Empowering the Ecosystem: MISP’s 2025 Progress and the Open Source Future

In 2025, the MISP project hit its stride with the transition to the 2.5 branch, delivering a major UI/UX overhaul and modernized background processing to enhance platform performance. This progress was bolstered by significant updates to satellite projects, including taxonomies, objects, galaxy, misp-modules, misp-guard, and SkillAegis, ensuring that 2026 will be full of new surprises for both contributors and users as the ecosystem evolves.

Furthermore, the project is pushing forward with deep integrations into open source external tooling such as rulezet.org for rule management, FlowIntel for streamlined case management, and the newly launched CTI-Transmute.org service to ensure seamless CTI format interoperability. Central to this journey is our unwavering commitment to
a pure open-source approach and our vibrant community, ensuring that the project provides the autonomy and digital sovereignty necessary for users to control their own threat intelligence.

@misp
@circl

🔗 https://www.misp-project.org/2025/12/31/misp.2025-welcome-2026.html/

#cti #opensource #threatintel #threatintelligence #cybersecurity

Empowering the Ecosystem: MISP’s 2025 Progress and the Open Source Future

In 2025, the MISP project hit its stride with the transition to the 2.5 branch, delivering a major UI/UX overhaul and modernized background processing to enhance platform performance. This progress was bolstered by significant updates to satellite projects, including taxonomies, objects, galaxy, misp-modules, misp-guard, and SkillAegis, ensuring that 2026 will be full of new surprises for both contributors and users as the ecosystem evolves.

Furthermore, the project is pushing forward with deep integrations into open source external tooling such as rulezet.org for rule management, FlowIntel for streamlined case management, and the newly launched CTI-Transmute.org service to ensure seamless CTI format interoperability. Central to this journey is our unwavering commitment to
a pure open-source approach and our vibrant community, ensuring that the project provides the autonomy and digital sovereignty necessary for users to control their own threat intelligence.

@misp
@circl

🔗 https://www.misp-project.org/2025/12/31/misp.2025-welcome-2026.html/

#cti #opensource #threatintel #threatintelligence #cybersecurity

@GossiTheDog

off trendmicro-update[.]com i'm also giving the hairy eyeball to

update-fortinet[.]com

a year older, but same-ish fingerprint, and up until yesterday showing an A record connected to Stark.

195.16.74[.]58

trendmicro-update had moved to Linode from a Stark IP at 45.12.134[.]94

registrar: HostingConcepts / registrar[.]eu
NS: site-dns[.]com, previously openprovider[.]nl/be/eu

full pDNS and domain records for both domains (zipped CSVs):

https://drive.google.com/file/d/1cpfeBR5qCoOvDvXEp4fgR7pZlpXfIVW7/view?usp=sharing

#threatintel

GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.

🔗 https://www.greynoise.io/blog/credential-based-campaign-cisco-palo-alto-networks-vpn-gateways

#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel

Looking to replace my Mandiant//Google Threat Intel feed as they are price jacking like they're Broadcom, trying to upsell me on something at 10x price. Any recommendations?

#threatintel

I am urgently looking for work. My unemployment ends soon and my family is approaching eviction. With Christmas near and kids in the house, the pressure has become extremely difficult. I’ve been interviewing since September and reached multiple final rounds, but have not secured a role yet.

I have over 15 years of experience in Cyber Threat Intelligence, OSINT, Social Engineering, Security Engineering, Vulnerability Management, and detection rule development. I’ve built CTI programs, developed Python automation, improved workflows, supported investigations, and authored Practical Social Engineering. I hold a US patent for a cybersecurity reconnaissance system.

I can support Sales and Sales Engineering teams as a subject matter expert when needed, adding technical depth and threat context to customer conversations. I also write white papers, blogs, and podcast material and speak regularly on security topics. Locally, I am a USCCA certified firearms instructor.

I am open to full time roles or contract work. Referrals and introductions are deeply appreciated as Christmas approaches.

#OpenToWork #Cybersecurity #JobSearch #ThreatIntel #OSINT #TechJobs

Ohh I like this... Aikdo has presented a more detailed analysis of the early steps for the Shai Hulud 2.0 worm.

Attempting to map what steps the original threat actor took to gain a foothold. Useful stuff IMHO

https://www.aikido.dev/blog/shai-hulud-2-0-unknown-wonderer-supply-chain-attack

#Infosec #Cybersecurity #ThreatIntel

In last 24-36 hrs we've seen high volume of queries to the domain perferctdmng[.]is that is attributed to the #Mirai Botnet.

Poland, the Netherlands, and Germany are among the top countries that queries are originating. The domain was submitted to us by our #threatintel partners #Ticura and #ThreatConnect.

I am urgently looking for work. My unemployment ends soon and my family is approaching eviction. With Christmas near and kids in the house, the pressure has become extremely difficult. I’ve been interviewing since September and reached multiple final rounds, but have not secured a role yet.

I have over 15 years of experience in Cyber Threat Intelligence, OSINT, Social Engineering, Security Engineering, Vulnerability Management, and detection rule development. I’ve built CTI programs, developed Python automation, improved workflows, supported investigations, and authored Practical Social Engineering. I hold a US patent for a cybersecurity reconnaissance system.

I can support Sales and Sales Engineering teams as a subject matter expert when needed, adding technical depth and threat context to customer conversations. I also write white papers, blogs, and podcast material and speak regularly on security topics. Locally, I am a USCCA certified firearms instructor.

I am open to full time roles or contract work. Referrals and introductions are deeply appreciated as Christmas approaches.

#OpenToWork #Cybersecurity #JobSearch #ThreatIntel #OSINT #TechJobs

Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

Here is a short blog about the campaign and actor, including involved domains and IPs.

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

#InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

GlassWorm has resurfaced with 24 malicious extensions posing as popular developer tools across Visual Studio Marketplace and Open VSX. The campaign uses Rust implants, Solana-based C2, and inflated download stats to slip harmful updates into trusted environments.

This wave shows how supply-chain attacks continue evolving by blending seamlessly into developer workflows.

What protections do you think dev ecosystems should prioritize next?

Follow us for consistent, unbiased cybersecurity coverage.

#infosec #glassworm #supplychainsecurity #devsecops #vscode #openvsx #malware #threatintel #securityresearch #technadu

In last 24-36 hrs we've seen high volume of queries to the domain perferctdmng[.]is that is attributed to the #Mirai Botnet.

Poland, the Netherlands, and Germany are among the top countries that queries are originating. The domain was submitted to us by our #threatintel partners #Ticura and #ThreatConnect.

GlassWorm has resurfaced with 24 malicious extensions posing as popular developer tools across Visual Studio Marketplace and Open VSX. The campaign uses Rust implants, Solana-based C2, and inflated download stats to slip harmful updates into trusted environments.

This wave shows how supply-chain attacks continue evolving by blending seamlessly into developer workflows.

What protections do you think dev ecosystems should prioritize next?

Follow us for consistent, unbiased cybersecurity coverage.

#infosec #glassworm #supplychainsecurity #devsecops #vscode #openvsx #malware #threatintel #securityresearch #technadu

Infoblox published a fantastic writeup of a recent widespread phishing/Evilginx campaign against universities. As the article notes, discovering the entire attack surface is very difficult. I recommend all academic institutions have a look for these indicators.

#ThreatIntel #ThreatIntelligence

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

Ohh I like this... Aikdo has presented a more detailed analysis of the early steps for the Shai Hulud 2.0 worm.

Attempting to map what steps the original threat actor took to gain a foothold. Useful stuff IMHO

https://www.aikido.dev/blog/shai-hulud-2-0-unknown-wonderer-supply-chain-attack

#Infosec #Cybersecurity #ThreatIntel

Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

Here is a short blog about the campaign and actor, including involved domains and IPs.

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

#InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

Threat intel is utterly impossible. Look at this. All from a fake browser update. One person, just clicking on a website causes all of this. How do you create a threat model for this shit?

https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html?m=1

#threatintel #blueteam

New research out from @DomainTools Investigations today!

We took time to pull apart the "Charming Kitten" data dump and analyze it accordingly.

Always fascinating to me how different the threat actor groups can be both domestically and regionally. In APT35's case, much more militarily regimented, versus hybrid "state startup waterfall" or "criminal-state merge blend" setups.

#infosec #cybersecurity #threatintel

https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/