Threat Intelligence
In-depth guides and analysis on threat intelligence from the Safeguard engineering team.
64 articles
Flax Typhoon Residential Proxy Supply Chain 2024
Flax Typhoon's Raptor Train botnet turned consumer IoT into a state-aligned proxy network. Here is the tradecraft, the takedown, and the supply chain lessons.
Developer Social Engineering Campaigns 2024-2025
State-aligned and financially motivated actors now target individual developers with bespoke social engineering. Here is the tradecraft and what engineering leaders must do.
APT29 Cloud Supply Chain Tradecraft 2025
APT29's 2024-2025 cloud-native tradecraft — from Midnight Blizzard's Microsoft intrusion to the Teams phishing pivots — shows how SVR targets identity as supply chain.
UNC5221 Ivanti Exploitation Campaign Analysis
UNC5221 chained Ivanti Connect Secure zero-days through 2024 and 2025. The campaign reads like a masterclass in living off trusted edge appliances.
Storm-0558 Microsoft Cloud Identity Aftermath
Storm-0558 forged Microsoft cloud tokens with a stolen MSA key and read government email. Three years later the architectural lessons are still unevenly applied.
Akira Ransomware VPN Appliance Exploitation
Akira has industrialized VPN appliance exploitation. Here is the tradecraft, the advisories that document it, and what defenders must do about edge software supply chain risk.
The Supply Chain Attack Kill Chain: A Framework for Defense
We propose a kill chain framework specific to software supply chain attacks, mapping attacker techniques to defensive controls at each stage.
Dependency Confusion: Attack Evolution from 2022 to 2026
Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.
Volt Typhoon: Critical Infrastructure Supply Chain
Volt Typhoon is pre-positioning inside U.S. critical infrastructure using living-off-the-land tradecraft and third-party access. Here is what defenders should do about it.
Cozy Bear / Midnight Blizzard Supply Chain Tactics
Midnight Blizzard (APT29, Cozy Bear) has refined long-dwell supply chain access into an operational art. Here is what their 2023-2025 pattern looks like to defenders.
DPRK IT Worker Supply Chain Insider Threat
DPRK operatives have placed themselves inside Western companies as remote developers. Here is how that pattern functions as a supply chain threat and how to detect it.
Black Basta Ransomware Leak Lessons Learned
The Black Basta chat leak gave defenders a rare inside view of how a ransomware program operates. Here are the durable engineering lessons to take from it.