<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Misp - Tag - Forensic wheels</title><link>https://polymathmonkey.github.io/weblog/tags/misp/index.html</link><description/><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sat, 06 Jun 2026 13:27:31 +0200</lastBuildDate><atom:link href="https://polymathmonkey.github.io/weblog/tags/misp/index.xml" rel="self" type="application/rss+xml"/><item><title>Tracking a credential scanner</title><link>https://polymathmonkey.github.io/weblog/securityresearch/hassh-redtail-cryptominer-campaign/index.html</link><pubDate>Sat, 06 Jun 2026 10:00:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/securityresearch/hassh-redtail-cryptominer-campaign/index.html</guid><description>The Alert At 10:23 on June 5th, ElastAlert fired a Pushover notification:
MISP Hit: Known Threat Actor IP: 130.12.180.51 | Canada Feed: Maltrail IOC for 2026-06-01 | Level: Medium
What followed was a two-day investigation that started with a medium-severity feed match on a Canadian IP and ended with confirmed cryptominer deployment, SSH key persistence, and a second infrastructure node that the feed had never seen.</description></item><item><title>Threathunting like a nerd</title><link>https://polymathmonkey.github.io/weblog/securityresearch/threathuntinglikeanerd/index.html</link><pubDate>Fri, 05 Jun 2026 12:04:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/securityresearch/threathuntinglikeanerd/index.html</guid><description>The Tooling Problem Most threat hunters use one of three things to document their work: a Word document, a Jupyter notebook, or a dedicated platform like TheHive or Aurora. Word documents are fine until you want to run a query from inside the document. Jupyter notebooks are fine until you want to write prose that does not look like a GitHub README. TheHive is fine until you are a solo analyst running a homelab and you do not want to maintain another service.</description></item></channel></rss>