[Op Report] Trojanized CPU-Z Delivers STXRAT, Steals Credentials, and Exfils Data Through a Hidden QEMU VM
A trojanized CPU-Z installer dropped STXRAT via DLL side-loading, quietly deploying PureLogs Stealer to harvest browser credentials and PureHVNC for remote access — all while routing 54 hours of continuous data exfiltration through a locally hosted QEMU Alpine Linux VM to evade detection. Deception.Pro captured the first documented full post-exploitation chain for this campaign, delivering ground-truth adversary telemetry that no sandbox or threat feed could replicate.
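Two of the techniques this blurb names leave a recognizable shape in ordinary endpoint telemetry: a headless QEMU VM started from a user-writable path, and a DLL mapped from the same directory as the executable that imports it. The script below is an added example of that triage logic, not detection content from the report or from Deception.Pro. Every event, path and DLL name in it is constructed for illustration (the `cpuz.exe` / `version.dll` pairing is an assumed side-loading shape, not an indicator from the operation), and the Windows DLL names in `KNOWN_SYSTEM_DLLS` are simply common side-load targets, not a claim about what STXRAT used.

```python
"""Triage sketch: flag a QEMU launch that looks attacker-staged and a DLL
load that has the side-loading shape. Constructed events only."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the new process
    cmdline: str    # its command line


@dataclass
class ImageLoad:
    process_image: str  # process that mapped the DLL
    dll_path: str       # path of the mapped DLL
    signed: bool        # Authenticode status as reported by the sensor


QEMU_NAME = re.compile(r"^qemu-system-[a-z0-9_]+(\.exe)?$", re.I)
VENDOR_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")
HEADLESS_FLAGS = ("-nographic", "-display none")
# Real Windows DLL names that side-loading commonly impersonates (assumed list).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def qemu_findings(ev: ProcEvent) -> list[str]:
    """Reasons a QEMU launch looks like attacker-staged infrastructure."""
    img = _norm(ev.image)
    if not QEMU_NAME.match(ntpath.basename(img)):
        return []
    cmd = ev.cmdline.lower()
    reasons = []
    if not img.startswith(VENDOR_ROOTS):
        reasons.append("qemu binary outside a vendor install root")
    if any(flag in cmd for flag in HEADLESS_FLAGS):
        reasons.append("headless VM (no display attached)")
    if "-netdev user" in cmd or "hostfwd=" in cmd:
        reasons.append("user-mode networking: guest traffic leaves via the host NIC")
    return reasons


def sideload_findings(ev: ImageLoad) -> list[str]:
    """Reasons an image load looks like DLL side-loading."""
    proc = _norm(ev.process_image)
    dll = _norm(ev.dll_path)
    proc_dir = ntpath.dirname(proc)
    # Side-loading means the DLL resolves from the EXE's own directory.
    if ntpath.dirname(dll) != proc_dir or dll.startswith(SYSTEM_ROOTS):
        return []
    reasons = ["DLL mapped from the EXE's own directory"]
    if not ev.signed:
        reasons.append("DLL unsigned")
    if any(tok in proc_dir for tok in USER_WRITABLE):
        reasons.append("directory is user-writable")
    if ntpath.basename(dll) in KNOWN_SYSTEM_DLLS:
        reasons.append("DLL name collides with a Windows system DLL")
    return reasons


# Constructed sample events (not telemetry from the operation).
SAMPLE_QEMU = ProcEvent(
    image="C:\\Users\\victim\\AppData\\Local\\Temp\\upd\\qemu-system-x86_64.exe",
    cmdline="qemu-system-x86_64.exe -m 512 -nographic -hda alpine.qcow2 "
            "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0",
)
SAMPLE_QEMU_BENIGN = ProcEvent(
    image="C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
    cmdline="qemu-system-x86_64.exe -m 2048 -hda dev.qcow2",
)
SAMPLE_SIDELOAD = ImageLoad(
    process_image="C:\\Users\\victim\\Downloads\\cpuz_setup\\cpuz.exe",
    dll_path="C:\\Users\\victim\\Downloads\\cpuz_setup\\version.dll",
    signed=False,
)
SAMPLE_LOAD_BENIGN = ImageLoad(
    process_image="C:\\Windows\\System32\\notepad.exe",
    dll_path="C:\\Windows\\System32\\version.dll",
    signed=True,
)

if __name__ == "__main__":
    for ev in (SAMPLE_QEMU, SAMPLE_QEMU_BENIGN):
        print(ev.image, "->", qemu_findings(ev) or "clean")
    for ev in (SAMPLE_SIDELOAD, SAMPLE_LOAD_BENIGN):
        print(ev.dll_path, "->", sideload_findings(ev) or "clean")
```

Treat the reason count as a triage score, not a verdict: plenty of legitimate software ships unsigned DLLs beside its EXE, and developers run QEMU from odd paths, so the findings are worth an alert only when several stack on one host, and the real decision comes from the artifacts around them (parent process, what the VM image contains, where its network traffic goes).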
[Update] Deception.Pro April 2026
TLS introspection is now live on Deception.Pro — decrypted PCAPs are automatically generated and available in the Artifact section of every operation. For the first time, you have full plaintext visibility into encrypted adversary traffic, correlated alongside your EDR telemetry, Suricata EVE logs, and raw captures. This release also ships meaningful improvements to artifact delivery speed, platform stability, and internal architecture.
[Update] Deception.Pro March 2026
This release brings a new Timeline View for unified process and event history across detonations, expanded YARA detection coverage for executables in memory and on disk, and a round of frontend stability improvements. Free researcher accounts will also see a new telemetry consent flow for anonymized data used in AI model training — paid and PoV accounts are unaffected. Attackers bet heavily on encryption to blind defenders — that's about to get harder, with TLS introspection and several other major capabilities coming to the platform soon.
[Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed
A recent deception operation shows Velvet Tempest leaning on a “ClickFix”-style lure to move fast from initial access into hands-on-keyboard activity consistent with Termite ransomware operations. In this post, we break down the timeline, highlight the most actionable indicators of compromise, and translate the tradecraft into practical defender takeaways—including where deception can turn attacker momentum into instant signal.
[Op Report] Hands-on-Keyboard Intrusion Abusing Multiple RMMs
Proofpoint observed a hands-on-keyboard intrusion where an operator abused multiple RMM platforms—including Bluetrait, Fleetdeck, Level, and MSP360—after initial access via a malicious PDF “missing Adobe plugin” lure. The activity underscores a growing reality: attackers are increasingly using legitimate IT tooling as a resilient intrusion framework.
[Update] Deception.Pro Jan 2026
The January 2026 Deception.Pro update introduces industry-based replica browsing for Premium users, expanded and more reliable malware auto-detonation across common delivery formats, improved artifact handling with VirusTotal linking, and broad stability enhancements, while laying the groundwork for dedicated KVM infrastructure, TLS inspection, and memory dump support.
[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations
This Deception.Pro operation captured a multi-stage malware intrusion culminating in hands-on-keyboard (HoK) activity focused exclusively on account takeover (ATO): not ransomware staging or enterprise lateral movement.
[Op Report] Oyster → Vidar → Supper socks shell Campaign Leads to Hands-on-Keyboard Activity
A recent Deception.Pro operation involving a replica victim in the travel and tourism sector revealed a multi-stage infection beginning with an Oyster malware dropper masquerading as a Microsoft Teams installer.