GuardiCore Labs is a global research team focused on critical cyber security analysis and investigation. Our mission is to benefit the community through publications and timely disclosure of new advanced threats targeting data centers and clouds. Our team delivers cutting-edge breach detection and response methodologies to protect critical business applications and infrastructure.

Read our latest posts:

Highlights from Black Hat & DEFCON

August 2, 2017
Highlights from the “Hacker Summer Camp” of Black Hat and DEFCON. Besides meeting people and enjoying the dual craziness of the DEFCON crowd and the Black Hat business hall, we also gave a well-received lecture, Escalating Insider Threats using VMware’s API. Ofri Ziv, Head of GuardiCore Labs, presented a backdoor we discovered in VMware’s remote administration API, enabling vSphere users to quickly and easily take over guest machines without providing guest credentials.


July 27, 2017
Overview: VMware vSphere is the most widely used virtualization platform for on-premises data centers. Like other virtualization platforms, it relies on host servers running guest machines. These hosts and guest machines can be managed through administration interfaces such as the vSphere API and the VIX API. The GuardiCore Labs team has discovered a vulnerability in

SambaCry, the Seven Year Old Samba Vulnerability, is the Next Big Threat (for now)

May 26, 2017
The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well. This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid
Get the detection script >>

The Bondnet Army - Q&A

May 11, 2017
Recently, GuardiCore uncovered Bondnet, a new botnet. The originator of Bondnet had installed a cryptocurrency miner and backdoor on thousands of servers of varying power and conscripted them into a botnet: a group of computing devices that can be centrally controlled for malicious purposes.
Learn more and download the detection & cleanup tool >>

The Bondnet Army

May 4, 2017
GuardiCore Labs picked up a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the botnet is ready to be weaponized and is currently used to mine different cryptocurrencies.
Learn more and download the detection & cleanup tool >>

0.2 BTC Strikes Back, Now Attacking MySQL Databases

February 24, 2017
The GuardiCore Global Sensor Network (GGSN) has detected a widespread ransomware attack targeting MySQL databases. The attacks look like an evolution of the MongoDB ransomware attacks first reported earlier this year by Victor Gevers. As in the MongoDB attacks, owners are instructed to pay a 0.2 Bitcoin ransom (approx. $200).


The Oracle of Delphi Will Steal Your Credentials

October 3, 2016
It was one of those warm summer nights, no clouds, just a bright full moon lighting the way. Someone had unknowingly stumbled upon our honeypot, completely unaware of the fact that her every move was recorded and fully analyzed. Thanks to our deception technology, we could easily reroute the attacker, making her believe she had reached her real target.


Infection Monkey Is on the Loose!

July 27, 2016
Today we are releasing the Infection Monkey, our in-house tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Infection Monkey is a new open source security testing tool that we’ve developed at GuardiCore to test the resiliency of modern data centers to attack. Being good sports, we are sharing it with the security community.


The PhotoMiner Campaign

June 14, 2016
Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero.