Splunk Security Content for Threat Detection & Response: March Recap
Security | Splunk Threat Research Team

In March, the Splunk Threat Research Team (STRT) had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.23 and v5.24). With these releases, there are 5 new analytic stories and 17 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- Visibility into SD-WAN control-plane activity, enabling security teams to detect unauthorized peers, anomalous control connections, and topology drift earlier. By baselining peer relationships and highlighting rare or unexpected control-plane combinations, defenders can more quickly surface misconfigurations, rogue devices, and potential exploitation attempts targeting SD-WAN infrastructure.
- New process-level detection strengthens coverage for obfuscated payload retrieval via curl, helping SOC teams identify evasive download behavior before secondary tooling is deployed. Threshold-based logic and tunable parameters across analytics support environment-specific noise reduction while preserving high-signal findings.
- Expanded coverage for Cisco SD-WAN environments with new analytics targeting exploitation and anomalous traffic patterns, including detections for Cisco SD-WAN Arbitrary File Overwrite Exploitation Activity and Cisco SD-WAN Uncommon User-Agent Multi-URI Activity, improving visibility into potential exploitation attempts and suspicious HTTP behaviors indicative of adversary interaction with SD-WAN infrastructure.
- BlankGrabber Stealer and Muddy Water Analytics: Expanded detection coverage for BlankGrabber, a Windows-based information stealer used to harvest browser credentials, cryptocurrency wallets, and authentication tokens, by tagging existing analytics and introducing new detections focused on browser data access, suspicious registry queries, WMI reconnaissance, and defense evasion behaviors such as PowerShell exclusion tampering. This update enhances visibility into credential harvesting, data staging, and stealthy exfiltration activity commonly associated with phishing-delivered stealers and cracked software infections, helping defenders detect and respond to early-stage compromise before widespread account takeover or financial theft occurs.
- Lotus Blossom (Chrysalis Backdoor) Supply Chain Attack: Added new detection coverage for the Lotus Blossom (Billbug) APT group’s Chrysalis backdoor campaign, which leveraged a Notepad++ supply chain compromise (June–December 2025) to target government, financial, and IT sectors. This release introduces detections for Bitdefender DLL sideloading abuse, BluetoothService-based persistence, and TinyCC shellcode execution, along with tagging existing analytics for system and user discovery behaviors observed across multiple infection chains.
- QUIETVAULT: A new analytic story that covers the JavaScript-based credential-stealing malware identified by Google's Threat Intelligence Group that targets GitHub and npm tokens by exfiltrating them to a publicly accessible GitHub repository. In addition to stealing these credentials, QUIETVAULT leverages on-host installed AI CLI tools and crafted AI prompts to search the infected system for other sensitive secrets, which it then also exfiltrates.
- Standardized Risk Scoring Across Detections: Implemented consistent risk scoring across all analytics by assigning a score of 50 for TTP detections and 20 for anomaly-based detections, improving prioritization, correlation, and alert triage across detection workflows.
For all our tools and security content, please visit research.splunk.com.