Expel
@expelsecurity.bsky.social
The leading MDR provider trusted by some of the world’s most renowned brands to expel adversaries, minimize risk, and build security resilience.

🔗 expel.com
What actually works: strict application control policies and sanctioned tools. If users need productivity apps, give them approved options—or they'll find their own.

Full threat intel recap here: expel.com/blog/expel-q...
Expel Quarterly Threat Report, Q3 2025: Threat intel recap
Here's a refresher on the threat intel we shared throughout the third quarter of 2025. Catch up on what you missed.
November 6, 2025 at 4:03 PM
AI is making this worse. LLMs let criminals create convincing decoy applications faster than ever. The line between malware and PUPs is blurring, and it's not coming back.
November 6, 2025 at 4:03 PM
We tracked BaoLoader through code-signing certificates across dozens of companies in the US, Panama, and Malaysia. It made up 13% of all commodity malware we identified this quarter. TamperedChef had 34,000+ downloads.
November 6, 2025 at 4:03 PM
Full Q3 2025 data breakdown with incident types, attack surfaces, and industry analysis: expel.com/blog/expel-q...
Expel Quarterly Threat Report, Q3 2025: Q3 by the numbers
Part I of our Quarterly Threat Report summarizes key findings and stats from Q3 of 2025. Learn what to focus on right now.
November 5, 2025 at 2:52 PM
Orgs seeing success with defending against identity attacks are the ones treating it as the primary battleground—with budget, priority, and controls that block attackers before compromise.

The trend is moving in the right direction but there's still more work to do since 45.1% aren't being blocked.
November 5, 2025 at 2:52 PM
The attack surface lesson:
• Credentials → cloud services
• Malware → endpoints
• Misconfigurations → cloud infrastructure

Each surface is distinct. One defensive strategy doesn't cover all three. You need different plans for each.
November 5, 2025 at 2:52 PM
Industry breakdown shows distinct patterns:
• Manufacturing: highest total incident volume (overtook financial services)
• Healthcare: disproportionately hit by non-targeted malware
• Pharma & chemical: highest proportion of identity attacks in top 10
November 5, 2025 at 2:52 PM
Cloud infrastructure attacks remain low volume (1.1% of total incidents) but are diversifying.

Biggest increase: secret key exposure, up 7.8 percentage points from Q2 to 26.8% of cloud incidents. Keys exposed through hardcoded credentials or supply chain attacks like Shai Hulud.
November 5, 2025 at 2:52 PM
Endpoints tell a different story

Non-targeted malware dominates at 64.7% of endpoint incidents. This swung back up from 50.2% in Q2.

Attackers are still using traditional tactics—malware, compromising public-facing systems—to get onto devices.
November 5, 2025 at 2:52 PM
While identity attacks increased QoQ, 54.9% of those attacks were stopped when compromised credentials were entered—meaning controls blocked access before account takeover.

Modern identity controls (MFA, conditional access, monitoring) are working when implemented properly.
November 5, 2025 at 2:52 PM
Stay skeptical of sponsored search results. Verify downloads directly from vendor sites. We're here if you need help hunting for these indicators in your environment.

Overview of the campaign, IOCs, and file hashes: expel.com/blog/certifi...
Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
Rhysida ransomware gang has been using code-signing certificates to validate their malware campaigns repeatedly. Here's the latest.
October 31, 2025 at 2:33 PM
The campaign is accelerating, not slowing down. It works because it exploits something security tools can't easily fix: users searching for legitimate software and trusting what looks official.
October 31, 2025 at 2:33 PM
We're tracking this across hundreds of customer environments and feeding it into our detections. When we spot these techniques, we're already hunting for early indicators in other environments—before it becomes an incident.
October 31, 2025 at 2:33 PM
These malicious ads don't just show up in search results. Windows 11 serves Bing ads directly in the Start menu. That "sponsored" PuTTy result with the lowercase Ts? Yeah, that won’t lead to the real PuTTY; that’ll download OysterLoader.
October 31, 2025 at 2:33 PM
They've even figured out how to abuse Microsoft's Trusted Signing service at scale despite 72-hour certificate validity designed to prevent this. Microsoft has revoked 200+ of their certificates. They keep getting new ones.
October 31, 2025 at 2:33 PM
What makes this campaign stick: they've burned through 40+ code-signing certificates to keep detection rates low. Fresh certificates = trusted by Windows. By the time AV catches up, they've moved to the next one.
October 31, 2025 at 2:33 PM
Public proof-of-concepts combined in new ways create highly evasive malware. The techniques aren't novel but the execution is.

Full technical breakdown with IOCs: expel.com/blog/along-f...
Along for the ride: When legitimate software becomes a signed malware loader
Analyzing a highly evasive malware loader that exploits legitimate, signed Greenshot software through DLL sideloading. See our detailed technical analysis.
October 23, 2025 at 4:48 PM
Defender takeaway: Signed executables aren't automatically safe. DLL sideloading + indirect syscalls + benign-looking traffic = multiple security layers bypassed.

Small changes to existing attack chains can be enough to slip through.
October 23, 2025 at 4:48 PM
The C2 server was live during investigation but never delivered a final payload—ultimate goal unclear.

Turns out this was a Red Team engagement by Intrinsec. But the techniques are real and worth understanding.
October 23, 2025 at 4:48 PM
Evasion layer 2: C2 traffic masquerading as jQuery library requests.

Commands hidden in the cookie field (__cfduid), encrypted and encoded to look like normal Cloudflare cookies. Designed to slip past TLS inspection.

GET /content/js/jquery/v3.4.3/min.js
October 23, 2025 at 4:48 PM
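As an added example (not code from the Expel post, nor from the Intrinsec engagement it describes), this Python script runs a detection heuristic over constructed proxy log lines: it flags clients whose requests to a jQuery-like path carry a __cfduid cookie that changes on every request and looks encoded, the pattern the post describes for commands tunnelled in the cookie field. The log line format, the path pattern and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed proxy log lines (not from the Expel post). Assumed format:
# <client_ip> <method> <path> cookie=<Cookie header value>
SAMPLE_LOGS = [
    "10.0.0.5 GET /content/js/jquery/v3.4.3/min.js cookie=__cfduid=ZjQ3ODk2YTJkM2IxYzE4OWU0YWI2YzA1YjJmMWE5",
    "10.0.0.5 GET /content/js/jquery/v3.4.3/min.js cookie=__cfduid=YTFiMmMzZDRlNWY2MDc4OTBhYmNkZWYxMjM0NTY3",
    "10.0.0.5 GET /content/js/jquery/v3.4.3/min.js cookie=__cfduid=OWU4ZjdhNmI1YzRkM2UyZjFhMGI5YzhkN2U2ZjVh",
    "10.0.0.7 GET /content/js/jquery/v3.4.3/min.js cookie=__cfduid=d6a1c8e2f0b4c3a19e7d5f2b8c4a6e1d",
    "10.0.0.7 GET /content/js/jquery/v3.4.3/min.js cookie=__cfduid=d6a1c8e2f0b4c3a19e7d5f2b8c4a6e1d",
    "10.0.0.9 GET /index.html cookie=session=abc123",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) cookie=(.*)$")
JQUERY_PATH_RE = re.compile(r"/jquery/.*\.js$")  # paths that look like a jQuery asset fetch

def parse_line(line):
    """Split one log line into client, path and a cookie dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, path, cookie_hdr = m.groups()
    cookies = dict(kv.split("=", 1) for kv in cookie_hdr.split("; ") if "=" in kv)
    return {"client": client, "path": path, "cookies": cookies}

def shannon_entropy(s):
    """Bits per character; encrypted/encoded blobs score high, plain words and IDs score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_cookie_beacons(lines, min_requests=2, min_entropy=3.5):
    """Flag clients whose __cfduid value differs on every jQuery-path request: a browser
    re-sends the same cookie jar for a static library, a per-request encoded value does not."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and JQUERY_PATH_RE.search(rec["path"]) and "__cfduid" in rec["cookies"]:
            seen[rec["client"]].append(rec["cookies"]["__cfduid"])
    flagged = {}
    for client, values in seen.items():
        if len(values) >= min_requests and len(set(values)) == len(values):
            avg = sum(shannon_entropy(v) for v in values) / len(values)
            if avg >= min_entropy:
                flagged[client] = {"requests": len(values), "avg_entropy": round(avg, 2)}
    return flagged
```

Run it over real proxy or TLS-inspection logs by adapting LINE_RE to their field layout; the repeating client 10.0.0.7 with a stable cookie is left alone, while 10.0.0.5 is flagged.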