Primary threat research from Elastic Security Labs
8 October 2025
What the 2025 Elastic Global Threat Report reveals about the evolving threat landscape
The 2025 Elastic Global Threat Report provides current insights on adversary trends and defender strategies derived from real-world telemetry.
Detection Engineering
Linux & Cloud Detection Engineering - Getting Started with Defend for Containers (D4C)
This technical resource provides a comprehensive walkthrough of Elastic’s Defend for Containers (D4C) integration, covering Kubernetes-based deployment, the analysis of BPF-enriched runtime telemetry, and the practical application of policy-driven security controls to monitor and alert on activities within containerized Linux environments.

Beyond Behaviors: AI-Augmented Detection Engineering with ES|QL COMPLETION
Learn how Elastic's ES|QL COMPLETION command brings LLM reasoning directly into detection rules, enabling detection engineers to build intelligent alert triage without external orchestration.

The Engineer's Guide to Elastic Detections as Code
This post details the latest evolution of Elastic Security's Detections as Code (DaC) framework, including its development timeline, current feature highlights, and tailored implementation examples.

Investigating a Mysteriously Malformed Authenticode Signature
An in-depth investigation tracing a Windows Authenticode validation failure from vague error codes to undocumented kernel routines.
Malware Analysis
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect
SILENTCONNECT is a multi-stage loader that leverages VBScript, in-memory PowerShell execution, and PEB masquerading to silently deploy the ScreenConnect RMM tool.

Hooked on Linux: Rootkit Taxonomy, Hooking Techniques and Tradecraft
In this first part of a two-part series, we explore Linux rootkit taxonomy and trace the evolution of these rootkits from userland shared object hijacking and kernel-space loadable kernel module hooking to modern eBPF- and io_uring-powered techniques.

MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
Elastic Security Labs uncovered a ClickFix campaign using compromised legitimate sites to deliver a five-stage chain ending in MIMICRAT, a custom native C RAT with malleable C2, token theft, and SOCKS5 tunneling.

BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign
In November 2025, Elastic Security Labs observed an intrusion affecting a multinational organization based in Southeast Asia. During the analysis of this activity, our team observed various post-compromise techniques and tooling used to deploy BADIIS malware onto a Windows web server consistent with other industry publications.
Internals
Patch diff to SYSTEM
Leveraging LLMs and patch diffing, this research details a Use-After-Free vulnerability in Windows DWM, demonstrating a reliable exploit that achieves escalation from low-privileged user permissions to SYSTEM.

The Immutable Illusion: Pwning Your Kernel with Cloud Files
Threat actors can abuse a class of vulnerabilities to bypass security restrictions and break trust chains.

FlipSwitch: a Novel Syscall Hooking Technique
FlipSwitch offers a fresh look at bypassing Linux kernel defenses, revealing a new technique in the ongoing battle between cyber attackers and defenders.

Threat Intelligence

Taking SHELLTER: a commercial evasion framework abused in-the-wild
Elastic Security Labs detected the recent emergence of infostealers using an illicitly acquired version of the commercial evasion framework, SHELLTER, to deploy post-exploitation payloads.

From South America to Southeast Asia: The Fragile Web of REF7707
REF7707 targeted a South American foreign ministry using novel malware families. Inconsistent evasion tactics and operational security missteps exposed additional adversary-owned infrastructure.

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse
The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.
Machine Learning
Detect domain generation algorithm (DGA) activity with new Kibana integration
We have added a DGA detection package to the Integrations app in Kibana. In a single click, you can install and start using the DGA model and associated assets, including ingest pipeline configurations, anomaly detection jobs, and detection rules.

Automating the Security Protections rapid response to malware
See how we’ve been improving the processes that allow us to make updates quickly in response to new information and propagate those protections to our users, with the help of machine learning models.

Detecting Living-off-the-land attacks with new Elastic Integration
We added a Living off the Land (LotL) detection package to the Integrations app in Kibana. In a single click, you can install and start using the ProblemChild model and associated assets, including anomaly detection configurations and detection rules.
Identifying beaconing malware using Elastic
In this blog, we walk users through identifying beaconing malware in their environment using our beaconing identification framework.
GenerativeAI
Get started with Elastic Security from your AI agent
Go from zero to a fully populated Elastic Security environment without leaving your IDE, using open source Agent Skills.

MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents
This research examines how Model Context Protocol (MCP) tools expand the attack surface for autonomous agents, detailing exploit vectors such as tool poisoning, orchestration injection, and rug-pull redefinitions alongside practical defense strategies.

Agentic Frameworks Summary
Agentic systems require security teams to balance autonomy with alignment, ensuring that AI agents can act independently while remaining goal-consistent and controllable.

Elastic Advances LLM Security with Standardized Fields and Integrations
Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.
Tools
WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables
WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.

STIXy Situations: ECSaping your threat data
Structured threat data is commonly formatted using STIX. To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.

Dancing the night away with named pipes - PIPEDANCE client release
In this publication, we will walk through this client application’s functionality and how to get started with the tool.
Click, Click… Boom! Automating Protections Testing with Detonate
To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.
