![[GAME THEORY] UAT-4356/Storm-1849: When Patching Is Not Eviction](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-11.png)
gametheory
[GAME THEORY] UAT-4356/Storm-1849: When Patching Is Not Eviction
“We patched it” is not an eviction notice. On edge boxes, that sentence has been carrying way too much emotional weight.
china
![[FORECAST] Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2026-03-24](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/03/z-4.png)
forecasts
[FORECAST] Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2026-03-24
RedNovember is the kind of crew that turns “it was only an N-day” into a post-incident coping mechanism. We’re at 25% odds they get publicly tied to a true 0-day in 2026. With edge exploitation surging, that’s not exactly comforting. 👀🔥
unc6201
CISA Flags Dell RecoverPoint Zero-Day: Backup Systems as the New Beachhead
Your backup system isn’t your parachute. It’s a beachhead. 🏖️ Mandiant/GTIG report UNC6201 exploiting Dell RP4VM (CVE-2026-22769, CVSS 10.0). Hardcoded credential → OS-level control + root persistence.
![[FORECAST] Dismantled or Displaced? Cambodia’s Scam-Compound Crackdown by 2030?](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/02/z-7.png)
forecasts
[FORECAST] Dismantled or Displaced? Cambodia’s Scam-Compound Crackdown by 2030?
Cambodia says it sealed off ~190 scam sites. 🧨 Now the real question: dismantled or displaced? 🧱🚚 Our forecast uses grown-up metrics (convictions + asset denial + independent compound counts).
forecasts
Will UNC5221 pop a fresh zero-day before Dec 31? Final Forecast!
BRICKSTORM intel just landed: PRC actors camping in vCenter/ESXi + Windows. 🧱🕵️♂️ F5 source-code drama raises the long-run 0-day odds, but the calendar + attribution lag are savage. Our final call: 11% UNC5221 gets publicly tied to a new 0-day before Dec 31. 🎯
weekly
SIGNALS WEEKLY: React2Shell in the Wild, BRICKSTORM in the Walls, Predator on the Phone
React2Shell in the wild, BRICKSTORM in the walls, Predator on the phone. Not a dystopian haiku—this week’s risk stack. 🧯🕳️📱
china
Typhoon by Consent: Quiet, Durable, Everywhere
One “Allow” → tenant-wide weather event. 🌀 AI agent phish wraps the consent flow, device-code keeps churning, and Typhoon rides “good” U.S. infra. Kill list: user consent, device-code, or EWS app perms—what’s first?
forecasts
Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2025-11-06
We’re at 29% that RedNovember will be publicly reported exploiting at least one zero‑day in 2026 under strict timing and attribution rules. The hinge is whether the group escalates beyond PoC‑driven N‑day edge exploits and whether attribution survives rebranding.
romance-scam
Kill the Lights, Fire Up Starlink: Scam Compounds Slide South
Thailand pulled the plug. The grift brought generators + Starlink. Shift north→south (Shwe Kokko/Myawaddy; Tachileik/Mae Sai). Squeeze OTC cash-outs + first-funding friction, or watch it respawn.
china
Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026?
RedNovember likely stays fast-follow on edge devices using N-days and public PoCs, not 0-days. China-nexus peers show willingness to burn edge 0-days, so a pivot is plausible but not base case...
storm-2603
Storm-2603: Hybrid Espionage and Ransomware Operations Exploiting SharePoint ToolShell Vulnerabilities
Storm-2603 is a China-based threat actor, first identified in 2025, leveraging a hybrid operational model that combines espionage tactics with financially motivated ransomware deployment. The group is distinct from, but shares some infrastructure and tooling with, other Chinese APTs such as...
storm-2603
Storm-2603: SharePoint Zero-Day Exploitation and Warlock Ransomware—A Hybrid Financial and Espionage Threat
Storm-2603 is a China-based, financially motivated threat actor first identified in early 2025, responsible for a global campaign exploiting critical Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704).