Wes - AlphaHunt Newsletter

forecasts

Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2025-11-06

We’re at 29% that RedNovember will be publicly reported exploiting at least one zero‑day in 2026 under strict timing and attribution rules. The hinge is whether the group escalates beyond PoC‑driven N‑day edge exploits and whether attribution survives rebranding.

weekly

Signals Weekly: The Shortcut That Opened Doors in Europe

A Windows .LNK just became an actual door key. UNC6384 → PlugX at EU diplomats. CISA drops 2 new KEV vulns (CentreStack/Triofox & CWP) + 5 ICS advisories. Patch what you can, isolate what you can’t.

unc5221

Will UNC5221 pop a fresh zero-day before Dec 31? Updated!

UNC5221 is an edge-focused PRC espionage actor repeatedly tied to zero-days (Ivanti 2023–2025; prior NetScaler). Edge products remained a major zero-day target in 2024. But public attributions typically lag exploitation by weeks, and the window is short...

romance-scam

Kill the Lights, Fire Up Starlink: Scam Compounds Slide South

Thailand pulled the plug. The grift brought generators + Starlink. Shift north→south (Shwe Kokko/Myawaddy; Tachileik/Mae Sai). Squeeze OTC cash-outs + first-funding friction, or watch it respawn.

weekly

Signals Weekly: Active WSUS Exploits and Ransomware Shifts

WSUS RCE is live—patch OOB now + watch 8530/8531. Payments fell to 23% in Q3 as crews pivot to insider bribes; Qilin doubles down on ESXi + EDR tamper.

cl0p

Cl0p’s Leak Sites: 20% Chance They Go Dark by Apr 22, 2026

Forecast: 20% chance Cl0p’s leak sites go dark by Apr 22, 2026. Needs a seizure banner or ≥14 days down w/ LE attribution. Cronos showed it’s doable; mirrors make it brutal.

forecasts

COLDRIVER’s Next Move

COLDRIVER went from LOSTKEYS to a full “ROBOT” chain and ClickFix tricks—then started poking linked-device flows. We put 75% on a truly new family or access vector within 12 months.

weekly

Signals Weekly: Devices Under Siege- SNMP Rootkits, F5 Fallout

SNMP rootkits on Cisco (CVE-2025-20352) 🎛️, F5 source-code heist + CISA ED 26-01 🚨, and 175 MS CVEs 📅. Pick your poison: harden SNMP or inventory+patch BIG-IP today.

storm-2603

Storm-2657 Watch: Does Workday mark the start — or just the first stop?

Workday was the first stop, not the destination. We’re at 62% odds it hits another payroll stack by 2026-04-17. Harden all the paydoors, not just the pretty one.

cl0p

CL0P/FIN11 Go In-Memory on Oracle EBS — The Extortion Comes Later

Oracle EBS got in-memory Java loaders, not lockerware. Patch CVE-2025-61882, lock egress, hunt TemplatePreviewPG with TMP|DEF + XSL-TEXT|XML. Extortion rides in via “pubstorm.”

zero-day

Signals Weekly: Zero-Days, Hijacked Payrolls & a Crypto Kingpin

This Week's Threat Intel Pulse: Oracle EBS zero-day exploited before patches dropped, Storm-1175 abuses GoAnywhere MFT, payroll hijackers hit US universities, ransomware crews weaponize Velociraptor, and a $15B Southeast Asian scam network faces global sanctions.

ta558

TA558 2026: The Quiet Upgrade

Which scenario will best describe TA558’s (aka RevengeHotels) evolution by June 30, 2026?