The Birdling

The Birdling Africa's Best Threat Intelligence Company 2025 – Forewarned is Forearmed.

We are uncovering and understanding cyber threats across the globe to serve our partners and clients in Africa, the Middle East, South-east Asia, and Europe. We dig deep into threats and study patterns so that we can provide clear advice to help cybersecurity experts, organizations, and institutions stay ahead of the threats targeting them or their clients. We’re constantly analyzing industry-specific risks, tracking trends, and producing detailed reports to make cybersecurity less overwhelming and more effective. At the heart of everything we do is a commitment to simplifying the complex and ensuring that our insights genuinely make a difference.

21/03/2026

If you can’t see it, you can’t stop it.

Argos gives you full-spectrum threat visibility with multi-source ingestion and intelligent UEBA — all in one SIEM.

11/03/2026

Did we miss International Women’s Day? Not really. 😉

We believe the women who secure our digital world deserve recognition every day, not just on March 8.

Leading complex research, protecting critical infrastructure, women in cybersecurity are essential, every single day.

Tag a phenomenal woman in tech or cyber who inspires you and let’s give them their flowers, year-round. 💐👇

14/02/2026

Today, we’re open-sourcing Chimera v0.2.0 — a modular behavioral authentication research framework built around a simple question:

What happens to anomaly detection when you remove the cloud?

Most modern security architectures assume:

• Global telemetry

• Continuous threat feeds

• Massive labeled datasets

But many environments operate under strict constraints — air-gapped networks, forensic workstations, OT systems, or smaller infrastructures with limited observability.

In building Chimera, we found that ensemble models behave very differently under these conditions.

Score normalization breaks.

Thresholding becomes brittle.

Signal reliability degrades quickly.

So we pivoted.

Chimera is now positioned explicitly as a research framework for studying authentication anomaly detection in infrastructure-constrained environments.

Key areas explored:

• Robust ensemble normalization

• Dynamic percentile-based thresholding

• Offline threat intelligence enrichment

• Deterministic reproducibility

It’s not a SIEM.

It’s not a product.

It’s a laboratory.

If you're interested in authentication modeling, unsupervised ensembles, or edge-constrained detection systems, we welcome scrutiny and collaboration.

The future of detection systems won’t just be about scale; it will be about how well they function under constraint.

https://github.com/thebirdling/chimera

---

Modular behavioral authentication research framework for infrastructure-constrained environments. - thebirdling/chimera
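The following is an added illustration, not code from the Chimera repository, of why normalization and fixed thresholds become brittle when bounds come from a small local window, using one common robust alternative: median/MAD scaling per detector and a percentile threshold recomputed from the window. The detector roles, function names and scores are constructed assumptions for this example.

```python
import math
import statistics

# Constructed scores for 12 login events from two hypothetical detectors.
# A is bounded and noisy; B is an unbounded error with one gross outlier.
# Event 3: extreme on B. Event 7: moderate real anomaly on B. Event 5: noise on A.
A = [0.10, 0.12, 0.11, 0.12, 0.09, 0.16, 0.12, 0.11, 0.11, 0.10, 0.12, 0.11]
B = [1.0, 1.2, 0.9, 250.0, 1.1, 1.0, 0.8, 4.0, 1.1, 0.9, 1.0, 1.2]

def minmax_norm(scores):
    """Scale to [0, 1] using the window's own min and max."""
    lo, hi = min(scores), max(scores)
    return [(s - lo) / (hi - lo) if hi > lo else 0.0 for s in scores]

def robust_norm(scores):
    """Centre on the median and scale by MAD, which a few outliers barely move."""
    med = statistics.median(scores)
    mad = statistics.median([abs(s - med) for s in scores])
    scale = 1.4826 * mad or 1.0  # fall back to 1.0 when the window is constant
    return [(s - med) / scale for s in scores]

def ensemble(detectors, norm):
    """Normalize each detector on its own, then average per event."""
    columns = zip(*(norm(d) for d in detectors))
    return [sum(col) / len(col) for col in columns]

def percentile_threshold(scores, pct):
    """Nearest-rank percentile of the current window (no fixed constant)."""
    ranked = sorted(scores)
    k = min(len(ranked), max(1, math.ceil(pct / 100 * len(ranked))))
    return ranked[k - 1]

def flag(scores, pct=80):
    """Indices of events scoring strictly above the window's percentile."""
    thr = percentile_threshold(scores, pct)
    return [i for i, s in enumerate(scores) if s > thr]

if __name__ == "__main__":
    # Min-max lets the outlier in B flatten event 7 and stretches noise in A.
    print("min-max:", flag(ensemble([A, B], minmax_norm)))
    # Median/MAD keeps event 7 visible next to the gross outlier.
    print("robust :", flag(ensemble([A, B], robust_norm)))
```

With the same percentile rule, the min-max ensemble flags the noisy event 5 instead of event 7, because the single extreme value in B compresses every other B score toward zero. The code has no random component, so repeated runs on the same window give identical flags.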

13/02/2026

14 people (labeled Trusted Community Representatives) hold 7 physical "keys" (or, more accurately, smart cards).

These are used in ceremonies to manage security for the Internet Corporation for Assigned Names and Numbers (ICANN).

These keys are crucial for protecting the Domain Name System (DNS)—the "phonebook of the internet"—by ensuring that web addresses map to the correct numerical IP addresses, preventing malicious redirection and cyberattacks.

Key Details About the "Keys to the Internet":

The 14 Keyholders: ICANN appointed 14 people from around the world as key holders.

There are seven primary keyholders and seven backup keyholders.

The "Key" Ceremony: These individuals meet regularly, often four times a year, to perform a high-security ceremony known as a Root Signing Ceremony, where they use their smart cards to generate new master keys, or "key-signing keys".

Physical Security: The physical keys unlock safe deposit boxes that contain the smart cards necessary to activate the machine that signs the DNS root zone.

Purpose: These ceremonies are not about turning the internet "off or on" but rather securing the DNS system by periodically updating its digital keys to prevent counterfeiting.

If the ICANN root zone were compromised, it could theoretically cause severe disruption to global internet traffic by enabling the redirection of traffic to fraudulent websites.

---

06/02/2026

Yes, several of the first electronic computers in the late 1940s and early 1950s used mercury delay lines as their primary memory.

These systems stored data as acoustic waves (sound) traveling through tubes filled with liquid mercury.

Here's how it worked:

Data was converted into electrical pulses, then transformed into ultrasonic sound waves by a quartz crystal transducer at one end of a tube of liquid mercury.

The sound waves traveled to the other end, where they were converted back into electrical signals, amplified, and recirculated back into the tube to "store" the data.

Notable early computers using this technology included the EDSAC (1949), EDVAC, and the UNIVAC I (1951).

Because the sound traveled much slower through mercury than electrical signals through wires, the delay line acted as a "delay" that kept data stored until it was needed.

It had a challenge: the systems were sensitive to temperature and vibrations.

The mercury had to be kept at a constant 40°C (104°F) in "ovens" to ensure the speed of sound remained consistent.

Due to the audible sound produced by the devices, they were sometimes jokingly referred to as "mumble-tubs".

This was largely replaced by faster, more stable technologies like magnetic core memory by the mid-1950s.

---

29/01/2026

⏱️ Another organization has just realized their security and compliance tools aren’t talking to each other.

That gap is exactly where attackers—and frankly, auditors—find their way in.

Threats evolve every 11 seconds. Treating cybersecurity and compliance as two separate marathons isn't just exhausting; it's also a liability.

1️⃣ If your security team sees a threat but your compliance team doesn't see the policy violation, you're only half-protected.

2️⃣ Running two different stacks doubles your costs and halves your speed.

3️⃣ 60% of firms struggle to provide real-time evidence of compliance during an active incident.

It’s time to stop "doubling up" on tools and start doubling your efficiency.

✅ Fill Two Needs with One Deed: ARGOS

ARGOS was built to bridge this exact divide. It doesn't just watch your perimeter; it maps every action to your regulatory requirements.

🛡️ For Cybersecurity:

Visibility: Full-spectrum oversight of your environment.

Identification: Spotting threats before they escalate.

Response: Automated, lightning-fast neutralization.

📜 For Compliance:

Identification: Mapping data to regulatory frameworks.

Implementation: Turning complex requirements into active controls.

Achievement: Reaching audit-ready status, 24/7.

Why fight two battles with two different weapons? With ARGOS, one platform secures your future and satisfies the regulators.

Forewarned is Forearmed.

27/01/2026

Managing and monitoring a firewall is easy.

But only if you have the right expertise in your team.

But most organizations don't.

---

01/01/2026

Happy New Year!

As we welcome 2026, we're filled with hope for a year of growth, innovation, and security for everyone.

Our resolution is to continue providing the intelligence and protection our communities need to thrive. In 2026 and beyond, remember: to be forewarned is to be forearmed.

Wishing you and yours a very happy and safe New Year!

25/12/2025

Merry Christmas (what does the code say?)

22/12/2025

Nigerian authorities, working with Microsoft and U.S. partners, have arrested suspects tied to RaccoonO365 (aka Storm-2246).

RaccoonO365 (aka Storm-2246) is a phishing-as-a-service (PhaaS) operation that stole thousands of Microsoft 365 credentials.

The takedown of hundreds of malicious domains and this arrest are important wins, but PhaaS is resilient.

In this newsletter, we explain what happened, why it matters for African organisations, and exactly what to do now.

Forewarned is Forearmed.

------------------------------


https://www.thebirdling.com/blog/nigeria-arrests-raccoono365-developer

16/12/2025

🚨 Phishing Campaign: AWS S3 + nxcli Infrastructure Abuse

We just released a new technical report analyzing an active crypto-themed phishing campaign impersonating major Web3 brands.

Our investigation shows attackers leveraging:

Disposable nxcli subdomains for mail infrastructure

Public AWS S3 static pages for phishing payload delivery

Brand impersonation (Coinbase, MetaMask) combined with urgency and incentive-based lures

📌 Key takeaways from the report:

Clear IOC patterns for email gateways and SIEMs

Practical detection and hunting queries

Takedown and reporting workflows (AWS + brand abuse)

User-risk implications for crypto and Web3 ecosystems

This research is part of our ongoing effort to document real-world attacker tradecraft and provide actionable intelligence for defenders.

📄 Read the full report:

https://www.thebirdling.com/blog/aws-s3-nxcli-crypto-themed-phishing-campaign

-----------------

12/12/2025

We have noticed a concerning rise in online chatter related to civilian arms acquisition in Nigeria, particularly within southern-based online communities.

We published a full advisory on this activity here:

The Birdling's Threat Intelligence Unit has detected a concerning rise in online chatter related to civilian arms acquisition in Nigeria, particularly within southern-based online communities.

Address

TB Headquarters, Base 1
Abuja
901101
