Expel
@expelsecurity.bsky.social
Glass-box MDR that shows you exactly what we see. 24x7 SOC monitoring, comprehensive coverage across your threat landscape, and sub-20-minute MTTR on critical incidents. Your tools. Our expertise. Real protection.

🔗 expel.com
Since then, we’ve continued to see and field incidents involving compromised NPM packages.

Here's the approach we've developed to identify and stop Shai Hulud activity: expel.com/blog/the-sec...
Stories from the SOC: The second coming of Shai Hulud
A new variant of the Shai Hulud worm has been discovered, and we're sharing effective approaches to remediate the threat.
expel.com
December 23, 2025 at 5:52 PM
What actually works: strict application control policies and sanctioned tools. If users need productivity apps, give them approved options—or they'll find their own.

Full threat intel recap here: expel.com/blog/expel-q...
Expel Quarterly Threat Report, Q3 2025: Threat intel recap
Here's a refresher on the threat intel we shared throughout the third quarter of 2025. Catch up on what you missed.
expel.com
November 6, 2025 at 4:03 PM
AI is making this worse. LLMs let criminals create convincing decoy applications faster than ever. The line between malware and PUPs is blurring, and it's not coming back.
November 6, 2025 at 4:03 PM
We tracked BaoLoader through code-signing certificates across dozens of companies in the US, Panama, and Malaysia. It made up 13% of all commodity malware we identified this quarter. TamperedChef had 34,000+ downloads.
November 6, 2025 at 4:03 PM
Full Q3 2025 data breakdown with incident types, attack surfaces, and industry analysis: expel.com/blog/expel-q...
Expel Quarterly Threat Report, Q3 2025: Q3 by the numbers
Part I of our Quarterly Threat Report summarizes key findings and stats from Q3 of 2025. Learn what to focus on right now.
expel.com
November 5, 2025 at 2:52 PM
Orgs seeing success with defending against identity attacks are the ones treating it as the primary battleground—with budget, priority, and controls that block attackers before compromise.

The trend is moving in the right direction, but there's still more work to do since 45.1% aren't being blocked.
November 5, 2025 at 2:52 PM
The attack surface lesson:
• Credentials → cloud services
• Malware → endpoints
• Misconfigurations → cloud infrastructure

Each surface is distinct. One defensive strategy doesn't cover all three. You need different plans for each.
November 5, 2025 at 2:52 PM
Industry breakdown shows distinct patterns:
• Manufacturing: highest total incident volume (overtook financial services)
• Healthcare: disproportionately hit by non-targeted malware
• Pharma & chemical: highest proportion of identity attacks in top 10
November 5, 2025 at 2:52 PM
Cloud infrastructure attacks remain low volume (1.1% of total incidents) but are diversifying.

Biggest increase: secret key exposure, up 7.8 percentage points from Q2 to 26.8% of cloud incidents. Keys exposed through hardcoded credentials or supply chain attacks like Shai Hulud.
November 5, 2025 at 2:52 PM
Endpoints tell a different story

Non-targeted malware dominates at 64.7% of endpoint incidents. This swung back up from 50.2% in Q2.

Attackers are still using traditional tactics—malware, compromising public-facing systems—to get onto devices.
November 5, 2025 at 2:52 PM
While identity attacks increased QoQ, 54.9% of those attacks were stopped when compromised credentials were entered—meaning controls blocked access before account takeover.

Modern identity controls (MFA, conditional access, monitoring) are working when implemented properly.
November 5, 2025 at 2:52 PM
Stay skeptical of sponsored search results. Verify downloads directly from vendor sites. We're here if you need help hunting for these indicators in your environment.

Overview of the campaign, IOCs, and file hashes: expel.com/blog/certifi...
Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
Rhysida ransomware gang has been using code-signing certificates to validate their malware campaigns repeatedly. Here's the latest.
expel.com
October 31, 2025 at 2:33 PM
The campaign is accelerating, not slowing down. It works because it exploits something security tools can't easily fix: users searching for legitimate software and trusting what looks official.
October 31, 2025 at 2:33 PM
We're tracking this across hundreds of customer environments and feeding it into our detections. When we spot these techniques, we're already hunting for early indicators in other environments—before it becomes an incident.
October 31, 2025 at 2:33 PM