CW's CTI

STORM-1175: KQL Detections for Medusa Ransomware Operations

April 6, 2026 12 min read

Storm-1175 is a financially motivated actor operating high-velocity Medusa ransomware campaigns, weaponising N-day vulnerabilities within days of disclosure. The group has targeted healthcare, education, finance, and professional services across Australia, the UK, and the US — moving from initial exploitation to full ransomware deployment in under 24 hours. This post covers 8 KQL detections across the full attack chain.

BRICKSTORM: KQL Detections for vSphere Backdoor Activity

April 5, 2026 10 min read

BRICKSTORM is a Go-based backdoor attributed to UNC5221 / Warp Panda targeting VMware vSphere infrastructure. Operating beneath the guest OS layer, it exploits the EDR visibility gap on virtualisation control planes. This post covers 8 KQL detections spanning initial access through to C2 and tamper detection.

APT

Inside APT-29: Dissecting a Multi-Stage Phishing Campaign Targeting Government Infrastructure

April 2, 2026 8 min read

Analysts observed a resurgence of spear-phishing activity attributed with high confidence to APT-29 (Cozy Bear). The campaign leveraged novel HTML smuggling techniques combined with legitimate cloud storage providers to deliver a previously undocumented loader.

Malware

Ransomware TTPs in 2026: How Threat Actors Are Evolving Their Extortion Playbooks

March 28, 2026 6 min read

Ransomware operators have shifted from opportunistic spray-and-pray tactics to highly targeted intrusions with median dwell times exceeding three weeks. This post examines MITRE ATT&CK technique clusters observed across 14 incidents in Q1 2026, including novel data exfiltration via DNS tunnelling and living-off-the-land binaries to evade EDR solutions.