Skip Navigation
Get a Demo
Resources Blog Threat detection

Get in loser, we’re detecting threats: October 3rd edition

Celebrate National Mean Girls Day by watching clips from our favorite Plastics-inspired threat detection webinar

Marc Lean
Originally published . Last modified .

We like to think of our annual Threat Detection Report as the “Burn Book” of cybersecurity: a non-exhaustive tome of the most grotsky threats, trends, and techniques that we see across our customer’s environments.



Since October 3rd is National Mean Girls Day, we thought this would be a fetch opportunity showcase “Get in loser, we’re detecting threats,” a Mean Girls-themed webinar presented by Red Canary Detection Engineers Mak Foss and Rachel Schwalk. They break down how to detect some of the top threats highlighted in the 2023 Threat Detection Report with a deep dive into initial access, execution, and persistence techniques of Qbot, Gootloader, SocGholish, and more—so we can all get along like we used to in middle school and bake cakes filled with rainbows and smiles and everyone would eat and be happy…

The full webinar is available on-demand, and you can watch clips below.

“Raise your hand if you’ve been personally victimized by Gootloader.”

Mak and Rachel first highlight Gootloader malware, a common entry point for Cobalt Strike. Its hobbies include delivering payloads, transmitting victim data, and persisting covertly.



“Qbot doesn’t even go here.”

While law enforcement took down Qbot’s infrastructure this past summer, its associated behavior is still worth looking at for, as adversaries such as TA570 and TA577 have plenty of similar tools at their disposal. “Girl World” may be at peace by the end of Mean Girls, but there are always “Junior Plastics” entering the fray.


“I’m SocGholish. Duh.”

To paraphrase Cady Heron, “In the real world, Halloween is when kids dress up and beg for candy. But in SocGholish world, Halloween is the one time of year a drive-by download can masquerade like software updates for initial access and no other thrunter can say anything about it.”



“I’m sorry I laughed at you that time you got LOLBins at Barnes & Noble. And I’m sorry for telling everyone about it. And I’m sorry for repeating it now.”


Principal Duvall has sequestered all the girls in the school until 4:00 and Ms. Norbury asks each girl to confess and apologize to each other—it’s time to go over what we’ve learned today.


Mathlete Lightning Round: The limit of detection engineering does not exist!

To close things out, Mak and Rachel are quizzed by the audience about preventing automatic execution of script files, filtering out noisy detectors, cloud security threats, and more.



How adversaries use Entra ID service principals in business email compromise schemes


MSIX and other tricks: How to detect malicious installer packages


The detection engineer’s guide to Linux


The Trainman’s Guide to overlooked entry points in Microsoft Azure

Subscribe to our blog

Back to Top