LT18-The Cost Of Sharing
2026-04-16, Amphitheater

Threat intelligence sharing is one of the cornerstones of the security community. Disclosing findings publicly helps defenders act, raises collective awareness, and advances the field. But sharing is not a cost-free operation, and this talk is about one case where the cost became visible in an unexpected way.

In early 2026, Cleafy TIR published a full technical analysis of Mirax, a novel Android RAT capable of turning infected devices into residential proxy nodes. The report included C2 indicators, malware capabilities, and delivery infrastructure details. One element was deliberately withheld: the URL of an attacker-controlled GitHub repository actively distributing new APK variants on a daily basis. The decision to blur it was intentional: the repository represented a live intelligence source, and burning it would mean losing visibility into an ongoing campaign.

This talk presents that case as a concrete example of a recurring tension in threat intelligence sharing: the gap between the intent of a disclosure and the downstream actions it enables. We examine the decision to blur rather than redact, the signal that blurring carries, and what it means when that signal is not recognised or respected.

The talk does not offer a verdict. It asks a question the community should be discussing openly: how do we share intelligence without becoming collateral in our own disclosures?

He has a solid background in penetration testing and modern malware analysis. His main research topics are threat intelligence and computer forensics. Nevertheless, he is passionate about binary exploitation, reverse engineering, and privilege escalation techniques. He now works as a principal malware analyst at Cleafy. He has spoken at Botconf 2023, Cert-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, and Botconf 2025 as well as DEFCon 2025.
