CTI Analysis · Unpatched Windows Vulnerability MiniPlasma: Chaotic Eclipse Reopens cldflt.sys and Revives the Question of Microsoft Patch Durability A fifth uncoordinated public disclosure in six weeks, a PoC targeting the Windows Cloud Files Mini Filter Driver, and an extraordinary claim: the CVE-2020-17103 patch would not be present on fully patched Windows 11 and Windows…
CTI Analysis · Disclosure Doctrine The Embargo Isn’t Dead Everywhere: What the AMD-SB-7052 Disclosure Reminds Us Seven months of embargo, no leak, successful multi-actor coordination. In the middle of a series documenting the erosion of responsible disclosure, the AMD-SB-7052 case deserves to be read for what it is: a demonstration that the classical model still…
CTI Analysis · Disclosure Doctrine The Embargo Is No Longer a Protection: What AI Is Changing in Responsible Disclosure Six dnsmasq CVEs, a maintainer exhausted by the tsunami of AI-generated bug reports, and the public admission of a major doctrinal pivot. Reading a weak signal that could foreshadow the end of a model thirty years…
CTI Analysis · Critical Vulnerability BitLocker Is No Longer a Promise: What the YellowKey Case Reveals Two Windows zero-days disclosed without coordination, a researcher openly challenging Microsoft, and a phantom component in the Windows Recovery Environment whose true nature, bug or backdoor, no one can yet determine. Published May 14, 2026 Reading time 15 minutes…
Remote code execution via the Reading Pane, without user interaction Executive summary On May 12, 2026, as part of the monthly Patch Tuesday cycle, Microsoft released a fix for CVE-2026-40361, a critical use-after-free vulnerability (CWE-416) officially classified by the vendor as a “Microsoft Office Word Remote Code Execution Vulnerability” (1) (2). Researcher Haifei Li, founder…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation : first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT39 (Mandiant/Google TI, reference designation), Chafer (Symantec, CrowdStrike), REMIX KITTEN (CrowdStrike), Burgundy Sandstorm (Microsoft), Radio Serpens (ESET), COBALT HICKMAN (SecureWorks), ITG07 (IBM X-Force), TA454 (Proofpoint), Cadelspy (Symantec), Remexi (Kaspersky). Additional…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Denominations (known aliases by vendor) The group is tracked under the following denominations: APT35 (Mandiant/Google TI, reference designation), Phosphorus / Mint Sandstorm (Microsoft), TA453 (Proofpoint), Charming Kitten (ClearSky), Ballistic Bobcat (ESET), ITG18 (IBM X-Force), Yellow Garuda (PwC), NewsBeef (Kaspersky). Additional documented aliases: Ajax…
