Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report (May 14, 2026; Counter Adversary Operations). The financial services industry is the fourth most-targeted sector globally, accounting for 12% of all observed activity. eCrime and nation-state adversaries spanning all motivations target these orga[…]

CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies (May 06, 2026; Counter Adversary Operations). CrowdStrike has been named a Leader in the inaugural 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies and positioned furthest to the right in Completeness of Vision among all ve[…]

CrowdStrike Launches Falcon OverWatch for Defender (May 05, 2026; Counter Adversary Operations). CrowdStrike is excited to announce Falcon OverWatch for Defender, a new offering that extends our elite managed threat hunting to Microsoft Defender environments. The need for proactive threat hunting[…]

Tune In: The Future of AI-Powered Vulnerability Discovery (May 01, 2026; CrowdStrike). AI is reshaping the future of vulnerability research. Advanced AI models are capable of discovering vulnerabilities at machine speed, far faster than organizations can patch them. The consequences for[…]

Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield (April 30, 2026; Falcon Shield - Counter Adversary Operations). Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: Threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint[…]

STARDUST CHOLLIMA Likely Compromises Axios npm Package (April 01, 2026; Counter Adversary Operations). On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the widely used HTTP client library Axios Node Package Manager (npm) package and deploy platform-specific ZshBucket v[…]

Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown (March 20, 2026; Falcon Complete Team - Counter Adversary Operations). On March 4, 2026, Europol announced the technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multifactor authentication […]

CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI (February 24, 2026; Adam Meyers). As cyber defenses become stronger, adversaries continue to evolve their tactics to succeed. In 2025, the year of the evasive adversary, the threat landscape was defined by attacks that targeted truste[…]

The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection (February 23, 2026; Alen Peric). Typosquatting is a deceptive technique in which threat actors register misspelled or look-alike domains of legitimate organizations to trick users into visiting fraudulent sites. It remains one of the[…]

LABYRINTH CHOLLIMA Evolves into Three Adversaries (January 29, 2026; Rob Bruner). LABYRINTH CHOLLIMA has evolved into three distinct adversaries with specialized malware, objectives, and tradecraft: GOLDEN CHOLLIMA and PRESSURE CHOLLIMA now likely operate separately from the core L[…]

How CrowdStrike’s Malware Analysis Agent Detects Malware at Machine Speed (January 06, 2026; Rob Horrigan - Thuy Nguyen). At Fal.Con 2025, CrowdStrike introduced Threat AI, an agentic threat intelligence system of autonomous agents that reason across data, hunt for threats, and take action. As part of our vision for the […]

Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary (December 04, 2025; Counter Adversary Operations). Throughout 2025, CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKS[…]

CrowdStrike Research: Security Flaws in DeepSeek-Generated Code Linked to Political Triggers (November 20, 2025; Stefan Stein). In January 2025, China-based AI startup DeepSeek (深度求索) released DeepSeek-R1, a high-quality large language model (LLM) that allegedly cost much less to develop and operate than Western competitors’ a[…]

CrowdStrike 2025 European Threat Landscape Report: Extortion Rises, Nation-State Activity Intensifies (November 03, 2025; Counter Adversary Operations). Europe remains a prime target for global adversaries. Financially motivated eCrime groups continue to target the region as espionage and hacktivism escalate amid geopolitical turmoil stemming from ong[…]

CrowdStrike 2025 APJ eCrime Landscape Report: A New Era of Threats Emerges (October 20, 2025; Counter Adversary Operations). The eCrime threat landscape in the Asia Pacific and Japan (APJ) region is quickly evolving, driven by a mix of regional and global adversaries. From Chinese-language underground marketplaces facilitat[…]

CrowdStrike Identifies Campaign Targeting Oracle E-Business Suite via Zero-Day Vulnerability (now tracked as CVE-2025-61882) (October 06, 2025; Counter Adversary Operations). CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability — now tracked as CVE-2025-61882 — targeting Oracle E-Business Suite (EBS) applications f[…]

Announcing Threat AI: Security’s First Agentic Threat Intelligence System (September 17, 2025; Adam Meyers). CrowdStrike is unveiling groundbreaking innovations across Counter Adversary Operations. Threat AI, a system of AI-powered agents built on the CrowdStrike Falcon® platform, is the industry’s first age[…]

MURKY PANDA: A Trusted-Relationship Threat in the Cloud (August 21, 2025; Counter Adversary Operations). Since late 2024, CrowdStrike Counter Adversary Operations has observed significant activity conducted by MURKY PANDA, a China-nexus adversary that has targeted government, technology, academic, legal,[…]

Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS (August 20, 2025; Maddie Stewart - Suweera De Souza - Ash Leslie - Doug Brown). Between June and August 2025, the CrowdStrike Falcon® platform successfully blocked a sophisticated malware campaign that attempted to compromise over 300 customer environments. The campaign deployed […]

CrowdStrike Tailors Adversary Intelligence to Customer Environments (August 05, 2025; Thuy Nguyen). A new release of CrowdStrike Falcon® Adversary Intelligence delivers automatically prioritized threat intelligence tailored to each unique customer environment. By surfacing the right intelligence at […]

CrowdStrike 2025 Threat Hunting Report: AI Becomes a Weapon and a Target (August 04, 2025; Counter Adversary Operations). Today’s enterprising adversaries are weaponizing AI to scale operations, accelerate attacks, and target the autonomous AI agents quickly transforming modern businesses. The CrowdStrike 2025 Threat Hun[…]

CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries (July 02, 2025; Counter Adversary Operations). SCATTERED SPIDER, an eCrime adversary, has recently broadened its target scope to include the aviation sector, in addition to its established focus on the insurance and retail industries, as observed […]

CrowdStrike and Microsoft Unite to Harmonize Cyber Threat Attribution (June 02, 2025; Adam Meyers). In cybersecurity, understanding an adversary’s identity, capabilities, and intent is critical to intelligent cyber defense. Attribution matters. Despite cyber threat intelligence tracking a multitude […]

CrowdStrike Collaborates with U.S. Department of Justice on DanaBot Takedown (May 22, 2025; Counter Adversary Operations). Effective collaboration is essential when confronting today's sophisticated cyber adversaries, particularly those operating with state tolerance or direction. At CrowdStrike, we routinely[…]

CrowdStrike 2025 Latin America Threat Landscape Report: A Deep Dive into an Evolving Region (May 19, 2025; Counter Adversary Operations). Latin America has quickly become a hotspot for cyber activity. The region’s rapid digitalization, expanding cloud adoption, and evolving geopolitical friction have drawn the attention of both financia[…]

CrowdStrike Advances Next-Gen SIEM with Threat Hunting Across Data Sources, AI-Driven UEBA (April 28, 2025; Thuy Nguyen - Paola Miranda). CrowdStrike is launching new innovations to power the AI-native security operations center (SOC) and help teams hunt and resolve threats with speed and accuracy. A new solution, CrowdStrike Falcon® Ad[…]

Intelligence-Led Threat Hunting: The Key to Fighting Cross-Domain Attacks (March 03, 2025; Thuy Nguyen - Dana Larson). Cross-domain attacks have become a defining challenge in modern cybersecurity, with adversaries exploiting gaps across endpoints, identity systems, and cloud environments to achieve their objectives. […]

CrowdStrike 2025 Global Threat Report: Beware the Enterprising Adversary (February 27, 2025; Adam Meyers). Today’s adversaries have long been accelerating and evolving their operations. Now they are developing a business-like structure, refining and scaling their successful strategies, and exploring new te[…]

Naming Names: How Adversary Taxonomies Strengthen Global Security (February 12, 2025; Rob Sheldon - Adam Meyers). Last month, during testimony on global cyber threats before the U.S. Committee on Homeland Security, a longstanding debate resurfaced: Why do vendors name different cyber threat actors, and can’t we d[…]

CrowdStrike Insider Risk Services Defend Against the Threats Within (January 15, 2025; Tom Etheridge). Insider threats are among the most elusive and damaging forms of cybersecurity risk. According to the Ponemon Institute, 71% of organizations experienced between 21 and 41 insider incidents in 2023, u[…]

Recruitment Phishing Scam Imitates CrowdStrike Hiring Process (January 08, 2025; Counter Adversary Operations). On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to deliver malware disguised as an "employee CRM application." The attack begins with a phishing emai[…]

A Look Back: The Evolution of Latin American eCrime Malware in 2024 (December 16, 2024; Kevin Ratto). The Latin American (LATAM) cybercrime landscape continues to evolve as adversaries refine their tactics, techniques and procedures (TTPs) to bypass defenses and expand their reach. Last year, we wrote[…]

Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector (November 19, 2024; Counter Adversary Operations). On Tuesday, November 19, 2024, Adam Meyers, CrowdStrike Senior Vice President of Counter Adversary Operations, will testify in front of the U.S. Senate Judiciary Subcommittee on Privacy, Technology, a[…]

U.S. Department of Justice Indicts Hacktivist Group Anonymous Sudan for Prominent DDoS Attacks in 2023 and 2024 (October 16, 2024; Counter Adversary Operations). Collaboration is critical to take down today’s most advanced adversaries. CrowdStrike regularly works with law enforcement agencies and industry leaders to identify, track and stop cyber threats. We r[…]

International Authorities Indict, Sanction Additional INDRIK SPIDER Members and Detail Ties to BITWISE SPIDER and Russian State Activity (October 01, 2024; Counter Adversary Operations). CrowdStrike often collaborates with law enforcement agencies to identify, track and stop cyber threats. We recently worked with law enforcement stakeholders within the U.K.’s National Crime Agency as […]

How CrowdStrike Hunts, Identifies and Defeats Cloud-Focused Threats (September 26, 2024; Counter Adversary Operations). Adversaries’ persistent efforts to evade advancements in threat awareness and defense have shaped a cyber threat landscape dominated by their stealthy, fast-moving tactics. As they expand into the clo[…]

Malicious Inauthentic Falcon Crash Reporter Installer Delivers LLVM-Based Mythic C2 Agent Named Ciro (July 30, 2024; Counter Adversary Operations). On July 24, 2024, an unattributed threat actor distributed a password-protected installer masquerading as an inauthentic Falcon Crash Reporter Installer to a German entity in an unattributed spear-phi[…]

Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity via Spearphishing Website (July 25, 2024; Counter Adversary Operations). On July 24, 2024, CrowdStrike Intelligence identified an unattributed spearphishing attempt delivering an inauthentic CrowdStrike Crash Reporter installer via a website impersonating a German […]

Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List. The threat intel data noted in this report is available to tens of thousands of customers, partners and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention[…]

Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure (July 24, 2024; Counter Adversary Operations). On July 23, 2024, CrowdStrike Intelligence identified the phishing domain crowdstrike-office365[.]com, which impersonates CrowdStrike and delivers malicious ZIP and RAR files containing a Micr[…]

Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure (July 23, 2024; Counter Adversary Operations). On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days afte[…]

Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer (July 22, 2024; Counter Adversary Operations). On July 22, 2024, CrowdStrike Intelligence identified a Word document containing macros that download an unidentified stealer now tracked as Daolpu. The document impersonates a Microsoft recovery manu[…]

Likely eCrime Actor Uses Filenames Capitalizing on July 19, 2024, Falcon Sensor Content Issues in Operation Targeting LATAM-Based CrowdStrike Customers (July 20, 2024; Counter Adversary Operations). On July 19, 2024, an issue present in a single content update for the CrowdStrike Falcon® sensor impacting Windows operating systems was identified, and a fix was deployed. CrowdStrike Intell[…]

Falcon Sensor Content Issue from July 19, 2024, Likely Used to Target CrowdStrike Customers (July 18, 2024; Counter Adversary Operations). Updated 2024-07-26 1830 UTC. On July 19, 2024, an issue present in a single content update for the CrowdStrike Falcon® sensor impacting Windows operating systems was identified, and a fix was deployed.[…]

CrowdStrike’s One-Click Hunting Simplifies Threat Hunting for Security Teams (July 01, 2024; Bart Lenaerts-Bergmans). Adversaries are not breaking in; they are logging in. The CrowdStrike 2024 Global Threat Report highlights an alarming trend: In 75% of cyberattacks detected in 2023, adversaries gained initial access[…]

Secure Your Staff: How to Protect High-Profile Employees' Sensitive Data on the Web (April 18, 2024; Ben Termeer - Brian Bunyard - Keith Mason). Organizations are increasingly concerned about high-profile employees’ information being exposed on the deep and dark web. The CrowdStrike Counter Adversary Operations team is often asked to find fake[…]

Still Alive: Updates for Well-Known Latin America eCrime Malware Identified in 2023 (February 22, 2024; Kevin Ratto). Latin America (LATAM) is a growing market, and threat actors have used numerous eCrime malware variants to target users in this region. Over the past few years, many researchers have characterized the[…]

CrowdStrike 2024 Global Threat Report: Adversaries Gain Speed and Stealth (February 21, 2024; Adam Meyers). The CrowdStrike Global Threat Report, now in its tenth iteration, examines how adversaries’ behavior poses an ever-expanding risk to the security of organizations’ data and infrastructure. Armed with […]

How Malicious Insiders Use Known Vulnerabilities Against Their Organizations (December 07, 2023; Jaime Duque - Bobby Dean - Alex Merriam - Damon Duncan - Nicolas Zilio). Between January 2021 and April 2023, CrowdStrike Counter Adversary Operations and the CrowdStrike Falcon® Complete managed detection and response (MDR) team identified multiple incidents in which an i[…]

5 Tips to Defend Against Access Brokers This Holiday Season (November 16, 2023; Bart Lenaerts-Bergmans). The holiday season brings a shift in how people and businesses operate: Some companies may partially shut down, leaving only a skeleton crew to manage their IT environments, while others head into the[…]

IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations (November 09, 2023; Counter Adversary Operations). CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and tech[…]

Automation Advancements in Falcon Intelligence Recon: Disrupt the Adversary and Reduce Risk (September 26, 2023; Bart Lenaerts-Bergmans). Adversaries are continuing to expand their attacks by adding tactics like domain abuse, multifactor authentication (MFA) fatigue and unique crafted exploit kits acquired from underground forums. Typos[…]

Announcing CrowdStrike Falcon Counter Adversary Operations Elite (September 21, 2023; Thuy Nguyen). CrowdStrike is raising the bar for proactive detection and response with the introduction of CrowdStrike Falcon® Counter Adversary Operations Elite, the industry’s first and only white-glove service c[…]

eCriminals Share Ways to Impersonate School Staff to Steal Paychecks (September 07, 2023; Counter Adversary Operations). CrowdStrike Counter Adversary Operations monitors for and attempts to disrupt eCrime threat actors across a broad spectrum of malicious activity, ranging from sophisticated ransomware campaigns to sim[…]

Amid Sharp Increase in Identity-Based Attacks, CrowdStrike Unveils New Threat Hunting Capability (August 24, 2023; Counter Adversary Operations). Adversaries are doubling down on identity-based attacks. According to Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report, we’ve seen an alarming 583% year-over-year increase in Kerberoasting atta[…]

Discovering and Blocking a Zero-Day Exploit with CrowdStrike Falcon Complete: The Case of CVE-2023-36874 (August 10, 2023; Nicolas Zilio - Ken Balint - Marco Ortisi). CrowdStrike Counter Adversary Operations is committed to analyzing active exploitation campaigns and detecting and blocking zero-days to protect our customers. In July 2023, the CrowdStrike Falcon® Co[…]

CrowdStrike Debuts Counter Adversary Operations Team to Fight Faster and Smarter Adversaries as Identity-Focused Attacks Skyrocket (August 08, 2023; Counter Adversary Operations). CrowdStrike is proud to announce the launch of CrowdStrike Counter Adversary Operations, a newly formed, first-of-its-kind team that brings together CrowdStrike Falcon® Intelligence and the CrowdStrik[…]

CrowdStrike Named a Leader that “Delivers World-Class Threat Intelligence” in 2023 Forrester Wave (August 03, 2023; Kurt Baker). We’re excited to share that Forrester has named CrowdStrike a Leader in The Forrester Wave™: External Threat Intelligence Services Providers, Q3 2023. CrowdStrike received the highest ranking of all v[…]

Making Sense of the Dark Web with Falcon Intelligence Recon+ (June 09, 2023; Ben Termeer - Brian Bunyard - Keith Mason). The vastness of the deep and dark web can easily turn attempts to monitor for cyber threats into a firehose of useless information. Part of the problem is the nature of the data streams that need to b[…]

Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks (May 15, 2023; CrowdStrike Services - CrowdStrike Intelligence). Editor’s Note: VMware updated its knowledge base article, “Deployment of 3rd Party Agents and Anti-virus software on the ESXi Hypervisor,” noting that the content is outdated and should be considered […]

CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers (March 29, 2023; CrowdStrike). Note: Content from this post first appeared in r/CrowdStrike. 3/31 UPDATE: After review and reverse engineering by the CrowdStrike Intelligence team, the signed MSI (aa124a4b4df12b34e74ee7f6c683b2ebec4c[…]

QakBot eCrime Campaign Leverages Microsoft OneNote Attachments (March 17, 2023; Robert Dean - Anthony Witten). In November 2021 and February 2022, Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike In[…]

How to Mature Your Threat Intelligence Program (March 09, 2023; Kurt Baker). With so many threat intelligence solutions on the market today, it raises the question: What is threat intelligence and why do you need it? I won’t go into detail about what threat intelligence is; yo[…]

Exploiting CVE-2021-3490 for Container Escapes (January 18, 2023; Karsten Konig). Today, containers are the preferred approach to deploy software or create build environments in CI/CD lifecycles. However, since the emergence of container solutions and environments like Docker and K[…]

SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security (January 10, 2023; CrowdStrike Intelligence Team). In December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting organizations within the telecom and business process outsourcing (BPO) sectors with an end objective of gaining acc[…]

CrowdStrike Named a Leader in Frost & Sullivan’s 2022 Frost Radar for Cyber Threat Intelligence (December 20, 2022; Kurt Baker). CrowdStrike is excited to announce we have been recognized by Frost & Sullivan as a global leader in the Frost Radar™ Global Cyber Threat Intelligence Market, 2022 analysis. Earlier this year, CrowdSt[…]

Expose and Disrupt Adversaries Beyond the Perimeter with CrowdStrike Falcon Intelligence Recon (December 15, 2022; Bart Lenaerts-Bergmans - Josh Shapiro). Cybercriminals continuously adapt to stay a step ahead of the organizations they target. Over more than a decade, CrowdStrike has carefully tracked the evolution of eCrime tactics and capabilities and[…]

’Tis the Season for eCrime (November 17, 2022; Bart Lenaerts-Bergmans). Financially motivated criminal activities, aka “eCrime,” happen in waves. They come and go as adversaries develop new tools and target vulnerable victims. Similar to how investors track stock market a[…]

Evicting Typosquatters: How CrowdStrike Protects Against Domain Impersonations (November 14, 2022; jackie.abrams). Threat actors constantly unleash phishing attacks that use emails or text messages containing domains or URLs, all designed to impersonate well-known companies and trick users into visiting fake websi[…]

CrowdStrike Falcon® Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer (September 30, 2022; CrowdStrike Intelligence Team). The CrowdStrike Falcon® platform, leveraging a combination of advanced machine learning and artificial intelligence, identified a new supply chain attack during the installation of a chat-based custom[…]

Adversary Quest 2022 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges (August 23, 2022; Max Julian Hofmann - Hanno Heinrichs). In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]

Adversary Quest 2022 Walkthrough, Part 2: Four TABLOID JACKAL Challenges (August 09, 2022; Max Julian Hofmann - Lukas Kupczyk - Karsten Koenig).

Adversary Quest 2022 Walkthrough, Part 1: Four CATAPULT SPIDER Challenges (August 03, 2022; Benjamin Grap - Karsten Koenig - Lutz Wolf).

Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies (July 08, 2022; CrowdStrike Intelligence Team). Today CrowdStrike sent the following Tech Alert to our customers: On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, inc[…]

Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses (June 30, 2022; Bart Lenaerts-Bergmans). Cybercriminals are constantly evolving their operations, the methods they use to breach an organization's defenses and their tactics for monetizing their efforts. In the CrowdStrike 2022 Global Threat[…]

Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022 (June 16, 2022; Max Julian Hofmann). The Adversary Quest is back! From July 11 through July 25, 2022, the CrowdStrike Intelligence Advanced Research Team invites you to go head-to-head with three unique adversaries during our second annu[…]

For the Common Good: How to Compromise a Printer in Three Simple Steps (June 07, 2022; Benjamin Grap - Hanno Heinrichs - Lukas Kupczyk). In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security research[…]

Naming Adversaries and Why It Matters to Your Security Team (May 31, 2022; Bart Lenaerts-Bergmans). What is it with these funny adversary names such as FANCY BEAR, WIZARD SPIDER and DEADEYE JACKAL? You read about them in the media and see them on CrowdStrike t-shirts and referenced by MITRE in the A[…]

Quadrant Knowledge Solutions Names CrowdStrike a Leader in the 2022 SPARK Matrix for Digital Threat Intelligence Management (May 26, 2022; Kurt Baker). “CrowdStrike is capable of catering to the diverse customer needs across industry verticals, with its comprehensive capabilities, compelling customer references, comprehensive roadmap and vision, clou[…]

Follow the Money: How eCriminals Monetize Ransomware (May 13, 2022; Bart Lenaerts-Bergmans). The transaction details and monetization patterns of modern eCrime reveal critical insights for organizations defending against ransomware attacks. Cybercrime has evolved over the past several years f[…]

Who is EMBER BEAR? (March 30, 2022; CrowdStrike Threat Intel Team). 4/4/22 Editor’s note: The hearing described below has been rescheduled for 10 a.m. EST on Tuesday, April 5. On Wednesday, March 30, 2022, Adam Meyers, CrowdStrike Senior Vice President of Intelligence[…]

A Tale of Two Cookies: How to Pwn2Own the Cisco RV340 Router (March 24, 2022; Benjamin Grap - Hanno Heinrichs - Lukas Kupczyk).

PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell (March 07, 2022; Chris Nguyen - Eric Loui). At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET SPIDER exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impactin[…]

Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities (March 01, 2022; CrowdStrike Intelligence Team). On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at[…]

Access Brokers: Who Are the Targets, and What Are They Worth? (February 23, 2022; CrowdStrike Intelligence Team). Access brokers have become a key component of the eCrime threat landscape, selling access to threat actors and facilitating myriad criminal activities. Many have established relationships with big gam[…]

Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next (January 28, 2022; CrowdStrike Intelligence Team). Disruptive and destructive cyber operations have been levied against elements of Ukrainian society by adversaries attributed to the Russian government — or groups highly likely to be controlled by the[…]

Technical Analysis of the WhisperGate Malicious Bootloader (January 19, 2022; CrowdStrike Intelligence Team). On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by t[…]

Log4j2 Vulnerability "Log4Shell" (CVE-2021-44228) (December 10, 2021; CrowdStrike Intelligence Team). Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. Between late November and early December 2021, a critical vulnerability (CVE-2021-44228) impacting[…]

Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes (December 07, 2021; Shaun Hurley). In a July 2019 blog post about DoppelPaymer, CrowdStrike Intelligence reported that ProcessHacker was being hijacked to kill a list of targeted processes and gain access, delivering a “critical hit.” […]

A Foray into Fuzzing (November 17, 2021; Max Julian Hofmann). One useful method in a security researcher’s toolbox for discovering new bugs in software is called “fuzz testing,” or just “fuzzing.” Fuzzing is an automatic software testing approach where the softw[…]

Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary (November 10, 2021; Antonio Parata). One of the most tedious tasks in malware analysis is to get rid of the obfuscated code. Nowadays, almost every malware uses obfuscation to hinder the analysis and try to evade detection. In some cases[…]

Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments (November 09, 2021; Lukas Kupczyk - Max Julian Hofmann). The Advanced Research Team at CrowdStrike Intelligence discovered multiple vulnerabilities affecting libvncclient. In some widely used desktop environments, such as GNOME, these vulnerabilities can be[…]

CARBON SPIDER Embraces Big Game Hunting, Part 2 (November 04, 2021; Eric Loui - Josh Reynolds). In 2020, CARBON SPIDER began conducting big game hunting (BGH) ransomware campaigns with PINCHY SPIDER’s REvil before introducing Darkside. The adversary later opened up Darkside to affiliates through[…]

ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity (October 12, 2021; CrowdStrike Intelligence Team). This announcement is part of the Fal.Con 2021 CrowdStrike Cybersecurity Conference, Oct. 12-14. Register now for free to learn all about our exciting new products, partnerships and latest intel! The e[…]

Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack (September 14, 2021; CrowdStrike Intelligence Team). The eCrime ecosystem is an active and diverse economy of financially motivated threat actors engaging in a myriad of criminal activities to generate revenue.
With the CrowdStrike eCrime Index (ECX), C[…] Sidoh: WIZARD SPIDER’s Mysterious Exfiltration Tool August 31, 2021 alexander.hanel WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking Trojan. This Russia-based eCrime group originally […] CARBON SPIDER Embraces Big Game Hunting, Part 1 August 30, 2021 Eric Loui - Josh Reynolds Throughout 2020, CARBON SPIDER dramatically overhauled their operations.
In April 2020, the adversary abruptly shifted from narrow campaigns focused entirely on companies operating point-of-sale (POS)[…] PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity August 04, 2021 Falcon OverWatch - CrowdStrike Intelligence - CrowdStrike IR CrowdStrike Intelligence, Falcon OverWatch™ and CrowdStrike Incident Response teams have observed multiple campaigns by the eCrime actor PROPHET SPIDER where the adversary has exploited Oracle WebLogi[…] CrowdStrike Announces CrowdStrike Falcon Intelligence Recon+ to Combat Cybercriminals July 28, 2021 Kurt Baker Cybercriminals Are Raking in Billions Cybercrime is big business.
Security industry analysts project annual global cybercrime damages to reach $6 trillion USD in 2021 (according to Cybersecurity Ventu[…] The Evolution of PINCHY SPIDER from GandCrab to REvil July 07, 2021 AdamM For years, ransomware was a nuisance that impacted individuals who were unfortunate enough to encounter it via banking trojans, exploit kits or phishing attacks and resulted in a large number of small[…] Adversary Quest 2021 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges June 02, 2021 Hanno Heinrichs - Lukas Kupczyk - Max Julian Hofmann At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest.
This “capture the flag” event featured 12 information security challenges in thre[…] DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape May 28, 2021 CrowdStrike Threat Intel Team The repercussions from the Colonial Pipeline DarkSide ransomware incident have garnered global attention and caused major shifts in the ransomware ecosystem. Many criminal forums have now banned ranso[…] Increasing Relevance of Access Broker Market Shown in Improved ECX Model April 22, 2021 CrowdStrike Intelligence Team The eCrime ecosystem is an active and diverse economy of financially motivated threat actors that engage in a myriad of criminal activities in order to generate revenue.
With the eCrime Index (ECX), C[…] Adversary Quest 2021 Walkthrough, Part 2: Four SPACE JACKAL Hacktivist Challenges April 07, 2021 Max Julian Hofmann - Hanno Heinrichs Adversary Quest 2021 Walkthrough, Part 1: Four CATAPULT SPIDER eCrime Challenges March 31, 2021 Benjamin Grap - Max Julian Hofman - Lutz Wolf Forrester Names CrowdStrike a Leader in the 2021 Wave for External Threat Intelligence March 23, 2021 Kurt Baker “The quality of technical intelligence and expertise of the dedicated analysts were noted by multiple customer references.
One customer specifically felt like CrowdStrike was a ‘true partner of their […] INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions March 18, 2021 Adam Podlosky - Brendon Feeley Introduction In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action against the Russia-based cybercriminal group INDRIK SPIDER, also known as Evil Corp, a[…] Hypervisor Jackpotting, Part 1: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact February 26, 2021 Eric Loui - Sergei Frankoff This is Part 1 of a three-part blog series.
Read Part 2 and Part 3. Targeted large-scale ransomware campaigns, referred to as big game hunting (BGH), remained the primary eCrime threat to organization[…] Explore the Adversary Universe February 21, 2021 Adam Meyers Since the beginning of CrowdStrike’s history, we have relentlessly pursued cyber adversaries across the internet, because we knew back when we started the company as we do now, it doesn’t matter wheth[…] Pwn2Own: A Tale of a Bug Found and Lost Again January 27, 2021 Hanno Heinrichs - Lukas Kupczyk - Max Julian Hofmann In October 2020, the Pwn2Own Tokyo 2020 announcement caught our attention.
Even though originally we hadn’t planned to participate, we checked out the target list and decided to take a look at one of […] Join the Challenge: CrowdStrike Intelligence Adversary Quest 2021 January 12, 2021 Lutz Wolf Are you interested in information security and do you enjoy working on technical challenges? Then put this CrowdStrike event on your calendar and join the fun. On January 18-29, 2021, the CrowdStrike®[…] SUNSPOT: An Implant in the Build Process January 11, 2021 CrowdStrike Intelligence Team In December 2020, the industry was rocked by the disclosure of a complex supply chain attack against SolarWinds, Inc., a leading provider of network performance monitoring tools used by organizations […] Hacking Farm to Table: Threat Hunters Uncover Rise in Attacks Against Agriculture November 18, 2020 Falcon OverWatch and CrowdStrike Intelligence Teams Life on the farm isn’t what it used to be.
With overall cyberattacks on the rise, even agriculture has found itself in the crosshairs of cyber threat actors. In fact, during the last ten months alone,[…] New Podcast Series: The Importance of Cyber Threat Intelligence in Cybersecurity October 29, 2020 Kurt Baker A new CrowdStrike® podcast series hosted by Cybercrime Magazine focuses on the critical role cyber threat intelligence (CTI) plays in an effective cybersecurity strategy.
The series features CrowdStri[…] WIZARD SPIDER Update: Resilient, Reactive and Resolute October 16, 2020 The CrowdStrike Intel Team Double Trouble: Ransomware with Data Leak Extortion, Part 2 October 06, 2020 The CrowdStrike Intel Team As data leak extortion swiftly became the new norm for big game hunting (BGH) ransomware operators since late 2019, various criminal adversaries began innovating in this area.
This includes collaborat[…] Double Trouble: Ransomware with Data Leak Extortion, Part 1 September 24, 2020 The CrowdStrike Intel Team The most prominent eCrime trend observed so far in 2020 is big game hunting (BGH) actors stealing and leaking victim data in order to force ransom payments and, in some cases, demand two ransoms. Data[…] Who Is PIONEER KITTEN? August 31, 2020 Alex Orleans PIONEER KITTEN at a Glance Origins Islamic Republic of Iran Target Nations Israel, Middle East North Africa (MENA), North America, United States Last Known Activity July 2020 (earliest: 2017) Target I[…] Exploiting GlobalProtect for Privilege Escalation, Part Two: Linux and macOS April 23, 2020 Hanno Heinrichs This is the second blog in a two-part series covering the exploitation of the Palo Alto Networks GlobalProtect VPN client running on Linux and macOS.
The first blog covered this exploitation on Window[…] Exploiting GlobalProtect for Privilege Escalation, Part One: Windows April 21, 2020 Hanno Heinrichs The CrowdStrike® Intelligence Advanced Research Team discovered two distinct vulnerabilities in the Windows, Linux and macOS versions of the Palo Alto Networks GlobalProtect VPN client (CVE-2019-17435[…] Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques April 16, 2020 Eric Loui - Karl Scheuerman - Aaron Pickett - Brendon Feeley Since at least 2018, criminal actors have been conducting big game hunting (BGH) campaigns, deploying ransomware on a targeted scale against large corporations or governments in pursuit of lucrative p[…] Situational Awareness: Cyber Threats Heightened by COVID-19 and How to Protect Against Them March 24, 2020 Adam Meyers Please Note: Check this blog for frequent updates on adversary activity related to COVID-19.
June 24, 2020: Observed Activity Update As the COVID-19 pandemic continues to take hold in various geograph[…] Who is REFINED KITTEN? December 12, 2019 AdamM Common Aliases REFINED KITTEN may also be identified by the following pseudonyms: APT33 Elfin Magnallium Holmium REFINED KITTEN’s Origins REFINED KITTEN is a nation-state-based threat actor whose acti[…] WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN November 01, 2019 Alexander Hanel and Brett Stone-Gross CrowdStrike® Intelligence analyzed variants of Ryuk (a ransomware family distributed by WIZARD SPIDER) with new functionality for identifying and encrypting files on hosts in a local area network (LAN[…] Ransomware Increases the Back-to-School Blues September 17, 2019 AdamM As students all over the United States donned their backpacks and packed their lunches to go back to school this year, the all-to-familiar impact of ransomware created confusion and disarray for schoo[…] Who is Salty Spider (Sality)?
September 06, 2019 AdamM Common Aliases SALTY SIDER is most commonly identified with the botnet it maintains (Sality) and it’s associated pseudonyms: KuKu SalLoad Kookoo SaliCode Kukacka SALTY SPIDER’s Origins SALTY SPIDER is[…] CrowdStrike Mobile Threat Report Offers Trends and Recommendations for Securing Your Organization July 30, 2019 AdamM The universal adoption of mobile devices in business environments has created new attack vectors that organizations struggle to address.
A new report from CrowdStrike, the “Mobile Threat Landscape Rep[…] BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0 July 12, 2019 bsg.sf.bh CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attack[…] New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration March 20, 2019 Brendon.Feeley.Brett.Stone-Gross On March 17, 2019, CrowdStrike® Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDE[…] PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware March 06, 2019 brendon.bex.sergei CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated wit[…] "Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web February 15, 2019 Brendon.Feeley.and.Bex.Hartley CrowdStrike® Intelligence observed a new campaign from a LUNAR SPIDER affiliate to distribute WIZARD SPIDER's TrickBot malware on Feb. 7, 2019.
However, this latest campaign is somewhat unique due to […] Who is FANCY BEAR (APT28)? February 12, 2019 Editorial Team The nation-state adversary group known as FANCY BEAR (also known as APT28 or Sofacy) has been operating since at least 2008 and represents a constant threat to a wide variety of organizations around t[…] Enhancing Secure Boot Chain on Fedora 29 February 11, 2019 Hanno Heinrichs and Florent Hochwelker This blog is from the CrowdStrike Intelligence Advanced Research Team Motivation What is worse than a failing system?
A (silently) compromised, yet operational system! While there are many attack vect[…] Widespread DNS Hijacking Activity Targets Multiple Sectors January 25, 2019 mattdahl CrowdStrike® Intelligence™ has been researching reports of widespread DNS hijacking activity since information on the attacks became publicly available earlier this month.1 The information allowed for[…] Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware January 10, 2019 alexander.hanel WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.
This methodology, known as “big gam[…] Farewell to Kelihos and ZOMBIE SPIDER December 05, 2018 Brett.Stone-Gross.Tillmann.Werner.and.Bex.Hartley The Kelihos peer-to-peer botnet was one of the largest and longest-operating cybercrime infrastructures in existence. Its origins can be traced back to the Storm Worm, a botnet that emerged in 2007 an[…] Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN November 27, 2018 AdamM HELIX KITTEN is likely an Iranian-based adversary group, active since at least late 2015, targeting organizations in the aerospace, energy, financial, government, hospitality and telecommunications bu[…] Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware November 14, 2018 sergei.frankoff.and.bex.hartley INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014.
In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014[…] Meet CrowdStrike’s Adversary of the Month for October: DUNGEON SPIDER October 26, 2018 AdamM DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that […] Cutwail Spam Campaign Uses Steganography to Distribute URLZone October 25, 2018 sebeschbretstobexhar CrowdStrike® CrowdStrike Falcon® Intelligence™ has observed a new Cutwail spam campaign from NARWHAL SPIDER on 24 October 2018.
NARWHAL SPIDER is the adversary name designated by Falcon Intelligence f[…] Two Birds, One STONE PANDA August 30, 2018 kozy Introduction In April 2017, a previously unknown group calling itself IntrusionTruth began releasing blog posts detailing individuals believed to be associated with major Chinese intrusion campaigns. […] Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA August 29, 2018 AdamM CrowdStrike® first observed GOBLIN PANDA activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors.
Malware varian[…] Arrests Put New Focus on CARBON SPIDER Adversary Group August 01, 2018 paul.moon In an indictment unsealed by the U.S. Department of Justice (DoJ) on Aug. 1, 2018, three Ukrainian nationals have been charged with conspiracy, wire fraud, computer hacking, access device fraud and ag[…] Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER July 26, 2018 AdamM WICKED SPIDER (PANDA) is a suspected China-based adversary that likely operates as an exploitation group for hire.
The use of two cryptonyms for this group exemplifies how this adversary has demonstra[…] Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA June 15, 2018 Adam Meyers The June 2018 adversary spotlight is on MUSTANG PANDA, a China-based adversary that has demonstrated an ability to rapidly assimilate new tools and tactics into its operations, as evidenced by its use[…] Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA April 06, 2018 AdamM STARDUST CHOLLIMA is a targeted intrusion adversary with a likely nexus to the Democratic People’s Republic of Korea (DPRK).
This adversary is typically involved in operations against financial instit[…] Why North Korean Cyberwarfare is Likely to Intensify March 28, 2018 Michael Busselen Despite a parade of issues battling for headlines today, the impending negotiations between the United States and the Democratic People's Republic of North Korea (DPRK) have been widely covered, with […] Software Supply Chain Attacks Gained Traction in 2017 and Are Likely to Continue March 20, 2018 Michael Busselen One of the important topics covered in the CrowdStrike® 2018 Global Threat Report is the increase in supply chain attacks in 2017.
This topic was also highlighted in a recent webcast featuring CrowdSt[…] Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER February 08, 2018 AdamM In continuance of our monthly blog post to introduce a new threat actor, February 2018 features a criminally motivated actor we call MUMMY SPIDER. This actor is associated with the malware commonly kn[…] CrowdStrike's January Adversary of the Month: VOODOO BEAR January 29, 2018 AdamM For the past several years, CrowdStrike® has published a yearly calendar that includes international holidays, working days of the most prevalent threat actors, and significant geopolitical events.
Ev[…] Malicious Spear-Phishing Campaign Targets Upcoming Winter Olympics in South Korea January 10, 2018 Falcon Intelligence Team A malicious campaign has been identified targeting suspected victims involved in or supporting the February 2018 Olympic Winter Games in Pyeongchang, South Korea. Open source reporting indicates this […] An End to “Smash-and-Grab” and a Move to More Targeted Approaches December 20, 2017 kozy In late October and early November, 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four We[…] Full Decryption of Systems Encrypted by Petya/NotPetya October 17, 2017 Sebastian Eschweiler As demonstrated in the previous blog post about decryption of Petya/NotPetya, almost the complete Master File Table (MFT) can be decrypted.
In this post, we describe our approach to collect more keyst[…] Software Supply Chain Attacks on the Rise, Undermining Customer Trust October 11, 2017 AdamM On June 27, 2017, a destructive payload dubbed “NotPetya” by researchers, was deployed covertly using a legitimate software package employed by organizations operating in Ukraine. The attack was perpe[…] Protecting the Software Supply Chain: Deep Insights into the CCleaner Backdoor October 04, 2017 karansood The term “supply chain attacks” means different things to different people.
To the general business community, it refers to attacks targeting vulnerable third-parties in a larger organization’s supply[…] Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack August 23, 2017 Sebastian Eschweiler Making the world a better place has always been a core goal of CrowdStrike. In this blog post, we are making our findings, and tools, for decrypting NotPetya/Petya available to the general public.
Wit[…] CrowdStrike Protects Against NotPetya Attack June 28, 2017 Falcon Intelligence Team Update: Due to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya - NotPetya. On June 27 at approximately 10:30 UTC, a new ransomware family began propagat[…] Falcon Intelligence Report: Wanna Ransomware Spreads Rapidly; CrowdStrike Falcon® Prevents the Attack May 12, 2017 Falcon Intelligence Team Wanna Decryption Ransom Screen Wanna (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware exploded onto the ransomware scene on May 12, 2017, with a mass campaign impacting organizatio[…] Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet April 13, 2017 Falcon Intelligence Team This figure shows a snapshot of systems infected with Kelihos communicating with the sinkhole created to disable it.
The arrest of Russian cybercriminal Pyotr Levashov (aka Peter Severa, or threat act[…] VirusTotal Lookups Are Back in CrowdInspect, CrowdStrike’s Popular Free Tool February 15, 2017 Robin CrowdStrike CrowdInspect version 1.5.0.0 has arrived. Many of you are familiar with CrowdInspect, a simple-to-use and understand Windows application that lists processes running on your computer, alon[…] Blocking Malicious PowerShell Downloads February 06, 2017 Ryan Wegner As a next-gen endpoint protection solution, uniquely unifying next-gen antivirus with endpoint detection and response, CrowdStrike Falcon®™ provides a unique view of malicious activity, making hunting[…] Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units December 22, 2016 AdamM Update - As of March 2017, the estimated losses of D-30 howitzer platform have been amended.
According to an update provided by the International Institute for Strategic Studies (IISS) Research Associ[…] Bear Hunting: Tracking Down COZY BEAR Backdoors September 27, 2016 Ryan McCombs As a follow-up to the CrowdStrike blog entry "Bears in the Midst" on June 15, 2016, we will walk through the methods leveraged by CrowdStrike to recover a COZY BEAR WMI backdoor. The recovery of the b[…] CrowdStrike’s New Methodology for Tracking eCrime August 01, 2016 AdamM At our inception, CrowdStrike coined the phrase, “You don’t have a malware problem, you have an adversary problem.” Behind every attack -- whether it is the most advanced nation state conducting espio[…] M&A – Buying While Cyber Blind?
April 15, 2016 jweissert Mergers and acquisitions: Many organizations utilize these activities to move their business forward by expanding into different market segments or gaining competitive advantage with a unique offering[…] Cyber Skirmish: Russia v. Turkey April 13, 2016 AdamM On the morning of 24 November 2015 an F-16 operated by the Turkish Air Force dropped into position behind a Russian Su-24 Fencer and dispatched an air-to-air Sidewinder missile that sliced into the Ru[…] Using OS X FSEvents to Discover Deleted Malicious Artifacts March 13, 2016 William Tan File System Events (FSEvents) in OS X 10.7+ introduced the capability to monitor changes to a directory.
FSevents are logged by the file system events daemon (fseventsd) process; the daemon writes the[…] Investigating PowerShell: Command and Script Logging February 18, 2016 ChadT PowerShell is becoming ubiquitous in the Microsoft ecosystem, and, while it simplifies administration, it opens up a nearly unprecedented suite of capabilities for attackers. Nearly every malicious ac[…] Nothing else is working.
Why not memory forensics? November 18, 2015 danbrown I ran across a couple of blog posts recently that were espousing the virtues of memory forensics. Having developed a framework very similar to Volatility from the ground up under a government contract[…] Sakula Reloaded November 18, 2015 mattdahl Often during the investigation of sophisticated threat actors, the demarcation between the different attackers and campaigns are blurry.
Researchers need to rely on tradecraft and analytic rigor to un[…] How to Learn from Adversaries as they Test Attack Strategies October 26, 2015 editorialteam According to a recent Harvard Business Review report, 84 percent of enterprises have increased their Cloud usage in the past year. Fueling this major business migration to the Cloud are the well-docum[…] Blurring of Commodity and Targeted Attack Malware October 16, 2015 christian.dietrich As malware and its authors continue to evolve, deciphering the purpose of specific malware-driven attacks has become more challenging.
While some malware still has a feature-specific design such as DD[…] Falcon Zero-Day Flash Detection July 27, 2015 jaronbradley In the wake of the Hacking Team leaks in early July, a result of an intrusion into the company’s network, various zero-day vulnerabilities that affect multiple platforms and software configurations we[…] Rhetoric Foreshadows Cyber Activity in the South China Sea June 01, 2015 kozy As the increasingly aggressive rhetoric surrounding the conflict in the South China Sea (SCS) continues to dominate both Western and Chinese media headlines, multiple outlets and normally rational Chi[…] VENOM Vulnerability Details May 15, 2015 editorialteam Recently, I discovered a vulnerability in QEMU's virtual Floppy Disk Controller (FDC), exploitation of which may allow malicious code inside a virtual machine guest to perform arbitrary code execution[…] 3 Tips for Operationalizing Cyber Intelligence May 04, 2015 AdamM In 2014 it became abundantly clear that threat intelligence provides a decisive advantage in protecting your enterprise.
Using threat intelligence, savvy security practitioners can reduce the time to […] RSA 2015 Hacking Exposed: CrowdResponse Update Released April 21, 2015 Robin George Kurtz, Dmitri Alperovitch and Elia Zaitsev have just finished up the Hacking Exposed: Beyond the Malware session at the RSA 2015 Conference. In the session, they demonstrated how to conduct an […] Operational threat intelligence with Maltego Transform Hub April 17, 2015 AdamM “I’m drowning in data, but starving for information.” Ever feel that way?
Recently, I heard a CISO use this as a description of his company’s information security posture. Today, enterprises are litte[…] Adversaries Set Their Sights on Oil and Gas Sector April 08, 2015 AdamM With high profile breaches in the financial, healthcare and retail sectors making news almost daily, it’s no secret that those industries are in the adversary’s crosshairs. However, while it may get l[…] Chopping packets: Decoding China Chopper Web shell traffic over SSL March 30, 2015 William Tan Introduction The Chopper Web shell is a widely used backdoor by Chinese and other malicious actors to remotely access a compromised Web server.
Deployment of the Chopper shell on the server is fairly […] Surgeon with a Shotgun! - Memory Forensics March 23, 2015 DevinGergen With the ever-increasing need for speed and accuracy for digital investigations and incident response, it is imperative that organizations are able to provide answers quickly. These organizations rely[…] Cyber Kung-Fu: The Great Firewall Art of DNS Poisoning February 23, 2015 kozy Wing Chun (咏春拳), the first Chinese martial art learned by the legendary Bruce Lee, is often best known for its principles of simultaneous attack and defense.
This experience later inspired him to crea[…] Parsing Sysmon Events for IR Indicators February 23, 2015 mchurchill Intro and Installation A dedicated endpoint monitoring tool is quickly becoming a necessity among organizations to increase visibility, logging, and alerting to combat targeted attacks and commodity m[…] Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool December 31, 2014 AlexI The State of Kernel Exploitation The typical write-what-where kernel-mode exploit technique usually relies on either modifying some key kernel-mode data structure, which is easy to do locally on Windo[…] Advanced Falconry: Seeking Out the Prey with Machine Learning December 16, 2014 Sven Krasser Interest in machine learning is on the rise.
This was evidenced by the attendance of our recent CrowdCast on the topic — if you haven’t seen it yet, head over to our CrowdCast Channel and take a quick[…] I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors November 24, 2014 mattdahl Over the last few months, the CrowdStrike Intelligence team has been tracking a campaign of highly targeted events focused on entities in the U.S.
Defense Industrial Base (DIB), healthcare, government[…]

Peering Around the Corner (November 10, 2014, AdamM): After the better part of a decade chasing adversaries around the Internet, there are a few things I know to be true about targeted intrusion actors operating in the interests of various nation states.[…]

CVE-2014-1761 - The Alley of Compromise (October 29, 2014, christian.dietrich): A significant fraction of targeted attacks involve spear phishing emails with malicious lure documents that, when opened, exploit a vulnerability in the document viewer application to invoke a backdoo[…]

Mitigating Bash ShellShock (October 08, 2014, DevinGergen): Following the frenzy of patch releases in reaction to the CVE-2014-6271 Bash Vulnerability (ShellShock), several blogs and articles were published detailing the vulnerability, but there has been less […]

Occupy Central: The Umbrella Revolution and Chinese Intelligence (October 02, 2014, kozy): First observed in late 2013, the People’s Republic of China (PRC) has steadily increased the use of its intelligence services and cyber operations in Hong Kong as part of a response to the growing pro[…]

Registry Analysis with CrowdResponse (August 28, 2014, ChadT): The third release of the free CrowdResponse incident response collection tool is now available! This time around we include plugins that facilitate the collection of Windows registry data. Our inspira[…]

Hat-tribution to PLA Unit 61486 (June 09, 2014, NH): Attribution is a key component of cyber-intelligence; by knowing the adversary you can effectively understand their intentions and objectives. Deep understanding of the adversary allows organizations […]

Gameover (June 04, 2014, AdamM): On Friday May 30, 2014, an unprecedented botnet disruption was initiated by the United States Department of Justice (DOJ) in coordination with numerous law enforcement and industry partners. This coor[…]

New CrowdResponse Modules (May 20, 2014, ChadJustin): During his talk at this year’s RSA conference, George Kurtz introduced a new free community tool named CrowdResponse. CrowdResponse is a robust data-gathering platform that we intend to continue impro[…]

Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN (May 13, 2014, mattdahl): Today, our friends at FireEye released a report on an Iran-based adversary they are calling Saffron Rose. CrowdStrike Intelligence has also been tracking and reporting internally on this threat group […]

CrowdStrike Heartbleed Scanner - Update (April 22, 2014, Robin): This is a followup to our original blog post for the CrowdStrike Heartbleed Scanner. Due to popular demand and acting on feedback we have received, today we have updated our free Heartbleed Scanner vu[…]

Mo' Shells Mo' Problems - Network Detection (March 28, 2014, DannyLungstrom and AndySchworer): Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. In pre[…]

Mo' Shells Mo' Problems - Web Server Log Analysis (March 19, 2014, ChadT): Disclaimer: CrowdStrike derived this information from investigations in unclassified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. Web shel[…]

Mo' Shells Mo' Problems - File List Stacking (March 07, 2014, RyanJ)

Mo' Shells Mo' Problems - Deep Panda Web Shells (February 19, 2014, RyanJ)

Native Java Bytecode Debugging without Source Code (February 12, 2014, editorialteam): At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very s[…]

Through the Window: Creative Code Invocation (February 05, 2014, christian.dietrich): Recently, while analyzing a targeted attack, CrowdStrike observed an interesting code invocation technique that we want to describe here. This particular technique can be used to invoke code that has […]

Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers) (January 08, 2014, AlexI): In this last part of our series on protected processes in Windows 8.1, we’re going to be taking a look at the cryptographic security that protects the system from the creation or promotion of arbitrar[…]

The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services (December 11, 2013, AlexI): In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of LSASS protection and pass-the-hash mitigation through the Protect[…]

Analysis of a CVE-2013-3906 Exploit (December 10, 2013, editorialteam): Many of CrowdStrike’s customers are often targeted by email phishing campaigns and strategic web compromises (also known as watering-hole attacks). These attacks use exploits to take advantage of vuln[…]

The Evolution of Protected Processes - Part 1: Pass-the-Hash Mitigations in Windows 8.1 (November 25, 2013, AlexI): It was more than six years ago that I first posted on the concept of protected processes, making my opinion of this poorly thought-out DRM scheme clear in the title alone: “Why Protected Processes Are[…]

VICEROY TIGER Delivers New Zero-Day Exploit (November 06, 2013, AdamM): On November 5, 2013, Microsoft announced that a vulnerability in the Microsoft Graphics Component could allow Remote Code Execution (RCE). This announcement attracted immediate interest from the secur[…]

DNS - The Lifeblood of your Domain (August 30, 2013, AdamM): As the situation on the ground in Syria continues to deteriorate, the Syrian Electronic Army (SEA) has made quite a few waves by conducting an attack against the Domain Name System (DNS) infrastructur[…]

Rare Glimpse into a Real-Life Command-and-Control Server (June 07, 2013, jphillips): Recently, CrowdStrike has been tracking the activities of an adversary we’ve named Viceroy Tiger. During our research, we happened upon an interesting file written in Microsoft’s Visual Basic 6 (VB6).[…]

Who is Samurai Panda (April 12, 2013, AdamM): This week we’re back to our old friends with a Chinese nexus. To recount the last few weeks of our adversary blog posts, we first introduced Anchor Panda, an adversary we attribute to China and associ[…]

Who is Clever Kitten (April 04, 2013, AdamM): Over the last several weeks, CrowdStrike has been discussing some of the dozens of adversaries that the CrowdStrike Intelligence team tracks every day. We revealed a Chinese-based adversary we crypt a[…]

Whois Numbered Panda (March 29, 2013, AdamM): Last week's Intelligence blog post featured Anchor Panda, one of the many adversary groups that CrowdStrike tracks. The adversary is the human component in an attack that one should focus on. It is no[…]

Who is Anchor Panda (March 22, 2013, AdamM): Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area[…]

Free Community Tool: CrowdInspect (February 28, 2013, Robin): CrowdInspect is a free community tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of potential malware that communicates over the network that may exist on y[…]

HTTP iframe Injecting Linux Rootkit (November 18, 2012, George Kurtz): On Tuesday, November 13, 2012, a previously unknown Linux rootkit was posted to the Full Disclosure mailing list by an anonymous victim. The rootkit was discovered on a web server that added an unknow[…]

Unpacking Dynamically Allocated Code (October 29, 2012, editorialteam): Background. Today, most malware is obfuscated to make it more difficult for traditional antivirus engines to detect the malicious code and to make it more arduous for analysts to understand the malware[…]

CrowdStrike Intelligence - Adversary-based Approach (June 08, 2012, AdamM): Treating the problem, not the symptoms. Having spent the better part of the last 10 years dealing with various cyber adversaries, it is frustrating to see so many organizations focus on the symptoms of[…]