LabHost: A defunct but potent phishing service
The administrator of LabHost, a phishing-as-a-service (PhaaS) offering, was sentenced to 8 1/2 years in prison. Here's why PhaaS services are making it more difficult for defenders to prevent account takeovers and fraud.
Understanding and threat hunting for RMM software misuse
Remote monitoring and management software is useful for administrators and threat actors, who often abuse or install it. Here's a briefing on RMM platform misuse and guidance for how to threat hunt for misbehavior.
Threat-hunting case study: Windows Management Instrumentation abuse
Attackers often use Windows Management Instrumentation (WMI) for reconnaissance to map networks. This case study describes how to threat hunt for malicious use of WMI, which is also used legitimately by administrators.
An in-depth look at Black Basta's TTPs
The Black Basta group constantly sought new malware and methods to infiltrate systems with ransomware. Here's a look at those tactics as drawn from a large leak of the group's chat messages.
VanHelsing Ransomware
Launched in March 2025, the cross-platform VanHelsing ransomware-as-a-service quickly attracted affiliates with its profit-sharing model and intuitive control panel, infecting multiple victims within weeks and showing signs o...
Writing high-quality IDS detection rules
In this Studio 471, Jeremy Kirk sits down with Luca Allodi and Koen Teuwen of Eindhoven University of Technology who co-authored a recent academic study that examines how to write lower-noise rules for intrusion detection sys...
Update: Medusa Ransomware
Medusa ransomware, active since 2021, continues to target critical infrastructure through unpatched applications and brokered access. Affiliates use living-off-the-land techniques and double-extortion tactics, prompting a new...
Six Key Takeaways From the SANS 2025 Threat Hunting Survey
SANS 2025 Threat Hunting Survey shines the light on why behavioral threat hunting can do what AI and IOC-hunts can’t do alone.
Threat hunting case study: RMM software
Attackers hijack or install their own remote monitoring and management software to penetrate deeper into organizations. This activity, however, can be detected using threat hunts based on threat intelligence.
Update: LockBit Ransomware
LockBit 4.0 continues to evolve with enhanced evasion techniques, making it a persistent threat to organizations, and Intel 471 has updated its collection with relevant Hunt Packages to support detection efforts.
