Expel
@expelsecurity.bsky.social
Glass-box MDR that shows you exactly what we see. 24x7 SOC monitoring, comprehensive coverage across your threat landscape, and sub-20-minute MTTR on critical incidents. Your tools. Our expertise. Real protection.

🔗 expel.com
Security and finance leaders think they're aligned. Our new research with 300 of them says otherwise.

54% of finance leaders need strategic alignment metrics. Security's giving them maturity metrics instead. The language barrier is real—and fixable. expel.com/blog/new-res...
January 14, 2026 at 5:48 PM
We just dropped a new AI upgrade 🫳

Now you get plain-English explanations for every detection rule. See exactly which rules are firing, how your coverage evolves, and what's actually protecting you. Transparency isn't a feature, it's how MDR should work. expel.com/blog/new-exp...
New Expel AI upgrade: “Pop the hood” on our detection strategies
Expel added new AI-generated descriptions to our detection rules, written in plain English, to improve transparency and understanding.
expel.com
January 9, 2026 at 6:16 PM
We're seeing XMRig cryptominers popping up everywhere recently. Threat actors love them because they’re a simple way to make money, and they can go unnoticed.

Here's how to spot them and shut them down before threat actors start monetizing: expel.com/blog/on-the-...
On the radar: Weeding out XMRig
XMRig is a cryptocurrency miner considered less malicious than other threats, but it's still worth prioritizing.
expel.com
January 7, 2026 at 7:47 PM
Our security leaders made their (brutally honest) 2026 predictions. The one thing they agree on? AI isn’t going anywhere, and it’s bringing new capabilities and threats into the new year.

Read all of their unfiltered takes: expel.com/blog/cyberse...
Our cybersecurity predictions for 2026
Our experts and leaders are sharing their predictions for cybersecurity trends in 2026 to help you start strategizing.
expel.com
January 2, 2026 at 6:32 PM
Your analysts are drowning. You can't hire fast enough. And even if you could, the math doesn't work.

The economics of running a 24×7 SOC have changed. Use our free calculator that shows you what your team needs, whether that's building, buying, or augmenting: expel.com/blog/buildin...
Why building a 24x7 SOC is getting harder (and what actually works instead)
The math on building an in-house SOC has changed, including the real costs, why retention is brutal, and what actually works.
expel.com
December 29, 2025 at 6:09 PM
In the SOC, you get used to the noise. But a couple weeks ago, a single string cut through the noise: SHA1HULUD. It felt like seeing a ghost.

We traced the activity to a public GitHub repository where the customer's private cloud keys and secrets were exposed for anyone to grab.
December 23, 2025 at 5:52 PM
Expel MDR now supports Panther.

We integrate with your cloud-native SIEM, bringing our detections, 24x7 monitoring, and incident response to work alongside what you've already built.

Use the tools that work for you. We'll make them work harder. expel.com/blog/more-si...
More SIEM flexibility: Expel MDR adds support for Panther
Expel announces support for Panther's cloud-native SIEM as the latest in our long list of advanced integrations.
expel.com
December 16, 2025 at 5:51 PM
⚠️ Attackers are buying Google Ads that appear when looking up how to troubleshoot your Mac. The ad takes you to a shared ChatGPT chat that tells you to copy-paste some code. You've just executed malware.

Kroll has a solid write-up on the mechanics: www.kroll.com/en/publicati...
December 9, 2025 at 5:50 PM
Part two of our QTR, Q3 2025 just dropped: malware disguised as apps that actually work.

BaoLoader hides backdoors in PDF editors and browsers. TamperedChef is a recipe app with hidden command codes. These apps function as promised, which is why users don't suspect anything.
November 6, 2025 at 4:03 PM
Imagine searching for Microsoft Teams, visiting the link at the top of the results, & getting hit with malware. That's the malvertising campaign that the Rhysida ransomware gang has been running.

Expel Intel is tracking this campaign. Here's what we've uncovered: www.theregister.com/2025/10/31/r...
Ransomware gang runs ads for Microsoft Teams to pwn victims
You click and think you're getting a download page, but get malware instead
www.theregister.com
November 5, 2025 at 3:49 PM
Q3 2025 Threat Report is out. We analyzed thousands of real incidents across customer environments.

Here’s what stood out: 73.9% of all incidents were identity-based attacks. Up from 67.6% last quarter.

Let’s dive into the Q3 numbers 🧵
November 5, 2025 at 2:52 PM
The Rhysida ransomware gang (formerly Vice Society) is running the same playbook as last year—buying Bing ads to deliver fake Microsoft Teams, PuTTY, and Zoom downloads.

Click the wrong sponsored result? You’ve just installed OysterLoader, their initial access malware.
October 31, 2025 at 2:33 PM
⚠️Attackers are actively exploiting CVE-2025-59287, a recently identified vulnerability in WSUS. Successful exploitation allows an attacker to run code using SYSTEM privileges. Expel caught & contained incidents related to this in two customer environments this AM.

Details: expel.com/blog/wsus-re...
October 24, 2025 at 6:13 PM
Attackers found a clever way to abuse legitimate, digitally signed software to load malware and it's working.

Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
October 23, 2025 at 4:48 PM
Halloween might be the spookiest day in October but this month's Patch Tuesday is a close second.

175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.

But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
Patch Tuesday: October 2025 (Expel’s version)
This month, we're highlighting top critical vulnerabilities, including six zero-day vulnerabilities, and one in Cisco IOS.
expel.com
October 15, 2025 at 4:30 PM
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.

Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
October 8, 2025 at 6:38 PM
The security industry is drowning in threat feeds that don't actually help you stop attacks. We've been working to fix that for years.

Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
October 8, 2025 at 1:01 PM
50k events/day. 0.1% true positive rate. 50 real threats buried.

That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.

Start counting what matters: expel.com/blog/stop-co...
October 2, 2025 at 6:46 PM
Your email security quarantined the malicious email. 🚨📧 Victory, right?

Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
September 29, 2025 at 7:34 PM
Chinese threat actors were building a network of SOHO routers and marking their territory with TLS certs that spoofed the LAPD.

Our threat hunters found them anyway. 🕵️
September 25, 2025 at 5:39 PM
⚠️ We’ve recently witnessed new activity in the realm of potentially unwanted programs (PUPs), which are dropping malware, executing commands, and turning your machine into someone else's proxy network.

Read our ongoing investigation here: expel.com/blog/you-don...
You don’t find ManualFinder, ManualFinder finds you
We're investigating ManualFinder, a trojan malware we're seeing in new activity, likely coming from potentially unwanted programs (PUPs).
expel.com
August 22, 2025 at 11:19 PM
🚨 A NEW trojan on the block spotted by our threat intel team 👀

We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”.

One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
August 21, 2025 at 4:29 PM
⚠️ We’ve noticed a campaign leveraging SEO poisoning to drop a small loader. If you’ve seen the lure in the watering hole, we’d love to know. A copy of the malware can be found on VirusTotal as MD5 hash 6af56c606b4ece68b4d38752e7501457.

Here’s what we’re seeing 🧵
August 1, 2025 at 9:22 PM