
War Room

Shells From Above


Blog

When Your Browser Becomes the Attacker: Detecting Drive-By Script Execution in the Wild

March 11, 2026 By Justin Dolgos

Published by the RSM Defense Threat Hunting Team. Author: Justin Dolgos, Sr. Threat Hunter. MITRE ATT&CK: T1204.002 · T1059 · T1218 · T1219 · T1222

TLDR Executive Summary: Our threat hunters built a custom detection that fires the moment a browser or Windows Explorer spawns a script or suspicious executable from a user-writable directory. In a recent ...

Fake Captcha Chains – Portable Behaviors, Practical Detections, And Field Notes

October 14, 2025 By Justin Dolgos

Executive Summary: RSM Defense’s Threat Hunting Team performed a focused investigation after reviewing recent intelligence on the “Fake CAPTCHA” campaign. Our hypothesis was: “If the actor is in the environment, we may observe escaped or obfuscated PowerShell commands (for example h^t^t^p) used to download and stage payloads.” The hunt confirmed activity that occurred over a ...

Threat Hunt Report: CORNFLAKE.V3 Backdoor with Remote Code Execution Capability

September 2, 2025 By Ben McGavin

Executive Summary: This document presents the results of a targeted threat hunt conducted in search of tactics, techniques, and procedures (TTPs) associated with the CORNFLAKE.V3 backdoor. During the investigation, a backdoor with remote code execution capabilities was discovered; however, its direct connection to CORNFLAKE.V3 remains unconfirmed. The report details the ...

Threat Hunting Win: Uncovering Multi-Stage Malware from RMM Abuse

June 5, 2025 By Ben McGavin

At RSM Defense, we embrace a proactive approach to cybersecurity. Instead of waiting for alerts to trigger a response, our Threat Hunting team regularly conducts hypothesis-driven investigations. These investigations are designed to uncover subtle threats hiding within behavior that might seem legitimate. In late May 2025, our proactive approach paid off when we uncovered an ...

Securing Tomorrow: Evaluating Cyber Catastrophe

February 23, 2024 By RSM Author

On each Friday for the month of February, RSM’s Julia Polyak will be providing an article on the future of cyber-attacks and cyber-warfare, and how organizations can remain aware of emerging threats in this landscape. Please note that the views expressed in this article are opinionated and reflect the author’s perspective, and readers are encouraged to consider multiple ...

The Weakest Link: Bridging the Gap Between Tech and People

February 16, 2024 By RSM Author

On each Friday for the month of February, RSM’s Julia Polyak will be providing an article on the future of cyber-attacks and cyber-warfare, and how organizations can remain aware of emerging threats in this landscape. In the continuous struggle to keep our digital world safe and secure, it’s important to understand that behind every cyber event, there are roles that humans ...

From Borders to Bytes: Cyber as the New Global Commons

February 9, 2024 By RSM Author

On each Friday for the month of February, RSM’s Julia Polyak will be providing an article on the future of cyber-attacks and cyber-warfare, and how organizations can remain aware of emerging threats in this landscape. For many years, there has been an ongoing debate among policymakers, scholars, and international organizations on whether cyberspace should be considered a ...

Emerging Threats on the Horizon: Current Threat Intelligence Trends, Threats, and Mitigation Strategies

February 2, 2024 By RSM Author

On each Friday for the month of February, RSM’s Julia Polyak will be providing an article on the future of cyber-attacks and cyber-warfare, and how organizations can remain aware of emerging threats in this landscape. Cyber-attacks have become a persistent threat in today’s digital age. With the increasing dependence on technology in our personal and professional lives, the ...

Microsoft and HPE targeted by Cozy Bear in seemingly unrelated attacks

January 29, 2024 By Morgan Kennedy

Over the past week, Microsoft and Hewlett Packard Enterprise (HPE) disclosed successful campaigns against their organizations by the Russia-based threat actor Cozy Bear (aka Midnight Blizzard, aka APT29). Both campaigns successfully obtained access to email at both companies, including mailboxes of senior leadership and cybersecurity staff. Neither Microsoft nor HPE ...

Active Directory Certificate Services: Common Misconfigurations and Escalation Attacks

January 3, 2024 By RSM Author

Active Directory Certificate Services (AD CS) is a Microsoft product that provides public key infrastructure (PKI) functionality, including file system encryption and user authentication. AD CS integrates with Active Directory (AD) and enables the issuing of certificates, which can be used for authentication purposes. The information that is included in a certificate ...
