Expel
@expelsecurity.bsky.social
The leading MDR provider trusted by some of the world’s most renowned brands to expel adversaries, minimize risk, and build security resilience.
🔗 expel.com
Part two of our QTR, Q3 2025 just dropped: malware disguised as apps that actually work.
BaoLoader hides backdoors in PDF editors and browsers. TamperedChef is a recipe app with hidden command codes. These apps function as promised, which is why users don't suspect anything.
November 6, 2025 at 4:03 PM
Imagine searching for Microsoft Teams, visiting the link at the top of the results, & getting hit with malware. That's the malvertising campaign that the Rhysida ransomware gang has been running.
Expel Intel is tracking this campaign. Here's what we've uncovered: www.theregister.com/2025/10/31/r...
Ransomware gang runs ads for Microsoft Teams to pwn victims
You click and think you're getting a download page, but get malware instead
www.theregister.com
November 5, 2025 at 3:49 PM
Q3 2025 Threat Report is out. We analyzed thousands of real incidents across customer environments.
Here’s what stood out: 73.9% of all incidents were identity-based attacks. Up from 67.6% last quarter.
Let’s dive into the Q3 numbers 🧵
November 5, 2025 at 2:52 PM
The Rhysida ransomware gang (formerly Vice Society) is running the same playbook as last year—buying Bing ads to deliver fake Microsoft Teams, PuTTY, and Zoom downloads.
Click the wrong sponsored result? You’ve just installed OysterLoader, their initial access malware.
October 31, 2025 at 2:33 PM
⚠️Attackers are actively exploiting CVE-2025-59287, a recently identified vulnerability in WSUS. Successful exploitation allows an attacker to run code using SYSTEM privileges. Expel caught & contained incidents related to this in two customer environments this AM.
Details: expel.com/blog/wsus-re...
October 24, 2025 at 6:13 PM
Attackers found a clever way to abuse legitimate, digitally signed software to load malware and it's working.
Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
October 23, 2025 at 4:48 PM
Halloween might be the spookiest day in October but this month's Patch Tuesday is a close second.
175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.
But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
Patch Tuesday: October 2025 (Expel’s version)
This month, we're highlighting top critical vulnerabilities, including six zero-day vulnerabilities, and one in Cisco IOS.
expel.com
October 15, 2025 at 4:30 PM
Reposted by Expel
We encountered a unique variant of the ClickFix malware technique. The catch? The user is social engineered into running a PowerShell script which downloads no files, makes no web requests, and embeds no payload.
Regardless, it's still able to install a malicious loader.
expel.com/blog/cache-s...
Cache smuggling: When a picture isn’t a thousand words
We recently observed an innovative campaign using the ClickFix attack tactic for cache smuggling. Here's what you need to know.
expel.com
October 8, 2025 at 4:38 PM
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.
Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
October 8, 2025 at 6:38 PM
The security industry is drowning in threat feeds that don't actually help you stop attacks. We've been working to fix that for years.
Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
October 8, 2025 at 1:01 PM
50k events/day. 0.1% true positive rate. 50 real threats buried.
That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.
Start counting what matters: expel.com/blog/stop-co...
October 2, 2025 at 6:46 PM
Your email security quarantined the malicious email. 🚨📧 Victory, right?
Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
September 29, 2025 at 7:34 PM
Chinese threat actors were building a network of SOHO routers and marking their territory with TLS certs that spoofed the LAPD.
Our threat hunters found them anyway. 🕵️
September 25, 2025 at 5:39 PM
⚠️ We’ve recently witnessed new activity in the realm of potentially unwanted programs (PUPs), which are dropping malware, executing commands, and turning your machine into someone else's proxy network.
Read our ongoing investigation here: expel.com/blog/you-don...
You don’t find ManualFinder, ManualFinder finds you
We're investigating ManualFinder, a trojan malware we're seeing in new activity, likely coming from potentially unwanted programs (PUPs).
expel.com
August 22, 2025 at 11:19 PM
🚨 A NEW trojan on the block spotted by our threat intel team 👀
We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”
One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
August 21, 2025 at 4:29 PM
⚠️ We’ve noticed a campaign leveraging SEO poisoning to drop a small loader. If you’ve seen the lure in the watering hole, we’d love to know. A copy of the malware can be found on VirusTotal as MD5 hash 6af56c606b4ece68b4d38752e7501457.
Here’s what we’re seeing 🧵
August 1, 2025 at 9:22 PM
Reposted by Expel
What Fortune 100s are getting wrong about cybersecurity hiring
📖 Read more: www.helpnetsecurity.com/2025/07/17/c...
#cybersecurity #cybersecuritynews #burnout #certification @expelsecurity.bsky.social
What Fortune 100s are getting wrong about cybersecurity hiring - Help Net Security
New research reveals cybersecurity hiring trends for 2025, showing how rigid job requirements and low flexibility are driving talent away.
www.helpnetsecurity.com
July 17, 2025 at 7:32 AM
Spotted in NYC ❎👀
Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!
June 30, 2025 at 5:20 PM
⚠️ We’ve been keeping a close eye on the US-Israel-Iran geopolitical situation. Many resources are providing a ton of information and data but not a lot of analysis.
Our take: things are not likely to intensify in the cyber realm.
Here's what to do and what Expel is doing:
What we're seeing from Iran (and what it means for you)
Here's Expel's take on what the geopolitical issues between the US, Israel, and Iran look like for the cybersecurity community to date.
expel.com
June 26, 2025 at 5:50 PM
📂💥 When a malicious file hits your environment, every second counts.
Expel's “delete malicious file” response action enables our SOC to permanently remove a confirmed malicious file directly from an affected host, using the EDRs and security tools you already have. expel.com/blog/explore...
Explore Expel’s auto remediations: Delete malicious file
In this series, we explore Expel's auto remediations so you understand how they work. Let's explore delete malicious file.
expel.com
June 23, 2025 at 6:04 PM
⚠️🕷️ Scattered Spider is acting with a heightened amount of activity. We're seeing them pivot from credential harvesting to directly targeting IT help desks, using social engineering to reset passwords and bypass MFA.
Get the full 411 on Scattered Spider's heightened activity:
Emerging threat: Scattered Spider’s heightened activity—here’s the 411
Threat group Scattered Spider is making headlines again as they increase targeting for financial services and insurance orgs.
expel.com
June 20, 2025 at 6:50 PM
It’s Patch Tuesday! 🩹 This month, Microsoft released 66 CVEs including CVE-2025-33053 and CVE-2025-33070.
Of the vulnerabilities, here are the three that caught our eye as the highest priority due to the vulnerability exploitation risk factors 👀🚨 expel.com/blog/patch-t...
Patch Tuesday: June 2025 (Expel's version)
The June 2025 edition of Patch Tuesday is live, and this month we're highlighting a handful of Ivanti critical vulnerabilities.
expel.com
June 10, 2025 at 7:44 PM
You’ve invested in your SIEM, now our goal is to make that investment 𝘸𝘰𝘳𝘬.
We’re doubling down on our position as a leader in MDR flexibility by announcing the expansion of our SIEM coverage. We’ve launched advanced support for Palo Alto Networks Cortex XSIAM this month. 👏
June 10, 2025 at 5:58 PM
Acquisitions happen. But when your security vendor gets bought out, it's not just business as usual. Are you ready to ask the hard questions? Because you need to.
Our CSO Greg Notch lays out the 5 questions you need to ask when your security vendor gets acquired: expel.com/blog/5-quest...
5 questions to ask when your security vendor gets acquired
Whether your MDR provider is going through a merger or acquisition, here are five questions you'll want to ask your new point of contact.
expel.com
June 9, 2025 at 4:16 PM
In 7 minutes you can...
🏃 run a darn good mile
🤳 doom scroll before your next meeting
🖥️ or onboard Expel
That's right. The onboarding even includes time to validate the connection within Expel Workbench™ and to test the connection. Watch the full demo and follow along! expel.com/blog/how-to-...
How to onboard with Expel in 7 minutes (No, really. We'll show you.)
See with your own eyes how Expel MDR is up and running in less than seven minutes, from API connection to immediate protection.
expel.com
June 6, 2025 at 7:47 PM