Archive

When the Dash Hits the Fan: Artificial Intelligence Exposes the Homoglyph Hustle

September 17, 2025 It began with an unassuming executable named calendaromatic.exe. At first glance, it appeared to be a harmless desktop application wrapped in a friendly calendar UI.

Automating CloudFront C2 with AI – Reduce Errors & Save Time

August 27, 2025 A well-known red team tactic for blending Command-and-Control (C2) traffic in with legitimate network traffic involves utilizing Amazon Web Services (AWS) CloudFront redirectors to mas…

Prompt Injection: The AI Vulnerability We Still Can’t Fix

August 13, 2025 Where It All Started The Artificial Intelligence (AI) industry is approaching a peculiar anniversary.

GRITREP: Observed Malicious Driver Use Associated with Akira SonicWall Campaign

August 5, 2025 Bottom-Line Up Front (BLUF): We have observed Akira affiliates exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall ab…

The Birth and Death of “LoopyTicket” – Our Story on CVE-2025-33073

June 27, 2025 Sometimes the best discoveries happen when you’re not even looking for them.

Breaking Basta: Insights from Black Basta’s Leaked Ransomware Chats

March 6, 2025 Key Takeaways During the period covered by the Black Basta leaked chat logs (18 September 2023 – 28 September 2024), we observed the following We observed at least 47 cryptocurrency wa…

RansomHub Affiliate leverages Python-based backdoor

January 15, 2025 In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints.

Update from the Trenches

Ivanti CSA Investigation/Detection Details – October 9, 2024 Authors: Rui Ataide, Andrew Nelson, and Hermes Bojaxhi GuidePoint Security has recently been engaged on several incidents related to f…

SCCM Exploitation: Evading Defenses and Moving Laterally with SCCM Application Deployment

June 20, 2024 TL;DR: Compromise of an SCCM administrator account can easily lead to compromise of every machine managed by SCCM.

BianLian GOs for PowerShell After TeamCity Exploitation

March 8, 2024 Contributors: Justin Timothy, Threat Intelligence Consultant, Gabe Renfro, DFIR Advisory Consultant, Keven Murphy, DFIR Principal Consultant Introduction Ever since Avast released a decr…

Tunnel Vision: CloudflareD AbuseD in the WilD

August 3, 2023 Introduction Across the cybersecurity community, defenders are constantly finding threat actors using novel and innovative techniques to further their exploitation efforts against targe…

GuidePoint Security researcher discovers vulnerability in the integrity of common HMI client-server protocol

December 1, 2022 What if you could no longer trust the critical process values displayed on your HMI screen? Executive Summary When operating an Industrial Control System (ICS), the operator relies on…