Nextron Systems https://www.nextron-systems.com/ We Detect Hackers Tue, 15 Apr 2025 08:43:52 +0000

Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints https://www.nextron-systems.com/2025/04/11/forwarding-profiles-in-thor-cloud-enterprise-direct-log-delivery-from-endpoints/ Fri, 11 Apr 2025 12:49:56 +0000

We’re introducing Forwarding Profiles in THOR Cloud Enterprise — a feature designed to streamline how scan results are delivered to external systems such as SIEMs, log collectors, or analysis platforms. Rather than downloading logs manually or relying on intermediate cloud services, this feature enables the THOR scanner itself to forward logs directly from the endpoint to your target infrastructure.

Endpoint-Driven Log Forwarding

One of the most important architectural aspects of this feature is where the forwarding occurs. It’s not the THOR Cloud platform that pushes logs to your SIEM—it’s the THOR scanner on each endpoint that performs this action. Once a scan completes, the local scanner connects to the configured destination and transmits the logs directly.

This offers significant advantages:

  • Confidentiality: Logs remain inside your environment and do not pass through the cloud.
  • Immediate availability: Data reaches your SIEM or analysis system as soon as the scan finishes.
  • Reduced cloud dependencies: Ideal for regulated, segmented, or air-gapped environments.

However, there are trade-offs. Since forwarding occurs per endpoint, every host must be able to reach the destination (host, port, protocol). If delivery fails—due to firewall rules, DNS resolution issues, or TLS misconfiguration—the error will appear in the local scan log. There is no centralized retry mechanism: delivery success is per-endpoint and per-scan.
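Because delivery is attempted by each endpoint and the only evidence of failure is the local scan log, it pays to validate a profile from a representative host before a campaign runs. The following pre-flight check is an added example and is not part of THOR Cloud or the THOR scanner; it walks the same path the scanner takes (name resolution, TCP connect, TLS handshake against the profile's root CA) and reports the first step that fails. The local listener in `demo_local()` is a constructed stand-in for a real receiver.

```python
"""Pre-flight check for a forwarding-profile destination, run on an endpoint.

Added example; this is not part of THOR Cloud or the THOR scanner. It walks
the same path the scanner takes when it delivers logs (resolve the host,
open the TCP port, complete the TLS handshake against the profile's root
CA) and reports the first step that fails, so a profile can be validated
from a representative host before a campaign is launched.
"""
import socket
import ssl
import threading


def check_forwarding_target(host, port, protocol="tcp", use_tls=False,
                            ca_file=None, timeout=5.0):
    """Return {step: (ok, detail)}; stops at the first failing step."""
    result = {}
    socktype = socket.SOCK_STREAM if protocol == "tcp" else socket.SOCK_DGRAM

    # 1. Name resolution: profiles accept an FQDN or an IP literal.
    try:
        addr = socket.getaddrinfo(host, port, type=socktype)[0][4]
        result["dns"] = (True, f"{host} -> {addr[0]}")
    except socket.gaierror as exc:
        result["dns"] = (False, f"resolution failed: {exc}")
        return result

    if protocol == "udp":
        # UDP is fire-and-forget: a closed or filtered port raises nothing on
        # send, so delivery can only be confirmed on the receiver side.
        result["udp"] = (True, "UDP delivery cannot be verified from the sender")
        return result

    # 2. TCP connect: catches firewall rules and a receiver that is not listening.
    try:
        sock = socket.create_connection((addr[0], port), timeout=timeout)
        result["tcp_connect"] = (True, f"connected to {addr[0]}:{port}")
    except OSError as exc:
        result["tcp_connect"] = (False, f"connect failed: {exc}")
        return result

    # 3. TLS handshake with the profile's root CA (system trust store if none).
    if use_tls:
        ctx = ssl.create_default_context(cafile=ca_file)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                result["tls"] = (True, f"{tls.version()}, peer subject {subject}")
        except OSError as exc:          # ssl.SSLError is an OSError subclass
            result["tls"] = (False, f"handshake failed: {exc}")
        return result

    sock.close()
    return result


def demo_local():
    """Exercise the check against a throw-away local listener, then against the
    same port after the listener is gone (constructed scenario, no real receiver)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    acceptor = threading.Thread(target=lambda: listener.accept()[0].close(), daemon=True)
    acceptor.start()
    reachable = check_forwarding_target("127.0.0.1", port)
    acceptor.join(timeout=5)
    listener.close()
    refused = check_forwarding_target("127.0.0.1", port)
    return reachable, refused


if __name__ == "__main__":
    for label, res in zip(("listener up", "listener down"), demo_local()):
        print(label, {step: ok for step, (ok, _detail) in res.items()})
```

For a TLS profile, call `check_forwarding_target("siem.example.internal", 6514, use_tls=True, ca_file="/path/to/root-ca.pem")` with the same root CA uploaded to the profile; a certificate that the endpoint does not trust, or one whose name does not match the destination host, shows up as a handshake failure here rather than in a scan log after the fact.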

Profile Configuration and Use

Forwarding Profiles are configured in the THOR Cloud portal, under the dedicated “Forwarding” section. Each profile defines:

  • One or more destination hosts (FQDN or IP)
  • Port and protocol (TCP or UDP, with optional TLS)
  • Log format: Syslog, JSON, or CEF
  • (Optional) Root CA certificate for TLS-secured connections

You can maintain multiple profiles, each tailored to a specific use case—such as production vs. staging, or by region, business unit, or sensitivity level.

When launching a scan campaign, you’ll find a forwarding profile dropdown in the campaign configuration screen. If a default profile has been defined, it will be pre-selected automatically. This integration ensures that logs are consistently forwarded without requiring manual selection—though it’s easy to override if necessary.

Optional Log Storage Bypass

Every forwarding profile also supports an optional setting to disable cloud-based log storage. When enabled, THOR Cloud does not retain the results of a scan—the logs are forwarded only to the specified external systems. This is useful for scenarios in which data must not leave the local network or be retained in third-party environments.

Summary

Forwarding Profiles in THOR Cloud Enterprise offer a practical, secure, and flexible way to integrate forensic scan results into your centralized workflows. By pushing logs directly from the endpoint to your internal systems, you retain control over your data and reduce operational overhead. For distributed or compliance-focused environments, this change supports secure autonomy at scale—without compromising on visibility or traceability.

The feature is available now to all THOR Cloud Enterprise users. Please reach out to your Nextron contact if you require profile-based forwarding without THOR Cloud storage, or if you need guidance on setting up your internal receivers.

The post Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints appeared first on Nextron Systems.

Obfuscated Threats – The Invisible Danger in Cybersecurity https://www.nextron-systems.com/2025/04/09/obfuscated-threats-the-invisible-danger-in-cybersecurity/ Wed, 09 Apr 2025 04:57:32 +0000


Obfuscation is a technique widely used by cybercriminals, Advanced Persistent Threat (APT) groups, and even red-teaming operations. APTs, in particular, rely on obfuscation to remain undetected within networks for extended periods. However, modern malware, ransomware, and Living-off-the-Land (LotL) attacks also employ obfuscation techniques to evade conventional detection systems. Understanding how to detect these obfuscated threats is critical to modern threat hunting and incident response.

Real-World Example: Obfuscation in Cyber Attacks

A recent attack highlights how obfuscation is strategically used to bypass security measures. Cybercriminals leveraged invoice-themed phishing emails to distribute malware such as Venom RAT, Remcos RAT, XWorm, and NanoCore RAT through a multi-stage infection chain:

  1. Phishing Email with Malicious SVG Attachment: The email carried an SVG attachment that, when opened, started the infection chain.
  2. Use of BatCloak and ScrubCrypt: These tools obscure the malware, preventing detection by signature-based security systems.
  3. Execution of Venom RAT and Additional Malware: The malware deploys persistence mechanisms to anchor itself within the system while bypassing security protections like AMSI and ETW.
  4. Data Theft and System Control: Venom RAT grants attackers remote access to the infected system, loads additional plugins, and exfiltrates sensitive data, including cryptocurrency wallet information.

This case demonstrates how modern cyberattacks leverage obfuscation to infiltrate IT environments undetected.

Common Obfuscation Techniques

Threat actors use various techniques to disguise malware and malicious activities:

  • Code Obfuscation: Encrypting or scrambling malicious code to evade signature-based detection.
  • Packing & Encoding: Using packers and crypters (e.g., ScrubCrypt) to obscure malware.
  • Steganography: Concealing malicious code within seemingly benign files.
  • Living-off-the-Land (LotL) Attacks: Exploiting legitimate system tools such as PowerShell and WMI for malicious purposes.
  • Traffic Obfuscation: Concealing malicious communication within legitimate cloud services or encrypted tunnels.

Why Traditional Security Tools Fail

Many Endpoint Detection and Response (EDR) and Antivirus (AV) solutions rely on signatures or heuristic algorithms to detect threats. However, modern obfuscation techniques are designed specifically to circumvent these mechanisms. The major weaknesses of conventional security tools include:

  • Polymorphic Malware: Constantly changes its code with each infection, rendering signature-based detection ineffective. Attackers use this technique to bypass antivirus solutions and distribute new malware variants continuously.
  • Obfuscation via Legitimate Tools: Threat actors abuse trusted system tools such as PowerShell and WMI to execute malicious code. Since these tools are essential components of modern operating systems, their activity often appears benign, allowing them to bypass traditional security measures.
  • Memory-Only Malware: Some threats reside exclusively in memory without leaving traces on disk. Many security solutions primarily scan files rather than analyzing volatile memory or process behavior, making it extremely difficult to detect such attacks.
  • Multi-Stage Infection Chains: Cyberattacks increasingly use multi-stage installations, where an initially harmless file is executed to later retrieve and deploy additional malicious payloads. This strategy complicates detection since the actual malware may only activate after several steps.
  • Bypassing Security Mechanisms: Many modern malware families are engineered to disable or evade security features such as AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), allowing them to operate stealthily even on systems protected by advanced EDR solutions.

How THOR Uncovers Hidden Cyber Threats

Detecting obfuscated threats takes more than reactive detection or simple IOC matching. Where EDR and AV solutions depend on recognizing known signatures, THOR combines YARA-, Sigma-, and anomaly-based detection to identify hidden attacks and trace their origins. These techniques go beyond static signature recognition and actively surface behavioral anomalies, suspicious patterns, and hidden attack indicators that would otherwise remain undetected.

As an on-demand forensic scanner, THOR inspects file systems, memory, logs, and system artifacts during scheduled or manually triggered scans. Its detection capabilities rely on a combination of YARA rules, Sigma rules, and anomaly detection techniques designed to uncover obfuscated activity and behavioral deviations indicative of compromise. Unlike conventional tools that depend solely on predefined threat intelligence, THOR applies a curated set of generic detection rules that surface suspicious patterns—even those associated with novel or previously unknown threats—by highlighting inconsistencies, misuse of legitimate tools, and traces typically missed by AV or EDR solutions.

Why THOR Is the Ultimate Threat Hunting Solution

  • Identifies hacker tools, malware outputs, and customized threats that evade traditional signature-based detection.
  • Requires no installation – runs portably, remotely, or through the ASGARD Management Center.
  • Uses anomaly-based detection to uncover even unknown threats.

Gaining Visibility: The Key to Defeating Obfuscated Threats

Obfuscation is one of the most powerful techniques employed by modern attackers. However, with THOR, even well-hidden threats can be exposed. By combining YARA, Sigma, and behavioral anomaly analysis, Nextron provides a robust cybersecurity solution for rapidly identifying compromised systems.

Have you checked your IT environment for hidden threats? Try THOR now! 🚀

 


Protecting Outdated and Unsupported Systems https://www.nextron-systems.com/2025/03/25/protecting-outdated-and-unsupported-systems/ Tue, 25 Mar 2025 13:21:52 +0000


Security strategies often assume that systems can be patched, upgraded, or replaced. In reality, many critical environments operate on legacy platforms where these options are impractical. Industrial control networks, healthcare systems, and government infrastructure frequently rely on outdated operating systems and specialized hardware that remain essential despite lacking vendor support or security updates.

Patching? Not always possible. Upgrading? Too risky or too expensive. Replacing? Out of scope. These systems persist because they must, and attackers know it. Legacy systems become low-hanging fruit—under-protected, overlooked, and vulnerable.

When traditional security solutions fall short, forensic-level detection and compromise assessment become essential. Nextron Systems provides these capabilities with THOR and THOR Thunderstorm, enabling organizations to analyze and secure legacy systems without requiring software installations or real-time monitoring.

Why Legacy Systems Persist (And Why Attackers Love Them)

If you’re reading this, you probably know why legacy systems are still around. But for context, let’s clarify why they’re still in production:

  • Regulatory or Compliance Needs – Industries like finance, healthcare, and critical infrastructure must often stick with certified, validated software. Moving to new versions is slow, expensive, and bureaucratically painful.
  • Operational Dependencies – Some systems are mission-critical and only function on specific OS versions. Changing them risks breaking core operations.
  • Cost Constraints – Replacing legacy systems can be prohibitively expensive, particularly for bespoke or embedded systems.
  • Hardware Limitations – Older industrial machines and embedded devices simply can’t run modern software.
  • Security Tool Incompatibility – Most EDRs and antivirus tools have abandoned support for systems like Windows XP, Server 2003, or IBM AIX.

These outdated systems and isolated networks offer attackers the path of least resistance. Neglected by traditional security tools, they leave significant gaps that attackers are quick to exploit, and because organizations struggle to find effective ways to secure them, critical infrastructure stays open to compromise.

Why Patching Isn’t Always an Option

Security experts love saying, “Just patch it.” But in the real world, that’s not always an option. Here’s why:

  • End-of-Life Software – The vendor isn’t issuing patches. The system is on its own.
  • Operational Risk – A failed patch could take down a critical system, with impacts ranging from financial loss to public safety risks.
  • Isolated Environments – Air-gapped systems and IoT networks don’t have an easy patch path.

Since patching isn’t always an option, organizations need alternative security strategies that provide threat detection and forensic investigation capabilities – without requiring an agent or software installation.

How THOR & THOR Thunderstorm Secure Legacy Systems

Nextron Systems’ forensic security tools provide powerful detection and compromise assessment capabilities, even for outdated, unsupported, or isolated platforms:

1. THOR – Portable Compromise Assessment & Malware Detection

  • Agentless scanning – No installation required.
  • Compatible with legacy OS – Supports Windows XP, Server 2003, IBM AIX, UNIX-based systems, and more.
  • Deep forensic detection – Finds dual-use tools, web shells, backdoors, credential theft, and system anomalies.
  • Independent of EDR support – Also operates in environments where traditional tools fail.
  • Best for: Offline scanning, forensic analysis, and post-breach investigations.

2. THOR Thunderstorm – Live Forensic Scanning for Air-Gapped & Isolated Systems

  • Minimalist scanning – Uses built-in system tools like find and curl to collect artifacts.
  • No dependencies – Works without agents, software installations, or kernel access.
  • Flexible deployment – Supports scanning industrial control systems (ICS), embedded devices, and IoT environments.
  • Customizable detection – Leverages YARA and Sigma rules to detect hidden threats.
  • Best for: Securing air-gapped networks, industrial control systems (ICS), and legacy UNIX/Linux environments.

Real-World Use Cases

  • Windows XP & Legacy Systems – Many enterprises still run Windows XP or Server 2003 due to software dependencies. THOR can scan these systems where modern security tools no longer function.
  • IBM AIX & UNIX Environments – Traditional security tools don’t cover AIX or legacy UNIX. THOR scans these systems to detect malware, backdoors, and system anomalies.
  • Air-Gapped and IoT Networks – Industrial environments and air-gapped systems cannot use traditional security tools. THOR Thunderstorm enables agent-less forensic scanning, even in isolated environments.
  • Critical Infrastructure & ICS Security – Industrial control systems (ICS) cannot be patched frequently. THOR provides forensic detection without impacting system uptime.

Protecting Systems Others Ignore

Legacy systems won’t disappear overnight, but that doesn’t mean they have to remain unprotected. Nextron Systems’ THOR and THOR Thunderstorm provide the forensic visibility organizations need to detect and analyze threats – across outdated, unsupported, and isolated systems.

Need to secure an outdated IT environment? Contact us today to learn how THOR can help.


Efficient NIS2 Compliance with THOR & ASGARD https://www.nextron-systems.com/2025/03/13/efficient-nis2-compliance-with-thor-asgard/ Thu, 13 Mar 2025 09:39:02 +0000


The NIS2 Directive not only expands the scope of cybersecurity regulations but also introduces stricter penalties for non-compliance, including fines and liability risks for management. Unlike its predecessor, NIS2 mandates clear accountability and requires organizations to demonstrate ongoing risk assessments, incident reporting, and security improvements. Failing to prepare in time could lead to operational disruptions and legal consequences. How can businesses efficiently meet these new obligations while enhancing their cyber resilience?

Navigating Regulatory Challenges

Meeting regulatory requirements is becoming increasingly complex for companies. From PCI-DSS, GDPR, BAIT, VAIT, DORA, TISAX to the new NIS2 Directive, organizations must stay informed and prioritize the right security measures.

Especially for mid-sized enterprises, compliance with the NIS2 Directive (EU) 2022/2555 is crucial. Designed to enhance cybersecurity across the EU, the directive requires organizations to implement stronger security controls. The German implementation law, originally scheduled for October 2024, is now expected to take effect in 2025 – making this the ideal time to prepare.

Who Must Comply with the NIS2 Directive?

NIS2 applies to organizations in specific sectors with at least 50 employees or an annual turnover of €10 million. These sectors include:

  • Critical infrastructure (energy, transport, banking, healthcare, drinking water supply)
  • Digital service providers (cloud providers, data centers, online marketplaces)
  • Manufacturing & industrial production (chemicals, machinery, electronics, automotive, food industry)

Key Requirements of the NIS2 Directive

The directive establishes three core requirements for affected organizations:

1. Risk Management and Threat Detection (Article 21 NIS2)

Organizations must implement appropriate measures to minimize cyber risks, including forensic analysis, threat detection, and incident response planning.

How does Nextron support this?

  • THOR enables deep forensic scans to detect compromised systems, identifying threats such as dual-use tools, web shells, system manipulations, and other indicators of cyberattacks.
  • Aurora Agent provides real-time endpoint monitoring with Sigma rules, detecting threats such as Cobalt Strike beaconing, LSASS dumping, and suspicious network activity.
  • ASGARD Management Center streamlines the management of THOR scans and endpoints, offering automated updates and signature management.

2. Incident Reporting and Response (Article 23 NIS2)

Organizations must report cybersecurity incidents that could significantly impact their services to national authorities (in Germany, the BSI – Federal Office for Information Security).

How does Nextron support this?

  • ASGARD Analysis Cockpit enables automated analysis and prioritization of THOR scan results.
  • Automatic prioritization of findings speeds up incident response and supports the reporting obligations to the BSI.

3. Registration and Compliance Documentation (Article 24 NIS2)

Affected organizations must register with the national authority and provide ongoing documentation of their security measures.

How does Nextron support this?

  • THOR & ASGARD generate detailed reports and log files for compliance audits.
  • JSON and CSV exports allow seamless integration with SIEM systems and regulatory reporting.

Achieving NIS2 Compliance with Nextron Systems

By utilizing THOR, Aurora, and ASGARD, organizations can:

  • Identify cyber threats early and mitigate security risks
  • Document security incidents efficiently and respond quickly
  • Automate regular security assessments to ensure NIS2 compliance
  • Analyze incidents centrally and fulfill reporting obligations to authorities

Want to learn more?
Contact us to explore how THOR & ASGARD can be integrated into your cybersecurity strategy.


Patching is Not Enough: Why You Must Search for Hidden Intrusions https://www.nextron-systems.com/2025/03/11/patching-is-not-enough/ Tue, 11 Mar 2025 13:59:45 +0000


Many organizations make a critical mistake when responding to actively exploited zero-day vulnerabilities: they patch but don’t investigate.

Think about it this way: If your front door was left wide open for weeks, would you just lock it and walk away? If attackers had unrestricted access to your environment, simply closing the door won’t undo the damage. The real problem isn’t the vulnerability itself – it’s what happened while your systems were exposed.

The Real Threat is What You Don’t See

VMware recently confirmed three newly exploited zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) affecting ESXi products. As expected, VMware has released patches. But patching alone won’t tell you whether attackers already breached your systems.

The right question at this stage should be: Did attackers already gain access to your IT environments?

If your ESXi hosts were vulnerable, you must be able to answer the following:

  • Were attackers already inside?
  • Did they steal credentials, sensitive configurations, or data?
  • Have they installed backdoors or persistence mechanisms?
  • Did they move laterally and escalate privileges?
  • Are there hidden scripts, tools, or logs covering their tracks?

A patch prevents future exploitation, but it doesn’t reveal what happened before. If you don’t investigate, you’re operating on blind trust. Simply locking the door doesn’t undo what might have already happened inside. If you rely on patching alone, you’re leaving the hardest question unanswered: Are they still inside?

Compromise Assessments: The Missing Piece in Zero-Day Response

A compromise assessment is not a routine security scan—it’s a deep forensic analysis designed to uncover hidden intrusions. Unlike traditional EDRs or antivirus tools, it searches for traces of past exploitation, persistence, and lateral movement.

With a compromise assessment, you can:

  • Identify attacker tools and backdoors – Hidden scripts, web shells, or credential dumps
  • Detect lateral movement – Signs of compromised accounts or unusual connections
  • Uncover persistence mechanisms – Registry changes, scheduled tasks, or rogue services
  • Analyze system integrity – Detect data exfiltration, file modifications, or deleted logs

Simply put: A compromise assessment answers the questions that patching ignores.

How to Investigate ESXi Compromises with THOR

VMware ESXi hosts are high-value targets for attackers due to their central role in virtualized environments and lack of built-in security tooling. Since traditional endpoint detection solutions cannot be deployed directly on ESXi, a specialized approach is required for forensic investigation and compromise assessment. THOR provides two effective methods for this purpose.

1. THOR Thunderstorm: File-Based Live Scanning on ESXi

THOR Thunderstorm enables agentless forensic scanning by collecting and analyzing forensic artifacts from ESXi hosts.

  • One-time assessments: The Python-based Thunderstorm Collector is deployed to an ESXi system and executed locally to collect relevant files, such as configuration files and logs. The collector applies default filtering criteria but can be customized to collect files based on parameters like modification date, size, and type (e.g., all files modified within the last 30 days).
  • Periodic compromise assessments: If Secure Boot is disabled, a persistent job can be configured to regularly collect artifacts from the ESXi host. If Secure Boot is enabled, periodic collection must be configured using Ansible, following Nextron’s implementation guidelines.
  • Forensic analysis: Collected files are automatically uploaded to THOR Thunderstorm for real-time analysis, leveraging YARA and Sigma rules to detect hidden attacker activity, unauthorized changes, and persistence mechanisms.
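To make the collection step concrete, here is an added example of a minimal collector in the spirit of the Python-based Thunderstorm Collector described above. It is not Nextron's collector. It implements the selection rule from the text (files modified within the last N days, capped by size, with bulky virtual-disk and memory images skipped) and submits each file as a multipart upload. The server URL `http://thunderstorm.example.internal:8080`, the upload endpoint `/api/checkAsync` and its `?source=` parameter, and the ESXi paths in `DEFAULT_ROOTS` are assumptions for the example; confirm the endpoint against your server's `/api/info` and the Thunderstorm manual. The files in `demo_selection()` are constructed.

```python
"""Minimal artifact collector for THOR Thunderstorm.

Added example; this is not Nextron's Thunderstorm Collector. It applies the
selection rule from the post (files modified within the last N days, capped
by size, bulky VM disk/swap files skipped) and POSTs each file as
multipart/form-data. Assumptions, to be checked against your own setup: the
Thunderstorm server URL, the upload endpoint /api/checkAsync with a ?source=
parameter (verify with the server's /api/info and the Thunderstorm manual),
and the ESXi paths in DEFAULT_ROOTS.
"""
import os
import shutil
import stat
import sys
import tempfile
import time
import urllib.parse
import urllib.request
import uuid

# Assumed ESXi locations worth collecting: configuration, logs, scratch, datastores.
DEFAULT_ROOTS = ["/etc", "/var/log", "/scratch", "/tmp", "/vmfs/volumes"]
# Virtual disk and memory images are huge and are not the artifacts we want.
SKIP_EXTENSIONS = {".vmdk", ".vswp", ".vmem", ".vmsn", ".iso"}


def select_files(roots, max_age_days=30, max_size=20 * 1024 * 1024,
                 skip_ext=SKIP_EXTENSIONS, now=None):
    """Yield (path, size, mtime) for regular files that pass the filter."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.splitext(name)[1].lower() in skip_ext:
                    continue
                try:
                    st = os.lstat(path)           # lstat: do not follow symlinks
                except OSError:
                    continue                      # vanished or unreadable
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_size == 0 or st.st_size > max_size:
                    continue
                if st.st_mtime < cutoff:
                    continue
                yield path, st.st_size, st.st_mtime


def encode_multipart(field, filename, data):
    """Return (content_type, body) for a single-file multipart/form-data POST."""
    boundary = "----thunderstorm-" + uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def upload(path, server="http://thunderstorm.example.internal:8080",
           endpoint="/api/checkAsync", source=None):
    """POST one file; returns (http_status, response_text). Needs the server."""
    with open(path, "rb") as fh:
        data = fh.read()
    ctype, body = encode_multipart("file", os.path.basename(path), data)
    source = source or os.uname().nodename     # assumed ?source= parameter
    url = f"{server}{endpoint}?source={urllib.parse.quote(source)}"
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


def demo_selection():
    """Run the filter over a constructed directory; returns the picked names."""
    base = tempfile.mkdtemp(prefix="ts-demo-")
    try:
        now = time.time()
        fixtures = {                      # name: (content, mtime)
            "recent.log": (b"x" * 100, now - 3 * 86400),    # kept
            "old.conf":   (b"x" * 100, now - 90 * 86400),   # too old
            "big.bin":    (b"x" * 5000, now - 86400),       # over size cap
            "disk.vmdk":  (b"x" * 100, now - 86400),        # skipped extension
        }
        for name, (content, mtime) in fixtures.items():
            p = os.path.join(base, name)
            with open(p, "wb") as fh:
                fh.write(content)
            os.utime(p, (mtime, mtime))
        return sorted(os.path.basename(p) for p, _s, _m in
                      select_files([base], max_age_days=30, max_size=4096, now=now))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, size, _mtime in select_files(DEFAULT_ROOTS):
        try:
            status, text = upload(path)
            print(f"{status} {path} ({size} B) {text[:80]}")
        except OSError as exc:            # URLError is an OSError subclass
            print(f"ERR {path}: {exc}", file=sys.stderr)
```

Only the standard library is used, so the script runs with the Python interpreter shipped on the host. The walk deliberately uses `lstat` and skips non-regular files: on a datastore a symlink or a device node would otherwise pull in gigabytes that Thunderstorm has no use for, and the size cap bounds the network cost of a scheduled run.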

Best for:

  • Agent-less, forensic collection from ESXi hosts.
  • Environments requiring continuous or scheduled compromise assessments.
  • Situations where Secure Boot settings impact persistent collection methods.

2. THOR with SSHFS: Remote File System Scanning

THOR can be used to scan an ESXi system remotely by mounting its file system via SSHFS and analyzing files from a separate scanning host.

  • Setup: The scanning host requires a direct and permanent SSH connection to the ESXi system.
  • File transfer overhead: Unlike Thunderstorm, where only selected forensic artifacts are uploaded for analysis, SSHFS scanning transfers all files over SSH, resulting in higher network load.
  • Deep forensic analysis: THOR is used to scan logs, binaries, and other suspicious files with custom YARA and Sigma rules, providing a comprehensive compromise assessment.

Best for:

  • Thorough post-compromise forensic investigations.
  • Cases where SSH access to ESXi is available and sustained network load is acceptable.
  • Advanced hunting for persistence mechanisms and hidden threats.

For more details on ESXi compromise assessments using THOR, refer to: How to Scan ESXi Systems Using THOR.

Patching Alone Won’t Tell You If You’ve Been Breached – THOR Will

Patching is essential, but it must be combined with a compromise assessment to ensure your environment is truly secure. Instead of assuming you’re safe just because a patch is applied, leverage a deep forensic investigation to uncover any traces of an attacker’s presence.

If your security plan relies solely on waiting for patches, you’re always reacting too late – plus, you may already have an active breach.

Don’t leave your security to chance. Contact us to learn how THOR can help you verify whether attackers have already compromised your infrastructure.


Cyber Security 2025: Practical Trends Beyond the Hype https://www.nextron-systems.com/2025/02/03/cyber-security-2025-real-threats-beyond-the-headlines/ Mon, 03 Feb 2025 17:33:28 +0000


In my 2024 article, Cyber Security 2024: Key Trends Beyond the Hype, I aimed to stay rational and avoid hype—especially around AI—and pointed out that most real-world attacks still involved unpatched systems, weak credentials, and social engineering. Over the past year, that has largely remained true.

Now, as we move into 2025, I’m revisiting those same areas with updated examples. Supply chain attacks remain a key concern—especially for identity providers and open-source libraries. Token and cloud API abuse hasn’t slowed down, and attackers keep finding ways to bypass or disable EDR solutions, often hiding behind legitimate software. Meanwhile, basic security missteps still leave many organizations open to recurring threats.

Although I was skeptical about AI-based attacks last year, we do see attackers using AI to automate tasks like scripting or generating phishing emails. There’s still no proof of a fully AI-driven breach from start to finish—it’s more of an efficiency boost than a total game-changer. My goal here is to remain as sober and factual as possible, highlighting what’s genuinely evolving in these trends and where we should pay close attention going into 2025.

1. Supply Chain Attacks

Supply chain attacks continue to pose a serious threat to organizations of all sizes, even those with sophisticated security measures. While these attacks often target software providers or trusted third-party vendors, recent events show that Identity and Access Management (IAM) service providers themselves can become single points of failure. A single breach at a major identity platform can compromise thousands of companies at once, exposing credentials, tokens, and other valuable data.

Okta: A Breach That Shook Customer Trust

Okta’s late-2023 breach is a prime example of how quickly an incident can escalate. Initially, the company reported that only 1% of customers were affected. Weeks later, it revealed that its entire customer base was impacted. To an outside observer, it seems Okta was overwhelmed by the attack’s sophistication and remained cautious in what it disclosed. As more details emerged, the root cause turned out to be surprisingly mundane – an Okta employee logged into a personal Google account on a corporate laptop, opening the door for a massive data exposure. For organizations depending on IAM services, it’s a stark reminder that even top-tier providers have blind spots, and if they’re compromised, the implications can be extremely severe.

Microsoft: The Underrated Damage of a Compromised Key

In mid-2023, an incident at Microsoft highlighted just how powerful stolen signing keys can be. In an attack attributed to a Chinese threat actor (Storm-0558), a private signing key for Microsoft’s consumer (MSA) identity service was taken.

While Microsoft initially stated the attack impacted only Outlook.com and Exchange Online, independent research suggests the key could have theoretically been used to forge tokens for services like SharePoint, OneDrive, Teams, or even third-party apps using “Login with Microsoft.” Because identity provider keys can grant access to a huge number of services, this breach may be more significant than Microsoft’s public statements suggest.

In reality, organizations have little direct control over how a major cloud provider safeguards its signing keys, so transparency from the provider after any compromise is crucial. Without clear information about the nature and scope of a breach, customers can’t accurately assess their exposure or respond effectively.

Open Source Supply Chain Risks

Open source ecosystems also continue to be a prime target. Malicious actors tamper with NPM packages, PyPI modules, GitHub repositories, or other code libraries, embedding backdoors in widely used dependencies. A notable example involves XZ Utils, a Linux compression library, which was briefly taken over by a suspicious contributor who shipped malicious updates aimed at undermining SSH authentication. Luckily, the rogue versions (5.6.0 and 5.6.1) weren’t widely adopted, limiting real-world impact. However, if they had been broadly deployed—especially in embedded or firmware environments—the fallout could have been much worse. As the reliance on open source only grows, so does the importance of continuous monitoring, code signing, and stricter vendor risk assessment.

These incidents show how quickly a single supplier or identity service compromise can affect thousands of organizations. Sometimes, more details only emerge after weeks, revealing a bigger problem than originally reported. When widely used vendors or open-source libraries are attacked, the damage often extends far beyond one victim. Because so many companies rely on the same tools and providers, supply chain attacks remain one of the most serious threats in cybersecurity today.

2. Token and Cloud API Abuse

Session tokens have become a critical part of modern authentication flows. They let users stay logged in to web apps, cloud consoles, and enterprise services without repeatedly entering credentials. While this feels convenient, it also introduces new ways for attackers to slip through defenses—even in setups that use multi-factor authentication (MFA). If a token is stolen or forged, someone with malicious intent can bypass many security checks and move laterally with little friction.

Below are some practical points worth highlighting:

Token Forging (Lessons from High-Profile Breaches)

The Microsoft Storm-0558 incident showed that losing control of a signing key can be more damaging than a typical credential leak. If attackers can forge their own tokens, they’re suddenly able to impersonate users in multiple cloud services. For any organization relying on a major cloud or identity provider, it’s important to understand how those critical signing keys are protected—because if they’re compromised, you’ll want to detect and respond immediately.

Third-Party Integrations and Code Repositories

Many organizations rely on services like Slack, Teams, or analytics platforms, which connect via tokens or API keys. These secrets often end up in code repositories, config files, or logs, and attackers systematically comb through public GitHub repositories to find them. Integrating scanning tools (e.g., GitGuardian or TruffleHog) into your CI/CD pipeline helps catch such tokens before they become a liability; scan repository history as well as new commits, since a secret removed in a later commit is still present in the history, and treat any confirmed leak as a reason to rotate the credential, not just to delete the file.
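As an added illustration (not code from the original post, and not GitGuardian or TruffleHog code), the following script shows the two techniques such scanners combine: fixed token formats (AWS access key IDs, GitHub personal access tokens, Slack tokens, Google API keys, all public format conventions) and a Shannon-entropy check on values assigned to secret-looking variable names, which catches opaque strings that match no known prefix. The configuration it scans is constructed, and the keyword list and the 3.5 bits/character threshold are assumptions.

```python
"""Minimal secret scanner for files about to be committed.

Added illustration, not GitGuardian or TruffleHog code. Two detection strategies:
  1. well-known token formats (public prefix conventions),
  2. Shannon entropy of values assigned to secret-looking variable names.
"""
import math
import re
from typing import List, Tuple

# Public token format conventions. Lengths are kept lenient on purpose.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abps]-[A-Za-z0-9-]{10,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Fallback: an assignment to a secret-looking name (assumed keyword list) whose
# quoted value is at least 16 characters long.
GENERIC_ASSIGNMENT = re.compile(
    r"\b\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); words and placeholders score lower


def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = set()
        for name, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
                matched.add(m.group(0))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Skip values already reported by a specific pattern; judge the rest on entropy.
            if value not in matched and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings


# Constructed sample. The AWS value is the placeholder AWS uses in its own
# documentation; the other values are made up and have never been valid.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SLACK_BOT_TOKEN = "xoxb-1234567890-abcdefghijkl"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
DB_PASSWORD = "changeme"
API_TOKEN = "q7Zp2vL9xK4mR8tW3nB6yC1dF5gH0jS"
DESCRIPTION = "this is just a long sentence that is not a secret at all"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {value[:8]}...")
```

The short placeholder password on line 5 is deliberately not reported: a length floor keeps the entropy rule from firing on every `password = "x"` in test fixtures, which is the usual source of noise when such a hook is first enabled.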

Beyond Web Browsers

Token theft isn’t limited to browser sessions. Office 365–integrated desktop apps, mobile apps, backend microservices, and serverless functions all hold tokens, and those tokens often grant broader access than a local user account does. LSASS (Local Security Authority Subsystem Service) is a user-mode process too, but on a hardened system it is shielded: running it as a Protected Process Light blocks ordinary processes from opening its memory, and Credential Guard moves the most valuable secrets out of it into a virtualization-isolated process. Cloud-connected applications rarely enjoy comparable protection; their access and refresh tokens sit in ordinary process memory or in local caches on disk that any process running as the same user can read. Worse, those tokens carry privileges that extend into cloud services, so stealing one can cause more damage than compromising the local account.

At a minimum, turning on logging or anomaly detection for internal API calls can help reveal suspicious token usage—meaning you’d track typical patterns of API calls (who calls what, how often, at what times, etc.) and flag any outliers. For instance, if a token with standard user permissions starts performing admin-like actions on backend systems, or if an unusual volume of calls occurs outside normal work hours, that could trigger an alert for further investigation.
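The baseline-and-outlier logic described above, as an added example (not a Nextron artifact and not tied to any cloud provider’s audit schema). The audit records, their field names (principal, token_scope, action, src_ip) and the thresholds are constructed assumptions. The script learns each principal’s historical hourly call peak, then raises the two alerts the paragraph names: a user-scoped token performing an admin-like action, and an off-hours hourly volume above three times that peak (a principal with no history gets a floor of one call). The source IP is carried in the records so that a location rule can sit alongside.

```python
"""Baseline-and-outlier detection for API token usage.

Added illustration with a constructed audit-log format; not a Nextron artifact.
Rule 1: a non-admin token performs an admin-like action.
Rule 2: off-hours call volume exceeds a multiple of the principal's historical hourly peak.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

ADMIN_ACTIONS = {"role.assign", "user.create", "mailbox.export", "app.consent"}  # assumed
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, assumed UTC
OFF_HOURS_FACTOR = 3            # alert when volume > 3x the historical hourly peak
MIN_BASELINE_PEAK = 1           # floor for principals never seen in the baseline


def parse_lines(lines):
    """Parse newline-delimited JSON audit records; ts is ISO-8601 in UTC."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def _hour_bucket(ev):
    return ev["ts"].replace(minute=0, second=0, microsecond=0)


def build_baseline(events):
    """Historical peak number of calls per clock hour, per principal."""
    per_hour = Counter((ev["principal"], _hour_bucket(ev)) for ev in events)
    peak = defaultdict(int)
    for (principal, _bucket), n in per_hour.items():
        peak[principal] = max(peak[principal], n)
    return dict(peak)


def detect(events, baseline):
    """Return alerts for privilege mismatches and off-hours bursts."""
    alerts = []
    for ev in events:
        if ev["token_scope"] != "admin" and ev["action"] in ADMIN_ACTIONS:
            alerts.append({"rule": "privilege_mismatch", "principal": ev["principal"],
                           "action": ev["action"], "src_ip": ev["src_ip"],
                           "ts": ev["ts"].isoformat()})
    per_hour = Counter((ev["principal"], _hour_bucket(ev)) for ev in events)
    for (principal, bucket), n in sorted(per_hour.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if bucket.hour in BUSINESS_HOURS:
            continue
        threshold = OFF_HOURS_FACTOR * max(baseline.get(principal, 0), MIN_BASELINE_PEAK)
        if n > threshold:
            alerts.append({"rule": "off_hours_burst", "principal": principal, "count": n,
                           "threshold": threshold, "ts": bucket.isoformat()})
    return alerts


def _rec(ts, principal, scope, action, ip="10.0.0.5"):
    """Build one constructed audit line in the assumed format."""
    return json.dumps({"ts": ts, "principal": principal, "token_scope": scope,
                       "action": action, "src_ip": ip})


T0 = datetime(2025, 3, 3, tzinfo=timezone.utc)   # constructed baseline day
BASELINE_LINES = (
    [_rec((T0 + timedelta(hours=9, minutes=m)).isoformat(), "alice", "user", "file.read") for m in (5, 12, 30, 48)]
    + [_rec((T0 + timedelta(hours=14, minutes=m)).isoformat(), "alice", "user", "mail.read") for m in (1, 20, 40)]
    + [_rec((T0 + timedelta(hours=10, minutes=m)).isoformat(), "bob", "admin", "role.assign") for m in range(5)]
)
T1 = T0 + timedelta(days=7)                        # constructed observation day
OBSERVED_LINES = (
    [_rec((T1 + timedelta(hours=10, minutes=m)).isoformat(), "alice", "user", "file.read") for m in (3, 17)]
    + [_rec((T1 + timedelta(hours=10, minutes=30)).isoformat(), "alice", "user", "role.assign", ip="203.0.113.9")]
    + [_rec((T1 + timedelta(hours=2, minutes=m)).isoformat(), "alice", "user", "file.read", ip="203.0.113.9") for m in range(14)]
    + [_rec((T1 + timedelta(hours=11, minutes=m)).isoformat(), "bob", "admin", "user.create") for m in range(5)]
    + [_rec((T1 + timedelta(hours=23, minutes=10)).isoformat(), "bob", "admin", "mail.read")]
    + [_rec((T1 + timedelta(hours=3, minutes=m)).isoformat(), "svc-report", "user", "report.export") for m in range(4)]
)


def run_demo():
    baseline = build_baseline(parse_lines(BASELINE_LINES))
    return detect(parse_lines(OBSERVED_LINES), baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Bob’s single call at 23:10 is not reported because it stays far below his learned peak; alice’s fourteen calls at 02:00 and the never-seen service token at 03:00 are. In production the baseline would be rebuilt from a rolling window and the per-principal peak replaced by a per-hour-of-day profile, but the structure of the check is the same.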

Zero Trust Increases Token Value

In a zero-trust setup, every request is authenticated—usually via a token. When those tokens become the primary way of granting access, attackers will prioritize stealing or forging them. Requiring continuous validation, checking for abnormal IP addresses or login times, and limiting privileges to the bare essentials can mitigate some of these risks.

User Education & MFA

Even robust technical defenses can fail if employees share their tokens or accept rogue MFA prompts. Attackers keep finding new ways to trick users into handing over access, including real-time adversary-in-the-middle phishing that proxies the legitimate login page and captures the resulting session cookie, so that a correctly completed MFA challenge still hands the attacker a valid session. Phishing-resistant methods such as FIDO2 security keys or passkeys bind the authentication to the site’s origin and defeat this class of attack; regularly updating security training, with emphasis on the changing face of phishing, remains crucial as well.

By keeping an eye on token usage, scanning for accidental leaks, and teaching employees to question unusual login prompts, organizations can make token abuse more difficult for attackers. It’s not an all-encompassing fix, but it helps curb the most common ways threat actors leverage stolen or forged tokens.

3. Evading EDR in Heavily Monitored Environments

As Endpoint Detection and Response (EDR) solutions become more common on workstations and servers, attackers have adapted. Instead of dropping obvious malware onto well-monitored endpoints, they’ll often store malicious tools on older or unmonitored systems (e.g., network appliances, print servers, exotic systems, outdated embedded devices) and later pivot into the EDR-guarded zone. However, not all attackers stop there—some actively disable EDR agents on highly monitored endpoints to move about undetected.

Below are some recurring tactics we’re observing:

Relying on Legitimate Accounts

Attackers often hijack compromised user or admin accounts to access files, internal apps, or cloud services. Because these actions seem normal on the surface, they frequently slip past rule-based detections. Baselines of typical user behavior or alerting on suspicious account usage can help spot these scenarios.

Direct Attacks on EDR Agents

Some adversaries go beyond evasion and deliberately blind the EDR on a targeted system. A common route is to load a signed but known-vulnerable driver (“bring your own vulnerable driver”, BYOVD) and use it to gain kernel-level execution, then unhook or terminate the security agent. Once the agent is neutralized, attackers can deploy tools or tamper with the OS without detection. Microsoft’s vulnerable driver blocklist, enforced through HVCI or an App Control policy, raises the bar, but it trails newly abused drivers, so alerting on unexpected driver loads and on an agent that stops reporting remains worthwhile.

Minimizing Additional Tools

Rather than dropping custom executables (which EDR might flag), attackers use existing OS utilities (e.g., PowerShell, WMI) to escalate privileges, move laterally, or exfiltrate data. These “living off the land” techniques leave fewer artifacts and require closer scrutiny of standard processes to detect anomalies.

Staging Tools on Under-Protected Systems

Attackers often target devices that aren’t covered by modern EDR solutions—like older servers, virtual appliances, or networking appliances from vendors such as Fortinet, Ivanti, and Cisco. These devices not only suffer from recurring critical vulnerabilities but also offer limited logging and a restricted shell, making them hard to investigate thoroughly. By focusing on these “blind spots,” attackers can store malicious tools, launch deeper intrusions, and exfiltrate data without triggering the usual EDR alarms. If these systems aren’t regularly patched and closely watched, they remain a constant weak point in the network.

Layered Social Engineering

Gaining higher privileges often starts with subtle phishing or manipulation tactics. By impersonating help desk personnel, building rapport with employees, or sprinkling in accurate technical details, attackers trick people into revealing credentials. Once they have elevated access, they keep their actions low-key to avoid raising alarms.

Reconnaissance for Weak Spots

Attackers frequently scope out which endpoints are guarded by EDR or similar monitoring tools. They might read internal documentation or test quiet scans to see what triggers alerts. This reconnaissance phase is marked by caution—any loud move could blow their cover.

Stealthy Persistence

To avoid leaving clear IOCs, attackers combine Windows Registry modifications, scheduled tasks, or WMI event subscriptions with stolen tokens from valid sessions. A valid token may allow them to continuously re-authenticate without dropping any new binaries. In a large environment, this can linger for weeks if there are no specific checks for reused or anomalous tokens. Organizations need continuous, behavior-based monitoring to detect unexpected processes, modified configurations, and suspicious token usage.

4. Abuse of Legitimate Software

Attackers are increasingly swapping out traditional malware for legitimate software to evade detection. Whereas classic remote access trojans (RATs) often trigger antivirus and EDR alerts, legitimate tools like ConnectWise Control, AnyDesk, NetSupport, TeamViewer, Atera, LogMeIn, or Splashtop usually fly under the radar because they’re widely used by IT teams. The same goes for built-in utilities and common third-party applications that aren’t inherently malicious. When adversaries exploit these, it’s harder for security products to flag the activity as unusual – especially in large organizations.

For a comprehensive list of remote monitoring and management (RMM) software that can be abused, check out LOLRMM.io. It’s a curated catalog of legitimate RMM tools that threat actors might leverage. Use it to inform your threat hunting, detection rules, and policy creation.


Here are some key trends we’re seeing:

Persistence Without Malware

Instead of deploying custom binaries, attackers install legitimate remote access software with benign-sounding names. Because these tools aren’t flagged as malicious, they help attackers remain on the network longer without triggering the usual alarms.

Lateral Movement with Built-in Tools

Beyond remote access, attackers also rely on built-in OS utilities (like net.exe, sc.exe, WMI, or even scheduled tasks) to explore and pivot across the environment. This strategy further masks their presence since they’re only using functionality that system administrators use daily.

Hiding in Plain Sight

Many threat actors register or reuse official-looking certificates and domain names (for example, connecting to “support.yourcompany.com”) to blend into real admin traffic. Security teams might notice some suspicious command sequences if they’re watching closely, but the software itself often goes unnoticed.

Configuration Backdoors

Some attackers don’t even need to run a process continuously. They alter configurations or schedules in existing tools. For instance, a legitimate remote management solution might be set to launch after hours, connecting back to an attacker-controlled server. Without a baseline of normal usage, it can be tough to see these modifications.
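The scheduled-task variant of the persistence described under Stealthy Persistence and the after-hours RMM launch described here can be hunted with one check. The following added example (not THOR or Nextron code) parses Task Scheduler XML, such as the files under C:\Windows\System32\Tasks or the output of `schtasks /query /xml`, and scores each task on four indicators: an RMM client as the executed binary, a time trigger outside business hours, a binary located in a user-writable path, and the Hidden setting. The RMM executable names are an assumed subset of the LOLRMM.io list, the business-hours window is assumed, and the three task definitions are constructed.

```python
"""Hunt for remote-access tools persisted through Windows scheduled tasks.

Added illustration, not THOR or Nextron code. Input is Task Scheduler XML as stored
under C:\\Windows\\System32\\Tasks or exported with `schtasks /query /xml`.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed subset of RMM client binaries (lowercase); see LOLRMM.io for the curated list.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe", "client32.exe",
    "screenconnect.clientservice.exe", "ateraagent.exe",
}
BUSINESS_HOURS = range(8, 19)                     # 08:00-18:59 local time (assumed)
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")
TIME_TRIGGERS = {"CalendarTrigger", "TimeTrigger"}
PRIMARY = {"rmm_binary", "user_writable_path"}    # what runs matters; when/how only aggravates


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(element, path):
    """Text of the first child matching path, or an empty string."""
    found = element.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def analyze_task(xml_text):
    """Return the task's action, triggers and the list of indicators it exhibits."""
    root = ET.fromstring(xml_text)
    command = _text(root, "t:Actions/t:Exec/t:Command").strip('"')
    exe = PureWindowsPath(command).name.lower()
    indicators = []
    if exe in RMM_BINARIES:
        indicators.append("rmm_binary")
    if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
        indicators.append("user_writable_path")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        indicators.append("hidden_task")
    triggers, off_hours = [], False
    triggers_el = root.find("t:Triggers", NS)
    for trig in (triggers_el if triggers_el is not None else []):
        kind = _local(trig.tag)
        triggers.append(kind)
        start = _text(trig, "t:StartBoundary")     # e.g. 2025-01-10T23:30:00
        if kind in TIME_TRIGGERS and len(start) >= 13 and start[11:13].isdigit():
            off_hours |= int(start[11:13]) not in BUSINESS_HOURS
    if off_hours:
        indicators.append("off_hours_trigger")
    return {
        "uri": _text(root, "t:RegistrationInfo/t:URI") or "(unnamed)",
        "command": command,
        "arguments": _text(root, "t:Actions/t:Exec/t:Arguments"),
        "triggers": triggers,
        "indicators": indicators,
        "score": len(indicators),
    }


def hunt(task_xml_documents):
    """Report tasks carrying a primary indicator, most suspicious first."""
    results = [analyze_task(doc) for doc in task_xml_documents]
    flagged = [r for r in results if PRIMARY & set(r["indicators"])]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


# Constructed task definitions (XML declaration omitted; a real export begins with one).
TASK_DEFRAG = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T01:00:00</StartBoundary>
    <ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
  </CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""
TASK_ANYDESK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Adobe Acrobat Update Task</URI><Author>SYSTEM</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-10T23:30:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>"C:\Users\Public\Libraries\AnyDesk.exe"</Command>
    <Arguments>--start-with-win --silent</Arguments></Exec></Actions>
</Task>"""
TASK_TEAMVIEWER = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\IT\RemoteSupport</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for r in hunt([TASK_DEFRAG, TASK_ANYDESK, TASK_TEAMVIEWER]):
        print(r["score"], r["uri"], r["command"], r["indicators"])
```

The nightly defrag task is a time trigger outside business hours too, which is why the hour alone is not enough to report a task: only a task that runs a remote-access client, or anything from a user-writable directory, is surfaced, and the remaining indicators order the results. The IT-owned TeamViewer task at logon still appears with a low score, which is the place to confirm against the list of hosts where IT is actually expected to use it.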

“Malware-less” Attacks

Because this approach doesn’t rely on a discrete piece of malware, it sidesteps many classic detection methods. Alerting on suspicious behaviors or unexpected connections becomes essential. Tools and processes that appear valid at first glance can still be used to exfiltrate data or execute commands silently.

5. AI-Aided Attacks – What’s Really Happening

For years, experts have debated the potential for game-changing AI-driven cyberattacks. While AI can streamline malicious operations, we’re not yet seeing radically new exploits. Instead, threat actors mostly use AI to speed up or automate tasks they already do—like writing scripts, debugging code, or crafting phishing lures.

(Embedded image from https://x.com/fr0gger_/status/1884834198286225557/photo/1)

Our findings align with recent analysis by the Google Threat Intelligence Group, which breaks down AI misuse into four broad categories:

Research & Reconnaissance

Attackers use AI to gather intelligence on target organizations, look up vulnerabilities, and sift through large data sets or open-source reports. This makes it easier for them to pinpoint weak spots and refine future exploits without manually combing through dense documentation.

Phishing & Social Engineering

AI-driven text generation helps create believable phishing messages in any language and can even spin up fake personas for social engineering or disinformation campaigns. The grammar is better, and the phrasing can be tailored to specific targets, reducing red flags.

Malware Development & Scripting

From coding new tools to obfuscating existing scripts, AI can automate much of the grunt work. Attackers—especially those with limited coding skills—gain the ability to produce or refine malicious software more quickly and with fewer errors.

Automation & Evasion

AI can assist with scripting tasks that bypass security measures, escalate privileges, and evade detection. It also lets attackers rapidly generate variants of known attacks, forcing defenders to react faster and update signatures or detections more often.

No Revolutionary Shift—Yet

Even with these AI-enabled efficiencies, there’s no sign of “AI-only” attacks or groundbreaking new exploits driven purely by machine learning. Most of the advantage lies in speed and scale: Threat actors spend less time writing or localizing content and more time on actual infiltration. The real concern going forward is the proliferation of powerful open-source AI models with minimal guardrails, which could further accelerate malicious automation and make these categories of misuse more accessible to a wider range of adversaries.

Conclusion

From supply chain attacks and token abuse to advanced evasion and the misuse of legitimate software, attackers are still relying on familiar methods—just with new twists and a growing interest in AI. Despite these evolving trends, unpatched appliances and missing MFA remain the most common pathways into an organization. While AI speeds up certain steps for attackers, it doesn’t turn breaches into an entirely new game. Instead, it’s an additional tool that defenders also need to adopt—otherwise, they risk falling behind.

Nextron’s Approach to Advanced Threat Detection

Nextron provides specialized digital forensics solutions designed to detect threats that traditional security tools often overlook. Our technology identifies unusual system behavior, hidden malicious activity, and sophisticated attacks that evade conventional antivirus and EDR products.

Our comprehensive signature set detects a broad spectrum of threats, including attacker toolkits, forensic traces, abuse of legitimate applications, and supply chain-based compromises. This extends to identifying “malware-free” intrusions, where adversaries operate without deploying conventional malware, making them difficult to detect.

Additionally, Nextron’s solutions support flexible scanning for unsupported or legacy systems that standard EDR platforms cannot monitor. This allows organizations to expand their detection coverage, ensuring a more comprehensive and actionable security posture across their entire environment.

The post Cyber Security 2025: Practical Trends Beyond the Hype appeared first on Nextron Systems.

Why Prevention Isn’t Enough: How a Second Line of Defense Protects Your Business (Nextron Systems, Wed, 29 Jan 2025 14:21:50 +0000) https://www.nextron-systems.com/2025/01/29/why-prevention-isnt-enough-how-a-second-line-of-defense-protects-your-business/


According to recent reports, cyberattacks rose by 75% in the third quarter of 2024 compared to the same period in the previous year and by 15% compared to the second quarter of 2024. This alarming trend clearly shows that companies are more than ever required to protect their intellectual property, customer data, and reputation.

In today’s interview, Frank Oster, Senior Security Advisor at Nextron Systems, explains why a second line of defense is essential and how companies can benefit from it.

How do you define the first and second line of defense in IT security? 

Frank Oster: The threat landscape has changed significantly. Cybercriminals are becoming more sophisticated and increasingly bypass traditional security mechanisms. The first line of defense consists of technologies such as firewalls, antivirus software, and Endpoint Detection and Response (EDR) systems. These solutions block known threats and prevent unauthorized access.

But what happens when attackers gradually and almost imperceptibly overcome these barriers? This is where the second line of defense comes into play. It detects attackers who have already infiltrated a system and may have been active for an extended period. This approach serves as an additional protective measure and does not replace the solutions of the first line of defense.

What measures are part of the second line of defense?

Frank Oster: The second line of defense includes APT scanners, forensic analysis, and intrusion detection systems. The key difference lies in their approach: While the first line is designed to prevent attacks, the second line focuses on detecting and analyzing threats that have already infiltrated the system. It ensures that no attack goes unnoticed and can be contained quickly. In other words, companies gain crucial time to identify and combat even highly specialized, targeted attacks conducted with significant financial resources.

What role do APT scanners play in this context?

Frank Oster: APT scanners like THOR are key technologies of the second line of defense. Advanced Persistent Threats (APTs) and other sophisticated attacks intentionally evade traditional security mechanisms and remain undetected for long periods.

An APT scanner searches for indicators of such threats—suspicious log files, obfuscation techniques, or hidden malware. It not only detects known threats using Indicators of Compromise (IOCs) but also identifies suspicious behavior based on YARA and Sigma rules, which may indicate deeply embedded attacks.

Are APT scanners specifically designed to detect targeted attacks?

Frank Oster: Exactly. These scanners identify IOCs and use various techniques to make hidden threats visible. They analyze how deeply an attack has already penetrated the system. This is crucial because the longer a threat remains undetected, the harder it becomes to recognize and eliminate.

Would you recommend integrating APT scanners into a company’s security framework?

Frank Oster: Absolutely. These scanners enable targeted and periodic security assessments to determine whether a company has been compromised.

THOR can be seamlessly integrated with SIEMs, Threat Intelligence platforms (e.g., MISP), and the ASGARD Management Center, enabling centralized management and analysis of results.

These systems identify suspicious activities and document them, allowing incident response teams to react quickly. However, it is important to note that THOR does not provide real-time detection or response like EDR solutions. Instead, it facilitates in-depth forensic analysis, making attacks visible and enabling effective investigations.

What is your ideal security approach?

Frank Oster: A multi-layered security approach is ideal. The first line of defense – including antivirus software, firewalls, and EDR solutions – is essential. However, the second line of defense is just as crucial, as it detects what the first line may have missed. As mentioned earlier, it has become more important than ever for companies to detect and contain attacks before they cause significant damage. Last but not least: Employee awareness remains a critical success factor in the fight against cybercrime.

Is the second line of defense also a tool for damage mitigation?

Frank Oster: Definitely: It functions like an emergency response team that intervenes when an attack has occurred. Technologies like THOR enable incident response teams to systematically search for attack traces and reconstruct the attack chain. This allows for a faster response and more precise countermeasures.

However, THOR does not stop attacks in real-time but provides valuable insights for damage mitigation and post-attack analysis. In today’s threat landscape, this forensic capability is indispensable for developing robust and resilient security strategies.

Thank you for your insights, Frank Oster.


Streamlining SOC Operations with THOR Cloud: Revolutionizing Remote Forensic Analysis (Nextron Systems, Fri, 13 Dec 2024 15:36:29 +0000) https://www.nextron-systems.com/2024/12/13/streamlining-soc-operations-with-thor-cloud/


Security Operations Centers (SOCs) face increasing challenges in defending against sophisticated cyber threats, often compounded by resource limitations. Analyzing large volumes of forensic data to detect indicators of compromise (IoCs) can be a labor-intensive task. Nextron’s THOR Cloud transforms forensic analysis through its cloud-hosted, agentless scanning platform, streamlining endpoint scanning and forensic investigations to enable SOC teams to efficiently identify and address threats.

Advanced Endpoint Analysis for Modern SOC Needs

THOR Cloud offers exceptional forensic analysis capabilities for endpoint systems running standard operating systems such as Windows, Linux, and macOS. Its cloud-hosted, agentless architecture empowers SOC teams to perform targeted scans across infrastructures without the need for on-premise systems or agent installations.

Key Features:

  • Agentless Deployment: Scans endpoints without the need for pre-installed agents, reducing setup time and minimizing system disruptions.
  • Centralized Management: Offers a unified cloud interface to schedule scans, analyze results, and generate actionable forensic reports.
  • Comprehensive Platform Support: Ensures compatibility with diverse operating environments.

Actionable Insights for Incident Response:

THOR Cloud equips SOC teams with actionable forensic data to assess and respond to potential threats efficiently. It identifies key compromise indicators, such as:

  • Traces of hacking tools and their outputs.
  • Misused legitimate tools and configuration backdoors.
  • Obfuscated malware designed for stealth.
  • Anomalies, including misplaced system files and renamed executables.

Streamlined Workflow for Enhanced Efficiency

Traditional forensic tools can be cumbersome, requiring endpoint agents and resource-intensive configurations. THOR Cloud’s agentless architecture avoids this: the scanner is deployed and executed directly on the endpoint for the duration of the scan, is designed to keep its impact on system performance low, and uploads its results to the cloud for analysis.

Benefits of the Agentless Approach:

  • Quick Deployment: Avoids delays typically associated with software installations.
  • System Stability: Operates with minimal impact on endpoint operations.
  • Flexibility: Suits hybrid environments, including cloud-hosted endpoints and traditional infrastructure.

Empowering Detection Through Nextron’s Advanced Rule Sets

  • YARA Rules: To identify known threats, unusual behaviors, and anomalies such as uncommon file placements or tool usage.
  • Sigma Rules: To detect log-based anomalies and unusual behaviors.

THOR Cloud provides SOC teams with an edge in identifying threats that traditional tools may overlook, particularly in complex or evasive attack scenarios.

Special Offer: Limited-Time Discount

Until December 20, 2024, Nextron is offering a 50% discount on THOR Cloud Professional Scan Packs. This provides an opportunity to integrate a highly effective forensic analysis platform into your SOC toolkit at a competitive rate. Contact us today for a personalized demo and to explore how THOR Cloud can transform your forensic workflows.


Uncover Hidden Threats with THOR Cloud – Now at 50% Off! (Nextron Systems, Tue, 26 Nov 2024 11:57:31 +0000) https://www.nextron-systems.com/2024/11/26/uncover-hidden-threats-with-thor-cloud-now-at-50-off/


Are you looking for an efficient, cloud-managed solution to streamline your threat detection and compromise assessments? This Black Friday, we’re offering 50% off all THOR Cloud scan packages.

Why THOR Cloud?

  • No Setup Hassle: Start scanning within minutes—no agents or servers required.
  • Proven Detection Power: Leverage 30,000+ YARA rules, 2,000 Sigma rules, and thousands of IOCs to identify threats traditional tools miss.
  • Flexibility: Automate daily, weekly, or custom scan schedules to ensure ongoing coverage.

Whether you’re conducting forensic investigations, validating alerts, or scanning for compliance, THOR Cloud delivers a powerful, easy-to-use solution for every environment.

📅 Offer Valid Until December 20, 2024

👉 Explore the Deal and Save 50% Today

Don’t miss this chance to enhance your threat detection capabilities at half the cost.


THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview (Nextron Systems, Sat, 23 Nov 2024 12:56:13 +0000) https://www.nextron-systems.com/2024/11/23/thor-evolution-thor-10-7-stable-release-and-the-approach-of-11-techpreview/


We are excited to announce that THOR 10.7 will become the new default scanner version for ASGARD users starting Thursday, November 28th, 2024.

This update introduces significant performance enhancements, including faster scan times, improved archive handling, and refined resource management. ASGARD-managed scans initiated after this date will default to THOR 10.7 unless configured otherwise, ensuring that all customers benefit from the latest detection capabilities and optimizations. Existing scheduled group scans will continue using their previously configured scanner versions (typically THOR 10.6), with clear warnings and options to update to the new version.

Key Features in THOR 10.7

  • Memory-Mapped File Scanning: Enhanced speed and reduced I/O bottlenecks.
  • Improved JSON Reporting: More detailed and structured output.
  • Selective Initialization: Advanced selectors and filters to streamline scans.
  • Email Parsing: Scans email formats like .eml and .msg for embedded threats.
  • Enhanced Archive Scanning: Support for .cab, .7z, .gzip, and recursive nested archive scanning.
  • Bulk Scanning Optimization: Improved throughput for large-scale scanning.
  • Refined HTML Report Generation: Lower memory usage and reduced CPU load during processing.
  • Unified YARA Rule Sets: A single rule set with namespaces for higher performance.
  • Configurable Color Schemes and Output Encryption at Runtime: Enhanced customization and security.

New Features in THOR 10.7: Enhancements and Flexibility

Enhancing Detection and Efficiency with Memory-Mapped Scanning

One of the most impactful improvements in THOR 10.7 is the introduction of memory-mapped file scanning, which significantly accelerates scans and reduces disk I/O. This new approach improves overall performance by leveraging memory for file access, allowing scans to complete faster while decreasing wear on disks. For most environments, these improvements will result in more efficient scanning with minimal configuration changes.

To ensure that THOR 10.7 operates reliably across diverse environments, users have options to tailor memory usage:

  • Disable memory mapping with the --nommap flag, which may be useful for systems with strict memory limitations, though this comes at the cost of slower scans.
  • Fine-tune resource control: ASGARD adjusts THOR’s resource settings dynamically, optimizing scan reliability for both high-performance and resource-constrained systems.

Initialization Filters and Selectors

With THOR 10.7, the Init Selector and Init Filter functionalities offer unparalleled flexibility in customizing scans. These options enable users to focus on specific threat campaigns or exclude less relevant rules for tailored scanning workflows.

For example:

  • Use --init-selector to target specific threats or campaigns:
    --init-selector MOVEit
    --init-selector RANSOM,Lockbit
    
  • Use --init-filter to exclude rules you don’t need:
    --init-filter PUA_TeamViewer

These filters apply to rule names, tags, and descriptions, offering granular control over signature selection. Combined with the --print-signatures or --print-signatures-json flags, users can verify selected or excluded rules, ensuring precision in their scans. This feature is particularly useful for targeted threat investigations, optimizing performance while maintaining detection accuracy.

JSON Enhancements and the Road Ahead

THOR 10.7 introduces the JSON format version 2, offering significant improvements to the structure and usability of scan outputs. This new format enhances compatibility with modern forensic tools and workflows, making it easier to extract and analyze critical information. Users can activate JSON version 2 with the following flags:

--jsonfile --jsonv2

While JSON version 2 represents a major step forward, it is also a transitional format. The upcoming release of THOR 11 will feature an even more comprehensive JSON format version 3 (or version 2.1). This future iteration will incorporate fully nested structures and lists, ensuring seamless integration with advanced tools like SIEM systems and Cribl configurations. These enhancements will provide greater detail and flexibility for in-depth investigations and automated workflows.

Organizations adopting JSON version 2 in THOR 10.7 will benefit immediately from its improvements and find the transition to the next version in THOR 11 straightforward, ensuring continuous compatibility and advanced functionality.

Email Parsing and Enhanced Archive Scanning

THOR 10.7 expands its capabilities with improved support for email and archive scanning:

  • Email Parsing: THOR can now scan .eml and .msg email formats, detecting malicious attachments and embedded threats. This feature ensures more thorough coverage of phishing-related attacks and email-borne threats.
  • Enhanced Archive Handling: Support for .cab, .7z, and .gzip files, as well as recursive scanning of nested archives, allows users to detect threats hidden in complex compressed file structures. These improvements streamline the process of analyzing large datasets or artifact collections, ensuring no malicious content is overlooked.

Together, these features strengthen THOR’s ability to detect threats hidden in commonly abused file formats, making it a powerful tool in comprehensive compromise assessments and incident investigations.

Effects of Changes for ASGARD Customers

THOR 10.7 introduces a more adaptive resource management approach in ASGARD to reduce scan failures caused by memory constraints. Previously, ASGARD enforced a strict 2GB memory cap, which occasionally caused scan interruptions even on systems with ample available memory.

With the updated mechanism:

  • ASGARD evaluates memory usage dynamically, terminating THOR scans only if the process exceeds 2GB and uses more than 50% of the system’s total memory. This ensures scans proceed smoothly on high-memory systems while protecting systems with limited resources.
  • The “Ignore Memory Limit” option allows customers to completely bypass these checks, enabling scans to continue regardless of memory usage.

Existing group scans will retain their current THOR versions (e.g., 10.6) but can be updated to 10.7. Starting November 28th, all new scans—including single and group scans—will default to THOR 10.7, ensuring customers benefit from the latest features and optimizations.

Configuring THOR 10.7 for Limited Hardware Resources

For systems operating under tight hardware constraints, users can disable memory mapping with the --nommap flag. While this option reduces memory usage, it may lead to slower scan speeds and increased disk activity. For most ASGARD-managed environments, we recommend keeping memory mapping enabled to fully leverage THOR 10.7’s performance improvements. This flexibility allows users to adapt the scanner to diverse operational requirements without compromising its core functionality.

End-of-Support Announcements

  • THOR 10.6: The current stable version will reach its end-of-life (EOL) on April 30, 2025. Users are encouraged to upgrade to THOR 10.7 to ensure continued support and access to the latest features.
  • Legacy Systems Support: The upcoming THOR 11 TechPreview will discontinue support for older operating systems, including Windows 7, Windows 8, Windows 2008 R2, and Windows 2012. Customers relying on these platforms can continue using THOR Legacy with a legacy license to maintain scanning capabilities.

Conclusion

The release of THOR 10.7 as the default version for ASGARD represents a significant step forward in detection capabilities, efficiency, and reliability. With faster scans, reduced disk I/O, and customizable resource controls, THOR 10.7 is designed to perform optimally across diverse environments. While existing group scans will continue using their configured scanner versions, we recommend upgrading to THOR 10.7 to take full advantage of its advanced detection capabilities and optimizations.

Starting November 28th, all new scans will default to THOR 10.7, ensuring your organization is equipped with the latest and most robust scanner available. Embrace this opportunity to enhance your detection workflows and strengthen your security posture with THOR 10.7.

