Category: Sekoia.io Blog
From APT28 to RePythonNET: automating .NET malware analysis
This blogpost covers the tooling and methodology we use at TDR to reverse engineer .NET malware. In our daily work, we encounter a wide range of malware, sophisticated or not, and a significant portion of it is written in .NET.…
EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud – Part 2
A TLP:AMBER version of this post was originally distributed as a private FLINT report to our customers on 30 March 2026. Introduction As detailed in our previous blog post New widespread EvilTokens kit: device code phishing as-a-service – Part 1,…
Meet Sekoia Reveal: Turn fragmented asset data into unified SOC context
Security teams do not struggle with a lack of data. They struggle with a lack of context. Alerts fire. Vulnerabilities pile up. Suspicious activity appears across endpoints, identities, cloud services, and SaaS applications. But when every signal lives in a…
New widespread EvilTokens kit: device code phishing as-a-service – Part 1
This post was originally distributed as a private FLINT report to our customers on 25 March 2026. Introduction In March 2026, through our monitoring of phishing-focused cybercrime communities, Sekoia’s Threat Detection & Research (TDR) team uncovered EvilTokens, a new turnkey…
Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware
Since early 2025, TDR has focused on tracking Silver Fox, a China-based intrusion set. Originally known for financially motivated attacks, the group has been shifting toward more sophisticated, APT-style operations since at least 2024. This dual focus reflects a broader…
Shadow IT: The Initial Access You Didn’t Log
In multiple incident response engagements over the past few years, one detail keeps repeating: the first compromised system wasn’t the one the SOC was watching. It wasn’t visible in the EDR console, it wasn’t tracked in the CMDB, and it…
Sekoia achieves SOC2 compliance
Today, we are pleased to celebrate a major achievement for Sekoia with the attainment of the SOC2 Type 1 certification for its entire infrastructure. In this blog post, we’ll explain the journey to this high-end certification. What is the SOC2…
OysterLoader Unmasked: The Multi-Stage Evasion Loader
Introduction OysterLoader, also known as Broomstick and CleanUp, is malware developed in C++, composed of multiple stages, belonging to the loader (a.k.a. downloader) malware family. First reported in June 2024 by Rapid7, it is mainly distributed via websites…
Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
This post was originally distributed as a private FLINT report to our customers on 6 January 2026. Introduction In November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a widespread malware distribution campaign leveraging…
Leveraging Landlock telemetry for Linux detection engineering
Introduction During our daily tracking and analysis routine at Sekoia TDR team (Threat Detection & Research), we are always searching for new relevant detection opportunities on various perimeters. Given the predominance of Linux-based systems on the server side, we decided…
Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant
In the third part of our series ‘Advent of Configuration Extraction’, we dissect a lightweight Linux backdoor that is derived from an open-source backdoor called TinySHell. It is designed to provide silent, persistent remote access to compromised servers. The malware…
Sekoia.io Strengthens Collective Cyber Defense at NATO CCDCOE’s Crossed Swords 2025 Exercise
Sekoia.io delivered its technology and expertise to the NATO CCDCOE’s Crossed Swords 2025 (XS25) exercise to gather critical insights and validate our defensive capabilities in a military-grade environment. Hosted by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in…
Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader
In the third part of our series “Advent of Configuration Extraction”, we dissect SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on Linux systems. To extract the SNOWLIGHT configuration, and specifically the Command and Control…
Mandating Security by Design: Sekoia’s Blueprint for the EU Cyber Resilience Act
Introduction The European Union (EU) continues to solidify its cybersecurity landscape through ambitious, horizontal regulations. In addition to the NIS 2 Directive and the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA) establishes a comprehensive framework aimed at…
Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration
In the second part of our “Advent of Configuration Extraction” series, we unwrap QuasarRAT, a popular .NET remote access trojan (RAT), and show how to extract its encrypted configuration out of the binary. The article begins by detailing the environment:…
French NGO Reporters Without Borders targeted by Calisto in recent campaign
Some portions of this article were first distributed as a private report to our customers in June 2025. In May and June 2025, TDR team analysts were contacted by two organisations — including the French NGO Reporters Without Borders (RSF)…
Advent of Configuration Extraction – Part 1: Pipeline Overview – First Steps with Kaiji Configuration Unboxing
This article is the opening chapter of a four-part Advent of Configuration Extraction series. The series outlines the methodology we employ at Sekoia’s Threat Detection & Research (TDR) team to automate the extraction of malware configuration data, from initial analysis…