§ Category
Category

IR

AU

ESXi Can Write Its Logs to a RAM Disk. Ransomware Counts on It

On an ESXi host without persistent scratch, /var/run/log lives on an in-memory ramdisk and evaporates at the next boot. Ransomware crews get the same effect for free — they power off, kill, or reboot the workloads before encrypting — which means your entire forensic timeline had to be forwarded off-box before the incident or it never existed at all.

·
Cyber Tools

Defender’s Auto-Isolate Preview: What Changes When ‘Contain’ Becomes ‘Isolate’

Microsoft Defender’s new Preview adds automatic Isolate device to the attack disruption stack — distinct from the Device contain action that’s been auto-firing since 2023. The distinction matters operationally. So does Microsoft’s stated 99%+ confidence threshold, the 3-day offline retry window, the workstation-only scope, and the exclusion model defenders need to wire up before flipping this on.

·
Cyber Tools

Operation Saffron and the End of First VPN: Pre-Positioning Was the Whole Move

First VPN — 1vpns.com, twelve years old, 5,000 accounts, the bulletproof VPN that ‘wouldn’t fall under any jurisdiction’ — is offline as of May 20. The story isn’t the seizure. It’s that Europol was already inside the infrastructure before the takedown, walking out with the user database. That changes the threat model for every successor service still running.

·
Cyber Tools

ClickFix Detection Without the Fairy Tale

ClickFix initial access has been pasting PowerShell into RunMRU for two years and most detection content still treats it like a primer. Here is what the telemetry actually looks like, what tunes out, and where teams keep getting it wrong.

·