Cyber Threat Intelligence
Daily threat reporting, custom software, and remote tech help from a veteran-owned (SDVOSB) studio.
Updated most weekdays
Our Software
Explore all software →This Week in Threats
Latest Threat Intelligence
Nation-State Tracking
Intelligence by Region
Russian Threat Intelligence
View all Russian intel →Russian Router Targeting Shows Why Edge Hygiene Is a Mission Requirement
A joint CISA, NSA, FBI, and allied advisory says Russian FSB Center 16 actors continue exploiting poorly configured routers. Here is what SMBs and government contractors should prioritize now.
Water Systems Are Becoming Nation-State Pressure Points
Nation-state targeting of water systems shows why exposed OT, weak credentials, remote access, and poor IT/OT segmentation remain practical business risks—not just utility-sector problems.
Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility
GTIG’s STOCKSTAY research shows how Turla blends modular .NET malware, WebSocket C2, and diplomatic targeting. Here are the defensive lessons for SMBs and government contractors.
Chinese Threat Intelligence
View all Chinese intel →Daxin and Stupig Show Why Legacy Access Paths Matter in Manufacturing Defense
Symantec and Carbon Black found China-linked Daxin active in a Taiwan high-tech manufacturing environment alongside a new pre-login SYSTEM backdoor. Here is what defenders should take from it.
Pakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic Targets
SentinelLabs reporting on rival espionage activity against Pakistani law enforcement is a reminder that public-sector portals, case systems, and citizen-data apps are strategic intelligence targets — even when they are not classified systems.
UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.
North Korean Threat Intelligence
View all North Korean intel →Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets
Microsoft linked the Mastra AI npm package compromise to North Korean actor Sapphire Sleet. Here is what SMBs and government contractors should do about AI framework supply-chain risk.
Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk
Trend Micro reports North Korea-aligned Void Dokkaebi has moved InvisibleFerret into Cython-compiled Python extension modules. For SMBs and government contractors, the real risk is developer endpoint access to CI/CD, cloud, and production secrets.
DPRK Threat Actors Leverage GitHub as Command and Control Infrastructure in Multi-Stage LNK Attacks
North Korean state-sponsored threat actors have been observed targeting South Korean organizations with a sophisticated multi-stage attack chain that abuses GitHub as command and control (C2) infrastructure. Fortinet FortiGuard Labs published research on April 2, 2026 detailing t
Iranian Threat Intelligence
View all Iranian intel →Water Systems Are Becoming Nation-State Pressure Points
Nation-state targeting of water systems shows why exposed OT, weak credentials, remote access, and poor IT/OT segmentation remain practical business risks—not just utility-sector problems.
MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline
Iran-linked MuddyWater activity shows why ransomware response needs to examine identity compromise, remote access, and adversary objectives instead of trusting the ransom note at face value.
Handala’s Cal Water Claim Shows OT Defense Starts With Segmentation
Handala’s California Water Service claim is a reminder that critical-infrastructure defense starts with proving separation between billing systems, telemetry platforms, and operational technology.
Browse by category
Beyond the feed
Bulwark Black also builds
All services →Websites & Web Apps
Fast, clean marketing sites and custom web apps built for your business, not a template you have to fight. Designed, built, and deployed by the person who will maintain it.
Custom iOS Apps
Native iPhone and iPad apps built for businesses and published to the App Store. From a focused single-purpose tool to a full product, designed, developed, and shipped end to end.
AI & Automation
Practical AI setup and quiet automation that saves you real hours. We pick the right tools, wire them into how you actually work, and skip the hype when it does not fit.
Small-Business IT + Cybersecurity
Right-sized IT support and security fundamentals for small teams, delivered remotely. Backups that actually restore, hardened accounts, and someone honest to call.
You may have missed
CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline
Citrix patched CVE-2026-8451, a NetScaler SAML IdP memory overread in the CitrixBleed family. Here is what SMBs and government contractors should do now.
SimpleHelp Exploitation Shows RMM Is a Credential Control Plane
Active exploitation of SimpleHelp CVE-2026-48558 shows why RMM platforms must be treated as privileged credential control planes, not routine support tools.
Leaky iOS AI Apps Show Mobile AI Needs Real API Gateways
A study of iOS AI chatbot apps found widespread exposure of API keys, open AI proxy access, and replayable tokens. The fix is not another client-side secret workaround; it is real backend authentication, scoped tokens, monitoring, and key isolation.
Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access
A DFIR Report case study shows how a fake ManageEngine OpManager download led from BumbleBee and AdaptixC2 to Akira ransomware. The defensive lesson: admin software downloads need control, verification, and monitoring.
Newsletter
The Bulwark Brief.
Cyber threat intel, AI, and tech worth your attention, what we're tracking that day, with a "why it matters" line on every item. Most weekdays. No fluff.