
Expel

@expelsecurity.bsky.social

The leading MDR provider trusted by some of the world's most renowned brands to expel adversaries, minimize risk, and build security resilience. 🔗 expel.com

34 Followers  |  2 Following  |  103 Posts  |  Joined: 02.12.2024

Latest posts by expelsecurity.bsky.social on Bluesky

The pages don't include a download link and we haven't been able to answer the question: What does the user see?

If you're able to find out, let us know in our DMs or comments 📥

01.08.2025 21:21 — 👍 0    🔁 0    💬 0    📌 0
Post images

Clicking on the “Dragons Guide” sent us to Bing instead. From Bing, we were able to view one of the several Link-pits we found. We found other sites by looking for webpages with the same “dodecadragons-guide” in the URL.

01.08.2025 21:21 — 👍 0    🔁 0    💬 1    📌 0
Post image

We also found a few hosting the SEO poisoning. Here are some examples: graduatetutor[.]org, theyansweredthecall[.]com, traykin[.]com, and mediagin[.]net.

These websites are “Link-pits.” They hold a large number of pages and keywords to arrive high in search results.

01.08.2025 21:21 — 👍 0    🔁 0    💬 1    📌 0
Post image

We did some digging and found a bunch of these JavaScript files. The name is always “FULL DOCUMENT.JS” but they come in a ZIP file with the name from the SEO poisoning. The ZIPs were named like the examples below.

01.08.2025 21:21 — 👍 0    🔁 0    💬 1    📌 0
Post image

The JS file contains the following content.

It calls GetObject() with content that decodes to "scriptlet:http[:]//0x3e3cb218/vag"

That hex? That's an IP address 👀 62.60.178[.]24

When the script executes, it downloads a remote payload and starts the malware infection.

01.08.2025 21:21 — 👍 0    🔁 0    💬 1    📌 0

A user attempts to download a sort of guide. Their “guide” arrives high in search results. If they download the file, they receive a .ZIP and inside the ZIP file there is a small JS file. Due to size and obfuscation, this small file can easily bypass the first pass of detections.

01.08.2025 21:21 — 👍 0    🔁 0    💬 1    📌 0

⚠️ We've noticed a campaign leveraging SEO poisoning to drop a small loader. If you've seen the lure in the watering hole, we'd love to know. A copy of the malware can be found on VirusTotal as MD5 hash 6af56c606b4ece68b4d38752e7501457.

Here's what we're seeing 🧵

01.08.2025 21:21 — 👍 0    🔁 0    💬 1    📌 0
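A worked decoder for the moniker the thread above quotes, added here as an example (it is not code from the thread or from Expel). It normalizes a dotless or hex IPv4 host using the classic inet_aton rules (1- to 4-part forms, each part hex with 0x, octal with a leading 0, or decimal), which is the parsing that lets a URL such as http://0x3e3cb218/vag resolve at all, then strips the scriptlet: prefix and defangs the result in the style the thread uses. The function names, the alternative spellings of the address, and the sample inputs are my own assumptions; only "scriptlet:http://0x3e3cb218/vag" and 62.60.178.24 come from the thread.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example (not from the Expel thread): normalize the dotless/hex host in the
# loader's "scriptlet:http://0x3e3cb218/vag" moniker to a dotted-quad address.

SCRIPTLET_PREFIX = "scriptlet:"  # the moniker scheme GetObject() is handed in the sample


def _parse_part(part: str) -> int:
    """inet_aton-style numeric part: 0x.. is hex, a leading 0 is octal, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)  # ValueError on "0x" with no digits, caught by the caller
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ipv4(host: str) -> Optional[str]:
    """Return host as a dotted quad, accepting the 1-, 2-, 3- and 4-part forms that
    inet_aton-style parsers (including Windows' inet_addr) accept, or None when the
    host is not a numeric IPv4 host at all."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is one octet; the last part fills the remaining bytes.
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    tail_bits = 8 * (5 - len(parts))
    if not 0 <= values[-1] < (1 << tail_bits):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << tail_bits) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def resolve_scriptlet_url(moniker: str) -> Optional[dict]:
    """Strip the scriptlet: prefix and rewrite the numeric host as a dotted quad.
    Returns None for anything that is not a scriptlet: moniker with a numeric host."""
    if not moniker.lower().startswith(SCRIPTLET_PREFIX):
        return None
    url = moniker[len(SCRIPTLET_PREFIX):]
    u = urlsplit(url)
    ip = normalize_ipv4(u.hostname or "")
    if ip is None:
        return None
    netloc = ip if u.port is None else f"{ip}:{u.port}"
    return {
        "host_as_written": u.hostname,
        "ip": ip,
        "url": urlunsplit((u.scheme, netloc, u.path, u.query, u.fragment)),
    }


def defang(url: str) -> str:
    """Defang in the style the thread uses: http[:]// and [.] before the last host octet."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    host, slash, path = rest.partition("/")
    head, dot, tail = host.rpartition(".")
    if dot:
        host = f"{head}[.]{tail}"
    return f"{scheme}[:]//{host}{slash}{path}"


if __name__ == "__main__":
    # Constructed sample: the decoded moniker quoted in the thread, refanged.
    sample = "scriptlet:http://0x3e3cb218/vag"
    resolved = resolve_scriptlet_url(sample)
    print(resolved)
    print(defang(resolved["url"]))  # http[:]//62.60.178[.]24/vag
    # Other spellings an inet_aton-style parser accepts for the same address
    # (my own variants for illustration, not forms seen in the campaign):
    for alt in ("1044165144", "076.074.0262.030", "0x3e.0x3c.0xb2.0x18", "62.60.45592"):
        print(alt, "->", normalize_ipv4(alt))
```

The point of accepting the 1-, 2- and 3-part forms is that a detection keyed on a dotted-quad regex misses every one of them; normalizing first and matching on the canonical address is what makes an IP indicator such as 62.60.178[.]24 catch the 0x3e3cb218 spelling.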
Preview: What Fortune 100s are getting wrong about cybersecurity hiring - Help Net Security. New research reveals cybersecurity hiring trends for 2025, showing how rigid job requirements and low flexibility are driving talent away.

What Fortune 100s are getting wrong about cybersecurity hiring

📖 Read more: www.helpnetsecurity.com/2025/07/17/c...

#cybersecurity #cybersecuritynews #burnout #certification @expelsecurity.bsky.social

17.07.2025 07:31 — 👍 2    🔁 1    💬 0    📌 0
Post images

Spotted in NYC 👀

Took cloud security so seriously we actually ended up in the clouds. ☁️ Thanks for having us, Nasdaq!

30.06.2025 17:18 — 👍 0    🔁 0    💬 0    📌 0
Preview: What we're seeing from Iran (and what it means for you). Here's Expel's take on what the geopolitical issues between the US, Israel, and Iran look like for the cybersecurity community to date.

⚠️ We've been keeping a close eye on the US-Israel-Iran geopolitical situation. Many resources are providing a ton of information and data but not a lot of analysis.

Our take: things are not likely to intensify in the cyber realm.

Here's what to do and what Expel is doing:

26.06.2025 17:50 — 👍 1    🔁 0    💬 0    📌 0
Preview: Explore Expel's auto remediations: Delete malicious file. In this series, we explore Expel's auto remediations so you understand how they work. Let's explore delete malicious file.

📂💥 When a malicious file hits your environment, every second counts.

Expel's “delete malicious file” response action enables our SOC to permanently remove a confirmed malicious file directly from an affected host, using the EDRs and security tools you already have. expel.com/blog/explore...

23.06.2025 18:04 — 👍 0    🔁 0    💬 0    📌 0
Preview: Emerging threat: Scattered Spider's heightened activity—here's the 411. Threat group Scattered Spider is making headlines again as they increase targeting for financial services and insurance orgs.

⚠️🕷️ Scattered Spider is acting with a heightened amount of activity. We're seeing them pivot from credential harvesting to directly targeting IT help desks, using social engineering to reset passwords and bypass MFA.

Get the full 411 on Scattered Spider's heightened activity:

20.06.2025 18:50 — 👍 0    🔁 0    💬 0    📌 0
Preview: Patch Tuesday: June 2025 (Expel's version). The June 2025 edition of Patch Tuesday is live, and this month we're highlighting a handful of Ivanti critical vulnerabilities.

It's Patch Tuesday! 🩹 This month, Microsoft released 66 CVEs including CVE-2025-33053 and CVE-2025-33070.

Of the vulnerabilities, here are the three that caught our eye as the highest priority due to the vulnerability exploitation risk factors 👀🚨 expel.com/blog/patch-t...

10.06.2025 19:44 — 👍 0    🔁 0    💬 0    📌 0
Preview: More SIEM flexibility: Expel MDR adds support for XSIAM. Expel expands its SIEM coverage by launching advanced support for Palo Alto Networks Cortex® XSIAM. Welcome XSIAM users!

Learn more about how Expel MDR can work with your XSIAM deployment: expel.com/blog/more-si...

10.06.2025 17:58 — 👍 0    🔁 0    💬 0    📌 0

What this means for your security team:
🤸 Choose the best security tools for you knowing Expel can integrate with them
🔎 Combine the strengths of your SIEM data & detections with Expel's expert analysis & response capabilities
🟰 Receive the same high-quality Expel MDR experience

10.06.2025 17:58 — 👍 0    🔁 0    💬 1    📌 0

You've invested in your SIEM, now our goal is to make that investment work.

We're doubling down on our position as a leader in MDR flexibility by announcing the expansion of our SIEM coverage. We've launched advanced support for Palo Alto Networks Cortex XSIAM this month.

10.06.2025 17:58 — 👍 0    🔁 0    💬 1    📌 0
Preview: 5 questions to ask when your security vendor gets acquired. Whether your MDR provider is going through a merger or acquisition, here are five questions you'll want to ask your new point of contact.

Acquisitions happen. But when your security vendor gets bought out, it's not just business as usual. Are you ready to ask the hard questions? Because you need to.

Our CSO Greg Notch lays out the 5 questions you need to ask when your security vendor gets acquired: expel.com/blog/5-quest...

09.06.2025 16:16 — 👍 0    🔁 0    💬 0    📌 0
Preview: How to onboard with Expel in 7 minutes (No, really. We'll show you.) See with your own eyes how Expel MDR is up and running in less than seven minutes, from API connection to immediate protection.

In 7 minutes you can...

๐Ÿƒ run a darn good mile
๐Ÿคณ doom scroll before your next meeting
๐Ÿ–ฅ๏ธ or onboard Expel

That's right. The onboarding even includes time to validate the connection within Expel Workbenchโ„ข and to test the connection. Watch the full demo and follow along! expel.com/blog/how-to-...

06.06.2025 19:47 โ€” ๐Ÿ‘ 0    ๐Ÿ” 0    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Preview
Identity: Your new financial fortress (and who's trying to log in?) Identity is the new perimeter in cybersecurity, and bad attackers aren't breaking inโ€”they're logging in, and targeting FinServ.

This is where Expel MDR can partner with financial organizations to protect against bad actors attempting to look like the real deal. Learn more 👇 expel.com/blog/identit...

03.06.2025 15:53 — 👍 0    🔁 0    💬 0    📌 0

The numbers paint a clear picture:

🧑‍💻 Stolen credentials were used in 22% of breaches
💸 ATO incidents jumped 13% in 2024, with global losses projected to hit $17 billion by 2025
🙅 80% of consumers would ditch a platform after an account takeover

03.06.2025 15:53 — 👍 0    🔁 0    💬 1    📌 0

🦹 While the convenience is great, cybercriminals are all over this—targeting credentials via phishing and social engineering to simply walk into your systems.

03.06.2025 15:53 — 👍 0    🔁 0    💬 1    📌 0

🎭 Identity is your new perimeter in cybersecurity. Today, hackers aren't just breaking in, they're logging in.

In financial services, trust is everything. Your customers and employees need to securely access your services from anywhere.

03.06.2025 15:53 — 👍 0    🔁 0    💬 1    📌 0
Preview: Explore Expel's auto remediations: Contain host. In this series, we explore Expel's auto remediations so you understand how they work, and the benefits of each. Let's explore contain host.

Expel's contain host auto remediation allows our SOC analysts—with your pre-approval—to automatically isolate a compromised or suspicious endpoint from your network.

Learn:
⚙️ how our contain host auto remediation works
👟 how our analysts kick off this action
🖥️ how to set it up

28.05.2025 15:55 — 👍 0    🔁 0    💬 0    📌 0
Post image

In media (and cloud) we trust 🫡

Join Pierre Noel on 3rd June at #Infosec2025 for insights on overcoming common cloud transformation challenges in a changing digital media ecosystem. And don't forget to come see us at stand C85 for custom AI portraits and swag. expel.com/infosecurity...

27.05.2025 18:46 — 👍 0    🔁 0    💬 0    📌 0
Post image

🕷️ Operation Endgame just announced disruption of the infrastructure behind Latrodectus malware, a malware used by ransomware actors to gain access to enterprise networks. But the devs are persistent so we expect them to return.

Here are the most recent tactics we've seen: expel.com/blog/followi...

23.05.2025 16:38 — 👍 0    🔁 0    💬 0    📌 0
Preview: How to protect M&A in FinServ with Visa and Expel | Expel

Mergers and acquisitions can fuel growth but they also create opportunities for cyber threats. Join Expel's experts along with Visa's Ilaiy Elangovan on June 5 for a discussion on expanding your org—without slowing down the deal. 🏦🛡️

Register now: expel.com/webinars/ma-...

19.05.2025 16:43 — 👍 0    🔁 0    💬 0    📌 0
Preview: Explore Expel's auto remediations: Kill process. In this series, we explore Expel's auto remediations so you understand how they work, and the benefits of each. Let's explore kill process.

New blog series alert! 🔦 Follow along as we explore all of Expel's auto remediations.

In this post, we'll focus on the kill process auto remediation, which enables Expel's SOC to immediately terminate malicious processes across endpoints.

Here's how it works and how to set it up:

15.05.2025 20:00 — 👍 1    🔁 0    💬 0    📌 0
Preview: Recapping RSAC 2025: How AI, ethics, and geopolitical events combine in cybersecurity scenarios. Here's a recap of the Expel team's experience at RSAC 2025. We pet puppies and goats, played games, connected, and highlighted trending topics.

Now that we're (a bit more) recovered from #RSAC, we wanted to take a minute to highlight the key themes we saw this year.

🧐 AI—who's using it & how
🗺️ Geopolitical shifts & their impact on cybersecurity
💭 Changes in corporate expectations
💡 How all of this is shaping new tech

expel.com/blog/recappi...

08.05.2025 18:34 — 👍 0    🔁 0    💬 0    📌 0
Preview: Why Identity Is the New Battleground in Cyber Defense. Credential theft is eclipsing ransomware as one of the top threat vectors targeting victims around the world, according to Expel's Dave Merkel, who explains how

Identity has become the new frontline in cybersecurity. 🪪

🎥 In this interview with ISMG at #RSAC 2025, our CEO Dave Merkel shares why threat actors are prioritizing identity-based attacks and what security leaders should ask when evaluating AI-enabled tools. www.databreachtoday.com/identity-new...

08.05.2025 16:43 — 👍 0    🔁 0    💬 0    📌 0
Preview: Simplifying Microsoft security with Expel MDR. Expel MDR seamlessly integrates with all the Microsoft security tools in your tech stack, from Microsoft Azure to Microsoft 365 and more.

If you're one of the many orgs that consolidated their security tools around @microsoft.com to keep costs down and now need an MDR provider to protect these new investments, you're in the right place. 🍀

Learn how Expel MDR works seamlessly with your Microsoft environment: expel.com/blog/simplif...

07.05.2025 22:07 — 👍 0    🔁 0    💬 0    📌 0