{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/threat-intelligence/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2014-6271"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["honeypot","ai","deception","threat-intelligence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe rise of AI brings advantages to both defenders and threat actors. This brief explores how generative AI can be leveraged to create adaptive honeypot systems. These systems can instantly create diverse honeypots, such as Linux shells or IoT devices, using simple text prompts. This approach offers a scalable method for deploying complex, convincing deceptive environments. Because AI-driven attacks often prioritize speed over stealth, they are highly susceptible to being tricked by these simulated systems. Defenders can actively manipulate and mislead threat actors, observing their methodologies in real-time within a controlled environment. 
By exploiting the inherent lack of awareness in AI agents, defenders can turn the attacker\u0026rsquo;s automation into a liability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s AI-driven tool scans a range of IP addresses, identifying open TCP ports.\u003c/li\u003e\n\u003cli\u003eThe attacking tool connects to a honeypot listener on a designated port.\u003c/li\u003e\n\u003cli\u003eThe honeypot presents a simulated login prompt.\u003c/li\u003e\n\u003cli\u003eThe attacking tool attempts to authenticate using common credentials or exploits known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eIf the attacker attempts the correct username (\u0026ldquo;admin\u0026rdquo;) and password (\u0026ldquo;password123\u0026rdquo;), or exploits a simulated vulnerability like Shellshock (CVE-2014-6271), the honeypot grants access to a simulated environment.\u003c/li\u003e\n\u003cli\u003eThe attacker issues commands, believing they are interacting with a real system.\u003c/li\u003e\n\u003cli\u003eThe honeypot, powered by a generative AI model, responds in a manner consistent with the simulated environment, logging all attacker actions.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally, install malware, or exfiltrate data, all within the confines of the honeypot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deployment of AI-powered honeypots allows organizations to gain valuable insights into the tactics, techniques, and procedures (TTPs) of automated threat actors. This information can be used to improve existing security measures, develop more effective detection strategies, and proactively defend against future attacks. By observing attacker behavior in a controlled environment, organizations can minimize the risk of real systems being compromised. 
The number of diverted attacks will vary depending on honeypot deployment scale and attacker activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy honeypots simulating common services or devices within your network to attract automated attacks and observe attacker behavior.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to honeypot IP addresses (using a firewall or network intrusion detection system) and trigger alerts on any inbound connection attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Successful Honeypot Authentication\u0026rdquo; to identify when an attacker successfully authenticates to the honeypot.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on systems running honeypots and deploy the Sigma rule \u0026ldquo;Detect Suspicious Commands in Honeypot Environment\u0026rdquo; to identify malicious commands executed within the simulated environment.\u003c/li\u003e\n\u003cli\u003eReview network traffic generated by honeypots for exploitation attempts targeting vulnerabilities like CVE-2014-6271.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T10:00:42Z","date_published":"2026-04-29T10:00:42Z","id":"/briefs/2026-04-ai-honeypots/","summary":"Generative AI can be used to rapidly deploy adaptive honeypot systems that simulate diverse environments, like Linux shells or IoT devices, to trick and observe AI-driven attacks that prioritize speed over stealth.","title":"AI-Powered Honeypots: Deceptive Environments for Automated Threat Actors","url":"https://feed.craftedsignal.io/briefs/2026-04-ai-honeypots/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star 
Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","threat-intelligence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Falcon Cloud Security with new CNAPP (Cloud-Native Application Protection Platform) capabilities designed to provide more proactive and context-aware cloud security. These advancements address limitations in current CNAPP solutions, which often lack visibility into business applications, ignore adversary behavior, and result in endless triage due to a lack of causality information. The new features, including Application Explorer and adversary-informed risk prioritization, aim to provide security teams with the necessary context to understand cloud risks, prioritize remediation efforts, and quickly respond to potential breaches by threat actors, with a specific focus on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER who are known to target cloud environments. 
According to the CrowdStrike 2026 Global Threat Report, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year in 2025, highlighting the need for improved cloud security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Adversaries gain initial access to the cloud environment through various means, such as exploiting misconfigurations or vulnerabilities in cloud services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e Threat actors perform reconnaissance to discover cloud resources, services, and applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Attackers move laterally within the cloud environment, leveraging compromised credentials or exploiting vulnerabilities to access additional resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Adversaries escalate privileges to gain higher-level access to critical cloud resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e Attackers access sensitive data stored in cloud storage resources, databases, or applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The stolen data is exfiltrated from the cloud environment to an external location controlled by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The exfiltration of sensitive data can lead to financial loss, reputational damage, and regulatory penalties for the victim organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful cloud breach can result in significant damage, including data theft, financial losses, and reputational harm. 
The enhanced CNAPP capabilities in CrowdStrike Falcon Cloud Security aim to mitigate these risks by providing organizations with better visibility into cloud assets, risk prioritization based on adversary behavior, and faster remediation capabilities. Specifically, organizations operating in sectors targeted by groups like LABYRINTH CHOLLIMA or SCATTERED SPIDER are at increased risk. In 2025, cloud intrusions increased dramatically, underscoring the urgent need for more effective cloud security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Application Explorer to gain visibility into how business applications run across cloud and on-premises environments and identify application-layer risks.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence feature in Falcon Cloud Security to prioritize cloud risks based on the tactics, techniques, and procedures (TTPs) of known threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eMonitor for overly permissive access to storage resources that connect to applications processing customer personally identifiable information (PII) using a rule like the one below to detect potential data breaches.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule below to identify processes accessing cloud resources with unusual user agents, which can indicate unauthorized access attempts or exploitation activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T06:43:41Z","date_published":"2026-03-30T06:43:41Z","id":"/briefs/2026-03-cnapp-advancements/","summary":"CrowdStrike Falcon Cloud Security enhances its CNAPP capabilities, incorporating adversary intelligence to prioritize cloud risks based on threat actor behavior, particularly focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER, to enable security teams to understand and remediate cloud exposures more 
effectively.","title":"CrowdStrike Falcon Cloud Security Advances CNAPP with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-advancements/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["siem","edr","threat-intelligence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike Falcon Next-Gen SIEM is expanding its capabilities to integrate with third-party EDR solutions, beginning with Microsoft Defender. This allows organizations to modernize their Security Operations Center (SOC) without the need to replace existing endpoint agents. The integration addresses the challenge of adversaries exploiting cross-domain gaps across endpoint, identity, network, and cloud environments. Security teams can now investigate across previously fragmented systems. Falcon Onum, natively embedded within the Falcon platform, delivers a unified experience for real-time data pipelines, enabling ingestion, filtering, enrichment, and routing of data in motion. 
This enhancement aims to reduce noise and improve data fidelity before it reaches downstream systems, leading to faster detection and more efficient investigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary exploits cross-domain gaps across endpoint, identity, network, and cloud environments.\u003c/li\u003e\n\u003cli\u003eAttack spans across different tools and environments, creating fragmented investigation scenarios for security teams.\u003c/li\u003e\n\u003cli\u003eLegacy SIEMs impose a \u0026ldquo;data tax\u0026rdquo; for full ingestion, resulting in slower detection.\u003c/li\u003e\n\u003cli\u003eSiloed tools create blind spots and disconnected workflows, hindering effective response.\u003c/li\u003e\n\u003cli\u003eFalcon Onum ingests data, filters noise, enriches telemetry, and routes data in real-time to reduce storage costs.\u003c/li\u003e\n\u003cli\u003eHigh-signal data is prioritized and routed to Falcon Next-Gen SIEM for active investigations.\u003c/li\u003e\n\u003cli\u003eRemaining data is efficiently archived to cost-effective external data stores like Amazon S3 via Athena.\u003c/li\u003e\n\u003cli\u003eSecurity teams can then investigate across the disparate data sources through federated search, operationalizing threat intelligence at scale.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe lack of integrated security tools leads to slower detection and delayed incident response, making it harder for SOC teams to keep pace with modern threats. Organizations face increased operational costs due to duplicated data and the need for extensive data ingestion. 
By integrating third-party EDR solutions, CrowdStrike aims to provide faster detection, more efficient investigations, and a stronger foundation for AI-driven security operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy Falcon Next-Gen SIEM and configure it to ingest Microsoft Defender telemetry to unify detection, investigation, and response without changing endpoint deployments.\u003c/li\u003e\n\u003cli\u003eLeverage Falcon Onum to filter and enrich data in real-time, reducing noise and storage costs, as mentioned in the \u003cstrong\u003eOverview\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eUtilize federated search capabilities to investigate across live, network, and archived data sources (Falcon LogScale, ExtraHop, Amazon S3 via Athena) as described in the \u003cstrong\u003eAttack Chain\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eExplore the Third-Party Indicator Management feature to ingest, enrich, and manage external indicators of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T14:22:47Z","date_published":"2026-03-29T14:22:47Z","id":"/briefs/2026-03-falcon-siem-microsoft-defender/","summary":"CrowdStrike's Falcon Next-Gen SIEM now supports third-party EDR solutions, starting with Microsoft Defender, to extend AI-native SOC capabilities without replacing existing endpoint agents.","title":"CrowdStrike Falcon Next-Gen SIEM Supports Third-Party EDR Tools","url":"https://feed.craftedsignal.io/briefs/2026-03-falcon-siem-microsoft-defender/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cloud-security","cnapp","threat-intelligence"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced 
its Cloud Native Application Protection Platform (CNAPP) to prioritize cloud risks based on real-world adversary behavior, addressing limitations in traditional CNAPP solutions. These improvements correlate application-layer visibility with cloud infrastructure context, enabling security teams to understand how applications interact with services, access data, use credentials, and integrate AI components. Falcon Cloud Security maps cloud risks to known adversary profiles and observed techniques, allowing security teams to focus on conditions attackers target in documented intrusions. With threat intelligence from over 280 adversary groups, including LABYRINTH CHOLLIMA and SCATTERED SPIDER, organizations can better prepare their defenses against evolving cloud threats. This advancement aims to reduce alert fatigue and enable more effective remediation by aligning security efforts with actual adversary tactics. The enhancements were announced on March 24, 2026, and are designed to address the increasing number of cloud-conscious intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Adversaries exploit misconfigurations or vulnerabilities in cloud infrastructure or applications to gain initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e Using tools and techniques, the adversary performs reconnaissance to map out cloud assets, services, and dependencies, identifying potential targets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages compromised credentials or exploits vulnerabilities to elevate privileges within the cloud environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With elevated privileges, 
the adversary moves laterally across different cloud services and applications to access sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The threat actor accesses business-critical applications, customer PII, or AI components to exfiltrate data or cause disruption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Sensitive data is exfiltrated from the cloud environment to an external location controlled by the adversary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e Adversaries establish persistence mechanisms to maintain access to the compromised cloud environment for future operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The ultimate objective is achieved, whether it be data theft, disruption of services, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, disruption of critical business applications, and financial losses. With the increasing reliance on cloud infrastructure, the impact can extend across various sectors, affecting organizations of all sizes. 
The 266% surge in cloud intrusions in 2025 demonstrates the growing threat, potentially impacting millions of users and costing organizations significant resources to remediate and recover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Cloud Infrastructure Misconfiguration Leading to Potential Data Access\u0026rdquo; Sigma rule to identify overly permissive access to storage resources (rules).\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Shadow AI Activity via LLM Usage\u0026rdquo; Sigma rule to detect unauthorized use of external large language models (LLMs) (rules).\u003c/li\u003e\n\u003cli\u003eLeverage CrowdStrike Falcon Cloud Security to correlate application-layer visibility with cloud infrastructure context for comprehensive risk analysis (overview).\u003c/li\u003e\n\u003cli\u003ePrioritize cloud risks based on adversary intelligence provided by CrowdStrike to focus on conditions targeted by threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T07:19:13Z","date_published":"2026-03-29T07:19:13Z","id":"/briefs/2026-03-cnapp-adversary-prioritization/","summary":"CrowdStrike's CNAPP enhancements prioritize cloud risk based on adversary behavior, correlating application insights with cloud infrastructure telemetry to identify and address critical exposures targeted by specific threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.","title":"CrowdStrike CNAPP Enhancements Prioritize Risk Based on Adversary Behavior","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-prioritization/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["siem","edr","threat-intelligence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike\u0026rsquo;s Falcon Next-Gen SIEM is expanding 
its capabilities to support third-party EDR solutions, beginning with Microsoft Defender. Announced on March 23, 2026, this enhancement allows organizations to integrate Microsoft Defender telemetry into Falcon Next-Gen SIEM, streamlining detection, investigation, and response without requiring changes to existing endpoint deployments. This integration addresses the increasing challenge of adversaries exploiting gaps across endpoint, identity, network, and cloud environments. Falcon Next-Gen SIEM aims to unify disparate security tools and workflows, improve data fidelity, and accelerate security outcomes by eliminating the traditional \u0026ldquo;data tax\u0026rdquo; associated with legacy SIEMs. The updates also include Falcon Onum for real-time data control, federated search capabilities, and third-party indicator management to improve threat intelligence operationalization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to a target environment through various means, potentially bypassing existing endpoint security measures.\u003c/li\u003e\n\u003cli\u003eMicrosoft Defender detects suspicious activity on an endpoint and generates telemetry data.\u003c/li\u003e\n\u003cli\u003eFalcon Next-Gen SIEM ingests the Microsoft Defender telemetry data.\u003c/li\u003e\n\u003cli\u003eFalcon Onum filters, enriches, and routes the telemetry data, reducing noise and improving data fidelity.\u003c/li\u003e\n\u003cli\u003eFalcon Next-Gen SIEM analyzes the processed data, correlating it with other security event data.\u003c/li\u003e\n\u003cli\u003eAI-powered threat detection identifies potentially malicious activity based on the combined data.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the detected activity within the Falcon Next-Gen SIEM console, leveraging federated search capabilities to access additional data sources if needed.\u003c/li\u003e\n\u003cli\u003eBased on the 
investigation, analysts initiate response actions through Falcon Fusion SOAR.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe integration of third-party EDR solutions like Microsoft Defender into CrowdStrike Falcon Next-Gen SIEM aims to reduce the time to detect and respond to threats. By unifying security data and workflows, organizations can eliminate blind spots, improve data fidelity, and accelerate investigations. Successful attacks can lead to data breaches, system compromise, and financial losses. The number of affected organizations and the specific financial impact will depend on the effectiveness of the integrated security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them according to your environment to detect suspicious activity correlated across multiple data sources.\u003c/li\u003e\n\u003cli\u003eEnable and configure Microsoft Defender to generate detailed telemetry data, which can then be ingested into Falcon Next-Gen SIEM for enhanced analysis.\u003c/li\u003e\n\u003cli\u003eUtilize Falcon Onum to filter, enrich, and route telemetry data to improve data fidelity and reduce storage costs, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eLeverage the federated search capabilities of Falcon Next-Gen SIEM to investigate threats across live, network, and archived data sources without costly re-ingestion, as described in the overview.\u003c/li\u003e\n\u003cli\u003eImplement third-party indicator management to operationalize threat intelligence at scale by ingesting, enriching, scoring, and managing external indicators of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T06:23:07Z","date_published":"2026-03-29T06:23:07Z","id":"/briefs/2026-03-falcon-siem-defender-integration/","summary":"CrowdStrike Falcon Next-Gen SIEM now 
supports third-party EDR solutions like Microsoft Defender, enabling unified detection and response across diverse environments, addressing the challenges of cross-domain attacks and fragmented security systems.","title":"CrowdStrike Falcon Next-Gen SIEM Integrates with Microsoft Defender EDR","url":"https://feed.craftedsignal.io/briefs/2026-03-falcon-siem-defender-integration/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","threat-intelligence","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has advanced its Cloud-Native Application Protection Platform (CNAPP) to address limitations in current cloud security approaches. The enhancements include Application Explorer, which provides application-layer visibility alongside cloud infrastructure context, and adversary intelligence for cloud risks. These updates aim to help organizations understand how applications interact with infrastructure and prioritize risks based on threat actor behavior. Specifically, the CNAPP maps cloud risks to over 280 adversary groups tracked by CrowdStrike, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER. This allows security teams to focus on exploitation chains known to be used against specific industries and organizational profiles, moving beyond theoretical risk assessments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a cloud environment through compromised credentials or exploitation of a vulnerability in a cloud service. 
(TA0001)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate privileges within the cloud environment to gain access to more sensitive resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using the compromised credentials or elevated privileges, the attacker moves laterally within the cloud environment to identify and access target applications and data stores.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Discovery:\u003c/strong\u003e The attacker uses Application Explorer (if available) to map application dependencies, identify business-critical applications, and locate AI components (MCPs, LLMs) within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker identifies storage resources or data stores containing sensitive information (e.g., PII) and attempts to exfiltrate the data to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eShadow AI Exploitation:\u003c/strong\u003e The attacker exploits shadow AI activity by identifying unapproved model usage and exposing sensitive data to external AI services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence within the environment to maintain access and continue their activities even if initial access methods are remediated. (TA0003)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of critical business operations. Specific consequences include the compromise of business-critical applications (e.g., payment processing, hospital ERP), exposure of sensitive data (e.g., PII), and the exploitation of AI-driven applications through shadow AI activity. 
In 2025, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year, highlighting the increasing risk and potential impact of cloud-based attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLeverage Falcon Cloud Security\u0026rsquo;s Application Explorer to gain visibility into application dependencies, identify business-critical applications, and map infrastructure risks affecting production applications.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence feature within Falcon Cloud Security to prioritize cloud risks based on known adversary profiles and observed techniques, focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect suspicious activity related to common cloud attack patterns in your environment.\u003c/li\u003e\n\u003cli\u003eReview and harden overly permissive access controls on storage resources identified by CrowdStrike.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T14:46:06Z","date_published":"2026-03-28T14:46:06Z","id":"/briefs/2026-03-cnapp-advances/","summary":"CrowdStrike has enhanced its CNAPP capabilities by adding application-layer visibility and prioritizing risks based on known adversary tactics, techniques, and procedures (TTPs).","title":"CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-advances/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","threat-intelligence","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Falcon Cloud Security with 
new Cloud-Native Application Protection Platform (CNAPP) capabilities designed to prioritize cloud risks based on adversary behavior. This update addresses critical gaps in current CNAPP solutions, including limited visibility into business applications, a lack of integration of adversary intelligence, and difficulties in tracing the root cause of exposures. The new features provide application-layer visibility, correlate risks with threat actor profiles and techniques, and help identify the configuration changes that introduced vulnerabilities. This enables security teams to focus on the attack paths most likely to be exploited by threat actors, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, and to more effectively prioritize remediation efforts within their cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Theoretical):\u003c/strong\u003e An attacker gains initial access to the cloud environment, potentially exploiting a misconfiguration or vulnerability in a cloud service or application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker uses internal reconnaissance techniques to discover cloud resources, application dependencies, and potential attack paths within the cloud environment. This phase can be accelerated by exploiting overly permissive access controls on storage resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate privileges within the cloud environment by exploiting weak IAM configurations, vulnerable services, or exposed credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using compromised credentials or exploiting service vulnerabilities, the attacker moves laterally to other cloud resources and applications within the environment. 
The attacker may target business-critical applications that process sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses sensitive data stored in cloud storage, databases, or other resources, potentially including customer PII.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Theoretical):\u003c/strong\u003e The attacker exfiltrates the stolen data from the cloud environment to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Theoretical):\u003c/strong\u003e The successful attack results in data breaches, financial loss, reputational damage, and disruption of business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed trend of increasing cloud breaches, including a 266% year-over-year surge in cloud-conscious intrusions by state-nexus threat actors in 2025, highlights the critical need for enhanced cloud security measures. Successful attacks can lead to data breaches, financial losses, reputational damage, and disruption of critical business operations, particularly targeting financial services. 
The Falcon Cloud Security CNAPP aims to reduce the risk of such incidents by providing better visibility, risk prioritization, and faster response times.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy Falcon Cloud Security to gain visibility into application-layer risks and dependencies as described in the overview section.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence features of Falcon Cloud Security to prioritize cloud risks based on known threat actor profiles and observed techniques, mapping risks to groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by Falcon Cloud Security that indicate potential attack paths used by known threat actors, focusing on the industries they actively target, as mentioned in the threat brief.\u003c/li\u003e\n\u003cli\u003eEnable and review logs from your cloud infrastructure and application services to correlate with the Falcon Cloud Security findings and identify the configuration changes that introduced the exposures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:17:27Z","date_published":"2026-03-28T08:17:27Z","id":"/briefs/2026-03-crowdstrike-cnapp/","summary":"CrowdStrike's new CNAPP capabilities in Falcon Cloud Security focus on adversary-informed risk prioritization by correlating application-layer visibility with threat actor profiles and techniques, enabling security teams to understand cloud risk, prioritize remediation, and accelerate response.","title":"CrowdStrike Falcon Cloud Security CNAPP with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-crowdstrike-cnapp/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["maltrail","threat-intelligence","apt","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief 
is based on an IOC feed from Maltrail, dated February 27, 2026, which aggregates indicators related to various threat actors and malware campaigns. The tracked actors include APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp. The IOCs primarily consist of domains and IP addresses associated with these groups\u0026rsquo; network infrastructure and malware distribution. These campaigns are likely targeting a wide range of victims across multiple sectors, employing diverse techniques to achieve their objectives, including initial access, command and control, and potentially data exfiltration or deployment of malicious payloads. The data suggests ongoing malicious activity necessitating proactive monitoring and detection efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An unsuspecting user visits a compromised website or interacts with a malicious advertisement, potentially leading to the download of a malware loader such as those associated with SmokeLoader or FakeApp.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Installation:\u003c/strong\u003e The initial loader executes on the victim\u0026rsquo;s system, establishing persistence and preparing the environment for further malicious activities. 
This may involve creating scheduled tasks or modifying registry keys for auto-start.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication:\u003c/strong\u003e The malware establishes communication with a command-and-control server, using domains such as \u003ccode\u003edax.estate\u003c/code\u003e (SmokeLoader) or \u003ccode\u003eresistantmusic.shop\u003c/code\u003e (PowerShell Injector) to receive instructions and transmit data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Injection:\u003c/strong\u003e The PowerShell Injector utilizes multiple techniques to inject malicious code into running processes, allowing it to evade detection and maintain persistence within the system. Domains such as \u003ccode\u003eapostile.zapto.org\u003c/code\u003e and \u003ccode\u003egoogletranslate.zapto.org\u003c/code\u003e may resolve to infrastructure involved in command and control of compromised hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attackers leverage compromised systems to move laterally within the network, potentially using stolen credentials or exploiting vulnerabilities to gain access to additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Sensitive data is collected from compromised systems and exfiltrated to attacker-controlled servers, potentially using domains such as \u003ccode\u003eashersoftlib.com\u003c/code\u003e (APT_Bitter) for staging or exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAndroid Exploitation:\u003c/strong\u003e In the case of Android_Joker, malicious applications distributed through unofficial channels or app stores communicate with \u003ccode\u003epetitle.cloud\u003c/code\u003e for command and control, potentially leading to data theft or installation of further malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinal Objective:\u003c/strong\u003e The final objective of the 
attack may vary depending on the actor and the target, ranging from data theft and espionage (APT_UNC2465, Lazarus Group, APT_Bitter) to financial gain (Android_Joker) or widespread malware distribution (SmokeLoader, FakeApp, PowerShell Injector).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for a variety of malicious purposes, including data theft, financial fraud, and further propagation of malware. Victims may experience data breaches, financial losses, and reputational damage. The wide range of threat actors involved suggests that various sectors and organizations are at risk. If successful, these attacks can lead to significant financial losses and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the identified malicious domains and IP addresses at the network perimeter to prevent communication with command-and-control servers (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a web proxy filter to block access to URLs associated with malware downloads and phishing campaigns (IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known malicious domains and IP addresses associated with APT_Bitter, PowerShell Injector, SmokeLoader, and FakeApp (IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect network connections to domains associated with PowerShell Injector infrastructure. 
Tune the rule for your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect network connections to infrastructure associated with FakeApp campaigns, adjusting the rule as needed for your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any systems that exhibit suspicious network activity or have been identified as compromised based on the IOCs provided (IOC table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T23:00:14Z","date_published":"2026-02-27T23:00:14Z","id":"/briefs/2026-02-maltrail-iocs/","summary":"This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.","title":"Maltrail IOCs Report: Tracking Multiple Threat Actors","url":"https://feed.craftedsignal.io/briefs/2026-02-maltrail-iocs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","threat-intelligence","risk-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure AD Threat Intelligence identifies suspicious user activities that deviate from established patterns or align with known attack tactics. These alerts, surfaced within the Azure AD Identity Protection framework, are crucial for detecting stealthy maneuvers, persistence attempts, unauthorized privilege escalations, and initial access attempts. The alerts are triggered by unusual sign-ins, potentially originating from unfamiliar locations or devices. Defenders should prioritize investigation into these alerts as they can be indicative of compromised accounts or malicious actors attempting to gain unauthorized access to resources within the Azure environment. 
Successfully identifying and mitigating these threats prevents further lateral movement, data exfiltration, and potential damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises user credentials through phishing, credential stuffing, or other means (Initial Access).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to sign in to Azure AD using the compromised credentials, potentially from an unusual location or device.\u003c/li\u003e\n\u003cli\u003eAzure AD Threat Intelligence detects the unusual sign-in activity based on risk indicators and flags it as \u0026lsquo;investigationsThreatIntelligence\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker, if successful in the initial sign-in, attempts to access sensitive resources or applications within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by modifying user profiles or application settings.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges by exploiting vulnerabilities or misconfigurations within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other resources and accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting Azure AD can compromise user accounts and lead to unauthorized access to sensitive data and resources. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Organizations relying heavily on Azure AD for identity and access management are particularly vulnerable. 
The number of affected users and the extent of the damage will depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;investigationsThreatIntelligence\u0026rsquo; events within Azure AD risk detection logs (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by the detection, correlating with other sign-in events from the same user to identify potential false positives or confirm malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of compromised credentials and unauthorized sign-ins.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other risk factors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-azuread-threatintel/","summary":"This brief focuses on detecting unusual user activity and sign-in patterns flagged by Azure AD Threat Intelligence, which may indicate stealthy attacks, persistence attempts, privilege escalation, or initial access.","title":"Azure AD Threat Intelligence Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-threatintel/"}],"language":"en","title":"CraftedSignal Threat Feed — Threat-Intelligence","version":"https://jsonfeed.org/version/1.1"}