administrative access, and affect managed devices across the environment. 

Defender priority: Review SD-WAN peering, certificate material, credential changes, file uploads, and local privilege-escalation artifacts. Rogue peering or compromised trust material can be as dangerous as a software exploit when it gives an attacker a path into the controller. 

Securonix Threat Labs has also published a detailed Cisco Catalyst SD-WAN vulnerability analysis covering tradecraft, impact, and recommended mitigations. Refer to the full report for the complete findings.


Supply Chain Attack / NPM                                                              (Originally published in June 2026) 

  • Shai-Hulud/Miasma expands across PyPI and @immobiliarelabs npm packages

The Shai-Hulud/Miasma campaign expanded across both Python and npm ecosystems. In PyPI, attackers published 37 malicious wheel packages across 19 projects. In npm, they compromised legitimate @immobiliarelabs packages used for GitLab integration and LDAP authentication in Backstage deployments. 

The two waves used similar tradecraft. Packages executed malicious code during installation or startup, abused legitimate ecosystem features, fetched the Bun JavaScript runtime, and launched an obfuscated multi-stage JavaScript stealer. The malware targeted developer credentials, GitHub tokens, cloud identities, CI/CD secrets, and package publishing credentials. It also used GitHub repositories and GitHub Actions workflows for exfiltration and propagation. 

The activity appears to extend the Mini Shai-Hulud/Miasma family rather than introduce a new toolkit. The operators adapted npm techniques for PyPI and developer workflows. Compromised maintainer accounts, malicious updates, and republished historical versions increase the chance that developers or build systems install the payload before package removal. 

Analyst assessment: The operators are moving proven supply chain techniques across package ecosystems. They are exploiting trust in package managers, maintainer accounts, release automation, and routine dependency updates rather than relying on a single repository or language. 

The PyPI activity is important because the malware abuses Python's legitimate .pth startup mechanism, allowing code to run automatically after installation without direct package execution. The npm activity adds risk because compromised Backstage-related packages may sit near internal developer portals, GitLab integrations, LDAP authentication, and release workflows. 

The primary impact is credential theft. GitHub tokens, cloud keys, CI/CD secrets, and publishing credentials can give attackers access well beyond the original package installation. Those credentials may enable source-code theft, unauthorized package releases, cloud compromise, or additional supply chain activity. 

The watchpoint is spread. Analysts should look for movement into additional package repositories, maintainer accounts, and release pipelines, along with refinements in startup execution, GitHub Actions abuse, and Bun-based payload delivery. Confirmed downstream intrusions or named victims would strengthen the assessment. If the activity remains limited to a small set of compromised accounts, the broader risk assessment should be narrowed. 

Defender priority: Treat affected packages as possible credential exposure, not only as dependency hygiene issues. Identify installations of malicious PyPI wheels and compromised @immobiliarelabs npm versions. Review developer endpoints and build systems for suspicious Bun execution, unauthorized GitHub Actions runs, unusual repository creation, and unexpected exfiltration paths. 

Security teams should rotate any credentials that may have been available to affected developer systems or CI runners, including GitHub tokens, cloud keys, package publishing credentials, and CI/CD secrets. 

  • Mastra npm supply chain attack: 140+ packages backdoored through easy-day-js typosquat

Mastra AI was hit by a large npm supply chain attack after attackers compromised the @mastra npm organization and injected a typosquatted dependency, easy-day-js, into more than 140 packages. The attacker first published a clean dependency to build legitimacy, then replaced it with a malicious update. The malicious version used an obfuscated postinstall dropper that downloaded a second stage, executed it in the background, and deleted itself. The affected packages collectively exceeded 1.1 million weekly downloads, so any environment installing affected versions may have exposed developer credentials, cloud secrets, CI/CD tokens, and AI-related API keys. 

Analyst assessment: The operation combined organization compromise, dependency typosquatting, staged malware delivery, and automated mass publishing. The AI-development context raises the stakes because these environments often hold credentials for cloud infrastructure, source control, package registries, and LLM providers. Confirmed credential theft or follow-on intrusions would strengthen the assessment. Rapid package removal and low install volume would narrow the expected impact. 

Defender priority: Validate dependencies, use package cooldown policies for new releases, monitor outbound connections during package installation, and rotate credentials on systems that installed affected versions. AI-framework environments deserve special attention because API keys and cloud credentials are often present on the same systems.


Emerging Ransomware Activity                                                      (Originally published in June 2026) 

  • The Gentlemen ransomware operation adds custom backdoors and sharper intrusion tooling

The Gentlemen ransomware-as-a-service operation added a custom Go-based backdoor, an emerging C-based Windows ransomware variant, and stronger post-compromise tooling. The group gains access through stolen credentials or vulnerable internet-facing services, then moves into reconnaissance, security-tool bypass, lateral movement, and large-scale ransomware deployment. 

Recent activity includes BYOVD techniques to disable security tools, Active Directory reconnaissance to map environments, and GPO or PsExec to push ransomware across enterprise networks. Reported targeting spans multiple sectors, including critical infrastructure and large enterprise environments. 

Analyst assessment: The ransomware payload is only one part of the operation. The more important development is the intrusion framework around it. The Go implant gives operators persistent access before encryption begins. From that foothold, they can map the domain, weaken defenses, move laterally, and prepare broader deployment with less dependence on commodity tooling. GPO automation and domain-wide execution shorten the time between compromise and impact. 

The C-based ransomware variant suggests continued investment in proprietary tooling. The group is building its own access, evasion, and deployment stack rather than relying only on recycled malware. 

Defender priority: Shift detection earlier in the ransomware chain. Reconnaissance, privilege escalation, vulnerable-driver abuse, GPO changes, PsExec activity, packet capture, and unusual domain-wide deployment behavior may provide better opportunities to stop the attack than waiting for locker execution. 

  • Payouts King-linked access operation deploys Edgecution malware

A ransomware-linked initial access operation used Edgecution, a malicious Microsoft Edge extension, to establish persistent access through social engineering. Victims were sent to a fake Microsoft update portal that installed an obfuscated Edge extension and a Python backdoor. 

The malware abused Chrome's native messaging protocol to connect browser activity with host-level execution. That gave the operator filesystem access, process launch capability, C2 communication, and arbitrary code execution through a hidden headless Edge instance. 

Analyst assessment: Edgecution is not a browser exploit. It abuses a legitimate feature that lets extensions communicate with local applications. The tool uses a headless Edge instance, registry-based configuration, staged Python components, and per-command process spawning to blend into browser and system behavior while preserving host-level execution. Browser extensions are part of the access and persistence layer here, not only the lure. 

Defender priority: Watch for suspicious Edge or Chrome extension installs, native messaging host abuse, unusual registry keys tied to extensions, hidden headless browser activity, and unexpected Python execution launched from browser-related processes. Detections focused only on standalone executables or browser exploits may miss this tradecraft.


Securonix Threat Labs Summary: 

Based on the threats observed during June 2026, Securonix Threat Labs recommends implementing the following defensive measures to strengthen security posture and mitigate potential risks. 

Identity and Access:

  • Remove direct internet exposure for firewall, VPN, and SD-WAN administrative interfaces where possible. Restrict management access to trusted networks and require MFA for every privileged path. 

  • Rotate perimeter administrator, VPN, service-account, and remote-authentication credentials after any sign of exposure, especially if device configurations may have been exported or validated by an attacker. 

  • Review SD-WAN trust relationships, peering events, and certificate material for rogue peers, stale trust anchors, and suspicious reauthentication involving default or built-in accounts. 

  • Treat unfamiliar successful administrative logins on edge devices as possible intrusions. Verify that no backdoor accounts, altered controls, or residual attacker access remain. 

Email, Phishing, and User Awareness:

  • Block or detonate externally sourced ISO, LNK, and script-bearing archives. Prevent mounted-image execution from email, chat, and download paths unless it is explicitly approved. 

  • Train users to validate Teams-delivered "IT update" prompts, fake Microsoft update portals, and copy-paste remediation instructions through internal channels before running anything. 

  • Remind users that polished project pages, realistic branding, and legitimate-looking hover targets do not prove a download is safe. 

  • Route software acquisition and browser updates through approved enterprise sources. Discourage ad-driven search results and third-party download portals for technical tools. 

Endpoint and Remote Access:

  • Alert on hidden or system-attributed executables staged in %LOCALAPPDATA%\Microsoft\Vault, C:\Users\Public, temporary directories, and unusual browser profile locations. 

  • Hunt for misleading persistence artifacts such as WindowsVaultSyncService, GoogleErrorReport, UpdateUser, and TaskSystem, especially when they launch binaries from user-writable paths. 

  • Monitor headless Edge launches with extension-loading arguments, newly written native messaging manifests, native_host.bat creation, and Python processes spawned from browser-extension workflows. 

  • Treat netsh trace, PsExec deployment, RSAT installation, Windows Defender tampering, vulnerable-driver loads, OpenArk64, and Windows Kernel Explorer usage as likely intrusion preparation or ransomware precursor activity. 

Browser and AI Governance:

  • Use strict browser-extension allowlisting in Edge and Chrome. Restrict native messaging hosts to approved publishers, extension IDs, and validated filesystem paths. 

  • Audit AI assistants, MCP integrations, IDE plugins, and developer-browser extensions for unnecessary access to repositories, prompts, tokens, local files, and all-page browser sessions. 

  • Handle LLM API keys, GitHub tokens, package-publishing credentials, and cloud CLI profiles on developer systems as incident-response priorities when browser compromise or supply chain exposure is suspected. 

  • Review GitHub repositories, workflow artifacts, AI-tool configuration files, and extension-related persistence points for staging or secret exfiltration. 

Cloud, Developer, and Workload Security:

  • Pin GitHub Actions to immutable commit SHAs, restrict deployment-triggered workflows, and review release automation for mutable-tag abuse or unauthorized publishing paths. 

  • Detect package-install execution paths beyond obvious hooks, including binding.gyp or node-gyp indirection, executable .pth lines, remote Bun downloads, and detached child processes launched during installation. 

  • Rebuild affected CI runners and developer workstations instead of cleaning them in place. Rotate npm, PyPI, JFrog, cloud, Docker, Kubernetes, Vault, SSH, and CI/CD secrets that may have been in scope. 

  • Baseline and alert on abnormal GitHub API usage, workflow edits, .github additions, .claude or MCP configuration changes, and temp-directory staging tied to package installation or release jobs. 

Vulnerability and Exposure Management:

  • Prioritize hardening and patching for Cisco SD-WAN controllers and Fortinet edge gear. Confirm that rogue peers, stale certificates, and exposed management services are not reachable from the public internet. 

  • Upgrade FortiOS to stronger hashing support where applicable, force administrative reauthentication, and remove long-lived credentials that may still map to legacy hashes. 

  • Review edge-device upload features, configuration stores, and local logs for privilege-escalation abuse, unauthorized CSV or file uploads, and anti-forensic restoration of attacker-modified files. 

  • Treat publicly reachable management planes and verified credential datasets as possible downstream intrusion and access-resale risk, not as temporary exposure only. 

Detection Engineering and Response:

  • Correlate browser, endpoint, CI/CD, and network telemetry so lures, first-stage execution, public-service C2, and persistence can be reconstructed in one timeline. 

  • Add detections for non-browser access to Google Sheets APIs, package-install traffic to Bun release paths, GitHub API exfiltration, CloudFront-hosted redirectors, and unusual WebSocket activity from browser-extension contexts. 

  • Hunt for memory-resident tradecraft such as Donut-style loading, reflective PE execution, AMSI, WLDP, or ETW patching, and .NET-hosted PowerShell with minimal disk evidence. 

  • During containment, remove redundant access paths across tasks, extensions, services, registry runs, manifests, workflow files, dropped drivers, and staged loaders before restoring user productivity. 


Outlook for the Months Ahead:

  • Highest-confidence forecast: supply chain attacks will continue to target maintainer accounts, release automation, and AI-development stacks. These environments concentrate source code, tokens, cloud credentials, package publishing rights, and model access. 

  • Cloud and developer services will remain useful attacker infrastructure. Google Sheets, GitHub, and CDN-backed redirect layers provide normal-looking traffic, low operating cost, and flexible per-victim tasking. 

  • Credential attacks against edge appliances will remain common because exposed management planes, reused passwords, and stolen certificate material are cheaper and quieter than burning a zero-day. 

  • User-driven execution will remain a reliable first step. Fake updates, Teams-style help desk prompts, ISO and LNK lures, and first-click hijacking all move the victim into the execution chain and weaken attachment-focused controls. 

  • Browser-centered intrusions are likely to grow where extensions, native messaging, and headless browser runs can bridge web content to local execution without obvious on-screen malware behavior. 

  • Memory-resident malware and legitimate-binary abuse will continue across espionage and intrusion sets. The goal is a smaller disk footprint without giving up post-compromise control. 

  • Ransomware operators and access brokers will keep investing before encryption. Expect more custom backdoors, reconnaissance, packet capture, BYOVD, AD enumeration, and staged lateral movement before lockers run. 

  • Anti-analysis and anti-forensic hardening will increase. More samples will use obfuscated configuration, runtime checks, cleanup routines, and selective artifact removal to slow triage and reduce confidence in early evidence. 


For a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to ours Threat Labs home page. The page also references a list of relevant policies used by threat actors.  

We would like to hear from you. Please reach out to us at scia@securonix.com.  

Note: The TTPs when used in silo are prone to false positives and noise and should ideally be combined with other indicators mentioned. 

Contributors: Dheeraj Kumar