Threat Intelligence
In-depth guides and analysis on threat intelligence from the Safeguard engineering team.
64 articles
LockBit Takedown: What Came After
Operation Cronos disrupted LockBit's infrastructure but not the underlying affiliate economy. Here is what actually changed and what defenders should take from it into 2026.
FIN7 Supply Chain Social Engineering (2024)
FIN7 built tooling that made its social engineering feel like a SaaS product. Here is how its 2024 tradecraft blended malvertising, fake tools, and credential theft into a supply chain attack.
Gamaredon Ukraine Targeting Supply Chain 2025
Gamaredon's 2025 operations against Ukraine have leaned harder into software and MSP supply chain pivots. Here is the tradecraft defenders need to recognize.
Lazarus Group: 3CX and Software Builds
Lazarus turned a developer's personal machine into a corporate build-system compromise. Here is how that cascade actually worked and what it teaches about build-system trust.
RansomHub Ransomware and EDR Bypass (2024)
RansomHub absorbed affiliates displaced by BlackCat and ran one of the most prolific extortion operations of 2024. Here is what made its tradecraft effective and how to counter it.
Salt Typhoon Telecom Supply Chain Campaign 2024
Salt Typhoon's 2024 intrusions into U.S. telecoms reframed supply chain risk as a routing and lawful-intercept problem. Here is what the campaign looked like from a defender's seat.
Scattered Spider: Identity as Supply Chain 2024-25
Scattered Spider showed that help-desk processes, SaaS federation, and MSPs are the new software supply chain. Here is how to think about it and what to actually change.
Clop/Cl0p Supply Chain Exploitation Patterns
Clop has industrialized third-party file-transfer exploitation. Here is how the group operates, what it keeps repeating, and how defenders can stop repeating their own mistakes.
Software Supply Chain Attacks: H1 2025 Report
A data-driven breakdown of supply chain attacks from January through June 2025, covering attack vectors, targeted ecosystems, and emerging trends.
Scattered Spider 2025: How the Most Dangerous Social Engineering Group Evolved
Scattered Spider adapted its tactics in 2025, moving beyond casino hacks to target retail, healthcare, and manufacturing with increasingly sophisticated social engineering.
CISA KEV Catalog in 2025: What the Data Tells Us About Real-World Exploitation
The CISA Known Exploited Vulnerabilities catalog has become the definitive list of actively exploited flaws. An analysis of 2025 KEV trends reveals which products, vulnerability types, and attack patterns dominate.
Qilin Ransomware Group: Dissecting a Rising Threat Actor
Qilin has rapidly become one of the most active ransomware operations, targeting healthcare, manufacturing, and critical infrastructure. A technical breakdown of their methods.