Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Expel

Expel Vendor Cyber Rating & Cyber Score

expel.com

No black box, no BS. Expel was built on transparency and trust by security practitioners. You see the same Expel Workbench platform our 24x7 SOC uses. Real-time visibility into every alert, investigation, and response action. We show you where you stand, suggest improvements, and instantly improve your overall coverage throughout your threat landscape. We use AI to filter 99.9% of alert noise and deliver a sub-20-minute MTTR on high-severity incidents so that our analysts can focus on handling actual threats. Trusted by Fortune 500 enterprises.


Expel A.I CyberSecurity Scoring

Expel
Company Information
Website:https://expel.com
Employees number:487
Number of followers:29,179
NAICS:541514
Industry Type:Computer and Network Security
Homepage:expel.com
Expel Risk Score (AI oriented)
Between 650 and 699
logo
ExpelComputer and Network Security
Updated:
23/04/2026
699/1000
Weak
B
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Expel Global Score (TPRM)
xxxx
logo
ExpelComputer and Network Security
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

Expel
ExpelWeak
Current Score
699B (WEAK)
01000
2 incidents
-29 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
704Before Incident
JUNE 2026
703Before Incident
MAY 2026
701Before Incident
APRIL 2026
740Before Incident
Cyber Attack
22 Apr 2026Expel
Expel, OpenAI, Cursor and Anima: AI Tools Are Helping Mediocre North Korean Hackers Steal Millions

North Korean Hackers Leverage AI to Steal $12 Million in Cryptocurrency

699After Incident
LOW-41
EXPANIANYOPE1776903982
North Korean Hackers Leverage AI to Steal $12 Million in Cryptocurrency Cybersecurity firm Expel has uncovered a North Korean state-sponsored hacking campaign that exploited AI tools to orchestrate a large-scale cryptocurrency theft operation. The group, dubbed HexagonalRodent, targeted over 2,000 developers working on cryptocurrency, NFT, and Web3 projects, using AI-generated malware and phishing infrastructure to siphon an estimated $12 million in just three months. Unlike highly sophisticated cybercrime syndicates, HexagonalRodent relied on AI platforms including OpenAI, Cursor, and Anima to compensate for its lack of technical expertise. The hackers used these tools to write malware, design fake company websites, and craft phishing lures, particularly fraudulent job offers aimed at developers. Victims were tricked into downloading malware-laced coding assignments, which stole credentials and, in some cases, crypto wallet keys. Security researcher Marcus Hutchins, who identified the group, noted that the operation’s success stemmed not from advanced hacking skills but from AI’s ability to automate tasks that would otherwise require significant technical knowledge. The hackers’ reliance on AI was evident in their malware, which included unusual features like excessive English-language comments and emoji-littered code hallmarks of large language model-generated software. Despite their effectiveness, the group left critical infrastructure exposed, revealing their AI prompts and a database tracking victim wallets. While the $12 million figure represents the total value of compromised wallets, researchers could not confirm whether all funds had been drained, as some wallets may have been protected by hardware security tokens. The campaign underscores how AI is lowering the barrier to entry for cybercriminals, enabling even low-skilled actors to execute high-impact attacks.
INCIDENT DETAILS -
TYPE
Cryptocurrency Theft
MOTIVATION
Financial gain
IMPACT
Financial Loss: $12 million (estimated)Data Compromised: Credentials, crypto wallet keysSystems Affected: Victim devices (developers' systems)Identity Theft Risk: High (credentials and wallet keys compromised)Payment Information Risk: High (crypto wallet keys compromised)
DATA BREACH
Type Of Data Compromised: Credentials, crypto wallet keysSensitivity Of Data: High (personally identifiable and financial information)Personally Identifiable Information: Yes (credentials, wallet keys)
MARCH 2026
740Before Incident
FEBRUARY 2026
740Before Incident
JANUARY 2026
739Before Incident
DECEMBER 2025
739Before Incident
NOVEMBER 2025
754Before Incident
Cyber Attack
01 Nov 2025Expel
Huntress, Rhysida and Expel: Gootloader Malware Maintains Low Detection Rate While Bypassing Most Security Tools

Gootloader’s Sophisticated Anti-Detection Tactics Exposed in Latest Campaign

737After Incident
LOW-17
HUNREDEXP1768977371
Gootloader’s Sophisticated Anti-Detection Tactics Exposed in Latest Campaign A recent analysis by Huntress and Expel reveals how the Gootloader malware leverages deliberately malformed ZIP archives to evade security tools while maintaining functionality for targeted victims. The threat actor, known for its role as an initial access broker in ransomware operations, has partnered with Vanilla Tempest, a group deploying Rhysida ransomware, in an ongoing campaign active since November 2025. ### Evasion Through Malformed ZIP Archives Gootloader’s infection chain begins with weaponized ZIP files containing malicious JScript payloads, such as "Indiana_Animal_Protection_Laws_Guide.js." These archives are engineered to bypass analysis tools like 7-Zip and WinRAR while remaining extractable via Windows’ native unarchiving utility. Key evasion techniques include: - Concatenated ZIP structures: Each archive contains 500–1,000 nested ZIP files, with the End of Central Directory (EOCD) record strategically placed to direct extraction to the valid payload. - Truncated EOCD records: Missing critical bytes violate ZIP format standards, causing parsing failures in security tools. - Randomized metadata: Mismatched version numbers, timestamps, CRC32 checksums, and file sizes between local file headers and central directory records further disrupt analysis. - Client-side generation: Victims receive XOR-encoded data blobs decoded by browsers, assembling into identical ZIP structures until reaching 70–80 MB despite the extracted JScript payload being only ~287 KB. ### Execution & Persistence When victims extract and run the JScript file, Windows Script Host (WScript) processes it from `AppData\Local\Temp`, initiating a multi-stage attack: 1. Persistence: Creates LNK shortcuts in the Startup folder, referencing secondary scripts via NTFS short filenames (e.g., `FILENA~1.js`). 2. Obfuscated PowerShell execution: CScript launches the script, which spawns PowerShell processes with heavily obfuscated commands to establish command-and-control (C2) communications. ### Detection & Indicators of Compromise Security teams can identify Gootloader activity by monitoring: - Process patterns: `wscript.exe` executing JScript from temp directories, followed by `cscript.exe` invoking scripts via NTFS shortnames and spawning PowerShell. - File characteristics: ZIP archives with >100 instances of `PK\x03\x04` (local file headers) or `PK\x05\x06` (EOCD records). - Persistence artifacts: LNK files in `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`. Known IOCs: - File hash (SHA-256): `b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e` - Malicious extensions: `.js`, `.jse` - Execution paths: Temp directories, NTFS shortname scripts Gootloader remains a persistent threat, historically accounting for 11% of malware bypassing enterprise security solutions. Its collaboration with Vanilla Tempest underscores its role in facilitating Rhysida ransomware attacks.
INCIDENT DETAILS -
TYPE
Malware Campaign
MOTIVATION
Initial access for ransomware operations (Rhysida ransomware deployment)
DATA BREACH
.js.jse
OCTOBER 2025
754Before Incident
SEPTEMBER 2025
754Before Incident
AUGUST 2025
754Before Incident

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for Expel ?
?
What was Expel's A.I Rankiteo Cyber Score in June 2026 ?
?
What was Expel's A.I Rankiteo Cyber Score in May 2026 ?
?
What was Expel's A.I Rankiteo Cyber Score in April 2026 ?
?
What was Expel's A.I Rankiteo Cyber Score in March 2026 ?
?
What was Expel's A.I Rankiteo Cyber Score in February 2026 ?
?
What was Expel's A.I Rankiteo Cyber Score in January 2026 ?
?
What was Expel's A.I Rankiteo Cyber Score in December 2025 ?
?
What was Expel's A.I Rankiteo Cyber Score in November 2025 ?
?
What was Expel's A.I Rankiteo Cyber Score in October 2025 ?
?
What was Expel's A.I Rankiteo Cyber Score in September 2025 ?
?
What was Expel's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on Expel's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with Expel ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view Expel's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?
Expel Cyber Scoring History | Rankiteo