persistence

Patch and Pray Failed: FIRESTARTER Proves Cisco Devices Can Stay Owned

John Z Black Apr 23, 2026

Security Operations & Resilience #cisco #firestarter #persistence #malware #cisa #federal #incident-response #patch-management

A federal agency followed the rules, patched the CVE, and still got owned. FIRESTARTER is a specialized Cisco backdoor designed to survive the remediation cycle. It’s time to stop assuming a patch equals a clean network.

Russian Hackers Are Going Back to Old Victims to Check If the Door's Still Open

John Z Black Apr 4, 2026

Threat Intelligence #russia #apt28 #fancy-bear #void-blizzard #cert-ua #ukraine #persistence #social-engineering

CERT-UA warns APT28 and Void Blizzard are revisiting old compromises, testing dormant access, and calling targets directly in fluent Ukrainian. Incident response has an expiration date. Attackers don't.

Delete This Web Shell and It Grows Back. Thanks, Cron.

John Z Black Apr 4, 2026

Threat Intelligence #webshell #php #cookie-c2 #linux #persistence #microsoft-defender

Microsoft found PHP web shells that take commands through cookies instead of URLs. Delete them and a cron job rebuilds them. Your WAF probably can't see any of it.