Expel
@expelsecurity.bsky.social
Glass-box MDR that shows you exactly what we see. 24x7 SOC monitoring, comprehensive coverage across your threat landscape, and sub-20-minute MTTR on critical incidents. Your tools. Our expertise. Real protection.
🔗 expel.com
🔗 expel.com
Your analysts are drowning. You can't hire fast enough. And even if you could, the math doesn't work.
The economics of running a 24×7 SOC have changed. Use our free calculator that shows you what your team needs whether that's building, buying, or augmenting: expel.com/blog/buildin...
The economics of running a 24×7 SOC have changed. Use our free calculator that shows you what your team needs whether that's building, buying, or augmenting: expel.com/blog/buildin...
Why building a 24x7 SOC is getting harder (and what actually works instead)
The math on building an in-house SOC has changed, including the real costs, why retention is brutal, and what actually works.
expel.com
December 29, 2025 at 6:09 PM
Your analysts are drowning. You can't hire fast enough. And even if you could, the math doesn't work.
The economics of running a 24×7 SOC have changed. Use our free calculator that shows you what your team needs whether that's building, buying, or augmenting: expel.com/blog/buildin...
The economics of running a 24×7 SOC have changed. Use our free calculator that shows you what your team needs whether that's building, buying, or augmenting: expel.com/blog/buildin...
In the SOC, you get used to the noise. But a couple weeks ago, a single string cut through the noise: SHA1HULUD. It felt like seeing a ghost.
We traced the activity to a public GitHub repository where the customer's private cloud keys and secrets were exposed for anyone to grab.
We traced the activity to a public GitHub repository where the customer's private cloud keys and secrets were exposed for anyone to grab.
December 23, 2025 at 5:52 PM
In the SOC, you get used to the noise. But a couple weeks ago, a single string cut through the noise: SHA1HULUD. It felt like seeing a ghost.
We traced the activity to a public GitHub repository where the customer's private cloud keys and secrets were exposed for anyone to grab.
We traced the activity to a public GitHub repository where the customer's private cloud keys and secrets were exposed for anyone to grab.
Expel MDR now supports Panther.
We integrate with your cloud-native SIEM, bringing our detections, 24x7 monitoring, and incident response to work alongside what you've already built.
Use the tools that work for you. We'll make them work harder. expel.com/blog/more-si...
We integrate with your cloud-native SIEM, bringing our detections, 24x7 monitoring, and incident response to work alongside what you've already built.
Use the tools that work for you. We'll make them work harder. expel.com/blog/more-si...
More SIEM flexibility: Expel MDR adds support for Panther
Expel announces support for Panther's cloud-native SIEM as the latest in our long list of advanced integrations.
expel.com
December 16, 2025 at 5:51 PM
Expel MDR now supports Panther.
We integrate with your cloud-native SIEM, bringing our detections, 24x7 monitoring, and incident response to work alongside what you've already built.
Use the tools that work for you. We'll make them work harder. expel.com/blog/more-si...
We integrate with your cloud-native SIEM, bringing our detections, 24x7 monitoring, and incident response to work alongside what you've already built.
Use the tools that work for you. We'll make them work harder. expel.com/blog/more-si...
⚠️ Attackers are buying Google Ads that appear when looking up how to troubleshoot your Mac. The ad takes you to a shared ChatGPT chat that tells you to copy-paste some code. You've just executed malware.
Kroll has a solid write-up on the mechanics: www.kroll.com/en/publicati...
Kroll has a solid write-up on the mechanics: www.kroll.com/en/publicati...
December 9, 2025 at 5:50 PM
⚠️ Attackers are buying Google Ads that appear when looking up how to troubleshoot your Mac. The ad takes you to a shared ChatGPT chat that tells you to copy-paste some code. You've just executed malware.
Kroll has a solid write-up on the mechanics: www.kroll.com/en/publicati...
Kroll has a solid write-up on the mechanics: www.kroll.com/en/publicati...
Part two of our QTR, Q3 2025 just dropped: malware disguised as apps that actually work.
BaoLoader hides backdoors in PDF editors and browsers. TamperedChef is a recipe app with hidden command codes. These apps function as promised, which is why users don't suspect anything.
BaoLoader hides backdoors in PDF editors and browsers. TamperedChef is a recipe app with hidden command codes. These apps function as promised, which is why users don't suspect anything.
November 6, 2025 at 4:03 PM
Part two of our QTR, Q3 2025 just dropped: malware disguised as apps that actually work.
BaoLoader hides backdoors in PDF editors and browsers. TamperedChef is a recipe app with hidden command codes. These apps function as promised, which is why users don't suspect anything.
BaoLoader hides backdoors in PDF editors and browsers. TamperedChef is a recipe app with hidden command codes. These apps function as promised, which is why users don't suspect anything.
Imagine searching for Microsoft Teams, visiting the link at the top of the results, & getting hit with malware. That's the malvertising campaign that the Rhysida ransomware gang has been running.
Expel Intel is tracking this campaign. Here's what we've uncovered: www.theregister.com/2025/10/31/r...
Expel Intel is tracking this campaign. Here's what we've uncovered: www.theregister.com/2025/10/31/r...
Ransomware gang runs ads for Microsoft Teams to pwn victims
: You click and think you're getting a download page, but get malware instead
www.theregister.com
November 5, 2025 at 3:49 PM
Imagine searching for Microsoft Teams, visiting the link at the top of the results, & getting hit with malware. That's the malvertising campaign that the Rhysida ransomware gang has been running.
Expel Intel is tracking this campaign. Here's what we've uncovered: www.theregister.com/2025/10/31/r...
Expel Intel is tracking this campaign. Here's what we've uncovered: www.theregister.com/2025/10/31/r...
Q3 2025 Threat Report is out. We analyzed thousands of real incidents across customer environments.
Here’s what stood out: 73.9% of all incidents were identity-based attacks. Up from 67.6% last quarter.
Let’s dive into the Q3 numbers 🧵
Here’s what stood out: 73.9% of all incidents were identity-based attacks. Up from 67.6% last quarter.
Let’s dive into the Q3 numbers 🧵
November 5, 2025 at 2:52 PM
Q3 2025 Threat Report is out. We analyzed thousands of real incidents across customer environments.
Here’s what stood out: 73.9% of all incidents were identity-based attacks. Up from 67.6% last quarter.
Let’s dive into the Q3 numbers 🧵
Here’s what stood out: 73.9% of all incidents were identity-based attacks. Up from 67.6% last quarter.
Let’s dive into the Q3 numbers 🧵
The Rhysida ransomware gang (formerly Vice Society) is running the same playbook as last year—buying Bing ads to deliver fake Microsoft Teams, PuTTy, and Zoom downloads.
Click the wrong sponsored result? You’ve just installed OysterLoader, their initial access malware.
Click the wrong sponsored result? You’ve just installed OysterLoader, their initial access malware.
October 31, 2025 at 2:33 PM
The Rhysida ransomware gang (formerly Vice Society) is running the same playbook as last year—buying Bing ads to deliver fake Microsoft Teams, PuTTy, and Zoom downloads.
Click the wrong sponsored result? You’ve just installed OysterLoader, their initial access malware.
Click the wrong sponsored result? You’ve just installed OysterLoader, their initial access malware.
⚠️Attackers are actively exploiting CVE-2025-59287, a recently identified vulnerability in WSUS. Successful exploitation allows an attacker to run code using SYSTEM privileges. Expel caught & contained incidents related to this in two customer environments this AM.
Details: expel.com/blog/wsus-re...
Details: expel.com/blog/wsus-re...
October 24, 2025 at 6:13 PM
⚠️Attackers are actively exploiting CVE-2025-59287, a recently identified vulnerability in WSUS. Successful exploitation allows an attacker to run code using SYSTEM privileges. Expel caught & contained incidents related to this in two customer environments this AM.
Details: expel.com/blog/wsus-re...
Details: expel.com/blog/wsus-re...
Attackers found a clever way to abuse legitimate, digitally signed software to load malware and it's working.
Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
October 23, 2025 at 4:48 PM
Attackers found a clever way to abuse legitimate, digitally signed software to load malware and it's working.
Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
Halloween might be the spookiest day in October but this month's Patch Tuesday is a close second.
175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.
But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.
But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
Patch Tuesday: October 2025 (Expel’s version)
This month, we're highlighting top critical vulnerabilities, including six zero-day vulnerabilities, and one in Cisco IOS.
expel.com
October 15, 2025 at 4:30 PM
Halloween might be the spookiest day in October but this month's Patch Tuesday is a close second.
175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.
But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.
But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.
Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
October 8, 2025 at 6:38 PM
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.
Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
The security industry is drowning in threat feeds that don't actually help you stop attacks. We've been working to fix that for years.
Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
October 8, 2025 at 1:01 PM
The security industry is drowning in threat feeds that don't actually help you stop attacks. We've been working to fix that for years.
Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
Today, we’re taking the wraps off our expanded threat intel program: Expel Intel.
(1/7)
50k events/day. 0.1% true positive rate. 50 real threats buried.
That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.
Start counting what matters: expel.com/blog/stop-co...
That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.
Start counting what matters: expel.com/blog/stop-co...
October 2, 2025 at 6:46 PM
50k events/day. 0.1% true positive rate. 50 real threats buried.
That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.
Start counting what matters: expel.com/blog/stop-co...
That's what happens when you optimize for integration count, not detection quality. Vendors brag about "300+ integrations" while analysts burn out investigating false positives.
Start counting what matters: expel.com/blog/stop-co...
Your email security quarantined the malicious email. 🚨📧 Victory, right?
Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
September 29, 2025 at 7:34 PM
Your email security quarantined the malicious email. 🚨📧 Victory, right?
Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
Not quite so. Several employees already clicked the link and installed attacker-controlled tools.
Chinese threat actors were building a network of SOHO routers and marking their territory with TLS certs that spoofed the LAPD.
Our threat hunters found them anyway. 🕵️
Our threat hunters found them anyway. 🕵️
September 25, 2025 at 5:39 PM
Chinese threat actors were building a network of SOHO routers and marking their territory with TLS certs that spoofed the LAPD.
Our threat hunters found them anyway. 🕵️
Our threat hunters found them anyway. 🕵️
⚠️ We’ve recently witnessed new activity in the realm of potentially unwanted programs (PUPs), which are dropping malware, executing commands, and turning your machine into someone else's proxy network.
Read our ongoing investigation here: expel.com/blog/you-don...
Read our ongoing investigation here: expel.com/blog/you-don...
You don’t find ManualFinder, ManualFinder finds you
We're investigating ManualFinder, a trojan malware we're seeing in new activity, likely coming from potentially unwanted programs (PUPs).
expel.com
August 22, 2025 at 11:19 PM
⚠️ We’ve recently witnessed new activity in the realm of potentially unwanted programs (PUPs), which are dropping malware, executing commands, and turning your machine into someone else's proxy network.
Read our ongoing investigation here: expel.com/blog/you-don...
Read our ongoing investigation here: expel.com/blog/you-don...
🚨 A NEW trojan on the block spotted by our threat intel team 👀
We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”
One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”
One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
August 21, 2025 at 4:29 PM
🚨 A NEW trojan on the block spotted by our threat intel team 👀
We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”
One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
We saw files with the code-signing signature “GLINT SOFTWARE SDN. BHD.” due to a JavaScript dropping “ManualFinder”
One of their signed files, a PDF editor, turns your device into a residential proxy—ew. 🧵👇
⚠️ We’ve noticed a campaign leveraging SEO poisoning to drop a small loader. If you’ve seen the lure in the watering hole, we’d love to know. A copy of the malware can be found on VirusTotal as MD5 hash 6af56c606b4ece68b4d38752e7501457.
Here’s what we’re seeing 🧵
Here’s what we’re seeing 🧵
August 1, 2025 at 9:22 PM
⚠️ We’ve noticed a campaign leveraging SEO poisoning to drop a small loader. If you’ve seen the lure in the watering hole, we’d love to know. A copy of the malware can be found on VirusTotal as MD5 hash 6af56c606b4ece68b4d38752e7501457.
Here’s what we’re seeing 🧵
Here’s what we’re seeing 🧵
Reposted by Expel
What Fortune 100s are getting wrong about cybersecurity hiring
📖 Read more: www.helpnetsecurity.com/2025/07/17/c...
#cybersecurity #cybersecuritynews #burnout #certification @expelsecurity.bsky.social
📖 Read more: www.helpnetsecurity.com/2025/07/17/c...
#cybersecurity #cybersecuritynews #burnout #certification @expelsecurity.bsky.social
What Fortune 100s are getting wrong about cybersecurity hiring - Help Net Security
New research reveals cybersecurity hiring trends for 2025, showing how rigid job requirements and low flexibility are driving talent away.
www.helpnetsecurity.com
July 17, 2025 at 7:32 AM
What Fortune 100s are getting wrong about cybersecurity hiring
📖 Read more: www.helpnetsecurity.com/2025/07/17/c...
#cybersecurity #cybersecuritynews #burnout #certification @expelsecurity.bsky.social
📖 Read more: www.helpnetsecurity.com/2025/07/17/c...
#cybersecurity #cybersecuritynews #burnout #certification @expelsecurity.bsky.social
Spotted in NYC ❎👀
Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!
Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!
June 30, 2025 at 5:20 PM
Spotted in NYC ❎👀
Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!
Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!
⚠️ We’ve been keeping a close eye on the US-Israel-Iran geopolitical situation. Many resources are providing a ton of information and data but not a lot of analysis.
Our take: things are not likely to intensify in the cyber realm.
Here's what to do and what Expel is doing:
Our take: things are not likely to intensify in the cyber realm.
Here's what to do and what Expel is doing:
What we're seeing from Iran (and what it means for you)
Here's Expel's take on what the geopolitical issues between the US, Israel, and Iran look like for the cybersecurity community to date.
expel.com
June 26, 2025 at 5:50 PM
⚠️ We’ve been keeping a close eye on the US-Israel-Iran geopolitical situation. Many resources are providing a ton of information and data but not a lot of analysis.
Our take: things are not likely to intensify in the cyber realm.
Here's what to do and what Expel is doing:
Our take: things are not likely to intensify in the cyber realm.
Here's what to do and what Expel is doing:
📂💥 When a malicious file hits your environment, every second counts.
Expel's “delete malicious file” response action enables our SOC to permanently remove a confirmed malicious file directly from an affected host, using the EDRs and security tools you already have. expel.com/blog/explore...
Expel's “delete malicious file” response action enables our SOC to permanently remove a confirmed malicious file directly from an affected host, using the EDRs and security tools you already have. expel.com/blog/explore...
Explore Expel’s auto remediations: Delete malicious file
In this series, we explore Expel's auto remediations so you understand how they work. Let's explore delete malicious file.
expel.com
June 23, 2025 at 6:04 PM
📂💥 When a malicious file hits your environment, every second counts.
Expel's “delete malicious file” response action enables our SOC to permanently remove a confirmed malicious file directly from an affected host, using the EDRs and security tools you already have. expel.com/blog/explore...
Expel's “delete malicious file” response action enables our SOC to permanently remove a confirmed malicious file directly from an affected host, using the EDRs and security tools you already have. expel.com/blog/explore...
⚠️🕷️ Scattered Spider is acting with a heightened amount of activity. We're seeing them pivot from credential harvesting to directly targeting IT help desks, using social engineering to reset passwords and bypass MFA.
Get the full 411 on Scattered Spider's heightened activity:
Get the full 411 on Scattered Spider's heightened activity:
Emerging threat: Scattered Spider’s heightened activity—here’s the 411
Threat group Scattered Spider is making headlines again as they increase targeting for financial services and insurance orgs.
expel.com
June 20, 2025 at 6:50 PM
⚠️🕷️ Scattered Spider is acting with a heightened amount of activity. We're seeing them pivot from credential harvesting to directly targeting IT help desks, using social engineering to reset passwords and bypass MFA.
Get the full 411 on Scattered Spider's heightened activity:
Get the full 411 on Scattered Spider's heightened activity: