Faster. Cleaner. More focused review. Reviewing large THOR scan reports can be time-consuming, especially when analysts need to quickly understand why a detection was triggered, identify the affected artifact, and separate signal from noise. To make this process...
Detecting Nimbus Manticore and their sideloading infection chains
During a recent incident, we identified a sophisticated sideloading infection chain dropping a custom implant for data exfiltration. Further analysis allowed us to attribute the activity to the Iran-nexus APT group Nimbus Manticore, also tracked as UNC1549 and Smoke...
Nextron Systems Welcomes New Majority Investor Eurazeo
A New Chapter for Nextron Systems Today marks an important milestone in the journey of Nextron Systems. When we founded the company in 2017, we shared a simple but ambitious goal: to close the visibility gaps left by traditional security tooling and help defenders...
Announcing the Release of ASGARD Management Center v4.0
With ASGARD Management Center 4.0, we are releasing a major update that represents an important technological step forward. In addition to functional enhancements and new platform capabilities, this version introduces fundamental architectural changes, including...
Nextron Systems Supports Locked Shields Cyber Defence Exercise
Nextron Systems supports teams participating in Locked Shields, one of the most advanced and large-scale live-fire cyber defence exercises. Organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the exercise brings together multinational blue...
The AIX Blind Spot – Getting Visibility Where EDR Can’t Run
AIX is still running critical workloads in finance, manufacturing, and other industries that value stability over frequent platform churn. The uncomfortable part is that many security programs treat these systems as “special cases” - meaning they often end up outside...
RegPhantom Backdoor Threat Analysis
Executive Summary This report analyzes RegPhantom, a stealthy Windows kernel rootkit designed to give attackers code execution in kernel mode while leaving very little visible evidence behind. The malware abuses the Windows registry as a covert trigger mechanism: a...
Announcing the Release of ASGARD Analysis Cockpit v4.4
With ASGARD Analysis Cockpit 4.4, we deliver a release that clearly focuses on more efficient analysis, more precise searches, and better prioritization of relevant events. At its core, this version introduces a powerful new query language, complemented by targeted...
Free Converter Software – Convert Any System from Clean to Infected in Seconds
Over the past few months, we have analyzed many infection chains that all start in a very similar way: malicious advertisements placed on legitimate websites. These ads lure users into downloading "converter" tools that promise to convert images or documents (for...
Say hello to Nextron’s RuneAI
In our previous publication, we detailed our internal artifact-scanning service that continuously monitors packages from multiple sources to detect malicious packages and supply chain attacks. While this automated scanning capability has proven invaluable for threat...
React Server Components & Next.js Vulnerabilities – Status of Nextron Products
Over the past days, many of our customers have seen reports about a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) and the related Next.js vulnerability (CVE-2025-66478). These issues have received a lot of attention and have...
Analysis of the Rust implants found in the malicious VS Code extension
Yesterday we published a short write-up about the malicious VS Code extension posing as “Material Icon Theme”. That post covered the discovery, the extension’s release timeline, and the fact that version 5.29.1 shipped with two Rust implants. This follow-up focuses on...
Thor vs. Silver Fox – Uncovering and Defeating a Sophisticated ValleyRat Campaign
Recently, we investigated a highly sophisticated malware campaign that combines multiple layers of obfuscation, endpoint security tampering, and kernel-level tricks. The operators hide behind repackaged installers for popular tools such as Telegram, WinSCP, Google...
Malicious VS Code Extension Impersonating “Material Icon Theme” Found in Marketplace
Over the last weeks we’ve been running a new internal artifact-scanning service across several large ecosystems. It’s still growing feature-wise, LLM scoring and a few other bits are being added, but the core pipeline is already pulling huge amounts of stuff every...
Beyond Availability – Forensic Backup Scanning with Veeam and THOR
As someone who has spent many years researching attacks and supporting incident response teams, I’ve seen one question come up again and again: How do we return to a verified clean state after an intrusion? In every ransomware case, in every targeted espionage...