Security Lab

Research & Threat Intelligence

Real-world attack analysis, vulnerability research, and honeypot intelligence from our team.

<h3>MacSync Stealer: How a Google Ad Turned Install Claude Code into Full Mac Compromise</h3>
Malware Analysis

MacSync Stealer: How a Google Ad Turned Install Claude Code into Full Mac Compromise

A sponsored Google Ad impersonating Claude Code delivered MacSync Stealer (build tag `claude1`) to macOS developers. Caronte traced the full chain: triple-encoded dropper → osascript credential harvester → surgical app.asar replacement of Ledger Live and Ledger Wallet. The attacker left a Russian INSERT HERE comment in the Electron bundle and walked away with keychains, Chrome Safe Storage keys, iCloud passwords, SSH keys, and a persistent hardware wallet phishing overlay.

May 6, 2026Giovanni Braccini
<h3>Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware</h3>
Malware Analysis

Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware

A single MalwareBazaar sample, fed to our Caronte CTI platform, unfolded into 1,932 victims, six withdrawal wallets, and ~$148 ETH already moved to cold storage. All from intelligence Caronte extracted autonomously in minutes.

May 4, 2026Beelzebub Labs
Catching Cloudflare WARP Leaking Real IPs Through Tor
Honeypot

Catching Cloudflare WARP Leaking Real IPs Through Tor

A visitor reached a Beelzebub honeypot emulating Ollama through six Tor exit nodes across four countries. Every request carried five Cloudflare headers, including the visitor's real IP. The undocumented header Cf-Warp-Tag-Id persisted across two sessions from two different source IPs, linking an anonymous VPS to a residential broadband connection two hours apart.

Apr 6, 2026Zachary Gardner
Catching AI Red Teamers in the Wild: Using Reverse Prompt Injection as a Honeypot Detection Mechanism
Honeypot

Catching AI Red Teamers in the Wild: Using Reverse Prompt Injection as a Honeypot Detection Mechanism

How we used reverse prompt injection embedded in a honeypot to detect and fingerprint an autonomous AI agent performing red team operations in the wild.

Mar 1, 2026Mario Candela
<h3>Runtime Tracing for AI Agents: What Your OpenClaw Agent Actually Does Inside the Container</h3>
runtime security

Runtime Tracing for AI Agents: What Your OpenClaw Agent Actually Does Inside the Container

Autonomous AI agents run 24/7 with shell access, network connectivity, and full filesystem permissions. We built Azazel, an eBPF-based runtime tracer that captures every syscall, file touch, network connection, and suspicious behavior, **treating the agent with the same rigor as an unknown binary in a malware sandbox.**

Feb 15, 2026Mario Candela
Watching CVE-2026-24423 Hit the Wire: A SmarterMail Honeypot Field Report
SmarterMail

Watching CVE-2026-24423 Hit the Wire: A SmarterMail Honeypot Field Report

From Background Noise to Weaponized Exploit in 3 Days

Feb 11, 2026Michel Verbel
Automated Exploitation Campaigns Targeting OpenClaw Gateway Infrastructure
Threat Intelligence

Automated Exploitation Campaigns Targeting OpenClaw Gateway Infrastructure

Our honeypot captured a sophisticated, multi-phase attack campaign targeting exposed OpenClaw Gateways. This report details the attack methodology, exploited vulnerabilities, and actionable defenses.

Feb 1, 2026Beelzebub Security Lab
Catching CVE-2026-24061: 11 Years of Silent Root Access
Ni8mare

Catching CVE-2026-24061: 11 Years of Silent Root Access

How I captured active exploitation of a critical telnetd vulnerability using a Beelzebub honeypot

Jan 26, 2026Mario Candela
<h3>From React2Shell to a Hard-to-Kill Cryptojacking: 10 Layers of Survival Mechanisms</h3>
Threat Intelligence

From React2Shell to a Hard-to-Kill Cryptojacking: 10 Layers of Survival Mechanisms

A live XMRig campaign exploited React2Shell, dropped a Go backdoor called n0de on NKN, and relied on ten overlapping survival layers. Cleanup attempts failed because every removal step triggered another layer to rebuild the payload.

Jan 19, 2026Giovanni Braccini
Catching Ni8mare in the Wild: 48 Hours from Disclosure to Exploitation
Ni8mare

Catching Ni8mare in the Wild: 48 Hours from Disclosure to Exploitation

How I captured active exploitation of CVE-2026-21858 using a n8n beelzebub honeypot

Jan 9, 2026Mario Candela
<h3>Operation PCPcat: Hunting a Next.js Credential Stealer That's Already Compromised 59K Servers</h3>
Threat Hunting

Operation PCPcat: Hunting a Next.js Credential Stealer That's Already Compromised 59K Servers

A threat campaign called 'PCPcat' is silently harvesting credentials from Next.js deployments at scale. Through active honeypot reconnaissance, I breached their C2 API and exposed their operational metrics: 59,128 confirmed server compromises, a 64.6% success rate, and a blueprint for exploiting the entire global infrastructure. This is what industrial-scale credential theft looks like, and how to detect it.

Dec 14, 2025Mario Candela
<h3>How I Reverse Engineered a Rust Botnet and Built a C2 Honeypot to Monitor Its Targets</h3>
Malware Analysis

How I Reverse Engineered a Rust Botnet and Built a C2 Honeypot to Monitor Its Targets

A Rust DDoS botnet slipped past every antivirus engine. I captured it on my honeypot, reverse engineered its custom C2 protocol, and built a fake bot to infiltrate the network-now monitoring attack targets and tracking the malware's evolution in real-time.

Nov 30, 2025Mario Candela
RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits
Botnet

RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits

Through honeypot telemetry, this research identifies RondoDox v2, a significant evolution of the RondoDox botnet first documented by FortiGuard Labs in September 2024. This variant demonstrates a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This paper provides comprehensive technical analysis, IOC extraction, XOR deobfuscation methodology, and detection guidance for the security community.

Nov 3, 2025Mario Candela
<h3>Inside the Time-to-exploit -1 days era, How Self-Updating malware exploits vulnerabilities before patches are deployed</h3>
multi-modal malware

Inside the Time-to-exploit -1 days era, How Self-Updating malware exploits vulnerabilities before patches are deployed

In 2024, Time-to-Exploit reached -1 days for the first time: attackers exploit vulnerabilities faster than defenders can apply patches. This analysis decodes the advanced self-update mechanisms that enable malware to deploy zero-day exploits in seconds, not hours.

Oct 15, 2025Mario Candela
Securing AI Agents with Honeypots
MCP honeypot tool

Securing AI Agents with Honeypots

This article explores the Beelzebub MCP honeypot system that transforms AI agent security by deploying deceptive functions to detect and analyze sophisticated prompt injection attacks in real-time.

Jul 5, 2025Mario Candela
Defensive Deception with Kong and Beelzebub LLM Honeypot
AI API Honeypot

Defensive Deception with Kong and Beelzebub LLM Honeypot

This article explores the innovative approach that transforms your existing Kong infrastructure into a powerful threat intelligence platform for modern cloud-native environments.

Apr 6, 2025Mario Candela
Securing Kubernetes: Using Honeypots to Detect and Prevent Lateral Movement Attacks
Kubernetes

Securing Kubernetes: Using Honeypots to Detect and Prevent Lateral Movement Attacks

This article examines lateral movement threats in Kubernetes clusters and demonstrates how to configure and deploy the Beelzebub honeypot system using Helm to detect and prevent these attacks.

Mar 30, 2025Mario Candela
LLM Honeypot vs. Cryptojacking: Understanding the Enemy
Cryptojacking

LLM Honeypot vs. Cryptojacking: Understanding the Enemy

Catch a crypto jacking malware and analyze how cybercriminals make money with it using a LLM honeypot.

Feb 8, 2025Mario Candela
SSH LLM Honeypot caught a real threat actor
threat actor

SSH LLM Honeypot caught a real threat actor

Discover how a real threat actor was captured and analyzed using an SSH LLM honeypot.

Dec 24, 2024Mario Candela
How cybercriminals attacks your company
Supply Chain

How cybercriminals attacks your company

You can’t defend. You can’t prevent. The only thing you can do is detect and respond. By Bruce Schneier

Oct 8, 2024Mario Candela
LLM Honeypot with Beelzebub framework
honeypots

LLM Honeypot with Beelzebub framework

You can’t defend. You can’t prevent. The only thing you can do is detect and respond. By Bruce Schneier

Jun 25, 2024Mario Candela