Aurora is a lightweight endpoint agent that applies Sigma rules and IOCs directly to Windows system events reconstructed from Event Tracing for Windows (ETW). Unlike traditional logging tools or Sysmon, Aurora subscribes to raw ETW streams and transforms them into...
Detecting the Most Popular MITRE Persistence Method – Registry Run Keys / Startup Folder
Persistence is a cornerstone tactic for both threat actors and red‑teamers, allowing them to cling to a compromised system even after reboots, credential resets, or other disruptions that might otherwise cut them off. MITRE ATT&CK places these activities in...
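The autostart locations this entry refers to (the CurrentVersion\Run family of registry keys and the per-user and all-users Startup folders, ATT&CK T1547.001), checked by a small detector run over endpoint events. This is an added example and not code from the post or from Aurora; the event records use a constructed, simplified shape rather than a real Sysmon or ETW schema, and the image allowlist is hypothetical:

```python
"""Flag registry Run-key and Startup-folder persistence in endpoint events.

Added example, not code from the original page or from Aurora. Records are
dicts with a constructed shape: 'event', 'target', 'image' (and 'details').
"""
import re
from typing import Dict, Iterable, List, Optional

# Autostart registry keys from ATT&CK T1547.001. The hive prefix is not part
# of the pattern, so HKLM, HKCU and HKU\<SID> variants all match; the trailing
# group requires the key name to end there (so 'RunOnceEx' is matched by its
# own alternative rather than as a prefix of something else).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\"
    r"(RunServicesOnce|RunServices|RunOnceEx|RunOnce|Run)(\\|$)",
    re.IGNORECASE,
)

# Per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders; any file
# dropped here is executed at logon.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)

# Hypothetical allowlist of images that are expected to write these locations
# on this host (installers and the like); hits from them are downgraded.
BENIGN_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
}


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one record, or None if it is not autostart-related."""
    target = record.get("target", "")
    if record.get("event") == "registry_set" and RUN_KEY_RE.search(target):
        return "run_key_write"
    if record.get("event") == "file_create" and STARTUP_DIR_RE.search(target):
        return "startup_folder_write"
    return None


def scan(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply classify() to every record and attach a severity based on the writing image."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        image = rec.get("image", "")
        severity = "low" if image.lower() in BENIGN_IMAGES else "high"
        findings.append(
            {"label": label, "severity": severity, "image": image, "target": rec["target"]}
        )
    return findings


# Constructed sample events: one user Run key write from a temp-folder binary,
# one Run key write by an allowlisted installer, one .lnk dropped into the
# Startup folder, and one unrelated registry write that must not fire.
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "image": r"C:\Windows\System32\msiexec.exe",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"event": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["label"], f["image"], "->", f["target"])
```

The regex approach mirrors what a Sigma rule on the TargetObject field does; the allowlist step is where most of the tuning effort goes in practice, because installers and update agents legitimately write these keys all day.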
ToolShell Aftermath: What Defenders Should Do After Patching CVE-2025-53770
The recently exploited SharePoint vulnerability chain known as ToolShell (CVE-2025-53770) has shown once again that patching alone isn't enough. Attackers gained unauthenticated remote access to vulnerable on-premises SharePoint servers, planted web shells, and...
Announcing Our Partnership with Threatray: Enhancing Detection Capabilities Together
We are excited to announce a strategic partnership between Nextron Systems and Threatray AG. This collaboration aims to significantly enhance our existing threat detection capabilities and further improve the precision and sensitivity of our detection signatures....
Cybersecurity Summit Insights: How Digital Sovereignty Strengthens Incident Response
At the recent Cybersecurity Summit in Hamburg, we joined our partner agilimo Consulting to present on the theme: “Cybersecurity made in Germany.” The central question: How can organizations turn digital sovereignty into real operational security – beyond just a...
The Blind Spot Scanner – Why THOR Detects What Others Miss
Antivirus engines and EDRs have their place – no doubt. But what happens when malware simply slips through their nets? What if the malicious file was never executed? What if the incident happened months ago? That’s where THOR comes in. Our compromise assessment...
From THOR Scan to Timeline: Correlating Findings in Timesketch
We’ve released a CLI utility that converts THOR logs into a Timesketch-compatible format. This allows analysts to import and visualize THOR’s forensic findings as timestamped events on a unified timeline, together with data from other sources. The thor2ts utility...
Stealth in 100 Lines: Analyzing PAM Backdoors in Linux
Abuse of Modular Trust: PAM (Pluggable Authentication Modules) is a fundamental part of Linux authentication infrastructure. Its flexibility - designed to support various authentication mechanisms - can be exploited by adversaries. In our analysis, we encountered a...
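The modular trust the entry describes is expressed entirely in the `/etc/pam.d/*` stack files, so a first triage step is to parse them and flag the lines a backdoor would need: a module loaded from outside the normal module directory, a module name not in the host's baseline, `pam_exec.so` running an external command, or `pam_permit.so` marked `sufficient` in an auth stack (it always returns success, so it short-circuits the rest of the stack). The audit below is an added example, not code from the post; the baseline module set, the standard module directories and the sample `sshd` stack are constructed for illustration:

```python
"""Parse PAM stack files and flag lines typical of PAM backdoors.

Added example, not code from the original page. Baseline modules, standard
module directories and the sample config are constructed assumptions.
"""
import re
from typing import List, Set, Tuple

# PAM line: [-]type  control  module-path  [arguments]; control may be the
# bracketed form [success=1 default=ignore]. A leading '-' marks the module
# as optional-if-missing and is stripped before comparison.
PAM_LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$",
    re.IGNORECASE,
)

# Assumed locations a distribution installs PAM modules into; a module given
# as an absolute path anywhere else is suspicious.
STANDARD_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/",
    "/usr/lib/security/", "/usr/lib64/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
)

# Constructed baseline of module names expected on this host.
BASELINE_MODULES: Set[str] = {
    "pam_env.so", "pam_unix.so", "pam_succeed_if.so", "pam_permit.so",
    "pam_deny.so", "pam_nologin.so", "pam_systemd.so", "pam_exec.so",
}


def audit_pam_config(text: str, baseline: Set[str] = BASELINE_MODULES) -> List[Tuple[int, str]]:
    """Return (line_number, reason) findings for one PAM stack file's contents."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):  # includes are audited as their own files
            continue
        m = PAM_LINE_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable line"))
            continue
        mtype = m.group("type").lstrip("-").lower()
        control = m.group("control").lower()
        module = m.group("module")
        args = (m.group("args") or "").strip()
        name = module.rsplit("/", 1)[-1]

        if "/" in module and not module.startswith(STANDARD_MODULE_DIRS):
            findings.append((lineno, f"module loaded from non-standard path: {module}"))
        if name not in baseline:
            findings.append((lineno, f"module not in baseline: {name}"))
        if name == "pam_exec.so":
            findings.append((lineno, f"pam_exec runs an external command: {args}"))
        if name == "pam_permit.so" and mtype == "auth" and control == "sufficient":
            findings.append((lineno, "pam_permit.so marked sufficient in auth stack grants unconditional success"))
    return findings


# Constructed /etc/pam.d/sshd fragment with three planted problems.
SAMPLE_PAM_SSHD = """\
# constructed /etc/pam.d/sshd fragment for this example
@include common-auth
auth       required     pam_env.so
auth       [success=1 default=ignore]  pam_succeed_if.so user ingroup sshusers
auth       sufficient   pam_permit.so
account    required     pam_nologin.so
session    optional     pam_exec.so seteuid /usr/local/bin/login-hook.sh
auth       sufficient   /tmp/.cache/pam_auth.so
-session   optional     pam_systemd.so
"""

if __name__ == "__main__":
    for lineno, reason in audit_pam_config(SAMPLE_PAM_SSHD):
        print(f"line {lineno}: {reason}")
```

A clean parse is only the first half of the check: the module files themselves (including the baseline ones such as `pam_unix.so`) still need to be compared against package-manager hashes, since a backdoor can also replace a legitimate module in place rather than add a new line.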
Katz Stealer Threat Analysis
In this analysis, we will delve into the technical details of Katz Stealer, a credential-stealing malware as a service. We will explore its infection chain and the various techniques it employs to evade detection and exfiltrate sensitive data. We will also discuss...
Nitrogen Dropping Cobalt Strike – A Combination of “Chemical Elements”
First detected in September 2024 and initially targeting the United States and Canada, the Nitrogen ransomware group has since expanded its reach into parts of Africa and Europe. Many of their victims remain absent from Nitrogen’s public ransomware blog and likely...
Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints
We’re introducing Forwarding Profiles in THOR Cloud Enterprise — a feature designed to streamline how scan results are delivered to external systems such as SIEMs, log collectors, or analysis platforms. Rather than downloading logs manually or relying on intermediate...
Obfuscated Threats – The Invisible Danger in Cybersecurity
Obfuscation is a technique widely used by cybercriminals, Advanced Persistent Threat (APT) groups, and even red-teaming operations. APTs, in particular, rely on obfuscation to remain undetected within networks for extended periods. However, modern malware, ransomware,...
Protecting Outdated and Unsupported Systems
Security strategies often assume that systems can be patched, upgraded, or replaced. In reality, many critical environments operate on legacy platforms where these options are impractical. Industrial control networks, healthcare systems, and government infrastructure...
Efficient NIS2 Compliance with THOR & ASGARD
The NIS2 Directive not only expands the scope of cybersecurity regulations but also introduces stricter penalties for non-compliance, including fines and liability risks for management. Unlike its predecessor, NIS2 mandates clear accountability and requires...
Patching is Not Enough: Why You Must Search for Hidden Intrusions
Many organizations make a critical mistake when responding to actively exploited zero-day vulnerabilities: they patch but don’t investigate. Think about it this way: If your front door was left wide open for weeks, would you just lock it and walk away? If attackers...