Today, Red Canary officially joins the @zscaler family! 🎉
We are thrilled to mark this incredible milestone and join forces with the leader in cloud security to deliver unified security operations to help our customers strengthen their cyber defenses.
Zscaler and Red Canary will enable the industry’s most advanced SOC capabilities, setting a new standard for the future of the security landscape.
As we take this big step forward, one thing will always remain true: We got you! 💪 https://t.co/yD2vNuT3aI
Next Tuesday, we’re live on SecOps Weekly with Senior Intelligence Analyst Stef Rand! 👏
Stef joins us to preview June’s Intelligence Insights Report and share fresh findings from the Threat Intelligence team. Which threats do you think made the Top 10?
Don’t miss it! 👉 https://t.co/UFvSxxwBCu
The goal of scaling a threat hunting program is not just finding more threats but making those findings actionable.
🔁 This continuous feedback loop ensures that insights gained from proactive hunting directly strengthen the organization’s defensive posture, making it more resilient in the long run.
Read our new blog to learn how to level up your hunts: https://t.co/wdMrso26GV
Zscaler ThreatLabz discovered a new sophisticated malware family that we named MLTBackdoor, which is likely used by an initial access broker for ransomware attacks. Similar to Cobalt Strike, MLTBackdoor provides post-exploitation capabilities on demand with a BOF loader alongside remote filesystem access.
Most MLTBackdoor samples are heavily obfuscated with control flow flattening (CFF), mixed boolean-arithmetic (MBA), stack-based strings, indirect system calls, and hash-based import resolution. In addition, the code checks for virtual machines and analysis environments.
MLTBackdoor implements a date-based DGA as a backup C2 channel. Network communications are protected with ECDH key agreement over NIST curve P-256 and AES-256-GCM encryption.
An MLTBackdoor DGA script is available here: https://t.co/4SStkNhHtR
Read the full analysis here: https://t.co/OIZICAHYhQ
If your tech stack is a force multiplier, but your “human tool” is at zero, what exactly are you multiplying? 🤨
Join Keith McCammon and Katie Nickels live on SecOps Weekly to hear how to lead your SOC team through the anxiety of the agentic AI shift—and how better prioritization can help.
Join us live tomorrow at 1 p.m. ET / 10 a.m. PT 👉 https://t.co/ujAK6KQ18H
Assistive AI agents aren’t always so helpful—it all depends on whose behalf they're working on. 🥸
The final installment of our series on suspicious AI workflows in Microsoft Entra ID highlights an "on behalf of" authentication workflow.
🪵 Take a look at the logs: https://t.co/hxlwolWIFC
🚨 ThreatLabz identified a malicious Python package in PyPI named "parsimonius" that was designed to impersonate the legitimate parsimonious package through typosquatting. The threat actor selected a package name differing by a single character and assigned it a version number intended to appear newer than the legitimate release, increasing the likelihood of inadvertent installation by developers.
Before its removal from the package repository, the malicious package was downloaded 2,474 times within a matter of days. ThreatLabz analysis revealed that the package incorporated the legitimate parsimonious parsing functionality to avoid suspicion while simultaneously deploying a Telegram-based backdoor. Once installed, the backdoor provided attackers with remote access capabilities and facilitated the theft of sensitive data, including .env files and bot authentication tokens.
The SHA1 hash of the malicious package is a01c2a21f24db63cb01a67016519aebeca438089.
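One way to turn the two facts in this post into a hunting check: the malicious name is one edit away from a legitimate package, and the post gives a SHA1 for the package artifact. The script below is an added example, not ThreatLabz or Red Canary code; it computes edit distance between the packages named in a requirements file and a defender-maintained allow-list of known-good names (the allow-list and the sample requirements file are constructed here), flagging anything that is not on the list but within one edit of a name that is, and it compares a package archive's SHA1 against the IOC from the post. The PEP 503 name normalization is included so that `Parsimonious` and `parsimonious_` do not produce false alarms.

```python
import hashlib
import re
from typing import Iterable, List, Tuple

# Constructed allow-list: packages the organization actually depends on.
# In practice this comes from your lockfiles or internal index (assumption).
KNOWN_GOOD = {"parsimonious", "requests", "numpy"}

# IOC from the ThreatLabz post: SHA1 of the malicious "parsimonius" package.
MALICIOUS_SHA1 = {"a01c2a21f24db63cb01a67016519aebeca438089"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> List[str]:
    """Extract package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def find_typosquats(installed: Iterable[str],
                    known_good: Iterable[str] = KNOWN_GOOD,
                    max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Return (installed_name, closest_known_good, distance) for names that are
    not on the allow-list but sit within max_distance edits of one."""
    good = {normalize(n) for n in known_good}
    hits = []
    for name in installed:
        n = normalize(name)
        if n in good:
            continue  # exact (normalized) match: legitimate
        for g in good:
            d = levenshtein(n, g)
            if d <= max_distance:
                hits.append((name, g, d))
                break
    return hits


def sha1_matches_ioc(data: bytes, iocs: Iterable[str] = MALICIOUS_SHA1) -> bool:
    """True if the archive bytes hash to a known-malicious SHA1."""
    return hashlib.sha1(data).hexdigest() in set(iocs)


# Constructed sample requirements file containing the typosquat.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
parsimonius==0.11.0   # one character off from parsimonious
numpy>=1.26
"""

if __name__ == "__main__":
    for name, legit, dist in find_typosquats(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"suspicious: {name!r} is {dist} edit(s) from allow-listed {legit!r}")
```

Run it against a real requirements file or the output of `pip freeze`; any hit deserves a look at the package's upload history and version numbering before it is trusted, since the version chosen for the typosquat was meant to look newer than the legitimate release. The SHA1 check is only useful for artifacts you already have on disk or in a proxy cache; it will not catch a re-uploaded variant.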
This month's list of upcoming CFP deadlines is our longest ever! Check out @SAINTCON, @HackRedCon, and other security conferences looking for speakers. 📢
👀 Take a look: https://t.co/xe3VW3Ix7A
Tomorrow we're live at 1 p.m. ET / 10 a.m. PT for our latest episode of SecOps Weekly!
Phil Hagen and Chris Brook are hopping on to chat about the latest security trends and answer audience questions from our mailbag.
Join us live to hear their take and learn what you and your team should be paying attention to. 👀 https://t.co/d6iwrQo7TP
🤖 Your “agentic coworker” is sending suspicious messages via Microsoft Teams. It’s going to need to have a chat with the agentic HR department.
🔗 Read Part 2 of our series on investigating suspicious AI workflows in Entra ID: https://t.co/J9wd7kyVFF
Some people say that defenders need to be right every time but attackers only need to be right once. Those people are wrong.
🔥 Read our hot take about pentesting and learn how to prioritize and optimize your adversary emulation strategy. https://t.co/CceNOvn6SQ
👣 AI agents leave footprints that traditional identity security solutions might miss. If an autonomous agent performed a privileged action in your Entra tenant, what would that look like in the logs?
Read the first installment of our new blog series about suspicious AI workflows in Microsoft Entra ID:
https://t.co/C3TwnkwosA
ClearFake is one of the OG paste-and-run threats Red Canary has observed in the last few years, and it finds itself at the top of this month's top 10 dropping a new payload: ACR Stealer.
💡 Get detection opportunities and more in this month's Intelligence Insights: https://t.co/7wTqY0b7kv
What does it take to turn malicious package analysis into actionable behavioral logic?
On the May 26 episode of SecOps Weekly, Tony Lambert and Keith McCammon will explore how security teams can move beyond spotting suspicious packages to understanding the behaviors that matter most.
Join the conversation for insights on how this approach can strengthen detection, investigations, and response.
📅 Tune in live on May 26: https://t.co/m1nmRN9KBI
Don’t miss it! Tomorrow, Stef Rand joins SecOps Weekly to preview the May 2026 Intelligence Insights findings.
Tell us: Which newcomers do you think made the list? What threat claimed the #1 spot? 🤔
Find out tomorrow at 1 p.m. ET / 10 a.m. PT ➡️ https://t.co/WmYFa3rmuZ
🔜 Next Tuesday at 1 p.m. ET / 10 a.m. PT, catch Senior Intelligence Analyst Stef Rand on SecOps Weekly!
She’ll be joining Keith McCammon LIVE to preview this month’s Intelligence Insights report and break down the findings.
See which threats hit the Top 10, learn about the newcomers to the list, and give your team the edge they need to outpace the bad guys.
You won't want to miss this convo! 👉 https://t.co/pZaNAWPuIa
This week on SecOps Weekly, Red Canary's Keith McCammon and Brian Donohue took audience questions in a special AMA edition of the show. 🎙️
Their list of the most pressing security issues might not surprise you—but Keith and Brian aren't here to shock you. They’re here to help you tackle them. 🛠️
Watch the full episode on demand on our YouTube channel! 👉 https://t.co/Vdc3APTvQ9
Our latest blog is a primer on an often untapped source of telemetry in Linux investigations: cgroups.
The Linux kernel exposes cgroups in a unified, nested hierarchy that defenders can reference while looking into malicious or suspicious processes.
📜 We've even included a Golang script for collecting this data to help you get started.
Dive in: https://t.co/jvaBmAwYsu
No scripts. Just security. 🎙️
Catch Keith McCammon and Brian Donohue on SecOps Weekly for a live AMA on Tuesday, May 12. They’re breaking down the latest hot topics and taking your questions live.
Bring your questions and join the conversation! https://t.co/2SaXv0qpQa
Still stuck in the "query-and-wait" loop? Tomorrow on SecOps Weekly, we’re talking about high-performance threat hunting.
Red Canary’s Brittany Sattler and Andrew Sharpe join Keith McCammon to discuss:
✅ Shifting from manual tasks to structured workflows.
✅ Using high-performance data tools like DuckDB to speed up investigations.
✅ Moving to a hypothesis-driven hunting model.
Don't just hunt harder—hunt smarter.
🔴 Tune in LIVE tomorrow at 1 p.m. ET / 10 a.m. PT: https://t.co/9OGDkqoVj4
🪐 Whether it's from the "force" or that extra shot in your latte, we hope you find the inspiration on this Star Wars Day to apply to speak at a security conference!
☕ Here's a list of upcoming calls for papers, including @SANSCloudSec and @CybrSecCon! https://t.co/0zlP8rTeDk