Blog & Insights

The security industry has historically relied on monitoring parent-child process trees to identify malicious execution. If Microsoft Word spawns a command shell, a static rule triggers. However, advanced adversaries - particularly those operating in high-stakes financial and telecommunications sectors - are fully aware of these static registries.

Fileless malware is one of the most dangerous and evasive attack techniques. Unlike traditional malware, it leaves no files on disk; instead, it hides inside the system's own trusted processes and tools, making it nearly invisible to conventional security software. In this article, we break down how fileless and process-based attacks work, how attackers use built-in Windows utilities like PowerShell and WMI to execute malicious code entirely in memory, and what defenders need to do to detect and stop them before it's too late.

In mid-September 2025, Anthropic's Threat Intelligence team detected and disrupted a cyber espionage campaign attributed with high confidence to a Chinese state-sponsored group designated GTG-1002. It's considered the first documented AI-orchestrated cyberattack at this scale (Involving all phases of a cyber kill chain majorly done by AI). The attackers manipulated Claude Code into acting as an autonomous attack agent by social engineering it. They built a framework using Claude Code and Model Context Protocol (MCP) tools to run the attack largely without human involvement. The AI handled 80–90% of all tactical operations, including reconnaissance, vulnerability discovery, exploitation, credential harvesting, lateral movement, and data exfiltration. Human operators only stepped in at strategic decision points like approving escalation to active exploitation or authorizing final data exfiltration.

MITRE ATT&CK v19.1 introduces significant updates across the Enterprise, Mobile, and ICS domains, enhancing the framework’s ability to model modern adversary behavior. Key changes include the introduction of the new Defense Impairment tactic, the renaming of Defense Evasion to Stealth, expanded threat intelligence coverage with new threat groups, software, and campaigns, and the addition of ICS sub-techniques for greater analytical granularity. This article explores the major differences between ATT&CK v18.1 and v19.1, highlighting the impact of these changes on threat intelligence, detection engineering, and cybersecurity operations.

APC Injection had been written off as a solved issue, one for which detection existed in multiple variations; however, it has seen a resurgence since 2024 which has allowed to it cause havoc in small attacks and looks like it will only increase in importance. Process injection sits at the top of the MITRE ATT\&CK heap for the second year running. This blog talks about how it is necessary to track the newer variants of the injection method and the methods offered for the same.

Threat Research & Intelligence (TRI) team at Bloo performs profiling and ongoing monitoring of threat actors and their related campaigns to keep a track of the latest Advanced Persistent Threats (APTs). To support threat research and detection engineering, the APT tracking task includes threat actor profiling and attribution, campaign tracking and analysis, infrastructure mapping, Tactics, Techniques, and Procedures (TTPs) analysis, historical activity correlation, and geographic attribution. This tracking framework systematically captures and analyzes key parameters for each identified campaign, including the year of activity, campaign involved, malware or tools deployed by the threat actor, malware classification, targeted sectors or victims, assessed motivation, and critical Indicators of Compromise (IOCs) such as malware hashes, command-and-control (C2) infrastructure details, and associated network artifacts.

Copy Fail is a nearly decade-old Linux kernel vulnerability that allows any local user to escalate to root by exploiting an unsafe 2017 optimization in the kernel's crypto API. Most Linux distributions have patched it, but WSL2 users need to apply a manual workaround. The root cause highlights a broader problem in large open-source projects: when subsystems are maintained in isolation, dangerous cross-subsystem interactions can go unnoticed for years.

The Threat Research & Intelligence (TRI) team at Bloo conducted a structured evaluation of Linux payloads from the Metasploit Framework. The objective of this detonation & analysis is to observe how these payloads behave at runtime (specifically the local privilege escalation modules) and to collect high-quality endpoint telemetry that could directly support the Detection Engineering (DE) team.

Threat Research & Intelligence (TRI) team at Bloo performs profiling and ongoing monitoring of threat actors and their related campaigns to keep a track of the latest Advanced Persistent Threats (APTs). To support threat research and detection engineering, the APT tracking task includes threat actor profiling and attribution, campaign tracking and analysis, infrastructure mapping, Tactics, Techniques, and Procedures (TTPs) analysis, historical activity correlation, and geographic attribution. This tracking framework systematically captures and analyzes key parameters for each identified campaign, including the year of activity, campaign involved, malware or tools deployed by the threat actor, malware classification, targeted sectors or victims, assessed motivation, and critical Indicators of Compromise (IOCs) such as malware hashes, command-and-control (C2) infrastructure details, and associated network artifacts.

**RondoDox is a Mirai-based IoT botnet that emerged in mid-2025, rapidly weaponizing ~170 exploits to target routers, DVRs, and network devices across 18 architectures, the post talks about its tactics including anti-sandbox evasion, persistence via scripts and crontabs as well as its follow up on Mirai.**

Why attack the bank when you can attack the open-source library the bank's vendor's vendor depends on? AI just made deep supply chain attacks economical.

When any teenager with API access can execute attacks previously requiring nation-state resources, 'who did this' becomes nearly meaningless.

We've been saying the perimeter is dead for fifteen years while operating as if it weren't. AI vulnerability discovery just made the bluff impossible.

The 40-year shield protecting software vendors from liability becomes politically untenable when AI proves most bugs were findable all along.

Defenders use AI under audits, change management, and model risk reviews. Attackers don't. The same capability is force-multiplied for offense.

Mythos found a 27-year-old OpenBSD bug. Every line of code written under human-only review just got dramatically more dangerous.

What happens when an AI agent finds 4,000 bugs in your product in a weekend? The CVE infrastructure was built for human-scale flow rates.

When attackers find their own zero-days at scale, public CVEs become a sideshow. Here's why patch-and-pray is now structurally inadequate.

Agentic AI security tools fail without persistent memory. AI agents need structured, long-term telemetry to reason correctly.

Enterprise AI agents need persistent, structured memory to reason correctly. Telemetry is the infrastructure foundation.

Security log retention mandates vary by regulation, industry, and threat model. This reference covers what you must retain, for how long, and in what form.

Enterprise telemetry includes logs, events, metrics, and traces. Treated as exhaust, it expires. Treated as memory, it compounds.

SIEM costs rise with data volume, creating a dangerous tradeoff. Discover the full TCO of legacy SIEM and predictable-cost alternatives.

Cutting SIEM spend doesn't have to mean cutting visibility. Five strategies to reduce costs while retaining full telemetry coverage.

SIEM ingestion costs compound as data volumes grow. The pricing model creates dangerous incentives. Here is the alternative.

Security telemetry is the raw material of detection and response. Unstructured, it's noise. Here's what structure enables.

I attended Nullcon Goa 2026 this year across Day Zero and the CXO track, representing Bloo Systems. What stood out wasn’t a single “hot” exploit or a single vendor pitch – it was a consistent convergence: leaders and practitioners are no longer debating whether attacks are sophisticated; they’re debating whether our defense organizations are fast, […]

In 2026, the marketing gloss of “AI-Powered Security” has finally started to wear off, leaving organizations with a stark reality: we are no longer just managing logs; we are managing automated logic. As Agentic AI becomes a native participant in our Security Operations Centers (SOC), the decision to “AI” your SIEM is no longer a […]

Executive Summary In the ever-evolving landscape of cybersecurity, adversaries continuously refine their techniques to evade detection. One of the most challenging threats to detect is low-and-slow data exfiltration – attacks that deliberately mimic legitimate traffic patterns to avoid triggering security controls. This blog post presents a research methodology for distinguishing between legitimate TCP streams and […]

The Threat Research & Intelligence (TRI) team at Bloo conducted a structured evaluation of Windows payloads from the Metasploit Framework. The intent was not exploitation for its own sake, but defensive research to observe how these payloads behave at runtime and to collect high-quality endpoint telemetry that could directly support the  Detection Engineering (DE) team. […]

The Core Concept: Radar to Response The Micro-Doppler Effect refers to frequency modulations around the main Doppler shift caused by small periodic movements (e.g., a rotating helicopter blade). In physics, these modulations reveal a target’s unique characteristic signature. From Counter-UAV Defense to Cyber Defense My inspiration comes directly from Defense Radar Signature Analysis. In a […]

Shai Hulud 2.0 represents a paradigm shift in supply chain attack sophistication. Through analysis of 569 compromised repositories and 1,273 decoded artifacts on December 02, 2025 10:30 IST, we’ve an analysis that provides defenders with actionable intelligence, detection signatures, and mitigation strategies. Key Findings Attack Overview: How Shai Hulud 2.0 Works Shai Hulud 2.0 follows […]

Introduction This Detection engineering brief is based on the analysis of an advanced North Korean APT multi-stage malware framework (EPOINT-AES) documented in my previous blog. The malware represents a sophisticated attack chain incorporating AES-encrypted payloads, Donut-generated shellcode, AMSI bypass techniques, and memory-only execution patterns. The framework is designed for covert operations with multiple evasion techniques […]

Introduction This analysis documents a sophisticated multi-stage malware framework discovered during an investigation into North Korean Advanced Persistent Threat (APT) activities. The framework was identified as part of a broader campaign targeting critical infrastructure and high-value intelligence targets. The technical assessment in this document results from reverse engineering efforts performed on malware samples recovered from […]

The PowerShell script analyzed in this document (shell.ps1) was recovered from an unprecedented takedown operation of North Korean APT infrastructure, security researchers gained access to actual malware and operational tools used by Kimsuky/APT43. This rare opportunity allows us to analyze authentic, state-sponsored malware rather than samples collected from targeted organizations. This analysis provides insight into […]

Introduction This technical analysis is derived from the groundbreaking “APT Down, The North Korea Files” published in Phrack Magazine Issue 72. Our security team gained unprecedented access to the actual infrastructure, logs, and code of Kimsuky/APT43, a North Korean state-sponsored threat actor, following a major takedown operation. This rare opportunity to analyze real attacker […]

Executive Summary This final blog in the series focuses on advanced network detection techniques, cross-variant behavioral analysis, and validation strategies for njRAT detection rules. We provide field-ready simulation plans and operational guidance for SOC teams. High-Fidelity Network Detection for njRAT JA3/JA3S Fingerprints for njRAT Variants Collection Point: Network traffic capture at SPAN port or proxy […]

Executive Summary This blog provides operational detection engineering guidance for njRAT, focusing on high-fidelity telemetry analysis and deployable detection rules. Based on observed campaign telemetry, we present specific detection opportunities that can be implemented immediately in enterprise environments. Kill Chain Mapping (Exact Telemetry Anchors) Kill Chain Mapping Initial Access Execution Persistence Privilege Escalation Defense Evasion […]

Executive Summary njRAT remains one of the most persistent and adaptable remote access trojans in the cybercriminal ecosystem, with continued evolution in evasion techniques and targeting patterns. This blog provides a comprehensive analysis of njRAT’s threat landscape, delivery vectors, and operational evolution based on observed telemetry and campaign analysis. Current Threat Context Recent Campaigns and […]

Introduction Interlock ransomware is a Malware-As-A-Service (Maas) group which provides its affiliates with variations and evolutions of the Interlock malware. Having emerged in the late stages of 2024, it is a relatively new group to the ransomware scene. With operations similar to Lockbit but nowhere near the advertisement and self-promotion, they’ve chosen to lie low […]

This final blog in the series provides essential network detection techniques and validation strategies for Lumma Stealer. We focus on high-fidelity network indicators and practical validation approaches that can be implemented immediately. High-Fidelity Network Detection JA3 Fingerprinting Lumma’s TLS handshakes can be identified by a unique JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1. This fingerprint corresponds to specific TLS […]

In this blog, we focus on operational detection engineering guidance for Lumma Stealer, focusing on high-fidelity telemetry analysis and deployable detection rules. Based on observed campaign telemetry, we present specific detection opportunities that can be implemented immediately in enterprise environments. Kill Chain Mapping (Exact Telemetry Anchors) Initial Access Lumma Stealer’s campaigns often begin with social […]

This is a set of two CVEs which affect On-Prem Microsoft SharePoint users. Both these CVEs are a rehash of 2 recent CVEs that were disclosed in May 2025 as a part of Pwn2Own Berlin by researchers and was supposedly patched by Microsoft in its Patch Tuesday update on 9th July 2025. The original CVEs […]

In this article we talk about using Call Stacks to detect malware at a deeper level and further our understanding of malware behaviour. The reason we take this approach is to work beyond just detecting behaviour on the basis of which programs are triggered or actions are performed; but also working to determine which functions […]

This is a two-part blog series where I share my journey of turning a Windows machine into a publicly exposed honeypot designed to lure, log, and learn from real-world attackers. Whether you’re a red teamer, defender, or just curious about cybersecurity, this series gives you a close-up look at the reality of life on the […]

This is Part 2 of the “The Art of Digital Deception” series, where theory meets chaos. In this post, we go beyond the build. The honeypot was live and open to the world, and within hours, it began drawing in curious crawlers, brute-force bots, and opportunistic threat actors from across the globe. From SSH brute-forcing […]

In the rapidly evolving world of cyber threats, kernel-level rootkits continue to pose a critical challenge to system security. One such example is “KoviD,” a highly stealthy Loadable Kernel Module (LKM) rootkit for Linux Kernel version 5 and above. This blog breaks down how KoviD works, the mechanisms it abuses, and what defenders should learn […]

In today’s mobile-first world, malware authors are adapting rapidly, and few demonstrate this better than the Anatsa malware, also known as TeaBot. Disguised as legitimate utility apps and distributed through the Google Play Store, Anatsa is a dangerous Android banking trojan designed to steal credentials, hijack accounts, and perform unauthorized transactions with alarming stealth. What […]

Lumma Stealer has emerged as one of the most prolific infostealer threats in the cybercriminal ecosystem, with a 369% increase in infections from early to late 2024. This blog provides a comprehensive analysis of Lumma’s threat landscape, delivery vectors, and operational evolution based on observed telemetry and campaign analysis. Over the past year, Lumma Stealer […]

We’re delighted to welcome Sharad Sanghi to Bloo’s Strategic Advisory Board. A pioneering force in India’s tech infrastructure, he founded Netmagic in 1998, effectively building the country’s first data center, and guided it to become the leading managed cloud services provider under his leadership When you’re building a cybersecurity platform that needs to process millions […]

We’re thrilled to welcome Dr. Gaurav Raina to Bloo’s Strategic Advisory Board. A systems thinker, academic leader, and mentor to innovators, Dr. Raina brings deep expertise in networks, control theory, and large-scale systems design. When I first met Dr. Gaurav Raina, I was struck by his ability to make complex technical concepts feel human and […]

The Next Level: Memory Address Analysis In my previous article, we explored how DLL sequence analysis can detect process injection attempts. But what if we could go deeper? What if we could analyze not just which DLLs are loaded, but where in memory they’re being accessed? This is where terminal ntdll.dll memory offset analysis comes in. […]

The Problem: Why Call Stack Analysis Matters In the world of endpoint detection, we’re constantly chasing the next big thing. But sometimes, the most powerful detection capabilities are hiding in plain sight. Take Sysmon Event ID 10 (Process Access), it’s not just about which process accessed what. The real gold is in the CallTrace […]

In today’s rapidly evolving threat landscape, attackers are constantly innovating to bypass endpoint defenses. One such sophisticated method involves tampering with process creation notifications at the kernel level, leveraging Windows’ internal APIs. In particular, the `PsSetCreateProcessNotifyRoutine` function has become a tool of choice for advanced attackers aiming to disable Endpoint Detection and Response (EDR) systems. […]

Cybersecurity is an ever expanding field where more domains keep getting added as we progress with technology. These domains try to address very specific problems that may arise, for example Container Security or Application Security seek to address issues with Containers and Applications (Web/Android/iOS etc.) respectively. It is however important to remember that all of […]

I arrive at the office, make a cup of coffee and sit down to browse the latest Cybersecurity news. I have a daily brief to cover for the company where I talk about whatever is the most important, alarming or interesting news for the day. While browsing I see the mention of APT41 once again, […]

Today, in the digital world, cyber-attacks are no longer a matter of “if”, “but” “when”. Attacks happen every minute, from phishing to sophisticated ransomware campaigns. It is no longer sufficient to only respond to breaches. Cybersecurity professionals must understand “how” and “why” an attack occurs. This is where the “Cyber Kill Chain” comes into play, […]

As a Cybersecurity Analyst, staying ahead of the ever-evolving threat landscape is a non-negotiable part of the job. But in a fast-paced environment, manually looking through multiple sources for the latest cybersecurity news can be inefficient and unsustainable. That’s what sparked the idea for the “Threat Intel Automation” project: an initiative to automate the entire […]

In the previous article we covered the topic of Domain Generation Algorithm (DGA) and our subsequent efforts to detect the same using the Shannon Entropy formula by using the randomness of the characters in the domain itself to detect a suspected malicious domain. In this blog we move onto another security evil which seems to […]

At DNIF Hypercloud, a cybersecurity company processing millions of security events per second, data is at the core of everything we do. Our workloads are incredibly data-intensive, which means managing our data lake infrastructure on AWS is crucial for both performance and cost efficiency. This blog post shares the key insights and strategies that enabled […]

It’s June 16, 2025 – today, we’re launching Bloo, a cybersecurity company born from a simple but frustrating truth: Despite decades of investment in tools, platforms, and MDR services, threat detection still fails when it matters most. The Gap We See Security teams don’t struggle because they lack alerts. They struggle because they lack assurance. […]

Bloo is inspired by the defenders. The name draws from Blue Teams, those who stand guard over infrastructure, data, and people. But it also nods to Blue Ocean Strategy: a belief that the best way forward isn’t to fight in saturated markets, but to build new paths through deep innovation and clarity of purpose. And […]

One of the earliest realizations I had while working in cybersecurity is how easy it is to get trapped in the loop of ticking off tasks, closing support tickets, finishing extractor builds, or deploying detection rules. For a long time, that’s how I measured productivity: the more tasks completed, the better the team’s performance. […]

Managed Detection and Response (MDR) has become a cornerstone of modern cybersecurity, offering organizations a lifeline in the face of increasingly sophisticated attacks. However, the effectiveness of any MDR service hinges on the quality of its detections. Too often, organizations find themselves reliant on MDR providers that utilize unproven or poorly validated detections, leaving them […]

When I first got involved in detection engineering, I saw it the way most practitioners do, writing correlation rules, refining signatures, and responding to alerts. The job felt structured, almost mechanical at times. But over the years, as I spent more time analyzing real-world threats and observing how attackers operate, a persistent thought kept […]

When I first started working closely with threat intelligence, I realized how often it sits in organizations as a passive function, subscriptions to feeds, lists of indicators, and reports that get read but rarely acted upon. It felt more like a checkbox exercise than something driving real value. Over time, though, my perspective evolved. […]

In today’s world, Managed Detection and Response (MDR) has become essential for strong cybersecurity, giving organizations a way to defend themselves against increasingly complex attacks. However, the truth is that an MDR service is only as good as its detections. All too often, organizations find themselves depending on MDR providers that use unproven or poorly […]

As someone who has been navigating the cybersecurity landscape for quite some time, I’ve seen the evolution of threat detection and response firsthand. From the days of basic antivirus programs to today’s sophisticated Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) solutions, it’s clear that artificial intelligence (AI) plays a pivotal role […]

There are a few moments in your professional journey that truly shake your perspective, moments that force you to pause, rethink, and rewire your approach. For me, that moment came when we ran our first adversarial simulation exercise against our own detection content. We’ve always taken pride in the detection logic we build, […]

As AI continues to evolve, the future of security operations lies in effective collaboration between human analysts and AI systems.

Financial technology companies face unique challenges in balancing innovation with security and compliance requirements.

Effective threat detection requires more than out-of-the-box rules. Learn how to build and maintain detection rules that address real threats to your organization.

Modern enterprises face an unprecedented challenge in managing and making sense of their log data. While traditional SIEM solutions have served as the backbone of security logging for years, today’s threat landscape demands a more sophisticated approach.