Expel
@expelsecurity.bsky.social
The leading MDR provider trusted by some of the world’s most renowned brands to expel adversaries, minimize risk, and build security resilience.

🔗 expel.com
We tracked BaoLoader through code-signing certificates across dozens of companies in the US, Panama, and Malaysia. It made up 13% of all commodity malware we identified this quarter. TamperedChef had 34,000+ downloads.
November 6, 2025 at 4:03 PM
Industry breakdown shows distinct patterns:
• Manufacturing: highest total incident volume (overtook financial services)
• Healthcare: disproportionately hit by non-targeted malware
• Pharma & chemical: highest proportion of identity attacks in top 10
November 5, 2025 at 2:52 PM
Cloud infrastructure attacks remain low volume (1.1% of total incidents) but are diversifying.

Biggest increase: secret key exposure, up 7.8 percentage points from Q2 to 26.8% of cloud incidents. Keys exposed through hardcoded credentials or supply chain attacks like Shai Hulud.
November 5, 2025 at 2:52 PM
Endpoints tell a different story

Non-targeted malware dominates at 64.7% of endpoint incidents. This swung back up from 50.2% in Q2.

Attackers are still using traditional tactics—malware, compromising public-facing systems—to get onto devices.
November 5, 2025 at 2:52 PM
While identity attacks increased QoQ, 54.9% of those attacks were stopped when compromised credentials were entered—meaning controls blocked access before account takeover.

Modern identity controls (MFA, conditional access, monitoring) are working when implemented properly.
November 5, 2025 at 2:52 PM
These malicious ads don't just show up in search results. Windows 11 serves Bing ads directly in the Start menu. That "sponsored" PuTTy result with the lowercase Ts? Yeah, that won’t lead to the real PuTTy; that’ll download OysterLoader.
October 31, 2025 at 2:33 PM
⚠️Attackers are actively exploiting CVE-2025-59287, a recently identified vulnerability in WSUS. Successful exploitation allows an attacker to run code using SYSTEM privileges. Expel caught & contained incidents related to this in two customer environments this AM.

Details: expel.com/blog/wsus-re...
October 24, 2025 at 6:13 PM
When launched, the trojanized Greenshot shows a fake compliance progress bar for 3 seconds, then confirms "All compliance checks passed!"

Meanwhile, the malicious DLL loads updater.dll, which creates persistence via scheduled task and decrypts shellcode from logo.ico.
October 23, 2025 at 4:48 PM
The attack chain, continued ⛓️
↳ Indirect syscalls evade EDR hooks by calculating system call numbers from unhooked functions
↳ C2 traffic masquerading as jQuery library requests to dodge TLS inspection
October 23, 2025 at 4:48 PM
The attack chain ⛓️
↳ Cache smuggling delivers the payload
↳ DLL sideloading uses the legitimate signed Greenshot.exe to load malicious code
↳ Fake UI shows a "FortiClient compliance checker" progress bar while malware runs
October 23, 2025 at 4:48 PM
The webpage fetches what claims to be an image (Content-Type: image/jpeg). Browser dutifully caches it.

Open it in a hex editor? No JPG header. Just a zip archive wrapped in those magic strings, sitting in your cache waiting to be extracted.
October 8, 2025 at 6:38 PM
Here's where it gets interesting: The PowerShell script doesn't download anything. It searches your browser's cache for data wrapped between two strings: "bTgQcBpv" and "mX6o0lBw"

That data? A zip file the page already smuggled into your cache as a fake JPG.
October 8, 2025 at 6:38 PM
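The two posts above describe the whole cache-smuggling detection problem from the defender's side: the cache holds a "image/jpeg" response that has no JPEG header, and the payload sits between two fixed marker strings. The scanner below is an added example, not Expel's tooling. It walks a directory with a raw byte search (so it works on any browser's cache container format), reports entries whose bracketed payload starts with the zip local-file-header magic, and lists the archive members. The marker strings are the ones quoted in the post; the fixture files, directory names and function names are constructed for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Marker strings quoted in the post above. A different campaign may use different ones,
# so the scanner takes them as parameters rather than baking them in.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"
ZIP_MAGIC = b"PK\x03\x04"      # local file header that opens a zip archive
JPEG_MAGIC = b"\xff\xd8\xff"   # what a real image/jpeg body starts with


def list_zip_members(blob):
    """Member names inside a zip blob, or [] if it is not a readable archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_blob(data, start=START_MARKER, end=END_MARKER):
    """Describe the payload bracketed by the markers in one cache entry, or None if absent."""
    i = data.find(start)
    if i < 0:
        return None
    j = data.find(end, i + len(start))
    if j < 0:
        return None
    payload = data[i + len(start):j]
    is_zip = payload.startswith(ZIP_MAGIC)
    return {
        "has_jpeg_header": data.startswith(JPEG_MAGIC),  # False = claimed image type is a lie
        "payload_len": len(payload),
        "payload_is_zip": is_zip,
        "zip_members": list_zip_members(payload) if is_zip else [],
    }


def scan_cache_dir(root, max_size=50 * 1024 * 1024):
    """Walk a cache directory and report entries carrying a zip between the markers."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_size:
            continue
        result = inspect_blob(p.read_bytes())
        if result and result["payload_is_zip"]:
            result["path"] = str(p)
            findings.append(result)
    return findings


def build_sample_cache(root):
    """Constructed fixture: one ordinary image entry and one smuggled-zip entry."""
    root = Path(root)
    (root / "f_000001").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Member name taken from the clipboard lure in the thread; content is placeholder bytes.
        zf.writestr("ForticlientCompliance.exe", b"placeholder bytes, constructed fixture")
    # No JPEG header at all, just the archive between the two marker strings,
    # exactly the shape the post describes.
    (root / "f_000002").write_bytes(START_MARKER + buf.getvalue() + END_MARKER)


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: zip of {f['payload_len']} bytes, members={f['zip_members']}, "
              f"jpeg header present={f['has_jpeg_header']}")
```

Point `scan_cache_dir` at a copy of a user's browser cache directory during triage; the raw `find` does not care how the browser wraps cached bodies, and the `has_jpeg_header` field makes the Content-Type mismatch explicit in the finding.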
When you click "Open File Explorer," it copies what looks like a harmless file path to your clipboard:

\Public\Support\VPN\ForticlientCompliance.exe

But 139 spaces are hiding a PowerShell command above it that your eyes never see.
October 8, 2025 at 6:38 PM
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.

Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
October 8, 2025 at 6:38 PM
The security industry is drowning in threat feeds that don't actually help you stop attacks. We've been working to fix that for years.

Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
October 8, 2025 at 1:01 PM
50k events/day. 0.1% true positive rate. 50 real threats buried.

That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.

Start counting what matters: expel.com/blog/stop-co...
October 2, 2025 at 6:46 PM
(3/4) If you run ManualFinder in a sandbox, you get an app that actually helps find manuals. Why is this being installed by OneStart? Looking at the website, it describes a free app but no means to download the software willingly.

OneStart has been a consistently sketchy app.
August 21, 2025 at 4:29 PM
(2/4) We observed the activity due to the persistence from OneStart Browser: it made a scheduled task to run a JS file from the user’s temp directory.

Eventually, that JS reaches out to mka3e8[.]com and similar domains to download an app “ManualFinder,” also signed.
August 21, 2025 at 4:29 PM
🚨 A NEW trojan on the block spotted by our threat intel team 👀

We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”

One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
August 21, 2025 at 4:29 PM
Clicking on the “Dragons Guide” sent us to Bing instead. From Bing, we were able to view one of the several Link-pits we found. We found other sites by looking for webpages with the same “dodecadragons-guide” in the URL.
August 1, 2025 at 9:22 PM
We also found a few hosting the SEO poisoning. Here are some examples: graduatetutor[.]org, theyansweredthecall[.]com, traykin[.]com, and mediagin[.]net.

These websites are “Link-pits.” They hold a large number of pages and keywords to arrive high in search results.
August 1, 2025 at 9:22 PM
We did some digging and found a bunch of these JavaScript files. The name is always “FULL DOCUMENT.JS” but they come in a ZIP file with the name from the SEO poisoning. The ZIPs were named like the examples below.
August 1, 2025 at 9:22 PM
The JS file contains the following content.

It calls GetObject() with content that decodes to "scriptlet:http[:]//0x3e3cb218/vag"

That hex? That’s an IP address 👀 62.60.178[.]24

When the script executes, it downloads a remote payload and starts the malware infection.
August 1, 2025 at 9:22 PM
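The hex host in that scriptlet URL is one of several integer spellings of an IPv4 address that URL parsers accept (a plain decimal dword works the same way), which is why IoC matching on the dotted form alone misses it. The normaliser below is an added example, not Expel's code: it refangs the bracketed URL as the post shows it, pulls out the host and folds hex, octal and decimal literals back to dotted-quad so they can be compared against a blocklist. The sample URL is the one quoted above; function names are the example's own.

```python
import ipaddress
import re

# The defanged URL quoted in the post above, kept exactly as written there
SAMPLE_URL = "scriptlet:http[:]//0x3e3cb218/vag"

HOST_RE = re.compile(r"://([^/:?#\s]+)")


def refang(text):
    """Undo common defanging so the URL can be parsed."""
    return text.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def normalize_host(host):
    """Fold an integer-literal IPv4 host (hex, octal or decimal) to dotted-quad.

    Hostnames and already-dotted addresses are returned unchanged.
    """
    h = host.strip()
    try:
        if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", h):
            n = int(h, 16)
        elif re.fullmatch(r"0[0-7]{1,11}", h):
            n = int(h, 8)       # leading zero: URL parsers treat it as octal
        elif re.fullmatch(r"[0-9]{1,10}", h):
            n = int(h, 10)
        else:
            return h
    except ValueError:
        return h
    if n > 0xFFFFFFFF:
        return h                # does not fit an IPv4 address; leave for the caller
    return str(ipaddress.IPv4Address(n))


def extract_hosts(text):
    """All hosts in `text`, normalised; suitable for blocklist lookups."""
    return [normalize_host(m.group(1)) for m in HOST_RE.finditer(refang(text))]


if __name__ == "__main__":
    print(extract_hosts(SAMPLE_URL))   # the post's hex host, as dotted-quad
```

Run the same normalisation over both the indicator list and the observed URLs before comparing them; otherwise `0x3e3cb218` and `62.60.178.24` look like two different hosts.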
Spotted in NYC ❎👀

Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!
June 30, 2025 at 5:20 PM
In media (and cloud) we trust 🫡

Join Pierre Noel on 3rd June at #Infosec2025 for insights on overcoming common cloud transformation challenges in a changing digital media ecosystem. And don't forget to come see us at stand C85 for custom AI portraits and swag. expel.com/infosecurity...
May 27, 2025 at 6:46 PM