François Deruty
@derutyf.bsky.social
📤 304
📥 104
📝 39
threat intelligence at
https://www.sekoia.io
/ former head of cert-fr
https://blog.sekoia.io
Eviltokens ⤵️
blog.sekoia.io/new-widespre...
blog.sekoia.io/eviltokens-a...
loading . . .
New widespread EvilTokens kit: device code phishing as-a-service - Part 1
Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud
https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/
24 days ago
0
1
0
Silver fox⤵️
blog.sekoia.io/silver-fox-t...
loading . . .
Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware
Track the 2025-2026 shift of China-based Silver Fox from financial crime to APT espionage. Discover how they exploit tax-themed phishing and RMM tools to target South Asian entities.
https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/
about 1 month ago
0
1
1
OysterLoader ⤵️
blog.sekoia.io/oysterloader...
loading . . .
OysterLoader Unmasked: The Multi-Stage Evasion Loader
Unmasking OysterLoader's evasion: from API hammering to custom LZMA. Explore the 4-stage infection chain and its ties to Rhysida ransomware.
https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/
3 months ago
0
1
0
IClickfix ⤵️
blog.sekoia.io/meet-iclickf...
loading . . .
Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
Uncover IClickFix: a malicious framework exploiting the ClickFix tactic in widespread malware campaigns to deliver NetSupport RAT.
https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/
3 months ago
0
1
0
Leveraging Landlock telemetry for Linux detection engineering ⤵️
blog.sekoia.io/leveraging-l...
loading . . .
Leveraging Landlock telemetry for Linux detection engineering
This blogpost explore how Landlock as an interesting security mechanism and a valuable source of telemetry for detection engineering.
https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/
4 months ago
0
1
0
"I paid twice" ⤵️
blog.sekoia.io/phishing-cam...
loading . . .
Phishing Campaigns "I Paid Twice" Targeting Booking.com Hotels and Customers
Sekoia.io exposes a Booking.com phishing campaign targeting hotels and customers using ClickFix and PureRAT malware.
https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/
6 months ago
0
1
0
TransparentTribe⤵️
blog.sekoia.io/transparentt...
loading . . .
TransparentTribe targets Indian military organisations with DeskRAT
TransparentTribe targets Indian military entities using DeskRAT, a Golang-based remote access Trojan. Learn how this new campaign works.
https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/
6 months ago
0
2
0
APT28⤵️
blog.sekoia.io/apt28-operat...
loading . . .
APT28 Operation Phantom Net Voxel
APT28 Operation Phantom Net Voxel: weaponized Office lures, COM-hijack DLL, PNG stego to Covenant Grunt via Koofr, BeardShell on icedrive.
https://blog.sekoia.io/apt28-operation-phantom-net-voxel/
8 months ago
0
3
1
Predators for hire ⤵️
blog.sekoia.io/predators-fo...
loading . . .
Predators for Hire: A Global Overview of Commercial Surveillance Vendors
Explore the 2025 landscape of Adversary-in-the-Middle phishing threats with data, trends, and top detection insights.
https://blog.sekoia.io/predators-for-hire-a-global-overview-of-commercial-surveillance-vendors/
8 months ago
0
3
0
reposted by
François Deruty
TechNadu
11 months ago
TechNadu interviewed François Deruty (
@derutyf.bsky.social
), Chief Intelligence Officer of
@sekoia.io
, to get answers about innovations observed in cybercrime operations, challenges faced by CIOs, and adjustments to intelligence programs. Read the interview⤵️
#AI
#Cybersecurity
#GenerativeAI
#CTI
loading . . .
Exploiting Vulnerabilities Using AI at Machine Speed, the Alarming Number of Unpatched Devices, and Anticipating How Adversaries Think
Sekoia.io on collaborating with Europol, dynamic behavior modelling for Gen AI threats, and pooling CTI from various sources
https://www.technadu.com/exploiting-vulnerabilities-using-ai-at-machine-speed-the-alarming-number-of-unpatched-devices-and-anticipating-how-adversaries-think/600534/
0
2
1
reposted by
François Deruty
Sekoia.io
11 months ago
📝 Our latest
#TDR
report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM)
#phishing
threats - targeting Microsoft 365 and Google accounts - and their ecosystem. This report shares actionable intelligence to help analysts detect and investigate AitM phishing.
1
10
7
Vicious trapèze ⤵️
blog.sekoia.io/vicioustrap-...
loading . . .
ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.
Discover ViciousTrap, a newly identified threat who turning edge devices into honeypots en masse targeting
https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/
12 months ago
0
3
0
Interlock⤵️
blog.sekoia.io/interlock-ra...
loading . . .
Interlock ransomware evolving under the radar
ClickFix ransomware attack uses deceptive prompts and PowerShell loaders to deploy threats like Interlock under the radar.
https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
about 1 year ago
0
1
0
Clickfake ⤵️
blog.sekoia.io/clickfake-in...
loading . . .
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.
https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
about 1 year ago
0
1
0
Clearfake ⤵️
blog.sekoia.io/clearfakes-n...
loading . . .
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.
https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
about 1 year ago
0
1
0
PolarEdge ⤵️
blog.sekoia.io/polaredge-un...
loading . . .
PolarEdge: Unveiling an uncovered ORB network
Discover PolarEdge, a newly identified botnet targeting edge devices via CVE-2023-20118, using a stealthy TLS backdoor.
https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/
about 1 year ago
0
2
0
reposted by
François Deruty
Sekoia.io
about 1 year ago
Cyber threats impacting the financial sector: focus on the main actors We're thrilled to announce the release of the latest strategic report by Sekoia
#TDR
. This analysis highlights key cyber threats to the
#financial
sector in 2024.
https://buff.ly/3D3IZl7
0
5
3
Cyber threats against financial sector⤵️
blog.sekoia.io/cyber-threat...
loading . . .
Cyber threats impacting the financial sector in 2024 - focus on the main actors
Delve into Finance-related cyber threats in 2024. Our report highlights major actors and tactics impacting the financial sector.
https://blog.sekoia.io/cyber-threats-impacting-the-financial-sector-in-2024-focus-on-the-main-actors/
about 1 year ago
0
1
0
New paper⤵️
blog.sekoia.io/ratatouille-...
loading . . .
RATatouille: Cooking Up Chaos in the I2P Kitchen
Discover the challenges of ClickFix12 and the newly identified I2PRAT. Uncover the advanced techniques employed by this multi-stage RAT.
https://blog.sekoia.io/ratatouille-cooking-up-chaos-in-the-i2p-kitchen/
about 1 year ago
0
4
1
Detection part two⤵️
blog.sekoia.io/detection-en...
loading . . .
Detection engineering at scale: one step closer (part two)
Discover the power of detection engineering and how it can help scale your cybersecurity projects efficiently.
https://blog.sekoia.io/detection-engineering-at-scale-one-step-closer-part-two/
over 1 year ago
0
1
0
reposted by
François Deruty
Nicolas Caproni
over 1 year ago
🚨To strengthen the
#investigation
and
#detection
capabilities of the
Sekoia.io
Threat Detection & Research (TDR) team, we are looking for a Senior Technical Threat Researcher!
www.welcometothejungle.com/fr/companies...
#CTI
#DetectionEngineering
loading . . .
Sr Technical Threat Researcher - Sekoia.io - CDI - Télétravail total
Sekoia.io recrute un(e) Sr Technical Threat Researcher !
https://www.welcometothejungle.com/fr/companies/sekoia/jobs/sr-technical-threat-researcher_SEKOI_QaPpoQq
0
5
4
If you are passionate about cyber threat intelligence, this offer is for you! ⤵️
www.welcometothejungle.com/fr/companies...
loading . . .
Sr Technical Threat Researcher - Sekoia.io - CDI - Télétravail total
Sekoia.io recrute un(e) Sr Technical Threat Researcher !
https://www.welcometothejungle.com/fr/companies/sekoia/jobs/sr-technical-threat-researcher_SEKOI_QaPpoQq
over 1 year ago
0
3
0
New campaign ⤵️
blog.sekoia.io/targeted-sup...
loading . . .
Targeted supply chain attack against Chrome browser extensions
In this blog post, learn about the supply chain attack targeting Chrome browser extensions and the associated targeted phishing campaign.
https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/
over 1 year ago
0
3
2
reposted by
François Deruty
crep1x
over 1 year ago
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives These archives contain an AutoIT dropper, we internally named
#SelfAU3
Dropper at
@sekoia.io
, which executes
#Lumma
Stealer IoCs ⬇️
2
9
6
New AiTM phishing as a service ⤵️
blog.sekoia.io/sneaky-2fa-e...
loading . . .
Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service
In this blog post, learn about Sneaky 2FA, a new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts.
https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/
over 1 year ago
0
0
0
reposted by
François Deruty
InfoSec
over 1 year ago
FBI deletes Chinese PlugX malware from thousands of US computers
loading . . .
FBI deletes Chinese PlugX malware from thousands of US computers
The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.
https://www.bleepingcomputer.com/news/security/fbi-deletes-chinese-plugx-malware-from-thousands-of-us-computers/
0
3
2
reposted by
François Deruty
jon greig
over 1 year ago
The DOJ worked with French authorities and
Sekoia.io
to remove PlugX malware from thousands of devices around the world
therecord.media/doj-deletes-...
loading . . .
DOJ deletes China-linked PlugX malware off more than 4,200 US computers
U.S law enforcement accused the People’s Republic of China of paying hackers that are part of a well-known group called Mustang Panda to deploy the PlugX malware — which allows them to “infect, contro...
https://therecord.media/doj-deletes-china-linked-plugx-malware
0
16
10
International cooperation, proud of TDR team from
@sekoia.io
⤵️
www.justice.gov/opa/pr/justi...
loading . . .
Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers
The Justice Department and FBI today announced a multi-month law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide. A...
https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed
over 1 year ago
2
17
4
reposted by
François Deruty
Sekoia.io
over 1 year ago
🇷🇺
#DoubleTap
Campaign:
#Russia-nexus
APT possibly related to
#APT28
conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
https://buff.ly/3WEwPG7
1
8
6
Double-tap campaign ⤵️
blog.sekoia.io/double-tap-c...
loading . . .
Double-Tap Campaign : Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Uncover the details of UAC-0063 cyberespionage campaign in Kazakhstan and its potential connection to APT28
https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
over 1 year ago
0
2
0
Feedbacks on a botnet disinfection campaign ⤵️
blog.sekoia.io/plugx-worm-d...
loading . . .
PlugX worm disinfection campaign feedbacks
Discover how we successfully disinfected thousands of computers infected with the PlugX worm using two remote disinfection methods.
https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/
over 1 year ago
0
2
0
Happy Yara Xmas ! ⤵️
blog.sekoia.io/happy-yara-c...
loading . . .
Happy YARA Christmas!
Discover daily YARA usage at Sekoia.io TDR. Learn how YARA rules identify threats and aid in investigations and DFIR engagements.
https://blog.sekoia.io/happy-yara-christmas/
over 1 year ago
0
10
6
Want to talk about detection? ⤵️
blog.sekoia.io/detection-en...
loading . . .
Detection engineering at scale: one step closer (part one)
Discover how Sekoia.io addresses SOC and Detection Engineering challenges with innovative continuous monitoring and review approaches.
https://blog.sekoia.io/detection-engineering-at-scale-one-step-closer-part-one/
over 1 year ago
0
2
0
reposted by
François Deruty
Sekoia.io
over 1 year ago
🎯 Ransomware-driven data
#exfiltration
: techniques and implications Our new
#TDR
report focuses on the exfiltration techniques leveraged by
#ransomware
and
#extortion
groups.
https://buff.ly/415o0ry
#ThreatIntelligence
#Detection
loading . . .
Ransomware-driven data exfiltration: techniques and implications
Introduction This report focuses on the exfiltration techniques leveraged by ransomware and extortion groups in lucrative campaigns. It aims to provide a comprehensive analysis of the techniques and…
https://buff.ly/415o0ry
0
11
9
Wanna talk about exfiltration ? ⤵️
blog.sekoia.io/ransomware-d...
loading . . .
Ransomware-driven data exfiltration: techniques and implications
Introduction This report focuses on the exfiltration techniques leveraged by ransomware and extortion groups in lucrative campaigns. It aims to provide a comprehensive analysis of the techniques and t...
https://blog.sekoia.io/ransomware-driven-data-exfiltration-techniques-and-implications/
over 1 year ago
0
1
1
Helldown ⤵️
blog.sekoia.io/helldown-ran...
loading . . .
Helldown Ransomware: an overview of this emerging threat
Comprehensive Analysis of Helldown: Tactics, Techniques, and Procedures (TTPs) and Exploitation of Zyxel Vulnerabilities %
https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/
over 1 year ago
0
1
0
New paper ⤵️
blog.sekoia.io/a-three-beat...
loading . . .
A three beats waltz: The ecosystem behind Chinese state-sponsored cyber threats
Sekoia TDR analysts conduct an assessment of threats regarding the major elections that will occur in 2024.
https://blog.sekoia.io/a-three-beats-waltz-the-ecosystem-behind-chinese-state-sponsored-cyber-threats/
over 1 year ago
0
4
3
Assessing cyber threats to elections⤵️
blog.sekoia.io/guarding-dem...
loading . . .
Guarding Democracy: Assessing Cyber Threats to 2024 Worldwide Elections
Sekoia TDR analysts conduct an assessment of threats regarding the major elections that will occur in 2024.
https://blog.sekoia.io/guarding-democracy-assessing-cyber-threats-to-2024-worldwide-elections/
about 2 years ago
0
0
0
New paper ⤵️
blog.sekoia.io/the-architec...
loading . . .
The Architects of Evasion: a Crypters Threat Landscape
Learn about key concepts and different crypters-related activities as well as the lucrative ecosystem of malicious groups that exploit them.
https://blog.sekoia.io/the-architects-of-evasion-a-crypters-threat-landscape/
about 2 years ago
0
1
1
Diceloader ⤵️
blog.sekoia.io/unveiling-th...
loading . . .
Unveiling the intricacies of DiceLoader
Learn how DiceLoader (also known as Icebot), a malware used by the FIN7 intrusion set, works.
https://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/
over 2 years ago
0
0
0
New paper ⤵️
blog.sekoia.io/securing-gol...
loading . . .
Securing Gold: Assessing Cyber Threats on Paris 2024
This report provides an overview of the various cyber operations likely to impact the next Olympic and Paralympic Games (Paris 2024).
https://blog.sekoia.io/securing-gold-assessing-cyber-threats-on-paris-2024/
over 2 years ago
0
1
0
reposted by
François Deruty
Sekoia.io
over 2 years ago
🪪 Our new blog post explores the importance of Identity and Access Management (#IAM) event
#detection
. We focus at how
Sekoia.io
set up detection rules for @okta and @JumpCloud technologies.
blog.sekoia.io/iam-detectio...
#DetectionEngineering
#Cloud
#SOCplatform
0
5
2
CALISTO doxxing ⤵️
blog.sekoia.io/calisto-doxx...
loading . . .
CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korine...
Discover activities linking Korinets to CALISTO doxxing in our investigation. Uncover details from emails, domains & servers used to target UK Parliament & Cambridge University.
https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/
over 2 years ago
0
1
1
reposted by
François Deruty
Sekoia.io
over 2 years ago
🏦 Our latest report provides insights on the cyber threats impacting the
#financial
sector in 2023. We analysed the trends in lucrative and state-sponsored ecosystems and outlined the most notable evolutions. For more details, check out our blog post:
blog.sekoia.io/unmasking-th...
loading . . .
Unmasking the latest trends of the Financial Cyber Threat Landscape
This report aims at depicting recent trends in cyber threats impacting the financial sector worldwide. It focuses on principal tactics, techniques and procedures used by lucrative and state-sponsored ...
https://blog.sekoia.io/unmasking-the-latest-trends-of-the-financial-cyber-threat-landscape/
1
5
3
reposted by
François Deruty
Sekoia.io
over 2 years ago
#DarkGate
gained popularity among threat actors (e.g:
#TA577
,
#DuckTail
), our
#RE
analysis details the internals of the malware, how it implements technique to evade defenses: Union-API, token theft via UpdateProcThreadAttribute, APC injection.
blog.sekoia.io/darkgate-int...
1
5
4
Darkgate internals ⤵️
blog.sekoia.io/darkgate-int...
loading . . .
DarkGate Internals
Introduction & Objectives DarkGate is sold as Malware-as-a-Service (MaaS) on various cybercrime forums by RastaFarEye persona, in the past months it has been used by multiple threat actors such as TA5...
https://blog.sekoia.io/darkgate-internals/
over 2 years ago
0
2
0
New blogpost ⤵️
blog.sekoia.io/game-over-ga...
loading . . .
Game Over: gaming community at risk with information stealers
This report was originally published for our customers on 26 October 2023. The world of online gaming, a thriving global community of millions, has become an enticing target for malicious actors seeki...
https://blog.sekoia.io/game-over-gaming-community-at-risk-with-information-stealers/
over 2 years ago
0
1
0
reposted by
François Deruty
Sekoia.io
over 2 years ago
🔍 We recently conducted an in-depth analysis of
#AridViper
, an intrusion set believed to have ties with
#Hamas
. Also known as APT C-23,
#MoleRATs
,
#GazaCyberGang
, or
#DesertFalcon
, AridViper has been reportedly active since 2012.
blog.sekoia.io/aridviper-an...
#CTI
#APT
loading . . .
AridViper, an intrusion set allegedly associated with Hamas
Find out more about AridViper intrusion set and its affiliation with Palestinian militant organisation Hamas. Learn about its cyberespionage activities against Israel and any entity in the Middle East...
https://blog.sekoia.io/aridviper-an-intrusion-set-allegedly-associated-with-hamas/
1
5
1
reposted by
François Deruty
Mathieu Feuillet
over 2 years ago
Le
@cert-fr.bsky.social
vient de publier un mémo sur les campagnes d'attaques APT28 depuis 2021. En plus de décrire les techniques utilisées, le mémo contient plein de recommandations pour s'en prémunir. A lire avec attention !
www.cert.ssi.gouv.fr/cti/CERTFR-2...
2
22
20
our last analysis of ClearFake ⤵️
blog.sekoia.io/clearfake-a-ne…
over 2 years ago
2
6
4
Load more
feeds!
log in
