Since early 2025, TDR has focused on tracking Silver Fox, a China-based intrusion set. Originally known for financially motivated attacks, the group has been shifting toward more sophisticated, APT-style operations since at least 2024. This dual focus reflects a broader…
Category: Sekoia.io Blog
Shadow IT: The Initial Access You Didn’t Log
In multiple incident response engagements over the past few years, one detail keeps repeating: the first compromised system wasn’t the one the SOC was watching. It wasn’t visible in the EDR console, it wasn’t tracked in the CMDB, and it…
Sekoia achieves SOC2 compliance
Today, we are pleased to celebrate a major achievement for Sekoia with the attainment of the SOC2 Type 1 certification for its entire infrastructure. In this blog post, we’ll explain the journey to this high-end certification. What is the SOC2…
OysterLoader Unmasked: The Multi-Stage Evasion Loader
Introduction OysterLoader, also known as Broomstick and CleanUp, is a malware developed in C++, composed of multiple stages, belonging to the loader (a.k.a. downloader) malware family. First reported in June 2024 by Rapid7, it is mainly distributed via websites…
Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
This post was originally distributed as a private FLINT report to our customers on 6 January 2026. Introduction In November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a widespread malware distribution campaign leveraging…
Leveraging Landlock telemetry for Linux detection engineering
Introduction During our daily tracking and analysis routine at Sekoia TDR team (Threat Detection & Research), we are always searching for new relevant detection opportunities on various perimeters. Given the predominance of Linux-based systems on the server side, we decided…
Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant
In the third part of our series ‘Advent of Configuration Extraction’, we dissect a lightweight Linux backdoor that is derived from an open-source backdoor called TinySHell. It is designed to provide silent, persistent remote access to compromised servers. The malware…
Sekoia.io Strengthens Collective Cyber Defense at NATO CCDCOE’s Crossed Swords 2025 Exercise
Sekoia.io delivered its technology and expertise to the NATO CCDCOE’s Crossed Swords 2025 (XS25) exercise to gather critical insights and validate our defensive capabilities in a military-grade environment. Hosted by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in…
Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader
In the third part of our series “Advent of Configuration Extraction”, we dissect SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on Linux systems. To extract the SNOWLIGHT configuration, and specifically the Command and Control…
Mandating Security by Design: Sekoia’s Blueprint for the EU Cyber Resilience Act
Introduction The European Union (EU) continues to solidify its cybersecurity landscape through ambitious, horizontal regulations. In addition to the NIS 2 Directive and the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA) establishes a comprehensive framework aimed at…
Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration
In the second part of our “Advent of Configuration Extraction” series, we unwrap QuasarRAT, a popular .NET remote access trojan (RAT), and show how to extract its encrypted configuration out of the binary. The article begins by detailing the environment:…
French NGO Reporters Without Borders targeted by Calisto in recent campaign
Some portions of this article were first distributed as a private report to our customers in June 2025. In May and June 2025, TDR team analysts were contacted by two organisations — including the French NGO Reporters Without Borders (RSF)…
Advent of Configuration Extraction – Part 1: Pipeline Overview – First Steps with Kaiji Configuration Unboxing
This article is the opening chapter of a four-part Advent of Configuration Extraction series. The series outlines the methodology we employ at Sekoia’s Threat Detection & Research (TDR) team to automate the extraction of malware configuration data, from initial analysis…
Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers
This article was originally distributed as a private report to our customers. Table of contents Introduction From Hotels to Guests: the First Breach Malicious emails ClickFix infection chain Step 1: redirection steps Step 2: ClickFix tactic Step 3: malware delivery…
TransparentTribe targets Indian military organisations with DeskRAT
This post was originally distributed as a private FLINT report to our customers on 14 October 2025. It contains a complete list of IOCs, YARA rules, and a chapter dedicated to detection and hunting opportunities specific to this infection chain.…
Decoding UserAuthenticationMethod in Microsoft 365 audit logs: the bitfield mapping
This undocumented field of sign-in events is a bitfield where each bit represents a different authentication method. The following publication, Decoding UserAuthenticationMethod in Microsoft 365 audit logs: the bitfield mapping, is an article from the Sekoia.io Blog. This article has been…
Inside Sekoia.io Hackathon 2025 – Innovating together for customer satisfaction
Last month, the Sekoia.io Tech & Product teams decamped to southern Brittany for our 2025 internal Hackathon. Over three intense days, seven self-organized squads took on one mission: deliver measurable, customer-centric enhancements to the AI-SOC platform. From faster page loads…
Defrosting PolarEdge’s Backdoor
This post was originally distributed as a private FLINT report to our customers on 15 July 2025. Introduction In early 2025, we published a blogpost reporting on a botnet we dubbed PolarEdge, first detected in January 2025, when our honeypots…
Silent Smishing: The Hidden Abuse of Cellular Router APIs
This article was originally distributed as a private report to our customers. Introduction The monitoring and analysis of vulnerability exploitations are among the primary responsibilities of Sekoia.io’s Threat Detection & Research (TDR) team. Using our honeypots, we monitor traffic…