Threat Intelligence Center

The adversary moves first. We move faster.

A live window into the campaigns, crews, and indicators our analysts track around the clock. Every signal here is correlated across 1,300+ sensors and fed directly into our managed detection & response platform — so the intel that protects our customers is the same intel you're reading now.

Live feed

Intelligence, streaming in real time

Our collection pipeline ingests dark-web chatter, honeypot telemetry, malware detonations, and partner sharing — then de-duplicates and scores every artifact before it reaches an analyst or a customer sensor.

  • Automated enrichment against 40+ commercial and open-source feeds.
  • Confidence scoring so your team chases signal, not noise.
  • STIX/TAXII and API delivery into your SIEM, EDR, or firewall.
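The de-duplication and confidence-scoring step described above, as an added example that is not the vendor's pipeline code: it canonicalises indicators so the same value arriving from several feeds collapses to one record, combines per-source sightings into a confidence score, and emits STIX 2.1 indicator objects for anything above an auto-block threshold. The source names, their weights, the threshold and the sample sightings are all constructed for this example.

```python
"""Added example of indicator de-duplication, confidence scoring and STIX
2.1 output. Illustrative only; not the vendor's pipeline. Feed names,
weights, threshold and sample sightings are constructed."""
import ipaddress
import re
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# Constructed per-source weights: how much one sighting from this feed
# contributes to confidence. Unknown feeds get a small default.
SOURCE_WEIGHT = {"honeypot": 0.6, "sandbox": 0.4, "partner": 0.3, "osint": 0.2}

# Ranges that must never reach a block list. The sample IPs below are RFC 5737
# documentation addresses, so this list deliberately holds only RFC 1918,
# loopback and link-local space.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sightings as a pipeline would receive them: the same indicator
# often arrives from several feeds in inconsistent form.
SIGHTINGS = [
    {"source": "honeypot", "type": "ipv4", "value": "203.0.113.7"},
    {"source": "osint", "type": "ipv4", "value": " 203.0.113.7 "},
    {"source": "sandbox", "type": "domain", "value": "Login-Example.TEST."},
    {"source": "partner", "type": "domain", "value": "login-example.test"},
    {"source": "osint", "type": "sha256", "value": "AB" * 32},
    {"source": "osint", "type": "ipv4", "value": "10.0.0.5"},  # internal, dropped
]

STIX_OBJECT = {"ipv4": "ipv4-addr:value", "domain": "domain-name:value",
               "sha256": "file:hashes.'SHA-256'"}


def normalize(kind, value):
    """Canonicalise an indicator so duplicates from different feeds collide.
    Returns None for malformed values or values that must never be blocked."""
    v = value.strip()
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            return None
        if ip.version != 4 or any(ip in net for net in NEVER_BLOCK):
            return None
        return str(ip)
    if kind == "domain":
        v = v.lower().rstrip(".")
        return v if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v) else None
    if kind == "sha256":
        v = v.lower()
        return v if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def score(sources):
    """Combine independent sightings as 1 - prod(1 - w_i), as a percentage,
    capped at 99 so no indicator is ever treated as certain."""
    miss = 1.0
    for s in set(sources):          # one sighting per source counts
        miss *= 1.0 - SOURCE_WEIGHT.get(s, 0.1)
    return min(round((1.0 - miss) * 100), 99)


def build_indicators(sightings, threshold=50):
    """De-duplicate sightings, score them and return STIX 2.1 indicator
    dicts for those at or above the auto-block threshold (percent)."""
    seen = defaultdict(list)
    for s in sightings:
        key = normalize(s["type"], s["value"])
        if key is not None:
            seen[(s["type"], key)].append(s["source"])
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    out = []
    for (kind, key), sources in sorted(seen.items()):
        conf = score(sources)
        if conf < threshold:
            continue
        # Deterministic id so re-runs update rather than duplicate the object.
        oid = uuid.uuid5(uuid.NAMESPACE_URL, f"{kind}:{key}")
        out.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{oid}",
            "pattern_type": "stix",
            "pattern": f"[{STIX_OBJECT[kind]} = '{key}']",
            "valid_from": now,
            "confidence": conf,
            "x_sources": sorted(set(sources)),  # custom property, for audit
        })
    return out


if __name__ == "__main__":
    for ind in build_indicators(SIGHTINGS):
        print(ind["confidence"], ind["pattern"], ind["x_sources"])
```

Running the block with the constructed sightings yields two indicators: the domain (sandbox plus partner, confidence 58) and the IP (honeypot plus osint, confidence 68). The lone OSINT hash scores 20 and stays below the threshold, and the RFC 1918 address is discarded before scoring, which is the behaviour you want before anything auto-pushes to a sensor.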
Current top threats

What's hitting our customers right now

A snapshot of the highest-priority campaigns our SOC is actively defending against this week. Severity reflects exploitation activity, blast radius, and ease of weaponization.

Threat        | Type                      | Severity | Targeted sectors       | Status
LockBit-X     | Ransomware                | Critical | Finance, Manufacturing | Contained
AuthMirror    | Phishing-as-a-Service     | Critical | SaaS, Healthcare       | Active
CVE-2026-3187 | RCE / Edge VPN            | Critical | Cross-sector           | Exploited
QuietHarvest  | Infostealer               | High     | Retail, Hospitality    | Active
NorthDrift    | Supply-chain implant      | High     | Government, Defense    | Monitoring
GreyTide      | DDoS-for-hire             | Medium   | Gaming, Media          | Mitigated
HollowMint    | Business email compromise | Medium   | Legal, Real estate     | Active
Tracked threat actors

Know your enemy by name

We maintain detailed dossiers on the crews and nation-state groups most likely to target our customers — their tooling, tradecraft, and tells.

ScatterSpider

Severity: Critical. Financially motivated social-engineering crew. Bypasses MFA with real-time phishing proxies and help-desk impersonation. Pivots to cloud admin in hours.

TTPs: vishing · SIM swap · OAuth abuse

LockBit-X

Severity: Critical. Prolific ransomware-as-a-service operation with an affiliate model. Double extortion: exfiltrate first, encrypt second, leak if unpaid.

TTPs: edge exploit · LSASS dump · GPO deploy

NorthDrift

Severity: High. Suspected state-aligned espionage group. Patient, low-and-slow operators who compromise software vendors to reach downstream targets.

TTPs: supply chain · living-off-the-land

QuietHarvest

Severity: High. Infostealer broker that floods criminal markets with corporate session tokens and credentials harvested from malvertising campaigns.

TTPs: malvertising · cookie theft · access broker

GreyTide

Severity: Medium. Booter/stresser collective renting volumetric DDoS firepower. Often a smokescreen for a quieter intrusion happening elsewhere.

TTPs: UDP reflection · extortion · diversion

HollowMint

Severity: Medium. BEC specialists who hijack invoicing threads and impersonate executives to redirect wire transfers. Low tech, high payout.

TTPs: thread hijack · lookalike domains · CEO fraud

Latest advisories

Read before the breach, not after

Our analysts publish actionable advisories the moment a threat crosses our detection threshold — with detections, mitigations, and the indicators you need to hunt.

CVE-2026-3187: edge VPN RCE under mass exploitation

Patch now or isolate. We're seeing weaponization within hours of disclosure. Compensating controls and detection rules inside.

ScatterSpider escalates help-desk social engineering

New playbook targets IT support to reset MFA. Harden your verification process with our recommended call-back protocol.

LockBit-X affiliate adds ESXi encryptor

Hypervisor-level encryption is back. Segment management networks and enforce MFA on vCenter today.

QuietHarvest tied to retail token resale spike

Stolen session cookies are bypassing MFA. Shorten session lifetimes and bind tokens to device posture.

From intel to action

How this feeds your defense

Intelligence is only valuable when it changes outcomes. Here's the closed loop that turns what we learn into protection you never have to think about.

1. Collect

We gather raw signals from sensors, honeypots, dark-web sources, and trusted sharing partners worldwide.

2. Enrich

Analysts and ML models score, correlate, and contextualize every indicator into an actionable picture.

3. Deploy

High-confidence indicators auto-push to every MDR sensor, blocking the threat before it reaches you.

4. Learn

Every block and investigation feeds back into the model, making the whole network smarter with each event.

Turn intel into immunity

Put this threat feed to work in your environment

Stop reading about breaches and start preventing them. See how S-Security intelligence plugs into your existing tools and powers our 24/7 managed detection & response.