Skip to content
Bulwark Black Bulwark Black

Cyber Threat Intelligence

Daily threat reporting, custom software, and remote tech help from a veteran-owned (SDVOSB) studio.

Updated most weekdays

The Feed

Latest Threat Intelligence

Cyber Security Blog
Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls
Cyber Security Blog·

Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls

Unit 42 reported a Vidar stealer and XMRig campaign using malvertising, fake cracked-software lures, misleading certificate metadata, oversized binaries, and commodity loader infrastructure. Here is what SMBs and government contractors should take away.

Cyber Security Blog
ADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity Infrastructure
Cyber Security Blog·

ADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity Infrastructure

Mandiant shows how ADFS certificate drift and Machine DPAPI can expose active signing keys. Here is what SMBs and government contractors should do now.

Chinese Cyber Threat Intelligence
UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
Chinese Cyber Threat Intelligence·

UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure

Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.

Cyber Security Blog
FortiBleed Shows Firewall Credentials Are Ransomware Fuel
Cyber Security Blog·

FortiBleed Shows Firewall Credentials Are Ransomware Fuel

SOCRadar linked the FortiBleed FortiGate credential-harvesting campaign to INC and Lynx ransomware operations. Here is what SMBs and government contractors should do next.

Cyber Security Blog
NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure
Cyber Security Blog·

NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure

The FBI and industry partners disrupted NetNut and the Popa botnet. Here is why residential proxy abuse matters for SMBs, government contractors, and defenders.

Cyber Security Blog
Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel
Cyber Security Blog·

Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel

Sophos CTU reports that Vect and TeamPCP have linked ransomware deployment with supply-chain credential theft. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes
Cyber Security Blog·

Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes

Ousaban’s Spain and Portugal campaign shows how banking trojans use geofencing, phishing PDFs, steganography, and daily-changing C2 to evade sandbox-heavy defenses.

Cyber Security Blog
NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue
Cyber Security Blog·

NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue

CVE-2026-54161 in Network UPS Tools upsmon shows why UPS monitoring, notification scripts, and power-infrastructure control paths need patching, segmentation, and process monitoring.

Cyber Security Blog
ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane
Cyber Security Blog·

ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane

Cisco Talos uncovered ARToken, an EvilTokens-linked phishing-as-a-service panel built around Microsoft 365 token theft, device-code phishing, mailbox access, SharePoint operations, and BEC automation. The practical lesson: treat identity tokens, inbox rules, and cloud collaborati

Newsletter

The Bulwark Brief.

Cyber threat intel, AI, and tech worth your attention, what we're tracking that day, with a "why it matters" line on every item. Most weekdays. No fluff.