Threat Hunting

Analysis of a device code phishing operation built on the open-source GraphSpy tool, extended with a custom phish page generator and Cloudflare tunnel infrastructure, found via an exposed open directory and unauthenticated operator panel.

A deep dive into Device Code Lab, a professional grade, device code phishing platform, with numerous defense evasion and post-exploitation features.

Uncovering an undocumented Microsoft 365 account takeover panel using Evilginx API integration for easy token reuse and account compromise.

A deep dive into a newly discovered C2 framework, Nexus C2 — its features, operational flaws, and the implications of AI-generated malware in the wild.

A look at hunting C2 frameworks in the wild, including identifying a previously unknown C2 framework.

A follow-up investigation mapping 1,337 phishing URLs across 326 workers.dev hostnames, confirming a PhaaS multi-tenant architecture, encrypted client-side payloads, and new lure variants targeting Adobe, DocuSign, and Outlook branding.

Uncovering a phishing campaign abusing Microsoft Device Code Authentication and Cloudflare Worker Pages, with detection hunts for Entra and Microsoft 365.

A look into automating the hunt for malicious NPM packages, using AI for package review.

A look at a new phishing campaign, ConsentFix which utilises click-fix style techniques to steal auth tokens.

A walkthrough of different Token Theft Scenarios with Detections

Detecting abuse of VSCode Remote Tunnels for C2 and persistence by threat actors

How threat actors abuse Microsoft Dev Tunnels for C2 communication and detection strategies

A practical guide to implementing threat hunting in a SOC environment and moving beyond reactive detection