Aaron Walton
Senior Threat Intelligence Analyst
Aaron Walton is a Senior Threat Intel Analyst at Expel, responsible for monitoring, tracking, and analyzing trends to help customers disrupt their adversaries. He’s an accomplished malware and threat researcher, frequently contributing to cybersecurity publications and conferences.
Posts by Aaron Walton
Rapid response | 1 min read
Notepad++ supply chain incident
The developer of Notepad++ disclosed an incident where actors identified a means to tamper with the delivery of automatic updates.
Rapid response | 1 min read
Security alert: Critical unauthenticated RCE vulnerabilities in Ivanti EPMM
Two zero-day command injection vulnerabilities affecting Ivanti EPMM are currently being actively exploited: CVE-2026-1281 and CVE-2026-1340.
Threat intel | 12 min read
Planned failure: Gootloader’s malformed ZIP actually works perfectly
Gootloader malware contains a deliberately malformed ZIP archive to bypass detection, but can also be identified by its unique formatting.
Rapid response | 2 min read
Active exploitation notice: React2Shell critical vulnerability (CVE-2025-55182)
A React2Shell critical vulnerability (CVE-2025-55182) is under active exploitation. Here's what you need to know and how to identify it.
Threat intel | 3 min read
Expel Quarterly Threat Report, Q3 2025: Threat intel recap
Here's a refresher on the threat intel we shared throughout the third quarter of 2025. Catch up on what you missed.
Threat intel | 4 min read
Expel Quarterly Threat Report, Q3 2025: Q3 by the numbers
Part I of our Quarterly Threat Report summarizes key findings and stats from Q3 of 2025. Learn what to focus on right now.
Threat intel | 6 min read
Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
Rhysida ransomware gang has been using code-signing certificates to validate their malware campaigns repeatedly. Here's the latest.
Rapid response | 2 min read
Security alert: WSUS remote code execution vulnerability
A critical WSUS vulnerability (CVE-2025-59287) is under active exploitation. Learn what happened, why to care, and how to protect your org.
Threat intel | 17 min read
The history of AppSuite: the certs of the BaoLoader developer
We're tracking the malware BaoLoader and their fraudulent code-signing certificates via AppSuite-PDF and PDF editor campaigns.
Threat intel | 10 min read
You don’t find ManualFinder, ManualFinder finds you
We're investigating ManualFinder, a trojan malware we're seeing in new activity, likely coming from potentially unwanted programs (PUPs).
Threat intel | 4 min read
Patch Tuesday: August 2025 (Expel’s version)
The August 2025 edition of Patch Tuesday is live, and this month we're highlighting targeted SharePoint vulnerabilities.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q2 2025: Threat intel recap
Here's a refresher on the threat intel we shared throughout the second quarter of 2025. Catch up on what you missed.
Rapid response | 2 min read
Update on the SharePoint ToolShell vulnerability exploitation (CVE-2025-53770)
Over the weekend, a zero-day vulnerability for SharePoint 16.0.0.0 and earlier versions was targeted. Here's what you need to know.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q2 2025: Q2 by the numbers
Part I of our Quarterly Threat Report summarizes key findings and stats from Q2 of 2025. Learn what to focus on right now.
Threat intel | 3 min read
Patch Tuesday: July 2025 (Expel’s version)
The July 2025 edition of Patch Tuesday is live, and this month we're highlighting a couple of vulnerabilities in Citrix NetScaler.
Rapid response | 2 min read
Security alert: Citrix NetScaler ADC and NetScaler Gateway vulnerabilities allow unauthorized access
Citrix released two vulnerabilities (CVE-2025-5777 and CVE-2025-6543) that impact NetScaler ADC and NetScaler Gateway. Here's what to know and what to do.
Rapid response | 2 min read
Scattered Spider’s heightened activity—here’s the 411
Threat group Scattered Spider is making headlines again as they increase targeting for financial services and insurance orgs.
Threat intel | 6 min read
Following the spiders: Investigating Latrodectus malware
Latrodectus malware is the latest infostealing malware on the market utilizing the ClickFix technique. Here's what you need to know.
Threat intel | 4 min read
MDR insights: Malware trends from the Q1 QTR
Dive into the malware data our SOC collected via incidents from Q1 2025. Here's what you should know, and how to defend against it.
Rapid response | 4 min read
Phishing in Teams: the new ransomware frontline
Expel's SOC has seen a spike in Microsoft Teams phishing messages. Here's what you need to know and how to stop it.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q1 2025: Cloud infrastructure trends
Volume IV of our Q1 2025 Quarterly Threat Report summarizes key findings for cloud infrastructure. Learn what to focus on right now.
Threat intel | 3 min read
Expel Quarterly Threat Report, Q1 2025: Endpoint threats
Volume III of our Q1 2025 Quarterly Threat Report summarizes key findings for endpoint threats. Learn what to focus on right now.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q1 2025: Cloud-based service trends
Volume II of our Q1 2025 Quarterly Threat Report summarizes key findings for cloud-based services. Learn what to focus on right now.
Threat intel | 4 min read
Expel Quarterly Threat Report, Q1 2025: Q1 by the numbers
Volume I of our Quarterly Threat Report summarizes key findings and stats from Q1 of 2025. Learn what to focus on right now.
Threat intel | 5 min read
Patch Tuesday (Expel’s version): April 2025
The April 2025 edition of Patch Tuesday is live, and this month we included PHP vulnerability data Expel has seen recently.
Threat intel | 12 min read
Code-signing certificate abuse in the Black Basta chat leaks (and how to fight back)
Ransomware gang Black Basta's chats were recently leaked, proving how they abuse code-signing certificates. Here's how to defend against it.
Data & research | 2 min read
It’s here: Expel’s 2025 Annual Threat Report
This year’s Annual Threat Report describes the major attack trends we saw last year, advice to safeguard your org, and predictions for 2025.
Rapid response | 1 min read
Security alert: Ivanti zero-day vulnerability
Ivanti disclosed a critical zero-day vulnerability impacting multiple products. Address it immediately to prevent unauthenticated remote code execution.
Rapid response | 1 min read
Security alert: Palo Alto Networks firewall vulnerability
Palo Alto Networks (PAN) has a critical vulnerability that needs to be patched immediately to prevent network access via the firewall management interface.
Data & research | 8 min read
MDR insights: defense against persistent threats and Oracle WebLogic CVE-2020-14882
Initial access broker (IAB) Magnet Goblin is currently targeting CVE-2020-14882 in Oracle WebLogic. Here's how to identify and stop them.
Data & research | 5 min read
Expel Quarterly Threat Report Q3 2024, volume V: Preparing for software supply chain risk
Volume V of our Q3 2024 Quarterly Threat Report focuses on preparing for software supply chain risk. Learn what to focus on right now.
Data & research | 3 min read
Expel Quarterly Threat Report Q3 2024, volume IV: Suspicious infrastructure from phishing-as-a-service (PhaaS) platforms
Volume IV of our Q3 2024 Quarterly Threat Report focuses on phishing-as-a-service (PhaaS). Learn what to focus on right now.
Data & research | 4 min read
Expel Quarterly Threat Report Q3 2024, volume III: Malware trends
Volume III of our Q3 2024 Quarterly Threat Report focuses on malware trends. Learn what to focus on right now.
Data & research | 4 min read
Expel Quarterly Threat Report Q3 2024, volume II: CAPTCHA trick or treat
Volume II of our Q3 2024 Quarterly Threat Report focuses on malicious CAPTCHAs. Learn what to focus on right now.
Data & research | 2 min read
Expel Quarterly Threat Report, volume I: Q3 2024 by the numbers
Volume I of our Quarterly Threat Report summarizes key findings and stats from Q3 of 2024. Learn what to focus on right now.
Data & research | 7 min read
MDR insights: how our SOC identified & responded to CVE-2024-3400
Learn how Expel's security operations center (SOC) identified and resolved CVE-2024-3400 for one of our customers.
Data & research | 5 min read
Expel Quarterly Threat Report Q2 2024 volume V: Latent-risk infostealing malware
Last up in our Q2 QTR series: we dig into infostealers and the importance of detecting, mitigating, and responding to this form of malware.
Data & research | 3 min read
Expel Quarterly Threat Report Q2 2024 volume IV: Phishing trends
PhaaS platforms make phishing easy. In this volume in our series, we share what these are, how they work, and how they can be counteracted.
Data & research | 5 min read
Expel Quarterly Threat Report Q2 2024 volume III: Malware infection trends
Volume III of our Quarterly Threat Report covers malware trends in Q2 of 2024. Learn what to focus on right now.
Data & research | 3 min read
Expel Quarterly Threat Report Q2 2024 volume II: Attackers advance with AI
Volume II of our Quarterly Threat Report covers how attackers are advancing with AI in Q2 of 2024. Learn what to focus on right now.
Data & research | 3 min read
Expel Quarterly Threat Report Q2 2024 volume I: Q2 by the numbers
Volume I of our Quarterly Threat Report summarizes key findings and stats from Q2 of 2024. Learn what to focus on right now.
MDR | 3 min read
How phishing threat actors are using AI: a real world example
Our phishing team intercepted an email that appears to contain AI-generated code. Here's what it can teach you.
Data & research | 3 min read
Expel Quarterly Threat Report volume V (Q1 2024): authentication bypass vulnerabilities
In volume V of our Q1 2024 QTR, we cover authentication bypass vulnerabilities. Here's what our SOC found and what you should know.
Data & research | 3 min read
Expel Quarterly Threat Report volume IV (Q1 2024): suspicious authentication sources
In volume IV of our Q1 2024 QTR, we're covering suspicious authentication sources. Take a look at what our SOC saw to learn from it.
Data & research | 2 min read
Expel Quarterly Threat Report volume III (Q1 2024): high-risk malware
Next up in our Q1 2024 QTR series, we examine high-risk malware incidents. Here's what our SOC learned, and how you can remediate.
Data & research | 2 min read
Expel Quarterly Threat Report volume II (Q1 2024): attackers and AI
Next up in our Q1 2024 QTR: check out these examples of attackers using AI to advance their goals. Learn what to focus on right now.
Data & research | 3 min read
Expel Quarterly Threat Report volume I (Q1 2024): Q1 by the numbers
Volume I of our Quarterly Threat Report summarizes key findings and stats from Q1 of 2024. Learn what to focus on right now.
Rapid response | 1 min read
Security alert: Palo Alto Networks PAN-OS GlobalProtect Command Injection Vulnerability
Palo Alto Networks disclosed that attackers are exploiting a vulnerability in PAN-OS for GlobalProtect. Here's what you need to know.
Current events | 2 min read
Patch Tuesday roundup for April 2024
The April 2024 Patch Tuesday included 150 CVEs from Microsoft and 24 CVEs from Adobe. Here’s what our team recommends to reduce exploit risk.
Rapid response | 1 min read
Security alert: XZ Linux utility backdoor
Researchers identified a backdoor into the XZ Linux utility, via supply chain compromise. Here’s what you need to know.
MDR | 3 min read
No honor among ransomware criminals
Take steps to assess your org’s security now, so you can protect yourself from ransomware gangs like BlackCat.
Current events | 2 min read
Patch Tuesday roundup for March 2024
The March 2024 Patch Tuesday included 60 CVEs from Microsoft and 68 CVEs from Apple. Here’s what our team recommends to reduce exploit risk.
Rapid response | 2 min read
Security alert: Ivanti Connect Secure and Policy Secure zero-day vulnerabilities
Ivanti Connect Secure and Policy Secure zero-day vulnerabilities are being exploited. Here's how to protect against them.
Rapid response | 2 min read
Security alert: ConnectWise ScreenConnect 23.9.8 security fix
Vulnerabilities in ConnectWise versions 23.9.7 and prior leave some ScreenConnect instances exposed to attackers. Here’s how to fix it.
Data & research | 3 min read
2024 Annual Threat Report: findings and predictions
This year’s Annual Threat Report shares the major attack trends from last year, advice to secure your org, and predictions for 2024.
Current events | 2 min read
Our top five cybersecurity predictions for 2024
Here are our top five cybersecurity predictions for 2024 from Expel experts and leadership based on trends and current events.
Rapid response | 2 min read
Security alert: Okta “support user” data theft
Okta recently determined an attacker stole user support system info in October 2023. Here’s what Okta customers need to do right now.
Data & research | 3 min read
Expel 2023 Q3 Quarterly Threat Report: the top five findings
The 2023 Q3 Quarterly Threat Report findings are based on incidents our SOC identified. Here are a few of the top trends.
Rapid response | 1 min read
Security alert: privilege escalation vulnerability in Confluence Data Center and Server, CVE-2023-22515
Here's how to mitigate a Confluence Data Center and Server vulnerability that lets attackers create admin accounts on external-facing servers.
Data & research | 2 min read
Cyberattackers evolve: the Quarterly Threat Report for Q2 2023
Our Q2 2023 Quarterly Threat Report examines the rise of commodity malware, AiTM phishing techniques, and the impact of software vulnerabilities.
Rapid response | 1 min read
Security alert: critical Fortigate remote code execution vulnerability
Get a clear breakdown of the critical Fortigate Firewall vulnerability's impact and steps you can take to reduce your risk.
Security operations | 3 min read
Security alert: MOVEit Transfer exploited vulnerability
Attackers are exploiting a vulnerability affecting all MOVEit Transfer versions to exfiltrate data and deploy ransomware.
Rapid response | 2 min read
Security alert: high-severity vulnerability affecting OpenSSL V3 and higher
Two new security flaws affect OpenSSL v3.0 and later. Learn about the vulnerabilities and why you should upgrade to v3.0.7 as soon as it's reasonable.
