Safeguard
Topic

Threat Intelligence

In-depth guides and analysis on threat intelligence from the Safeguard engineering team.

64 articles

Threat Intelligence

LockBit Takedown: What Came After

Operation Cronos disrupted LockBit's infrastructure but not the underlying affiliate economy. Here is what actually changed and what defenders should take from it into 2026.

Feb 13, 20267 min read
Threat Intelligence

FIN7 Supply Chain Social Engineering (2024)

FIN7 built tooling that made its social engineering feel like a SaaS product. Here is how its 2024 tradecraft blended malvertising, fake tools, and credential theft into a supply chain attack.

Feb 10, 20266 min read
Threat Intelligence

Gamaredon Ukraine Targeting Supply Chain 2025

Gamaredon's 2025 operations against Ukraine have leaned harder into software and MSP supply chain pivots. Here is the tradecraft defenders need to recognize.

Feb 6, 20267 min read
Threat Intelligence

Lazarus Group: 3CX and Software Builds

Lazarus turned a developer's personal machine into a corporate build-system compromise. Here is how that cascade actually worked and what it teaches about build-system trust.

Feb 6, 20267 min read
Threat Intelligence

RansomHub Ransomware and EDR Bypass (2024)

RansomHub absorbed affiliates displaced by BlackCat and ran one of the most prolific extortion operations of 2024. Here is what made its tradecraft effective and how to counter it.

Feb 2, 20267 min read
Threat Intelligence

Salt Typhoon Telecom Supply Chain Campaign 2024

Salt Typhoon's 2024 intrusions into U.S. telecoms reframed supply chain risk as a routing and lawful-intercept problem. Here is what the campaign looked like from a defender's seat.

Feb 2, 20267 min read
Threat Intelligence

Scattered Spider: Identity as Supply Chain 2024-25

Scattered Spider showed that help-desk processes, SaaS federation, and MSPs are the new software supply chain. Here is how to think about it and what to actually change.

Jan 30, 20267 min read
Threat Intelligence

Clop/Cl0p Supply Chain Exploitation Patterns

Clop has industrialized third-party file-transfer exploitation. Here is how the group operates, what it keeps repeating, and how defenders can stop repeating their own mistakes.

Jan 23, 20266 min read
Threat Intelligence

Software Supply Chain Attacks: H1 2025 Report

A data-driven breakdown of supply chain attacks from January through June 2025, covering attack vectors, targeted ecosystems, and emerging trends.

Jul 10, 20255 min read
Threat Intelligence

Scattered Spider 2025: How the Most Dangerous Social Engineering Group Evolved

Scattered Spider adapted its tactics in 2025, moving beyond casino hacks to target retail, healthcare, and manufacturing with increasingly sophisticated social engineering.

Mar 20, 20257 min read
Threat Intelligence

CISA KEV Catalog in 2025: What the Data Tells Us About Real-World Exploitation

The CISA Known Exploited Vulnerabilities catalog has become the definitive list of actively exploited flaws. An analysis of 2025 KEV trends reveals which products, vulnerability types, and attack patterns dominate.

Mar 18, 20255 min read
Threat Intelligence

Qilin Ransomware Group: Dissecting a Rising Threat Actor

Qilin has rapidly become one of the most active ransomware operations, targeting healthcare, manufacturing, and critical infrastructure. A technical breakdown of their methods.

Feb 20, 20255 min read
Threat Intelligence (Page 4) — Supply Chain Security Blog | Safeguard