The why-now: AI-generated code, agentic workflows, and machine-speed software delivery are creating a new class of executable risk. How Zero Trust for Code addresses the threat.

The Rising Threat of Algorithmic Trading Exploits

The financial services industry is increasingly reliant on algorithmic and high-frequency trading (HFT), which has revolutionized the speed and efficiency of trades. However, this technological advancement comes with heightened cybersecurity risks. As cybercriminals evolve their tactics, CISOs are becoming more concerned about the potential for attacks targeting these advanced trading systems. The threat posed by such cyberattacks is no longer theoretical; it is a growing reality that could have severe consequences for markets worldwide.


Defending the Energy Industry from Nation-State Cyberattacks

The energy industry has become a prime target for cyberattacks, particularly from nation-state actors. These attacks, driven by geopolitical motives, espionage, and the desire to disrupt economies or gain competitive advantage, pose a critical threat to the global energy infrastructure. Energy companies, from oil refineries to nuclear power plants, form the backbone of nations’ economies, and a breach in their cybersecurity could lead to catastrophic outcomes such as power outages, environmental disasters, or the manipulation of energy prices.


Proactive Protection Against Custom Malware

In the realm of cybersecurity, custom malware has become a formidable threat to organizations of all sizes. Unlike generic malware, which is designed for mass deployment and targets a wide range of victims, custom malware is meticulously crafted to infiltrate specific organizations. This personalized approach makes it incredibly effective at bypassing traditional security measures, posing significant risks to targeted businesses.


Double Extortion: The Latest Malicious Money Grab

In recent years, cybersecurity threats have evolved dramatically, with ransomware attacks becoming increasingly sophisticated and damaging. Among the latest trends in this digital arms race is the tactic known as double extortion. This method goes beyond encrypting a victim’s data by also threatening to expose it publicly unless a ransom is paid. Affected organizations thereby suffer double the pressure to comply with the demands.


AI-Generated Malware and the Case for Zero Trust for Code 

A recent study from the University of Illinois Urbana-Champaign reveals that widely available AI agents had an 87% success rate exploiting zero-day vulnerabilities. Researchers gave OpenAI’s GPT-4 access to a database of zero-day vulnerabilities without existing patches. Armed with nothing more than CVE descriptions and embedded reference links, the model autonomously exploited the flaws. Most open-source scanners could not detect the same vulnerabilities at all.

That number is worth sitting with. 87%, without custom tooling, without deep technical expertise, with a description and a capable enough model. Generative AI has not just lowered the barrier to exploitation. It has functionally removed it for anyone with access to a sufficiently advanced model.

When Open Information Becomes a Vulnerability

The CVE database was built to enable collaborative defense. Making knowledge of specific threats available across the industry helps security teams respond faster and share critical context that would otherwise stay siloed. That model has genuine value.

The UIUC study exposes a real tension in that approach. The precise, structured information that makes CVE entries useful for defenders is exactly the information a large language model can use to generate a working exploit. Collaboration infrastructure designed to strengthen defense is also infrastructure that can be handed to an AI and turned into an offense engine.

The Gap GPT-3.5 Reveals

GPT-3.5 achieved a 0% success rate given the same inputs as GPT-4. The jump from 0% to 87% happened in a single model generation, and as models grow more capable and more accessible, the democratization of zero-day exploitation is not a future risk. It is an accelerating present one.

Signature-based detection is a catalog of what has already been observed. AI-generated malicious code is, by design, something that has not been observed before. Every variant is new, and every payload can be structurally different from its predecessor while doing the same thing. Writing signatures fast enough to keep up with AI-generated novelty is not a strategy that scales.

Behavioral Capability Does Not Care About Code Origin

What makes pre-execution behavioral intent analysis the right control for AI-generated threats is that it does not depend on recognizing the code. A credential harvester generated by GPT-4 still harvests credentials. A persistence mechanism written by an AI still installs persistence. A lateral movement script produced by a language model still attempts lateral movement. The behavioral capability is present in the artifact regardless of whether any human authored it or whether any prior version has ever been seen.

Pre-execution analysis deconstructs the artifact to surface those capabilities before execution is authorized. The verdict is deterministic (Allow, Block, Contain, or Escalate) and is applied equally to human-authored and AI-generated code, because the artifact does not advertise how it was made, only what it will do.

Zero Trust for Code as the AI Defense

The industry needed Zero Trust for identity when identity became the primary attack vector. The same logic applies now to code execution. AI has shifted the threat model in a way that makes pre-execution enforcement the practical necessity it always was in theory.

CodeHunter uses automation to defend against automation. Our pre-execution behavioral intent analysis evaluates AI-generated executable code on behavioral capability, not origin or resemblance to known threats. The verdict is issued before the code runs, backed by forensic evidence, and mapped to MITRE ATT&CK so security teams have the context to act immediately.

Every artifact is untrusted by default. Trust is earned through behavioral verification. Stop chasing alerts. Start enforcing trust.

Proactive Prevention: How to Defend Against Zero-Day Attacks

The Anatomy of Zero-Day Malware

Zero-day malware is so called because it takes advantage of zero-day vulnerabilities, which are newly discovered flaws that have yet to be patched. The time when the vulnerability is discovered is referred to as “Day 0”. These vulnerabilities provide cyber attackers with a window of opportunity to launch their attacks, often catching victims, and their security systems, off guard. In the time that it takes for a patch to be deployed across an entire enterprise, malware can already be siphoning critical information from your system.

Defense-in-Depth in 2026: Adding the Execution Control Plane Above EDR

The probability of encountering advanced code-based threats, including zero-day exploits, multi-stage payloads, and purpose-built attacks, continues to rise. Threat actors persist in finding new ways into secured corporate networks, and services that offer ready-made attack infrastructure have made sophisticated campaigns accessible to actors with limited technical backgrounds of their own.

For organizations to stay ahead of a breach, a multi-layered security posture is not optional. It is the baseline. Defense-in-depth, the practice of combining multiple layers of controls that compensate for each other’s limitations, remains the right strategic framework. The question in 2026 is not whether to practice defense-in-depth, but whether the layers you have actually cover the execution surface where modern attacks land. Most do not. The missing layer is the execution control plane.

Where the Existing Layers Perform Well

Before addressing the gap, it is worth being precise about what existing defense-in-depth layers do well, because Zero Trust for Code complements the stack rather than replacing it.

Cybersecurity awareness training reduces the human error that attackers exploit through social engineering and phishing. Network segmentation limits an attacker’s ability to move laterally after gaining initial access. Regular patching reduces the window of exposure on known vulnerabilities. Multi-factor authentication adds meaningful friction to credential-based attacks. EDR provides visibility into behavior at the endpoint and detection of anomalies after execution begins.

Each of these layers is valuable. Each one also operates either before an artifact enters the environment or after it has already executed. None of them systematically answers the question that should gate execution: what will this code do when it runs?

The Gap in the Stack

Traditional security measures do a reasonable job identifying known threats. They are not designed to evaluate complex, novel, or AI-generated artifacts that carry no prior signature, and the gap is structural. Existing layers cannot catch what they do not know to look for.

Behavioral intent analysis addresses this gap directly. Rather than comparing an artifact against a catalog of known threats, it deconstructs the artifact to surface what it is programmatically capable of doing. That capability profile is what should drive the execution decision, not the artifact’s resemblance to something previously observed. The analysis sits above EDR, authorizing what is allowed to execute before downstream detection tools ever see it.

How CodeHunter Strengthens Defense-in-Depth

CodeHunter’s patented behavioral intent analysis automates the artifact deconstruction process that previously required months of expert work. Operating at the binary code level, the platform evaluates any executable artifact, whether a binary, script, container, package, or AI-generated file, and produces a deterministic verdict: Allow, Block, Contain, or Escalate. That verdict arrives before execution, and the forensic evidence behind it is auditable and mapped to MITRE ATT&CK.

Applied across the defense-in-depth stack, this means every artifact entering the environment is evaluated for behavioral capability before execution is authorized, closing the window that attackers have learned to exploit between delivery and detection. SOC teams receive fewer alerts from code that should never have been permitted to run. Compliance teams have a documented, policy-backed record of every execution decision. DevSecOps teams catch risky artifacts in the CI/CD pipeline before they reach production, replacing post-incident response with pre-execution enforcement.

The Execution Control Plane as the Missing Layer

Zero Trust for Code is the framework that makes defense-in-depth complete. It does not replace the layers already in your stack. It fills the gap those layers leave open, which is the execution authorization decision that has historically been made by assumption rather than by policy.

Every artifact is untrusted by default. Trust is earned through behavioral verification. The verdict is deterministic. The evidence is forensic. That is what it means to govern the execution layer rather than hope for the best about it. Speak with the CodeHunter team to learn how pre-execution behavioral intent analysis integrates into your existing defense-in-depth strategy.

Malware-as-a-Service: A Top Threat to Organizations in 2024

What is Malware-as-a-Service?

Malware-as-a-service (MaaS) poses a serious threat to enterprise organizations. MaaS functions much like any other software-as-a-service you may be familiar with, and in some cases even comes with technical support. Hackers develop complex malware systems that can be easily purchased by even the most novice of cybercriminals, who can then launch sophisticated attacks against individuals and businesses. Malware-as-a-service democratizes cybercrime, providing any run-of-the-mill criminal with the expertise of an experienced hacker, drastically increasing the average strength and sophistication of a malware attack.

Formjacking Exposes Mortgage Lenders to Cyber Threats

Formjacking is malicious JavaScript code that steals digital information through online forms — and it’s wreaking havoc on mortgage lenders. Malicious software lurks in the background of compromised online forms waiting to steal credit card information, social security numbers, passwords, and other PII while innocent hopefuls sign up for an account or apply for a home loan.

Cybercriminals use formjacking to take advantage of trusting home buyers operating under the illusion of digital safety. Most prospective clients assume bankers and lenders place everyone’s information under a tight watch, trusting the mortgage lenders implicitly as they fill out web forms. They rarely stop to consider who else might be accessing them.

How Does Formjacking Work?

The method is simple and eerily effective: A cybercriminal slips malicious JavaScript code into a website’s back or front end, which sends copies of users’ input to them instantly. If their code seeps into the front end, malicious actors can add extra input fields to any form. They can request sensitive information like a social security number or bank account credentials. And, if they’re particularly hungry, they can track mouse clicks and IP addresses.

If that sounds bad, it only gets worse. It’s far too easy for these formjackers to go undetected for months or even years. They can set the script to activate at certain times of day to avoid a cybersecurity team’s working hours or split it into multiple files to make detection that much harder.

Mortgage Lenders: A Tempting Target

Mortgage lenders are a tempting target for their size, ubiquity, and access to sensitive information. What better way to demonstrate what formjacking can do than with the hackers who infiltrated hundreds of real estate websites with a single video?

Brightcove provides video streaming services to many well-known clients, including Sotheby’s International Realty. In January 2021, an attacker injected JavaScript code into a video used in over 100 real estate websites run by Sotheby’s — which means that every time a user opened an infected page, the software would import the video. Then, the malicious code would become embedded in the website.

Sotheby’s was only recently able to end the attack campaign, meaning that for a year, their attacker hoarded clients’ names, email addresses, phone numbers, and credit card data.

The danger is not limited to clients either. Though news reports tend to highlight the damage to consumers, formjacking can just as easily steal internal information through company portals. If a cybercriminal managed to embed their code into an employee training video purchased from a mass retailer, for example, they wouldn’t need to wait long before taking a snapshot of an employee’s login credentials.

Formjacking is a growing trend — and it’s not going away anytime soon. Though it would be nice to believe that Brightcove’s breach was an anomaly, 4,800 websites are compromised with formjacking every month. Attackers especially enjoy targeting third-party tools because the average eCommerce website uses 40-60 of them, with the majority (68%) of those tools accessing form and input fields. Given the prevalence of these tools in modern business, anyone can be an easy target.

Protect Your Organization From Formjacking

Safeguarding your business from formjacking is becoming increasingly important, and there are steps you can take to minimize risk:

  1. Website admins should manage permissions with a zero-trust mentality: In other words, trust nobody — and limit access to those who need it to do their job.

  2. Most data breaches are a result of human error. Educate your staff about cybersecurity best practices.

  3. Require two-factor authentication (2FA) to verify form submissions on your website. While 2FA doesn’t stop formjacking itself, it can minimize damage by preventing an attacker from taking over a person’s accounts. The malicious actor must simultaneously compromise both devices customers use for authorization (not an easy feat). Attackers tend to look for easier prey.

  4. Detect unwanted changes to your environment with file integrity monitoring (FIM). You’ll be alerted to any changes made to files you’ve set it to monitor.

  5. Run penetration tests and vulnerability scans. No matter how confident you feel about your security, make it a habit to look for weaknesses and consider new ways to strengthen your cybersecurity framework.

  6. Run quality assurance tests on new updates. Make sure things are operating as you intend before launching something new, from back-end functionality to UI interactions.

It’s time to level up your security and stay multiple steps ahead of cybercriminals — it’s your job to protect your customers’ assets, and your own! Update your cybersecurity framework and audit your organization with meticulous detail because what you don’t know will hurt you.

 


The Nauseating Truth About FIN12 for Hospital CISOs

FIN12’s Ruthless Tactics Put Lives at Risk

FIN12 is an aggressive, ransomware-focused cybercrime group that specializes in targeted attacks on the healthcare sector. While many cybercrime groups avoid hospitals, nursing homes, and 911 services, FIN12 has no such reluctance.

Since 2018, FIN12 has actively targeted a range of businesses — making the group one of the most notorious big game hunters in cybercrime. Nearly 20% of their victims are in healthcare; 85% are in North America; and all boast revenues of at least $300 million. With no sign of remorse or morals, FIN12 stands in stark contrast to other cybercriminals: DoppelPaymer and Maze claim that they provide free decryption keys if they accidentally target a vulnerable group. FIN12 deliberately seeks them out.

A New Challenge For Hospital CISOs

No sector is safe from this group’s reach (they have also attacked government websites, schools, universities, and local municipalities), but their ruthless tactics pose a huge threat to healthcare. CISOs have to strategize for FIN12’s attacks — especially if long-distance treatments like telesurgery become more prominent, which will raise the stakes astronomically.

FIN12’s Brutal Methods

FIN12’s single-minded focus on ransomware deployment sets them apart. Their methods are ruthless — and brutally quick. By developing close partnerships with other threat actors who have already gained access to a victim’s network, FIN12 can creep in undetected and quickly deploy debilitating ransomware. Then, when access is securely locked down, they request a single large payout in Bitcoin. Their time-to-ransom (TTR) is incredibly short — the attack and payout all occur in 2 to 3 days.

To make their attacks more complex, FIN12 often overlaps toolsets and services to include backdoors, droppers, and codesigning certificates. The rise of remote work and relaxed home cybersecurity has made it easier for them to access remote logins — paving the way for their attacks.

A Reason to Pay Ransom

FIN12 is in it for the money — not for the data. Since they solely encrypt or block access to data instead of exfiltrating it, there’s an incentive for hospitals to pay up, get systems running, and save lives. Without the threat of corrupted data or exposed personally identifiable information (PII), their victims have reason to believe that they won’t be extorted or left behind without restored access. Additionally, FIN12 has a reputation for taking payment and moving on — another reason used to justify ransom payments.

A Stronger Defense

Along with updating security processes, procedures, and systems — the no-brainer basics — educating healthcare personnel on cybersecurity best practices helps prevent attackers like FIN12 from gaining a foothold. In most cases, mismanaged credentials and privileges lead to a breach: Many successful attacks began with a mere phishing email.

Enacting safety standards such as prohibiting personal use of company devices, using multi-factor or adaptive authentication, and keeping OS and antivirus software up to date can go a long way in preventing threats from getting in.

The New Shadow IT: AI-Generated Code and Agentic Workflows as Ungoverned Execution Risk

The best defense is a good offense, assuming your offense includes solid surveillance. It is not enough to know that cybercriminals might come for your data. You need to know when, how, and through what code they are getting in.

The original shadow IT problem was ungoverned software entering the enterprise through employees: personal devices, unapproved applications, flash drives, and accounts that IT never sanctioned. That problem has not gone away. But in 2026, it has a much larger and faster-moving version sitting right next to it. AI-generated code and agentic workflows are introducing unverified executable artifacts into enterprise environments at machine speed, through channels organizations have explicitly trusted. The governance gap is the same. The scale is entirely different.

What Is Shadow IT, and Why Does It Still Matter

Shadow IT is the use of computing systems, devices, software, applications, and services by employees without the IT department’s knowledge, guidance, or approval. It covers everything from logging into personal email on a work device to installing unapproved applications to using personal flash drives to move work-related data. While shadow IT can improve employee productivity and drive innovation in the short term, it introduces serious security risks regardless of intent.

With more people working remotely, IT departments and security teams are managing a wider and less visible surface than ever. Even the strongest protection around your organization’s email servers will not protect an employee who gets phished through a personal account. A flash drive in a backpack may contain code that triggers the moment it connects to a corporate network. The legal exposure from an employee mishandling sensitive data compounds the security risk considerably.

Most employees do not realize how little it takes for a malicious outsider to gain access through a trusted-looking file, link, or device. That has always been true. What has changed is who, and what, is generating those files.

The New Shadow IT: AI-Generated Code Nobody Reviewed

Traditional shadow IT was ungoverned because it was invisible. IT did not know about the tool, so IT could not govern it. AI-generated code is ungoverned for a different reason. It is visible, since developers are generating it, committing it, and deploying it, but the behavioral verification step between code generated and code executed does not exist in most organizations.

A developer accepts an AI code suggestion and commits it. The CI/CD pipeline runs. The code deploys. At no point does any control ask what that AI-generated artifact is designed to do. The governance gap is not visibility. It is execution authorization. The code is there. Nobody asked what it would do before it ran.

Agentic Workflows: Ungoverned Execution at Machine Speed

The escalation of this problem is agentic workflows: AI systems that do not just suggest code for human review but generate and execute code autonomously, often without a human authorization step in the loop at all. An agentic pipeline that retrieves an external package and executes it. An AI system that generates a script to accomplish a task and runs it immediately. A development workflow where AI-generated contributions are merged and deployed without a behavioral verification gate.

Each of these scenarios represents executable code entering and running in an enterprise environment without policy-based authorization. This is ungoverned execution at machine speed, and it is the 2026 version of the shadow IT problem that the industry has not yet built adequate controls to address.

Pre-Execution Defense Is the Control That Scales

Traditional shadow IT governance built controls around identity and device management: application allowlisting, endpoint management, and two-factor authentication for high-risk systems. These are still worth doing. Train employees on best practices, test instincts with simulated phishing, monitor remote devices for unusual activity, and enforce MFA on sensitive systems.

But identity-based controls govern who can access systems. They do not govern what code is allowed to execute once access is granted. Zero Trust for Code addresses the behavioral verification gap directly. Every artifact, regardless of how it arrived, who generated it, or what channel delivered it, is evaluated for behavioral intent before execution is authorized. The verdict is deterministic: Allow, Block, Contain, or Escalate, based on behavioral capability relative to policy.

Solid surveillance, evolving technology, and keeping your colleagues educated about ungoverned execution risk will help even the score. The organizations that add pre-execution enforcement to that posture are the ones that stay ahead. Stop chasing alerts. Start enforcing trust.

Killware and Nation-State Code Threats: Why Zero Trust for Code Is the Execution Defense

Movies and television have done a lot to shape the popular image of hackers: solitary misfits in poorly lit rooms, disrupting business as usual for fun or notoriety. The reality of state-sponsored cybercrime in 2026 looks nothing like that. Organized, well-funded threat actors operate in coordinated rings across the world, targeting critical infrastructure with code designed not to steal data or demand ransom, but to cause physical harm.

Killware is the category of malicious code built to destroy. It targets water treatment facilities, power grids, hospital systems, and transportation networks. It is the most consequential category of software threat in existence, and it is growing more targeted and more deadly with every passing year.

Killware Is Not a New Threat, But It Is a Growing One

Killware has been around for decades. What has changed is its frequency, precision, and the reach of the damage it can cause. After an attempted hack of a water treatment facility in Oldsmar, Florida, U.S. Homeland Security Secretary Alejandro Mayorkas warned publicly that killware attacks are increasing in both frequency and gravity. Had that attack succeeded, the damage to public health and safety could have been catastrophic. The question that still lingers is whether it was a genuine attempt or a test of current defenses.

The answer matters less than the implication. Someone with the capability and intent to weaponize critical infrastructure systems was probing for gaps, and the gaps they look for are not in firewalls. They are in the software that runs operational systems.

Weaponized Operational Technology Is a Real and Present Risk

The integration of IT and operational technology has expanded the attack surface for killware significantly. OT systems, including those that control industrial processes, utilities, and physical infrastructure, were built before modern cybersecurity was a design consideration. They are typically older, expensive to update, and deeply interconnected, and a compromise of a single device can cascade across an entire OT network.

The WannaCry ransomware attack in 2017 demonstrated exactly how quickly that cascade happens. After infecting Windows systems through IT networks, the code spread to 70,000 devices across National Health Service hospitals in England and Scotland. Hospital services were disrupted. Communications failed. Ambulances were stalled. Lives were put at risk. That attack was ransomware. Killware is designed to cause that kind of damage on purpose, with precision.

Gartner predicted that by 2025, attacks on OT environments would be weaponized with the intent to cause physical harm or death, costing over $50 billion per year. The trajectory has not softened.

How Killware Gets In: The Supply Chain Vector

The most sophisticated killware campaigns do not arrive through obvious attack vectors. They arrive through trusted ones: a software update from a vendor with access to critical infrastructure systems, a signed package delivered through a legitimate supply chain channel, code that passes every existing security control because those controls evaluate origin rather than behavior.

This is the same pattern that made SolarWinds so damaging and so difficult to detect: trusted delivery, legitimate-looking code, and behavioral capability that activated only after the artifact had already executed across thousands of systems.

Patching early and often is necessary. Modernizing legacy systems reduces the attack surface. Training OT staff and maintaining secure backup architecture are all sound practices. But none of these controls answer the question that determines whether a killware payload actually executes: what will this code do when it runs?

Zero Trust for Code: The Execution Defense for Critical Infrastructure

Pre-execution behavioral capability analysis does not require prior knowledge of a threat actor, their campaign, or the specific payload to surface dangerous behavioral characteristics. It deconstructs the artifact itself to identify what it is programmatically capable of doing.

A killware payload designed to interfere with industrial control systems carries the behavioral characteristics of code that interferes with industrial control systems, regardless of whether it has ever been observed before. Its system interactions, its process manipulation patterns, and its execution behavior are embedded in the artifact’s structure. Those characteristics can be surfaced before execution is authorized, which is the only point in the chain where a policy-based decision can still prevent the damage.

For critical infrastructure organizations, the case for pre-execution enforcement is both a security case and a public safety case. A supply chain attack that executes in an operational environment does not just create a security incident. It creates a public safety emergency that extends well beyond the organization itself.

Zero Trust for Code applies the principle that every artifact is untrusted by default and must earn authorization through behavioral verification. The verdict is deterministic: Allow, Block, Contain, or Escalate. The evidence is forensic. The decision is made before the code runs, not after a water treatment system has been compromised or a hospital network has gone dark.

The next war may well be started remotely. The defense starts at the execution layer. Talk to CodeHunter about building pre-execution enforcement into your critical infrastructure security posture.