In case you've missed it, we have a blog!
Every week, a Hunter Strategy expert shares their tips, opinions, and advice in an article.
These blog posts can help expand your knowledge and give you tools for success!
Read more here: https://t.co/J6btnyqwzv
#blog #hunterstrategy #IT
This Is Fine | Building a Security Culture
"Culture can make or break an organization."
Security isn't just about tools, controls, or compliance frameworks.
It's about people.
In this episode, host Matt Triner (Founder of Hunter Strategy) is joined by Russell Eubanks (Cyverity Co-Founder and SANS Principal Instructor) and Andrew King (Hunter Strategy CISO and IANS Faculty Member) to discuss what it takes to build a lasting security culture inside organizations.
From leadership alignment to employee engagement, the conversation explores how organizations can move beyond checkbox security and create environments where security becomes part of how the business operates.
Because strong security programs aren't just implemented.
They're adopted.
Listen here: https://t.co/Dt7DQmwH9f
#CyberSecurity #SecurityCulture #EnterpriseSecurity #SecurityLeadership
North Korean threat group Kimsuky isn't slowing down - and their latest HTTPSpy campaign is a good reminder of how sophisticated social engineering has become.
In their most recent activity (observed through March and April 2026), Kimsuky masqueraded as legitimate B2B software installers and a spoofed Cisco Webex troubleshooting page to get victims to run malicious droppers.
Once inside, HTTPSpy hands the attacker full remote control: command execution, file exfiltration, screenshots, process injection, and clean self-deletion. They also wired in stolen meeting schedules to redirect targets into real Webex rooms, making the lure look entirely authentic.
What makes this campaign notable isn't just the malware - it's the operational discipline. Kimsuky is using legitimate infrastructure (Visual Studio Code Remote Tunnels, Cloudflare Quick Tunnels, DWAgent) to blend covert access into normal IT operations. No noisy C2 traffic. No obvious red flags.
For defenders, the takeaway is clear: scrutinize your remote access channels, harden against script-based droppers, and keep a close eye on certificate stores and GPKI paths. The attack surface they're targeting isn't exotic, it's the trust you extend to everyday tools.
Read the full breakdown on our blog - get the link in the comments.
#CyberSecurity #ThreatIntelligence #NationStateCyber #Kimsuky #DefensiveOps
Webworm's whole strategy is betting your environment is too noisy to notice.
Echocreep lives in your event logs. Graphworm looks like normal cloud traffic. Together they just... wait.
Spoiler: they're usually right.
Get the whole story here: https://t.co/rIYBmAj1j2
#Cybersecurity #ThreatIntelligence #Webworm #DetectionEngineering
Effective security frameworks need both technical alignment and organizational maturity.
New episode on Zero Trust principles, NIST 800-53r5 & the intersection of federal compliance and modern security architecture, featuring guests @MalwareJake, @ScrumWhat, and Alex Sharpe.
https://t.co/NrqnNZQppe
#ZeroTrust #NIST80053 #CyberSecurity
This malware didn't steal your credentials or lock your files. It just quietly started robbing you.
The consumer details made headlines. The operational details are what security leaders should be paying attention to.
A carrier billing fraud campaign ran for ten months across four countries, operating nearly 250 malicious applications, before researchers caught it.
The attackers weren't sloppy. They validated carrier environments before activating, automated multi-stage subscription workflows to avoid detection, and monitored successful compromises in real time through a private Telegram channel. This was a managed revenue operation, not a smash-and-grab.
The people running this weren't simply writing malware. They were running a business.
Most enterprise security stacks are well-instrumented for endpoint and network threats. Mobile environments are a different story. The visibility gap is real, it's broadly underestimated, and campaigns like this one are built specifically to exploit it.
The question worth asking isn't whether your organization uses official app stores. It's whether you'd know if something like this was operating inside your mobile environment right now.
If the honest answer is "probably not" - that's where we start.
Full post here: https://t.co/wMqHa4lONk
#CyberSecurity #MobileSecurity #ThreatIntelligence #SecurityLeadership #EnterpriseSecurity
New attack strategy: don't hack the code. Hack the robot that builds the code.
Megalodon hit 5,561 GitHub repos by poisoning CI/CD workflows - commits disguised as "build-bot" and "pipeline-bot."
The damage?
- Credentials exfiltrated
- npm packages backdoored
- Downstream devs none the wiser
Your automation layer is a trust boundary now.
Get the story and suggested fixes on the Hunter Strategy blog: https://t.co/7fNS64GRzT
#Cybersecurity #DevSecOps #GitHubActions
Originally called Decoration Day, Memorial Day has been a day of remembrance since May 30, 1868 - when General John A. Logan, of the Grand Army of the Republic, called on the nation to honor those who gave everything in the Civil War.
That first national commemoration drew 5,000 people to Arlington National Cemetery to decorate the graves of more than 20,000 soldiers buried there.
After World War I, the occasion expanded to honor the fallen from all of America's wars. In 1971, Congress formalized it as the last Monday of May.
Today, a small American flag is placed on every grave at Arlington and a wreath is laid at the Tomb of the Unknown Soldier.
At Hunter Strategy, we build and defend the systems used by those who serve this country. This weekend, we're setting down the keyboards and honoring the ones who make our mission worth having.
To all who have served, thank you and happy Memorial Day.
#MemorialDay #NeverForget #MilitaryAppreciation
A public, working exploit for a Linux kernel privilege escalation flaw is out.
PinTheft turns any local foothold into root - one command, minimal skill required.
"Local-only" isn't the reassurance it used to be when your containers, cloud hosts, and developer boxes all run Linux.
Patch first. If you can't patch yet, disable vulnerable RDS functionality and treat every local account on an unpatched host as a potential root until you do.
Arch has patched.
The question is whether your inventory has.
Get the details on our blog: https://t.co/2JlqGQ6a5S
#Cybersecurity #Linux #PatchManagement
This Is Fine | The State of Pen Testing
"If you talk to a dozen pen testers and ask them what a pen test is, you're going to get a dozen different answers."
Penetration testing has long been a cornerstone of enterprise security - but the landscape continues to evolve.
In this episode of the Hunter Strategy podcast, AJ King (@ScrumWhat), Jake Williams (@MalwareJake), and Joshua Marpet (@quadling - Sr. Product Security Consultant at Finite State, Faculty Member at IANS) discuss how penetration testing fits into modern enterprise risk management strategies.
From compliance requirements to real-world security validation, the conversation explores how organizations can approach testing with both technical rigor and business context.
Good security isn't theoretical.
It's tested.
Get the full episode: https://t.co/At0HqvXnMg
#CyberSecurity #PenTesting #SecurityTesting #EnterpriseSecurity
Threat actors have apparently decided phishing is too much work.
Why craft a suspicious email when you can just... rank higher than the real vendor? Kong RAT is riding fake FinalShell and Xshell download pages straight onto admin workstations. No red flags. Just a search result that looked fine.
Block these: finalshell-ssh[.]com, xshell-cn[.]com, quickq-cn[.]com
https://t.co/xK2nF4GrIg
#CyberSecurity #SEOPoisoning #ThreatIntel
The victim did everything right. They searched for a tool they use every day, found what looked like the official download page, and clicked it.
That is the campaign.
Attackers are using SEO poisoning to push fake download pages for FinalShell, Xshell, QuickQ, and Clash above legitimate results, particularly targeting Chinese-speaking users. The fake sites copy branding, layout, and language closely enough to pass a quick visual check. When the victim runs the installer, Kong RAT installs silently in the background, phones home to attacker-controlled infrastructure, and hands over remote access to the machine.
The problem is which machine. These are not random endpoints. FinalShell and Xshell users tend to be developers and administrators - people whose workstations already hold SSH keys, saved credentials, terminal profiles, and direct routes to production infrastructure. One bad download on one of those systems is worth more to an attacker than a hundred compromised user laptops.
Several domains tied to this campaign - finalshell-ssh[.]com, xshell-cn[.]com, and quickq-cn[.]com - should be treated as hostile and blocked immediately. Any device that downloaded from those sites warrants investigation now, not after something moves.
The technical fix is straightforward.
The process fix is harder.
If your organization expects employees to 'just download the official tool' without a controlled path to do so, this campaign is a stress test you are not ready for. Approved software catalogs, bookmarked vendor URLs, and a firm no-search-link policy for remote access tools are not bureaucratic overhead. They are the difference between a near-miss and an incident report.
This is what a successful compromise looks like. Orderly. Dignified. Both parties present. The damage already done.
Read more: https://t.co/eu1jXNHnTN
#CyberSecurity #SocialEngineering #SEOPoisoning #DevSecOps #ThreatIntelligence
A worm is stealing your secrets and publishing them as your own packages.
The Shai Hulud campaign hits npm & PyPI - credentials stolen, backdoored packages published under victim accounts, and hundreds of packages affected with tens of millions of weekly downloads.
The supply chain attack you don't see coming already has your keys. And it's not slowing down anytime soon.
๐ https://t.co/4Kw4O7jHsA
#CyberSecurity #SupplyChainSecurity #DevSecOps
Patch Tuesday: 138 vulnerabilities. No zero-days.
Microsoft's May 2026 Patch Tuesday is the rare month where defenders get to patch on their terms instead of in full crisis mode.
That doesn't mean it's a slow month.
Critical RCE flaws in Windows Netlogon, the DNS Client, and the TCP/IP stack are the kind of findings that keep security teams up at night - not because they're being exploited today, but because they become very interesting to attackers the moment a reliable path opens up.
Throw in multiple Word-based RCE bugs (yes, still) and a Critical code-injection fix in Dynamics 365, and you've got a full queue even without the fire alarm going off.
The real story here is the attack chain. Almost half of this month's fixes are elevation-of-privilege bugs. That's not an accident - that's a reflection of how modern intrusions actually work. Get in through a phishing lure or an exposed service, then ride a local priv-esc to SYSTEM.
The initial access is just the door. The EoP is how you own the house.
No zero-days means no excuse not to patch.
Get the full story in the link below.
#Cybersecurity #PatchTuesday #Microsoft #VulnerabilityManagement #EnterpriseSecurity
This Is Fine | Nation State Cyber Operations
"If you're not purple teaming, you're literally shooting yourself in the foot."
Nation-state cyber activity continues to reshape the global threat landscape.
In this episode, Jake Williams, Andrew King, and Jordan Lazo discuss how offensive cyber operations conducted by nation states affect governments, defense contractors, and critical infrastructure.
From strategic threat posture to defensive readiness, the conversation explores how organizations can better understand and respond to evolving cyber threats.
Because in cybersecurity, understanding the adversary is part of defense.
Link to the episode below.
#CyberSecurity #NationalSecurity #ThreatIntelligence #GovTech
This Is Fine | Coming Tomorrow
"30-foot walls create a market for 32-foot ladders."
Jake Williams didn't come to play nice with your security assumptions. Nation-state threat actors aren't waiting for your defenses to have a bad day - they're engineering around them.
This week on This Is Fine: AJ King, Jake Williams, and Jordan Lazo break down the realities of nation-state offensive cyber operations, what detection engineering actually looks like, and why your pen test results aren't the flex you think they are.
#CyberSecurity #NationalSecurity #ThreatIntelligence #GovTech
Turns out "this is fine" was not fine.
ClaudeBleed - a newly disclosed flaw in the Claude Chrome extension - allowed a malicious extension to co-opt Claude's trusted messaging flow and issue commands as if they came from the user, allowing it to:
- Read your emails
- Share your Drive files
- Push to your repos
All through an AI that already had the keys.
The fix is reportedly merged. The lesson is permanent: AI browser assistants are high-privilege agents, and they need to be treated accordingly.
We broke it down on the Hunter Strategy blog. Worth a read before you add another extension. Get the link below.
#Cybersecurity #AI #ClaudeBleed #BrowserSecurity
12PM: Gone Phishin'
Your calendar feels like yours. You built it. You know what your meetings look like, who sends them, how they're titled, which platform they use.
Attackers know that too.
Calendar phishing works because it doesn't feel like phishing. It feels like a 12pm sync that got buried between two real meetings. Your brain is already in a rhythm. The invite looks close enough. You click join.
How it works:
- Sandwiched between real meetings so your brain stays on autopilot.
- Bypasses email security entirely - it's already on your calendar before your filter fires.
- Looks like John's typical meeting. Same title format. Same urgency. Same platform.
One campaign hit 300 organizations with over 4,000 fake Google Calendar invites. And here's the part that stings - even if your email filter catches the original message, the calendar event can survive. The trap is already set before your defenses even fire.
Check who's actually sending your next meeting invite.
More details at https://t.co/5CfN2uEprA
#CyberAwareness #Phishing #InfoSec #Cybersecurity