Security Lab
Research & Threat Intelligence
Real-world attack analysis, vulnerability research, and honeypot intelligence from our team.

MacSync Stealer: How a Google Ad Turned Install Claude Code into Full Mac Compromise
A sponsored Google Ad impersonating Claude Code delivered MacSync Stealer (build tag `claude1`) to macOS developers. Caronte traced the full chain: triple-encoded dropper → osascript credential harvester → surgical app.asar replacement of Ledger Live and Ledger Wallet. The attacker left a Russian INSERT HERE comment in the Electron bundle and walked away with keychains, Chrome Safe Storage keys, iCloud passwords, SSH keys, and a persistent hardware wallet phishing overlay.

Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware
A single MalwareBazaar sample, fed to our Caronte CTI platform, unfolded into 1,932 victims, six withdrawal wallets, and ~$148 ETH already moved to cold storage. All from intelligence Caronte extracted autonomously in minutes.

Catching Cloudflare WARP Leaking Real IPs Through Tor
A visitor reached a Beelzebub honeypot emulating Ollama through six Tor exit nodes across four countries. Every request carried five Cloudflare headers, including the visitor's real IP. The undocumented header Cf-Warp-Tag-Id persisted across two sessions from two different source IPs, linking an anonymous VPS to a residential broadband connection two hours apart.

Catching AI Red Teamers in the Wild: Using Reverse Prompt Injection as a Honeypot Detection Mechanism
How we used reverse prompt injection embedded in a honeypot to detect and fingerprint an autonomous AI agent performing red team operations in the wild.

Runtime Tracing for AI Agents: What Your OpenClaw Agent Actually Does Inside the Container
Autonomous AI agents run 24/7 with shell access, network connectivity, and full filesystem permissions. We built Azazel, an eBPF-based runtime tracer that captures every syscall, file touch, network connection, and suspicious behavior, **treating the agent with the same rigor as an unknown binary in a malware sandbox.**

Watching CVE-2026-24423 Hit the Wire: A SmarterMail Honeypot Field Report
From Background Noise to Weaponized Exploit in 3 Days

Automated Exploitation Campaigns Targeting OpenClaw Gateway Infrastructure
Our honeypot captured a sophisticated, multi-phase attack campaign targeting exposed OpenClaw Gateways. This report details the attack methodology, exploited vulnerabilities, and actionable defenses.

Catching CVE-2026-24061: 11 Years of Silent Root Access
How I captured active exploitation of a critical telnetd vulnerability using a Beelzebub honeypot

From React2Shell to a Hard-to-Kill Cryptojacking: 10 Layers of Survival Mechanisms
A live XMRig campaign exploited React2Shell, dropped a Go backdoor called n0de on NKN, and relied on ten overlapping survival layers. Cleanup attempts failed because every removal step triggered another layer to rebuild the payload.

Catching Ni8mare in the Wild: 48 Hours from Disclosure to Exploitation
How I captured active exploitation of CVE-2026-21858 using a n8n beelzebub honeypot

Operation PCPcat: Hunting a Next.js Credential Stealer That's Already Compromised 59K Servers
A threat campaign called 'PCPcat' is silently harvesting credentials from Next.js deployments at scale. Through active honeypot reconnaissance, I breached their C2 API and exposed their operational metrics: 59,128 confirmed server compromises, a 64.6% success rate, and a blueprint for exploiting the entire global infrastructure. This is what industrial-scale credential theft looks like, and how to detect it.

How I Reverse Engineered a Rust Botnet and Built a C2 Honeypot to Monitor Its Targets
A Rust DDoS botnet slipped past every antivirus engine. I captured it on my honeypot, reverse engineered its custom C2 protocol, and built a fake bot to infiltrate the network-now monitoring attack targets and tracking the malware's evolution in real-time.

RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits
Through honeypot telemetry, this research identifies RondoDox v2, a significant evolution of the RondoDox botnet first documented by FortiGuard Labs in September 2024. This variant demonstrates a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This paper provides comprehensive technical analysis, IOC extraction, XOR deobfuscation methodology, and detection guidance for the security community.

Inside the Time-to-exploit -1 days era, How Self-Updating malware exploits vulnerabilities before patches are deployed
In 2024, Time-to-Exploit reached -1 days for the first time: attackers exploit vulnerabilities faster than defenders can apply patches. This analysis decodes the advanced self-update mechanisms that enable malware to deploy zero-day exploits in seconds, not hours.

Securing AI Agents with Honeypots
This article explores the Beelzebub MCP honeypot system that transforms AI agent security by deploying deceptive functions to detect and analyze sophisticated prompt injection attacks in real-time.

Defensive Deception with Kong and Beelzebub LLM Honeypot
This article explores the innovative approach that transforms your existing Kong infrastructure into a powerful threat intelligence platform for modern cloud-native environments.

Securing Kubernetes: Using Honeypots to Detect and Prevent Lateral Movement Attacks
This article examines lateral movement threats in Kubernetes clusters and demonstrates how to configure and deploy the Beelzebub honeypot system using Helm to detect and prevent these attacks.

LLM Honeypot vs. Cryptojacking: Understanding the Enemy
Catch a crypto jacking malware and analyze how cybercriminals make money with it using a LLM honeypot.

SSH LLM Honeypot caught a real threat actor
Discover how a real threat actor was captured and analyzed using an SSH LLM honeypot.

How cybercriminals attacks your company
You can’t defend. You can’t prevent. The only thing you can do is detect and respond. By Bruce Schneier

LLM Honeypot with Beelzebub framework
You can’t defend. You can’t prevent. The only thing you can do is detect and respond. By Bruce Schneier