Threat Archive
The Deretti Cyber Labs Threat Archive preserves historical research notes, response pages, and technical references created during major malware, ransomware, vulnerability, and infrastructure-defense events.
These materials are preserved for historical and educational value. They reflect the threat landscape, available guidance, and research context at the time they were written or last updated. They should not be treated as current security advisories or production remediation guidance.
Entries — 14 of 14
Conficker
Worm exploiting a vulnerability in the Windows Server service (patched as MS08-067 roughly a month before the outbreak); built one of the largest known botnets, infecting an estimated ten million or more systems across some 190 countries despite the available patch.
NetTraveler
Long-running cyber-espionage campaign exploiting Microsoft Office vulnerabilities to target governments, embassies, and research institutes across more than forty countries.
Rowhammer
First documented widespread security vulnerability rooted in a circuit-level hardware failure mechanism (charge leakage between adjacent DRAM rows under repeated access); established a vulnerability class with no complete software-only fix that has continued to produce new variants more than a decade after the original 2014 disclosure.
KeRanger
First fully functional macOS ransomware, distributed via a compromised Transmission BitTorrent client installer signed with a valid developer certificate.
NotPetya
Destructive wiper disguised as ransomware, delivered through a compromised Ukrainian tax software update; resulted in approximately ten billion dollars in global damages.
WannaCrypt
Self-propagating ransomware leveraging the EternalBlue SMB exploit; infected over 230,000 systems across 150 countries within days of outbreak.
Spectre and Meltdown
Hardware-level vulnerabilities in speculative execution; Spectre affected most out-of-order CPUs from Intel, AMD, and Arm designed over the prior two decades, while Meltdown chiefly affected Intel parts. Permanently changed how defenders treat the microarchitecture as a threat surface.
VPNFilter
State-sponsored modular firmware implant targeting consumer and small-business routers and NAS devices, attributed by the U.S. government to Russian state actors (named in court filings under the Sofacy/Sandworm aliases); disrupted by an FBI seizure and sinkholing of its command-and-control domain together with a coordinated vendor response.
Ripple20
Nineteen vulnerabilities in the Treck TCP/IP stack embedded in hundreds of millions of IoT, industrial, medical, and infrastructure devices; defined the modern embedded supply-chain disclosure problem.
SMBGhost
Pre-authentication remote code execution in SMBv3 compression handling (CVE-2020-0796), disclosed prematurely when vendor advisories based on Microsoft's advance Patch Tuesday notification were published before the patch was ready.
Log4Shell
Critical JNDI lookup injection vulnerability (CVE-2021-44228) in the ubiquitous Apache Log4j 2 logging library, enabling unauthenticated remote code execution through attacker-controlled log message content across millions of Java applications.
PIPEDREAM (INCONTROLLER)
Modular industrial control system attack framework attributed to the CHERNOVITE activity group; discovered and disclosed before any known operational deployment.
CrowdStrike Falcon — Channel File 291
Faulty channel-file update to the CrowdStrike Falcon sensor crashed approximately 8.5 million Windows devices globally, widely described as the largest IT outage in history. Not a malicious attack, but a defining infrastructure-resilience event.
ReVault
Five firmware vulnerabilities in Dell's ControlVault3 hardware security subsystem, disclosed by Cisco Talos and addressed in Dell advisory DSA-2025-053. Together they enable authentication bypass, privilege escalation, and persistent firmware backdoors that survive an OS reinstall.