{
  "generated": "2026-07-16",
  "source": "https://bulwarkblack.com/feeds/",
  "note": "Live indicators auto-extracted from Bulwark Black threat reporting. Verify before blocking.",
  "count": 3303,
  "indicators": [
    {
      "indicator": "34603862c5086a9063e42d79fb094e8d8",
      "type": "Bitcoin Addresses",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "39uchxifap4cvgzsuirom0szrrg",
      "type": "Bitcoin Addresses",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "3d6238e465d07a71cadfe89877df6ac",
      "type": "Bitcoin Addresses",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "3k7m1n9p4q2r6s8t0v5w2x4y6z8u9",
      "type": "Bitcoin Addresses",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "0.0.0.0/0",
      "type": "CIDR",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "shai-hulud-cicd-cloud-identity-redshift-defense",
          "title": "Shai Hulud Shows CI/CD Identity Is Production Cloud Identity",
          "url": "https://bulwarkblack.com/shai-hulud-cicd-cloud-identity-redshift-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2009-2265",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2016-4437",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2017-0199",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2017-11882",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "CVE-2017-7921",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination",
          "title": "Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination",
          "url": "https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2018-0802",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-24",
      "reports": [
        {
          "slug": "chinese-apt-unsolicitedbooker-deploys-lucidoor-and-marssnake-backdoors-against-central-asian-telecoms",
          "title": "Chinese APT UnsolicitedBooker Deploys LuciDoor and MarsSnake Backdoors Against Central Asian Telecoms",
          "url": "https://bulwarkblack.com/chinese-apt-unsolicitedbooker-deploys-lucidoor-and-marssnake-backdoors-against-central-asian-telecoms/",
          "date": "2026-02-24"
        },
        {
          "slug": "xworm-rat-campaign-exploits-7-year-old-office-vulnerability-with-fileless-techniques",
          "title": "XWorm RAT Campaign Exploits 7-Year-Old Office Vulnerability with Fileless Techniques",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-7-year-old-office-vulnerability-with-fileless-techniques/",
          "date": "2026-02-13"
        },
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "CVE-2018-13379",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        },
        {
          "slug": "chapter-84-in-depth-analysis-and-technical-analysis-of-lockbit-the-top-encryption-ransomware-organization-part-1",
          "title": "Chapter 84: In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization (Part 1)",
          "url": "https://bulwarkblack.com/chapter-84-in-depth-analysis-and-technical-analysis-of-lockbit-the-top-encryption-ransomware-organization-part-1/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2020-0796",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2020-1206",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2020-1472",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-05-24",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "CVE-2020-16040",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "chinese-apt-groups-leverage-peckbirdy-javascript-c2-framework-since-2023",
          "title": "Chinese APT Groups Leverage PeckBirdy JavaScript C2 Framework Since 2023",
          "url": "https://bulwarkblack.com/chinese-apt-groups-leverage-peckbirdy-javascript-c2-framework-since-2023/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "CVE-2020-1938",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2020-22653",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "CVE-2020-22658",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "CVE-2021-22204",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "exiftool-cve-2026-3102-image-metadata-threat-model",
          "title": "ExifTool CVE-2026-3102 Shows Image Metadata Belongs in the Threat Model",
          "url": "https://bulwarkblack.com/exiftool-cve-2026-3102-image-metadata-threat-model/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "CVE-2021-24093",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2021-26855",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2021-27076",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2021-27137",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-07",
      "last_seen": "2026-06-07",
      "reports": [
        {
          "slug": "c0xmo-dd-wrt-iot-botnet-edge-exposure-defense",
          "title": "C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem",
          "url": "https://bulwarkblack.com/c0xmo-dd-wrt-iot-botnet-edge-exposure-defense/",
          "date": "2026-06-07"
        }
      ]
    },
    {
      "indicator": "CVE-2021-33044",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination",
          "title": "Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination",
          "url": "https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2021-36260",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-03-16",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        },
        {
          "slug": "iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination",
          "title": "Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination",
          "url": "https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2021-4034",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2021-43890",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "CVE-2021-44228",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "velvet-ant-operation-highland-authentication-stack-defense",
          "title": "Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure",
          "url": "https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "CVE-2021-44515",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019",
          "title": "DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019",
          "url": "https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "CVE-2022-0185",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "china-linked-group-breaches-networks-via-connectwise-f5-software-flaws",
          "title": "China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws",
          "url": "https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2022-0543",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "CVE-2022-20775",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access",
          "title": "Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access",
          "url": "https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "CVE-2022-22972",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2022-27925",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2022-30190",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "CVE-2022-3052",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "china-linked-group-breaches-networks-via-connectwise-f5-software-flaws",
          "title": "China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws",
          "url": "https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2022-38028",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2022-40684",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2022-41082",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2022-41328",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign",
          "title": "Chinese APT UNC3886 Breaches Singapore’s Four Largest Telcos in Coordinated Espionage Campaign",
          "url": "https://bulwarkblack.com/chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "CVE-2022-42475",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "CVE-2023-20198",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2023-20593",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2023-20867",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign",
          "title": "Chinese APT UNC3886 Breaches Singapore’s Four Largest Telcos in Coordinated Espionage Campaign",
          "url": "https://bulwarkblack.com/chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "CVE-2023-22518",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "china-linked-group-breaches-networks-via-connectwise-f5-software-flaws",
          "title": "China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws",
          "url": "https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2023-25717",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "CVE-2023-27350",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2023-27997",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "CVE-2023-32046",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2023-32315",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2023-33246",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        },
        {
          "slug": "hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks",
          "title": "Hackers target Apache RocketMQ servers vulnerable to RCE attacks",
          "url": "https://bulwarkblack.com/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "CVE-2023-33538",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2023-34048",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign",
          "title": "Chinese APT UNC3886 Breaches Singapore’s Four Largest Telcos in Coordinated Espionage Campaign",
          "url": "https://bulwarkblack.com/chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "CVE-2023-36884",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2023-37582",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks",
          "title": "Hackers target Apache RocketMQ servers vulnerable to RCE attacks",
          "url": "https://bulwarkblack.com/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "CVE-2023-38646",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "CVE-2023-38831",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "CVE-2023-46747",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-03-22",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        },
        {
          "slug": "china-linked-group-breaches-networks-via-connectwise-f5-software-flaws",
          "title": "China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws",
          "url": "https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2023-46805",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2023-48788",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "this-week-in-security-loop-dos-flipper-responds-and-more",
          "title": "THIS WEEK IN SECURITY: LOOP DOS, FLIPPER RESPONDS, AND MORE!",
          "url": "https://bulwarkblack.com/this-week-in-security-loop-dos-flipper-responds-and-more/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2023-50164",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "CVE-2023-51467",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "CVE-2023-6895",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination",
          "title": "Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination",
          "url": "https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2024-10470",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-11972",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-12356",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "CVE-2024-1709",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "china-linked-group-breaches-networks-via-connectwise-f5-software-flaws",
          "title": "China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws",
          "url": "https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2024-20399",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "velvet-ant-operation-highland-authentication-stack-defense",
          "title": "Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure",
          "url": "https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "CVE-2024-21412",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "CVE-2024-2169",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "this-week-in-security-loop-dos-flipper-responds-and-more",
          "title": "THIS WEEK IN SECURITY: LOOP DOS, FLIPPER RESPONDS, AND MORE!",
          "url": "https://bulwarkblack.com/this-week-in-security-loop-dos-flipper-responds-and-more/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2024-21762",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        },
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "CVE-2024-21887",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-26",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "announcing-cvemap-from-projectdiscovery",
          "title": "Announcing cvemap from ProjectDiscovery",
          "url": "https://bulwarkblack.com/announcing-cvemap-from-projectdiscovery/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "CVE-2024-23222",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "coruna-ios-exploit-kit-nation-state-spyware-tools-now-targeting-crypto-wallet-users",
          "title": "Coruna iOS Exploit Kit: Nation-State Spyware Tools Now Targeting Crypto Wallet Users",
          "url": "https://bulwarkblack.com/coruna-ios-exploit-kit-nation-state-spyware-tools-now-targeting-crypto-wallet-users/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "CVE-2024-28986",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2024-28987",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2024-28988",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2024-29510",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-3400",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-36401",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "CVE-2024-37079",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns",
          "title": "CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns",
          "url": "https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "CVE-2024-38213",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-40766",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-42057",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-43491",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-44082",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-44131",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-49035",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-50550",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-50623",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-55591",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-05-13",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        },
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "CVE-2024-57726",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-57727",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-57728",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2024-7587",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-01",
      "last_seen": "2026-02-01",
      "reports": [
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2024-8260",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-0282",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-0921",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2025-11953",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-02-13",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        },
        {
          "slug": "metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware",
          "title": "Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware",
          "url": "https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/",
          "date": "2026-02-13"
        }
      ]
    },
    {
      "indicator": "CVE-2025-14174",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-02-16",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        },
        {
          "slug": "cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks",
          "title": "CVE-2026-20700: Apple Patches First Zero-Day of 2026 After Extremely Sophisticated Targeted Attacks",
          "url": "https://bulwarkblack.com/cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "CVE-2025-14847",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2025-15467",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2025-20333",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-25",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        },
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        },
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        },
        {
          "slug": "cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access",
          "title": "Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access",
          "url": "https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "CVE-2025-20362",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-25",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        },
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        },
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        },
        {
          "slug": "cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access",
          "title": "Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access",
          "url": "https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "CVE-2025-22224",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns",
          "title": "CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns",
          "url": "https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "CVE-2025-22225",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns",
          "title": "CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns",
          "url": "https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "CVE-2025-22226",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns",
          "title": "CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns",
          "url": "https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "CVE-2025-23121",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-23304",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2025-2492",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-26399",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3052",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-31277",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "CVE-2025-31324",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-07",
      "last_seen": "2026-03-07",
      "reports": [
        {
          "slug": "sap-netweaver-critical-zero-day-cve-2025-31324-under-active-exploitation-by-initial-access-brokers",
          "title": "SAP NetWeaver Critical Zero-Day (CVE-2025-31324) Under Active Exploitation by Initial Access Brokers",
          "url": "https://bulwarkblack.com/sap-netweaver-critical-zero-day-cve-2025-31324-under-active-exploitation-by-initial-access-brokers/",
          "date": "2026-03-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-32433",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3248",
      "type": "CVEs",
      "report_count": 6,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-22"
        },
        {
          "slug": "cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        },
        {
          "slug": "critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure",
          "title": "Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-32975",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems",
          "title": "Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems",
          "url": "https://bulwarkblack.com/hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "CVE-2025-33073",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        },
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "CVE-2025-34067",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination",
          "title": "Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination",
          "url": "https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3710",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3711",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3712",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3713",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2025-3714",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2025-40536",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-40537",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-40551",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-40552",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-40553",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-40554",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "CVE-2025-41244",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns",
          "title": "CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns",
          "url": "https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "CVE-2025-4322",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-43510",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "CVE-2025-43520",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "CVE-2025-43529",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-02-16",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        },
        {
          "slug": "cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks",
          "title": "CVE-2026-20700: Apple Patches First Zero-Day of 2026 After Extremely Sophisticated Targeted Attacks",
          "url": "https://bulwarkblack.com/cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "CVE-2025-47812",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-18",
      "last_seen": "2026-03-18",
      "reports": [
        {
          "slug": "cisa-adds-wing-ftp-server-information-disclosure-flaw-to-kev-catalog-amid-active-exploitation",
          "title": "CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog Amid Active Exploitation",
          "url": "https://bulwarkblack.com/cisa-adds-wing-ftp-server-information-disclosure-flaw-to-kev-catalog-amid-active-exploitation/",
          "date": "2026-03-18"
        }
      ]
    },
    {
      "indicator": "CVE-2025-47813",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-18",
      "last_seen": "2026-03-18",
      "reports": [
        {
          "slug": "cisa-adds-wing-ftp-server-information-disclosure-flaw-to-kev-catalog-amid-active-exploitation",
          "title": "CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog Amid Active Exploitation",
          "url": "https://bulwarkblack.com/cisa-adds-wing-ftp-server-information-disclosure-flaw-to-kev-catalog-amid-active-exploitation/",
          "date": "2026-03-18"
        }
      ]
    },
    {
      "indicator": "CVE-2025-49844",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "CVE-2025-50165",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-27",
      "last_seen": "2026-06-27",
      "reports": [
        {
          "slug": "splunk-enterprise-cve-2026-20253-siem-tier-zero-defense",
          "title": "Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure",
          "url": "https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/",
          "date": "2026-06-27"
        }
      ]
    },
    {
      "indicator": "CVE-2025-53521",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "CVE-2025-54135",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-54518",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2025-55182",
      "type": "CVEs",
      "report_count": 8,
      "first_seen": "2026-02-01",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "vect-teampcp-supply-chain-ransomware-credential-defense",
          "title": "Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel",
          "url": "https://bulwarkblack.com/vect-teampcp-supply-chain-ransomware-credential-defense/",
          "date": "2026-07-02"
        },
        {
          "slug": "splunk-enterprise-cve-2026-20253-siem-tier-zero-defense",
          "title": "Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure",
          "url": "https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/",
          "date": "2026-06-27"
        },
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        },
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz",
          "title": "UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz",
          "url": "https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/",
          "date": "2026-04-03"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2025-59287",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-59718",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-01-28",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        },
        {
          "slug": "fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft",
          "title": "FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft",
          "url": "https://bulwarkblack.com/fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft/",
          "date": "2026-03-11"
        },
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "CVE-2025-59719",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft",
          "title": "FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft",
          "url": "https://bulwarkblack.com/fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "CVE-2025-64712",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-14",
      "last_seen": "2026-02-14",
      "reports": [
        {
          "slug": "critical-unstructured-io-vulnerability-cve-2025-64712-threatens-ai-pipelines-at-amazon-google-and-fortune-1000-enterprises",
          "title": "Critical Unstructured.io Vulnerability CVE-2025-64712 Threatens AI Pipelines at Amazon, Google, and Fortune 1000 Enterprises",
          "url": "https://bulwarkblack.com/critical-unstructured-io-vulnerability-cve-2025-64712-threatens-ai-pipelines-at-amazon-google-and-fortune-1000-enterprises/",
          "date": "2026-02-14"
        }
      ]
    },
    {
      "indicator": "CVE-2025-66478",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2025-67644",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "langgraph-checkpointer-sqli-rce-ai-agent-memory-defense",
          "title": "LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface",
          "url": "https://bulwarkblack.com/langgraph-checkpointer-sqli-rce-ai-agent-memory-defense/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "CVE-2025-68613",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2024-01-07",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2025-7544",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "CVE-2025-8088",
      "type": "CVEs",
      "report_count": 5,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        },
        {
          "slug": "iranian-apt-infy-resurfaces-with-new-tornado-malware-after-internet-blackout",
          "title": "Iranian APT Infy Resurfaces with New Tornado Malware After Internet Blackout",
          "url": "https://bulwarkblack.com/iranian-apt-infy-resurfaces-with-new-tornado-malware-after-internet-blackout/",
          "date": "2026-02-06"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-0257",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-0300",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-0628",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-0826",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-03-22",
      "last_seen": "2026-03-27",
      "reports": [
        {
          "slug": "chinese-apt-red-menshen-plants-stealthy-bpfdoor-backdoors-in-global-telecom-networks",
          "title": "Chinese APT Red Menshen Plants Stealthy BPFdoor Backdoors in Global Telecom Networks",
          "url": "https://bulwarkblack.com/chinese-apt-red-menshen-plants-stealthy-bpfdoor-backdoors-in-global-telecom-networks/",
          "date": "2026-03-27"
        },
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2026-1281",
      "type": "CVEs",
      "report_count": 6,
      "first_seen": "2026-01-31",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        },
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        },
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "CVE-2026-1340",
      "type": "CVEs",
      "report_count": 6,
      "first_seen": "2026-01-31",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        },
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        },
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "CVE-2026-15409",
      "type": "CVEs",
      "report_count": 7,
      "first_seen": "2024-01-11",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse",
          "title": "CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse",
          "url": "https://bulwarkblack.com/cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse/",
          "date": "2026-03-20"
        },
        {
          "slug": "blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files",
          "title": "BlackSanta EDR Killer Campaign Targets HR Departments Through Weaponized Resume Files",
          "url": "https://bulwarkblack.com/blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files/",
          "date": "2026-03-10"
        },
        {
          "slug": "seedworm-apt-deploys-dindoor-and-fakeset-backdoors-inside-us-critical-infrastructure-networks",
          "title": "Seedworm APT Deploys Dindoor and Fakeset Backdoors Inside US Critical Infrastructure Networks",
          "url": "https://bulwarkblack.com/seedworm-apt-deploys-dindoor-and-fakeset-backdoors-inside-us-critical-infrastructure-networks/",
          "date": "2026-03-10"
        },
        {
          "slug": "seedworm-apt-targets-us-banks-and-airports-with-new-dindoor-and-fakeset-backdoors",
          "title": "Seedworm APT Targets US Banks and Airports with New Dindoor and Fakeset Backdoors",
          "url": "https://bulwarkblack.com/seedworm-apt-targets-us-banks-and-airports-with-new-dindoor-and-fakeset-backdoors/",
          "date": "2026-03-09"
        },
        {
          "slug": "chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery",
          "title": "Chinese APT Exploited Dell RecoverPoint Zero-Day for 18 Months Before Discovery",
          "url": "https://bulwarkblack.com/chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery/",
          "date": "2026-02-23"
        },
        {
          "slug": "lockbit-5-0-ransomware-emerges-cross-platform-threat-targeting-windows-linux-and-esxi-systems",
          "title": "LockBit 5.0 Ransomware Emerges: Cross-Platform Threat Targeting Windows, Linux, and ESXi Systems",
          "url": "https://bulwarkblack.com/lockbit-5-0-ransomware-emerges-cross-platform-threat-targeting-windows-linux-and-esxi-systems/",
          "date": "2026-02-17"
        },
        {
          "slug": "review-engineering-grade-ot-security-a-managers-guide",
          "title": "Review: Engineering-grade OT security: A manager’s guide",
          "url": "https://bulwarkblack.com/review-engineering-grade-ot-security-a-managers-guide/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "CVE-2026-15410",
      "type": "CVEs",
      "report_count": 7,
      "first_seen": "2024-01-11",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse",
          "title": "CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse",
          "url": "https://bulwarkblack.com/cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse/",
          "date": "2026-03-20"
        },
        {
          "slug": "blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files",
          "title": "BlackSanta EDR Killer Campaign Targets HR Departments Through Weaponized Resume Files",
          "url": "https://bulwarkblack.com/blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files/",
          "date": "2026-03-10"
        },
        {
          "slug": "seedworm-apt-deploys-dindoor-and-fakeset-backdoors-inside-us-critical-infrastructure-networks",
          "title": "Seedworm APT Deploys Dindoor and Fakeset Backdoors Inside US Critical Infrastructure Networks",
          "url": "https://bulwarkblack.com/seedworm-apt-deploys-dindoor-and-fakeset-backdoors-inside-us-critical-infrastructure-networks/",
          "date": "2026-03-10"
        },
        {
          "slug": "seedworm-apt-targets-us-banks-and-airports-with-new-dindoor-and-fakeset-backdoors",
          "title": "Seedworm APT Targets US Banks and Airports with New Dindoor and Fakeset Backdoors",
          "url": "https://bulwarkblack.com/seedworm-apt-targets-us-banks-and-airports-with-new-dindoor-and-fakeset-backdoors/",
          "date": "2026-03-09"
        },
        {
          "slug": "chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery",
          "title": "Chinese APT Exploited Dell RecoverPoint Zero-Day for 18 Months Before Discovery",
          "url": "https://bulwarkblack.com/chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery/",
          "date": "2026-02-23"
        },
        {
          "slug": "lockbit-5-0-ransomware-emerges-cross-platform-threat-targeting-windows-linux-and-esxi-systems",
          "title": "LockBit 5.0 Ransomware Emerges: Cross-Platform Threat Targeting Windows, Linux, and ESXi Systems",
          "url": "https://bulwarkblack.com/lockbit-5-0-ransomware-emerges-cross-platform-threat-targeting-windows-linux-and-esxi-systems/",
          "date": "2026-02-17"
        },
        {
          "slug": "review-engineering-grade-ot-security-a-managers-guide",
          "title": "Review: Engineering-grade OT security: A manager’s guide",
          "url": "https://bulwarkblack.com/review-engineering-grade-ot-security-a-managers-guide/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "CVE-2026-1591",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-1731",
      "type": "CVEs",
      "report_count": 5,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "cve-2026-1731-critical-beyondtrust-remote-support-vulnerability-under-active-exploitation",
          "title": "CVE-2026-1731: Critical BeyondTrust Remote Support Vulnerability Under Active Exploitation",
          "url": "https://bulwarkblack.com/cve-2026-1731-critical-beyondtrust-remote-support-vulnerability-under-active-exploitation/",
          "date": "2026-02-14"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20079",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "cisco-patches-two-max-severity-secure-fmc-flaws-enabling-root-access",
          "title": "Cisco Patches Two Max Severity Secure FMC Flaws Enabling Root Access",
          "url": "https://bulwarkblack.com/cisco-patches-two-max-severity-secure-fmc-flaws-enabling-root-access/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20093",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-04-04",
      "last_seen": "2026-04-04",
      "reports": [
        {
          "slug": "critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access",
          "title": "Critical Cisco IMC Authentication Bypass Enables Unauthenticated Admin Access",
          "url": "https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access/",
          "date": "2026-04-04"
        },
        {
          "slug": "critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges",
          "title": "Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges",
          "url": "https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges/",
          "date": "2026-04-04"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20122",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20127",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-02-25",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        },
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        },
        {
          "slug": "cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access",
          "title": "Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access",
          "url": "https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20128",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20131",
      "type": "CVEs",
      "report_count": 6,
      "first_seen": "2026-03-04",
      "last_seen": "2026-06-27",
      "reports": [
        {
          "slug": "splunk-enterprise-cve-2026-20253-siem-tier-zero-defense",
          "title": "Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure",
          "url": "https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/",
          "date": "2026-06-27"
        },
        {
          "slug": "critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access",
          "title": "Critical Cisco IMC Authentication Bypass Enables Unauthenticated Admin Access",
          "url": "https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access/",
          "date": "2026-04-04"
        },
        {
          "slug": "critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges",
          "title": "Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges",
          "url": "https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges/",
          "date": "2026-04-04"
        },
        {
          "slug": "interlock-ransomware-exploited-cisco-firewall-zero-day-weeks-before-public-disclosure",
          "title": "Interlock Ransomware Exploited Cisco Firewall Zero-Day Weeks Before Public Disclosure",
          "url": "https://bulwarkblack.com/interlock-ransomware-exploited-cisco-firewall-zero-day-weeks-before-public-disclosure/",
          "date": "2026-03-22"
        },
        {
          "slug": "interlock-ransomware-exploited-cisco-fmc-zero-day-for-six-weeks-before-patch-amazon-reveals-full-attack-chain",
          "title": "Interlock Ransomware Exploited Cisco FMC Zero-Day for Six Weeks Before Patch: Amazon Reveals Full Attack Chain",
          "url": "https://bulwarkblack.com/interlock-ransomware-exploited-cisco-fmc-zero-day-for-six-weeks-before-patch-amazon-reveals-full-attack-chain/",
          "date": "2026-03-20"
        },
        {
          "slug": "cisco-patches-two-max-severity-secure-fmc-flaws-enabling-root-access",
          "title": "Cisco Patches Two Max Severity Secure FMC Flaws Enabling Root Access",
          "url": "https://bulwarkblack.com/cisco-patches-two-max-severity-secure-fmc-flaws-enabling-root-access/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20133",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20160",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-04-04",
      "last_seen": "2026-04-04",
      "reports": [
        {
          "slug": "critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access",
          "title": "Critical Cisco IMC Authentication Bypass Enables Unauthenticated Admin Access",
          "url": "https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access/",
          "date": "2026-04-04"
        },
        {
          "slug": "critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges",
          "title": "Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges",
          "url": "https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges/",
          "date": "2026-04-04"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20182",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-25",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        },
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        },
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        },
        {
          "slug": "cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access",
          "title": "Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access",
          "url": "https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20245",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20253",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-27",
      "last_seen": "2026-06-27",
      "reports": [
        {
          "slug": "splunk-enterprise-cve-2026-20253-siem-tier-zero-defense",
          "title": "Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure",
          "url": "https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/",
          "date": "2026-06-27"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20700",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-02-16",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        },
        {
          "slug": "cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks",
          "title": "CVE-2026-20700: Apple Patches First Zero-Day of 2026 After Extremely Sophisticated Targeted Attacks",
          "url": "https://bulwarkblack.com/cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks/",
          "date": "2026-02-16"
        },
        {
          "slug": "cve-2026-2441-google-patches-first-actively-exploited-chrome-zero-day-of-2026",
          "title": "CVE-2026-2441: Google Patches First Actively Exploited Chrome Zero-Day of 2026",
          "url": "https://bulwarkblack.com/cve-2026-2441-google-patches-first-actively-exploited-chrome-zero-day-of-2026/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-20841",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-22",
      "last_seen": "2026-02-22",
      "reports": [
        {
          "slug": "cve-2026-20841-windows-notepad-rce-vulnerability-weaponized-with-public-poc-exploit",
          "title": "CVE-2026-20841: Windows Notepad RCE Vulnerability Weaponized with Public PoC Exploit",
          "url": "https://bulwarkblack.com/cve-2026-20841-windows-notepad-rce-vulnerability-weaponized-with-public-poc-exploit/",
          "date": "2026-02-22"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21509",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-02-10",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        },
        {
          "slug": "apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday",
          "title": "APT28 Exploited CVE-2026-21513 MSHTML Zero-Day as Attack Vector Before February Patch Tuesday",
          "url": "https://bulwarkblack.com/apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday/",
          "date": "2026-03-03"
        },
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21513",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        },
        {
          "slug": "apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday",
          "title": "APT28 Exploited CVE-2026-21513 MSHTML Zero-Day as Attack Vector Before February Patch Tuesday",
          "url": "https://bulwarkblack.com/apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21530",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21666",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21667",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21668",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21669",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21670",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21671",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21672",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21708",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-21992",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-25",
      "reports": [
        {
          "slug": "oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager",
          "title": "Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager",
          "url": "https://bulwarkblack.com/oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager/",
          "date": "2026-03-25"
        }
      ]
    },
    {
      "indicator": "CVE-2026-22554",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "mediainfolib-parser-bugs-file-metadata-execution-boundary",
          "title": "MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary",
          "url": "https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "CVE-2026-22584",
      "type": "CVEs",
      "report_count": 4,
      "first_seen": "2026-02-01",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-22769",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery",
          "title": "Chinese APT Exploited Dell RecoverPoint Zero-Day for 18 Months Before Discovery",
          "url": "https://bulwarkblack.com/chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "CVE-2026-23111",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-23760",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score",
          "title": "SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score",
          "url": "https://bulwarkblack.com/smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "CVE-2026-24061",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "CVE-2026-2441",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-02-16",
      "last_seen": "2026-03-14",
      "reports": [
        {
          "slug": "google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog",
          "title": "Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog",
          "url": "https://bulwarkblack.com/google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog/",
          "date": "2026-03-14"
        },
        {
          "slug": "google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910",
          "title": "Google Patches Two Actively Exploited Chrome Zero-Days: CVE-2026-3909 and CVE-2026-3910",
          "url": "https://bulwarkblack.com/google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910/",
          "date": "2026-03-13"
        },
        {
          "slug": "cve-2026-2441-google-patches-first-actively-exploited-chrome-zero-day-of-2026",
          "title": "CVE-2026-2441: Google Patches First Actively Exploited Chrome Zero-Day of 2026",
          "url": "https://bulwarkblack.com/cve-2026-2441-google-patches-first-actively-exploited-chrome-zero-day-of-2026/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "CVE-2026-24423",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score",
          "title": "SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score",
          "url": "https://bulwarkblack.com/smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "CVE-2026-24858",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-01-28",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft",
          "title": "FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft",
          "url": "https://bulwarkblack.com/fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft/",
          "date": "2026-03-11"
        },
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "CVE-2026-25067",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score",
          "title": "SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score",
          "url": "https://bulwarkblack.com/smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "CVE-2026-25104",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "mediainfolib-parser-bugs-file-metadata-execution-boundary",
          "title": "MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary",
          "url": "https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "CVE-2026-25253",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "agentic-ai-failure-modes-supply-chain-controls",
          "title": "Agentic AI Failure Modes Show Why AI Tools Need Supply-Chain Controls",
          "url": "https://bulwarkblack.com/agentic-ai-failure-modes-supply-chain-controls/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "CVE-2026-25592",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "prompt-injection-rce-ai-agent-frameworks",
          "title": "Prompt Injection Just Became an RCE Problem for AI Agents",
          "url": "https://bulwarkblack.com/prompt-injection-rce-ai-agent-frameworks/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-25713",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "mediainfolib-parser-bugs-file-metadata-execution-boundary",
          "title": "MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary",
          "url": "https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "CVE-2026-25815",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "fortibleed-firewall-patching-compromise-recovery",
          "title": "FortiBleed Shows Firewall Patching Is Not Compromise Recovery",
          "url": "https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "CVE-2026-26030",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "prompt-injection-rce-ai-agent-frameworks",
          "title": "Prompt Injection Just Became an RCE Problem for AI Agents",
          "url": "https://bulwarkblack.com/prompt-injection-rce-ai-agent-frameworks/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-26129",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-26164",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-27022",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "langgraph-checkpointer-sqli-rce-ai-agent-memory-defense",
          "title": "LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface",
          "url": "https://bulwarkblack.com/langgraph-checkpointer-sqli-rce-ai-agent-memory-defense/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "CVE-2026-28227",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "langgraph-checkpointer-sqli-rce-ai-agent-memory-defense",
          "title": "LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface",
          "url": "https://bulwarkblack.com/langgraph-checkpointer-sqli-rce-ai-agent-memory-defense/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "CVE-2026-28277",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "langgraph-checkpointer-sqli-rce-ai-agent-memory-defense",
          "title": "LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface",
          "url": "https://bulwarkblack.com/langgraph-checkpointer-sqli-rce-ai-agent-memory-defense/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "CVE-2026-28318",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-07",
      "last_seen": "2026-06-07",
      "reports": [
        {
          "slug": "solarwinds-servu-cve-2026-28318-file-transfer-availability",
          "title": "SolarWinds Serv-U Exploitation Shows File Transfer Availability Is Security",
          "url": "https://bulwarkblack.com/solarwinds-servu-cve-2026-28318-file-transfer-availability/",
          "date": "2026-06-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-28764",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "mediainfolib-parser-bugs-file-metadata-execution-boundary",
          "title": "MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary",
          "url": "https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "CVE-2026-3055",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "citrixbleed-netscaler-cve-2026-8451-saml-idp-defense",
          "title": "CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline",
          "url": "https://bulwarkblack.com/citrixbleed-netscaler-cve-2026-8451-saml-idp-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-3102",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "exiftool-cve-2026-3102-image-metadata-threat-model",
          "title": "ExifTool CVE-2026-3102 Shows Image Metadata Belongs in the Threat Model",
          "url": "https://bulwarkblack.com/exiftool-cve-2026-3102-image-metadata-threat-model/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-31431",
      "type": "CVEs",
      "report_count": 7,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        },
        {
          "slug": "dirty-frag-linux-privilege-escalation-defender-guide",
          "title": "Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now",
          "url": "https://bulwarkblack.com/dirty-frag-linux-privilege-escalation-defender-guide/",
          "date": "2026-05-08"
        },
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        },
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations",
          "title": "Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations",
          "url": "https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/",
          "date": "2026-02-01"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32161",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32170",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32175",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32177",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32185",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32204",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32207",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32209",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32290",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32291",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32292",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32293",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32294",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32295",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32296",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32297",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-32298",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors",
          "title": "9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors",
          "url": "https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33017",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-22",
      "reports": [
        {
          "slug": "cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-22"
        },
        {
          "slug": "cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        },
        {
          "slug": "critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure",
          "title": "Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33109",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33110",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33111",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33112",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33117",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33590",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-12",
      "last_seen": "2026-06-12",
      "reports": [
        {
          "slug": "portainer-cve-2026-33590-container-host-takeover-defense",
          "title": "Portainer CVE-2026-33590 Shows Container Admin Tools Need Least Privilege Defaults",
          "url": "https://bulwarkblack.com/portainer-cve-2026-33590-container-host-takeover-defense/",
          "date": "2026-06-12"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33821",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33823",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33833",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33834",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33835",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33837",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33838",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33839",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33840",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33841",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-33844",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34327",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34329",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34330",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34331",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34332",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34333",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34334",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34336",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34337",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34338",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34339",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34340",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34341",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34342",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34343",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34344",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34345",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34347",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34350",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34351",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34645",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34646",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34647",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34648",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34649",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34650",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34651",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34652",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34653",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34654",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34655",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34656",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34658",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34908",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34909",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-34910",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-3502",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2024-01-07",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35273",
      "type": "CVEs",
      "report_count": 5,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "naic-peoplesoft-zero-day-cve-2026-35273",
          "title": "NAIC Breach Shows Why PeopleSoft Internet Exposure Needs Immediate Review",
          "url": "https://bulwarkblack.com/naic-peoplesoft-zero-day-cve-2026-35273/",
          "date": "2026-06-26"
        },
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35415",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35416",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35417",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35418",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35419",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35420",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35421",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35422",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35423",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35424",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35428",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35429",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35432",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35433",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35435",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35436",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35438",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35439",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35440",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-35616",
      "type": "CVEs",
      "report_count": 3,
      "first_seen": "2024-01-07",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-3564",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-03-20",
      "last_seen": "2026-03-20",
      "reports": [
        {
          "slug": "cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse",
          "title": "CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse",
          "url": "https://bulwarkblack.com/cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse/",
          "date": "2026-03-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-3909",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-14",
      "reports": [
        {
          "slug": "google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog",
          "title": "Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog",
          "url": "https://bulwarkblack.com/google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog/",
          "date": "2026-03-14"
        },
        {
          "slug": "google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910",
          "title": "Google Patches Two Actively Exploited Chrome Zero-Days: CVE-2026-3909 and CVE-2026-3910",
          "url": "https://bulwarkblack.com/google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "CVE-2026-3910",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-14",
      "reports": [
        {
          "slug": "google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog",
          "title": "Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog",
          "url": "https://bulwarkblack.com/google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog/",
          "date": "2026-03-14"
        },
        {
          "slug": "google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910",
          "title": "Google Patches Two Actively Exploited Chrome Zero-Days: CVE-2026-3909 and CVE-2026-3910",
          "url": "https://bulwarkblack.com/google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "CVE-2026-39999",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "apache-apisix-auth-bypass-plugin-review",
          "title": "Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review",
          "url": "https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "CVE-2026-4020",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40357",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40358",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40359",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40360",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40361",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40362",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40363",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40364",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40365",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40366",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40367",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40368",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40369",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40370",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40374",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40377",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40379",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40380",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40381",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40382",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40397",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40398",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40399",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40401",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40402",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40403",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40405",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40406",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40407",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40408",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40410",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40413",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40414",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40415",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40416",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40417",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40418",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40419",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40420",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-40421",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41086",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41088",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41089",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41094",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41095",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41096",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41097",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41100",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41101",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41102",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41103",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41105",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41107",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41109",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41610",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41611",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41612",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41613",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-41614",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42823",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42825",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42826",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42830",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42831",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42832",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42833",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42838",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42891",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42893",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42896",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42897",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-17",
      "last_seen": "2026-05-17",
      "reports": [
        {
          "slug": "exchange-owa-zero-day-cisa-kev-mitigation",
          "title": "Exchange OWA Zero-Day Shows Why Email Servers Need Emergency Mitigation",
          "url": "https://bulwarkblack.com/exchange-owa-zero-day-cisa-kev-mitigation/",
          "date": "2026-05-17"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42898",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-42899",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-43074",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-09",
      "last_seen": "2026-07-09",
      "reports": [
        {
          "slug": "bad-epoll-linux-kernel-cve-2026-46242-defense",
          "title": "Bad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority Queue",
          "url": "https://bulwarkblack.com/bad-epoll-linux-kernel-cve-2026-46242-defense/",
          "date": "2026-07-09"
        }
      ]
    },
    {
      "indicator": "CVE-2026-43284",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "dirty-frag-linux-privilege-escalation-defender-guide",
          "title": "Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now",
          "url": "https://bulwarkblack.com/dirty-frag-linux-privilege-escalation-defender-guide/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-43500",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "dirty-frag-linux-privilege-escalation-defender-guide",
          "title": "Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now",
          "url": "https://bulwarkblack.com/dirty-frag-linux-privilege-escalation-defender-guide/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-44024",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "fluentd-vulnerabilities-log-pipeline-segmentation-defense",
          "title": "Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation",
          "url": "https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2026-44025",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "fluentd-vulnerabilities-log-pipeline-segmentation-defense",
          "title": "Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation",
          "url": "https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2026-44160",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "fluentd-vulnerabilities-log-pipeline-segmentation-defense",
          "title": "Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation",
          "url": "https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2026-44161",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "fluentd-vulnerabilities-log-pipeline-segmentation-defense",
          "title": "Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation",
          "url": "https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2026-44162",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "fluentd-vulnerabilities-log-pipeline-segmentation-defense",
          "title": "Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation",
          "url": "https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2026-44163",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "fluentd-vulnerabilities-log-pipeline-segmentation-defense",
          "title": "Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation",
          "url": "https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "CVE-2026-46242",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-09",
      "last_seen": "2026-07-09",
      "reports": [
        {
          "slug": "bad-epoll-linux-kernel-cve-2026-46242-defense",
          "title": "Bad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority Queue",
          "url": "https://bulwarkblack.com/bad-epoll-linux-kernel-cve-2026-46242-defense/",
          "date": "2026-07-09"
        }
      ]
    },
    {
      "indicator": "CVE-2026-46300",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "dirty-frag-linux-privilege-escalation-defender-guide",
          "title": "Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now",
          "url": "https://bulwarkblack.com/dirty-frag-linux-privilege-escalation-defender-guide/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-48172",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "litespeed-cpanel-kev-shared-hosting-privilege-escalation",
          "title": "LiteSpeed cPanel KEV Shows Shared Hosting Is Privilege Escalation Terrain",
          "url": "https://bulwarkblack.com/litespeed-cpanel-kev-shared-hosting-privilege-escalation/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "CVE-2026-48558",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        },
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "CVE-2026-49938",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "fortiportal-cve-2026-49938-network-config-data-defense",
          "title": "FortiPortal CVE-2026-49938 Shows Network Configuration Data Is a High-Value Target",
          "url": "https://bulwarkblack.com/fortiportal-cve-2026-49938-network-config-data-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "CVE-2026-5027",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "CVE-2026-50746",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-50747",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-50748",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-52806",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-03-22",
      "last_seen": "2026-03-27",
      "reports": [
        {
          "slug": "chinese-apt-red-menshen-plants-stealthy-bpfdoor-backdoors-in-global-telecom-networks",
          "title": "Chinese APT Red Menshen Plants Stealthy BPFdoor Backdoors in Global Telecom Networks",
          "url": "https://bulwarkblack.com/chinese-apt-red-menshen-plants-stealthy-bpfdoor-backdoors-in-global-telecom-networks/",
          "date": "2026-03-27"
        },
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "CVE-2026-54161",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "nut-upsmon-cve-2026-54161-command-injection-defense",
          "title": "NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue",
          "url": "https://bulwarkblack.com/nut-upsmon-cve-2026-54161-command-injection-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-5426",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "knowledgedeliver-viewstate-shared-machine-key-defense",
          "title": "KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius",
          "url": "https://bulwarkblack.com/knowledgedeliver-viewstate-shared-machine-key-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "CVE-2026-54400",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-54402",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-55115",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-55116",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "ubiquiti-unifi-critical-flaws-network-control-plane-defense",
          "title": "Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue",
          "url": "https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7482",
      "type": "CVEs",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7896",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7897",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7898",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7899",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7900",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7901",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7902",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7903",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7904",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7905",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7906",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7907",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7908",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7909",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7910",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7911",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7912",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7913",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7914",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7915",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7916",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7917",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7918",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7919",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7920",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7921",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7922",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7923",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7924",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7925",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7926",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7927",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7928",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7929",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7930",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7931",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7932",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7933",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7934",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7935",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7936",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7937",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7938",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7939",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7940",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7941",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7942",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7943",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7944",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7945",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7946",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7947",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7948",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7949",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7950",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7951",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7952",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7953",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7954",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7955",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7956",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7957",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7958",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7959",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7960",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7961",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7962",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7963",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7964",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7965",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7966",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7967",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7968",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7969",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7970",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7971",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7972",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7973",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7974",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7975",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7976",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7977",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7978",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7979",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7980",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7981",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7982",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7983",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7984",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7985",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7986",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7987",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7988",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7989",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7990",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7991",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7992",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7993",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7994",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7995",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7996",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7997",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7998",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-7999",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8000",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8001",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8002",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8003",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8004",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8005",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8006",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8007",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8008",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8009",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8010",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8011",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8012",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8013",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8014",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8015",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8016",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8017",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8018",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8019",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8020",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8021",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8022",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "may-2026-patch-tuesday-smb-prioritization",
          "title": "May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs",
          "url": "https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8451",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "citrixbleed-netscaler-cve-2026-8451-saml-idp-defense",
          "title": "CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline",
          "url": "https://bulwarkblack.com/citrixbleed-netscaler-cve-2026-8451-saml-idp-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "CVE-2026-8732",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-31",
      "last_seen": "2026-05-31",
      "reports": [
        {
          "slug": "wp-maps-pro-admin-account-vulnerability-defense",
          "title": "WP Maps Pro Exploitation Shows Why Plugin Support Features Need Security Review",
          "url": "https://bulwarkblack.com/wp-maps-pro-admin-account-vulnerability-defense/",
          "date": "2026-05-31"
        }
      ]
    },
    {
      "indicator": "CVE-2026-9082",
      "type": "CVEs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "drupal-cve-2026-9082-web-asset-inventory-response",
          "title": "Drupal CVE-2026-9082 Shows Web Asset Inventory Is Emergency Response",
          "url": "https://bulwarkblack.com/drupal-cve-2026-9082-web-asset-inventory-response/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion",
      "type": "Dark Web",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "00701111.000webhostapp.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "00857cca77b615c369f48ead5f8eb7f3.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "019d442a-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "019d442e-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "019d6860-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "0aa0cf0637d66c0d.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "0bot.qzz.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "0din.ai",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-27",
      "last_seen": "2026-06-27",
      "reports": [
        {
          "slug": "ai-coding-agent-clean-repo-runtime-payload-defense",
          "title": "Clean Repos Can Still Burn Developer Machines When AI Agents Trust Runtime Setup",
          "url": "https://bulwarkblack.com/ai-coding-agent-clean-repo-runtime-payload-defense/",
          "date": "2026-06-27"
        }
      ]
    },
    {
      "indicator": "0fdba029e6a5-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "1.0.0.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "shai-hulud-cicd-cloud-identity-redshift-defense",
          "title": "Shai Hulud Shows CI/CD Identity Is Production Cloud Identity",
          "url": "https://bulwarkblack.com/shai-hulud-cicd-cloud-identity-redshift-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "1.9.0.dev",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-22",
      "reports": [
        {
          "slug": "cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-22"
        },
        {
          "slug": "cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        },
        {
          "slug": "critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure",
          "title": "Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "1204knos.ru",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "1204networks.ru",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "1cv2f3d5s6a9w.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "2117.filemail.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "2dc62559e005-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "2rxyt8yrhq0bgj.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "2rxyt9urhq0bgj.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "31d58c226fc5a0aa976e13ca9ecebcc8.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "39uchxifap4cvgzsuirom0szrrg.d65lre9sfqnlcv49317gcis6pyjsatzho.oast.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "3k7m1n9p4q2r6s8t0v5w2x4y6z8u9.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "442fe7151fb1e9b5.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "4daa2aea93db-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "5ka8rxp6t6eup2.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "6b86b273ff34fce1.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "6cimu4mc085em8.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "6dd5fd945b34-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "7-zip.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "7740f766-8d1d-46ad-a6bc-onedrive.p-9jluifuu.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "7806d4cf9366-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "7x2k9n4p1q0r5s8t3v6w0y2z4u7b9.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "7zip.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "8b21a945159f23b740c836eb50953818.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "8doj8uvx604eck.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "8f00b204e9800998.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "a7b37115ce3cc2eb.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "a8d3b9e1f5c7024d6e0b7a2c9f1d83e5.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "aa86a52a98162b7d.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "abobe.ithr.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "academy.breakdev.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "admina.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "adrinal.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "ads-parkpro.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "adsparkpro.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "adsparkpro.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "aeya388.club",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "af4760df2c08896a9638e26e7dd20aae.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "afsaces.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "aka.ms",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "aliyundunupdate.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "aluminiostramuntana.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "amgreetings.tech",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "amgreetings.tech-department.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "ampolice.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "amydeks.ithr.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "ancisesic.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "andro.notemacro.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "angular-studio.ng",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "anthropic.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "ap.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-14",
      "last_seen": "2026-03-14",
      "reports": [
        {
          "slug": "pro-iranian-hackers-expand-targeting-of-us-critical-infrastructure-as-cyber-chaos-escalates",
          "title": "Pro-Iranian Hackers Expand Targeting of US Critical Infrastructure as Cyber Chaos Escalates",
          "url": "https://bulwarkblack.com/pro-iranian-hackers-expand-targeting-of-us-critical-infrastructure-as-cyber-chaos-escalates/",
          "date": "2026-03-14"
        }
      ]
    },
    {
      "indicator": "apex.herosms.ai",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "api.anthropic.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "api.ipify.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "api.paysafe.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "api.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "api.telegram.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "api.test.paysafe.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "api.wigetticks.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "api.wizzleticks.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "apisix.apache.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "apache-apisix-auth-bypass-plugin-review",
          "title": "Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review",
          "url": "https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "applebox.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "appler.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "apps.nulab.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "archicad3d.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "arnaudpairoto.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "new-go-loader-pushes-rhadamanthys-stealer",
          "title": "New Go loader pushes Rhadamanthys stealer",
          "url": "https://bulwarkblack.com/new-go-loader-pushes-rhadamanthys-stealer/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "asdad21ww.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "assets.lumen.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "atlassian.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "atsheisdomestic.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "attacker-db.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-27",
      "last_seen": "2026-06-27",
      "reports": [
        {
          "slug": "splunk-enterprise-cve-2026-20253-siem-tier-zero-defense",
          "title": "Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure",
          "url": "https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/",
          "date": "2026-06-27"
        }
      ]
    },
    {
      "indicator": "au-club.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "audit-report-9767d3.fullerjp09.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "auraguest.lk",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "autoupdate.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "aw2o25forsbc.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "awcc001jdaigfwdagdcew.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "azurenetfiles.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "azwsappdev.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-15",
      "last_seen": "2026-02-15",
      "reports": [
        {
          "slug": "microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging",
          "title": "Microsoft Exposes DNS-Based ClickFix Attack: Nslookup Commands Used for Stealth Malware Staging",
          "url": "https://bulwarkblack.com/microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging/",
          "date": "2026-02-15"
        }
      ]
    },
    {
      "indicator": "b5e9a2d7f4c8e3b1a0d6f2e9c5b8a7d.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "bab2o25com.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "babaji.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "babi5599ss.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "Backdoor.Python.Agent.br",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "badkeys.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "linux-kernel-ipsec-attack-surface-reduction",
          "title": "Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority",
          "url": "https://bulwarkblack.com/linux-kernel-ipsec-attack-surface-reduction/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "balabalabo.mywire.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "barankinyserialxud.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "basecon.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "basecon.com.ua",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "bdrv7wlbszfotkqf.uk",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "berlin101.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "best-tinted.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "bggs.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "bibabo.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "bigflx.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "binmol.webredirect.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "bioth.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "blackpointcyber.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "BleacherReport.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "bloopencil.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "Boemobww.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "Booking.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2024-01-07",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        },
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "bookreservphoto.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "bots.autoupdate.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "botsc.autoupdate.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "botshield.vu",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "brategmaqendaalar-studio.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "brcallletme.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "brw.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-23",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "btbtutil.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "bthoster.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "btltan.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "BugsBounty.com",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "Builder.ai",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "buisness-centeral-transportation.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "Buisness-centeral-transportation.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "buisness-centeral.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "bumbleshrimp.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "business-data-leaks.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "business-startup.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "business-startup.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "Businessstartup.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "cabotcorpsupport-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "caliber-spinner-finishing.ngrok-free.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "camcampkes.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "camsqewivo.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "canal1zac1a.onrender.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "casacam.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cbre.tech",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "cbre.tech-department.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "ccammutom.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cctest.kk5yuzmev2qbgulz.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "cdn-lfs-us-1.hf.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "cdn-static.okendo.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "cdnvmtools.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "certgraveyard.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "cfe47df26c8eaf0a7c136b50c703e173.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "chamd5.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "championships-peoples-point-cassette.trycloudflare.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "check.datatabletemplate.shop",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "checkinnhotels.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "checkpoint-vpn.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "chincenterblandwka.pw",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "chkactive.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ci.appveyor.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "circoloesteri.elezioni.idnet.it",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "cisco-secure-client.es",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "claude.ai",
      "type": "Domains",
      "report_count": 7,
      "first_seen": "2026-02-04",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        },
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        },
        {
          "slug": "ai-agent-governance-security-control",
          "title": "AI Agent Governance Is Becoming a Security Control, Not a Nice-to-Have",
          "url": "https://bulwarkblack.com/ai-agent-governance-security-control/",
          "date": "2026-05-18"
        },
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        },
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        },
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        },
        {
          "slug": "shinyhunters-claims-massive-ivy-league-breach-2-2-million-records-from-harvard-and-upenn",
          "title": "ShinyHunters Claims Massive Ivy League Breach: 2.2 Million Records from Harvard and UPenn",
          "url": "https://bulwarkblack.com/shinyhunters-claims-massive-ivy-league-breach-2-2-million-records-from-harvard-and-upenn/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "clawdbot.getintwopc.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "clear90489058903-document.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "cloacpae.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cloud-server.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "cloud.projectdiscovery.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "announcing-cvemap-from-projectdiscovery",
          "title": "Announcing cvemap from ProjectDiscovery",
          "url": "https://bulwarkblack.com/announcing-cvemap-from-projectdiscovery/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "cloudinary.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "cmwwoods1.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cnrpaslceas.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cockpit.sumsub.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "codeberg.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "codemicros12.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "Coinopsy.com",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "Collectibles.com",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "com.app",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "com.pdfninja.app",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "community.spiceworks.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "company.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "concours.gov",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "concours.gov.bf",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "connect-microsoft.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "consistentdigital.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "controlfacturas.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "copilot-cloud.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "crediblebizextension.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "cressmiss.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "Crypto.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "cutt.ly",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "cvabiasbae.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "CVE.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score",
          "title": "SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score",
          "url": "https://bulwarkblack.com/smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "cvnoc01da1cjmnftsd.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cvpc01aenusocirem.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "cvpc01cgsdfn53hgd.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "d1hmxkpwby0d4s.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "d65sb7ngveucv5k2nm508abdsjmbn7qmn.oast.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "daeumer-web.es",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "dancamp.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "darkgptprivate.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "dart.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "dashboard-bl.pamconj.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "dashgamein.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "dataupload.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "DCLCWPDTSDCC.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "decoded.avast.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "decoorat.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "decoraat.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "deeprace.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "delete.me",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "deploypasskey.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pink-extortion-m365-vishing-cloud-data-defense",
          "title": "Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls",
          "url": "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "derbyoni.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "digitalcontinuity.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "digitalreliability.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "Direct-download.giize.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "direct-download.gleeze.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "direct-downloads.giize.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "directdownload.icu",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "discord.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "Discord.io",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "dl.k8s.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "dlpossie.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "dns.twnic.tw",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "dnsfreedb.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "doboudix1024.mywire.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "doc-imagehub.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "docshub-01.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "docshub-secure.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "docspace-twpf0e.onlyoffice.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "docspace-y4cumb.onlyoffice.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "docstore-safe.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "doh-ch.blahdns.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "doh-de.blahdns.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "doh-jp.blahdns.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "doh-sg.blahdns.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "doh.dns.sb",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "doh.li",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "doi.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "download-center.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "download-server.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "download.datatabletemplate.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "download.face-online.world",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "download.pytorch.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "drivefrontend.pa",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "drivefrontend.pa-clients.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "driverx86-adobe.onrender.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "dropbox.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "Duck.ai",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-07",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions",
          "title": "PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions",
          "url": "https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/",
          "date": "2026-02-04"
        },
        {
          "slug": "prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant",
          "title": "Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant",
          "url": "https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "duckdns.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "dynu.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "dynuddns.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "e4f8c1b9a2d7e3f6c0b5a8d9e2f1c4d.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "e5.malaymoil.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "ed5ce47d835f-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "ee10bbf6c689-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "egest.filen.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "ehxbxtjliybbloantpwq.supabase.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "ElementShift.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "enterpriseregistration.windows.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "roadtools-cloud-identity-entra-id-defense",
          "title": "ROADtools Abuse Shows Cloud Identity Is the New Attack Surface",
          "url": "https://bulwarkblack.com/roadtools-cloud-identity-entra-id-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "ernigr-esfilc.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "etoftheappyrince.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "euromarketsignal.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "europesignaltrust.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "europetrustwave.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "ev2sirbd269o5j.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "everycarebd.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "evil.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "autojack-ai-agent-localhost-rce-boundaries",
          "title": "AutoJack Shows AI Browsing Agents Need Localhost Boundaries",
          "url": "https://bulwarkblack.com/autojack-ai-agent-localhost-rce-boundaries/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "evilginx2.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ewujsfb1dp5ran.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "examp1e.webredirect.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "exchange4study.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "expedla-getphoto.cloud",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "exploit.in",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-09",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        },
        {
          "slug": "the-underground-economist-volume-4-issue-1",
          "title": "The Underground Economist: Volume 4, Issue 1",
          "url": "https://bulwarkblack.com/the-underground-economist-volume-4-issue-1/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "export.name",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "extendyourcredibility.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "f36c2774f013-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "f8uh-dwam-j4l5.pvasquez-princetonpartners-com-s-account.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "facture-arsys.duckdns.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "facture-in.pages.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "faeelt.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "fairyspells.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "fakjcsaeyhs.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "fasceadvcva3.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "faturanova.duckdns.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "faturanova.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "feee.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "ffosies2024.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "fgdedd1dww.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "file-server.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "filedrive.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "Filen.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "filipinet.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "finallyrain.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "first.longlastfor.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "first.system-update.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "firstfromsep.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "flashserve.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "flipboxstudio.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "laravel-lang-composer-supply-chain-defense",
          "title": "Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized",
          "url": "https://bulwarkblack.com/laravel-lang-composer-supply-chain-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "flutter.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "flux.smshero.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "Fly.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "laravel-lang-composer-supply-chain-defense",
          "title": "Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized",
          "url": "https://bulwarkblack.com/laravel-lang-composer-supply-chain-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "forest-entity.cc",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-31",
      "last_seen": "2026-03-31",
      "reports": [
        {
          "slug": "deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign",
          "title": "DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign",
          "url": "https://bulwarkblack.com/deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign/",
          "date": "2026-03-31"
        }
      ]
    },
    {
      "indicator": "formeld.tech",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "formeld.tech-department.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "forticlient-for-mac.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient-vpn.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient-vpn.fr",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient-vpn.it",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient.ca",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient.co.uk",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forticlient.no",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "fortinet-vpn.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "forum.exploit.in",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "forums.ivanti.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "Free-download.giize.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "freefoodaid.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "freeios.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "friday.stark-industries.solutions",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "ftpuser14.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ftpzpak.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "fulcio.sigstore.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "Gate.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "Gate.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "gateway.filen-1.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "gateway.filen-6.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "gateway.filen.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "gateway.filen.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "Gateway.Itstgate.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-08",
      "last_seen": "2026-02-08",
      "reports": [
        {
          "slug": "bridgepay-ransomware-attack-forces-nationwide-cash-only-payment-disruption",
          "title": "BridgePay Ransomware Attack Forces Nationwide Cash-Only Payment Disruption",
          "url": "https://bulwarkblack.com/bridgepay-ransomware-attack-forces-nationwide-cash-only-payment-disruption/",
          "date": "2026-02-08"
        }
      ]
    },
    {
      "indicator": "gertefin.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "gesecole.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "geti2p.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-20",
      "last_seen": "2026-02-20",
      "reports": [
        {
          "slug": "kimwolf-botnet-swamps-i2p-anonymity-network-in-massive-sybil-attack",
          "title": "Kimwolf Botnet Swamps I2P Anonymity Network in Massive Sybil Attack",
          "url": "https://bulwarkblack.com/kimwolf-botnet-swamps-i2p-anonymity-network-in-massive-sybil-attack/",
          "date": "2026-02-20"
        }
      ]
    },
    {
      "indicator": "getintwopc.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "getsession.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "giize.com",
      "type": "Domains",
      "report_count": 4,
      "first_seen": "2026-03-01",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        },
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "gleeze.com",
      "type": "Domains",
      "report_count": 4,
      "first_seen": "2026-03-01",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        },
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "globalprofit-lpanel-abcdefghij.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "globoss.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "go.googlesource.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor",
          "title": "Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor",
          "url": "https://bulwarkblack.com/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "go.nature.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "go.sparkpostmail1.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "gogo2025up.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "google-ai-labs-it.onrender.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "google-prism.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-02",
      "last_seen": "2026-03-02",
      "reports": [
        {
          "slug": "fake-google-security-check-transforms-browser-into-surveillance-toolkit-via-pwa-installation",
          "title": "Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation",
          "url": "https://bulwarkblack.com/fake-google-security-check-transforms-browser-into-surveillance-toolkit-via-pwa-installation/",
          "date": "2026-03-02"
        }
      ]
    },
    {
      "indicator": "googlel.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "googles.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "googles.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "googlett.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "googllabwws.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "gosiweb.gosiclass.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "gov.vn",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "group.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "gtaldps31c.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "gy4q3fpx3gh77gw.kk5yuzmev2qbgulz.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "hackaday.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "faking-bluetooth-le-with-an-nrf24l01-module",
          "title": "FAKING BLUETOOTH LE WITH AN NRF24L01+ MODULE",
          "url": "https://bulwarkblack.com/faking-bluetooth-le-with-an-nrf24l01-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "hakeiwjs727wj.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "hamkorg.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "handala-hack.to",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-23",
      "last_seen": "2026-03-23",
      "reports": [
        {
          "slug": "fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations",
          "title": "FBI Flash Alert: Iranian Handala Hackers Weaponize Telegram for Malware C2 Operations",
          "url": "https://bulwarkblack.com/fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations/",
          "date": "2026-03-23"
        }
      ]
    },
    {
      "indicator": "handala-redwanted.to",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-23",
      "last_seen": "2026-03-23",
      "reports": [
        {
          "slug": "fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations",
          "title": "FBI Flash Alert: Iranian Handala Hackers Weaponize Telegram for Malware C2 Operations",
          "url": "https://bulwarkblack.com/fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations/",
          "date": "2026-03-23"
        }
      ]
    },
    {
      "indicator": "haobbao.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "HaveIBeenPwned.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "soundcloud-data-breach-exposes-29-8-million-user-accounts",
          "title": "SoundCloud Data Breach Exposes 29.8 Million User Accounts",
          "url": "https://bulwarkblack.com/soundcloud-data-breach-exposes-29-8-million-user-accounts/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "healightejustb.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "heilbronner-fruehlingssymposium.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "heliosup.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "hell1-kitty.cc",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-31",
      "last_seen": "2026-03-31",
      "reports": [
        {
          "slug": "deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign",
          "title": "DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign",
          "url": "https://bulwarkblack.com/deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign/",
          "date": "2026-03-31"
        }
      ]
    },
    {
      "indicator": "help.evilginx.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "help.ivanti.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "hewktree.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "hexsdk.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "hightkdhe.store",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "higoksbupwou.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "holiday-updateservice.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-31",
      "last_seen": "2026-03-31",
      "reports": [
        {
          "slug": "deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign",
          "title": "DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign",
          "url": "https://bulwarkblack.com/deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign/",
          "date": "2026-03-31"
        }
      ]
    },
    {
      "indicator": "homeatedke.store",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "honidoo.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "horizon3.ai",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-01-29",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        },
        {
          "slug": "solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass",
          "title": "SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass",
          "url": "https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "hs-sites-na2.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "hti-245401512.hs-sites-na2.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "hubergroup.tech",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "hubergroup.tech-department.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "huggingface.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "Hunt.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019",
          "title": "DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019",
          "url": "https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "Hunter.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-12",
      "last_seen": "2024-01-12",
      "reports": [
        {
          "slug": "the-bug-hunters-methodology-live",
          "title": "THE BUG HUNTERS METHODOLOGY LIVE",
          "url": "https://bulwarkblack.com/the-bug-hunters-methodology-live/",
          "date": "2024-01-12"
        }
      ]
    },
    {
      "indicator": "huygdr12.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "HyMbvhNq.tor2web.in",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "HyMbvhNq.tor2web.it",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "HyMbvhNq.tor2web.re",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "icekancusjhea.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ico.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "ico.org.uk",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "icp0.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ident.me",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "idstandsuui.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "image-support.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "image-vlt.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "imagestore-hub.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "imagevault-safe.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "index.ht",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "indoodchat.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "info-zoomapp.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "ingest.filen.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "instant-update.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "interoperability.blob.core.windows.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "investigation-launches-hearings-copying.trycloudflare.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ip-api.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-05-23",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        },
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        },
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "ip-scanner.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "ip.sb",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "ipapi.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "ipinfo.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "iplogger.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "itsec.hboeck.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "linux-kernel-ipsec-attack-surface-reduction",
          "title": "Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority",
          "url": "https://bulwarkblack.com/linux-kernel-ipsec-attack-surface-reduction/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "ivanti-pulsesecure.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "ivanti-secure-access.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "ivanti-vpn.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "jarvis001.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "jo2c9ada427c6-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "joincroud.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "jscdnpack.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-07",
      "last_seen": "2024-01-07",
      "reports": [
        {
          "slug": "javascript-malware-50000-bank-users-at-risk-worldwide",
          "title": "JavaScript Malware: 50,000+ Bank Users at Risk Worldwide",
          "url": "https://bulwarkblack.com/javascript-malware-50000-bank-users-at-risk-worldwide/",
          "date": "2024-01-07"
        }
      ]
    },
    {
      "indicator": "judiemkqjajsfzpidfjlowgl8nyrtd49x.oast.fun",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "justicehomeland.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-23",
      "last_seen": "2026-03-23",
      "reports": [
        {
          "slug": "fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations",
          "title": "FBI Flash Alert: Iranian Handala Hackers Weaponize Telegram for Malware C2 Operations",
          "url": "https://bulwarkblack.com/fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations/",
          "date": "2026-03-23"
        }
      ]
    },
    {
      "indicator": "justwatch.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "karmabelow80.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-23",
      "last_seen": "2026-03-23",
      "reports": [
        {
          "slug": "fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations",
          "title": "FBI Flash Alert: Iranian Handala Hackers Weaponize Telegram for Malware C2 Operations",
          "url": "https://bulwarkblack.com/fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations/",
          "date": "2026-03-23"
        }
      ]
    },
    {
      "indicator": "Kaushalya.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "Kawpow.asia",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "Kawpow.asia.mine.zergpool.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "kawpow.eu",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "kawpow.eu.mine.zergpool.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "Kawpow.na",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "Kawpow.na.mine.zergpool.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "kaztelecom.shop",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "kellyhrservices-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "kellyservices-hr.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "kellyservicesheadhunter-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "kellyserviceshr-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "kellyservicesrecruitmentdep-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "kellystreets.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "kelopins.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "kentjerk.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "keypmenu.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "khyes001ndfpnuewdm.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "kiamatka.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "kinghoruswe.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "kiptownim.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "kk5yuzmev2qbgulz.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "kohlhoff-edelstahlverarbeitung.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "Kore.ai",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ks501oz9nm3v05.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "kskxoscieontrolanel.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ksv01sokudwongsj.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "kwywztxoo2xdot.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "ky1d1p1daahe5t.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "lcskiecjj.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "lcskiecs.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ld-linux-x86-64.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "ld.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "ledger.setuptransactioncheck.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "lestresot.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "libethscsi.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "velvet-ant-operation-highland-authentication-stack-defense",
          "title": "Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure",
          "url": "https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "licencemanagers.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "LicenceSupporting.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "lists.gnu.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "litellm.cloud",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-04-02",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        },
        {
          "slug": "litellm-supply-chain-attack-teampcp-deploys-multi-stage-credential-stealer-to-95m-monthly-downloads",
          "title": "LiteLLM Supply Chain Attack: TeamPCP Deploys Multi-Stage Credential Stealer to 95M Monthly Downloads",
          "url": "https://bulwarkblack.com/litellm-supply-chain-attack-teampcp-deploys-multi-stage-credential-stealer-to-95m-monthly-downloads/",
          "date": "2026-04-02"
        }
      ]
    },
    {
      "indicator": "lookinlip.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "losiesca.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "lpanel-bckaoplsks.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "lpanel-bumaepxuje-iframe.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "lpanel-bumaepxuje.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "lpanel-kkbnukltpo.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "lps2staging.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "lrtechs.backlog.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "lrtechs.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "lrtechs.co.jp",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "lsls.casacam.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ltiuys.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ltiuys.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mailsdy.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "maliclick1.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "malpedia.caad.fkie.fraunhofer.de",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-05",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        },
        {
          "slug": "dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019",
          "title": "DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019",
          "url": "https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "malvuln.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "backdoor-win32-carbanak-anunak-named-pipe-null-dacl",
          "title": "Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL",
          "url": "https://bulwarkblack.com/backdoor-win32-carbanak-anunak-named-pipe-null-dacl/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "Marinetraffic.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "the-underground-economist-volume-4-issue-1",
          "title": "The Underground Economist: Volume 4, Issue 1",
          "url": "https://bulwarkblack.com/the-underground-economist-volume-4-issue-1/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "marketcredibilitysignals.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "marktkarree-langenfeld.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "Match.com",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-01-30",
      "last_seen": "2026-03-31",
      "reports": [
        {
          "slug": "shinyhunters-breaches-european-commission-350gb-of-sensitive-data-exfiltrated-from-aws-cloud",
          "title": "ShinyHunters Breaches European Commission: 350GB of Sensitive Data Exfiltrated from AWS Cloud",
          "url": "https://bulwarkblack.com/shinyhunters-breaches-european-commission-350gb-of-sensitive-data-exfiltrated-from-aws-cloud/",
          "date": "2026-03-31"
        },
        {
          "slug": "match-group-data-breach-exposes-user-information-from-tinder-hinge-and-okcupid",
          "title": "Match Group Data Breach Exposes User Information from Tinder, Hinge, and OkCupid",
          "url": "https://bulwarkblack.com/match-group-data-breach-exposes-user-information-from-tinder-hinge-and-okcupid/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "matchinternal.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "match-group-data-breach-exposes-user-information-from-tinder-hinge-and-okcupid",
          "title": "Match Group Data Breach Exposes User Information from Tinder, Hinge, and OkCupid",
          "url": "https://bulwarkblack.com/match-group-data-breach-exposes-user-information-from-tinder-hinge-and-okcupid/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "mauritasszddb.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mc.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-23",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "mckinseyhrcompany-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "meeting.bulletmailer.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "meetlng.group",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "meetls.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mega.nz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "tgr-sta-1030-espionage-campaign-compromises-70-organizations-across-37-nations-using-shadowguard-linux-rootkit",
          "title": "TGR-STA-1030 Espionage Campaign Compromises 70 Organizations Across 37 Nations Using ShadowGuard Linux Rootkit",
          "url": "https://bulwarkblack.com/tgr-sta-1030-espionage-campaign-compromises-70-organizations-across-37-nations-using-shadowguard-linux-rootkit/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "metamask.awaitingfor.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "methodicalness.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "Microsoft.bumbleshrimp.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mindssurpass.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "minemine.gleeze.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "ministrew.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "ml3.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mlksucnayesk.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mmmfaco2025.mywire.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mms.bumbleshrimp.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mmvmtools.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mod.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-23",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "models.litellm.cloud",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-04-02",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        },
        {
          "slug": "litellm-supply-chain-attack-teampcp-deploys-multi-stage-credential-stealer-to-95m-monthly-downloads",
          "title": "LiteLLM Supply Chain Attack: TeamPCP Deploys Multi-Stage Credential Stealer to 95M Monthly Downloads",
          "url": "https://bulwarkblack.com/litellm-supply-chain-attack-teampcp-deploys-multi-stage-credential-stealer-to-95m-monthly-downloads/",
          "date": "2026-04-02"
        }
      ]
    },
    {
      "indicator": "modgood.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mononapfp.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "mononapfpcom.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "montagelips.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "Mosplosaq.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ms-25h2-download.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-21",
      "last_seen": "2026-02-21",
      "reports": [
        {
          "slug": "facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware",
          "title": "Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware",
          "url": "https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/",
          "date": "2026-02-21"
        }
      ]
    },
    {
      "indicator": "ms-25h2-update.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-21",
      "last_seen": "2026-02-21",
      "reports": [
        {
          "slug": "facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware",
          "title": "Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware",
          "url": "https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/",
          "date": "2026-02-21"
        }
      ]
    },
    {
      "indicator": "ms-record.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "ms-record.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "ms-tray.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "ms25h2-download.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-21",
      "last_seen": "2026-02-21",
      "reports": [
        {
          "slug": "facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware",
          "title": "Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware",
          "url": "https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/",
          "date": "2026-02-21"
        }
      ]
    },
    {
      "indicator": "ms25h2-update.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-21",
      "last_seen": "2026-02-21",
      "reports": [
        {
          "slug": "facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware",
          "title": "Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware",
          "url": "https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/",
          "date": "2026-02-21"
        }
      ]
    },
    {
      "indicator": "msft.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "autojack-ai-agent-localhost-rce-boundaries",
          "title": "AutoJack Shows AI Browsing Agents Need Localhost Boundaries",
          "url": "https://bulwarkblack.com/autojack-ai-agent-localhost-rce-boundaries/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "my.f5.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "myconnection.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "mypbx.pstn.ashburn.twilio.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2025-07-18",
      "last_seen": "2025-07-18",
      "reports": [
        {
          "slug": "complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution",
          "title": "Complete Guide: Setting Up FreePBX with VPS, Docker, and VPN (CGNAT Bypass Solution)",
          "url": "https://bulwarkblack.com/complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution/",
          "date": "2025-07-18"
        }
      ]
    },
    {
      "indicator": "mysql.casacam.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "mywire.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "NanoMatrix.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "nenigncagvawr.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nenignenigoncqvoo.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nenigoncqnutgo.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nenigoncuopzc.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "neo.herosms.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "netml.shop",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "Netovrema.pw",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "ngrok-free.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "nims.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nisaldwoa.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "niscarea.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "nixonpeabody.tech",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "nixonpeabody.tech-department.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "nmszablogs.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nodekeny11.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nodjs2o25nodjs.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "nova.smshero.ai",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "Npeoples.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ns1.exchange4study.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "ns1.onedriveconsole.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "ns1.suspended-domain.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "ns2.onedriveconsole.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "nwphotoblog.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "oastify.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "OemHwUpd.sy",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach",
          "title": "EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach",
          "url": "https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "officeshan.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "oicm.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "oigotm.my",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "okendo.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "okkstt.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "oldatain1.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "onedow.gesecole.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "onedown.gesecole.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "onedrive-7tu.techroboticslabmade-techie-com-s-account.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "onedriveconsole.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "onezipapp.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "tamperedchef-signed-productivity-apps-malware-defense",
          "title": "TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default",
          "url": "https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "online.zp.ua",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "onlyosun.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "opmanager.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "opposesicknessopw.pw",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "organization.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "osandamalith.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "osix.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ottawacitizen.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "kimwolf-arrest-iot-ddos-defense",
          "title": "Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT",
          "url": "https://bulwarkblack.com/kimwolf-arrest-iot-ddos-defense/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "ovh1kn1tcqw5kp.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "ovmmiuy.mywire.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "p2pool.it",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "packages.npm.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "axios-npm-supply-chain-attack-deploys-cross-platform-rat-to-83-million-weekly-users",
          "title": "Axios npm Supply Chain Attack Deploys Cross-Platform RAT to 83 Million Weekly Users",
          "url": "https://bulwarkblack.com/axios-npm-supply-chain-attack-deploys-cross-platform-rat-to-83-million-weekly-users/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "packetsdk.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "packetsdk.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "packetsdk.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "pad.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-23",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "pages.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "palamolscueajfvc.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "panel.hewktree.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "param.name",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "prompt-injection-rce-ai-agent-frameworks",
          "title": "Prompt Injection Just Became an RCE Problem for AI Agents",
          "url": "https://bulwarkblack.com/prompt-injection-rce-ai-agent-frameworks/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "parkspringshotel.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "passkeyadd.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pink-extortion-m365-vishing-cloud-data-defense",
          "title": "Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls",
          "url": "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "passkeydeploy.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pink-extortion-m365-vishing-cloud-data-defense",
          "title": "Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls",
          "url": "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "pastebin.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "pawanp.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "payload.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "pcmainecia.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "PcSKnocJ.tor2web.in",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "PcSKnocJ.tor2web.it",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "PcSKnocJ.tor2web.re",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "pcvmts3.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "PDF-Brain.app",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "PDF-Ninja.app",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "PeerDistSvcManagers.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "peisuesacae.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "penskecar.riersrmissecured.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "penskecar.rsrmissecured.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "peowork.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "pepesetup.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "perimeter81support-my.sharepoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "pessa07tm.my",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "pewsus.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "pg.ae",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "uefi-secure-boot-bypass-dbx-revocation-defense",
          "title": "Vendor-Signed UEFI Apps Show Secure Boot Still Depends on Revocation Hygiene",
          "url": "https://bulwarkblack.com/uefi-secure-boot-bypass-dbx-revocation-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "philion.store",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "photo-21473.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photo-box.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photo-dekor.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photo-hub-io.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photobook-reserv.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photobookadm.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photodoc-secure.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "photosafe-hub.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "phutho.duchop.gov.vn",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "pivot.notemacro.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "plcoaweniva.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "plug-tab-protective-relay.trycloudflare.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "pn-connection.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "PolicyAgent.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "politefrightenpowoa.pw",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "polokinyea.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "polyfill.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "Polyfill.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "polyfillcache.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "pool.supportxmr.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "pplodsssead222.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "pplosad231.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ppsaBedon.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "prdanjana01.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "pre.alwayswait.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "prejointl.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "Premier-HealthAdvisory.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "PremierHealthAdvisory.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "PremierHealthAdvisory.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "prepaid127.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "PRIFTP.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "prihxlcs.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "prihxlcsw.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "privnote.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "protacik.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "pub-3bc1de741f8149f49bdbafa703067f24.r2.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "publisher.name",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "putty.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "new-go-loader-pushes-rhadamanthys-stealer",
          "title": "New Go loader pushes Rhadamanthys stealer",
          "url": "https://bulwarkblack.com/new-go-loader-pushes-rhadamanthys-stealer/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "pxlaxvvva.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "q0r2e5q2dzbykcox9qmkptm12s8mwb.oastify.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "QuantumWeave.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "quitgod2023luck.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "r2.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "rabbit.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "racestrech.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "Ramiltons-finance.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "Ramiltonsfinance.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "Ramiltonsfinance.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "Ransomware.live",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-17",
      "last_seen": "2026-05-17",
      "reports": [
        {
          "slug": "grafana-github-token-breach-source-code-defense",
          "title": "Grafana GitHub Token Breach Shows Why Source Code Access Needs Guardrails",
          "url": "https://bulwarkblack.com/grafana-github-token-breach-source-code-defense/",
          "date": "2026-05-17"
        }
      ]
    },
    {
      "indicator": "raxelpak.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-15",
      "last_seen": "2026-02-15",
      "reports": [
        {
          "slug": "microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging",
          "title": "Microsoft Exposes DNS-Based ClickFix Attack: Nslookup Commands Used for Stealth Malware Staging",
          "url": "https://bulwarkblack.com/microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging/",
          "date": "2026-02-15"
        }
      ]
    },
    {
      "indicator": "readysafe.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "real-update.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "recallnine.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "recargapopular.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "fake-openai-hugging-face-infostealer-ai-supply-chain-risk",
          "title": "Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here",
          "url": "https://bulwarkblack.com/fake-openai-hugging-face-infostealer-ai-supply-chain-risk/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "recepyman.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "recstrace.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "redcanary.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "redmaple.tech",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "relay.tor2socks.in",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "reliableinteractions.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "reliablesupport.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "replit.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "res.cloudinary.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "reservebookphot.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "resumebuilders.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-10",
      "last_seen": "2026-03-10",
      "reports": [
        {
          "slug": "blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files",
          "title": "BlackSanta EDR Killer Campaign Targets HR Departments Through Weaponized Resume Files",
          "url": "https://bulwarkblack.com/blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files/",
          "date": "2026-03-10"
        }
      ]
    },
    {
      "indicator": "retrodayaengineering.icu",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "rev.sh",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "revitpourtous.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "riersrmissecured.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "root.chkstate.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "root.security-update.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "rsm323.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "rsrmissecured.top",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "saf3asg.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "safe-picvault.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "safedep.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "safedoc-storage.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "safedoc-vault.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "safedocphoto.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "safefor.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "safephoto-vault.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "safeup.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "safeupload.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "safevault-hub.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "sahibndn.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "scan.aquasecurtiy.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "scheta.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "Scopps.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sdhite43.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sdsuytoins63.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sec-safe-dc.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "second.awaitingfor.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "second.systemupdate.cloud",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "secondshop.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "secondshop.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "section.name",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "secure-imagehub.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "securityintelligence.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "selfad.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "seo.ai",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "custom-gpts-a-case-of-malware-analysis-and-ioc-analyzing",
          "title": "Custom GPTs: A Case of Malware Analysis and IoC Analyzing",
          "url": "https://bulwarkblack.com/custom-gpts-a-case-of-malware-analysis-and-ioc-analyzing/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "septcntr.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "serious.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "servicewithoutinterruption.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "setupcodpr2.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sfrclak.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "axios-npm-supply-chain-attack-deploys-cross-platform-rat-to-83-million-weekly-users",
          "title": "Axios npm Supply Chain Attack Deploys Cross-Platform RAT to 83 Million Weekly Users",
          "url": "https://bulwarkblack.com/axios-npm-supply-chain-attack-deploys-cross-platform-rat-to-83-million-weekly-users/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "sgsn.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sh.azurestaticprovider.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-17",
      "last_seen": "2026-05-17",
      "reports": [
        {
          "slug": "node-ipc-npm-supply-chain-ci-secrets-defense",
          "title": "node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls",
          "url": "https://bulwarkblack.com/node-ipc-npm-supply-chain-ci-secrets-defense/",
          "date": "2026-05-17"
        }
      ]
    },
    {
      "indicator": "sharepoint.com",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2024-01-09",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        },
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "shopping5.shop",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "sigmasearchengine.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "signsafe.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "signsafe.xyz",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "signspace.cloud",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "fox-tempest-code-signing-trust-weaponized",
          "title": "Fox Tempest Shows Code Signing Trust Can Be Weaponized",
          "url": "https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "simple-help.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "singtelcom.site",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "sinterfumesco.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "Smartfren.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sn0son4t31bbsvopou.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sn0son4t31opc.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "snapkeep.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "Snort.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "mediainfolib-parser-bugs-file-metadata-execution-boundary",
          "title": "MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary",
          "url": "https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "soc.hero-sms.co",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "socksescort.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-15",
      "last_seen": "2026-03-15",
      "reports": [
        {
          "slug": "operation-lightning-global-takedown-of-socksescort-botnet-that-enslaved-369000-routers-in-163-countries",
          "title": "Operation Lightning: Global Takedown of SocksEscort Botnet That Enslaved 369,000 Routers in 163 Countries",
          "url": "https://bulwarkblack.com/operation-lightning-global-takedown-of-socksescort-botnet-that-enslaved-369000-routers-in-163-countries/",
          "date": "2026-03-15"
        }
      ]
    },
    {
      "indicator": "socprime.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "soft-hub.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "soft-server.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "sonicwall-netextender.nl",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "soovuy.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sophos-connect.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "souls-entire-defined-routes.trycloudflare.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "spark.herosms.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "sparkle-project.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "sparkpostmail1.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "splunkds.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "spx.pamconj.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "sqwas.shapelie.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "srt.tw",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "stablewebsystems.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "stark-industries.solutions",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "start-download.gleeze.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "static.cdncounter.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "storageplace.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "stream.bybit.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "studio-velte-distributor.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "styuij.mywire.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "sun1.space",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "sundhed.dk",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-02",
      "last_seen": "2026-02-02",
      "reports": [
        {
          "slug": "russian-legion-hacker-alliance-launches-opdenmark-campaign-against-danish-critical-infrastructure",
          "title": "Russian Legion Hacker Alliance Launches OpDenmark Campaign Against Danish Critical Infrastructure",
          "url": "https://bulwarkblack.com/russian-legion-hacker-alliance-launches-opdenmark-campaign-against-danish-critical-infrastructure/",
          "date": "2026-02-02"
        }
      ]
    },
    {
      "indicator": "supceasfg1.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "support.ms",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "support.ms-live.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "support.video-meeting.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "suspended-domain.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "swissborg.blog",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "system.updatecheck.store",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "systemgroup.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "systemsz.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t.me",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "t2.funnull.host",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "t31c0mjumpcuyerop.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t31c0mopamcuiomx.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t31c0mopmiuewklg.webredirect.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t31c0mopocuveop.accesscam.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t3lc0mcanyqbfac.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t3lc0mczmoihwc.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t3lc0mh4udncifw.casacam.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t3lc0mhasvnctsk.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "t3lm0rtlcagratu.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "tab1eu.ithr.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "tapnetic.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-12",
      "last_seen": "2026-02-12",
      "reports": [
        {
          "slug": "aiframe-campaign-30-fake-ai-chrome-extensions-with-300k-users-steal-credentials-gmail-content",
          "title": "AiFrame Campaign: 30 Fake AI Chrome Extensions with 300K Users Steal Credentials, Gmail Content",
          "url": "https://bulwarkblack.com/aiframe-campaign-30-fake-ai-chrome-extensions-with-300k-users-steal-credentials-gmail-content/",
          "date": "2026-02-12"
        }
      ]
    },
    {
      "indicator": "tbhmlive.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-12",
      "last_seen": "2024-01-12",
      "reports": [
        {
          "slug": "the-bug-hunters-methodology-live",
          "title": "THE BUG HUNTERS METHODOLOGY LIVE",
          "url": "https://bulwarkblack.com/the-bug-hunters-methodology-live/",
          "date": "2024-01-12"
        }
      ]
    },
    {
      "indicator": "tch.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        },
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "teaak.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "teannviewer.ithr.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "tech-department.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "telcomn.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "telecom.webredirect.org",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "telegram.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "telen.bumbleshrimp.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "telkom.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "telkomservices.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "terraform-bedrock-deploy.tf",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "testdomain123123.shop",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-15",
      "last_seen": "2026-02-15",
      "reports": [
        {
          "slug": "microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging",
          "title": "Microsoft Exposes DNS-Based ClickFix Attack: Nslookup Commands Used for Stealth Malware Staging",
          "url": "https://bulwarkblack.com/microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging/",
          "date": "2026-02-15"
        }
      ]
    },
    {
      "indicator": "thbio.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "thc.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "velvet-ant-operation-highland-authentication-stack-defense",
          "title": "Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure",
          "url": "https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "thecybersecguru.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "meta-ai-support-bot-account-recovery-risk",
          "title": "Meta AI Support Bot Abuse Shows Account Recovery Is Part of the Identity Perimeter",
          "url": "https://bulwarkblack.com/meta-ai-support-bot-account-recovery-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "thecyberwire.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "ThemesDNA.com",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-01-31",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "uac-0050-targets-european-financial-institution-in-strategic-phishing-campaign",
          "title": "UAC-0050 Targets European Financial Institution in Strategic Phishing Campaign",
          "url": "https://bulwarkblack.com/uac-0050-targets-european-financial-institution-in-strategic-phishing-campaign/",
          "date": "2026-02-27"
        },
        {
          "slug": "global-energy-systems-exposed-widespread-cybersecurity-gaps-found-in-power-grid-ot-networks",
          "title": "Global Energy Systems Exposed: Widespread Cybersecurity Gaps Found in Power Grid OT Networks",
          "url": "https://bulwarkblack.com/global-energy-systems-exposed-widespread-cybersecurity-gaps-found-in-power-grid-ot-networks/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "ThemesManagers.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "ThemesProviderManagers.azurewebsites.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "thresumebuilder.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-10",
      "last_seen": "2026-03-10",
      "reports": [
        {
          "slug": "blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files",
          "title": "BlackSanta EDR Killer Campaign Targets HR Departments Through Weaponized Resume Files",
          "url": "https://bulwarkblack.com/blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files/",
          "date": "2026-03-10"
        }
      ]
    },
    {
      "indicator": "timpe.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "timpe.webredirect.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "tlse001hdfuwwgdgpnn.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "tltlsktelko.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "tnetworkslicense.ru",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "transfer.weepee.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "transport.dynuddns.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "trezor.authentication-check.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "Tria.ge",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "tripadvisor-photo-view.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "Trojan.Shell.Agent.gn",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "trueconf.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "trustbastion.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "trustedengagement.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "trvcl.bumbleshrimp.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "trycloudflare.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ttsiou12.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "twilio.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2025-07-18",
      "last_seen": "2025-07-18",
      "reports": [
        {
          "slug": "complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution",
          "title": "Complete Guide: Setting Up FreePBX with VPS, Docker, and VPN (CGNAT Bypass Solution)",
          "url": "https://bulwarkblack.com/complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution/",
          "date": "2025-07-18"
        }
      ]
    },
    {
      "indicator": "u.id",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-02-14",
      "last_seen": "2024-02-14",
      "reports": [
        {
          "slug": "endpoints-vs-routes-what-every-api-hacker-needs-to-know",
          "title": "Endpoints vs Routes: What every API hacker needs to know",
          "url": "https://bulwarkblack.com/endpoints-vs-routes-what-every-api-hacker-needs-to-know/",
          "date": "2024-02-14"
        }
      ]
    },
    {
      "indicator": "ua2o25yth.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "udieyg.gleeze.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ukpkmkk.so",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "ukr.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "uninterruptedperformance.de",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "unnjunnani.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "Unstructured.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-14",
      "last_seen": "2026-02-14",
      "reports": [
        {
          "slug": "critical-unstructured-io-vulnerability-cve-2025-64712-threatens-ai-pipelines-at-amazon-google-and-fortune-1000-enterprises",
          "title": "Critical Unstructured.io Vulnerability CVE-2025-64712 Threatens AI Pipelines at Amazon, Google, and Fortune 1000 Enterprises",
          "url": "https://bulwarkblack.com/critical-unstructured-io-vulnerability-cve-2025-64712-threatens-ai-pipelines-at-amazon-google-and-fortune-1000-enterprises/",
          "date": "2026-02-14"
        }
      ]
    },
    {
      "indicator": "updatamail.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "updatasuccess.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "update-check.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-28",
      "last_seen": "2026-03-29",
      "reports": [
        {
          "slug": "infinity-stealer-new-macos-infostealer-combines-clickfix-social-engineering-with-nuitka-compilation",
          "title": "Infinity Stealer: New macOS Infostealer Combines ClickFix Social Engineering with Nuitka Compilation",
          "url": "https://bulwarkblack.com/infinity-stealer-new-macos-infostealer-combines-clickfix-social-engineering-with-nuitka-compilation/",
          "date": "2026-03-29"
        },
        {
          "slug": "infinity-stealer-new-macos-infostealer-uses-clickfix-and-nuitka-compilation-to-evade-detection",
          "title": "Infinity Stealer: New macOS Infostealer Uses ClickFix and Nuitka Compilation to Evade Detection",
          "url": "https://bulwarkblack.com/infinity-stealer-new-macos-infostealer-uses-clickfix-and-nuitka-compilation-to-evade-detection/",
          "date": "2026-03-29"
        },
        {
          "slug": "infinity-stealer-new-macos-malware-uses-clickfix-lures-and-nuitka-compiled-python-payload",
          "title": "Infinity Stealer: New macOS Malware Uses ClickFix Lures and Nuitka-Compiled Python Payload",
          "url": "https://bulwarkblack.com/infinity-stealer-new-macos-malware-uses-clickfix-lures-and-nuitka-compiled-python-payload/",
          "date": "2026-03-28"
        }
      ]
    },
    {
      "indicator": "updateservices.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "updatetools.giize.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "urgent-update.cloud",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "urlscan.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "us.zoom.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "USCARGOEXPRESSyahoo.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "uscplxsecjs.ddnsgeek.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "user.id",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-02-14",
      "last_seen": "2024-02-14",
      "reports": [
        {
          "slug": "endpoints-vs-routes-what-every-api-hacker-needs-to-know",
          "title": "Endpoints vs Routes: What every API hacker needs to know",
          "url": "https://bulwarkblack.com/endpoints-vs-routes-what-every-api-hacker-needs-to-know/",
          "date": "2024-02-14"
        }
      ]
    },
    {
      "indicator": "USOShared1.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "v46wd6uramzkmeeo.in",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "v5rjsdqogstopr.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "vals.bumbleshrimp.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "vass.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "vass2025.casacam.net",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "vebrf.digital",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "Venice.ai",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "VerifiedVoting.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "vertualstreak.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "visa-safedocs.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "visa-vault.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "visaimage-storage.icu",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "visaimages.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "visaphoto-secure.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "visaphoto-vault.info",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "vision.stark-industries.solutions",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "vmtools.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "vmtools.loseyourip.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "voicemail-59f.admin-treyripple-com-s-account.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "voicemail-lyr.nbuckley-cambek-com-s-account.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "voicemail-wx7.mark-squires-expressrancnes-com-s-account.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "vosies.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "vpaspmine.freeddns.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "vpn-fortinet.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "watchguard-vpn.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "wdlcamaakc.ooguy.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "weatherdataai.theworkpc.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "web.commoncome.online",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "web071zoom.us",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "webhook.site",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-24",
      "reports": [
        {
          "slug": "apt28-deploys-operation-macromaze-webhook-based-macro-malware-targets-european-entities",
          "title": "APT28 Deploys Operation MacroMaze: Webhook-Based Macro Malware Targets European Entities",
          "url": "https://bulwarkblack.com/apt28-deploys-operation-macromaze-webhook-based-macro-malware-targets-european-entities/",
          "date": "2026-02-24"
        },
        {
          "slug": "apt28-targets-european-entities-with-operation-macromaze-webhook-malware-campaign",
          "title": "APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign",
          "url": "https://bulwarkblack.com/apt28-targets-european-entities-with-operation-macromaze-webhook-malware-campaign/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "webmicrosoftservicesystem.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "wellnesscaremed.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-02-10",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        },
        {
          "slug": "apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday",
          "title": "APT28 Exploited CVE-2026-21513 MSHTML Zero-Day as Attack Vector Before February Patch Tuesday",
          "url": "https://bulwarkblack.com/apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday/",
          "date": "2026-03-03"
        },
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "widjssij728dj.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "wigetticks.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "wikipedla.blog",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "willmam.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "Winbuzzer.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-08",
      "last_seen": "2026-02-08",
      "reports": [
        {
          "slug": "flickr-data-breach-exposes-user-information-through-third-party-email-vendor-vulnerability",
          "title": "Flickr Data Breach Exposes User Information Through Third-Party Email Vendor Vulnerability",
          "url": "https://bulwarkblack.com/flickr-data-breach-exposes-user-information-through-third-party-email-vendor-vulnerability/",
          "date": "2026-02-08"
        }
      ]
    },
    {
      "indicator": "winfoss1.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "wizzleticks.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "wk.goldeyeuu.io",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-07",
      "last_seen": "2026-02-07",
      "reports": [
        {
          "slug": "apt-q-27-goldeneyedog-deploys-fileless-malware-in-stealthy-corporate-network-attacks",
          "title": "APT-Q-27 (GoldenEyeDog) Deploys Fileless Malware in Stealthy Corporate Network Attacks",
          "url": "https://bulwarkblack.com/apt-q-27-goldeneyedog-deploys-fileless-malware-in-stealthy-corporate-network-attacks/",
          "date": "2026-02-07"
        }
      ]
    },
    {
      "indicator": "wool-basalt-clock.glitch.me",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "writeup.live",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ws-api.binance.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "ws-feed-public.sandbox.exchange.coinbase.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "ws-feed.exchange.coinbase.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "www.aikido.dev",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-01-27",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "red-hat-miasma-npm-supply-chain-trusted-publishing-defense",
          "title": "Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary",
          "url": "https://bulwarkblack.com/red-hat-miasma-npm-supply-chain-trusted-publishing-defense/",
          "date": "2026-06-03"
        },
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        },
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "www.ambitiouspr.co.uk",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "how-to-communicate-a-cyber-breach-to-minimize-reputational-damage",
          "title": "How to communicate a cyber breach to minimize reputational damage",
          "url": "https://bulwarkblack.com/how-to-communicate-a-cyber-breach-to-minimize-reputational-damage/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "www.circoloesteri.it",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "www.crystalpdf.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "tamperedchef-signed-productivity-apps-malware-defense",
          "title": "TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default",
          "url": "https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "www.cve.org",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-01-31",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "apache-apisix-auth-bypass-plugin-review",
          "title": "Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review",
          "url": "https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/",
          "date": "2026-06-19"
        },
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "www.cvedetails.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "www.cyfirma.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "www.darktrace.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "www.dropbox.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "www.drs.gov.ua",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "www.garykessler.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "www.hightkdhe.store",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "www.homeatedke.store",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "www.hudsonrock.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "www.lumen.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "www.mediafire.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "www.moltbook.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "www.news9live.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "www.philion.store",
      "type": "Domains",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "www.r-tec.net",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "www.ransomware.live",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "www.schneier.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "www.securityjoes.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout",
          "title": "Hide and Seek in Windows’ Closet: Unmasking the WinSxS Hijacking Hideout",
          "url": "https://bulwarkblack.com/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "www.sparkfun.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "faking-bluetooth-le-with-an-nrf24l01-module",
          "title": "FAKING BLUETOOTH LE WITH AN NRF24L01+ MODULE",
          "url": "https://bulwarkblack.com/faking-bluetooth-le-with-an-nrf24l01-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "www.tarlogic.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "www.treadstone71.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs",
          "title": "APT31’s Multi-Year Cyber Espionage Campaign Against Czech Ministry of Foreign Affairs",
          "url": "https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "www.trustbastion.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "xcit76.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "xtibh.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "xverse.app",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "yaga9b286ae2c101-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "yasomawork.space",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "yj6jurm5qqkye5.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "yourname.pstn.ashburn.twilio.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2025-07-18",
      "last_seen": "2025-07-18",
      "reports": [
        {
          "slug": "complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution",
          "title": "Complete Guide: Setting Up FreePBX with VPS, Docker, and VPN (CGNAT Bypass Solution)",
          "url": "https://bulwarkblack.com/complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution/",
          "date": "2025-07-18"
        }
      ]
    },
    {
      "indicator": "ysiohbk.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ytgw-9n30-xlwd.pvasquez-princetonpartners-com-s-account.workers.dev",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "z6e43e5886fe-endpoint.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "zammffayhd.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zenmap.pro",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "zhydromet.com",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "zmcmvmbm.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zoom.app",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "zoonn.ithr.org",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "zoonn.meetlng.group",
      "type": "Domains",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "zwmn350n3o1fsdf3gs.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zwmn350n3o1ugety2xbe.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zwmn350n3o1vsdrggs.ddnsfree.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zwt310n3o1unety2kab.webredirect.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zwt310n3o2unety6a3k.kozow.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zwt31n3t0nidoqmve.camdvr.org",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "zwt3ln3t1aimckalw.theworkpc.com",
      "type": "Domains",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "attacker@xyz.com",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-03-23",
      "last_seen": "2026-03-23",
      "reports": [
        {
          "slug": "unit-42-warns-ai-agents-could-enable-gift-card-theft-and-returns-fraud-at-scale",
          "title": "Unit 42 Warns: AI Agents Could Enable Gift Card Theft and Returns Fraud at Scale",
          "url": "https://bulwarkblack.com/unit-42-warns-ai-agents-could-enable-gift-card-theft-and-returns-fraud-at-scale/",
          "date": "2026-03-23"
        }
      ]
    },
    {
      "indicator": "cloud-init@mail.io",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "cloud-noc@mail.io",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "contact@sygnia.co",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "velvet-ant-operation-highland-authentication-stack-defense",
          "title": "Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure",
          "url": "https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "lucian_constantin@foundryco.com",
      "type": "Email Addresses",
      "report_count": 2,
      "first_seen": "2026-02-14",
      "last_seen": "2026-03-07",
      "reports": [
        {
          "slug": "sap-netweaver-critical-zero-day-cve-2025-31324-under-active-exploitation-by-initial-access-brokers",
          "title": "SAP NetWeaver Critical Zero-Day (CVE-2025-31324) Under Active Exploitation by Initial Access Brokers",
          "url": "https://bulwarkblack.com/sap-netweaver-critical-zero-day-cve-2025-31324-under-active-exploitation-by-initial-access-brokers/",
          "date": "2026-03-07"
        },
        {
          "slug": "cve-2026-1731-critical-beyondtrust-remote-support-vulnerability-under-active-exploitation",
          "title": "CVE-2026-1731: Critical BeyondTrust Remote Support Vulnerability Under Active Exploitation",
          "url": "https://bulwarkblack.com/cve-2026-1731-critical-beyondtrust-remote-support-vulnerability-under-active-exploitation/",
          "date": "2026-02-14"
        }
      ]
    },
    {
      "indicator": "ops@rescana.com",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched",
          "title": "Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched",
          "url": "https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "schneier@schneier.com",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "victim.user@company.com",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "victim.user@organization.com",
      "type": "Email Addresses",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "0xd67f158b2bcc819eee7029f3477f0270ec1d37b4",
      "type": "Ethereum Addresses",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "1.1.1.10",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access",
          "title": "Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access",
          "url": "https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "1.3.6.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "1.46.6.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "1.9.2.13",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "knowledgedeliver-viewstate-shared-machine-key-defense",
          "title": "KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius",
          "url": "https://bulwarkblack.com/knowledgedeliver-viewstate-shared-machine-key-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "101.36.105.222",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "103.112.211.167",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "103.177.183.165",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "103.214.172.33",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "103.28.36.105",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "103.59.160.237",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "104.155.129.177",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "104.155.178.59",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "104.168.214.151",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "104.197.169.222",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "104.207.144.154",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "104.21.51.8",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "104.233.156.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "104.28.195.105",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.195.106",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.212.114",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.212.115",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.227.105",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.227.106",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.244.114",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "104.28.244.115",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "108.187.7.133",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "109.205.195.211",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "109.248.24.177",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "116.169.244.208",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "116.203.243.208",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "116.63.177.49",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "118.194.238.51",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "119.0.0.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "12.2.1.4",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-25",
      "reports": [
        {
          "slug": "oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager",
          "title": "Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager",
          "url": "https://bulwarkblack.com/oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager/",
          "date": "2026-03-25"
        }
      ]
    },
    {
      "indicator": "12.5.1.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "12.6.1.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "12.7.0.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "12.8.0.0",
      "type": "IPv4",
      "report_count": 2,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        },
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "121.0.0.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "knowledgedeliver-viewstate-shared-machine-key-defense",
          "title": "KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius",
          "url": "https://bulwarkblack.com/knowledgedeliver-viewstate-shared-machine-key-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "13.227.180.4",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-18",
      "last_seen": "2026-02-18",
      "reports": [
        {
          "slug": "threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities",
          "title": "Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities",
          "url": "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/",
          "date": "2026-02-18"
        }
      ]
    },
    {
      "indicator": "13.62.52.206",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "130.94.6.228",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "134.122.13.34",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "134.209.69.155",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-13",
      "last_seen": "2026-02-13",
      "reports": [
        {
          "slug": "metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware",
          "title": "Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware",
          "url": "https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/",
          "date": "2026-02-13"
        }
      ]
    },
    {
      "indicator": "135.237.122.202",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "136.0.8.48",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "136.113.159.75",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "136.243.203.109",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "136.243.203.111",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "138.0.0.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "138.197.14.95",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "138.199.246.13",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "139.180.134.221",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "139.180.219.115",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "139.59.150.7",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "139.84.227.139",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "139.84.236.237",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "14.1.2.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-25",
      "reports": [
        {
          "slug": "oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager",
          "title": "Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager",
          "url": "https://bulwarkblack.com/oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager/",
          "date": "2026-03-25"
        }
      ]
    },
    {
      "indicator": "140.233.190.96",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "142.11.200.186",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "142.11.200.187",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "142.11.200.188",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "142.11.200.189",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "142.11.200.190",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "142.111.152.50",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "143.204.11.112",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "144.0.0.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "144.172.100.228",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "144.172.102.88",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz",
          "title": "UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz",
          "url": "https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "144.172.103.200",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "144.172.106.66",
      "type": "IPv4",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "144.172.112.136",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz",
          "title": "UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz",
          "url": "https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "144.172.117.112",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz",
          "title": "UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz",
          "url": "https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "146.0.0.0",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "146.19.216.119",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "146.19.216.120",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "146.19.216.125",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "146.70.100.69",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "148.113.208.227",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "148.135.44.146",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "149.104.66.84",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "149.28.128.128",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "149.28.139.125",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "149.28.25.33",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "152.58.47.83",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "154.198.48.57",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "154.205.154.194",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "154.205.154.65",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "154.205.154.70",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "154.205.154.82",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "154.211.86.110",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "154.223.21.130",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "154.223.21.194",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "154.39.137.203",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "154.39.142.177",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "154.81.166.17",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "154.84.63.184",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor",
          "title": "Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor",
          "url": "https://bulwarkblack.com/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "155.2.215.64",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "158.247.238.240",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "162.33.179.46",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "165.22.184.26",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "170.130.55.223",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "171.22.183.43",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "172.67.161.215",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "172.67.196.232",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft",
          "title": "FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft",
          "url": "https://bulwarkblack.com/fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "172.86.123.179",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "172.86.127.128",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz",
          "title": "UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz",
          "url": "https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "172.93.100.252",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pink-extortion-m365-vishing-cloud-data-defense",
          "title": "Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls",
          "url": "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "172.96.137.160",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "173.212.205.251",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-22",
      "reports": [
        {
          "slug": "cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-22"
        },
        {
          "slug": "cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure",
          "title": "CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        },
        {
          "slug": "critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure",
          "title": "Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure",
          "url": "https://bulwarkblack.com/critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "174.169.162.62",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "176.113.115.224",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "176.113.115.226",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "176.113.115.227",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "176.113.115.229",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "176.113.115.232",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "176.120.22.24",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "176.123.4.44",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "storm-2949-cloud-identity-breach-defense",
          "title": "Storm-2949 Shows Cloud Breaches Start With Identity, Not Malware",
          "url": "https://bulwarkblack.com/storm-2949-cloud-identity-breach-defense/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "176.65.139.31",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "178.128.212.209",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "178.16.54.253",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "178.16.54.27",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "178.16.55.179",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "178.62.63.125",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "178.79.188.181",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "179.43.146.42",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "179.43.172.213",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "179.43.176.32",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "179.43.185.226",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "18.139.83.110",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "18.223.24.218",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "185.135.79.200",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-07",
      "last_seen": "2026-02-07",
      "reports": [
        {
          "slug": "apt-q-27-goldeneyedog-deploys-fileless-malware-in-stealthy-corporate-network-attacks",
          "title": "APT-Q-27 (GoldenEyeDog) Deploys Fileless Malware in Stealthy Corporate Network Attacks",
          "url": "https://bulwarkblack.com/apt-q-27-goldeneyedog-deploys-fileless-malware-in-stealthy-corporate-network-attacks/",
          "date": "2026-02-07"
        }
      ]
    },
    {
      "indicator": "185.174.100.203",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "185.178.208.153",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pink-extortion-m365-vishing-cloud-data-defense",
          "title": "Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls",
          "url": "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "185.195.232.139",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "185.196.10.247",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "185.196.10.38",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "185.204.1.225",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "shai-hulud-cicd-cloud-identity-redshift-defense",
          "title": "Shai Hulud Shows CI/CD Identity Is Production Cloud Identity",
          "url": "https://bulwarkblack.com/shai-hulud-cicd-cloud-identity-redshift-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "185.220.101.15",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "185.241.208.243",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "storm-2949-cloud-identity-breach-defense",
          "title": "Storm-2949 Shows Cloud Breaches Start With Identity, Not Malware",
          "url": "https://bulwarkblack.com/storm-2949-cloud-identity-breach-defense/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "185.65.245.10",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "185.93.89.145",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "188.40.187.145",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "192.121.22.94",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "192.161.60.132",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "192.236.146.173",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "192.236.147.131",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "192.236.147.138",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "192.236.154.158",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "192.42.116.14",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "192.9.141.111",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "193.141.60.212",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "193.143.1.104",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "193.160.216.221",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach",
          "title": "EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach",
          "url": "https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "193.202.84.32",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "193.242.184.150",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "193.42.11.108",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "194.127.167.92",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "194.127.178.21",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "194.135.25.132",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "194.163.175.135",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "194.233.100.40",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "194.233.92.26",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "194.76.226.93",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "194.87.92.109",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "195.123.211.70",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "195.123.226.235",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "196.13.207.92",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "197.51.170.131",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "198.12.106.60",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "198.23.185.238",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "2.59.132.106",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "20.12.7.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.12.7.2",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.15.4.4",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.15.4.5",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.15.5.2",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.15.5.3",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.18.3.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.9.9.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "20.9.9.2",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "200.79.113.136",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "201.144.122.58",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "201.144.122.60",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "202.142.184.234",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "202.144.192.47",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "202.182.102.5",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "202.59.10.122",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "204.152.223.172",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "204.93.253.180",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "206.189.27.39",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "206.238.115.58",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "207.148.120.52",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "207.148.121.95",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "207.148.73.18",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "208.95.112.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "212.104.141.140",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "kadnap-botnet-hijacks-14000-asus-routers-using-novel-kademlia-dht-protocol-for-stealth-c2",
          "title": "KadNap Botnet Hijacks 14,000+ ASUS Routers Using Novel Kademlia DHT Protocol for Stealth C2",
          "url": "https://bulwarkblack.com/kadnap-botnet-hijacks-14000-asus-routers-using-novel-kademlia-dht-protocol-for-stealth-c2/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "212.11.64.105",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "212.11.64.250",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "open-source-cyberstrikeai-tool-weaponized-in-ai-driven-fortigate-attacks-across-55-countries",
          "title": "Open-Source CyberStrikeAI Tool Weaponized in AI-Driven FortiGate Attacks Across 55 Countries",
          "url": "https://bulwarkblack.com/open-source-cyberstrikeai-tool-weaponized-in-ai-driven-fortigate-attacks-across-55-countries/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "212.83.162.37",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "213.159.64.191",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "213.165.51.115",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "216.126.225.129",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "216.126.225.156",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems",
          "title": "Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems",
          "url": "https://bulwarkblack.com/hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "216.126.227.101",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "216.238.112.222",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "216.238.123.242",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "216.238.94.37",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "217.119.139.50",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "217.15.160.247",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "217.15.164.147",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "223.6.249.141",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-13",
      "last_seen": "2026-02-13",
      "reports": [
        {
          "slug": "metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware",
          "title": "Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware",
          "url": "https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/",
          "date": "2026-02-13"
        }
      ]
    },
    {
      "indicator": "23.128.228.6",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pan-os-globalprotect-cve-2026-0257-vpn-log-review",
          "title": "PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching",
          "url": "https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "23.162.40.187",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "23.27.143.170",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "23.27.201.160",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "26.1.1.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "26.1.1.2",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "cisco-sdwan-cve-2026-20245-edge-controller-defense",
          "title": "Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "34.171.37.34",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "34.173.176.171",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "34.30.49.235",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "34.34.57.141",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "34.34.81.129",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "34.63.142.34",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "34.66.36.38",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "34.69.200.125",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "34.9.139.206",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "35.188.114.132",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "35.192.38.204",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions",
          "title": "AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions",
          "url": "https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "35.192.41.201",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "patriot-bait-ai-enabled-fraud-trust-attack-surface",
          "title": "Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface",
          "url": "https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "36.255.98.152",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "36.255.98.159",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "36.255.98.160",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "36.255.98.165",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "36.255.98.179",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "37.1.209.19",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-28",
      "last_seen": "2026-01-28",
      "reports": [
        {
          "slug": "fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready",
          "title": "Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready",
          "url": "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/",
          "date": "2026-01-28"
        }
      ]
    },
    {
      "indicator": "37.19.221.180",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "38.180.205.14",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.181.52.89",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "38.54.112.184",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.54.125.134",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "38.54.31.146",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.54.32.244",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.54.37.196",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.54.82.69",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.60.171.242",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.60.194.21",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.60.199.34",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "38.60.214.92",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "38.60.224.25",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "38.60.252.66",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "4.239.95.1",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "4.4.3.12",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "43.134.52.221",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "43.134.90.60",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "43.156.77.97",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "43.159.168.186",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "43.162.84.202",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "43.165.6.36",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "45.135.162.90",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "45.148.10.212",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "45.32.106.94",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "45.32.113.172",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "45.32.150.251",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "45.32.151.157",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "45.59.160.199",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-23",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "45.61.137.126",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "45.61.150.96",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "45.76.157.113",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "45.76.184.214",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "45.76.210.43",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "45.77.254.168",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "45.77.34.194",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "45.77.41.141",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "45.78.214.188",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "45.90.59.129",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "45.93.20.195",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "45.93.20.61",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "47.104.248.7",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "47.237.140.12",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "47.237.15.197",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "47.238.184.9",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "chinese-apt-groups-leverage-peckbirdy-javascript-c2-framework-since-2023",
          "title": "Chinese APT Groups Leverage PeckBirdy JavaScript C2 Framework Since 2023",
          "url": "https://bulwarkblack.com/chinese-apt-groups-leverage-peckbirdy-javascript-c2-framework-since-2023/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "47.76.100.159",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "47.82.154.2",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "47.83.124.121",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "47.86.33.195",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "47.86.5.176",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "49.51.68.143",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "5.101.84.202",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "5.109.182.231",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-13",
      "last_seen": "2026-02-13",
      "reports": [
        {
          "slug": "metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware",
          "title": "Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware",
          "url": "https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/",
          "date": "2026-02-13"
        }
      ]
    },
    {
      "indicator": "5.34.176.6",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "60.2.1.3",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "62.171.153.47",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "62.171.185.97",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "62.60.131.180",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "62.60.131.184",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "62.60.131.187",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "62.60.131.191",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "62.60.131.204",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "62.72.21.10",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "64.176.43.209",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "64.190.113.170",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "64.31.28.221",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "64.94.84.97",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "64.95.10.115",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "64.95.10.253",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "65.20.104.91",
      "type": "IPv4",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "65.20.67.134",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "67.206.213.86",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "69.10.60.250",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach",
          "title": "EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach",
          "url": "https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "70.23.0.66",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "70.34.242.255",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-17",
      "last_seen": "2026-03-17",
      "reports": [
        {
          "slug": "glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers",
          "title": "GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers",
          "url": "https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/",
          "date": "2026-03-17"
        }
      ]
    },
    {
      "indicator": "71.80.85.135",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "72.60.98.48",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "78.40.209.32",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "79.135.105.208",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "8.210.178.40",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "8.210.50.65",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "8.212.169.27",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "8.220.135.151",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "8.220.177.252",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "8.220.184.177",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "8.222.134.149",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-04",
      "last_seen": "2026-06-04",
      "reports": [
        {
          "slug": "error-524-smishing-fraud-infrastructure-cti-defense",
          "title": "Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI",
          "url": "https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/",
          "date": "2026-06-04"
        }
      ]
    },
    {
      "indicator": "82.29.53.187",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "82.29.72.16",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "83.138.53.110",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "83.138.53.139",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "83.229.126.195",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "84.32.84.32",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "85.155.186.121",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "89.125.244.33",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "89.125.244.51",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "89.22.231.63",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-29",
      "last_seen": "2026-06-29",
      "reports": [
        {
          "slug": "shai-hulud-cicd-cloud-identity-redshift-defense",
          "title": "Shai Hulud Shows CI/CD Identity Is Production Cloud Identity",
          "url": "https://bulwarkblack.com/shai-hulud-cicd-cloud-identity-redshift-defense/",
          "date": "2026-06-29"
        }
      ]
    },
    {
      "indicator": "91.208.197.87",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "storm-2949-cloud-identity-breach-defense",
          "title": "Storm-2949 Shows Cloud Breaches Start With Identity, Not Malware",
          "url": "https://bulwarkblack.com/storm-2949-cloud-identity-breach-defense/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "91.92.240.140",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "91.92.242.200",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "92.204.243.155",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "92.223.44.134",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "93.115.10.35",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "95.182.100.231",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "95.217.97.121",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "96.232.20.66",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-06-06",
      "last_seen": "2026-06-06",
      "reports": [
        {
          "slug": "pink-extortion-m365-vishing-cloud-data-defense",
          "title": "Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls",
          "url": "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/",
          "date": "2026-06-06"
        }
      ]
    },
    {
      "indicator": "98.10.233.76",
      "type": "IPv4",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "00857cca77b615c369f48ead5f8eb7f3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "00dd47af3db45548d2722fe8a4489508",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "01d3ed1c228f09d8e56bfbc5f5622a6c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "03860d116701cdc9d9bf9c45099bb3d3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "08ad2c2877edda9a050b81d011c1c003",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "098d697f29b94c11b52c51bfe8f9c47d",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "0af11f610da1f691e43173d44643283f",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "0c855f87a7574b28df383eca5084fcdc",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "0ca37675d75af0e7def0025cd564d6c5",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "10cd1ef394bc2a2d8d8f2558b73ac7b8",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "11e7baca7e652995b2364fdab0d362b7",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "1243968876262c3ad4250e1371447b23",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "124a48b78060fa851e1cc077ca35713c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "154ff6774294e0e6a46581c8452a77de",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "15bdc66aca9fb7290165d460e6a993a9",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "1653d75d579872fadec1f22cf7fee3c0",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "17082531775760189576112827972435",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "17baae144d383e4dc32f1bf69700e587",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "19a7e16332a6860b65e6944f1f3c5001",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "1aae8bf580c846f39c71c05898e57e88",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "1ee10fa01587cec51f455ceec779a160",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "1F65544978B8EA0E745E573B8EE9684B",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "22e32bcf113326e366ac480b077067cf",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "248a4d7d4c48478dcbeade8f7dba80b3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "24FCEBDEECBA65004FDB0923763D74FD",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "25908558764390958596189327204542",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "261a409946b6b4d9ce706242a76134e3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "2690f7c685784fff006fe451fa3b154c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "269af2751efee65b1ab00622816c83e6",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "2B499EB3865A7EF17264D15252B7F73E",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "2c42253ebf9a743814b9b16a89522bef",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "2cd4eb358c45ca783a20ec854a5a860c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "2e5d1a352885a6efd84dbc0387cbc79e",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "2f7b4dca1c79e525aef8da537294a6c4",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "30851d4a2b31e9699084a06e765e21b0",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "31b88dd319af8e4b8a96fc9732ebc708",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "31d58c226fc5a0aa976e13ca9ecebcc8",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "338662fd0c4d750a0ba203a32b59f081",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "358c2969041c8be74ce478edb2ffcd19",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "364d4fdf430477222fe854b3cd5b6d40",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "389447013870120775556bb4519dba97",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "38c8d80dd32d00e9c9440a498f7dd739",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "3b7b4f2d33bdfb8a31b480d0eb2815cd",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "3bbe4dfe3134c8a7928d10c948e20bee",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "3bc1de741f8149f49bdbafa703067f24",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "4214818d7cde26ebeb4f35bc2fc29ada",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "4727582023cd8071a6f388ea3ba2feaa",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "476bce9b9a387c5f39461d781e7e22b9",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "4a94d2b730a5a63e6cd54a9b0bb4ea71",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "4e0c37cbf4dde9683943c8a738e5b00a",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "4f6b9c644d4fe517889b3fbb0b4271ca",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "50f341b24cb75f37d042d1e5f9e3e5aa",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "51dec3e170f8a181cc9aea8dcc90c7ab",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "529fe6eff1cf452680976087e2250c02",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "57dac5f7d21da2454d0fbefdced80bf3",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "583fe1c1a39f6b873a5c0997bea1f657",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "585322a931a49f4e1d78fb0b3f3c6212",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "5ad40a5fd18a1b57b69c44bc2963dc6b",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "5c6ff601ccc75e76c2fc99808d8cc9a9",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "5cb4f0084f3c25e640952753ed5b25d0",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "5d1ca537c4bedebf2f4d276d4199ea95",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "60bfe4f378e9f5a84183ac505a032228",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "6348b49f3499d760797247b94385fda3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "6422795a6df10c45c1006f92d686ee7e",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "697f182826495662427ca49edbb345fc",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "6aa93664b4852cb5bad84ba1a187f645",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "709d70239f1e9441e8e21fcacfdc5d08",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "7168ce5c6e5545a5b389db09c90038da",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "71d503709af88821c183a1d0b7ae06ec",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "71db2ae9c36403cec1fd38864d64f239",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "721606b3659f2c2d80a196ed3cd60053",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "72f60d7f4ce22db4506547ad555ea0b1",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "735069890a414869f0113de820ba9afb",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "73d26eb56e5a3426884733c104c3f625",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "74ea100b581ec32ea6c2ac2a0030a9f6",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "7581854ff6c890684823f3aed03c210f",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "76ACE3A6892C25512B17ED42AC2EBD05",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "776e86c13433747299a4e5f9f22e3415",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "7aae8fd9187c88dd0292cce1abd050e2",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "7c396677848776f9824ebe408bbba943",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "7e50c3f301dd045eb189ba1644ded155",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "7f94ed2d5f566c12de5ebe4b5e3d8aa3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "8006efb8dd703073197e5a27682b35bf",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "80676a539765a9e117f20b6b99887eca",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "81a578e065da1ccd8c81a8e90c309275",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "82160a7da5fc4c935e6f48d38a5aaaa6",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "82760B84F1D703D596C79B88BA4FAC1E",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "kazuar-p2p-botnet-russian-espionage-defense",
          "title": "Kazuar Shows Russian Espionage Malware Is Engineering for Resilience",
          "url": "https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "859c4b85ed85e6cc4eadb1a037a61e16",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "893f735e9a8cc9814dc6eccd5579561c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "8a9bd7e7a806b2cc606b7a1d8f495662",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "8b21a945159f23b740c836eb50953818",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "8c113b3aa82c81eee7c6b4ed0ba9a90f",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "8c5b72906e8183037532afc3f4639931",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "8f8942cd14f646f59729f83cbd4c357b",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "8fceea4fd9ce32dd620ccd580297c7c5",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "92d8bd2a6ee7f6d5c84e037066ce0539",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "931cec3c80c78d233e3602a042a2e71b",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "9551b4af789b2db563f9452eaf46b6aa",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "95e59536455a089ced64f5af2539a449",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "963f473f1734d8b3fbb8c9a227c06d07",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "993AE4FE78B879239BDC14DFBC0963CD",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "9b435ad985b733b64a6d5f39080f4ae0",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "9C872A0D5D5A38950E8B9AC9B488BE3F",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "9CBD560F820C95D7C38342CD558CB5C6",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "9d3f61dcaba90db2ede1c1906a80ace2",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "a023a6b15419600dc3f6b93e11761dfe",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "a070b77c5028d7a5d2895f1c9d35016f",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "a0eb7e480752d494709c63aa35ccf36c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "a1a35afebb585917675534de3d610c93",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "a26f2b97ca4e2b4b5d58933900f02131",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "A514D1BB62D7916475946FE7C07AC0AA",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "a6ce961f487b4cbdfe68d0a249647c48",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "a73526d89e5fb7b57f50d8da340e53e9",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "a8d3b9e1f5c7024d6e0b7a2c9f1d83e5",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "AA3086BE652C8B20B0B29B2730D57119",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "ab1e8693931f8c694247d96cf5a85197",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "abd11823ddcc3d746ad8621e677a93eb",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "ad556f4eb48e7dba6da14444dcce3170",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "ae776206422e886961eefb358c4fefda",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "af4760df2c08896a9638e26e7dd20aae",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "b2e9a6412fd7c068a5d7c38d0afd946f",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "B3352B42432DEDC4A519F011DC8B5D5A",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "b567bfdaac131a2d8a23ad8fd450a31d",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "b5b42ac289581b3387ebf120129a19a6",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "b62c906078644edd3439e2d986abd2e2",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "b68e019efb39b85f5a0326e22fd4498a",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "b716a8a742fec3084b0f497abbfecfc0",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "b8e1e5b832e5947f41fd6ae6ef6d09a1",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "backdoor-win32-carbanak-anunak-named-pipe-null-dacl",
          "title": "Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL",
          "url": "https://bulwarkblack.com/backdoor-win32-carbanak-anunak-named-pipe-null-dacl/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "bc6b87c79bc71a78da623d031ec1a958",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "c0de41e45352714500771d43f0d8c4c3",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "c10333c92889b65c3590ef2b3819b420",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c42c7a2ea1c2f00dddb0cc4c8bfb5bcf",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "c446682f33641cff21083ac2ce477dbe",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "C559CC68986933200FD5D9E4388E2F58",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "c6f0c8d41b9ad4f079161548d2435d80",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "c8eb024c053f82831f2738bd48afc256",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "ca8646dfc88423bb9fffda811160cebe",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "cfe47df26c8eaf0a7c136b50c703e173",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "d184d705189e42b54c6243a55d6c9502",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "d42595b695fc008ef2c56aabd8efd68e",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d47261e52335b516a777da368208ee91",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "d63805e89053716b6ab93ce6decf8450",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "d75246d230f22b1da6bbf5fceeed2ef2",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "d8529855fab4b4aa6c2b34449cb3b9fb",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "d8b0fd515d860be2969cf441ea3b620d",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "d8b31f8c03e0c76ff245ed05a15ffe6c",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "D98F568496512E4F98670C61C97CB07A",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "strikeshark-sharkloader-cobalt-strike-defense",
          "title": "StrikeShark Shows Loader Malware Is an Edge-Exposure Problem",
          "url": "https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "da9cff1b478b64d47b68d50330e96c60",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "de2381ccba8aa44b77bda1c971a33b5e",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "dreambus-unleashes-metabase-mayhem-with-new-exploit-module",
          "title": "DreamBus Unleashes Metabase Mayhem With New Exploit Module",
          "url": "https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "de93e85199240de761a8ba0a56f0088d",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "e33f942cf1479ca8530a916868bad954",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "e4a5c4b205e1b80dc20d9a2fb4126d06",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "e8680d17fba6425e4a9bb552fb8db2b1",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "e9fdd703e60b31eb803b1b59985cabec",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ea6615942f2c23dba7810a6f7d69e2da",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ead0d7a8ae0a6ffb7f0a5873fec4ff5e",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "eb5e96e05129e5691f9677be4e396c88",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "ed54cf1ebffbfc1c8ae1ccdd2c681012",
      "type": "md5",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "eda0525c078f5a216a977bc64e86160a",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "edcdba624ddb43c2a1dcf334aa493068",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "ee0b44346db028a621d1dec99f429823",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "f05d0b13c633ad889334781cf4091d3e",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "f1bad0efbd3bd5a4202fe740756f977a",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "f1d2af27b13cd3424556b18dfd3cf83f",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "f34d5f2d4577ed6d9ceec516c1f5a744",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "f35b05779e9538cec363ca37ab38e287",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "f3b869a8d5ad243e35963ba6d7f89855",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "f8bb2528bf35f8c11fbc4369e68c4038",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "fc874c42ea76dd5f867649cbdf81e39b",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "fece5b954e69b2c6a8d0a1029631a0d7",
      "type": "md5",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "87YLCx7zEFghgMEeZvJCZ3gHyS3fUsbAnXSTH8nh8EP7SeptPH8Pnh18snravwhE3dfRt5x67aWo8e6tSJ2cv4mpRNkSdqL",
      "type": "Monero Addresses",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "88H9UmU6QyYiGeZdR6hXZJXtJF9Z8zLHDQbC1NV1PDdjCynBq3QKzB1fo1NRhgMX4cBx68Rva5msyKW3PGXfPhCA4itHmiv",
      "type": "Monero Addresses",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "Mutex: Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7",
      "type": "Mutex Names",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "05ef26965be930fade49e5dcba73b9fefc04757e",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "0891663bc55073747be0eb864fbec3727840945d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "0902d7915a19975817ec1ccb0f2f6714aed19638",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "0c5077e51419868618aeaa5fe8019c62421857d6",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "red-hat-miasma-npm-supply-chain-trusted-publishing-defense",
          "title": "Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary",
          "url": "https://bulwarkblack.com/red-hat-miasma-npm-supply-chain-trusted-publishing-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "0d49ceb356f7d4735c63bd0d5c7e67665ec7f80c",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "17e771c78430cc67e71d4547f8996a1a488e9d3f",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "18aa49e5f42ceaf9f010f01a396f625100c7aad8",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "18f01febc4c3cd70ce6b94b70e69ab866fc033f5",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "19851bef764b57ff95b35e66589f31949eeb229d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "1d74e4cf63b7cf083cf92bf5923cf037f7011c6b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "2087bb914327e937ea6e77fe6c832576338c2af8",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "21a435ecaa7b86efbec7f6fb61fcda3da686125c",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "2297a1b967ecc05ba2285eb6af56ab4da554ecae",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "22da6a104149cad87d5ec5da4c3153bebf68c411",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "22e864e71155122e2834eb0c10d0e7e0b8f65aa3",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "23b6f9c00b9d5475212173ec3cbbcff34c4400a7",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "252554b0e1130467f4301ba65c55a9c373508e35",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "276ca9680f6df9016db12f7c48571e5c4639451d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "2a51c5c5bb1fd1f0e134c9754f1702cfa359c3dd",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "2b170a6d90fceba72aba3c7bc5c40b9725f43788",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "2b1dac84ff12ba56158b3a97e2941a587cb20da9",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "2b631d0ee47650923955398921c1ceccc3e38cb1",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "2e7964d59cd24d1fd2aa4d6a5f93b7f09ea96947",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "2e8ea913573610667ad54e31dba2e8198ebf7cf9",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "mcp-server-command-injection-ai-tool-isolation",
          "title": "MCP Server Command Injection Shows Why AI Tools Need Real Isolation",
          "url": "https://bulwarkblack.com/mcp-server-command-injection-ai-tool-isolation/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "3201ddddd69a1419c6f1511a14c5945ba3217126",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "384add36b52014a0f99c0ab3a3d58bd47e53d00f",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "38623bf26706d51c45647909dcfb669825442804",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "386c0f18ac3d7f2ed33e2d884761119f4024ff8a",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "389b12da259a23fa4559eb1d97198120f2a722fe",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "3c615ac0f29e743eda8863377f9776619fd2db76",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "3d1b5be1589a83fc98b82781c263708b2eb3b47b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "3dffed04dc90cf1c548f40577d642c52241ec76c",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "405e91f329294fb696f55793203abf1f6aba9b40",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "4209dcadeaea6a7df69262fef1beeda940881d4d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "4592e6173a643699dc526778aa0a30330d16fe08",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "4bdcc5d9ef3ddb42ccc9126e6c07faa3df2807e3",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "506d7ff06abc509692c600b5b69b4dc6ceaa4b15",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "551bdf646df8e9abe04483882650a8ffae43cb55",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "555e7ad4c895c558c7214496df1cd56d1390c516",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "579a4584a6eef0a2453841453221d0fb25c08c89",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "5c7b2705155023e6e438399d895d30bf924e0547",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "61fbe20b7589e6b61eedcd5fe1e958e1a95fbd13",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "66c90331c8b991e7895d37796ac712b5895dda3b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "6d8d730153d6151e03549f276faca0275ed9c7b2",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "6ec7aaf336b7d2593d980908be9bc4fed6d407c6",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "6fc874a1f9d65052d4c67a314da1dae914f1daff",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "7550f14b64c1c724035a075b36e71423719a1f30",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "794b6d99daefd5e27ecb33e12691c4026739bf98",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "7a4b6f31edb8db48cc22a1d41e298b38c4a6417e",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "7b955a5ece1e1b085c12dac7ac10e0eb1f5b0d4d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "7bbb530eb77c6416f02813cd2764e49bd084465c",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "7e6d9dac619c04ae1b3c8c0906123e752ed66d63",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "fox-tempest-code-signing-trust-weaponized",
          "title": "Fox Tempest Shows Code Signing Trust Can Be Weaponized",
          "url": "https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "7f6f0ce52a59bdfc5757c3982aac2353b58f4c73",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "81c66c043982cfee9e60ae94203f4336da0b50c0",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "820428afeb64484d311211658383ce7f79d31a0a",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "848d665ed24dc1a41f6b4b7c7ffac7693d6b37be",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "8519037888b189f13047371758f7aed2283c6b58",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "85cb72f1e8ee5e6e44488cd6cbdbca94722f96ed",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "8a454e601c4f69576c4e4edd14b8d2a0c52eaf27",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "8aa8af3ea1de8e968a3e49a40afb063692ab8eae",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "8ae5a08aec3013ee8f6132b2a9012b45002f8eaa",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "8afa9b9f9183b4e00c46e2b82d34047e3c177bd0",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "8cfb9c31cc944da57458555aa398bb99336d5a1f",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "9092287c0339a8102f91c5a257a7e27625d9d029",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "91d5e0a13afab54533a95f8019dd7530bd38a071",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "91e7c2c36dcad14149d8e455b960af62a2ffb275",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "9738180dd24427b8824445dbbc23c30ffc1cb0d8",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "985447b035c447c1ed45f38fad7ca7a4254cb668",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "99b93c070aac11b52dfc3e41a55cbb24a331ae75",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "9ba3c3cd3b23d033cd91253a9e61a4bf59c8a670",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "9c000ba9d482773cbbc2c3544d61b109bc9eb832",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "9dcb994ea2b8e6169b76a524fae7b2d2dcd1807d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "9e8968cb83234f0de0217aa8c934a68a317ee518",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "a182e35da64e6d71cb55f125c4d4225196523f14",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019",
          "title": "DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019",
          "url": "https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "a5b4818debf2adbaba872aaffd6a0f64a26449fa",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "a9bc513ea7989e3234b395cafb8ed5ccc3755636",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "aa3c46a9643b18125abb8aefc13219014e9c4be8",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ab6606b76e5a054be08cab3d07da323e90e751e8",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ab82bf27132323861810c0efcac6d5dd01600dd4",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "ab92f731ab20774dfdb95664ee41a2fbafe2a284",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "acac5a9854650c4ae2883c4740bf87d34120c038",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "ad623e14ebdfe82b9627811d57b9a39e283d6128",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "b5224224fdbabdea53a91a96e9f816c6f9a8708c",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "b674578d4bdb24cd58bf2dc884eaa658b7aa250c",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "b7252377a3d82c73d497bfafa3eabe84de1d02c4",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "b745a35bad072d93a9b83080e9920ec52c6b5a27",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "b7befdc106c600585d3eec87d7e98e1c136839ae",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "b9faa60f85f6f780a34b8d0faaf45b3e3966fdda",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "bb75a9059c2d5803db49e6ed6c6f7e0b367f96be",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "bdf3779ddc10f241603be57a90865b680cde8c31",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "c19401b2f58dc6d2632cb473d44be98dd8292a93",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "c1b272067491258ea4a2b1d2789d82d157aaf90a",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "c4799d17a4343bd353e0edb0a4de248b99295d4d",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "c5967f85626795f647d4bf6eb67227f9b79e02f5",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "c8c84bf33c05fb3a69bc5e2d6377b73649b93dce",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ccba9f748aa8d50a38d7748e2e60362edd6a32cc",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "cea7e9323d79054f92634f4032c26d30c1cedd7e",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "cf1692a1fc7a47120e6508309765db7e33477946",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "cf19d27c8a7fb7a8bbf1e1000e9318749bcd82cf",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "d488f4388ff4aa268906e25c2144f1433a4edec2",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "d4fa57f9c9e35222a8cacddc79055c1d76907fb9",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "D577c4a264fee27084ddf717441eb89f714972a5",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "d66944e1a57daf04d3e809f22cd01946d593acaf",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "d788d85335e20bb1f173d4d0494629d36083dddc",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "d920ae0f8ea8b5bd42de49e01c6bbd4c2c6d0847",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "da1c3e92f69e6ca0e4f4823525905cb6969a44ad",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "da73ae0790e458e878b300b57ceb5f81ac573b46",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "dc0acb01e3086ea8a9cb144a5f97810d291020ce",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "fox-tempest-code-signing-trust-weaponized",
          "title": "Fox Tempest Shows Code Signing Trust Can Be Weaponized",
          "url": "https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "ddb6697447a97198bdef9bae00215059eb5e8bc2",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ddb94181dcbc723d96ffc07fddd14d97e4849016",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ddb9da4475c1cef7d5389062bdfdfbdbd1394648",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "red-hat-miasma-npm-supply-chain-trusted-publishing-defense",
          "title": "Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary",
          "url": "https://bulwarkblack.com/red-hat-miasma-npm-supply-chain-trusted-publishing-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "e0198fd2b6e1679e36d32933941182d9afa82f6f",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "e52a9f004f4359ea0f8f9c6eb91731ed78e5c4d3",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "e53b0483d08da44da9dfe8a84bf2837e5163699b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ea56cd31d82b853932d50f1144e95b21817e52cf",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ef3a510e3f94df3ea9fcd01621155ca5f2c3bf5b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "f4436225d8a5fd1715d3c2290d8a50643e726031",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "f4f1785be270ae13f36f6a8cfbf6faaae50e660a",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "f5c9fd927027beaa3760d2a84daa8b00e6e5ee21",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "f77738448eec70113cf711656914b61905b3bd47",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "f8444dfc740b94227ab9b2e757b8f8f1fa49362a",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "fa4209b6182a4c1609ce34d40b67f5cfd7f00f53",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "fa78e67c0df002c509bcdea88677fb5e2fe6a9b1",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "fd090040b5f584f4fcbe466878cb204d0735dcf4",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "fd429cf86db999572f3d9ca7c54561fdf7d388a4",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "fd702c02497b2f398e739e3119bed0b23dd7aa7b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "febbaf5f08a8e0782ffcce8beef1f2b4e249a52b",
      "type": "sha1",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "00735a8a50d2856c11150ef1e29c05acebce7ad3edad00e37c7f043aacb46330",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "01ac6012d4316b68bb3165ee451f2fcc494e4e37011a73b8cf2680de3364fcf4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb",
      "type": "sha256",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "023467e236a95d5f0e62e26445d430d749c59312f66cf136e6e2c2d526c46ba1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "0352f3e338261d98895df4c7b7a76b296485b2290c72bce56603351d167d0601",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "03926e3da998f32ad898b640bd15cf145768f9e849e6f18d81350234254c424e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "03eac9eb7f4b4bc494ef0496ee23cabbf38f883896838ed813741d8f64ac9fde",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "0434437a073a3f3a49e84d5ecb20c99dd551bacc32bf100fbb8cf67a50642181",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "045a1e42cb64e4aa91601f65a80ec5bd040ea4024c6d3b051cb1a6aa15d03b57",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "04ec44f2618460f5c77c5e56014a512cc03a123c9c5b6b6b1273e2a1681ac2e1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "04ef48b104d6ebd05ad70f6685ade26c1905495456f52dfe0fb42f550bd43388",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "06a2888c1f07119873ccb051221bd8717281494b33585f4242556e6e5e227969",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "06b23d84fd7afd525dfd7860ebd561dcdd72ccbeb51981d5d9a75acf068d0a2a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "06b4aebbc3cd62e0aadd1852102645f9a00cc7eea492c0939675efba7566a6de",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "075b20a21ea6a0d2201a12a049f332ecc61348fc0ad3cfee038c6ad6aa44e744",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "08701ed7975bf4f5688c2724d27ab497764200ad6f4dc53d3cc03b170378ced0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "097a87cfa4a5186aba3bba096866692951bde59c6f0c2e8c1c4a599246d14da8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "0a545dd1b703cddfb3d582c8c70f65f556bbd580bfa836a387121eb837bda61b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "0a6a67a2fc4d79ec1cd8afc5b8b7a5e69a406e53d57a7334e097c5d0644de5f6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "0a8555a71868749be8c905ed53296ce335af50a9262772b5e154ad3f9c35c2e4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "0a8cae96e25e85c612b0736fe886f9b124ad70ec425bc2ec1a8a4135b25436ba",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "0af4c52a1d13e4132a1843ce7727abcf0ddd4d1ca6a4b17cdf599ec3f355c241",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "0d6b083208097d5b3e189891338540f6c64faaaaf268b0bb0b085dd53d5857b4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "0e255b4b04f5064ff97da214050da81a823b3d99bce60cdd9ee90d913cc4a952",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "0ecc867ce916d01640d76ec03de24d1d23585eb582e9c48a0364c62a590548ac",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "0f5c81eaf35755a52e670c89b9546e7047828d83f346e3c29be1f6958e14a384",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "fox-tempest-code-signing-trust-weaponized",
          "title": "Fox Tempest Shows Code Signing Trust Can Be Weaponized",
          "url": "https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "11b71429869f29122236a44a292fde3f0269cde8eb76a52c89139f79f4b97e63",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "123aabf796106cfb2ab40cbbd43ba5b44fd937f1a5856e0a95640ba6f9d71843",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "1314fc888ca5b3ea91a04e1f5b63039ffc7fc3832b8d809a28ad549c6f9d4f23",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "13acadb3541e75af50e02d5be56c2238b93d8f154ce5514be1558e6ee59a1432",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "15489bcd6e4602b41c9a787ec8d7ab027d5e45d400938048bb1c702ad5937980",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "15d937803f90c2b9e277ff94d3e98ff30015ecc7f4623a158e3c98861e5cb278",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "15de71073f44c657c23f5f97caa11f1b12e654d4d17684bfc628cc1e5b6bcdd5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "1660536f448b8b9f086ce9ea3ce4e9deefc59a76711ea53ee6d8f08fc8c1bb99",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "166e777cb72a7c4e126f8ed97e0a82e7ca9e87df7793fea811daf34e1e7e47a6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "1682e8d82016b3f10434d2ebac995fd3b6aa812f079bfd7888652e94a994d851",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "16971f9706d70ac4925651c7c8719b9d77aff63e4c0a618129efc32c2c46b989",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "169a330353e53a409e0109c914404354741ff1e1c64e501738dc05e58ea92abc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "16b9a7358be88632378ba20ba1430786f3b844694b1f876211ecdbecf5cccbc2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "17652d7bb5fe0454023db4fc7f608df0dbe6af237be31258e16ba52f0e895e26",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "19139a525ee9c22efd6a4842c4cd50ab2c5f9ee391e5531071df0bb4e685f55d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "19e6ed42248f9d03beb343a7c09a864dcd3cd671c29e1e5eac93579225224ac9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "19f1a6b9ad1a9654e7c78fa2d37a3ec10192b01b636c5fc1995b80bf6f7dcb36",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "1a2ca8b8e0344fe3d80da7352206a470245443e2349a237bc093df934ddc011f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "1b5649b479fd625de5c8120873644b5eb669cc89cd504582c18e0ae350fd8823",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "1bae9f2fb9866422f07345501fa2cb4c3a99f2652c8c9decdc27ffbf9714e7bc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "1bd605ef84b6767df74bd6290f1468eed5a88264df23fcf70b6a75d5bdcf7d76",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "1bfa32548676d32b7639d3171e2f9feefba5026dc336968c91f4ae2b152c5410",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "1c693bcdaf1da636eb21c274b21cc2f6c52c62ddd514700783eee83fe13acb0a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "1cedf01dd4b7e50181d0e781825c66957b862941395d77c8bd7705114f319c80",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "1d567795a366b9edcfef7f1fa2d398b7cb41890dd3b2f3f1f9803de0cdba0c89",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "1db32411a88725b259a7f079bdebd5602f11130f71ec35bec9d18134adbd4352",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "1df8c579ffcbf5527b1856bd1774601a5188b380e442c5a0fbd400bd86a4501b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "1e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "1f5635a512a923e98a90cdc1b2fb988a2da78706e07e419dae9e1a54dd4d682b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "1f8daffec5945a13a1e9231f4a76655d4c7ef4560d0c64ca3abfe48f38297cbd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "1fc23ec18a94a599a34c74ef5f49a1e27acd37a07d5846661702b5e7e81a6a24",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "1fcdd5a417db31e5e07d32cecfa69e53f0dce95b7130ad9c03b92249f001801d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "1fe2be4582c4cbce8013c3506bc8b46f850c23937a564d17e5e170d6f60d8c08",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-02",
      "last_seen": "2026-03-02",
      "reports": [
        {
          "slug": "fake-google-security-check-transforms-browser-into-surveillance-toolkit-via-pwa-installation",
          "title": "Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation",
          "url": "https://bulwarkblack.com/fake-google-security-check-transforms-browser-into-surveillance-toolkit-via-pwa-installation/",
          "date": "2026-03-02"
        }
      ]
    },
    {
      "indicator": "201594c9d173bba6cb509407ecba378c19b93da0a81a2182a913c480e6dbb54e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2050468744e44554fac17fb83f1515c95f2f2236716e2b5267a81c2b94205e6a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "20bf39e1e67152039e70a01ad9e7b23c08d23d2a724ef9c44903f3d4353a2275",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "20fcba222f74dd68aaeb1f0ad30cdf702a828ee164a182b30d05d600c35b72d9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "21b24f7ee1f6bdbbb670f0394d66009ee0daa8ced57048298da715e88f7a7cdd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "2218904238dc4f8bb5bb838ed4fa779f7873814d7711a28ba59603826ae020aa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "2229e7f3cabbce4d67cd79c89fd5a100b20e8a99f4a2bf9aac77a978f49eb520",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "2231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "tamperedchef-signed-productivity-apps-malware-defense",
          "title": "TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default",
          "url": "https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "2303a74a5fac917279f1078e03a4bfd6afbb89462f97d7344ed10e6e9e9e92b7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb44",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "tamperedchef-signed-productivity-apps-malware-defense",
          "title": "TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default",
          "url": "https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "249a4c7cacdd8e99a2a089a5c0ce904f2eff22e0e40fcfb10f7824dca6c51ecb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "24ac3588fb8cfbff63b7fdfcbc7dec1f3c60e54e6f949dd69d68e89e0c89d966",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "2623c6e3c1f5a7b5e735a64813bc0e1382ae45831f5fadffb08c0e7b096627f7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "272c86c6db95f1ef8b83f672b65e64df16494cae261e1aba1aeb1e59dcb68524",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "2822c72a59b58c00fc088aa551cdeeb92ca10fd23e23745610ff207f53118db9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "29686c933cec1e274467e2dae264625ae6f754824bb7f550bc9c3131f625562c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "29c7fccc6ef8cbfe4da9a169c7c74bacaea1fb515a1fddef91ab1b1522f76e4c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "29f89486bb820d40c9bee8bf70ee8664ea270b16e486af4a53ab703996943256",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "2a02ec4af5ed591afdf1236a443e3b68642ee133f38a2857d1eada51246ab498",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "2abe0ef88ba92db79d82cde4c0ed1f382bb347517a54ea82084c841d0f955518",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "2af7b513c05e76d7da5f75bb0a223c894a706c99ef2c2ddfe4eae542f95a08e0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "2b7297a5f502a2e9a59066f0a370bc5a8b28addd0e27975db3d770f801c15397",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2b7696575278e6e223cc44553c687e45afd04df7eb32efbf49b39da64b795982",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "2ba527fb8e31cb209df8d1890a63cda9cd4433aa0b841ed8b86fa801aff4ccbd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "2bc8af4bd2f539630f7800f3491b64c7e2bffe12e955d0d4f03a4f6a4b0018bd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2c0b344af415b787b396c8e23bbeb112bd471a1ca1d12cf357c48e2ee1ae068c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2c3f2261b00ea45e25eb4e9de2b7ff8e41f311c0b3d986461f834022c08b3b99",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "2c40e7cf613bf2806ff6e9bc396058fe4f85926493979189dbdbc7d615b7cb14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "2c6e8f86c05781af12b323311e83e011f1a603928e2086c48e2ca59e33d90dbe",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2cbfc4e4b1de5e68ab81fba7e1b0c711b4d26197b48ea4db6819c9cea223b0ed",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2d1891b6d0c158ad7280f0f30f3c9d913960a793c6abcda249f9c76e13014e45",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "2e0e43776e2e1a37d882a1b2ebb7d337ee88950177e43831dae645a367824feb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "2e11a16f94484e0f43eb4572f800f26f0b4a1314cbdae3c44c1ae35f376906d8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "2e5fd01b7949a45937b853eabcf4b03195614cf84338dcaaa97240d1c5301ddc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "2ebc1b6cf543e2cb3f22d9a5b54b6676bb71dde98df7532f8791297734e44fdd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "2ed5660c7b768b4c2a7899d00773af60cd4396f24a2f7d643ccc1bf74a403970",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "2edb3f162f9676196e818d9b795d599ba119a961ffe98c4866351735980d213d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2ee667c0ddd4aa341adf8d85b54fbb2fce8cc14aa88967a5cb99babb08a10fae",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "2f1400a91c853d61622f4d21ed97d96ea1093c0fa1586669bea6f6baa331251f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "2f25ea1b622abf3212141af932c2ec4cbd6b2b5903c2a531121f691227d98cff",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "2f787c1454891b242ab221b8b8b420373c3eb1a0c1fdcb624dd800c50758bbb0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach",
          "title": "EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach",
          "url": "https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "3128bdb8efaaa04c0ba96337252f4cc2dc795021cbc410f74ace9dde958bac1d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "313853a82bce61052c00e6a6af85b5069e007a76122c727f31661bc636b12f14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "314ce675c040c63b825f213965f5c76a3bd09bf70e138708367e2a84e9e84b30",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "3169a6dbcce684e2c5a2f166996b58ffa673df6e58b8edf2bdf3e66271c8c69e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "32172e4d8d2ab9fb29b36c9b279117be6ff611b5b91ff7b1c42501a5ec969f2b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "323c3a91be60ebc3e06e942bad04899a15911cea23269e43d07829164b2ce5d4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "324d95024fc8da5c92b5a1f4825aed5a2a91c9ca8fb6aa52abb332a4c9cf4257",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "32ea41ff050f09d0b92967588a131e0a170cb46baf7ee58d03277d09336f89d9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "tackling-anti-analysis-techniques-of-guloader-and-redline-stealer",
          "title": "Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer",
          "url": "https://bulwarkblack.com/tackling-anti-analysis-techniques-of-guloader-and-redline-stealer/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "330efeebba3782994612fdfe20ff96c930af33a83b88a342b6622461511921b2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "33580073680016f23bf474e6e62c61bf6a776e561385bfb06788a4713114ba9d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "33c10b77e1da9f0679023d55fb3057879d15609db9c1d46ee5c3ff1240a3d052",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "34d64b3cd9430e85edefcb883973a086dd5de9917e05fabec89b1f4ab9627e91",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "34fcbe7e90fc87a4f3766469c19a64f24672d7adb99e0198f5ba10d58911368b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "35b51bbe42edd15918b015eaa1b4f0e6b5c94f186d71d887e39f1da69a4dec3f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "35dde1b2482b12582820a861e7c46f10721af6b75052fc872c05d2230a4e8ca1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "3627f582420ad2782d452fe6d13fae42658d1484296351d3916703e25dcadd14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "37b485ed8d150d022c41e5e307b8c54c34ef806625b44d0c940b18be7d5b29ce",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "3878dd5c8eba1e5b53ab2e07e7b5482e95a3fd3e98268bcd7861318bc9902376",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "38eeaa4eaad72feb3f8e6993565fcc548d8e7bb93642590f00fa24aacc0e2862",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "390bca9d70efa42cb792f7f677189821a24527cd4298ab2acb954df0abb5c1c3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "391e51354118fb87dc57650cbbd94258c3f7c0a0d6868040b7a473ad626ff25e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "39371ac7061168dd3d890061267b3875bc4b30dca5e28d40dbc27a4396439ff1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "3a0dd3479eaf85b65e5abd63d6451f98506faddee47cf4bebd9f91296abb29f0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "3a2df7a2cfeca5ba315a29cf313268a53a22316c925e6b9760ead8f4df0d1f75",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "3b47df790abb4eb3ac570b50bf96bb1943d4b46851430ebf3fc36f645061491b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "3b85d0261ab2531aba9e2992eb85273be0e26fe61e4592862d8f45d6807ceee4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "3b89d183eb014e29d9d0d4e45fc2b784a7fcfcf31dd48fd3bde30f8d956383d1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "3c098a687947938e36ab34b9f09a11ebd82d50089cbfe6e237d810faa729f8ff",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "3c2182cb0bc7528829ef03f1b1745a92bcc47d917eb8870862488f21fdf1a6d6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "3c3f12531045b7eedfe25e0f291d4792b0d8c8366f8de043e2fa8ecf34ccb913",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "3d296af7f29c0425655bd1cc0be48fe4aba52ee6760a89e805ca2589f4ef4d77",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "3d9fbfc2c056eac857ba54e5ed134aa45a4b8322ee9f9353ba32e5b2ca71b0e3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "3db33b0423bb9278db267a7adb036ecbd6aeebd7909d06d824919708b1e12e1b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "3DD226D0B700F33974F409142DEFB62A8CD172AE5F2EB9BEB7F5750EB1702E2A",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "3e2a0bafbd44e24b17fd7b17c9f2b2a3727349971d42612d55bbc1732082619a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "3e906ae47e9836a591f44d4b743e961d634a404fa8fd8bfae64f1d54c853be2b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "3f446d316efe2514efd70c975d0c87e12357db9fca54a25834d60b28192c6a69",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "3f66634f103b80412d1d670b91befab2a74425d2ea76d904c4a7ffae2ae94b44",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "3fcaa3038e365b6ab0b121e2cd319c56b74e37381943a0da0e8dce407087cdb8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "3fcadde4b414a18b2fed56c1ec59d97977123615fbbf411a1c78425445a6e71c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "3fcced9332301ff70b20c98c9434c858400013d659afa6bb5149cffb0206357d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "40a3b969d81ef1ef35dd9ebcc6774e060b1b8949d3d74f38ca6b7d789c95cdb3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "40b1208dda0cd5dd95c6b57764b2cfe7145b3ed9457f498408b4aaa05bf3ef50",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "4130f49fa81a699a667cafdbd6d1f6e781edd686c947eb8ae27134f6dc2c43d7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "425bf771c8c9f740b1ae9803dcb4fd45af4d6a6f171fcc72fc7d511095ca82ce",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "4264a88035aa0b63e9aef96daa78a58114d60a344ea10168a8ef5ef36bf8edbd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "433a13cc70396f80dc29d1150c050339d78964fdc91bcdc3f40c67a77add1476",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "436cfce71290c2fc2f2c362541db68ced6847c66a73b55487e5e5c73b0636c85",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "kazuar-p2p-botnet-russian-espionage-defense",
          "title": "Kazuar Shows Russian Espionage Malware Is Engineering for Resilience",
          "url": "https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "43920ef7d2742d140a1ab2a1ef172c716903474c73561377dc4f1534d2c5f581",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "43f8f94ca5aa0af7bfb0cc1d2f664a46500a161b2d082b48b516d084ef485348",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "4451EE8BC53EA7C148D8348BC7B82ACA9977BDD31C0156DFE25C4A879A1D2190",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "447484c76a06918d7f6f6c6f95ee2bced6dd2e9b282c6f5b92b2b7c0976381d5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "447f430b46fad5a3f8e8c5aad1f8f7f79af069489c3d9c29224bb9f14f0c7bf4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "449f528f5ceae8c3f8336d0d8e3e3ec9031d1ad67c31ee7311b67e01d5fdf225",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "44e769efed3e4f9f04c52dcd13f15cead251a1a08827a2cb6ea68427522c7fbb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "45bb8d1ab2c13bf4354294e13d3c9be15de625d807301905b98462f43f93e893",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "4762e944a0ce1f9aef243e11538f84f16b6f36560ed6e32dfd9a5f99e17e8e50",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "47d6d1a38534ba897a5a1e293e3d5df303bbd8e0526e756ad08887ffc1417bef",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "483672a00ea676236ea423c91d576542dc572be864a4162df031faf35897a532",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "48723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "488d941b7b4428b0f4a0e5495e3857b9b96215fb3e7f164b06640d59096425e6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "48cbeb1b1ca0a7b3a9f6ac56273fbaf85e78c534e26fb2bca1152ecd7542af54",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "498961237cf1c48f1e7764829818c5ba0af24a234c2f29c4420fb80276aec676",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "49cc0e0c3ec060fb354cacee244d4f297aaefb6db66e67a21262d6c4d2eae1bd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "4a175eed927c0a477eafb8aa35a93c191748acaa78ac7aecd8ea3c4cd868887c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "4a4b5c1bc1e948c853cb0978c07c7b8d1540c7b1ded95f8d5ad25c126cb6c7b0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "4bf770a59d367b532dec32668f86003b17d93918dba5ef5fd2b19c5394252436",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "4ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "4e3bed10a8eff3e9205c1f37f647512464271d5ac65df7ae4709735621a38320",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "4e90d386c1c7d3d1fd4176975795a2f432d95685690778e09313b4a1dbab9997",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9",
      "type": "sha256",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "4f456142caf590d98fb11ca247800bb417766714527e5a4707ac2f5d01542626",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "4f4567abe9ff520797b04b04255bbbe07ecdddb594559d436ac53314ec62c1b3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "4f93be0c46a53701b1777ab8df874c837df3d8256e026f138d60fc2932e569a8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "50cb7550224d8d227a0625e7f53be86924d8e057e403b6b91b83ea20df834048",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "51684a0e356513486489986f5832c948107ff687c8501d64846cdc4307429413",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "5242c5086d75a492d14e474de7c8f34b18ec0a8a9ce6d77eec8675a9572d9d23",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "52a57c502e40b3f9897d0ca32bba6f844b4113f5c017627ea9eba660eb47f405",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "52b871429833e1dee348263844efb531f6a3fcd321f88dc8a876caaee912cedd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5341c7256542405abdd01ee288b08e49dcb6d1782be6b7bea63b459d80f9a8f5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "534a4a5bff2609a2d6e088cb87465c08c2d69c6aaa7d2ffcbcd491274b8505f1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "53ac2b231c23d41234e55b1f7ed89f86234f785adbbe820959655d7b019d7df9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "53d263b292be387843fadb7131c2d538b4262c81f5b95cfacafacf2d5446c06e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "53f1b841d323c211c715b8f80d0efb9529440caae921a60340de027052946dd9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "54305c7b95d8105601461bb18de87f1f679d833f15e38a9ee7895a0c8605c0d0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "5494909e0f5221db75e933b28981b2d0e118f227b7d8a5980d88b500b76dfc2e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "54dc05ab56244444f86d69b8274a6075906f7ba2307b08e08d3884abde255495",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "55249f296b63a8bcf911b8bc96de43c1ac2b4a56c150a19d33d892a47e57352c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "559f46ceb801a3540eace594476718e1486b5b4423cfb4ff64530ff8fb4a3815",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "55b3dc57929d8eacfdadc71d92483eabe4874bf3d0189f861b145705a0f0a8fe",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "568c67564d62b09d1a1bc29a494cf4bf31afddcafcf78592b178c63f23ccfcae",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "56bead2933e91366e4a0d5761daf5b238a7f2c22e597664ef67b3ecae20ab326",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "576692df4bf1c7d8927d3a183f5219a81c3bff3dd22971691f8af6889f80c5a0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "57bdab2ba4b05ec0338c06632599393d5b14227f31a43fe950ea8fdd47428715",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "5838ae6c748dcbdfa13c6529c654cb821897d29835d3e7e05ca23fb2f3794f02",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "5904bc90aec64b12caa5d352199bd4ec2f5a3a9ac0a08adf954689a58eff3f2a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "59b9153c4c9e155c976db1a2fd4d1b28fa10bb9c4dcafdc4758b352c037e3d86",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "59cbdecfc01eba859d12fbeb48f96fe3fe841ac1aafa6bd38eff92f0dcfd4554",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "5a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "5a6ba08efcef32f5f38df544c319d1983adc35f3db64f77fa5b51b44d0e5052c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "5ad857df8976523cb3ad2fdf30e87c0e7daa64135716b139ffdcd209b98e1654",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "5b64786ed92545eeac013be9456e1ff03d95073910742e45ff6b88a86e91901b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "5b6a466b65d479b77a03b15a95ac097b45e23ff7ae5ef6282985b2a503deb691",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "5B77F83ECEFA0E32BA922F61C9EFFF7F755BA51A010DB844CA7E8AD3DB28650A",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "5c3f190571645c4641dcff2c07a4c3ab9acad06aa9607350a385729d8d6139f1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5c4faef80c83c7ec0925a4aacb4bddabe82b91066ac41305907ba277cd7b3b85",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "5cd62e708ae4393c99579ec1433571998299bf7e2fde9bafeb9a79f8bdf065e9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "5d7324d8b5a25f862ef8223c6766d0e80af3ad168e17312b265e13a3a68e0ded",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "5db2ce9acd50f96d566e8d139f6490abf2bbf7a9293b876eeb4598fd2c37c515",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5dbfa033676b5caacfae902734ce462cd871181eefbe299250ca8ac7e139719e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "5dee69127d501142413fb93fd2af8c8a378682c140c52b48990a5c41f2ce3616",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "5e225ea2648a8cba0fd94ec7fd8ce5315f5d0cc2922bafc9db3c8c41280e917c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5eab4c61baa67ae2838a36c2e6ff0476a8f2117b96a7027b830c8cb46ce78efc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "5f9af68db10b029453264cfc9b8eee4265549a2855bb79668ccfc571fb11f5fc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "5faea1650cac0f3ffd2dc1fb220182095a46e34158967d37c2a942e85e2ca97b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "604b53f87d6c070bf387e80c70a6df8d272fa3fc143148d41f13e59d52ab1f13",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "613e5314a7ded3155cdec49fd34e852e181f4651d78bd8bf3adad2f4dbf22b0d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "616b41657e9afaa9354fc1a106393373dcbf8aac8455b7d2cbbb44463434528e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "61b61dd25cd8dcc43cd78418f3e3eb3fd9002d9e49961eefb12c1022ce4c3b63",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "626330d22f77d9cbca9d40cc06568041703f194610c4c5a84bbb05a2e4ee7459",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "62877a5096828c4bc2fca7cbee7d38b11a0c90fd0d3fc8c37981581e9988c919",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "6298f3150ad94a242e649886d47c59c634a4d04b9af5ee15e3bf335c40b5e58e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "62d4ec87ed21f0d15cb769b0b2a5577cab41fc2cdb1e7e796c5bdff09264dd9a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "634e89d8592d7c9e2bc1c098217a813947b44a4f80bc569e9a15c1e8b0864b91",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "63565f15a99769bbcd527a4d53e5cc259d80e1254463ef9c878c2074685558ae",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "6366d59b573d50fd23ff650923c4a8c1c918518a02d0a56f12c23533c45f439d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "6580de3b74fd635a1d7a887b8f6e5b0c9ac9e90d6e20466ad41489203119cca9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "65c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "65feba2c971c214e71303ad2e0fbf62b45ebcaa784cbf3d0dab62786cb4c0469",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "667a8f568a611f2f3d84a366b7946b360e055bece9699c95aad619637ab72a38",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966",
      "type": "sha256",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "66adeedfb739774fcc09aa7426c8fad29f8047ab4caee8040d07c0e84d011611",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "66bdce93de3b02cf9cdadad18ca1504ac83e379a752d51f60deae6dcbafe4e31",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "66cceb2c2f1d9988b501832fd3b559775982e2fce4ab38fc4ffe71b74eafc726",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "66ce42258062e902bd7f9e90ad5453a901cfc424f0ea497c4d14f063f3acd329",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "67569adec99fd38b114ae07e2e549e6c16f75368f3c5373022c84934ed1c8e84",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "679ee05d92a858b6fe70aeb6072eb804548f1732e18b6c181af122b833386afb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "67e4d6a4f53098e48bfa6ecceeaa754592bc249b83404bcfb8542977ae36dac4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "67eb3bd505ebfffbd73fc3ef0b2976c375df732f0bd0496ed6653c3e2be5a0e5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "68445a37a9943a267a8b2100fba2678353d6ec88844505ccbba659e586c7a105",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "68ced9d7c1b1ff8ffb5f56c7d3f849d4fd16a1b95324426811424b40043d6d25",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "68d9020aa9b509a6d018d6d9f4c77e7604a588b2848e05da6a4d9f82d725f91b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "6917c0f9eafefe42e33e791b75a7e503ff8b081bc10a98449e4076787dfc6c16",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "kazuar-p2p-botnet-russian-espionage-defense",
          "title": "Kazuar Shows Russian Espionage Malware Is Engineering for Resilience",
          "url": "https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "69946018ddda1058ce5c2a556c78a747838865c47074dcb165effb0840cb1cf5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "6a2d23cc8746a83e9a3b974788fce0e414706b8e75ff390426dd7e10b19967b3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "6a3ab9e984a759d55af4e84487d1fc44683065cc9a1089d5aa4ad1c0e4e84a63",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach",
          "title": "EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach",
          "url": "https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "6b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "6cda1e81667f869940401f05a55c8dea94dbdf3ceffb93b5f320a6462cfea44d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "6cee9e838792ac5e2098362d68ce93a9a2c095d476dc16b289fe8509c99b2b8b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "6d3586aa6603f1c1c79d7bd7e0b5c5f0cc8e8a84577c35d21b0f462656c2e1f9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "6d49233b1fca22f3823e856e4c16749e9c45f384ea57055fead16df35b217226",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "6da0b4c1a5d0d3fb6e6a2990a82ba51db1f68a3bba818baa46526a29731e2342",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "6dbd507ca7cecea861f9cf704b3c5c37f5bd5392886a8c2562088892b7703fa5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "6dc672e3bab8bcf80c66b2f95150067fb47429d4cf65eb95215e5f3abc7cade5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "6df8649bf4e233ee86a896ee8e5a3b3179c168ef927ac9283b945186f8629ee7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "6e251c3d2bde8fff0487c1eecd359c4a544a09fd708755020e4b1c53ad6b8dd1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "kazuar-p2p-botnet-russian-espionage-defense",
          "title": "Kazuar Shows Russian Espionage Malware Is Engineering for Resilience",
          "url": "https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "6ec070457d1f6f239cb02c5e1576a3660cca98f3a07eec6e4e107f698d7fe555",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "71B743C529F0B27735F7774A0903CB908EDC93423B60FE9BE49A3729982D0E8D",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "71c79e8bf71ed257435ea9b8b91e118ba03ec681860651190f7d7457804313ee",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "727fe9c1dfa39d6590012e0593c9837c628fc2cd22aa0f4e486b7ed1aec02697",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "72e4b6540e32b8b7aac850055609bc5afc19e29834e9aa6be29a8ea59a2c9785",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "7384462d420bdc9683a4cac2a8ad19353a2aa7d2244c91e9182345777e811e33",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "739cdedb20de39aeb1f15dc8c2dbbf15fa993250fd879bf87443ff9aeaf4997b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "740a09fcdefa5a5f79355b720f54ff09efa64062229fb388adbccd9c829e9ff0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "745538dea8ed9aec4466e67a9d0aecf9e7026ff16a792d1d6f306e8b67d3f34c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "74a11a07d167f8f5c0baa724d1f7708985c81d0ac3d0e4d7ef3f3220c335e009",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "74d1a678bdc4bb9f33321e94e3bd1bc1740472ed734231fc46af720072ecb77e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "74df77b6a83d89fa137fd285a2efde36b1d62c00b3be81cc93df7d1e6e94837b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "74fbc8360d4c95d64d7acaa4d18943dce2d41f91d080b0b5e435d8bce52861a5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "755fcee1337a252203002ecfdf673a08cfadeda8d738bef2d518a08e0626aa4f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "7603c6dd9edca615d6dc3599970c203555b57e2cab208d87545188b57aa2c6b1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "7615140f78d9a0ce31cc9fe8c54c60028a7439cb32526fd97b10afef7145dd78",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "76d54a57bf9521f6558b588acd0326249248f91b27ebc25fd94ebe92dc497809",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "76d9e2a2ff313f5b91cc67aab1127122baee1c3efbae1087e58a25bc5f1eb065",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "7720e83c02a027d70ae201c393c1956aa2fa8199879a3a4c4fd1d20b03022cfd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "77417df21b4b4e8d86b8bda4afeef93fd36f355362586b2d1f51121a82244167",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "77469615c5f548063922b469a8c0a4116511395d013e5a798e123e9c119acc4b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "7828e17e674507ab13dfd84b31b361fa19b9cb27ee130620ba9211feef746d31",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "7b70cd956f082b1029d02b4cb7608893f2de7fa9c500d7d7febdd0f745ac3cb6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "knowledgedeliver-viewstate-shared-machine-key-defense",
          "title": "KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius",
          "url": "https://bulwarkblack.com/knowledgedeliver-viewstate-shared-machine-key-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "7e49da0ae2f81e14841f356b4d69f0480c2d9ce3fab5a3fa91b0036d9a36fa0f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "7e646dfe7b7f330cb21db07b94f611eb39f604fab36e347fb884f797ba462402",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "7ed4a256e1d281cb4f194d13ff554fd4fb280dafde0a67a18115ea038ea6c87d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "7f2315b89fb9a47e1516def136844d617bfcdce19000a1b0436706692dbe166c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "7f89a4d5af47bc00a9ad58f0bcbe8a7be2662953dcd03f0e881cc5cbf6b7bca8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "80f6c010fd260d0bcf18a4b6a8d62505adbed50d2e615ed9522c4bfd61c00661",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "813c78b5b6ef28a9c0ed35f2c6cd88fc50880ab91f8777dfe7aaccb1c24b08d5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "81aabf646619ea5f4a72457cd3aa17c5988003d67e6454f45e7cb33613021bac",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "82707cfdf24dcb762f4615f01e1ba4d3dfdec4abe9cd588558d2634d7e6a5eeb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "83e970feb3f10692c164f6889f7a026f135c2433e5bf8e662a6e63a3b81267b7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "8459ff264a2c81c68a34c4ee6bc109d141ad28b96037d34ff112322a4c853739",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "85a03d2e74ae84093a74699057693d11e5c61f85b62e741778cbc5fc9f89022f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "8665BC1B33CBE6F5859CD6E362AF77738BA73A6E6D4B9974C16C8521D84C1892",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "867a05d67dd184d544d5513f4f07959a7c2b558197c99cb8139ea797ad9fbece",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "870e791af14caaf395c56028176a9c3f4c1ff0318ef3112d57ecd3d4a1be2ef9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "880425fee707e9f42e0b8d60119ed639b1ad506ea29877d126bdebce379cd229",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "887e1f5b5b50162a60bd03b66269e0ae545d0aef0583c1c5b00972152ad7e073",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "89934cb1494cf0327f0ab82fe644c74caf687814379cad116bd7adaca74c1028",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "89f0a67bc595ab8bce02c2f95f9292ad06e1868207e809c76bd16f0cab800c06",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "8a58e3ed713c1c70f421ab56a18cfb6a120c960d227e495b511c2552f25f188b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "8a7ee2a8e6b3476319a3a0d5846805fd25fa388c7f2215668bc134202ea093fa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "8aa0cb69ca2777001e0f4ba0eaab0841592710e4cc5ccd6b0b526d78bbd8bfba",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "8b40cc7d173efd27fb60f3d260acef28f58d67d1f39597e1d611db311a305f62",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "8c104da0e66ef6384663309aaf8fb49f549f2785d835eec620b265f8aa11d9f0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "8c29f9189a9ad75a959024f59e68c62d42a6fd42f9eacf847128c7efe4ef7578",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "8dbcde2a28a0b3de201214d7e3bd43acc97561924daa247c05c4b0536d42be85",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "901a43b42f997710147295a0625e20c935207f8c531daf5311449ec119a37dcc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "912adea5339c73cb4a777a3e9f98bf3cb08da6622c9dd3b4cc9b083cb03d10a2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "914c18a04a2727bba9cecab78a1d516ec3c7a3f667e0e5a6081aa0e9206a69fe",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "9164054d0bf0b7c8820da4f742860940998984555e65820e4fa8dd07b6bd67ec",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "91e61fd77460393a89a8af657d09df6a815465f6ce22f1db8277d58342b32249",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "948468aba5c851952ebe56a5bf37904ed83a6c8cb520304db6938d79892f0a1b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "94db6fa14b4e487dffba709b87e8a7e25483300ed409de243b19fff7cf2f0978",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "958921ea0995482fb04ea4a50bbdb654f272ab991046a43c1fdbd22da302d544",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "95cd48130247525d8a7e966bd3fa07e9d6c39ebbe3058ecccb336f66bb8e3d1e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "9656d3301f63ef6114289739a1c44082206298f787238fc6c190ad87eab24751",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "967b5c611d304385807ea2d865fa561c15cde0473dd63e768679a4f29f0e4563",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "96bb418128deeb2b9d2e4b66b98cae07b238b326b6456cc9b86802e67c504a03",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "97448688b292bfec6d83b153588076fe59b111c35ac4e42a916238df16a71e2f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "98442387d466f27357d727b3706037a4df12a78602b93df973b063462a677761",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "98825c0c7764f45c891275b2f038ea559e84b340df30b41c2cc77b8d4215c6c8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "98a7b0900a9072bb40af579ec372da7b27af12b15868394df51fefe290ab176b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "98cce1e69873de25e5139aa848f469bef2af345a8a49d15000b5b5e72b582896",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "98ce3c6e4dd05887ea619f2bbfeb2e2c2805ed07e85e119b79b828b7ef8be397",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "9a7225c17e4bad3ffe7f080530d36f4f8aca5c116b913caa91ab9b0cee85638e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "9a927c37a31b80975c5c5467f112b61478c9493c046281046443525358a5acb0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "9b3df1b6c1b98c201de09a7719066f7bcae6b66a3173b703a617f53fddf67d51",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "9b9e0e5a1eb469b8d20dc23351e08ff5d5731e1cedce0ddee9bbd00a76217f13",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "9d52cb4febf3342c34dcc8198dcaf453458be3699ab47dc08616aa7f18daa7fa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "9e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "9e9655f54bfac8a937d78ac506722bae1468ead4cc9ee95b35e0f8ef17ee13d9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "9f10e3b6e5745784f26d18c38ce01fba054b19749c17260978ac11472564aee2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "9f4672c1374034ac4556264f0d4bf96ee242c0b5a9edaa4715b5e61fe8d55cc8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "9fe944147c15a87963b06baf6473288d64c23655a0ba9369c35566272d8efc73",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "a0313822513f9b89479f666888a4784a3fc99b4cc4566213dcda66b03b47120c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a1039de7ec690d64db9d7d91f3d777d308e49e958de4154aa0b62ded7820f1fe",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a17a972a05afe387ed32aa2986d5be8bca2f22619d0aedfa834c6963abfab3bf",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a313f76fca50fff1bcd6f2c6cbc1268985f8c0a3a05fe7f43c4fc0ac3aff84dc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "a37a290863fe29b9812e819e4c5b047c44e7a7d7c40e33da6f5662e1957862ab",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "a40bf9c75d1bfa6d66f1179f2321de6589f80d3089d992797a9cb0e84f6196ce",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "a44b35f376f6e493580c988cd697e8a2d64c82ab665dfd100115fb6f700bb82a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "a4cf69f849e9ea0ab4eba1cdc1ef2a973591bc7bb55901fdbceb412fb1147ef9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "tackling-anti-analysis-techniques-of-guloader-and-redline-stealer",
          "title": "Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer",
          "url": "https://bulwarkblack.com/tackling-anti-analysis-techniques-of-guloader-and-redline-stealer/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "a4f979b4a5d7bc8bc455dd4c09b44e51a389576fccce35a2c8da3ce680237565",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a50cf45d8b119af0cc75679c8307b05e29f2bc85b6d0bd55999dd018639f1c72",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "a54bcafd9d4ece87fa314d508a68f47b0ec3351c0a270aa2ed3a0e275b9db03c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "A5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "a64843ebfbc39e96ec7613003b1b5c3a9b878874ea15a05e1d34ce91781ebfb6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "a677c02e545941e43f8b21a5761b035e911b53e2c065fea219e0f3462f282fd8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a6b5448ba45f3f352f5f4c5376024891adda1ef8ebf62a8fe63424fa230c691d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "A6C1A7CE43B029A1EF4AE69B26F745440ECCE8368C89F11AC999D4ED04A31572",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "A72427af3c046fd90999a6505b2372dc4ffde122227f30ed21621ecd4f2d3e8b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "a785fc61fc4ff7cff0ddb540bf7ff12111ed0d6031f78f48387a6c16cb3c5451",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "a944a09783023a2c6c62d3601cbd5392a03d808a6a51728e07a3270861c2a8ee",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "a97f460bfa612f1d406823620d0d25e381f9b980a0497e2775269917a7150f04",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "aa0083f662f055e8d911c5de3a8f3a31b3c84cacc7dccc30c98f2be14dba4102",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "aaa2bc1128d8b8b2da76262bf87ede19bac053cca6576efba6aaa71c9438c304",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "ac8eae94d27122f4751bc96d9ea52d30000b7ca37569a2291b2710824ca3396f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "adbcdb613c04fd51936cb0863d2417604db0cd04792ab7cae02526d48944c77b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "ae93d9327a91e90bf7744c6ce0eb4affb3acb62a5d1b2dafd645cba9af28d795",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "aea13e5871b683a19a05015ff0369b412b985d47eb67a3af93f44400a026b4b0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "aef34f14456358db91840c416e55acc7d10185ff2beb362ea24697d7cdad321f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-26",
      "last_seen": "2026-03-26",
      "reports": [
        {
          "slug": "pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies",
          "title": "Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies",
          "url": "https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/",
          "date": "2026-03-26"
        }
      ]
    },
    {
      "indicator": "af66bc2b516d1ef71af9b6ee9f8f5af0a99fed562b34809cd55071b94c2d1304",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b064a3efb04ed77e6c57955089ce639e193d166c8ea2216c98c3e9b701ea2cff",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "b0726bdd53083968870d0b147b72dad422d6d04f27cd52a7891d038ee83aef5b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "b157a66826d27512c3618817fee924e53d14cabb2c4c7f454affde37350f55f0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "B19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "b287347a5bff8af360ce0e6500c336b6fe6d97920abc26202c9d843ffebc5f89",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "b29973eda4d0c090608c15a976688cad0b2114fdc0dcb89ad37515287ba13aad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b2b62703a1ef7d9d3376c6b3609cd901cbccdcca80fba940ce8ed3f4e54cdbe6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "B3CC15C1033DE79024F9CF3CD6A6A7A9B7E54A1A57D3156036F5C05F541694B7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "B494A0AE421AFE170F6CB9DE2C1193A78FBE16F627F85139676AFC5D9BFE93A2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "b53069a380a9dd3dc1c758888d0e50dd43935f16df0f7124c77569375a9f44f5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "b55f3b8a7334af049ba3f70a9ad3fe78574b1e180c68baf9a7110d104387a636",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "b58814fb3ce5a085014ee6e8d89f7cc1380b234b97170fd5f3398031281c6a77",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b5969636eec376ad6c3ece2202b1722219955638e09b6f96d4cfc0598d3b1890",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "b6912c23cccc4b0964d55608916297f6978f0b38c80a4beac472004a786fcef7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b728eba4f0d6d16602fbad05a591f14391594262d3584b2e249e97f86e4dcc5a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "b79633917e51da2a4401473d08719f493d61fd64a1b10fe482c12d984d791ccb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "b7d217f13550227bb6d80d05bde26e43cd752a870973052080a72a510c444b5a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "b7f46b192cd83a1d2487cb048cca645f6e8855b9673d500d50bbdb04eebc6bea",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "b830f043076a12748b6a2dc0810ece85439ee77434d991ae7d84201b09ead756",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b8b5f6991a3a61083461d5269245bebf28b90934c328848ba8c1e084a5a6216c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b8d247fd1fb85d24a17afeec3815906dfbcdc5359647910b4a153900ec999a0f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "b90ef1d21523eeffbca17181ccccf269bca3840786fcbf5c73218c6e1d6a51a9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "b927d265fa29e471c1ae0d31516e480c09c0fb17f480ad08ea8d5b73e84b7a1b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b93560c4d18120e113fb8b04a8aa05f66a12116d1fbf18a93186f6314381e97e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "b9b6893fa6b04ee8daa29e515c08239ac5204af1a1fa2bc10006eede1b41329b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "b9fe48bda9a6c8787981a24f8bbc723a6f6aa80cab5fa53481937382f3c6ce85",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "ba86b6e0199b8907427364246f049efd67dc4eda0b5078f4bc7607253634cf24",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "ba9b1f4cc2c7f4aeda7a1280bbc901671f4ec3edaa17f1db676e17651e9bff5f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-29",
      "last_seen": "2026-01-29",
      "reports": [
        {
          "slug": "google-disrupts-worlds-largest-residential-proxy-botnet",
          "title": "Google Disrupts World’s Largest Residential Proxy Botnet",
          "url": "https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/",
          "date": "2026-01-29"
        }
      ]
    },
    {
      "indicator": "babc81fc9c998e9dc4ab545f0e112e34d2641e1333bc81aaa131abd061a5b604",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "bafba443170e54ef7fd431ce7f1b5e202719f3fd022e4ef70788904f574d2cdf",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "bb23545380fde9f48ad070f88fe0afd695da5fcae8c5274814858c5a681d8c4e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "bb30cc2b302d9a6963109b201b78d4163bb6c2d7bc8bf5a66e9a744b62fc2717",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "bb4856a66bf7e0de18522e35798c0a8734179c1aab21ed2ad6821aaa99e1cb4c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "bcbe2f0a8134c0e7fce18d0394ababc1d910e6f7b77b8c07643434cd14f4c5d6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "bd3230e4ceaf32ad2248ab069b164bd2144401967ac69de0a4cd1734fe429d9c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "bd6805782df15e53581096b99bd6bbb81f4d4a5e2d2b30954df63175a4075be9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "bd699ed720e2bd7085b3444cb8f4d36870b5b48df1055ec6cc1553db3eef7faf",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "bef7e2c5a92c4fa4af17791efc1e46311c0f304796f1172fce192f5efc40f5d7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "bf70c6f3a8e913f526ec57eeec50e1306f7b34b037915b7a1cf2968cc46acc58",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "bfc35f12d00fa4b40c5fbce9e37d704e12a52262709bcbdf09f97890bc40cad5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-14",
      "last_seen": "2026-05-14",
      "reports": [
        {
          "slug": "kazuar-p2p-botnet-russian-espionage-defense",
          "title": "Kazuar Shows Russian Espionage Malware Is Engineering for Resilience",
          "url": "https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/",
          "date": "2026-05-14"
        }
      ]
    },
    {
      "indicator": "c25799facb3e788830bcf614f33411d3bcfc0edd4a2200e160b5eb4ce700039f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c2a361a7d8feb95be97c957fc7652d348f4fa9a987bde5f09883f46b65c460f1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c2a69a33b086364ca51b030b6b15e99be46ce8255ddf62839a4fc7f2b34023de",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "c2e4483abea830ba8b8230540ace51788d0712bed9006697ddddb9cbf133c151",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c328b78c21060e2203ac517833fce41572b91878e187f85fa434cd6914659834",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c39fedb662259bd76b11616966c41ff1fbda58d9b129b9c1bd818700eea92b29",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c40b9913e79c5dd09751b1afb03aaa98658bab61bacf27a299abd84fd44fe707",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "c494c878e28284539419612616d964ab9224cbe27e57f42293d91d02d684e3db",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "C4DB903322D17C8CBF1D1DB55124854C0B070D6ECE54162B6A4D06DF24C572DF",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "c4de1f1a8cb3b0392802ee56096ddb25b6f51c51350ce7c45e14d8c285765300",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "c51c0b6c7817443b021aff44d4416c09fd039849db81860b9b5144e789fa3987",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "c5baa0c16b0074a1e94b48aa0177e9bfc23746aca8a5b42848a6685da85658b5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "c62677543eeb50e0def44fc75009a7748cdbedd0a3ccf62f50d7f219f6a5aa05",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-21",
      "last_seen": "2026-02-21",
      "reports": [
        {
          "slug": "facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware",
          "title": "Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware",
          "url": "https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/",
          "date": "2026-02-21"
        }
      ]
    },
    {
      "indicator": "c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "c6af37a6739f0d919ab7049caf3a85831cab44bdbea27e0d9de7adec80334e2b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "c7a4a547eb7f6b0b4b75bb6dd8955244bb2618ba234ae740cdedd7c2d30e3465",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c7c37a973b14edd5b6b2da4a1497c593e43640735ff54aecc9a3288fa5e548e3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c7c9bfa9ffcd8fb6a2afe656f510c406ddc58ebff48ce1d0fd3fad951b46a36e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "c8e8b627398ece071a3a148d6f38e46763dc534f9bfd967ebc8ac3479540111f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "c905cb512018cc55512c6a22677c3d6f389c47afd54d7c85797868fc4fcb90e9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "c92541f273eeb576d39235d0a5c6f18f2574b132a1022598edfa38065783ab98",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "c98ac83685cb5f7f72e832998fec753910e77d1b8eee638acb508252912f6cf6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "c9a42423ef08bd7f183915780d39530eba5e4e25968c51965ff8bb3026965a28",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "c9fc2af30f769d856b88b3051f19fdb663b3e0a0916279df9bbcba93c6a110c9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "ca8a00c9d36c64e5dcf562c7ae2b8df4bd6455fe0b41b32ee3a2a528ddc2d155",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "cc1efbca0da739b7784d833e56a22063ec4719cd095b16e3e10f77efd4277e24",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "cc2bc3750cc5125a50466f66ae4f2bedf1cac0e43477a78ed2fd88f3e987a292",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "cd7255730b6a7a3895d622d37d0e8f984d2d280689acef56ff195d663e7723ad",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47",
      "type": "sha256",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "ce379de03e35e0ea2c88744c29b9e2678165214065f9b957177002c6bbe69084",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "cf35ce47b35f1405969f40633fcf35132ca3ccb3fdfded8cc270fc2223049b80",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "cf8ebfd98da3025dc09d0b3bbeef874d8f9c4d4ba4937719f0a9a3aa04c81beb",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "d024039824db6fe535ddd51bc81099c946871e4e280c48ed6e90dada79ccfcc7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "d14ba95cdce1ef7dc9ad3ac74949ca5db38b27378ee30f30a23cf26f9e875a11",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "d18369be4487d7cd0e4bd3dd0da720672e56e13ca43627305e26767e26925551",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d1889d81cfa99d52017732da9dc52127d03893037874c8671943cede4b8d1bb2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d1e0c26774cb8beabaf64f119652719f673fb530368d5b2166178191ad5fcbea",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "d1e54270433a94aa3d45d888e4c62299bee3480eb2cb4a5489c7dda69d476c3e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "d1f963b88672f3676a7da1580262ba0d4f367cc57a94b551754c20f77a670c43",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "d2148a458da46e81702136aa915312d360805f083d1f37ff5531db9fbdb8ad6d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606",
      "type": "sha256",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "d293ded5a63679b81556d2c622c78be6253f500b6751d4eeb271e6500a23b21e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "d295720bc0c1111ce1c3d8b1bc1b36ba840f103b3ca7e95a5a8bf03e2cc44fe5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "d384c403c084967d8c967501ee6332b050af04ef424f13a3f5a88d155389d98c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d3fd32f915c239872c9e7ed9408b1f36dfcef03aa68f9a396d05c437667cdb43",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "d418f878fa02729b38b5384bcb3216872a968f5d0c9c77609d8c5aacedb07546",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "d4861088161fc72b9922abf933b4ea664a807105ec1eab4a173253aa60bfe6d7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "d4ed2d87942fbefa5d7b7f19fb6f2e9bc293c96bf577bb97ed3ca56185abcf25",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d5cf7315186a78ab6a7475c338bdf101bc6461930aaa7a012a02cf93f347c207",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "d5eb979cb8a72706bfa591fa57d4ebf7d13cecdc9377b0192375e2f570f796df",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "d6446f2803444bd2200d48a01a9ad7d487e67e8e831c9cd13f89cbfec17fd4e2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d7745513034af14617436ad6b3fc125fd0343218411d0c79bda56b0dadc86b2b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d78082dc33c6dca98316e865efa9829c6eb5a97c2ca3cd4ea6c2123a5f6ae45b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d78b3c6df8f3756a7e310cf7435fdba201dd03ec9f97420a0db683489a01a7c9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "d7b56818c829960b692de9ad5a14e52669d953e9f074f7218c3fe34ede4a11a0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d7c9c9469c513c05aa431fae34f414f91fcf3f794d3e76b6e4d0b92c4cd3ff2e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d81201d0fc19977e51104438a5b9cba861f4da20cea3ae9183edf16ab11d98f8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "d871d76171504597bbda387689e12e7a5e354c360ff135f4df231cec68c761af",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "d8ac0c08e4c698017558e532974cf749135d3d49757f05001e6127dc6e07cf17",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d8c1f96107a3349e62b3ab9afc60f62af9c89b6961b637a26b71e1230f2b3b8a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "d8fe8f3fe838d5b1a1043096f6f6bb6f524f5f1b0c9f83a081078a824daa0cf3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "d91c00fad521e76efa89715cca89db487d5676f2c767c883482f9c8f82bd383a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "d973ad5a80c3d7468a9c392db4166857ed32b5d61cd6755766ba8922156dada3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "d981a16b9da1615514a02f5ebb38416a009f5621c0b718214d5b105c9f552389",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "da4b72764ae929050353f3da759c839e2a061a8b9a8dd3c3b2e909d4a8a3291c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "da79eea1198a1a10e2ffd50fd949521632d8f252fb1aadb57a45218482b9fd89",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "da8a96bc74e265f945f1cc6992c6dc0f9ea36ed1991f7b8d312db79d9bf78c40",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "da95384032f84228ef62f982f3c0f9e574dc6b06b606db33889ea6a5f93d6ae2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "dabb47d75f2efa6a5540661484efa989ccb338f24938b23152f14f3e424b0cb5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "db2a872f712fbdb1e347d06e29a9ed8278d86710ffc14ff04422be76e47124f4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "dc4f25b2247cfdd6fc96848db30a178baa4419a4c854e86e315b465836102d14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "dccf9f008b42a04f7e69d3bbf7b5ce81e71308545d6176cc4763920a424e5ac1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "dce2e5cc00eff2493f8ced546dc51f9d5ef78c5ee56805906ec642dfa77a1c70",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "dd0fc1a88180fde8367bec7086f99294f36b8332f12994293139ed532d2ebbac",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "ddaca57f3d5f4986da052ca172631b351410d6f5831f6af351699c6201cc011b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-11",
      "last_seen": "2026-03-11",
      "reports": [
        {
          "slug": "iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates",
          "title": "Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates",
          "url": "https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/",
          "date": "2026-03-11"
        }
      ]
    },
    {
      "indicator": "ddd67dda5d58c7480152c9f6e8043c3ea7de2e593beedf86b867b83f005bf0cc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "deb70af83a9b3bb8f9424b709c3f6342d0c63aa10e7f8df43dd7a457bda8f060",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "defe25e400d4925d8a2bb4b1181044d06a8bf61688fd9c9ea59f1e0bb7bc21d8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "dfd5cb91d06b9649d4cab500343af80ad1144a9e46641cc406f43dd169003c22",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "dfe696ff713318c53fb17731bd4a6585a02c085b590149b19847990b324a0be6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-27",
      "last_seen": "2026-05-27",
      "reports": [
        {
          "slug": "poisoned-search-ai-screenconnect-cryptojacking-defense",
          "title": "Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access",
          "url": "https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/",
          "date": "2026-05-27"
        }
      ]
    },
    {
      "indicator": "e076e13a7e112d364f03bd1ead7abaa83249d544491621254860ab0a73adc9b9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "ta4922-global-hr-tax-phishing-rmm-defense",
          "title": "TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure",
          "url": "https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "e1d16fb635060d23e889b0617d77f0cf06d00cc19b43a2c8b5ac53ac027ac722",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "e20b920c7af988aa215c95bbaa365d005dd673544ab7e3577b60fecf11dcdea2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "E28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "e2a0f4440f67998a0215d49be31746ea192bfcb4dc4ee532a218f8cf13605714",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "e316b1e13154dc6115e1e0c023f6fe3d17861cae839d4a4a81779b6aad9a24f8",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "e3364ee21cae6725451e8bc9ab9933df0000fd19814170bd132da68d1906d5ff",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "e34c9159e6e78c59518a14c5b96bddfee094b684f99d4f69b13371284a014e87",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "e3b016f2fc865d0f53f635f740eb0203626517425ed9a2908058f96a3bcf470d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-03",
      "last_seen": "2026-03-03",
      "reports": [
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "e5341edb7c039c456d46c39f194be86ce4b41725d7ad12d297d18aa99cddd675",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    },
    {
      "indicator": "e5d2de8ae98579bfb940290f60e59a502b3065345aaf765456387989c0488b20",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "e6310d8a003d7ac101a6b1cd39ff6c6a88ee454b767c1bdce143e04bc1113243",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "e6d8192960a89d5480868b94088cccdaa1560f9c8a0b0282ced2b7c1f72341b6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "e6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "e799d72929d7ccc7f6b6109742b8cc482838303207efc989543b6e1ca6d16e9c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "e8000ddfddbe120b5f2fb3677abbad901615d1abd01a0de204fade5d2dd5ad0d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "e836873479ff558cfb885097e8783356aad1f2d30b69d825b3a71cb7a57cf930",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "e83f274bf9914c6cfc0c6b3cdadf089565f49dace4aca93287c22aba9641c8f3",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "e88c41a6f769cd760e323b4f7c01835433cd4059cd59630cb1a9eb1181b350ed",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "e9e5e748ec5c0b811c8e60b0e55059edb4d2df86ff3ca45969e57d5fecb11a38",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "ea0869fa9d5e23bdd16cddfefbbf9c67744598f379be306ff652f910db1ba162",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "eae055c5736366811d2a4b1f78ff206486e7f7445040122efbe023ecd2d20bcc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033",
      "type": "sha256",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "ebcb2691b7c92cdf2b2ff5e2d753abeea8cb325c16596cd839e6bd147f80e38a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "ed1745cc49b929e499966d87e163219fe0f24069fe88dfacbd69c0ebab85a640",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "ed48d56a47982c3c9b39ee8859e0b764454ab9ac6e7a7866cdef5c310521be19",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "ed5b920dad5dcd3f9e55828f82a27211a212839c8942531c288535b92df7f453",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "edc1f7528ca93ec432daca820f47e08d218b79cceca1ee764966f8f90d6a58bd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-04-03",
      "last_seen": "2026-04-03",
      "reports": [
        {
          "slug": "cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors",
          "title": "CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors",
          "url": "https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/",
          "date": "2026-04-03"
        }
      ]
    },
    {
      "indicator": "EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "ef0e1bb2d389ab8b5f15d2f83cf978662e18e31dbe875f39db563e8a019af577",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-11",
      "last_seen": "2026-06-11",
      "reports": [
        {
          "slug": "shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints",
          "title": "ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface",
          "url": "https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/",
          "date": "2026-06-11"
        }
      ]
    },
    {
      "indicator": "f04f43b6f7c2d86109c495179b497f7fb45fd95816623de1b77900f71b4f99ed",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "fox-tempest-code-signing-trust-weaponized",
          "title": "Fox Tempest Shows Code Signing Trust Can Be Weaponized",
          "url": "https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-19",
      "last_seen": "2026-05-19",
      "reports": [
        {
          "slug": "fox-tempest-code-signing-trust-weaponized",
          "title": "Fox Tempest Shows Code Signing Trust Can Be Weaponized",
          "url": "https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/",
          "date": "2026-05-19"
        }
      ]
    },
    {
      "indicator": "f0dcb7e407de85d8de8e2221df8dddecac8aec88af8975c9f07e14100f6edb88",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "f13f9cef5cc020bf673c7f4e19c93c312a043867f46796a8f01927a9a14c2533",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "f235d2e044c2f7814e6bbcd835b9fd9f10f227dacfb9396185ec2013e7df4db4",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "f36913607356a32ea106103387105c635fa923f8ed98ad0194b66ec79e379a02",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "tor-crypto-clipper-usb-worm-backdoor-defense",
          "title": "Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity",
          "url": "https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "f3e5667d02f95c001c717dfc5a0e100d2b701be4ec35a3e6875dc276431a7497",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "f3e899789b56429f483e5096e1f473335024f1f763e2d428132338e30352b89e",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "f3fbf4481f30fd840f35568746f54be49eb92b2c9ac95597a7760abb171cb54b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "f43cb68850a2506805d60ff466f54eba331e1cc2a513b329f5121e0c39104418",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "f5a57dfae488d9dfe260b32460a1d947fb5af58ceaf2fb0139bc08b4bb79a966",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "f629311734b7c6e6579f8e1d0e1e3f3bf72c9ac6c301b631ba4df7f393c41b14",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "hospitality-photo-zip-nodejs-implant-defense",
          "title": "Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths",
          "url": "https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "f6761b5341a33188a7a1ca7a904d5866e07b8ddbde9adebdbce4306923cfc60a",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "f7084b0229dce605ccc5506b14acd4d954a496da4b6134a294844ca8d601970d",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "f760bc16a585325ba9d74917f9e0994d3a4164c1141158c799b619d2c823e818",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "f7d9865ea3874d2b135eeee0aa0d12fc108d89e1dd706e4e40eb7605b76d35ca",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "f8066833e47814793d8c58743622b051070dac09cb010c323970c81b59260f84",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-05",
      "last_seen": "2026-03-05",
      "reports": [
        {
          "slug": "uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers",
          "title": "UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers",
          "url": "https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/",
          "date": "2026-03-05"
        }
      ]
    },
    {
      "indicator": "f964353b9ae4bedbe62de6c0d7eafa9fb8b87897bbaea483aedaa8ae191834da",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "fa767391b99865f8533efc1fe6dfa6175215718679fb00ca85fc13c3bd4ae4b7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "fadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e7",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "fc2a6138786fae4e33dc343aea2b1a7cd6411187307ea2c82cd96b45f6d1f2a0",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-05-13",
      "last_seen": "2026-05-13",
      "reports": [
        {
          "slug": "gentlemen-raas-leak-edge-device-ransomware-risk",
          "title": "The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem",
          "url": "https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/",
          "date": "2026-05-13"
        }
      ]
    },
    {
      "indicator": "fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "fd65051c61a904a304919c04a8c8633c001183ac73ac461cd4d9057946f02bf5",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "fe4e5fb28d2c2b3a640112b6b125ce8c4afa8be28342e3bfda097ad9dd2ef9ee",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "ffb45dc14ea908b21e01e87ec18725dff560c093884005c2b71277e2de354866",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59c",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-07-02",
      "last_seen": "2026-07-02",
      "reports": [
        {
          "slug": "ousaban-banking-trojan-iberian-phishing-defense",
          "title": "Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes",
          "url": "https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/",
          "date": "2026-07-02"
        }
      ]
    },
    {
      "indicator": "ffc6c3805bbaef2c4003763fd5fac0ebcccf99a1656f10cf7677f6c2a5d16dbd",
      "type": "sha256",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw",
          "title": "WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw",
          "url": "https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "alwayswait.site",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "api.anthropic.com/v1/api",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "api.wigetticks.com/logout/private-response[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "api.wizzleticks.com/claims/scope-schema[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "aquasecurtiy.org",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "atsheisdomestic.org/update-thanks.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "auraguest.lk/m/douV2quu.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "authentication-check.io/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "authentication-check.io/black/api/send.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "autoupdate.xyz",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "awaitingfor.online",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "awaitingfor.site/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "azurewebsites.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "best-tinted.com/github-download.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "botshield.vu/kFcjld",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "botshield.vu/KKRkm9",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "bulletmailer.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "cdncounter.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "chkactive.online/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "chkstate.online",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "cloud-server.store/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "co.uk",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-13",
      "last_seen": "2026-03-13",
      "reports": [
        {
          "slug": "storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials",
          "title": "Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials",
          "url": "https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/",
          "date": "2026-03-13"
        }
      ]
    },
    {
      "indicator": "commoncome.online",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "crystalpdf.com/conditions",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "tamperedchef-signed-productivity-apps-malware-defense",
          "title": "TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default",
          "url": "https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "cutt.ly/lwD7B7lp",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "datatabletemplate.shop",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "datatabletemplate.xyz",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "datatabletemplate.xyz/account/register/id=8118555902061899&amp",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "dataupload.store/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "dropbox.com/scl/fi/tmwi4j86op04r9qo2xdgh/zoomupdate.msi?rlkey=ymr9yn5p3q2w2l3uz9cg71dvm&amp",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "duchop.gov.vn",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide",
          "title": "SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide",
          "url": "https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "enrollms.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "ernigr-esfilc.com/security/logon[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "etoftheappyrince.org/update-delay",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "everycarebd.com/imagelkjh0987[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "face-online.world",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "file-server.store/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "filedrive.online/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "filemail.com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "firstfromsep.online/client",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "flashserve.store/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "flipboxstudio.info/exfil",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-25",
      "last_seen": "2026-05-25",
      "reports": [
        {
          "slug": "laravel-lang-composer-supply-chain-defense",
          "title": "Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized",
          "url": "https://bulwarkblack.com/laravel-lang-composer-supply-chain-defense/",
          "date": "2026-05-25"
        }
      ]
    },
    {
      "indicator": "freefoodaid.com/documents/2_2.d",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "freefoodaid.com/documents/2_2.lNk",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "freefoodaid.com/tables/tables.d",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ftp://47.237.15.197/update.7z",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "funnull.host",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "getintwopc.site/config.json",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "getintwopc.site/config.json&#x27",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "gosiclass.com/m/gnu/convert/html/com/list.php?query=6",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "healightejustb.org/checkupdateTO.js",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "helpdesk.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "hero-sms.co",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "herosms.ai",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "herosms.co",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "herosms.io",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "hf.co/r",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "hf.co/repos/a5/0c/a50cf45d8b119af0cc75679c8307b05e29f2bc85b6d0bd55999dd018639f1c72/19f1a6b9ad1a9654e7c78fa2d37a3ec10192b01b636c5fc1995b80bf6f7dcb36?response-content-disposition=attachment%3B+filename*%3DUTF-8%27%27b.apk%3B+filename%3D%22b.apk%22%3B&amp",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "hightkdhe.store/star/main.php",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "homeatedke.store/star/main.php",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "http://13.62.52.206:5004”",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "http://13.62.52.206:5004&nbsp",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "http://130.94.6.228/amp.tar.gz",
      "type": "URLs",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "http://130.94.6.228/apt.tar.gz",
      "type": "URLs",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "http://130.94.6.228/update.tar.gz",
      "type": "URLs",
      "report_count": 3,
      "first_seen": "2026-03-01",
      "last_seen": "2026-03-06",
      "reports": [
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "http://134.122.13.34:8979/c",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/PerfWatson2.exe",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/sdksdk608/1.zip",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/sdksdk608/anydesk%5f0117.zip",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/sdksdk608/hamcore.se2",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/sdksdk608/httpdf",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/sdksdk608/vpn%5fbridge.config",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://139.180.134.221/sdksdk608/win-vpn.rar",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-26",
      "last_seen": "2026-06-26",
      "reports": [
        {
          "slug": "cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense",
          "title": "CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells",
          "url": "https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/",
          "date": "2026-06-26"
        }
      ]
    },
    {
      "indicator": "http://146.70.100.69:8000/php_sess",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-08",
      "last_seen": "2026-05-08",
      "reports": [
        {
          "slug": "pan-os-captive-portal-zero-day-edge-device-review",
          "title": "PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review",
          "url": "https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/",
          "date": "2026-05-08"
        }
      ]
    },
    {
      "indicator": "http://193.143.1.104:5000",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "http://194.233.92.26:2222/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://194.233.92.26:8088/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://206.189.27.39:8888/5",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "http://216.126.225.129:8443",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "http://216.126.225.129:8443?h=megalodon&amp;l=gh_dump&amp;id=hefs8esnhgkx&quot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-26",
      "last_seen": "2026-05-26",
      "reports": [
        {
          "slug": "megalodon-github-actions-cicd-secret-theft-defense",
          "title": "Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield",
          "url": "https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/",
          "date": "2026-05-26"
        }
      ]
    },
    {
      "indicator": "http://217.15.160.247:2222/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://217.15.160.247:8088/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://217.15.160.247:99/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://217.15.164.147:2222/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://217.15.164.147:8088/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://217.15.164.147:99/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://39uchxifap4cvgzsuirom0szrrg.d65lre9sfqnlcv49317gcis6pyjsatzho.oast.pro",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "http://45.93.20.195:5000",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "http://45.93.20.61:5466/api/x32_chromium",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "http://64.31.28.221/support",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "http://8.210.50.65:60126/linux",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-20",
      "last_seen": "2026-05-20",
      "reports": [
        {
          "slug": "p2pinfect-kubernetes-redis-botnet-defense",
          "title": "P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure",
          "url": "https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/",
          "date": "2026-05-20"
        }
      ]
    },
    {
      "indicator": "http://82.29.53.187:8778/app_cli",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "http://83.138.53.110/dl/p.exe",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "http://83.138.53.110/service/save.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "forticlient-ems-ekz-infostealer-delivery",
          "title": "FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System",
          "url": "https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "http://83.229.126.195:8081/config.json",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "http://83.229.126.195:8081/xmrig",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "http://85.155.186.121/access",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "http://95.182.100.231:2222/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-07",
      "last_seen": "2026-07-07",
      "reports": [
        {
          "slug": "uat-7810-orb-relay-network-edge-device-defense",
          "title": "UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure",
          "url": "https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/",
          "date": "2026-07-07"
        }
      ]
    },
    {
      "indicator": "http://api.ipify.org/?format=json",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "http://cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "http://clawdbot.getintwopc.site/config.json&#x27",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "http://clawdbot.getintwopc.site/dl/Lightshot.dll&#x27",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "http://clawdbot.getintwopc.site/dl/Lightshot.exe&#x27",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "http://cutt.ly/lwD7B7lp,”",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-08",
      "last_seen": "2024-01-08",
      "reports": [
        {
          "slug": "deceptive-cracked-software-spreads-lumma-variant-on-youtube",
          "title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube",
          "url": "https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/",
          "date": "2024-01-08"
        }
      ]
    },
    {
      "indicator": "http://gosiweb.gosiclass.com/m/gnu/convert/html/com/list.php?query=6",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "http://ip-api.com/json",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-23",
      "last_seen": "2026-05-23",
      "reports": [
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "http://web071zoom.us/fix/audio-fv/7217417464",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "http://web071zoom.us/fix/audio-tr/7217417464",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "http://web071zoom.us/fix/audio/4542828056",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "cisco-sdwan-active-exploitation-edge-controller-review",
          "title": "Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review",
          "url": "https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "https://2117.filemail.com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://64.95.10.115:23011/update.sh",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "https://85.155.186.121/access/Remote%20Access-linux64-offline.tar?language=en&amp;app=76049110434275449312180081368257747094",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "https://academy.breakdev.org/evilginx-mastery",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "https://aka.ms/threatintelblog",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "https://api.anthropic.com/v1/api",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-13",
      "last_seen": "2026-06-13",
      "reports": [
        {
          "slug": "shai-hulud-ai-scanner-evasion-package-supply-chain-defense",
          "title": "Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries",
          "url": "https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/",
          "date": "2026-06-13"
        }
      ]
    },
    {
      "indicator": "https://api.telegram.org",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "https://api.wigetticks.com/logout/private-response.php?8D1V4th3",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "https://api.wizzleticks.com/claims/scope-schema.php?4ManBBdA",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-18",
      "last_seen": "2026-06-18",
      "reports": [
        {
          "slug": "smartapesg-okendo-widget-supply-chain-risk",
          "title": "SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk",
          "url": "https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/",
          "date": "2026-06-18"
        }
      ]
    },
    {
      "indicator": "https://apisix.apache.org",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "apache-apisix-auth-bypass-plugin-review",
          "title": "Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review",
          "url": "https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "https://apps.nulab.com/signup/verify",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/content/Lumen/Black_Lotus_Labs_Video-6341053041112",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/author-black-lotus-labs-logo-image-300x300?Creativeid=b08a9660-2840-4cf8-b2b4-aa45b9585632",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig1?$PNG$&#x26;Creativeid=baae57fe-30cb-446d-9373-b5835ed6d74a",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig2?$PNG$&#x26;Creativeid=679e321b-7df3-45e4-9292-c1c02c13732c",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig3?$PNG$&#x26;Creativeid=c742db12-86dc-4216-b182-07991ebadce5",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig4?$PNG$&#x26;Creativeid=f104f1c6-3a1f-460b-b597-813b63e43e0d",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig5?$PNG$&#x26;Creativeid=9f6a7f84-711d-4f83-b1b4-38b6129e1d23",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig6?$PNG$&#x26;Creativeid=a9148deb-22b8-43c8-bb11-dc6feceb9714",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-fig8?$PNG$&#x26;Creativeid=bdd1dcd8-5848-4020-b2e8-448ad48d9e98",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-malware-showboat-table?$JPG$&#x26;Creativeid=416e9156-1fd8-4382-b2a3-107f5062946a",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-bll-newmalware-figure7?$PNG$&#x26;Creativeid=adbfea9c-c17b-4cbe-bb9d-c800b6b23a84",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-featured-resource-card-bll?Creativeid=844b527d-b24a-4d66-928e-9d6964fc2220",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://assets.lumen.com/is/image/Lumen/img-blog-header-bll-malware-848x566?$PNG$&#x26;Creativeid=7832e142-117a-4b22-9ce4-cf575ba34f02",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://atsheisdomestic.org/update-thanks.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "https://auraguest.lk/m/douV2quu.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "https://badkeys.info/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "linux-kernel-ipsec-attack-surface-reduction",
          "title": "Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority",
          "url": "https://bulwarkblack.com/linux-kernel-ipsec-attack-surface-reduction/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "https://basecon.com.ua/calculator.rar",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "https://best-tinted.com/github-download.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "https://bots.autoupdate.online:8080/test",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://botshield.vu/kFcjld",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "https://botshield.vu/KKRkm9",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "https://business-data-leaks.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "https://caliber-spinner-finishing.ngrok-free.dev:443/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "fake-payment-sdk-npm-pypi-secret-theft-defense",
          "title": "Fake Payment SDKs Show Why Dependency Risk Is Credential Risk",
          "url": "https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "https://cdn-lfs-us-1.hf.co/r",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "https://cdn-lfs-us-1.hf.co/repos/a5/0c/a50cf45d8b119af0cc75679c8307b05e29f2bc85b6d0bd55999dd018639f1c72/19f1a6b9ad1a9654e7c78fa2d37a3ec10192b01b636c5fc1995b80bf6f7dcb36?response-content-disposition=attachment%3B+filename*%3DUTF-8%27%27b.apk%3B+filename%3D%22b.apk%22%3B&amp;response-content-type=application%2Fvnd.android.package-archive&amp;Expires=1764089304&amp;Policy=eyJTdGF0ZW1lbnQiOlt7IkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc2NDA4OTMwNH19LCJSZXNvdXJjZSI6Imh0dHBzOi8vY2RuLWxmcy11cy0xLmhmLmNvL3JlcG9zL2E1LzBjL2E1MGNmNDVkOGIxMTlhZjBjYzc1Njc5YzgzMDdiMDVlMjlmMmJjODViNmQwYmQ1NTk5OWRkMDE4NjM5ZjFjNzIvMTlmMWE2YjlhZDFhOTY1NGU3Yzc4ZmEyZDM3YTNlYzEwMTkyYjAxYjYzNmM1ZmMxOTk1YjgwYmY2ZjdkY2IzNj9yZXNwb25zZS1jb250ZW50LWRpc3Bvc2l0aW9uPSomcmVzcG9uc2UtY29udGVudC10eXBlPSoifV19&amp;Signature=Mqc2vLuG17L9PD9eOO96Tbl8S1P6Efgzc1c%7EvjGQqg7jE6NcLyKqkIn7Koq06ybpChfuNeUOUSIRvqUXUd%7EAUt1mvivbp8cZla5frbYSx6ce2-Enp7KmhKXafgpPH6Hr8sGEt8EO56g3oF867bsCO3qH4Q9HqcX6DZZfgyysDxK22VIzEOYCoGqzIa0pj1gFr57PGdcyQJxqFDvpQ9KiCoLxqGjf4O5EpO-4bLJ53D3nZUTrDZX3sCHo7hUOxwqBMUefhgL0BKhL4JPfaBsHyfM9Cj%7EO1yPsf6CqZd%7EVfQWh9CH6ZW834YlKppFxovUMdg3dUHxUNUBDZg2-Nf3plw__&amp;Key-Pair-Id=K24J24Z295AEI9",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "https://championships-peoples-point-cassette.trycloudflare.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://championships-peoples-point-cassette.trycloudflare.com/prop.py",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://chkactive.online/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://ci.appveyor.com/project/plusvic/yara/build/job/wthlb30bklmlns0a/artifacts",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://circoloesteri.elezioni.idnet.it/admin-election/riepilogo.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "https://cloud-server.store/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://cloud.projectdiscovery.io/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "announcing-cvemap-from-projectdiscovery",
          "title": "Announcing cvemap from ProjectDiscovery",
          "url": "https://bulwarkblack.com/announcing-cvemap-from-projectdiscovery/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "https://cloud.projectdiscovery.io/?ref=api_key",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "announcing-cvemap-from-projectdiscovery",
          "title": "Announcing cvemap from ProjectDiscovery",
          "url": "https://bulwarkblack.com/announcing-cvemap-from-projectdiscovery/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "https://cockpit.sumsub.com/checkus#/applicant/66a453df5137ba3da8742f58/basicInfo?clientId=gate.us_60664",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://community.spiceworks.com/topic/2107142-what-are-all-of-the-file-types-on-a-windows-pc-that-contain-executable-code",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://company.sharepoint.com/sites/ProductionOps/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "https://darkgptprivate.com/d111&quot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "https://dataupload.store/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://decoraat.net:443",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "https://discord.com/register",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://dl.k8s.io/release/$(curl",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl&quot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://docspace-twpf0e.onlyoffice.com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.[REDACTED].zip",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://docspace-y4cumb.onlyoffice.com/storage/files/root/folder_3602000/file_3601577/v1/content.zip[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://doi.org/10.48550/arXiv.2509.14233",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "https://download.datatabletemplate.xyz/account/register/id=8118555902061899&amp;secret=QwLoOZSDakFh",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://ehxbxtjliybbloantpwq.supabase.co/rest/v1/agents?select",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "https://ehxbxtjliybbloantpwq.supabase.co/rest/v1/owners?select=email,x_handle,x_name&#x26;email=neq.null&#x26;limit=5",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "https://ehxbxtjliybbloantpwq.supabase.co/rest/v1/posts?id=eq.74b073fd-37db-4a32-a9e1-c7652e5c0d59",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "https://ehxbxtjliybbloantpwq.supabase.co/rest/v1/users",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "https://ElementShift.azurewebsites.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://ernigr-esfilc.com/security/logon.jsp?verify=7g2q978fg11jka=891FHjaH32-2f1Hnb2sF",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "https://etoftheappyrince.org/update-delay",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "https://everycarebd.com/imagelkjh0987.png",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "pawsrunner-steganography-purelogs-infostealer-defense",
          "title": "PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight",
          "url": "https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "https://evil.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "autojack-ai-agent-localhost-rce-boundaries",
          "title": "AutoJack Shows AI Browsing Agents Need Localhost Boundaries",
          "url": "https://bulwarkblack.com/autojack-ai-agent-localhost-rce-boundaries/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "https://file-server.store/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://filedrive.online/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://flashserve.store/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion",
          "title": "Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion",
          "url": "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://freefoodaid.com/documents/2_2.d",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://freefoodaid.com/documents/2_2.lNk",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://freefoodaid.com/tables/tables.d",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor",
          "title": "APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor",
          "url": "https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://gy4q3fpx3gh77gw.kk5yuzmev2qbgulz.com/#/domin/list",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://hackaday.io/project/162131-graphical-pinout-generator/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "faking-bluetooth-le-with-an-nrf24l01-module",
          "title": "FAKING BLUETOOTH LE WITH AN NRF24L01+ MODULE",
          "url": "https://bulwarkblack.com/faking-bluetooth-le-with-an-nrf24l01-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "https://healightejustb.org/checkupdateTO.js",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "https://help.evilginx.com/docs/category/getting-started",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "https://help.ivanti.com/mi/help/en_us/core/11.x/gsg/CoreGettingStarted/Configuring_LDAP_servers.htm",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation",
          "title": "Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation",
          "url": "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "https://huggingface.co",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "https://huggingface.co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk?download=true",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "https://ico.org.uk/media2/xdrfahsw/south-staffordshire-plc-and-south-staffordshire-water-plc-monetary-penalty-notice.pdf",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://investigation-launches-hearings-copying.trycloudflare.com/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://itsec.hboeck.de/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-16",
      "last_seen": "2026-05-16",
      "reports": [
        {
          "slug": "linux-kernel-ipsec-attack-surface-reduction",
          "title": "Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority",
          "url": "https://bulwarkblack.com/linux-kernel-ipsec-attack-surface-reduction/",
          "date": "2026-05-16"
        }
      ]
    },
    {
      "indicator": "https://judiemkqjajsfzpidfjlowgl8nyrtd49x.oast.fun",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "https://kiamatka.com/kaiok.kakman",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "https://ledger.setuptransactioncheck.com/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://lrtechs.backlog.com/dashboard",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad&quot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-05",
      "last_seen": "2026-02-05",
      "reports": [
        {
          "slug": "dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019",
          "title": "DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019",
          "url": "https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/",
          "date": "2026-02-05"
        }
      ]
    },
    {
      "indicator": "https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "backdoor-win32-carbanak-anunak-named-pipe-null-dacl",
          "title": "Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL",
          "url": "https://bulwarkblack.com/backdoor-win32-carbanak-anunak-named-pipe-null-dacl/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "https://metamask.awaitingfor.site/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://mononapfp.sharepoint.com/:f:/document/INV-IgCx1X50pgUjR7iAjZL2fuQaAW4GfKVs6wHT3BYv9sgwW7g”",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "https://mononapfpcom.sharepoint.com/:f:/g/IgAdH_aaBPMcQbtINZzC1TsLARj3dHj63MnKjvnY-QJrKEc",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "https://my.f5.com/manage/s/article/K000156741",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://NanoMatrix.azurewebsites.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://niscarea.com/in.php?cn=[base64]&amp;fn=[DateTime",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "https://onedow.gesecole.net/download",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "https://onedown.gesecole.net/download",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "https://online.zp.ua/wp-content/uploads/Tools/EditorToolsPdf.zip",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "https://organization.sharepoint.com/sites/Legal_Archive/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://ottawacitizen.com/news/local-news/what-is-going-on-in-ottawa-handcuffing-of-another-child-with-autism-worries-advocates",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "kimwolf-arrest-iot-ddos-defense",
          "title": "Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT",
          "url": "https://bulwarkblack.com/kimwolf-arrest-iot-ddos-defense/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://parkspringshotel.com/m/Lu6aeloo.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "https://pastebin.com/raw/[actor_page",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "https://penskecar.riersrmissecured.com/_c/cstm/4325/reg/DOTLookup.aspx",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "https://QuantumWeave.azurewebsites.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://redcanary.com/blog/raspberry-robin",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://redmaple.tech/blogs/macho-files/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "https://retrodayaengineering.icu/HGG.hta",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "https://rsrmissecured.top/.git/config",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "https://safeup.store/test",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://safeupload.online/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://scan.aquasecurtiy.org",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://scheta.site/api.store/Setup.msix",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "https://scheta.site/api.store/ZoomInstaller.msix",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://simple-help.com/release-news",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "https://simple-help.com/security/simplehelp-security-update-2026-05",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense",
          "title": "SimpleHelp Exploitation Shows RMM Is a Credential Control Plane",
          "url": "https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "https://sinterfumesco.com/search?utn=[Tracking",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "https://socprime.com/active-threats/solyximmortal-python-malware-analysis/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://souls-entire-defined-routes.trycloudflare.com/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://souls-entire-defined-routes.trycloudflare.com/kamikaze.sh",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://souls-entire-defined-routes.trycloudflare.com/kube.py&quot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://static.cdncounter.net/assets/index.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42&quot;&gt;&lt;/script&gt",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "https://support.ms-live.us/301631/check",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://support.ms-live.us/register/22989524464UcX2b5w52",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://support.ms-live.us/update/02583235891M49FYUN57",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://tbhmlive.com/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-12",
      "last_seen": "2024-01-12",
      "reports": [
        {
          "slug": "the-bug-hunters-methodology-live",
          "title": "THE BUG HUNTERS METHODOLOGY LIVE",
          "url": "https://bulwarkblack.com/the-bug-hunters-methodology-live/",
          "date": "2024-01-12"
        }
      ]
    },
    {
      "indicator": "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "teampcp-deploys-canisterworm-wiper-to-target-iranian-systems",
          "title": "TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems",
          "url": "https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://thecyberwire.com/podcasts/microsoft-threat-intelligence",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "https://transfer.weepee.io/7nZw7/blue.drx",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "https://trezor.authentication-check.io/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "https://trezor.authentication-check.io/black/api/send.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "https://tria.ge/250530-ttmjhayzhw",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "https://tria.ge/250812-zw4tfszpy4",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-30",
      "last_seen": "2026-06-30",
      "reports": [
        {
          "slug": "bing-seo-poisoning-bumblebee-adaptix-akira-ransomware",
          "title": "Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access",
          "url": "https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/",
          "date": "2026-06-30"
        }
      ]
    },
    {
      "indicator": "https://trueconf.com/docs/server/en/admin/info/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-04-01",
      "last_seen": "2026-04-01",
      "reports": [
        {
          "slug": "operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments",
          "title": "Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments",
          "url": "https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/",
          "date": "2026-04-01"
        }
      ]
    },
    {
      "indicator": "https://urgent-update.cloud/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://vision.stark-industries.solutions/auth/login",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://writeup.live/test",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-03",
      "last_seen": "2026-06-03",
      "reports": [
        {
          "slug": "red-hat-miasma-npm-supply-chain-trusted-publishing-defense",
          "title": "Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary",
          "url": "https://bulwarkblack.com/red-hat-miasma-npm-supply-chain-trusted-publishing-defense/",
          "date": "2026-06-03"
        }
      ]
    },
    {
      "indicator": "https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "https://www.ambitiouspr.co.uk/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "how-to-communicate-a-cyber-breach-to-minimize-reputational-damage",
          "title": "How to communicate a cyber breach to minimize reputational damage",
          "url": "https://bulwarkblack.com/how-to-communicate-a-cyber-breach-to-minimize-reputational-damage/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "https://www.circoloesteri.it/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "https://www.crystalpdf.com/conditions",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-21",
      "last_seen": "2026-05-21",
      "reports": [
        {
          "slug": "tamperedchef-signed-productivity-apps-malware-defense",
          "title": "TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default",
          "url": "https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/",
          "date": "2026-05-21"
        }
      ]
    },
    {
      "indicator": "https://www.cve.org/CVERecord?id=CVE-2026-24061",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://www.cve.org/CVERecord?id=CVE-2026-39999",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-19",
      "last_seen": "2026-06-19",
      "reports": [
        {
          "slug": "apache-apisix-auth-bypass-plugin-review",
          "title": "Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review",
          "url": "https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/",
          "date": "2026-06-19"
        }
      ]
    },
    {
      "indicator": "https://www.cvedetails.com/cve/CVE-2026-24061/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-31",
      "last_seen": "2026-01-31",
      "reports": [
        {
          "slug": "cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access",
          "title": "CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access",
          "url": "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/",
          "date": "2026-01-31"
        }
      ]
    },
    {
      "indicator": "https://www.cyfirma.com/research/solyximmortal-python-malware-analysis/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "solyximmortal-python-infostealer-business-risk",
          "title": "SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise",
          "url": "https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://www.darktrace.com/blog/darktraces-view-on-operation-lunar-peek-exploitation-of-palo-alto-firewall-devices-cve-2024-2012-and-2024-9474",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "f5-confluence-edge-identity-attack-path",
          "title": "F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths",
          "url": "https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "https://www.dropbox.com/scl/fi/tmwi4j86op04r9qo2xdgh/zoomupdate.msi?rlkey=ymr9yn5p3q2w2l3uz9cg71dvm&amp;st=q93av9p6&amp;dl=1",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-27",
      "last_seen": "2026-01-27",
      "reports": [
        {
          "slug": "fake-clawdbot-vs-code-extension-deploys-screenconnect-rat",
          "title": "Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT",
          "url": "https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/",
          "date": "2026-01-27"
        }
      ]
    },
    {
      "indicator": "https://www.drs.gov.ua/wp-content/themes/twentytwentyfive/docs.zip",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-25",
      "last_seen": "2026-06-25",
      "reports": [
        {
          "slug": "turla-stockstay-backdoor-egress-visibility",
          "title": "Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility",
          "url": "https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/",
          "date": "2026-06-25"
        }
      ]
    },
    {
      "indicator": "https://www.garykessler.net/library/file_sigs.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://www.hightkdhe.store/star/main.php",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "https://www.homeatedke.store/star/main.php",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "https://www.hudsonrock.com/schedule-demo",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://www.lumen.com/en-us/security/black-lotus-labs.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-01",
      "last_seen": "2026-06-01",
      "reports": [
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        }
      ]
    },
    {
      "indicator": "https://www.mediafire.com/file/gflsp6ovigjnvms/@#Full_Istaller_Pc_Setup_2024_PaSSW%E1%B9%8FrD^$.zip/file",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-12",
      "last_seen": "2026-03-12",
      "reports": [
        {
          "slug": "infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration",
          "title": "Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration",
          "url": "https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/",
          "date": "2026-03-12"
        }
      ]
    },
    {
      "indicator": "https://www.moltbook.com/_next/static/chunks/18e24eafc444b2b9.js",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-03",
      "last_seen": "2026-02-03",
      "reports": [
        {
          "slug": "vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach",
          "title": "Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach",
          "url": "https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/",
          "date": "2026-02-03"
        }
      ]
    },
    {
      "indicator": "https://www.news9live.com/technology/tech-news/hackers-used-claude-hit-mexico-agencies-150gb-data-claim-report-2936314",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-20",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "operation-escaneo-latin-america-edge-device-defense",
          "title": "Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets",
          "url": "https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/",
          "date": "2026-06-20"
        }
      ]
    },
    {
      "indicator": "https://www.philion.store/star/main.php",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "https://www.r-tec.net/r-tec-blog-evade-signature-based-phishing-detections.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-26",
      "last_seen": "2024-01-26",
      "reports": [
        {
          "slug": "how-to-protect-evilginx-using-cloudflare-and-html-obfuscation",
          "title": "How to protect Evilginx using Cloudflare and HTML Obfuscation",
          "url": "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/",
          "date": "2024-01-26"
        }
      ]
    },
    {
      "indicator": "https://www.ransomware.live/group/clop",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "clop-south-staffs-water-soc-coverage-defense",
          "title": "Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven",
          "url": "https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "https://www.schneier.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-16",
      "last_seen": "2026-03-16",
      "reports": [
        {
          "slug": "the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks",
          "title": "The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks",
          "url": "https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/",
          "date": "2026-03-16"
        }
      ]
    },
    {
      "indicator": "https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout",
          "title": "Hide and Seek in Windows’ Closet: Unmasking the WinSxS Hijacking Hideout",
          "url": "https://bulwarkblack.com/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://www.sparkfun.com/news/1947",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-11",
      "last_seen": "2024-01-11",
      "reports": [
        {
          "slug": "faking-bluetooth-le-with-an-nrf24l01-module",
          "title": "FAKING BLUETOOTH LE WITH AN NRF24L01+ MODULE",
          "url": "https://bulwarkblack.com/faking-bluetooth-le-with-an-nrf24l01-module/",
          "date": "2024-01-11"
        }
      ]
    },
    {
      "indicator": "https://www.tarlogic.com/blog/seloaddriverprivilege-privilege-escalation/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-05",
      "last_seen": "2024-01-05",
      "reports": [
        {
          "slug": "100-days-of-yara-2023",
          "title": "100 Days of YARA – 2023",
          "url": "https://bulwarkblack.com/100-days-of-yara-2023/",
          "date": "2024-01-05"
        }
      ]
    },
    {
      "indicator": "https://www.treadstone71.com/cognitive-army",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs",
          "title": "APT31’s Multi-Year Cyber Espionage Campaign Against Czech Ministry of Foreign Affairs",
          "url": "https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "https://www.treadstone71.com/training/building-a-cognitive-warfare-cyber-psyops-program",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs",
          "title": "APT31’s Multi-Year Cyber Espionage Campaign Against Czech Ministry of Foreign Affairs",
          "url": "https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "https://www.treadstone71.com/training/p-omega-syllabus",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs",
          "title": "APT31’s Multi-Year Cyber Espionage Campaign Against Czech Ministry of Foreign Affairs",
          "url": "https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "https://www.treadstone71.com/training/the-mission",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-25",
      "last_seen": "2026-02-25",
      "reports": [
        {
          "slug": "apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs",
          "title": "APT31’s Multi-Year Cyber Espionage Campaign Against Czech Ministry of Foreign Affairs",
          "url": "https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/",
          "date": "2026-02-25"
        }
      ]
    },
    {
      "indicator": "https://www.trustbastion.com/xiazz.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "huggingface.co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk?download=true",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "ip-api.com/json",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-05-23",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        },
        {
          "slug": "void-dokkaebi-invisibleferret-developer-endpoint-risk",
          "title": "Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk",
          "url": "https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/",
          "date": "2026-05-23"
        }
      ]
    },
    {
      "indicator": "ipify.org",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "gremlin-stealer-browser-session-resource-obfuscation",
          "title": "Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets",
          "url": "https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "it.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "itdesk.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-05",
      "last_seen": "2026-06-05",
      "reports": [
        {
          "slug": "unc3753-vishing-rmm-physical-intrusions-law-firms",
          "title": "UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms",
          "url": "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/",
          "date": "2026-06-05"
        }
      ]
    },
    {
      "indicator": "ithr.org",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "kiamatka.com/kaiok.kakman",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-09",
      "last_seen": "2026-03-09",
      "reports": [
        {
          "slug": "boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign",
          "title": "BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign",
          "url": "https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/",
          "date": "2026-03-09"
        }
      ]
    },
    {
      "indicator": "longlastfor.online",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "malaymoil.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "ms-live.us/301631/check",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ms-live.us/register/22989524464UcX2b5w52",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "ms-live.us/update/02583235891M49FYUN57",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "niscarea.com/in.php?cn=[base64",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-03-22",
      "last_seen": "2024-03-22",
      "reports": [
        {
          "slug": "the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group",
          "title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group",
          "url": "https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
          "date": "2024-03-22"
        }
      ]
    },
    {
      "indicator": "notemacro.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "oast.fun",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "oast.pro",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "onedow.gesecole.net/download",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "onedown.gesecole.net/download",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-27",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading",
          "title": "Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading",
          "url": "https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/",
          "date": "2026-02-27"
        }
      ]
    },
    {
      "indicator": "onlyoffice.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "onlyoffice.com/storage/files/root/folder_3602000/file_3601577/v1/content.zip[",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "onlyoffice.com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.[REDACTED",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-22",
      "last_seen": "2026-05-22",
      "reports": [
        {
          "slug": "screening-serpens-recruiting-espionage-attack-surface",
          "title": "Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface",
          "url": "https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/",
          "date": "2026-05-22"
        }
      ]
    },
    {
      "indicator": "pamconj.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "parkspringshotel.com/m/Lu6aeloo.php",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-09",
      "last_seen": "2026-05-09",
      "reports": [
        {
          "slug": "jdownloader-site-compromise-trusted-download-verification",
          "title": "JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification",
          "url": "https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/",
          "date": "2026-05-09"
        }
      ]
    },
    {
      "indicator": "passkeyms.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "penskecar.riersrmissecured.com/_c/cstm/4325/reg/DOTLookup.aspx",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-26",
      "reports": [
        {
          "slug": "diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector",
          "title": "Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector",
          "url": "https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "philion.store/star/main.php",
      "type": "URLs",
      "report_count": 2,
      "first_seen": "2026-02-26",
      "last_seen": "2026-02-27",
      "reports": [
        {
          "slug": "apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks",
          "title": "APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/",
          "date": "2026-02-27"
        },
        {
          "slug": "apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks",
          "title": "APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks",
          "url": "https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/",
          "date": "2026-02-26"
        }
      ]
    },
    {
      "indicator": "pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "qzz.io",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-04",
      "last_seen": "2026-03-04",
      "reports": [
        {
          "slug": "zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613",
          "title": "Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613",
          "url": "https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/",
          "date": "2026-03-04"
        }
      ]
    },
    {
      "indicator": "res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "retrodayaengineering.icu/HGG.hta",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-11",
      "last_seen": "2026-02-11",
      "reports": [
        {
          "slug": "xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection",
          "title": "XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection",
          "url": "https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/",
          "date": "2026-02-11"
        }
      ]
    },
    {
      "indicator": "safeup.store/test",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "safeupload.online/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "scheta.site/api.store/Setup.msix",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "scheta.site/api.store/ZoomInstaller.msix",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2024-01-09",
      "last_seen": "2024-01-09",
      "reports": [
        {
          "slug": "financially-motivated-threat-actors-misusing-app-installer",
          "title": "Financially motivated threat actors misusing App Installer",
          "url": "https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/",
          "date": "2024-01-09"
        }
      ]
    },
    {
      "indicator": "security-update.xyz",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "setupsso.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-15",
      "last_seen": "2026-05-15",
      "reports": [
        {
          "slug": "blackfile-vishing-extortion-identity-defense",
          "title": "BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough",
          "url": "https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/",
          "date": "2026-05-15"
        }
      ]
    },
    {
      "indicator": "setuptransactioncheck.com/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-16",
      "last_seen": "2026-02-16",
      "reports": [
        {
          "slug": "physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases",
          "title": "Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases",
          "url": "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/",
          "date": "2026-02-16"
        }
      ]
    },
    {
      "indicator": "shapelie.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-21",
      "last_seen": "2026-03-21",
      "reports": [
        {
          "slug": "darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover",
          "title": "DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover",
          "url": "https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/",
          "date": "2026-03-21"
        }
      ]
    },
    {
      "indicator": "sharepoint.com/:f:/document/INV-IgCx1X50pgUjR7iAjZL2fuQaAW4GfKVs6wHT3BYv9sgwW7g”",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "sharepoint.com/:f:/g/IgAdH_aaBPMcQbtINZzC1TsLARj3dHj63MnKjvnY-QJrKEc",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-01",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        }
      ]
    },
    {
      "indicator": "signsafe.xyz/update",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "sinterfumesco.com/search?utn=[Tracking",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-06-02",
      "last_seen": "2026-06-02",
      "reports": [
        {
          "slug": "flutterbridge-macos-malvertising-fluttershell-backdoor-defense",
          "title": "FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware",
          "url": "https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/",
          "date": "2026-06-02"
        }
      ]
    },
    {
      "indicator": "smshero.ai",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "smshero.co",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-09",
      "last_seen": "2026-02-09",
      "reports": [
        {
          "slug": "fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals",
          "title": "Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals",
          "url": "https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/",
          "date": "2026-02-09"
        }
      ]
    },
    {
      "indicator": "supportxmr.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-07-08",
      "last_seen": "2026-07-08",
      "reports": [
        {
          "slug": "vidar-xmrig-malvertising-file-size-code-signing-defense",
          "title": "Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls",
          "url": "https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/",
          "date": "2026-07-08"
        }
      ]
    },
    {
      "indicator": "system-update.xyz",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "systemupdate.cloud",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "systemupdate.cloud/client",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "trustbastion.com/xiazz.html",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-01-30",
      "last_seen": "2026-01-30",
      "reports": [
        {
          "slug": "android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat",
          "title": "Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT",
          "url": "https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/",
          "date": "2026-01-30"
        }
      ]
    },
    {
      "indicator": "trycloudflare.com/",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "trycloudflare.com/kube.py&quot",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "trycloudflare.com/prop.py",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-24",
      "last_seen": "2026-03-24",
      "reports": [
        {
          "slug": "canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran",
          "title": "CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran",
          "url": "https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/",
          "date": "2026-03-24"
        }
      ]
    },
    {
      "indicator": "updatecheck.store",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "urgent-update.cloud/uploadfiles",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "video-meeting.online",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "web071zoom.us/fix/audio-fv/7217417464",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "web071zoom.us/fix/audio-tr/7217417464",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "web071zoom.us/fix/audio/4542828056",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "webredirect.org",
      "type": "URLs",
      "report_count": 5,
      "first_seen": "2026-03-01",
      "last_seen": "2026-06-20",
      "reports": [
        {
          "slug": "showboat-linux-malware-telecom-persistence-defense",
          "title": "Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring",
          "url": "https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/",
          "date": "2026-06-20"
        },
        {
          "slug": "showboat-jfmbackdoor-telecom-intrusion-defense",
          "title": "Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting",
          "url": "https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/",
          "date": "2026-06-01"
        },
        {
          "slug": "google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries",
          "title": "Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries",
          "title": "Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries",
          "url": "https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/",
          "date": "2026-03-06"
        },
        {
          "slug": "google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries",
          "title": "Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries",
          "url": "https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/",
          "date": "2026-03-01"
        }
      ]
    },
    {
      "indicator": "weepee.io/7nZw7/blue.drx",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-23",
      "last_seen": "2026-02-23",
      "reports": [
        {
          "slug": "unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors",
          "title": "Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors",
          "url": "https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/",
          "date": "2026-02-23"
        }
      ]
    },
    {
      "indicator": "windows.net",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-05-24",
      "last_seen": "2026-05-24",
      "reports": [
        {
          "slug": "roadtools-cloud-identity-entra-id-defense",
          "title": "ROADtools Abuse Shows Cloud Identity Is the New Attack Surface",
          "url": "https://bulwarkblack.com/roadtools-cloud-identity-entra-id-defense/",
          "date": "2026-05-24"
        }
      ]
    },
    {
      "indicator": "workers.dev",
      "type": "URLs",
      "report_count": 3,
      "first_seen": "2026-03-03",
      "last_seen": "2026-07-01",
      "reports": [
        {
          "slug": "artoken-eviltokens-microsoft-365-bec-token-defense",
          "title": "ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane",
          "url": "https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/",
          "date": "2026-07-01"
        },
        {
          "slug": "device-code-phishing-oauth-token-theft-defense",
          "title": "Device Code Phishing Turns Legitimate Login Flows Into Token Theft",
          "url": "https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/",
          "date": "2026-05-16"
        },
        {
          "slug": "silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2",
          "title": "Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2",
          "url": "https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/",
          "date": "2026-03-03"
        }
      ]
    },
    {
      "indicator": "writeup.live/test",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-10",
      "last_seen": "2026-02-10",
      "reports": [
        {
          "slug": "bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives",
          "title": "BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives",
          "url": "https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/",
          "date": "2026-02-10"
        }
      ]
    },
    {
      "indicator": "xyz.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-03-23",
      "last_seen": "2026-03-23",
      "reports": [
        {
          "slug": "unit-42-warns-ai-agents-could-enable-gift-card-theft-and-returns-fraud-at-scale",
          "title": "Unit 42 Warns: AI Agents Could Enable Gift Card Theft and Returns Fraud at Scale",
          "url": "https://bulwarkblack.com/unit-42-warns-ai-agents-could-enable-gift-card-theft-and-returns-fraud-at-scale/",
          "date": "2026-03-23"
        }
      ]
    },
    {
      "indicator": "zergpool.com",
      "type": "URLs",
      "report_count": 1,
      "first_seen": "2026-02-04",
      "last_seen": "2026-02-04",
      "reports": [
        {
          "slug": "shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory",
          "title": "ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory",
          "url": "https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/",
          "date": "2026-02-04"
        }
      ]
    }
  ]
}