https://www.reddit.com/r/blueteamsec/ Thanks to @reddit2telegram and @r_channels
Beyond Borders: How Threat Intelligence Provenance Can Save Global Cybersecurity From Geopolitical Fragmentation
https://www.internetgovernance.org/2026/02/23/beyond-borders-how-threat-intelligence-provenance-can-save-global-cybersecurity-from-geopolitical-fragmentation/
https://redd.it/1rh4mvm
@r_blueteamsec
Working through a PureCoder 6 month breach on a network of systems
I did a breakdown as the hash had no VT and significant encryption and obfuscation - C2s were also unreported.
https://www.derp.ca/plog-rat-analysis/
This'll be the first in the chain, lots more to go through.
https://redd.it/1rbm2a7
@r_blueteamsec
Pre-ransomware AD discovery burst detection in Elastic/Sigma (systeminfo, nltest, net.exe) + triage workflow
Built a short lab walkthrough focused on early detection before encryption, specifically catching a discovery burst on a Windows host and triaging the resulting alerts in Elastic.
What I demonstrated:
Running common discovery commands (`systeminfo`, `nltest`, `net.exe`, `whoami`)
Reviewing the resulting Sigma-backed alerts in Elastic
Using process tree + follow-on activity to decide whether this is normal admin behavior or pre-ransomware staging
Escalating severity when user/group changes appear after discovery
https://redd.it/1rb8vmb
@r_blueteamsec
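An added example to go with the post above (not the author's lab code, nor an Elastic or Sigma artifact): a small Python detector that applies the same workflow to constructed process-creation events, i.e. counting distinct discovery binaries per host and user inside a short window, using the parent process as the triage hint, and escalating when a `net user`/`net group` modification follows the burst. The pipe-separated event layout, the five-minute window, the threshold of three distinct binaries and the list of suspicious parent images are assumptions chosen for this example.

```python
"""Discovery-burst detector over process-creation events (added example).

Events are constructed to mimic the fields a Sigma process_creation rule
keys on (Sysmon EventID 1 / Windows 4688): timestamp, host, user, parent
image, image, command line. The layout is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries typical of pre-ransomware recon (the post's list plus a few related ones).
DISCOVERY_IMAGES = {"systeminfo.exe", "nltest.exe", "net.exe", "net1.exe",
                    "whoami.exe", "ipconfig.exe", "quser.exe"}
# Parents that make a discovery burst look like initial access rather than an admin shell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# net.exe verbs that change accounts or group membership (escalation trigger).
ACCOUNT_OBJECTS = {"user", "group", "localgroup"}
ACCOUNT_VERBS = {"/add", "/delete", "/active:yes"}
BURST_WINDOW = timedelta(minutes=5)   # assumption: tune to your environment
BURST_THRESHOLD = 3                   # distinct discovery binaries per actor in the window


def parse_event(line):
    """Parse 'ts|host|user|parent|image|cmdline' into a dict (constructed format)."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def is_account_change(ev):
    """True for net.exe/net1.exe invocations that add, delete or enable users/groups."""
    if ev["image"] not in ("net.exe", "net1.exe"):
        return False
    tokens = set(ev["cmdline"].lower().split())
    return bool(tokens & ACCOUNT_OBJECTS) and bool(tokens & ACCOUNT_VERBS)


def detect(lines):
    """Return one alert per (host, user) whose discovery activity forms a burst.

    Severity: medium for a bare burst, high if any command was spawned by a
    suspicious parent, critical if an account/group change follows the burst.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    per_actor = defaultdict(list)
    for ev in events:
        # Account changes are escalation evidence, not discovery, so keep them out of the burst set.
        if ev["image"] in DISCOVERY_IMAGES and not is_account_change(ev):
            per_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in per_actor.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= BURST_WINDOW]
            distinct = sorted({e["image"] for e in window})
            if len(distinct) < BURST_THRESHOLD:
                continue
            burst_end = window[-1]["ts"]
            severity = "medium"
            if any(e["parent"] in SUSPICIOUS_PARENTS for e in window):
                severity = "high"
            # Follow-on activity: account/group changes on the same host right after the burst.
            followups = [e["cmdline"] for e in events
                         if e["host"] == host and is_account_change(e)
                         and burst_end <= e["ts"] <= burst_end + BURST_WINDOW]
            if followups:
                severity = "critical"
            alerts.append({"host": host, "user": user, "severity": severity,
                           "parents": sorted({e["parent"] for e in window}),
                           "commands": distinct, "account_changes": followups})
            break  # one alert per actor; later windows would only repeat it
    return alerts


# Constructed sample: a scripted recon burst on WS01 followed by account creation,
# and a lone admin on WS02 running two commands half an hour apart (benign).
SAMPLE_EVENTS = [
    '2026-02-20T09:01:00|WS01|jdoe|wscript.exe|systeminfo.exe|systeminfo',
    '2026-02-20T09:01:20|WS01|jdoe|wscript.exe|nltest.exe|nltest /dclist:corp',
    '2026-02-20T09:01:45|WS01|jdoe|wscript.exe|net.exe|net group "Domain Admins" /domain',
    '2026-02-20T09:02:10|WS01|jdoe|wscript.exe|whoami.exe|whoami /all',
    '2026-02-20T09:04:30|WS01|jdoe|cmd.exe|net.exe|net user svc_backup P@ssw0rd1 /add',
    '2026-02-20T09:05:00|WS01|jdoe|cmd.exe|net.exe|net localgroup administrators svc_backup /add',
    '2026-02-20T10:15:00|WS02|admin|cmd.exe|systeminfo.exe|systeminfo',
    '2026-02-20T10:30:00|WS02|admin|cmd.exe|whoami.exe|whoami',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The per-actor window plus distinct-binary count is what keeps a single `whoami` from paging anyone, while the parent image and the follow-on `net ... /add` are the two signals the post uses to separate admin housekeeping from staging; in Elastic the same logic maps to a threshold rule on the Sigma alert stream followed by a sequence query for the account change.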
Bybit exploit 12 months on: the DPRK threat continues
https://www.elliptic.co/blog/bybit-exploit-12-months-on-the-dprk-threat-continues
https://redd.it/1ratrxe
@r_blueteamsec
sage: Lightweight Agent Detection & Response (ADR) layer for AI agents — guards commands, files, and web requests
https://github.com/avast/sage
https://redd.it/1rax9xi
@r_blueteamsec
Nidhogg v2.0 - Nidhogg is a multi-functional rootkit to showcase the variety of operations that can be done from kernel space. The goal of Nidhogg is to provide an all-in-one and easy-to-use rootkit with multiple helpful functionalities for operations.
https://github.com/Idov31/Nidhogg/releases/tag/v2.0
https://redd.it/1rau9q8
@r_blueteamsec
Manage the live response file library in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint
https://learn.microsoft.com/en-us/defender-endpoint/configure-libraries-live-response
https://redd.it/1ratfm3
@r_blueteamsec
Paged Out! Feb '26 issue
https://pagedout.institute/webview.php?issue=8&page=1
https://redd.it/1raosak
@r_blueteamsec
CTO at NCSC Summary: week ending February 22nd
https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-february-e3f
https://redd.it/1ranwdw
@r_blueteamsec
The Readiness Illusion. Why Tabletop Exercises fail without TTP Replays.
https://www.lares.com/blog/ttx-and-ttp-replay-combo/
https://redd.it/1r9zl87
@r_blueteamsec
Cline CLI Compromised: Hijacked npm Package Silently Installed OpenClaw on Developer Machines
https://awesomeagents.ai/news/cline-npm-supply-chain-attack/
https://redd.it/1ra8tk6
@r_blueteamsec
Unpacking the New “Matryoshka” ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer
https://www.intego.com/mac-security-blog/matryoshka-clickfix-macos-stealer/
https://redd.it/1r6fwr7
@r_blueteamsec
A Wave of Unexplained Bot Traffic Is Sweeping the Web
https://www.wired.com/story/made-in-china-niche-websites-are-seeing-a-surge-of-mysterious-traffic-from-china/
https://redd.it/1r60mpn
@r_blueteamsec
Hunting Kerberos: Decode TGT TicketOptions with KQL
https://blog.nviso.eu/2026/02/12/capture-the-kerberos-flag-detecting-kerberos-anomalies/
https://redd.it/1r56edx
@r_blueteamsec
Inside Bashe: The Interview with the Ransomware Group Known as APT73
https://www.suspectfile.com/inside-bashe-the-interview-with-the-ransomware-group-known-as-apt73/
https://redd.it/1r5gyhd
@r_blueteamsec
CTO at NCSC Summary: week ending March 1st
https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-march-a25
https://redd.it/1rgyuig
@r_blueteamsec
Treasury Announces Public-Private Initiative to Strengthen Cybersecurity and Risk Management for AI
https://home.treasury.gov/news/press-releases/sb0395
https://redd.it/1rbgo44
@r_blueteamsec
Six More Defendants Charged in International “ATM Jackpotting” Scheme
https://www.justice.gov/opa/pr/six-more-defendants-charged-international-atm-jackpotting-scheme
https://redd.it/1ratq7u
@r_blueteamsec
The Anonymous Reverse Mapping – We need to maintain a bridge in the opposite direction; physical to virtual memory - this bridge is called the ‘reverse memory mapping’,
https://blogs.oracle.com/linux/anonymous-reverse-mapping
https://redd.it/1ray4e7
@r_blueteamsec
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks
https://research.checkpoint.com/2026/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks/
https://redd.it/1rau2sd
@r_blueteamsec
Almost Impossible: Java Deserialization Through Broken Crypto in OpenText Directory Services
https://slcyber.io/research-center/almost-impossible-java-deserialization-through-broken-crypto-in-opentext-directory-services/
https://redd.it/1raucoi
@r_blueteamsec
Silicon Valley Engineers Charged With Stealing Trade Secrets From Leading Tech Companies And Transferring Confidential Data To Unauthorized Locations, Including Iran
https://www.justice.gov/usao-ndca/pr/silicon-valley-engineers-charged-stealing-trade-secrets-leading-tech-companies-and
https://redd.it/1ranyus
@r_blueteamsec
VPN Used by US Government Failed to Stop China State-Sponsored Hackers - How Private Equity Debt Left a Leading VPN Open to Chinese Hackers - Layoffs at Pulse Secure accelerated as financial pressure mounted
https://www.bloomberg.com/news/features/2026-02-19/vpn-used-by-us-government-failed-to-stop-china-state-sponsored-hackers
https://redd.it/1rap7cq
@r_blueteamsec
Red Team Infrastructure The Full Picture: From Domain to Beacon
https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture/
https://redd.it/1r9mleh
@r_blueteamsec
Built a web proxy that fingerprints tech stacks and suggests relevant attack modules in real time
https://github.com/SIA-IOTechnology/Kittysploit-framework
https://redd.it/1r9zwfq
@r_blueteamsec
Praetorian open sourced Titus, a secrets scanner with live credential validation (Go, 450+ rules, scans binaries too)
Praetorian released Titus today as open source.
What makes it useful from a blue team perspective:
The validation feature is the most interesting part. Instead of just pattern matching and handing you a list of maybes, it can make controlled API calls to check whether detected credentials are actually live. Results come back tagged as confirmed, denied, or unknown. If you're running this against your own repos or infrastructure, that distinction between "this AWS key is live right now" vs "this was rotated two years ago" saves a lot of triage time.
It also scans binary file formats, not just plaintext. Office docs, PDFs, Jupyter notebooks, SQLite databases, and archives (zip, tar, jar, apk, ipa, etc.) with recursive extraction. Worth considering if you're auditing file shares or artifact repositories where credentials end up in places like exported spreadsheets or bundled mobile apps.
450+ detection rules covering the usual cloud providers, CI/CD tokens, SaaS API keys, database connection strings, etc. Rules are pulled from both the original Nosey Parker project and MongoDB's Kingfisher fork.
Interfaces: CLI, Go library, Burp Suite extension, and a Chrome extension (compiled to WASM). The CLI outputs SARIF, so it plugs into CI/CD pipelines if you want to run it as part of a pre-commit or scheduled scan.
Where I see this fitting for defenders:
Scheduled scanning of internal repos and file shares for credential hygiene
Validating whether secrets flagged by other tools are actually still live
Auditing binary artifacts (mobile builds, exported documents, notebook servers) that most scanners skip
CI/CD pipeline integration to catch secrets before they hit production
The rule format is the same as Nosey Parker, so if you're already maintaining custom rules for that, they carry over.
Repo: https://github.com/praetorian-inc/titus
Blog post with full details: https://www.praetorian.com/blog/titus-open-source-secret-scanner/
https://redd.it/1ra60rd
@r_blueteamsec
I built a Chrome extension that scans for malicious extensions (yes, I see the irony)
A few weeks ago I published an open-source database of malicious browser extensions that got removed from the Chrome/Edge stores. Now there's an extension that uses it.
MalExt Sentry pulls from that database and scans your installed extensions against known threats. Runs automatically every 6 hours in the background. Everything is local, no telemetry, no data collection, just a one-way fetch of the public database.
Chrome Web Store:
https://chromewebstore.google.com/detail/malext-sentry/bpohikihiogjgmebpnbgnloipjaddibe
Database repo: https://github.com/toborrm9/malicious_extension_sentry
Open to feedback if anyone tries it out.
https://redd.it/1r6gzdy
@r_blueteamsec
ClickOnceBlobber: ClickOnce AppDomainManager Injection Toolkit
https://github.com/dazzyddos/ClickOnceBlobber
https://redd.it/1r574lq
@r_blueteamsec
Tech impersonators: ClickFix and MacOS infostealers
https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/
https://redd.it/1r56cb3
@r_blueteamsec
Manipulating AI memory for profit: The rise of AI Recommendation Poisoning
https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/
https://redd.it/1r56dx1
@r_blueteamsec