Threat Hunting
Active Node.js Malware Campaign Targeting Manual Reader Applications
We’re seeing a significant uptick in a malware campaign that’s affecting multiple customers. This one’s worth knowing about if you’re in a SOC or working with EDR platforms.
The Campaign
Attackers are distributing malicious Node.js payloads disguised as manual reader and document utility applications. The names are designed to look legitimate: AllManualsReader, OpenMyManual, ManualFinder, AppSuitePDF, and OneStart.
Initial distribution appears to be through SEO poisoning. Users search for manuals or document tools, find these applications in search results, and download what they think is a legitimate utility.
Building Effective Threat Hunting Queries
Effective threat hunting queries help you find what automated detections miss. Here’s my approach to building them.
Start with a Hypothesis
Before writing a query, form a hypothesis about adversary behavior. Instead of “check for PowerShell activity,” try “threat actors may use encoded PowerShell commands to download payloads.”
This frames your hunt around specific TTPs rather than casting a wide net.
Build Queries That Surface Anomalies
Here’s a query for hunting suspicious PowerShell usage: