TRACEPULSE
CVE and campaign-tied detection query packs — deploy as soon as a new CVE drops or a campaign goes active. 10 query packs · 40 queries across KQL · Sigma · XQL · SPL
Filters: All (10) · Recent CVEs (4) · Active Campaigns (6) · Threat Actors (6)
CVE-2026-41940 — cPanel Harvester Toolkit · HIGH · 2026-04-12
Harvester toolkit targeting cPanel admin panels via unauthenticated API injection. Deploys a web shell and exfiltrates hosting credentials.
CVE-2026-41823 — Exchange RCE · CRITICAL · 2026-02-18
Pre-auth remote code execution in the Exchange Server OWA component, chaining SSRF to deserialisation in the ECP endpoint.
CVE-2026-41290 — Log4Shell Variants · CRITICAL · 2026-01-05
New Log4Shell bypass variants targeting patched 2.17.1+ installations. JNDI LDAP injection via the message lookup conversion pattern.
LockBit 3.0 Ransomware — Active Campaign · HIGH · LockBit · 2026-03-01
Active LockBit 3.0 campaign leveraging PsExec lateral movement and a custom encryptor. Targets Windows and ESXi environments.
CLOP MOVEit Exploitation — Ongoing · CRITICAL · TA-584 (CLOP) · 2026-02-25
Ongoing CLOP ransomware exploitation of the MOVEit Transfer SQLi vulnerability. Data exfiltration over HTTPS to known CLOP infrastructure.
APT29 — SolarWinds Post-Exploit · CRITICAL · APT29 (Cozy Bear) · 2026-01-20
APT29 post-compromise activity on SolarWinds Orion deployments: SAML token forging, Azure AD persistence, and mailbox exfiltration.
BlackCat/ALPHV — Encryptor Deployment · HIGH · ALPHV (BlackCat) · 2026-03-30
ALPHV ransomware encryptor deployment via a Rust-based binary. Uses intermittent encryption for speed and bypasses AppLocker.
Lazarus — Crypto Bridge Heists · HIGH · Lazarus Group (HIDDEN COBRA) · 2026-04-05
Lazarus targeting cryptocurrency bridge smart contracts. Social engineering of developers followed by malicious npm packages for persistent access.
Scattered Spider — SaaS TTPs · MEDIUM · Scattered Spider (UNC3944) · 2026-03-15
Scattered Spider social-engineering campaigns targeting SaaS help desks: SIM swapping, MFA fatigue, and impersonation of IT staff.
CVE-2026-40123 — CitrixBleed · CRITICAL · 2026-02-01
Citrix ADC/Gateway buffer overflow allowing unauthenticated RCE. Mass exploitation by multiple ransomware groups for initial access.
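As an added illustration of the kind of behavioural logic behind one of these packs (this is example code written here, not a TRACEPULSE query and not part of any pack above), the following Python detector covers the MFA-fatigue tactic named in the Scattered Spider entry: a burst of denied MFA pushes for one user inside a sliding window, with a flag when an approval follows the burst. The log format, field names, the 10-minute window and the threshold of 5 denials are assumptions for illustration; the sample log lines are constructed, not captured from any tenant.

```python
"""Sliding-window MFA push-storm detector (added example; assumptions noted inline)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log: "<timestamp> <user> <mfa_result> <source_ip>".
# Illustrative lines only; the format itself is an assumption, not a product schema.
SAMPLE_LOG = """\
2026-03-15T09:00:01Z alice mfa_denied   203.0.113.10
2026-03-15T09:00:40Z alice mfa_denied   203.0.113.10
2026-03-15T09:01:12Z bob   mfa_approved 198.51.100.7
2026-03-15T09:01:55Z alice mfa_denied   203.0.113.10
2026-03-15T09:02:30Z alice mfa_denied   203.0.113.10
2026-03-15T09:03:05Z alice mfa_denied   203.0.113.10
2026-03-15T09:03:50Z alice mfa_approved 203.0.113.10
2026-03-15T09:30:00Z carol mfa_denied   192.0.2.44
2026-03-15T09:45:00Z carol mfa_denied   192.0.2.44
"""

WINDOW = timedelta(minutes=10)  # assumed sliding window for counting denials
THRESHOLD = 5                   # assumed number of denials that counts as a push storm


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose denied pushes reach `threshold` within `window`.

    Each alert records the storm boundaries, the denial count and the source IP of
    the last denial, and `approved_after` is filled in if an approval lands within
    `window` of the storm, i.e. the fatigue attempt apparently succeeded.
    """
    denials = defaultdict(deque)  # user -> timestamps of denials still inside the window
    alerts = {}                   # user -> alert dict (first storm per user only)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = parse_line(line)
        if result == "mfa_denied":
            q = denials[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop denials older than the window
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {
                    "user": user,
                    "first_denial": q[0],
                    "storm_end": ts,
                    "denied_count": len(q),
                    "source_ip": ip,
                    "approved_after": None,
                }
        elif result == "mfa_approved" and user in alerts:
            alert = alerts[user]
            if alert["approved_after"] is None and ts - alert["storm_end"] <= window:
                alert["approved_after"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises one alert: alice reaches five denials inside ten minutes (09:00:01 to 09:03:05) and then approves a push at 09:03:50, which is the case a responder should treat as a likely account compromise; carol's two denials are fifteen minutes apart, so the window expires and no alert fires. The same per-user sliding-window shape is what a KQL or SPL version of this logic would express with a time-bucketed count.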