Week 8, February 22, 2026

ThreatWatch Feed Audit and the BEC Landscape in Early 2026

Finally did the ThreatWatch feed audit I've been putting off. 18% of sources were returning stale data. Also notes on TA4903 and how BEC actors are adapting their delivery methods.

Tags: ThreatWatch, CTI, BEC, TA4903, Threat Intelligence

The ThreatWatch feed audit

I’ve been aware that some of our feeds were degrading in quality for a few weeks. This week I actually did something about it.

Wrote a freshness checker that pulls the 10 most recent items from each feed and checks publication timestamps. Anything with a median age over 48 hours on a “real-time” or “daily” feed gets flagged. Results:

  • 9 of our 50+ feeds flagged for staleness
  • 3 of those were returning correctly timestamped items that were actually duplicates from months ago (the feed itself was healthy; the source was rehashing old alerts)
  • 6 were genuinely slow: pulling from sources that have become less active or have rate-limited our scraper

The dark web sources are the most problematic, as expected. .onion endpoints change. Sites go down. Scrapers that worked six months ago silently fail. We’ve been displaying “last updated” timestamps in the dashboard but not alerting when a source goes stale; that’s the gap.

Added a feed freshness score to the dashboard. Each source now shows a health indicator, green/amber/red based on how recently it’s pushed real data. The amber/red ones get queued for manual review.
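An added example of the freshness check described above, written in Python; this is a sketch for these notes, not the ThreatWatch code. It takes the 10 newest items per feed, flags a median age over 48 hours for real-time/daily feeds, and goes one step further than the timestamp check by hashing item bodies against an archive of previously seen alerts, which is what catches the rehashed-duplicates case. The cadence table, the amber rule and the sample feeds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from statistics import median

# Assumed cadence thresholds in hours: the 48h rule from the audit for
# "real-time" and "daily" feeds; the weekly bound is a placeholder.
MAX_MEDIAN_AGE_H = {"real-time": 48, "daily": 48, "weekly": 24 * 10}


@dataclass
class FeedItem:
    published: datetime  # UTC publication timestamp as reported by the feed
    content: str         # alert body, used for duplicate detection


def content_key(text: str) -> str:
    # Hash a whitespace-normalised, lowercased body so a re-posted alert with
    # cosmetic differences still collides with the archived copy.
    return sha256(" ".join(text.lower().split()).encode()).hexdigest()


def audit_feed(cadence, items, seen_keys, now, n=10):
    """Return (status, median_age_hours, duplicate_count) for the n newest items.

    red   = median age exceeds the cadence threshold (or the feed is empty)
    amber = timestamps are fresh but most bodies are already in our archive
    green = fresh and mostly new content
    """
    newest = sorted(items, key=lambda i: i.published, reverse=True)[:n]
    if not newest:
        return "red", None, 0
    ages = [(now - i.published).total_seconds() / 3600 for i in newest]
    med = median(ages)
    dups = sum(content_key(i.content) in seen_keys for i in newest)
    if med > MAX_MEDIAN_AGE_H[cadence]:
        return "red", med, dups
    if dups > len(newest) // 2:  # assumed rule: more than half rehashed
        return "amber", med, dups
    return "green", med, dups


# Constructed sample data (not real feed output).
NOW = datetime(2026, 2, 22, 12, 0, tzinfo=timezone.utc)
def _mk(hours_ago, body): return FeedItem(NOW - timedelta(hours=hours_ago), body)
HEALTHY = [_mk(h, f"new alert {h}") for h in range(1, 11)]
REHASH = [_mk(h, f"old alert {h}") for h in range(1, 11)]        # fresh stamps, old bodies
STALE = [_mk(h, f"slow alert {h}") for h in range(60, 160, 10)]  # ages 60h..150h
ARCHIVE = {content_key(f"old alert {h}") for h in range(1, 11)}  # alerts we stored months ago


def run_audit():
    feeds = (("healthy", HEALTHY), ("rehash", REHASH), ("stale", STALE))
    return {name: audit_feed("daily", feed, ARCHIVE, NOW)[0] for name, feed in feeds}
```

The rehash feed is the case a pure timestamp check misses: its median age is identical to the healthy feed's, and only the body hashes give it away.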

Also need to start building a feed replacement pipeline. When a source goes dead, there should be a process for identifying and vetting alternatives. Right now that’s entirely manual and inconsistent.

TA4903 and evolving BEC delivery

TA4903 is a financially motivated threat actor tracked by Proofpoint, primarily targeting US organisations. Their main method is credential phishing and business email compromise: they spoof government entities and legitimate businesses to get targets to hand over credentials or wire money.

What’s changed recently is delivery. The shift to QR codes in PDF attachments (what I wrote about in week 4) has shown up in TA4903 campaigns. The scenario: email purporting to be an HR benefits update or a vendor invoice, PDF attachment, QR code inside the PDF linking to a credential harvesting page. The target scans with their phone, enters credentials on what looks like a Microsoft login page.

This maps directly to the quishing mechanics I worked through earlier. The technique isn’t novel to TA4903; it’s become table stakes for any financially motivated actor running credential phishing at scale.

The more notable shift is the contextual quality of the lures. BEC emails a few years ago were often syntactically off in ways a careful reader would catch. Recent samples are cleaner. Not necessarily because these actors are using LLMs, though some likely are, but because email security tooling has pushed them to iterate and improve what gets through.

APT41’s C2 creativity

Unrelated to BEC but interesting from a tradecraft perspective: APT41’s TOUGHPROGRESS campaign (documented by Google Threat Intelligence in late 2024) used Google Calendar for command and control. The attack chain used spear-phishing with LNK files disguised as PDFs; once executed, the malware polled a Google Calendar event’s description field for C2 instructions.

The technique is clever because Google Calendar traffic is trusted by most corporate proxies and firewalls. C2 communication looks like calendar sync. Detection requires monitoring the content of encrypted HTTPS traffic to legitimate Google endpoints, which most organisations don’t do.

This is the category of technique that makes generic “block known malicious domains” threat intel less useful. When C2 lives on infrastructure that you can’t block without breaking productivity tools, IOC-based detection fails. Behavioural detection (looking at what a process does rather than where it connects) is the only option.

Moxel update

Side note: got prefetching working on Moxel this week. Early numbers are better than the baseline from week 6. Still not fast, but the improvement is meaningful. Will write this up properly next week when I have cleaner benchmark data.

PhishRig QR module progress

The quishing simulation module is taking shape. Built the QR code generation with customisable evasion options (plain QR, colour-modified, Cloudflare-wrapped redirect). Testing against common mobile scanning apps, all decode successfully. The credential capture landing page is working via the Evilginx proxy backend.

Still need to build out the reporting and the engagement tracking. Next few weeks.
Next week: EU AI Act Article 50 compliance, getting more concrete about what ProvStamp needs to actually deliver before August.