One Billion CISA KEV Records Prove the Human-Speed Security Model Is Already Dead
Attackers are now exploiting vulnerabilities an average of seven days before a patch exists. Defenders, meanwhile, leave 63% of critical vulnerabilities unpatched after a full week [2]. That gap is not a process failure but a structural collapse. Analysis of more than one billion CISA KEV remediation records across 10,000 organizations confirms what front-line teams have felt for years: the human-speed security operations model cannot keep pace with machine-speed adversaries [2].
The data comes from Qualys research published alongside Google's M-Trends 2026 report, and the numbers are stark. Security teams are closing 6.5 times more vulnerability tickets than they were three years ago, yet the percentage of critical vulnerabilities still open at Day 7 has actually worsened, rising from 56% in 2022 to 63% in 2025 [1][2]. Working harder is not working.
The Time-to-Exploit Collapse
The single most important metric in vulnerability management is the gap between disclosure and exploitation. That gap has effectively inverted.
Google's M-Trends 2026 reports that the mean time to exploit dropped to an estimated -7 days; in the report's own words, exploitation is now "routinely occurring before a patch is released" [3]. Half of the 52 tracked weaponized vulnerabilities in the Qualys dataset were weaponized before any patch existed [1]. Of the rest, 88% were patched more slowly than they were exploited [1].
This collapse has real consequences. Mandiant reports that exploitation served as the initial infection vector in 32% of intrusions for the sixth consecutive year [3].
Why More Tickets Don't Mean More Security
The instinct is to blame patching speed. The data says otherwise.
At the point of disclosure, 85% of vulnerable assets remain unpatched [2]. After 21 days, 33% are still open. After 90 days, 12% remain exposed [2]. Teams are triaging more, closing more tickets, and still falling further behind. As one Qualys researcher put it: "The problem is not speed. It is the operational model itself" [1].
The volume is part of the problem. More than 48,000 CVEs were published in 2025 alone [6]. But only a small fraction will ever become remotely exploitable or actively weaponized, meaning 99% of CVE findings consume the bulk of remediation capacity despite posing low actual risk [6]. Security teams are drowning in noise while the signal gets buried.
Global median dwell time actually rose to 14 days from 11 days, according to M-Trends 2026 [3]. Attackers are staying longer in compromised environments even as defenders process more alerts.
The KEV Catalog: Useful but Insufficient
CISA's Known Exploited Vulnerabilities catalog was designed to cut through the noise. It has partially worked, but its own data reveals limitations.
As of January 2026, the catalog tracks 1,488 KEVs. Of those, only 483 (32%) are useful for immediate initial access [5]. The vulnerabilities span a wide range of MITRE ATT&CK techniques: 424 KEV-listed vulnerabilities map to various ATT&CK techniques, confirming that KEV-listed flaws are not narrowly concentrated in a small set of attacker behaviors [5].
CISA continues to add entries actively. The catalog remains a living, updated resource, but the remediation data shows organizations cannot keep up even with this curated, prioritized list.
Adversaries Are Adding AI to Their Arsenal
The exploitation speed problem is compounding because attackers are automating at every stage.
Unit 42's 2026 Global Incident Response Report found that attackers start scanning for newly discovered vulnerabilities within 15 minutes of a CVE being announced [4]. AI is compressing the entire attack lifecycle: in 2025, exfiltration speeds for the fastest attacks quadrupled [4].
Google's Threat Intelligence Group (GTIG) documented the first observation of malware using LLMs during execution rather than just during development [9]. PROMPTFLUX, a VBScript-based malware family, queries Google's Gemini API to request code obfuscation and evasion techniques in real time [9][10]. PROMPTSTEAL, a data miner likely linked to Russia's APT28, was observed in operations against Ukraine targets [10][11]. QUIETVAULT, a JavaScript credential stealer targeting GitHub and NPM tokens, uses on-host AI tools for secret enumeration [11]. FRUITSHELL, a PowerShell reverse shell, carries hard-coded prompts for LLM-based evasion, and PROMPTLOCK is an experimental ransomware strain using LLMs to generate Lua scripts [11].
These are not proof-of-concept experiments. They are operational tools deployed by state-sponsored and criminal actors.
WARP PANDA and BRICKSTORM: Patient, Persistent, Precise
While the vulnerability exploitation window collapses, sophisticated state actors are using that access for long-term persistence. WARP PANDA, a PRC state-sponsored adversary tracked by Mandiant as UNC5221, has been active since at least 2022 and demonstrates high technical sophistication [8][13].
CISA published analysis of 12 BRICKSTORM malware samples obtained from victim organizations, documenting that the actors maintained access from at least April 2024 through at least September 3, 2025 [7]. BRICKSTORM is a custom Go- or Rust-based backdoor deployed on VMware vSphere and Windows environments [7]. CrowdStrike reports that WARP PANDA's longest observed dwell time extended at least 18 months and the group "almost certainly focuses on maintaining persistent, long-term, covert access" [8].
BRICKSTORM masquerades as legitimate VMware binaries, deploying with filenames like vmware-sphere, vnetd, vami, updatemgr, viocli, vts, and vmckd [7]. It was also found disguised in directories as tmpd in /mnt/cpt/ and httpd in /bin/ [7][12]. Alongside BRICKSTORM, threat actors deployed BEEFLUSH and BUSHWALK web shells, with BRICKSTORM supplemented by the SPAWN ecosystem (SPAWNANT, SPAWNMOLE, SPAWNSNAIL) plus TRAILBLAZE and BRUSHFIRE malware [12][13].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | BRICKSTORM | Go/Rust backdoor for VMware vSphere and Windows | [7] |
| Malware | BEEFLUSH | Java-based web shell reading Fushd parameter | [12] |
| Malware | BUSHWALK | Web shell for VMware vCenter environments | [12] |
| Malware | SPAWNANT | SPAWN ecosystem, WARP PANDA tooling | [13] |
| Malware | SPAWNMOLE | SPAWN ecosystem, WARP PANDA tooling | [13] |
| Malware | SPAWNSNAIL | SPAWN ecosystem, WARP PANDA tooling | [13] |
| Malware | TRAILBLAZE | Deployed by WARP PANDA | [13] |
| Malware | BRUSHFIRE | Deployed by WARP PANDA | [13] |
| Malware | PROMPTFLUX | VBScript malware querying Gemini API for evasion | [9] |
| Malware | PROMPTSTEAL | Data miner likely linked to APT28 | [10] |
| Malware | QUIETVAULT | JS stealer targeting GitHub/NPM tokens | [11] |
| Malware | FRUITSHELL | PowerShell reverse shell with LLM prompts | [11] |
| Malware | PROMPTLOCK | Experimental ransomware using LLM-generated Lua | [11] |
| Filename | /mnt/cpt/tmpd | BRICKSTORM location in compromised VMs | [7][12] |
| Filename | /bin/httpd | BRICKSTORM disguised as legitimate process | [7][12] |
| Filename | vmware-sphere | BRICKSTORM masquerading as VMware binary | [7] |
| Filename | vnetd | BRICKSTORM masquerading as VMware binary | [7] |
| Filename | vami | BRICKSTORM masquerading as VMware binary | [7] |
| Filename | updatemgr | BRICKSTORM masquerading as VMware binary | [7] |
| Filename | Junction | ESXi implant that acts as an HTTP server | [8] |
| Filename | GuestConduit | VM network tunneling via VSOCK | [8] |
| Filename | thinking_robot_log.txt | PROMPTFLUX log file in %TEMP% | [9] |
| Filename | crypted_ScreenRec_webinstall | PROMPTFLUX social engineering lure | [9] |
| URL | gemini.googleapis.com | PROMPTFLUX API endpoint for Gemini queries | [9] |
| Filename | ~/.bashrc | QUIETVAULT modifies shell startup files | [11] |
| Filename | ~/.zshrc | QUIETVAULT modifies shell startup files | [11] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Primary initial access vector in 32% of intrusions [3] |
| T1505.003 | Web Shell | BEEFLUSH and BUSHWALK deployed alongside BRICKSTORM [12] |
| T1036.004 | Masquerade Task or Service | BRICKSTORM filenames mimic VMware binaries [7] |
| T1564.001 | Hidden Files and Directories | BRICKSTORM placed in non-standard VM directories [7][12] |
| T1543.002 | Systemd Service | BRICKSTORM persistence on Linux/VMware hosts [7] |
| T1071.001 | Web Protocols | BRICKSTORM and PROMPTFLUX C2 communications [7][9] |
| T1059.005 | Visual Basic | PROMPTFLUX written in VBScript [9] |
| T1059.007 | JavaScript | QUIETVAULT credential stealer [11] |
| T1059.001 | PowerShell | FRUITSHELL reverse shell [11] |
| T1027 | Obfuscated Files or Information | PROMPTFLUX uses LLM for runtime obfuscation [9] |
| T1105 | Ingress Tool Transfer | Tool deployment across WARP PANDA operations [8][13] |
| T1078 | Valid Accounts | Identity-based initial access in 65% of cases [4] |
| T1133 | External Remote Services | WARP PANDA persistent access methods [13] |
| T1037 | Boot or Logon Initialization Scripts | QUIETVAULT modifying .bashrc/.zshrc [11] |
| T1555.003 | Credentials from Web Browsers | QUIETVAULT targeting stored tokens [11] |
| T1041 | Exfiltration Over C2 Channel | Exfiltration speeds quadrupled in fastest attacks [4] |
| T1486 | Data Encrypted for Impact | PROMPTLOCK experimental ransomware [11] |
Detection and Hunting
BRICKSTORM / WARP PANDA Detection:
- Search VMware vCenter and ESXi hosts for unexpected binaries in `/mnt/cpt/`, `/bin/`, and standard VMware directories. Specifically hunt for `tmpd`, `httpd`, `vmware-sphere`, `vnetd`, `vami`, `updatemgr`, `viocli`, `vts`, and `vmckd` in locations where they should not exist [7][12].
- Monitor for VSOCK connections and unexpected HTTP listeners on ESXi hosts [8].
- Given WARP PANDA's extended dwell times, historical log review covering 12+ months is warranted.
AI-Enabled Malware Detection:
- Monitor outbound connections to `gemini.googleapis.com` from endpoints that should not be making API calls to LLM services [9].
- Hunt for `thinking_robot_log.txt` in `%TEMP%` directories [9].
- Look for modifications to `~/.bashrc` and `~/.zshrc` that were not initiated by administrators, particularly additions that reference credential stores or token files [11].
- Flag VBScript processes making HTTPS connections to known LLM API endpoints.
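The two hunting patterns above (BRICKSTORM filenames outside legitimate VMware paths, and unapproved processes reaching gemini.googleapis.com) as a small triage script. This is an added example, not tooling from any of the cited vendors; the legitimate-path allowlist, the approved-host list and all sample events are constructed assumptions to tune per environment.

```python
"""Triage process-creation and network events for two hunting patterns:
BRICKSTORM binaries masquerading as VMware components outside their
legitimate paths, and script interpreters or unapproved hosts talking to
gemini.googleapis.com. The events below are constructed for illustration."""
import posixpath
from typing import Dict, List, Optional

# Filenames the CISA/MITRE reporting cited above attributes to BRICKSTORM.
VMWARE_LOOKALIKE_NAMES = {"vmware-sphere", "vnetd", "vami", "updatemgr", "viocli", "vts", "vmckd"}
GENERIC_LOOKALIKE_NAMES = {"tmpd", "httpd"}
# Directories where those generic names were reported dropped.
BRICKSTORM_DROP_DIRS = {"/mnt/cpt", "/bin"}
# Assumption: where genuine VMware components live on your appliances; tune per site.
LEGIT_VMWARE_PREFIXES = ("/opt/vmware/", "/usr/lib/vmware/")

LLM_API_HOSTS = {"gemini.googleapis.com"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
UNUSUAL_SYSTEM_PROCS = {"svchost.exe", "rundll32.exe", "dllhost.exe"}
# Assumption: hosts approved to run AI/ML workloads, so their LLM traffic is expected.
APPROVED_LLM_HOSTS = {"ml-01"}


def _normalize(image: str) -> str:
    """Treat Windows and POSIX paths alike so basename/dirname work on both."""
    return image.replace("\\", "/")


def check_masquerade(image: str) -> Optional[Dict[str, str]]:
    """T1036.004: a BRICKSTORM filename outside any legitimate VMware path."""
    path = _normalize(image)
    if path.startswith(LEGIT_VMWARE_PREFIXES):
        return None
    name = posixpath.basename(path).lower()
    parent = posixpath.dirname(path)
    if name in VMWARE_LOOKALIKE_NAMES:
        return {"technique": "T1036.004",
                "reason": f"VMware component name {name!r} running from {parent}"}
    if name in GENERIC_LOOKALIKE_NAMES and parent in BRICKSTORM_DROP_DIRS:
        return {"technique": "T1036.004",
                "reason": f"{name!r} in known BRICKSTORM drop directory {parent}"}
    return None


def check_llm_egress(host: str, image: str, dest_host: str) -> Optional[Dict[str, str]]:
    """T1071.001: a connection to an LLM API from a host not approved for it."""
    if dest_host.lower() not in LLM_API_HOSTS or host in APPROVED_LLM_HOSTS:
        return None
    name = posixpath.basename(_normalize(image)).lower()
    # Script interpreters and odd system processes are the PROMPTFLUX-style case; rank them first.
    severity = "high" if name in (SCRIPT_INTERPRETERS | UNUSUAL_SYSTEM_PROCS) else "medium"
    return {"technique": "T1071.001", "severity": severity,
            "reason": f"{name} connected to {dest_host}"}


def triage(events: List[Dict]) -> List[Dict]:
    """Apply both checks to Sysmon-style events (event_code 1 = process, 3 = network)."""
    findings = []
    for ev in events:
        finding = None
        if ev.get("event_code") == 1:
            finding = check_masquerade(ev["image"])
        elif ev.get("event_code") == 3:
            finding = check_llm_egress(ev["host"], ev["image"], ev.get("dest_host", ""))
        if finding:
            finding.update(host=ev["host"], image=ev["image"])
            findings.append(finding)
    return findings


# Constructed sample events; hostnames and paths are illustrative only.
SAMPLE_EVENTS = [
    {"event_code": 1, "host": "esxi-01", "image": "/mnt/cpt/tmpd"},
    {"event_code": 1, "host": "vcenter-01", "image": "/usr/lib/vmware/vami/bin/vami"},
    {"event_code": 1, "host": "web-02", "image": "/usr/sbin/httpd"},
    {"event_code": 1, "host": "vcenter-01", "image": "/bin/httpd"},
    {"event_code": 1, "host": "esxi-02", "image": "/tmp/vnetd"},
    {"event_code": 3, "host": "ws-17", "image": "C:\\Windows\\System32\\wscript.exe",
     "dest_host": "gemini.googleapis.com"},
    {"event_code": 3, "host": "ml-01", "image": "/usr/bin/python3",
     "dest_host": "gemini.googleapis.com"},
    {"event_code": 3, "host": "ws-18", "image": "C:\\Program Files\\Browser\\browser.exe",
     "dest_host": "gemini.googleapis.com"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Of the eight constructed events, five produce findings: three masquerade hits and two LLM-egress hits, with the genuine `vami` under `/usr/lib/vmware/`, the `/usr/sbin/httpd` instance and the approved ML host left alone.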
Vulnerability Exploitation Indicators:
- Correlate scanning activity within 15 minutes of new CVE announcements against your external attack surface [4].
- Track identity-based anomalies: 65% of initial access now uses identity techniques and 99% of cloud users have excessive permissions [4].
Analysis
The convergence of three trends creates a compounding problem for defenders.
First, exploitation timing has inverted. When attackers routinely weaponize vulnerabilities before patches exist, patching speed becomes irrelevant for a significant portion of the threat surface. The traditional "patch Tuesday, exploit Wednesday" cadence assumed patches would at least exist when exploitation began. That assumption is dead.
Second, volume is a weapon. With 48,000+ CVEs published annually and 99% consuming remediation capacity despite low risk [6], the signal-to-noise ratio works in the attacker's favor. CISA's KEV catalog helps, but even this curated list of 1,488 entries overwhelms teams that cannot clear 63% of critical vulnerabilities in a week.
Third, AI is amplifying both sides asymmetrically. Attackers are already deploying AI-enabled malware operationally (PROMPTFLUX, PROMPTSTEAL, QUIETVAULT) [9][10][11], while defensive AI remains concentrated on discovery and scoring rather than autonomous remediation. The offensive adoption curve is steeper.
The WARP PANDA / BRICKSTORM campaign illustrates the downstream consequences. When exploitation provides reliable initial access, patient adversaries like PRC-linked groups convert that access into year-long persistence campaigns targeting critical infrastructure [7][13]. The vulnerability management failure is not just about the vulnerability but about what happens in the months after the initial compromise goes undetected.
Red Sheep Assessment
Confidence: High. Multiple independent sources (Google M-Trends, Qualys, Unit 42, CrowdStrike) converge on the same conclusion using different datasets and methodologies.
The security industry's framing of this as a "patching problem" misses the point. Patching is a subset of a broader operational model that assumes human-speed decision-making can match machine-speed attacks. It cannot. The 6.5x increase in ticket closures producing worse outcomes [1] is the clearest evidence that incremental optimization of the existing model has hit a ceiling.
What the sources collectively suggest but do not state explicitly: organizations are likely already operating in a state of perpetual compromise for a meaningful percentage of their externally-facing infrastructure. The combination of negative time-to-exploit, 85% unpatched-at-disclosure rates [2], and state actors maintaining dwell times of at least 18 months [8] means the question for most organizations is not whether they have been breached through unpatched vulnerabilities but whether they have detected it.
The emergence of AI-enabled malware that rewrites itself at runtime (PROMPTFLUX querying Gemini hourly for new obfuscation [9][10]) compounds the detection challenge. Traditional signature-based detection is already struggling. When malware can polymorphically evolve using commercial AI APIs, behavioral detection becomes the only viable approach, and most organizations are not there yet.
A contrarian reading: the negative time-to-exploit metric, while alarming, applies to a relatively small subset of vulnerabilities. RunZero's analysis shows only 32% of KEVs provide immediate initial access [5]. The panic narrative could drive premature adoption of immature autonomous patching tools that introduce their own operational risks. Defenders should be deliberate about which parts of their response chain they automate and which require human judgment.
Defender's Checklist
- [ ] Audit VMware infrastructure for BRICKSTORM indicators. Run `find /mnt/cpt/ /bin/ /usr/bin/ -type f \( -name 'tmpd' -o -name 'httpd' -o -name 'vmware-sphere' -o -name 'vnetd' -o -name 'vami' -o -name 'updatemgr' -o -name 'viocli' -o -name 'vts' -o -name 'vmckd' \)` across all vCenter and ESXi hosts. Check for VSOCK listeners and unexpected HTTP listeners [7][8][12].
- [ ] Block or alert on LLM API calls from endpoints. Create network rules to flag outbound HTTPS traffic to `gemini.googleapis.com` from non-approved hosts. Hunt for `thinking_robot_log.txt` in temp directories across the fleet [9].
- [ ] Triage your KEV backlog against the 32% initial-access subset. Cross-reference your open KEV vulnerabilities against RunZero's analysis identifying which KEVs provide direct initial access [5]. Prioritize those over KEVs requiring prior authenticated access.
- [ ] Implement 15-minute CVE scanning detection. Configure your WAF and IDS to correlate scanning spikes against newly published CVEs. Unit 42 found adversaries scan within 15 minutes of announcement [4]. Your detection should match that timeline.
- [ ] Reduce excessive cloud permissions. With 99% of cloud users, roles, and services carrying excessive permissions [4] and 65% of initial access being identity-based [4], a permissions audit will close more attack surface than patching alone.
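The KEV backlog triage from the checklist, plus the Day-7/21/90 still-open rate the Qualys figures describe, as an added example (not code from CISA, Qualys or RunZero). The records use the CISA KEV feed's field names but are constructed with placeholder CVE ids, and the `initial_access` flag is an assumed enrichment standing in for a RunZero-style classification.

```python
"""Rank an open KEV backlog: initial-access KEVs on internet-facing assets
first, then overdue or initial-access items, then the rest. Also compute
the share of findings still open N days after first sighting (the Day-7,
Day-21 and Day-90 metric). All records are constructed; CVE ids are placeholders."""
from datetime import date
from typing import Dict, List

# Constructed KEV-style records using the CISA feed's field names (cveID, dateAdded, dueDate).
# `initial_access` is an assumed enrichment, not a field of the CISA feed.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-00001", "product": "Edge Gateway (placeholder)",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "initial_access": True},
    {"cveID": "CVE-0000-00002", "product": "Management Console (placeholder)",
     "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "initial_access": False},
    {"cveID": "CVE-0000-00003", "product": "Build Agent (placeholder)",
     "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "initial_access": True},
]
# Constructed asset findings: when each KEV was first seen on a host and when it was patched.
FINDINGS_SAMPLE = [
    {"asset": "vpn-gw-01", "cveID": "CVE-0000-00001", "first_seen": "2026-01-05", "patched_on": None, "internet_facing": True},
    {"asset": "vcenter-01", "cveID": "CVE-0000-00002", "first_seen": "2026-01-10", "patched_on": None, "internet_facing": False},
    {"asset": "build-07", "cveID": "CVE-0000-00003", "first_seen": "2026-01-20", "patched_on": None, "internet_facing": False},
    {"asset": "web-03", "cveID": "CVE-0000-00001", "first_seen": "2026-01-05", "patched_on": "2026-01-09", "internet_facing": True},
    {"asset": "db-02", "cveID": "CVE-0000-00002", "first_seen": "2026-01-10", "patched_on": "2026-01-25", "internet_facing": False},
]
AS_OF = date(2026, 2, 1)  # constructed reporting date


def days_open(finding: Dict, as_of: date = AS_OF) -> int:
    """Days from first sighting to patch, or to the reporting date if still open."""
    end = date.fromisoformat(finding["patched_on"]) if finding["patched_on"] else as_of
    return (end - date.fromisoformat(finding["first_seen"])).days


def open_rate_at(findings: List[Dict], day: int, as_of: date = AS_OF) -> float:
    """Percent of findings old enough to judge that were still unpatched `day` days after first_seen."""
    eligible = [f for f in findings if (as_of - date.fromisoformat(f["first_seen"])).days >= day]
    if not eligible:
        return 0.0
    still_open = [f for f in eligible if f["patched_on"] is None or days_open(f, as_of) > day]
    return round(100.0 * len(still_open) / len(eligible), 1)


def prioritize(kev: List[Dict], findings: List[Dict], as_of: date = AS_OF) -> List[Dict]:
    """Open KEV findings ordered P1..P3, oldest first within a tier."""
    by_cve = {k["cveID"]: k for k in kev}
    rows = []
    for f in findings:
        entry = by_cve.get(f["cveID"])
        if f["patched_on"] or entry is None:  # closed, or not in KEV: outside this triage
            continue
        overdue = as_of > date.fromisoformat(entry["dueDate"])
        if entry["initial_access"] and f["internet_facing"]:
            tier = "P1"  # the initial-access subset, reachable from outside
        elif entry["initial_access"] or overdue:
            tier = "P2"
        else:
            tier = "P3"
        rows.append({"tier": tier, "asset": f["asset"], "cveID": f["cveID"],
                     "days_open": days_open(f, as_of), "overdue": overdue})
    rows.sort(key=lambda r: (r["tier"], -r["days_open"]))
    return rows


if __name__ == "__main__":
    for d in (7, 21, 90):
        print(f"still open at day {d}: {open_rate_at(FINDINGS_SAMPLE, d)}%")
    for row in prioritize(KEV_SAMPLE, FINDINGS_SAMPLE):
        print(row)
```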
References
[1] https://www.bleepingcomputer.com/news/security/analysis-of-one-billion-cisa-kev-remediation-records-exposes-limits-of-human-scale-security/
[2] https://securitybrief.com.au/story/qualys-warns-exploitation-is-outpacing-manual-patching
[3] https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
[4] https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
[5] https://www.runzero.com/resources/kevology/
[6] https://blog.qualys.com/product-tech/2026/03/23/meet-agent-val-closing-the-validation-gap-in-exposure-management-at-machine-speed-with-agentic-ai
[7] https://www.cisa.gov/news-events/analysis-reports/ar25-338a
[8] https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
[9] https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools
[10] https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html
[11] https://blog.polyswarm.io/rise-of-the-ai-enabled-malware
[12] https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3
[13] https://intruvent.com/threat-intelligence/threat-actors/warp-panda/
---
Hunt Guide: WARP PANDA/BRICKSTORM VMware Infrastructure Campaign
Hypothesis: If WARP PANDA actors are active in our environment, we expect to observe BRICKSTORM backdoors masquerading as VMware binaries, web shells (BEEFLUSH/BUSHWALK), and AI-enabled malware querying LLM APIs in VMware vCenter/ESXi hosts and Windows endpoints.
Intelligence Summary: WARP PANDA (UNC5221), a PRC state-sponsored adversary, has maintained persistent access to victim networks for up to 18 months using BRICKSTORM malware targeting VMware infrastructure. Exploitation now occurs on average seven days before patches exist, and adversaries are deploying AI-enabled malware that queries Google's Gemini API for runtime obfuscation.
Confidence: High | Priority: Critical
Scope
- Networks: All VMware vCenter and ESXi infrastructure, Windows endpoints with internet access, Linux servers with developer tools
- Timeframe: Initial sweep: 18 months historical (WARP PANDA max dwell time). Ongoing: Real-time + daily retrohunts
- Priority Systems: VMware vCenter servers, ESXi hosts, CI/CD pipeline servers, systems with GitHub/NPM tokens
MITRE ATT&CK Techniques
T1036.004 — Masquerade Task or Service (Defense Evasion) [P1]
BRICKSTORM masquerades as legitimate VMware binaries (vmware-sphere, vnetd, vami, updatemgr) and system processes (tmpd, httpd) in non-standard directories
Splunk SPL:
(index=vmware OR index=linux) (sourcetype=linux_secure OR (sourcetype=sysmon EventCode=1)) | eval suspicious_path=case(match(Image, "^/(mnt/cpt/tmpd|bin/httpd)$"), 1, match(Image, "/(vmware-sphere|vnetd|vami|updatemgr|viocli|vts|vmckd)$") AND NOT match(Image, "^/(opt/vmware|usr/lib/vmware)/"), 1, 1=1, 0) | where suspicious_path=1 | stats count by host, Image, CommandLine, User | where count < 5
Elastic KQL:
(host.os.type:linux AND (process.executable:"/mnt/cpt/tmpd" OR process.executable:"/bin/httpd" OR process.name:("vmware-sphere" OR "vnetd" OR "vami" OR "updatemgr" OR "viocli" OR "vts" OR "vmckd"))) OR (event.code:1 AND process.name:("tmpd" OR "httpd" OR "vmware-sphere" OR "vnetd" OR "vami" OR "updatemgr"))
Sigma Rule:
title: BRICKSTORM VMware Masquerading Detection
id: a7c3d773-3d4f-4a6b-9e8c-5f2b10e5c4d2
status: experimental
author: RedSheep Security/Stone
description: Detects BRICKSTORM malware masquerading as VMware binaries outside legitimate VMware installation paths
references:
    - https://www.cisa.gov/news-events/analysis-reports/ar25-338a
logsource:
    category: process_creation
    product: linux
detection:
    selection_path:
        Image|endswith:
            - '/mnt/cpt/tmpd'
            - '/bin/httpd'
    selection_name:
        Image|endswith:
            - '/vmware-sphere'
            - '/vnetd'
            - '/vami'
            - '/updatemgr'
            - '/viocli'
            - '/vts'
            - '/vmckd'
    filter_legit_paths:
        Image|startswith:
            - '/opt/vmware/'
            - '/usr/lib/vmware/'
    condition: (selection_path or selection_name) and not filter_legit_paths
falsepositives:
    - Legitimate VMware administrative activities
level: high
tags:
    - attack.defense_evasion
    - attack.t1036.004
Focus on VMware infrastructure. Exclude legitimate VMware installation paths (/opt/vmware/, /usr/lib/vmware/) with a dedicated filter selection rather than a blanket /usr/bin/ exclusion: on merged-/usr distributions /bin is a symlink to /usr/bin, so a /bin/httpd drop could be logged under /usr/bin/ and filtered away. Alert on any matches in /mnt/cpt/ or /bin/ directories.
T1505.003 — Web Shell (Persistence) [P1]
BEEFLUSH (Java-based) and BUSHWALK web shells deployed alongside BRICKSTORM for persistent access to VMware vCenter
Splunk SPL:
(index=web OR index=vmware) (sourcetype=access_combined OR sourcetype=vmware:vcenter) | where match(uri, "(?i)(fushd|beeflush|bushwalk)") OR match(cs_uri_query, "(Fushd|cmd=|system\(|eval\(|base64_decode)") | stats count by src_ip, uri, cs_uri_query, status, bytes_out | where (status >= 200 AND status < 300) OR bytes_out > 10000
Elastic KQL:
(url.path:*Fushd* OR url.query:*Fushd* OR url.path:*beeflush* OR url.path:*bushwalk* OR http.request.body.content:"cmd=" OR http.request.body.content:"system(" OR http.request.body.content:"eval(") AND (http.response.status_code:[200 TO 299] OR http.response.body.bytes:[10000 TO *])
Sigma Rule:
title: BEEFLUSH/BUSHWALK Web Shell Activity
id: b8e4c332-1f0a-4d8e-b3c4-8a9f10e5c4d3
status: experimental
author: RedSheep Security/Stone
description: Detects BEEFLUSH and BUSHWALK web shell activity in VMware environments
references:
    - https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3
logsource:
    category: webserver
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'Fushd'
            - 'fushd'
            - 'cmd='
            - 'system('
            - 'eval('
    selection_path:
        cs-uri-stem|contains:
            - 'beeflush'
            - 'bushwalk'
    selection_response:
        sc-status: 200
        sc-bytes|gt: 10000
    condition: (selection_uri or selection_path) and selection_response
falsepositives:
    - Legitimate applications that use parameters named cmd or eval
level: critical
BEEFLUSH uses 'Fushd' parameter. Monitor for unusually large response sizes (>10KB) from web shells. Check VMware vCenter /ui/ paths specifically.
T1071.001 — Web Protocols (Command and Control) [P1]
PROMPTFLUX malware queries gemini.googleapis.com for LLM-based obfuscation instructions via HTTPS
Splunk SPL:
(index=proxy OR index=dns OR (index=sysmon EventCode=3)) (dest_host="gemini.googleapis.com" OR query="gemini.googleapis.com" OR DestinationHostname="gemini.googleapis.com") | eval dest=coalesce(dest_host, query, DestinationHostname), proc=coalesce(Image, process_name) | eval process_suspicious=if(match(proc, "(?i)(wscript|cscript|mshta|powershell|cmd|svchost|rundll32|dllhost)"), 1, 0) | stats count by src_ip, dest, proc, process_suspicious, user | where process_suspicious=1 OR count > 10
Elastic KQL:
(destination.domain:"gemini.googleapis.com" OR dns.question.name:"gemini.googleapis.com" OR url.domain:"gemini.googleapis.com") AND (process.name:("wscript.exe" OR "cscript.exe" OR "mshta.exe" OR "powershell.exe" OR "cmd.exe") OR process.parent.name:("svchost.exe" OR "rundll32.exe"))
Alert on any endpoint process making API calls to Gemini. Prioritize script interpreters (wscript, powershell) and unusual system processes. Whitelist approved AI/ML workloads.
T1059.005 — Visual Basic (Execution) [P2]
PROMPTFLUX is VBScript-based malware that downloads as 'crypted_ScreenRec_webinstall' and creates thinking_robot_log.txt
Splunk SPL:
index=windows sourcetype=sysmon ((EventCode=1 (Image="*\\wscript.exe" OR Image="*\\cscript.exe")) OR (EventCode=11 (TargetFilename="*\\thinking_robot_log.txt" OR TargetFilename="*\\crypted_ScreenRec_webinstall*"))) | transaction host maxspan=5m startswith=(EventCode=1) endswith=(EventCode=11) | table _time, host, Image, CommandLine, TargetFilename, User
Elastic KQL:
(event.code:1 AND (process.executable:*wscript.exe OR process.executable:*cscript.exe)) OR (event.code:11 AND (file.path:*thinking_robot_log.txt OR file.name:*crypted_ScreenRec_webinstall*))
thinking_robot_log.txt in %TEMP% is a high-confidence indicator. Correlate VBScript execution with network connections to gemini.googleapis.com within 5 minutes.
T1037 — Boot or Logon Initialization Scripts (Persistence) [P2]
QUIETVAULT modifies .bashrc and .zshrc files to establish persistence and enumerate credentials
Splunk SPL:
index=linux sourcetype=linux_audit type=PATH (name="/home/*/.bashrc" OR name="/home/*/.zshrc" OR name="/root/.bashrc" OR name="/root/.zshrc") | eval suspicious_mod=if(match(exe, "/(node|nodejs|python[0-9.]*|perl|ruby)$"), 1, 0) | stats count by host, name, auid, exe, suspicious_mod | where suspicious_mod=1 OR count > 2
Elastic KQL:
file.name:(".bashrc" OR ".zshrc") AND (file.path:/home/* OR file.path:/root/*) AND event.action:("creation" OR "modification" OR "write")
Auditd records the writing process (exe) but not file content, so treat RC-file writes by scripting runtimes (node, python, perl, ruby) rather than interactive editors as the high-signal case; inspecting additions for credential harvesting keywords (github, npm, AWS, gcloud) needs file-content or EDR telemetry. Alert on non-interactive modifications to shell RC files.
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
Adversaries exploit vulnerabilities within 15 minutes of CVE publication, with mean time-to-exploit at -7 days
Splunk SPL:
(index=waf OR index=ids) (sourcetype=modsec* OR sourcetype=snort) earliest=-24h | regex _raw="(CVE-202[4-6]-\d+|/cgi-bin/|/admin/|UNION.*SELECT|<script|onerror=)" | bucket _time span=15m | stats count by _time, src_ip, dest_port, signature | where count > 50
Elastic KQL:
(event.module:suricata OR event.module:modsecurity) AND (vulnerability.id:CVE-2024-* OR vulnerability.id:CVE-2025-* OR vulnerability.id:CVE-2026-* OR url.path:*/cgi-bin/* OR url.path:*/admin/* OR http.request.body.content:UNION*SELECT)
Correlate scanning spikes with CISA KEV additions. Focus on VMware vCenter, public-facing web apps. 15-minute detection window is critical.
T1078 — Valid Accounts (Initial Access) [P2]
65% of initial access uses identity-based techniques with 99% of cloud accounts having excessive permissions
Splunk SPL:
(index=azure_ad sourcetype="azure:aad:signin") OR (index=aws sourcetype=aws:cloudtrail) | eval country='location.countryOrRegion' | eval risk_score=case(errorCode="50126", 10, match(userAgent, "(?i)python"), 5, country!="US", 8, 1=1, 0) | eventstats dc(country) as country_count by userPrincipalName | where country_count > 2 OR risk_score > 5 | table _time, userPrincipalName, ipAddress, country, errorCode, appDisplayName
Elastic KQL:
(event.dataset:"azure.signinlogs" OR event.dataset:"aws.cloudtrail") AND (azure.signinlogs.result_type:50126 OR user_agent.original:*python* OR NOT client.geo.country_iso_code:"US")
Focus on impossible travel, legacy auth protocols, service accounts with interactive logins. Cross-reference with excessive permission audit results.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | /mnt/cpt/tmpd | BRICKSTORM backdoor location on compromised VMware systems |
| filename | /bin/httpd | BRICKSTORM masquerading as httpd in /bin directory |
| filename | vmware-sphere | BRICKSTORM masquerading as VMware binary |
| filename | thinking_robot_log.txt | PROMPTFLUX malware log file in %TEMP% directory |
| filename | crypted_ScreenRec_webinstall | PROMPTFLUX social engineering lure filename |
| domain | gemini.googleapis.com | PROMPTFLUX queries Gemini API for obfuscation instructions |
| filename | vnetd | BRICKSTORM masquerading as VMware binary |
| filename | vami | BRICKSTORM masquerading as VMware binary |
| filename | updatemgr | BRICKSTORM masquerading as VMware binary |
| filename | Junction | ESXi implant that acts as an HTTP server |
| filename | GuestConduit | VM network tunneling tool via VSOCK |
IOC Sweep Queries (Splunk):
index=* (process_name="tmpd" OR file_path="/mnt/cpt/tmpd" OR TargetFilename="/mnt/cpt/tmpd") | stats count by host, user, process_path | where count > 0
index=* (process_path="/bin/httpd" OR Image="/bin/httpd" OR file_path="/bin/httpd") | stats count by host, user, hash | where count > 0
index=* (process_name="vmware-sphere" OR Image="*vmware-sphere*") | eval legitimate=if(match(process_path, "/opt/vmware/|/usr/lib/vmware/"), 1, 0) | where legitimate=0 | stats count by host, process_path, hash
index=* (filename="thinking_robot_log.txt" OR TargetFilename="*thinking_robot_log.txt") | stats count by host, file_path, user | where count > 0
index=* (filename="*crypted_ScreenRec_webinstall*" OR TargetFilename="*crypted_ScreenRec_webinstall*") | stats count by host, file_path, hash | where count > 0
index=* (dest="gemini.googleapis.com" OR query="gemini.googleapis.com" OR url="*gemini.googleapis.com*") | stats count by src_ip, user, process_name | where count > 0
index=* process_name="vnetd" NOT process_path="*/vmware/*" | stats count by host, process_path, hash | where count > 0
index=* process_name="vami" NOT process_path="*/vmware/*" | stats count by host, process_path, hash | where count > 0
index=* process_name="updatemgr" NOT process_path="*/vmware/*" | stats count by host, process_path, hash | where count > 0
index=* (process_name="Junction" OR filename="Junction" OR Image="*Junction*") | stats count by host, process_path, listening_port | where count > 0
index=* (process_name="GuestConduit" OR filename="GuestConduit") | stats count by host, process_path, network_connections | where count > 0
YARA Rules
BRICKSTORM_VMware_Masquerade — Detects BRICKSTORM backdoor masquerading as VMware binaries
rule BRICKSTORM_VMware_Masquerade
{
    meta:
        description = "Detects BRICKSTORM backdoor masquerading as VMware binaries"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
    strings:
        $vmware1 = "vmware-sphere" ascii wide
        $vmware2 = "vnetd" ascii wide
        $vmware3 = "vami" ascii wide
        $vmware4 = "updatemgr" ascii wide
        $vmware5 = "viocli" ascii wide
        $path1 = "/mnt/cpt/tmpd" ascii
        $path2 = "/bin/httpd" ascii
        $go_header = { 47 6F 20 62 75 69 6C 64 20 69 6E 66 }   // "Go build inf"
        $rust_header = { 72 75 73 74 63 20 31 2E }              // "rustc 1."
    condition:
        (any of ($vmware*) and not uint32(0) == 0x464c457f) or
        any of ($path*) or
        (filesize < 10MB and ($go_header or $rust_header) and any of ($vmware*))
}
PROMPTFLUX_LLM_Malware — Detects PROMPTFLUX VBScript malware with LLM integration
rule PROMPTFLUX_LLM_Malware
{
    meta:
        description = "Detects PROMPTFLUX VBScript malware querying Gemini API"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"
    strings:
        $api = "gemini.googleapis.com" ascii wide
        $log = "thinking_robot_log.txt" ascii wide
        $lure = "crypted_ScreenRec_webinstall" ascii wide
        $vbs1 = "WScript.Shell" ascii
        $vbs2 = "CreateObject" ascii
        $vbs3 = "MSXML2.XMLHTTP" ascii
        $prompt1 = "obfuscate" ascii wide
        $prompt2 = "evade detection" ascii wide
    condition:
        ($api and any of ($log, $lure)) or
        (2 of ($vbs*) and $api) or
        ($api and any of ($prompt*))
}
QUIETVAULT_Credential_Stealer — Detects QUIETVAULT JavaScript credential stealer targeting dev tokens
rule QUIETVAULT_Credential_Stealer
{
    meta:
        description = "Detects QUIETVAULT modifying shell RC files for credential theft"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
    strings:
        $rc1 = ".bashrc" ascii
        $rc2 = ".zshrc" ascii
        $cred1 = "github" ascii wide nocase
        $cred2 = "npm" ascii wide nocase
        $cred3 = "GITHUB_TOKEN" ascii
        $cred4 = "NPM_TOKEN" ascii
        $js1 = "require('fs')" ascii
        $js2 = "readFileSync" ascii
        $js3 = "process.env" ascii
    condition:
        (any of ($rc*) and 2 of ($cred*)) or
        (2 of ($js*) and any of ($cred*))
}
Suricata Rules
SID 2025001 — PROMPTFLUX Gemini API Query
alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE PROMPTFLUX Gemini API Query"; flow:established,to_server; content:"POST"; http_method; content:"gemini.googleapis.com"; http_host; content:"/v1/models/"; http_uri; pcre:"/User-Agent:[^\r\n]*(WinHttp|VBScript|WSH)/i"; reference:url,cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools; classtype:trojan-activity; sid:2025001; rev:1;)
SID 2025002 — BRICKSTORM C2 Beacon Pattern
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BRICKSTORM C2 Beacon"; flow:established,to_server; content:"GET"; http_method; pcre:"/^Host:[^\r\n]*\.(top|tk|ml|ga)\r\n/mi"; content:"VMware"; http_header; pcre:"/User-Agent:[^\r\n]*(vSphere|vCenter|ESXi)/i"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,cisa.gov/news-events/analysis-reports/ar25-338a; classtype:trojan-activity; sid:2025002; rev:1;)
SID 2025003 — BEEFLUSH Web Shell Fushd Parameter
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEBSHELL BEEFLUSH Fushd Parameter"; flow:established,to_server; content:"Fushd="; http_uri; pcre:"/Fushd=[^&]*?(cmd|system|eval|base64)/i"; content:"200"; http_stat_code; reference:url,medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3; classtype:web-application-attack; sid:2025003; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1036.004, T1071.001, T1059.005 | EventID 1 (Process Creation), EventID 3 (Network Connection), EventID 11 (File Creation) required |
| VMware vCenter Logs | T1036.004, T1505.003 | vCenter VPXD logs, vSphere UI access logs, ESXi shell.log required for BRICKSTORM detection |
| Linux Auditd | T1036.004, T1037 | Monitor execve syscalls, file modifications to /home/*/.bashrc and .zshrc |
| Web Application Firewall | T1190, T1505.003 | ModSecurity or similar WAF logs for web shell detection and exploitation attempts |
| DNS Logs | T1071.001 | DNS queries to gemini.googleapis.com and suspicious TLDs (.top, .tk, .ml, .ga) |
| Proxy Logs | T1071.001 | HTTPS connections to LLM APIs from non-authorized systems |
| Azure AD/AWS CloudTrail | T1078 | Sign-in logs, API calls, privilege escalation events |
Sources
- Analysis of one billion CISA KEV remediation records exposes limits of human-scale security
- Qualys warns exploitation is outpacing manual patching
- M-Trends 2026
- Unit 42 2026 Global Incident Response Report
- KEVology: Analysis of CISA's Known Exploited Vulnerabilities
- Meet Agent VAL: Closing the Validation Gap in Exposure Management
- CISA Analysis Report AR25-338A
- WARP PANDA Cloud Threats
- Threat Actor Usage of AI Tools
- Google Uncovers PROMPTFLUX Malware
- Rise of the AI-Enabled Malware
- Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
- WARP PANDA Threat Intelligence