Skip to content

feat: CTI pipeline hunts — 2026-07-11#338

Draft
triw0lf wants to merge 1 commit into
mainfrom
feat/cti-pipeline-2026-07-11
Draft

feat: CTI pipeline hunts — 2026-07-11#338
triw0lf wants to merge 1 commit into
mainfrom
feat/cti-pipeline-2026-07-11

Conversation

@triw0lf

@triw0lf triw0lf commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Source articles

New hunts

From "GigaWiper: Anatomy of a destructive backdoor"

  • H222 — Destructive disk wipe via raw physical-drive writes and IOCTL_DISK_CREATE_DISK partition reinitialization (T1561.001, T1561.002)

From "Recovering Active ADFS Signing Keys via Machine DPAPI"

  • H223 — AD FS active token-signing key theft from machine DPAPI enabling Golden SAML forgery (T1606.002, T1552.004)

From "Cavern Manticore: Iran-Linked Modular C2 Framework"

  • H224 — Cavern Agent C2 detection via encoded HTTP protocol fingerprint (X-User-token…00, fixed URIs) (T1132.001)

From "FSB's matryoshka #3/3: Gamaredon's GammaSteel"

  • H225 — USB-triggered document collection via WMI removable-drive event subscription (T1120, T1025)

From "The Sharp Taste of Mimo'lette: Mimo targeting Craft CMS"

  • H226 — Linux residential-proxy bandwidth hijacking (proxyjacking) via proxyware ELF execution (T1496.002)

From "UAT-7810 continues building ORB networks"

  • M027 — Perimeter device acting as an ORB external-proxy relay, volumetric detection (T1090.002)

From "No Manners Here: The Gentlemen Ransomware"

  • B030 — Baseline internal SMB/NTLM authentication to surface coerced/reflected auth, CVE-2025-33073 (T1210)

Category breakdown

  • Flames: 5 · Embers: 1 · Alchemy: 1

Source articles:
- Microsoft Threat Intelligence — GigaWiper: Anatomy of a destructive backdoor (2026-07-09)
- Mandiant / Google Threat Intelligence — Recovering Active ADFS Signing Keys via Machine DPAPI (2026-07-07)
- Check Point Research — Cavern Manticore: Iran-Linked Modular C2 Framework (2026-07-06)
- Cisco Talos — UAT-7810 continues building ORB networks using new malware (2026-07-07)
- Unit 42 — No Manners Here: The Rise of The Gentlemen Ransomware (2026-07-10)
- Sekoia — FSB's matryoshka #3/3: Gamaredon's GammaSteel (2026-06-04)
- Sekoia — The Sharp Taste of Mimo'lette: Mimo targeting Craft CMS (2025-05-27)

New hunts: H222 (T1561.001/.002), H223 (T1606.002/T1552.004), H224 (T1132.001),
H225 (T1120/T1025), H226 (T1496.002), M027 (T1090.002), B030 (T1210)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant