https://blog.deception.pro/blog daily 1.0 2026-04-13 https://blog.deception.pro/blog/cpuz-trojan-stxrat-purelogs-data-exfil-april-2026 monthly 0.5 2026-04-13 https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/7a78c8b6-eede-4805-a487-4616ac5976e2/replica_headshot.jpeg Blog - [Op Report] Trojanized CPU-Z Delivers STXRAT, Steals Credentials, and Exfils Data Through a Hidden QEMU VM - Environment at a Glance Replica Role: Cloud Solutions Architect Replica Organization: Market-leading cloud-native AI platform firm Industry: Technology & IT Services Topology: Microsoft Active Directory environment with 1,000+ endpoints and 500+ users. Replica Location: United States Observed duration: ~12 days (Feb 3–Feb 16, 2026) Sensor Stack: LimaCharlie EDR, Suricata (EVE JSON & Decrypted TLS) Infection Vector: Trojanized CPU-Z 2.19 installer Zip (DLL side-loaded) Primary Threat Families: STXRAT, PureLogs Stealers, PureHVNC, rclone (exfil), QEMU Alpine (proxy) Note: Replica personas, organizations, and documents are AI-generated and randomized for believability. Any resemblance to real-world entities is purely coincidental. https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/42fe99c3-adba-4cae-9b57-a93bfaf48c08/cpuid_com_screenshot.png Blog - [Op Report] Trojanized CPU-Z Delivers STXRAT, Steals Credentials, and Exfils Data Through a Hidden QEMU VM - Make it stand out Figure 1: Initial website cpuid[.]com that contained trojanized installer. https://blog.deception.pro/blog/deceptionpro-platform-update-april-2026 monthly 0.5 2026-04-02 https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/1ef598e7-965b-4c30-924e-df6e6cffeff1/ssl_inspection.png Blog - [Update] Deception.Pro April 2026 - Make it stand out The SSL Inspection (to include TLS) checkbox is now enabled by default during operation initiation! https://blog.deception.pro/blog/deceptionpro-platform-update-march-2026 monthly 0.5 2026-04-02 https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/e59f271c-e6d8-41eb-9868-2f602103f326/timeline_example.png Blog - [Update] Deception.Pro March 2026 - Make it stand out Example image of Timeline View from an actual operation. https://blog.deception.pro/blog/clickfix-hok-velvet-tempest-termite monthly 0.5 2026-04-13 https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/e0d6b8e9-4a52-4a1a-bf1e-3e49b3d661ee/replica_headshot.jpeg Blog - [Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed - Environment at a Glance Replica Role: Impact & Data Coordinator Replica Organization: A non-profit that leverages mobile technology and data analytics to improve the efficiency and transparency of aid distribution in underserved communities. Topology: Microsoft Active Directory environment with 3,000+ endpoints and 2,500+ users. Replica Location: United States Observed duration: ~12 days (Feb 3–Feb 16, 2026) Note: Replica personas, organizations, and documents are AI-generated and randomized for believability. Any resemblance to real-world entities is purely coincidental. https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/ce8afefa-8a2b-45f5-a247-5c3d01cffd54/velvet_tempest_payload_timeline.png Blog - [Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed - Make it stand out Figure 1: Velvet Tempest ransomware payload timeline. https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/57fe921e-83a0-4588-bc1e-673dc6391d91/Termite_support_onion.png Blog - [Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed - Make it stand out Figure 2: Termite ransomware victim support portal. https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/1225cfd0-38b9-4d3e-a27a-deba1b80ee00/Termite-nexus-malvertisment-redacted.png Blog - [Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed - Make it stand out Figure 3: ClickFix lure at h3securecloud[.]com with the full paste command pictured in Notepad. https://blog.deception.pro/blog/hok-intrusion-abusing-multiple-rmms-jan2026 monthly 0.5 2026-02-26 https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/02927ad3-ff3d-4ded-9465-c2cda4a6cce4/replica_headshot.jpeg Blog - [Op Report] Hands-on-Keyboard Intrusion Abusing Multiple RMMs - Environment at a Glance Replica Role: Product Manager, Luxury Travel Replica Organization: A premier tour operator specializing in bespoke luxury travel Topology: Microsoft Active Directory environment with 2,000+ endpoints and 1,500+ users Replica Location: France Observed duration: ~15 days (Jan 14–Jan 27, 2026) https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/f56c9109-8725-4514-82c5-3be9c2a32a7e/Bluetrait_Email_DP_2.png Blog - [Op Report] Hands-on-Keyboard Intrusion Abusing Multiple RMMs - Make it stand out Figure 1: Email (sanitized) received by victims (French-language travel lure). https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/3e959730-0b97-491c-a431-fc8e4a201035/Bluetrait_PDF_DP.jpg Blog - [Op Report] Hands-on-Keyboard Intrusion Abusing Multiple RMMs - Make it stand out Figure 2: French PDF lure prompting installation of a “missing Adobe module,” leading to Bluetrait deployment. https://blog.deception.pro/blog/deceptionpro-platform-update-jan-2026 monthly 0.5 2026-03-23 https://blog.deception.pro/blog/castlerat-dec2025-hok-ato monthly 0.5 2026-01-07 https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/c288063b-816c-4eac-b957-ccdf42c5a0a7/steam_923.png Blog - [Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations - Make it stand out Example Steam profile page leveraged by CastleRAT as a command-and-control dead-drop mechanism. https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/b47da9d6-8013-4df4-9fb2-29d3dc181719/chrome_history.png Blog - [Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations - Make it stand out Chrome browser history from the replica workstation, capturing websites visited by the threat actor during live HoK activity. https://blog.deception.pro/blog/oyster-vidar-hok-dec2025 monthly 0.5 2026-01-05 https://blog.deception.pro/blog/updated-nov4-2025 monthly 0.5 2026-01-05