What's new

ESCU version 5.24.0 was released on March 18, 2026.

Key highlights

  • Cisco SD-WAN Analytics: Expanded coverage for Cisco SD-WAN environments with new analytics targeting exploitation and anomalous traffic patterns, including Cisco SD-WAN Arbitrary File Overwrite Exploitation Activity and Cisco SD-WAN Uncommon User-Agent Multi-URI Activity. These detections improve visibility into potential exploitation attempts and into suspicious HTTP behavior that indicates adversary interaction with SD-WAN infrastructure.

  • BlankGrabber Stealer and Muddy Water Analytics: Expanded detection coverage for BlankGrabber, a Windows-based information stealer that harvests browser credentials, cryptocurrency wallets, and authentication tokens. Existing analytics are tagged to this threat, and new detections cover browser data access, suspicious registry queries, WMI reconnaissance, and defense evasion behaviors such as PowerShell exclusion tampering. This update improves visibility into the credential harvesting, data staging, and stealthy exfiltration commonly associated with phishing-delivered stealers and cracked-software infections, helping defenders detect and respond to early-stage compromise before widespread account takeover or financial theft occurs.

  • Lotus Blossom (Chrysalis Backdoor) Supply Chain Attack: Added detection coverage for the Chrysalis backdoor campaign of the Lotus Blossom (Billbug) APT group, which leveraged a Notepad++ supply chain compromise (June–December 2025) to target government, financial, and IT sectors. This release introduces detections for Bitdefender DLL sideloading abuse, BluetoothService-based persistence, and TinyCC shellcode execution, and tags existing analytics for the system and user discovery behaviors observed across multiple infection chains. These updates improve visibility into the stealthy execution, persistence mechanisms, and post-compromise reconnaissance associated with sophisticated supply chain intrusions and staged payload delivery.

  • Standardized Risk Scoring Across Detections: Implemented consistent risk scoring across all analytics by assigning a score of 50 for TTP detections and 20 for anomaly-based detections, improving prioritization, correlation, and alert triage across detection workflows.
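The fixed scores in the last highlight (50 for TTP, 20 for anomaly) are easy to audit and easy to reason about for triage. The script below is an added example, not ESCU or contentctl code: it checks a set of detection records against the standard and then shows how the two values compose per entity under a risk-based alerting threshold. The detection records and risk events are constructed; the field layout (`type`, `rba.risk_objects[].score`) is the one I assume a detection YAML uses once loaded, and the threshold of 100 is an assumption too. Adjust both to your content's actual schema and your RBA correlation search.

```python
from collections import defaultdict

# Standard scores stated in the release notes. Hunting and correlation searches are
# assumed to carry no risk score of their own.
STANDARD_SCORES = {"TTP": 50, "Anomaly": 20}

# Constructed detection records (not real ESCU content). The nesting mirrors the
# detection YAML layout assumed here: type at top level, scores under rba.risk_objects.
SAMPLE_DETECTIONS = [
    {"name": "Example TTP Detection A", "type": "TTP",
     "rba": {"risk_objects": [{"field": "user", "type": "user", "score": 50}]}},
    {"name": "Example Anomaly Detection B", "type": "Anomaly",
     "rba": {"risk_objects": [{"field": "dest", "type": "system", "score": 40}]}},
    {"name": "Example Anomaly Detection C", "type": "Anomaly",
     "rba": {"risk_objects": [{"field": "user", "type": "user", "score": 20},
                               {"field": "dest", "type": "system", "score": 20}]}},
    {"name": "Example Hunting Search D", "type": "Hunting", "rba": None},
]

# Constructed risk events: (entity, type of the detection that fired).
SAMPLE_RISK_EVENTS = [
    ("user:alice", "TTP"),
    ("user:alice", "Anomaly"),
    ("user:alice", "Anomaly"),
    ("user:alice", "Anomaly"),
    ("user:bob", "Anomaly"),
    ("user:bob", "Anomaly"),
    ("system:host01", "TTP"),
    ("system:host01", "TTP"),
]


def expected_score(detection_type):
    """Standard risk score for a detection type, or None if the type carries no risk."""
    return STANDARD_SCORES.get(detection_type)


def audit_risk_scores(detections):
    """Return (detection name, risk object field, found score, expected score) for
    every risk object whose score deviates from the standard for its detection type."""
    mismatches = []
    for det in detections:
        want = expected_score(det["type"])
        if want is None or not det.get("rba"):
            continue  # nothing to check for hunting/correlation or detections without RBA
        for obj in det["rba"].get("risk_objects", []):
            if obj.get("score") != want:
                mismatches.append((det["name"], obj["field"], obj.get("score"), want))
    return mismatches


def aggregate_risk(risk_events, threshold=100):
    """Sum standard scores per entity, as an RBA correlation search would, and return
    the entities whose total reaches the (assumed) alerting threshold."""
    totals = defaultdict(int)
    for entity, det_type in risk_events:
        totals[entity] += expected_score(det_type) or 0
    return {entity: score for entity, score in totals.items() if score >= threshold}


if __name__ == "__main__":
    for name, field, found, want in audit_risk_scores(SAMPLE_DETECTIONS):
        print(f"{name}: risk object '{field}' scored {found}, standard is {want}")
    for entity, score in aggregate_risk(SAMPLE_RISK_EVENTS).items():
        print(f"{entity} reached risk {score}")
```

With these values, two TTP hits or one TTP plus three anomalies on the same entity cross 100, while two anomalies alone (40) do not; that is the kind of arithmetic the standardized scores make predictable when you tune a risk notable threshold.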

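The Cisco SD-WAN Uncommon User-Agent Multi-URI Activity highlight above names a behavior rather than a search, so the following is an added illustration of the heuristic the name describes, not the ESCU detection itself: a source presents a user agent that almost nobody else in the population uses and still requests many distinct URIs on the management interface. The HTTP records, addresses, paths and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample HTTP records (src_ip, user_agent, uri); not real Cisco SD-WAN logs.
# Three hosts use an ordinary browser UA against a couple of paths each, one monitor
# uses a rare UA but touches a single path, and one host uses a scripted client nobody
# else in the window uses and walks many distinct paths.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_EVENTS = [
    ("10.1.1.10", BROWSER_UA, "/app/login"),
    ("10.1.1.10", BROWSER_UA, "/app/dashboard"),
    ("10.1.1.11", BROWSER_UA, "/app/login"),
    ("10.1.1.11", BROWSER_UA, "/app/devices"),
    ("10.1.1.12", BROWSER_UA, "/app/login"),
    ("10.1.1.12", BROWSER_UA, "/app/dashboard"),
    ("198.51.100.23", "health-probe/1.0", "/app/status"),
    ("198.51.100.23", "health-probe/1.0", "/app/status"),
    ("203.0.113.7", "python-requests/2.31.0", "/app/login"),
    ("203.0.113.7", "python-requests/2.31.0", "/app/admin"),
    ("203.0.113.7", "python-requests/2.31.0", "/app/upload"),
    ("203.0.113.7", "python-requests/2.31.0", "/app/config"),
    ("203.0.113.7", "python-requests/2.31.0", "/app/export"),
    ("203.0.113.7", "python-requests/2.31.0", "/app/debug"),
]


def uncommon_ua_multi_uri(events, max_sources_for_rare=1, min_distinct_uris=5):
    """Flag (src, user_agent) pairs where the user agent is rare across the population
    (used by at most `max_sources_for_rare` distinct sources) and that source still
    requested at least `min_distinct_uris` distinct URIs. Thresholds are assumptions."""
    sources_per_ua = defaultdict(set)
    uris_per_pair = defaultdict(set)
    requests_per_pair = Counter()
    for src, ua, uri in events:
        sources_per_ua[ua].add(src)
        uris_per_pair[(src, ua)].add(uri)
        requests_per_pair[(src, ua)] += 1

    findings = []
    for (src, ua), uris in uris_per_pair.items():
        if len(sources_per_ua[ua]) > max_sources_for_rare:
            continue  # common user agent: many sources present it
        if len(uris) < min_distinct_uris:
            continue  # rare user agent but narrow activity, e.g. a monitor polling one path
        findings.append({
            "src": src,
            "user_agent": ua,
            "distinct_uris": len(uris),
            "requests": requests_per_pair[(src, ua)],
            "uris": sorted(uris),
        })
    return sorted(findings, key=lambda f: -f["distinct_uris"])


if __name__ == "__main__":
    for f in uncommon_ua_multi_uri(SAMPLE_EVENTS):
        print(f"{f['src']} {f['user_agent']!r}: {f['distinct_uris']} distinct URIs "
              f"in {f['requests']} requests: {', '.join(f['uris'])}")
```

The two-pass shape matters: the rarity of a user agent is a property of the whole population, while the URI fan-out is per source, so a search that only counts distinct URIs per client would also flag every browser session that clicks through the UI. In SPL the same idea is a stats over src and http_user_agent computing dc(uri), combined with a population-wide dc(src) per user agent to decide what counts as uncommon.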
New analytics

Breaking changes

As previously communicated in the ESCU v5.22.0 release notes, several detections have been removed. For the complete list of detections removed in v5.24.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated; for the detections scheduled for removal in ESCU v5.26.0, see the List of Detections Scheduled for Removal.