Trends
Chokepoints stay stable — but the techniques layered around them shift constantly. These analyses track what adversaries are actually doing: which payloads and cradle families dominate, which evasion techniques are rising or dying, and what infrastructure they keep coming back to. Data-driven signal for prioritizing detection work.
Analyses
10 months of MHaggis ClickGrab crawl data mapped through the Detection Chokepoint Framework. Tracks cradle family evolution (IWR→Curl pivot), evasion technique acceleration (Base64 18×), self-delete emergence, and CDN staging infrastructure across 20K+ malicious sites.
How adversaries build convincing fake software sites — typosquatting, combosquatting, stolen favicons, and valid TLS — and why every user-facing trust signal is forgeable. Covers favicon hash pivoting as an infrastructure clustering technique and the Tier 1 chokepoints that survive even perfect visual impersonation.
In Development
Command-line argument frequency, string patterns, and target file paths across RedLine, LummaC2, Vidar, and StealC — ranked by prevalence to prioritize detection coverage.
ASN distribution, certificate reuse, and domain registration patterns across AnyDesk, ScreenConnect, RustDesk, and MeshCentral deployments observed in incident response data.
Which living-off-the-land binaries appear most in real campaigns vs. red team exercises — certutil, mshta, regsvr32, wscript, cscript, rundll32 tracked across public incident data.
Have data worth analyzing? Trends analyses are sourced from crawled infrastructure, public incident reports, and open datasets. If you have a dataset that maps well to detection chokepoints, see CONTRIBUTING.md or open an issue to discuss.