Threat intel
Threat intel | 4 min read
Beyond alert management: How threat intelligence actually helps your SOC
We're expanding our dedicated threat intel function to provide our customers with smarter, faster threat intelligence they can use.
Rapid response | 2 min read
Security alert: WSUS remote code execution vulnerability
A critical WSUS vulnerability (CVE-2025-59287) is under active exploitation. Learn what happened, why to care, and how to protect your org.
Threat intel | 7 min read
Along for the ride: When legitimate software becomes a signed malware loader
Analyzing a highly evasive malware loader that exploits legitimate, signed Greenshot software through DLL sideloading. See our detailed technical analysis.
Threat intel | 2 min read
Patch Tuesday: October 2025 (Expel’s version)
This month, we're highlighting top critical vulnerabilities, including six zero-day vulnerabilities, and one in Cisco IOS.
Threat intel | 6 min read
Cache smuggling: When a picture isn’t a thousand words
We recently observed an innovative campaign using the ClickFix attack tactic for cache smuggling. Here's what you need to know.
Threat intel | 17 min read
The history of AppSuite: the certs of the BaoLoader developer
We're tracking the BaoLoader malware and its developer's fraudulent code-signing certificates via AppSuite-PDF and PDF editor campaigns.
Threat intel | 3 min read
Patch Tuesday: September 2025 (Expel’s version)
This month, we're highlighting top critical vulnerabilities, including an SAP S/4HANA code injection vulnerability currently being exploited.
Threat intel | 10 min read
You don’t find ManualFinder, ManualFinder finds you
We're investigating ManualFinder, a trojan we're seeing in new activity, likely coming from potentially unwanted programs (PUPs).
Threat intel | 4 min read
Patch Tuesday: August 2025 (Expel’s version)
The August 2025 edition of Patch Tuesday is live, and this month we're highlighting targeted SharePoint vulnerabilities.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q2 2025: Threat intel recap
Here's a refresher on the threat intel we shared throughout the second quarter of 2025. Catch up on what you missed.
Rapid response | 2 min read
Update on the SharePoint ToolShell vulnerability exploitation (CVE-2025-53770)
Over the weekend, a zero-day vulnerability for SharePoint 16.0.0.0 and earlier versions was targeted. Here's what you need to know.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q2 2025: Q2 by the numbers
Part I of our Quarterly Threat Report summarizes key findings and stats from Q2 of 2025. Learn what to focus on right now.
Threat intel | 3 min read
Patch Tuesday: July 2025 (Expel’s version)
The July 2025 edition of Patch Tuesday is live, and this month we're highlighting a couple of vulnerabilities in Citrix NetScaler.
Rapid response | 2 min read
Scattered Spider’s heightened activity—here’s the 411
Threat group Scattered Spider is making headlines again as they step up targeting of financial services and insurance orgs.
Threat intel | 3 min read
Are attackers retooling?
Vulnerability exploitation as an initial access vector is up year-over-year, and attackers are shifting strategies, so what gets prioritized?
Threat intel | 3 min read
Patch Tuesday: June 2025 (Expel’s version)
The June 2025 edition of Patch Tuesday is live, and this month we're highlighting a handful of Ivanti critical vulnerabilities.
Threat intel | 6 min read
Following the spiders: Investigating Latrodectus malware
Latrodectus malware is the latest infostealing malware on the market utilizing the ClickFix technique. Here's what you need to know.
Threat intel | 4 min read
Patch Tuesday (Expel’s version): May 2025
The May 2025 edition of Patch Tuesday is live, and this month we highlighted an SAP NetWeaver vulnerability Expel has seen recently.
Threat intel | 4 min read
MDR insights: Malware trends from the Q1 QTR
Dive into the malware data our SOC collected via incidents from Q1 2025. Here's what you should know, and how to defend against it.
Rapid response | 4 min read
Phishing in Teams: the new ransomware frontline
Expel's SOC has seen a spike in Microsoft Teams phishing messages. Here's what you need to know and how to stop it.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q1 2025: Cloud infrastructure trends
Volume IV of our Q1 2025 Quarterly Threat Report summarizes key findings for cloud infrastructure. Learn what to focus on right now.
Threat intel | 3 min read
Expel Quarterly Threat Report, Q1 2025: Endpoint threats
Volume III of our Q1 2025 Quarterly Threat Report summarizes key findings for endpoint threats. Learn what to focus on right now.
Threat intel | 5 min read
Expel Quarterly Threat Report, Q1 2025: Cloud-based service trends
Volume II of our Q1 2025 Quarterly Threat Report summarizes key findings for cloud-based services. Learn what to focus on right now.
Threat intel | 4 min read
Expel Quarterly Threat Report, Q1 2025: Q1 by the numbers
Volume I of our Quarterly Threat Report summarizes key findings and stats from Q1 of 2025. Learn what to focus on right now.
Rapid response | 1 min read
Security alert: CVE contract expiration and option period
The contract for the federally funded CVE program has been extended, but uncertainty remains. Here’s why it matters and what's next.
Threat intel | 4 min read
Observing Atlas Lion (part two): Winning the battle, with an eye on the war
This is part two of our series on Atlas Lion, a threat group out of Morocco that targets organizations with fraudulent gift cards.
Threat intel | 4 min read
Observing Atlas Lion (part one): Why take control when you can enroll?
Cybercrime group Atlas Lion targets orgs using gift cards. Their attacks highlight the importance of secure enrollment processes for devices.
Threat intel | 5 min read
Patch Tuesday (Expel’s version): April 2025
The April 2025 edition of Patch Tuesday is live, and this month we included PHP vulnerability data Expel has seen recently.
Threat intel | 5 min read
MDR insights: Tracking lateral movement in a Windows environment (part 2)
This is part two of a pocket guide created by Expel's SOC analysts to track and identify lateral movement within your Windows environments.
Rapid response | 2 min read
Security alert: IngressNightmare (NGINX controller for Kubernetes)
On March 24, 2025, five vulnerabilities in the Ingress NGINX controller for Kubernetes were publicly disclosed. Here's how to remediate.
Threat intel | 12 min read
Code-signing certificate abuse in the Black Basta chat leaks (and how to fight back)
Ransomware gang Black Basta's chats were recently leaked, showing how they abuse code-signing certificates. Here's how to defend against it.
Rapid response | 1 min read
Security alert: Ivanti zero-day vulnerability
Ivanti disclosed a critical zero-day vulnerability impacting multiple products. Address it immediately to prevent unauthenticated remote code execution.
Threat intel | 7 min read
MDR insights: Tracking lateral movement in a Windows environment (part I)
This is a pocket guide created by Expel's SOC analysts to track and identify anomalous lateral movement within your Windows environments.
