Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery & execution chain leading to PXA Stealer
Aug 4 - 19 Min Read
Updated to include discovery of PDFMaker reskin. Beazley Security MXDR Teams recently observed a “free word to PDF converter” exhibiting suspicious activity across client environments.
May 28 - 5 Min Read
Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.
Apr 14 - 9 Min Read
Beazley Security has seen attackers disabling EDR solutions in the wild by leveraging Windows Defender Access Control Policies. 🫨
Mar 6 - 3 Min Read
Threat Actor abusing free Cloudflare Argo Tunnels for C2 contained by Beazley Security MDR.
Nov 13 - 9 Min Read
More research coming soon. In the meantime, check out our advisories.
On October 23rd, Microsoft issued an out-of-band security update to address a previously reported vulnerability identified as CVE-2025-59287. This vulnerability affects the Windows Server Update Service (WSUS) component and may allow unauthorized attackers to execute remote code on WSUS servers. If exploited, threat actors could use this vulnerability to distribute malicious software to Windows systems that are configured to receive updates from the compromised WSUS server. The out-of-band update was likely in response to proof-of-concept (PoC) exploit code published by cybersecurity company HawkTrace, followed by reports of in-the-wild exploit attempts by threat actor groups observed by cybersecurity company Huntress.
Oct 24 - 4 Min Read
On October 17th, the open-source web proxy project Squid published an advisory concerning an information disclosure vulnerability in their popular Squid proxy software. The vulnerability can be leveraged to reveal confidential, internal authentication material to unauthorized parties. The vulnerability was also assigned the highest possible CVSS risk score of 10.0. Squid proxies are commonly deployed internet-facing by design, and compromised authentication material could grant threat actors initial access into an organization’s network.
Oct 20 - 2 Min Read
On October 15th, vendor F5 publicly disclosed a security breach impacting their internal environment and resulting in a threat actor exfiltrating sensitive data about their BIG-IP product line, including source code, engineering documentation, and undisclosed vulnerability data. We examine the impact of the breach and review the vulnerabilities that F5 has now addressed in their response to the breach.
Oct 15 - 10 Min Read
On October 7, 2025, the Zero Day Initiative (ZDI) by Trend Micro publicly disclosed 13 unpatched vulnerabilities in Ivanti Endpoint Management, including twelve remote code execution (RCE) flaws and one local privilege escalation bug. These issues were privately reported to Ivanti between November 2024 and June 2025 but were still unresolved when they were publicly disclosed. ZDI did not provide technical details or public proof-of-concept (PoC) exploit code but did list the vulnerable endpoints.
Oct 9 - 2 Min Read
On October 8th, SonicWall confirmed that threat actors gained access to firewall configuration backup files for all customers who used the MySonicWall cloud backup service.
Oct 9 - 4 Min Read