Cyber Threat Intelligence
Daily threat reporting, custom software, and remote tech help from a veteran-owned (SDVOSB) studio.
Updated most weekdays
The Feed
Latest Threat Intelligence

Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls
Unit 42 reported a Vidar stealer and XMRig campaign using malvertising, fake cracked-software lures, misleading certificate metadata, oversized binaries, and commodity loader infrastructure. Here is what SMBs and government contractors should take away.

ADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity Infrastructure
Mandiant shows how ADFS certificate drift and Machine DPAPI can expose active signing keys. Here is what SMBs and government contractors should do now.

UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.

FortiBleed Shows Firewall Credentials Are Ransomware Fuel
SOCRadar linked the FortiBleed FortiGate credential-harvesting campaign to INC and Lynx ransomware operations. Here is what SMBs and government contractors should do next.

NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure
The FBI and industry partners disrupted NetNut and the Popa botnet. Here is why residential proxy abuse matters for SMBs, government contractors, and defenders.

Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel
Sophos CTU reports that Vect and TeamPCP have linked ransomware deployment with supply-chain credential theft. Here is what SMBs and government contractors should harden now.

Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes
Ousaban’s Spain and Portugal campaign shows how banking trojans use geofencing, phishing PDFs, steganography, and daily-changing C2 to evade sandbox-heavy defenses.

NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue
CVE-2026-54161 in Network UPS Tools upsmon shows why UPS monitoring, notification scripts, and power-infrastructure control paths need patching, segmentation, and process monitoring.

ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane
Cisco Talos uncovered ARToken, an EvilTokens-linked phishing-as-a-service panel built around Microsoft 365 token theft, device-code phishing, mailbox access, SharePoint operations, and BEC automation. The practical lesson: treat identity tokens, inbox rules, and cloud collaborati
More headlines

Cyber Security Blog
CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline

Cyber Security Blog
SimpleHelp Exploitation Shows RMM Is a Credential Control Plane

AI (General)
Leaky iOS AI Apps Show Mobile AI Needs Real API Gateways

Cyber Security Blog
Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access

Chinese Cyber Threat Intelligence
Water Systems Are Becoming Nation-State Pressure Points

Cyber Security Blog
Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation
Browse by category
Beyond the feed
Bulwark Black also builds
All services →Websites & Web Apps
Fast, clean marketing sites and custom web apps built for your business, not a template you have to fight. Designed, built, and deployed by the person who will maintain it.
Custom iOS Apps
Native iPhone and iPad apps built for businesses and published to the App Store. From a focused single-purpose tool to a full product, designed, developed, and shipped end to end.
AI & Automation
Practical AI setup and quiet automation that saves you real hours. We pick the right tools, wire them into how you actually work, and skip the hype when it does not fit.
Small-Business IT + Cybersecurity
Right-sized IT support and security fundamentals for small teams, delivered remotely. Backups that actually restore, hardened accounts, and someone honest to call.
Shipped · iOS
VA Disability Calc & Track
BVA-accurate combined-rating math, 900+ diagnostic codes, an encrypted document vault, and fully offline operation. Built and shipped for real users.
You may have missed

Shai Hulud Shows CI/CD Identity Is Production Cloud Identity
Fortinet’s Shai Hulud case study shows how poisoned CI/CD dependencies can become cloud identity compromise, IAM escalation, and Redshift data theft. Here is what SMBs and government contractors should harden now.

Clean Repos Can Still Burn Developer Machines When AI Agents Trust Runtime Setup
A clean-looking repository can still become dangerous when an AI coding agent follows setup instructions and executes runtime-fetched configuration. Here is how teams should defend developer workflows.

Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure
CVE-2026-20253 shows why Splunk and other SIEM platforms need tier-zero hardening: patch quickly, restrict management access, review service accounts, and hunt for suspicious file writes.

NAIC Breach Shows Why PeopleSoft Internet Exposure Needs Immediate Review
NAIC’s PeopleSoft-linked breach is a practical warning for SMBs and government contractors: patch CVE-2026-35273, restrict administrative endpoints, and hunt for attacker staging before extortion begins.
Newsletter
The Bulwark Brief.
Cyber threat intel, AI, and tech worth your attention, what we're tracking that day, with a "why it matters" line on every item. Most weekdays. No fluff.
