Our newest Threat Actor content is live and it's on Qilin, the most active ransomware operation we're tracking in 2026, with over 500 victims. Full TTPs, attack chain, and defense guide: https://t.co/vKLgoHT0RP
#Qilin #Ransomware #ThreatIntelligence
Honored to share that MOXFIVE has been named one of @Inc's Best Workplaces of 2026. A true reflection of our incredible team. See the full list: https://t.co/4PKdbVEM8s #IncBestWorkplaces
Voting for the @Zywave Cyber Risk Awards closes Friday May 22. MOXFIVE is a finalist for Cyber IR Team of the Year. If we've worked together, we'd appreciate your support. https://t.co/44TWGTuMAH
The April MOXFIVE Monthly Insights is live! 🔗 MOXFIVE | Monthly Insights - April 2026
Ransomware volume dropped, but extortion-only groups using vishing grew. Qilin led for the 4th straight month. Two Fortinet RCEs + a PAN-OS zero-day under active exploitation.
MOXFIVE has joined the @AgenticAIFdn. We respond to thousands of real-world incidents and will bring that experience to help shape how agentic AI infrastructure is built for trust. Open standards are how we get there together. https://t.co/9bffgnfMHN
#AgenticAI #Cybersecurity
@NetDiligence San Diego is next week. MOXFIVE’s Vince Harrelson will be on the ground and presenting with the Ransomware Advisory Board on May 19 at 4:15. Reach out if you’d like to connect.
New MOXFIVE Threat Actor Spotlight: NightSpire emerged in early 2025 and has already listed 200+ victims, ranking it the 5th most active ransomware operation we track. Full report: https://t.co/ojzQWnTxIP
MOXFIVE Quarterly Ransomware Briefing recap: Qilin leads US victim postings for Q1, The Gentlemen emerging fast, and the TeamPCP supply chain campaign is a case study in how quickly things can escalate. Catch the replay: https://t.co/d8M6Gh9BLR
Reminder to register for our MOXFIVE Quarterly Ransomware Briefing TOMORROW 4/29 at 2pm ET! Our team has a packed agenda for this quarter so you don't want to miss out.
In addition to threat actor trends from Q1, our team will cover:
🔸 Iranian Cyber Operations & Escalating Threat Landscape
🔸 LiteLLM PyPI Compromise by TeamPCP
🔸 AXIOS npm Supply Chain Attack
🔸 Claude Mythos and Project Glasswing
Register Today >> https://t.co/EpWnzVN6Ta
#cybersecurity #incidentresponse #ir #threatintelligence #threatintel #cyberinsurance #claudemythos #projectglasswing #supplychainattack #axios #teampcp #litellm
The MOXFIVE Monthly Insights for March 2026 is now live! March saw the highest ransomware victim counts of 2026 so far, based on data leak site activity tracked by MOXFIVE. The month also brought active zero-day exploitation targeting network management infrastructure and a growing campaign against software development pipelines. https://t.co/RpqAjXMDgn
Key Findings:
🔸 Ransomware Activity: RaaS models continued to account for a large share of victim postings in March. Qilin led for the third consecutive month among groups targeting US organizations, with Inc and Akira close behind. DragonForce and Play were also among the most frequently deployed operations in March. The Gentlemen and NightSpire both saw increased activity and warrant monitoring.
🔸 Critical Zero-Day: Interlock ransomware operators exploited a critical vulnerability in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026, more than five weeks before Cisco disclosed the patch on March 4.
🔸 Targeting the Software Supply Chain: Threat actors are using social engineering and poisoned package distribution to compromise developer credentials and gain access to source code repositories, CI/CD pipelines, and connected cloud environments. In March, TeamPCP demonstrated how quickly a single compromised tool can cascade into a month-long supply chain campaign spanning npm, PyPI, GitHub Actions, and Docker Hub.
Read the full report: https://t.co/RpqAjXMDgn
#ransomware #cybersecurity #ir #incidentresponse #TeamPCP #Qilin #Akira #DragonForce #Interlock #ThreatIntelligence #ThreatIntel
Q1 2026 didn't hold back. From nation-state APT activity to a sophisticated AI supply chain compromise, the threat landscape has already shifted heading into Q2. Join us for our MOXFIVE Quarterly Ransomware Briefing on Wednesday, April 29th at 2:00 PM ET as the MOXFIVE team breaks down what we're seeing so far in 2026, where the threat landscape might be headed, and considerations for your organization. https://t.co/EpWnzVN6Ta
Topics we'll cover:
🔸 Q1 Threat Intelligence Trends - What's changed so far this year and where the landscape is heading
🔸 APT & Hacktivist Activity - How nation-state and ideologically motivated actors are exploiting geopolitical tensions
🔸 TeamPCP Supply Chain Attack - How AI tooling is becoming a new and dangerous vector for supply chain risk
🔸 The Gentlemen - A deep dive into this emerging ransomware group's TTPs and real-world impact
Register here >> https://t.co/EpWnzVN6Ta
Wednesday, April 29, 2026
2:00 – 3:00 PM ET
#Ransomware #CyberSecurity #ThreatIntelligence #IncidentResponse #MOXFIVE #APT #SupplyChainSecurity #DFIR #InfoSec
Replay now available! Lee Trotter, Michael Brunetti, Kim Detwiler, and Melissa Sachs had a great discussion covering all things BEC, FTF and Data Mining on yesterday's webinar so if you couldn't make it, it's now available whenever you need it! Watch now at >> https://t.co/ljxZWY4LdG
#cybersecurity #incidentresponse #BEC #FTF #dfir #eCrime
We're honored to be named a finalist for Cyber Incident Response Team of the Year in the Zywave Cyber Risk Awards again this year! This year we've continued our focus on innovation launching our Agentic Forensics Platform and are excited to share more developments throughout the year. As we've been from day one, we remain dedicated to evolving the industry and delivering effective and efficient outcomes for every client.
Voting is open until May 22nd and we'd certainly appreciate your support! Check out all the categories and vote at https://t.co/W5QTOATM5K
#CyberRiskAwards2026 #CyberProm #incidentresponse #ir #cybersecurity #cyberinsurance
MOXFIVE just published a Threat Actor Alert on TeamPCP's active software supply chain campaign. LiteLLM versions 1.82.7 and 1.82.8 on PyPI contain a malicious payload, the latest development in a campaign that has been running since March 19, hitting Trivy, GitHub Actions, Docker Hub, npm, and Checkmarx KICS before reaching PyPI.
🔸 March 19: Trivy compromised, 10,000+ CI/CD pipelines exposed
🔸 March 20: Stolen npm tokens seeded CanisterWorm across 64+ packages
🔸 March 22: Malicious Trivy Docker images pushed directly to Docker Hub
🔸 March 23: Checkmarx KICS GitHub Action tags hijacked
🔸 March 24: LiteLLM 1.82.7 and 1.82.8 published to PyPI with a malicious payload
The full report covers the complete campaign timeline and includes resilience recommendations for organizations that may have been exposed.
Read the full report: https://t.co/Ve3FLcmy2D
Have questions or need help responding? Reach out to our team at [email protected] or 833-568-6695.
#SupplyChainSecurity #ThreatIntelligence #IncidentResponse #Cybersecurity #IR #TeamPCP #LiteLLM #Trivy #Checkmarx
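A practical first check for the LiteLLM step of this timeline is to scan dependency manifests for the two affected PyPI releases. The script below is an added example, not MOXFIVE's tooling or anything from the alert itself; the only values taken from the alert are the project name and the versions 1.82.7 and 1.82.8, and the sample requirements lines are constructed. It goes slightly beyond the single case in the post by also flagging unpinned LiteLLM requirements that a resolver could satisfy with an affected release, and by normalizing project names the way PyPI does so case and separator variants are not missed.

```python
"""Scan requirements-style files for the LiteLLM releases named in the alert.

Added example, not MOXFIVE's tooling. The affected versions (1.82.7 and 1.82.8
on PyPI) come from the alert; the sample requirement lines are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Versions the alert identifies as carrying a malicious payload.
AFFECTED: Dict[str, Set[str]] = {"litellm": {"1.82.7", "1.82.8"}}

# PEP 508-style requirement: name, optional extras, optional version specifiers.
# Environment markers (';') and comments ('#') are excluded from the specifier.
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"        # extras such as [proxy]
    r"\s*(?P<spec>[^;#]*)"    # version specifier(s), comma separated
)
_SPEC = re.compile(r"(===|==|!=|<=|>=|~=|<|>)\s*([A-Za-z0-9.*+!-]+)")


def normalize(name: str) -> str:
    """PyPI project-name normalization (PEP 503): lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_line(line: str) -> Optional[Tuple[str, List[Tuple[str, str]]]]:
    """Return (normalized name, [(operator, version), ...]), or None for blank,
    comment or pip option lines such as '-r other.txt'."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ.match(stripped)
    if not m:
        return None
    specs = []
    for part in m.group("spec").split(","):
        sm = _SPEC.match(part.strip())
        if sm:
            specs.append((sm.group(1), sm.group(2)))
    return normalize(m.group("name")), specs


def classify(name: str, specs: List[Tuple[str, str]]) -> str:
    """'affected' if pinned to a bad version, 'unpinned' if the resolver could
    still pick one, otherwise 'ok'."""
    bad = AFFECTED.get(name)
    if not bad:
        return "ok"
    pins = [v for op, v in specs if op in ("==", "===")]
    if pins:
        return "affected" if any(p in bad for p in pins) else "ok"
    # No exact pin. Without full range arithmetic we only accept an explicit
    # exclusion of every bad version; anything else is flagged conservatively.
    excluded = {v for op, v in specs if op == "!="}
    return "ok" if bad <= excluded else "unpinned"


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, requirement, verdict) for every line that is not 'ok'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if not parsed:
            continue
        name, specs = parsed
        verdict = classify(name, specs)
        if verdict != "ok":
            findings.append((n, line.strip(), verdict))
    return findings


# Constructed requirements.txt used as sample input.
SAMPLE = """\
# constructed requirements.txt for the demo
requests==2.32.3
litellm[proxy]==1.82.7   # pinned to an affected release
LiteLLM>=1.82.0          # unpinned: resolver could pick 1.82.8
LiteLLM==1.82.6          # case differs, but not an affected version
"""

if __name__ == "__main__":
    for n, req, verdict in scan(SAMPLE):
        print(f"line {n}: {verdict:9} {req}")
```

Run it against a real `requirements.txt` or the output of `pip freeze`; a lockfile with exact pins gives the most reliable answer, while every `unpinned` hit is a reason to check what version is actually installed in the environment that ran the install.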
Business email compromise is much more than just a phishing problem. BEC and funds transfer fraud remain among the most persistent and costly eCrime threats facing businesses today. The attacks are sophisticated. The financial and legal fallout is real. And most organizations aren't as prepared as they think.
That's why we're bringing together experts for a live panel webinar built around one goal: making sure you know exactly what to do when it matters most.
Join Lee Trotter, Michael Brunetti, Kim Detwiler and Melissa Sachs on Wednesday, April 8th at 2pm ET and learn more about:
🔸 The current BEC threat landscape — what's evolved and what defenders need to know
🔸 Forensic investigation methodology and key milestones
🔸 Getting maximum value from your privacy counsel partnership
🔸 Post-investigation data mining — efficiencies and pitfalls
🔸 Real-world case studies + live Q&A
Whether you're in security, legal, compliance, or risk — this is one you don't want to miss.
Register Today >> https://t.co/d1KnDk3TT7
Questions? Contact us at [email protected] or 833-568-6695.
#cybersecurity #incidentresponse #ir #dfir #BECs #FTF #eCrime
MOXFIVE Monthly Insights are out today! February marked a sharp escalation in the cyber threat environment. The strikes against Iran on February 28 drove an immediate surge in Iranian-aligned cyber activity, with state-sponsored intrusions confirmed on US networks and US companies experiencing destructive attacks resulting in system wipes. https://t.co/QkgTIMQPZ1
Key Findings:
🔸 Iranian Cyber Threat Landscape: State-sponsored groups including MuddyWater established access on US networks before the conflict escalated, while hacktivist groups launched coordinated DDoS, defacement, and data breach campaigns targeting US, Gulf, and allied organizations. Confirmed destructive attacks against US enterprises show the threat extends well beyond the region.
🔸 Ransomware Remained High: Qilin led for the second consecutive month, with Cl0p continuing its Oracle E-Business Suite exploitation campaign. Play, Akira, and DragonForce were all active across multiple industries, while data extortion groups ShinyHunters and World Leaks continued operations centered on theft and extortion rather than encryption.
🔸 Critical Vulnerabilities: Active exploitation was confirmed across remote access platforms, email infrastructure, and virtualization environments, including flaws in BeyondTrust remote access products, SmarterMail, and VMware ESXi systems linked to ransomware campaigns.
🔸 Most Impacted Industries: Technology and Financial organizations saw the highest impact in February, followed by Healthcare, Manufacturing and Production, and Construction and Engineering.
🔸 Defending Against Disruptive and Destructive Threats: When the threat includes wiper malware and destructive attacks, prevention alone is not enough. Patched edge devices, hardened identities, verified backups, and no default credentials on OT systems are the foundation. Business resilience and operational continuity planning determine how quickly organizations recover when prevention falls short.
Read the full February report at https://t.co/QkgTIMQPZ1 for detailed analysis on Iranian threat actors, active ransomware operations, exploitation trends, and resilience controls.
#ransomware #incidentresponse #ir #threatintelligence #threatintel #cybersecurity #Qilin #Akira #Play #DragonForce #Cl0p #Hacktivist #MuddyWater #Handala #OpIsrael #CottonSandstorm #zpentest #CyberAv3ngers #OilRig #APT33 #Agrius
Our latest MOXFIVE Threat Actor Spotlight is out today! Since emerging in August 2025, The Gentlemen ransomware operation has listed more than 200 victims on its data leak site, with January and February alone accounting for more than half of all posted victims.
From MOXFIVE's experience, this group is methodical. They come in through compromised credentials or exploited internet-facing services, conduct targeted reconnaissance, and deploy ransomware domain-wide via Group Policy for maximum impact.
A few things that set them apart:
🔸 Custom BYOVD defense evasion using ThrottleStop.sys (CVE-2025-7771) to terminate security tooling at the kernel level.
🔸 Variants for Windows, Linux, and ESXi, with encryption observed at both the hypervisor and OS level.
🔸 Data exfiltration before encryption, paired with shadow copy deletion and event log clearing to limit recovery options.
🔸 Domain-wide payload distribution via NETLOGON and SYSVOL.
🔸 Manufacturing and production organizations have been hit hardest, though targeting spans technology, financial services, healthcare, and education across multiple regions.
Read the full report: https://t.co/7yVfZna4dK
If your organization has been impacted or you have questions about The Gentlemen or other threat actors, reach out to our team at [email protected] or 833-568-6695.
#Ransomware #ThreatIntelligence #IncidentResponse #Cybersecurity #IR #TheGentlemen #RaaS
We're so honored to be named a finalist for both Cyber Insurance Incident Response Provider and Cyber Security Consulting Services Provider of the Year in the Intelligent Insurer Cyber Insurance Awards! Congratulations to all the finalists! Check out the full list at https://t.co/EbyYaBYL5H.
#CyberInsuranceAwardsUSA #cyberinsurance #incidentresponse #ir #cybersecurity