All Blogs

In this episode of the HPE Threat Labs attack demo series, we demonstrate how threat actors use Bumblebee malware to conduct a multi-staged attack from initial phishing to full malware deployment. For more information about HPE Threat Labs, visit: hpe.com/hpe-threat-labs
Picture this: your network team just discovered an unauthorized access attempt on a critical switch. The attacker tried default credentials first, and they worked. Then they moved laterally through an unsegmented management network. Your SIEM? Silent, because nobody configured external logging. In thirty minutes, what should have been a non-event became a full-blown incident requiring forensic analysis, executive briefings, and uncomfortable questions about "basic security controls." This scenario plays out more often than anyone wants to admit. The irony? HPE Aruba Networking publishes comprehensive security hardening guides for every major platform ...
If you are a commercial or public-sector organization evaluating network or network security products, it is common to hear that a product is “FIPS certified” or uses “FIPS-validated cryptography” as a selling point. Sometimes commercial customers may even be told that a product is “Common Criteria validated” or “on the DoD Approved Product List,” with the implication that said product is “good enough for the intelligence community or the U.S. Army, so it’s good enough for you.” One way in which the nature of federal certifications may arise is in the context of network security. Network security refers broadly to the architectural principles and everyday ...
DNS Tunneling: The Hidden Highway Out of Your Network

Imagine this: it’s a quiet Thursday afternoon. You’re calmly analyzing the latest threats from your EDR and firewall consoles, checking every alert for outbound calls to strange addresses. Every one of them has been blocked. Yet, even as you sip your coffee, a vicious piece of malware is spreading across the entire enterprise network, with a crippling and expensive ransomware attack imminent. This malware is not operating in the dark: it has an open phone line back to its masters. But this line is not a TCP connection you will see on your firewall. It is passing undetected, hidden deep inside a torrent of DNS queries, ...
Inside HPE Threat Labs: Where threats meet their match

Picture this: Your phone buzzes at 6:07 a.m. A new high-severity CVE drops. You haven’t even had time for your morning coffee. The questions are straightforward. What is happening? How is the attacker moving? Which control should be tightened right now? That cuts to the spirit and intention of HPE Threat Labs. We aren’t here to provide a 200-page theory, but rather to distill insights that can be turned into action: patch this, block that, monitor here, harden there. Say hello to the new HPE Threat Labs, our dedicated hub for security threat research and ...

Blackbyte Ransomware

Threat Description

Blackbyte has been known as a Ransomware-as-a-Service (RaaS) operation since July 2021. It was reported to have been used to infect organizations in at least three US critical infrastructure sectors — government facilities, financial, and food and agriculture — as well as others outside the US. The San Francisco 49ers were attacked by BlackByte, which reportedly exfiltrated 300 MB of data, none of it related to customer data. They publish stolen data on a .onion web site.

SHA-256: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

Back in October 2021, cybersecurity firm Trustwave created ...
On March 30, 2022, a pseudonymous security researcher posted a proof of concept of a remote code execution vulnerability in the Spring framework for Java. Early speculation likened this vulnerability to last year’s log4shell vulnerability. While subsequent proofs of concept have confirmed this vulnerability, due to the conditions necessary for the attack, we believe that this vulnerability — although serious — will not have the same widespread impact as log4shell.

Vulnerability Details

The vulnerability is a result of the Spring framework’s data binding capability. Data binding enables the creation or modification of Java objects from the ...

StealC Malware

Executive Summary

StealC is a commodity information‑stealer offered as Malware‑as‑a‑Service (MaaS). It emerged in early 2023 and has evolved, with newer versions introducing RC4‑protected strings and traffic. It targets browser credentials, cookies, autofill data, crypto‑wallets, and messenger tokens. Distribution typically occurs via malvertising, SEO‑poisoned download sites, and phishing campaigns.

Malware Family: StealC
Sample SHA‑256: 95a6054ae187f3c968ad3a7832aa05c413dd00b7c6feaec42bb74349a97471b0

The analyzed sample executed a short‑lived loader that:
· Spawned two child binaries in the user’s Documents folder.
· Harvested Chromium/Firefox/Edge ...

GhostRat Malware

Threat Intelligence Report
Malware Family: GhostRat

Executive Summary

GhostRat is a sophisticated Remote Access Trojan (RAT) known for its stealth, persistence, and modular architecture. The analyzed sample demonstrates advanced capabilities including process injection, credential harvesting, system reconnaissance, and encrypted command-and-control (C2) communication. The malware employs multiple evasion techniques and leverages legitimate tools such as PowerShell and Node.js to maintain persistence and avoid detection.

Technical Analysis

1. Initial Infection Vector
· The sample is a PE32 executable ...
Executive summary

Lumma Stealer is a prolific, Windows‑focused infostealer offered under a malware‑as‑a‑service (MaaS) model since 2022. It targets browser credentials, cookies, crypto‑wallets and 2FA browser extensions, while employing strong anti‑analysis (anti‑VM, anti‑debug, unhooking/indirect syscalls) and resilient C2 rotation to sustain operations. Recent reporting shows active Lumma campaigns through 2024–2025 and a large‑scale disruption in May 2025 followed by a quick resurgence. [1] [2] [3] [4]

Key findings
· Family overview & business model. Lumma is a MaaS sold to affiliates who build ...

AgentTesla

Agent Tesla is spyware capable of stealing personal data from web browsers, mail clients and FTP servers. It can also collect screenshots and videos and capture clipboard data. Recent versions of this malware are also capable of stealing personal data from VPN clients. It was sold on underground markets for as little as $12 and up to $70, depending on the additional features. This malware has been around since 2014. This malware kit was first sold online on the website agenttela.com (defunct). It has ...
One Endpoint to Rule Them All: Securing GraphQL in Modern Network Management

A deep dive on GraphQL, HPE Aruba Networking Central’s new API framework

Introduction

Earlier this year, HPE Networking proudly announced a long-awaited upgrade to our online network management service, New HPE Aruba Networking Central – sometimes referred to as “New Central”. HPE Aruba Networking Central released as a distinct offering with a host of new features, including a brand-new UI, revamped management dashboards, an intuitive network organization system, and to top it off – a new API framework powered by GraphQL to seamlessly coordinate user actions with backend ...
Mapping the Threat Landscape of Legacy Active Directory

For over two decades, system administrators have relied on Active Directory (AD) and the Lightweight Directory Access Protocol (LDAP) as authoritative solutions for managing authentication and authorization to LAN-based resources. Originally designed as an intuitive method for provisioning access rights to users, the continued iteration of AD has introduced tooling that provides granular access control, allowing admins to tailor privilege delegation for specific use-cases. This has cemented AD as one of the most powerful tools in modern enterprise networking and made it a necessary component of many organizations’ ...
Don’t Panic: Cybersecurity Assessments for Network Engineers

Introduction

Security is difficult in the best of times. It’s hard enough to keep the IT infrastructure running, and organizations can’t watch everything and know everything about the latest security panic. They often need help from outside organizations that have specialized security expertise. The help usually comes in the form of periodic assessments of organizational security posture, usually called a security audit or assessment. This article will try to demystify security assessments for network engineers. It will talk about what security audits are, and how the network team can get ...
Hidden Danger in your Network

A modern enterprise network is an intricate ecosystem; a wide range of devices, from servers and workstations to IoT gadgets and BYOD hosts, presents an ever-growing challenge for network administrators. Keeping networks both seamless and secure across this complex environment requires vigilance and awareness. And while core services like DNS and DHCP are fundamental to your network, their IPv6 versions can introduce significant and often overlooked security vulnerabilities, even if you haven’t formally adopted IPv6.

The Rise of Dual-Stack

The journey from IPv4 to IPv6 has been long, and is still very far from “complete”. Standardized ...
For many different valid reasons, people look for software solutions that provide a robust degree of privacy and security to protect themselves online. Many users who rely on these privacy solutions, though, do not understand that if the underlying system is compromised, the privacy and security provided by the software is completely negated, leaving users who think they are protected at risk. In recent years there has been an increased amount of attention paid to Hardware Root of Trust vulnerabilities as more systems have support for Secure Boot and related technologies. These vulnerabilities often seem esoteric in that they rarely come with proof-of-concept ...
The Cost of Convenience: Multicast DNS and Your Privacy

Every time you connect to a Wi-Fi network, there’s a hidden risk to you and your device’s privacy, all thanks to a networking protocol designed to make life easier. Let’s explore Multicast DNS (mDNS) and the ways that ease-of-use networking can introduce security risks. Modern networking has become a complex labyrinth of moving parts that can be a headache to navigate. As enterprises continue to introduce new technologies and devices into their LAN infrastructure, making sure that everything can communicate effectively brings new obstacles. While larger organizations have dedicated infrastructure to ...
Ghost in the Network: The Persistent Threat of Multicast Name Resolution

So much of cybersecurity news is dominated by flashy new APTs, CVEs, and malware campaigns that it would be easy to think the field should care about little else but “the next thing”. However, if years of penetration-testing experience are any indication, some of the most dangerous and destructive vulnerabilities in medium-to-large organizations are relatively old, poorly understood, and badly configured subsystems. In some cases, there are subsystems and protocols lurking on these organizations’ networks that represent existential threats, and the organizations are rarely aware that these threats exist. ...
Network access control and Blast RADIUS: What you need to know

By Adilson Gal and Nicholas Starke

Researchers demonstrated a novel attack in the summer of 2024 against the RADIUS protocol. Being a protocol-level attack, their attack affected all RADIUS implementations. The researchers dubbed this attack “Blast RADIUS.” The attack works by filling specific data fields within the RADIUS UDP packet with random data in order to force a cryptographic hash collision. To better understand the risk posed by this vulnerability — as well as how HPE Aruba ...