Expel
@expelsecurity.bsky.social
49 followers 4 following 130 posts
The leading MDR provider trusted by some of the world’s most renowned brands to expel adversaries, minimize risk, and build security resilience. 🔗 expel.com
Reposted by Expel
malwaretech.com
We encountered a unique variant of the ClickFix malware technique. The catch? The user is socially engineered into running a PowerShell script which downloads no files, makes no web requests, and embeds no payload.

Regardless, it's still able to install a malicious loader.

expel.com/blog/cache-s...
Cache smuggling: When a picture isn’t a thousand words
We recently observed an innovative campaign using the ClickFix attack tactic for cache smuggling. Here's what you need to know.
expel.com
expelsecurity.bsky.social
This technique isn't widespread yet but we've seen it before. Part 2 drops soon; we'll show you how attackers abuse a legitimate signed executable to load highly evasive shellcode.

Full analysis by Marcus Hutchins (@malwaretech.com), Principal Threat Researcher: expel.com/blog/cache-s...
expelsecurity.bsky.social
Defense recommendations:
→ Alert on unexpected processes touching browser cache
→ Restrict PowerShell to users who need it
→ Monitor for suspicious PowerShell execution patterns
→ Block newly created/newly seen domains
→ Educate users on ClickFix social engineering
expelsecurity.bsky.social
This bypasses a lot of security tools:
• No explicit file downloads to scan
• No PowerShell web requests to flag
• Just an "image" getting cached (normal behavior) and a script reading local files (also normal)

Simple. Effective. Evasive.
expelsecurity.bsky.social
The webpage fetches what claims to be an image (Content-Type: image/jpeg). Browser dutifully caches it.

Open it in a hex editor? No JPG header. Just a zip archive wrapped in those magic strings, sitting in your cache waiting to be extracted.
expelsecurity.bsky.social
Here's where it gets interesting: The PowerShell script doesn't download anything. It searches your browser's cache for data wrapped between two strings: "bTgQcBpv" and "mX6o0lBw"

That data? A zip file the page already smuggled into your cache as a fake JPG.
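As an added example (not Expel's code and not the campaign's script), a defender-side hunt for the pattern described above: it walks a browser cache directory and flags entries that carry the two delimiter strings quoted in the thread, or that contain a zip archive without a JPEG header. It assumes cache entries are readable as plain files on disk (browser-specific cache block formats are not parsed), and the sample entry it inspects is constructed inline.

```python
import io
import os
import zipfile

# Delimiters quoted in the thread; the loader script searched the cache for data between them.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"
JPEG_MAGIC = b"\xff\xd8\xff"   # what a real JPEG starts with
ZIP_MAGIC = b"PK\x03\x04"      # local file header of a zip archive


def inspect_entry(data: bytes) -> dict:
    """Classify one cache entry: real JPEG header or not, and whether it carries
    a marker-wrapped archive. Returns a findings dict used by the scanner."""
    finding = {"jpeg_header": data.startswith(JPEG_MAGIC),
               "marker_wrapped": False, "zip_names": []}
    start = data.find(START_MARKER)
    end = data.find(END_MARKER, start + len(START_MARKER)) if start != -1 else -1
    if start != -1 and end != -1:
        finding["marker_wrapped"] = True
        payload = data[start + len(START_MARKER):end]
        if payload.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    finding["zip_names"] = zf.namelist()
            except zipfile.BadZipFile:
                pass  # markers present but archive damaged: still worth a look
    # Flag if the delimiters are present, or a zip sits where an image header should be.
    finding["suspicious"] = finding["marker_wrapped"] or (
        not finding["jpeg_header"] and ZIP_MAGIC in data)
    return finding


def scan_cache_dir(path: str) -> list:
    """Walk a browser cache directory; return (file, finding) for suspicious entries."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                finding = inspect_entry(fh.read())
            if finding["suspicious"]:
                hits.append((full, finding))
    return hits


def build_sample_entry() -> bytes:
    """Constructed test data: an archive wrapped in the markers, no JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", "harmless placeholder, not a payload")
    return b"\x00" * 16 + START_MARKER + buf.getvalue() + END_MARKER + b"\x00" * 16
```

Run `scan_cache_dir()` against a copied cache directory rather than the live one, so the browser does not rewrite entries mid-scan.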
expelsecurity.bsky.social
When you click "Open File Explorer," it copies what looks like a harmless file path to your clipboard:

\Public\Support\VPN\ForticlientCompliance.exe

But 139 spaces are hiding a PowerShell command above it that your eyes never see.
expelsecurity.bsky.social
The lure pretends to be a Fortinet VPN Compliance Checker. Makes sense. Fortinet's VPN is used by enterprises, so compromising it means access to corporate networks.

The page looks unassuming. The command doesn't.
expelsecurity.bsky.social
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.

Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
expelsecurity.bsky.social
This evolution builds on our foundation of integrating actionable threat intel into daily operations. We’re accelerating our capabilities, dedicating expert resources to surface context that benefits customers and the security community.

Learn more: expel.com/intel
(7/7)
Expel Intel | Cybersecurity threat intelligence
Expel’s dedicated threat intelligence team and program, transforming real-world incident findings into actionable defense strategies.
expel.com
expelsecurity.bsky.social
We're also bringing @malwaretech.com into the mix. Marcus’ expertise in malware analysis and reverse engineering adds serious firepower to our ability to understand and counter evolving threats. 👀 Read his first blog post with Expel: expel.com/blog/cache-s...
(6/7)
expelsecurity.bsky.social
Our threat intelligence isn't academic. It’s built by operators, for operators. We share what we learn from stopping real attacks. The community gets stronger when we all learn from the same adversaries.
(5/7)
expelsecurity.bsky.social
Our approach: When our SOC identifies threats across customer environments, Expel Intel digs deeper, documents what matters, and publishes the findings. When zero-days emerge, we hunt and share results. When attack patterns shift, we explain what's happening and what to do.
(4/7)
expelsecurity.bsky.social
For years, our threat intel team has been behind the scenes turning real incidents into actionable defense strategies for our customers. We're expanding our focus to share what we're learning with the broader security community.
(3/7)
expelsecurity.bsky.social
You’ve likely seen some of our work.

👉 Added clarity around a specific trojan (ManualFinder): www.reddit.com/r/cybersecur...
👉 Distinguished BaoLoader from other malware via code-signing certificates: expel.com/blog/the-his...
👉 Investigating Latrodectus malware: x.com/ExpelSecurit...
(2/7)
expelsecurity.bsky.social
The security industry is drowning in threat feeds that don't actually help you stop attacks. We've been working to fix that for years.

Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
expelsecurity.bsky.social
50k events/day. 0.1% true positive rate. 50 real threats buried.

That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.

Start counting what matters: expel.com/blog/stop-co...
expelsecurity.bsky.social
While traditional tools may not tell the difference between a user who is compromised and one who isn’t, Expel MDR for Email can. Our email MDR coverage correlates unusual login locations, suspicious contacts, and deleted emails. Learn more: expel.com/blog/stories...
Stories from the SOC: When threats come from inside the house
MDR email coverage is more than just flagging spam to contain threats. Here's what happens when malicious emails come from within an org.
expel.com
expelsecurity.bsky.social
Your email gateway is designed to catch threats from outside. But when attackers compromise a legitimate employee account and send phishing emails internally, most detection tools fail. Internal phishing is harder to detect because the senders are trusted.
expelsecurity.bsky.social
Your email security quarantined the malicious email. 🚨📧 Victory, right?

Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
expelsecurity.bsky.social
We took public threat intelligence about "LapDogs" malware, ran it through our customer environments, and discovered compromised home routers connecting to corporate networks, including devices belonging to critical infrastructure employees.
expelsecurity.bsky.social
Chinese threat actors were building a network of SOHO routers and marking their territory with TLS certs that spoofed the LAPD.

Our threat hunters found them anyway. 🕵️
expelsecurity.bsky.social
⚠️ We’ve recently witnessed new activity in the realm of potentially unwanted programs (PUPs), which are dropping malware, executing commands, and turning your machine into someone else's proxy network.

Read our ongoing investigation here: expel.com/blog/you-don...
You don’t find ManualFinder, ManualFinder finds you
We're investigating ManualFinder, a trojan malware we're seeing in new activity, likely coming from potentially unwanted programs (PUPs).
expel.com
expelsecurity.bsky.social
(4/4)
PDF Editor with proxy: d09b667391cb6f58585ead314ad9c599

ManualFinder: 1efaffcd54fd2df44ab55023154bec9b

OneStart: 27fb60fa0e002bdb628ecf23296884d3
C2: mka3e8[.]com, y2iax5[.]com