Safeguard
Topic

Threat Intelligence

In-depth guides and analysis on threat intelligence from the Safeguard engineering team.

64 articles

Threat Intelligence

Flax Typhoon Residential Proxy Supply Chain 2024

Flax Typhoon's Raptor Train botnet turned consumer IoT into a state-aligned proxy network. Here is the tradecraft, the takedown, and the supply chain lessons.

Mar 28, 20268 min read
Threat Intelligence

Developer Social Engineering Campaigns 2024-2025

State-aligned and financially motivated actors now target individual developers with bespoke social engineering. Here is the tradecraft and what engineering leaders must do.

Mar 21, 20268 min read
Threat Intelligence

APT29 Cloud Supply Chain Tradecraft 2025

APT29's 2024-2025 cloud-native tradecraft — from Midnight Blizzard's Microsoft intrusion to the Teams phishing pivots — shows how SVR targets identity as supply chain.

Mar 14, 20267 min read
Threat Intelligence

UNC5221 Ivanti Exploitation Campaign Analysis

UNC5221 chained Ivanti Connect Secure zero-days through 2024 and 2025. The campaign reads like a masterclass in living off trusted edge appliances.

Mar 13, 20267 min read
Threat Intelligence

Storm-0558 Microsoft Cloud Identity Aftermath

Storm-0558 forged Microsoft cloud tokens with a stolen MSA key and read government email. Three years later the architectural lessons are still unevenly applied.

Mar 11, 20267 min read
Threat Intelligence

Akira Ransomware VPN Appliance Exploitation

Akira has industrialized VPN appliance exploitation. Here is the tradecraft, the advisories that document it, and what defenders must do about edge software supply chain risk.

Mar 7, 20267 min read
Threat Intelligence

The Supply Chain Attack Kill Chain: A Framework for Defense

We propose a kill chain framework specific to software supply chain attacks, mapping attacker techniques to defensive controls at each stage.

Mar 5, 20266 min read
Threat Intelligence

Dependency Confusion: Attack Evolution from 2022 to 2026

Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.

Mar 2, 20265 min read
Threat Intelligence

Volt Typhoon: Critical Infrastructure Supply Chain

Volt Typhoon is pre-positioning inside U.S. critical infrastructure using living-off-the-land tradecraft and third-party access. Here is what defenders should do about it.

Mar 2, 20266 min read
Threat Intelligence

Cozy Bear / Midnight Blizzard Supply Chain Tactics

Midnight Blizzard (APT29, Cozy Bear) has refined long-dwell supply chain access into an operational art. Here is what their 2023-2025 pattern looks like to defenders.

Feb 25, 20266 min read
Threat Intelligence

DPRK IT Worker Supply Chain Insider Threat

DPRK operatives have placed themselves inside Western companies as remote developers. Here is how that pattern functions as a supply chain threat and how to detect it.

Feb 20, 20266 min read
Threat Intelligence

Black Basta Ransomware Leak Lessons Learned

The Black Basta chat leak gave defenders a rare inside view of how a ransomware program operates. Here are the durable engineering lessons to take from it.

Feb 17, 20266 min read
Threat Intelligence (Page 3) — Supply Chain Security Blog | Safeguard