🚨 New threat research: Proofpoint identified a likely North Korea-aligned threat cluster, UNK_DeadDrop, targeting software developers through trusted development platforms and workflows. Read the blog: www.proofpoint.com/us/blog/thre....

New from @threatinsight.proofpoint.com! North Korean actor UNK_DeadDrop (possibly overlapping with Contagious Interview) conducts a high volume phishing campaign targeting developers with a new technique abusing VSIX extensions and new open source payload Overlord www.proofpoint.com/us/blog/thre...

NEW: we caught 🇨🇳Chinese hackers... again. Twist: they're hacking journalists & activists, but we suspect they're private contractors. State repression... with a profit margin. Thread + how to protect yourself 1/ By my colleagues @citizenlab.ca + @icij.org citizenlab.ca/research/how...

🚨New research reveals how two sophisticated surveillance actors exploited the global telecom ecosystem and, for the first time, directly links combined 3G and 4G network attacks to mobile operator infrastructure. citizenlab.ca/research/unc...

After a lull in activity targeting Europe from mid-2023 to mid-2025, the China-aligned espionage actor #TA416 (RedDelta, Vertigo Panda, Red Lich) has resumed targeting European government and diplomatic entities, with a recent expansion to the Middle East. brnw.ch/21x1f0j

Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. 🧵

Conflict in Iran is accelerating cyber espionage across the Middle East. Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Details: brnw.ch/21x0EJi.

📣 #PIVOTcon26 Agenda is here 🤟 We are thrilled to announce the lineup for this year's edition! 2⃣ days and 19 talks from leading #ThreatResearch experts. The agenda link is in the first comment👇, and the talks and speakers are in the thread.🧵 #CTI #ThreatIntel 1/15

One of the fastest ways to trigger me in a work context these days is to whisper "Mustang Panda". Instant menty b ✨

In addition to espionage threat actors, financially motivated cybercriminals have been exploiting the WinRAR vulnerability CVE-2025-8088. The highly effective ecrime actor, typically seen distributing Koi Stealer/Koi Loader (TA4561), was observed doing so in Fall 2025. Details. ⤵️

Alongside this activity recently highlighted by Google (cloud.google.com/blog/topics/...), Proofpoint threat researchers have observed additional exploitation of WinRAR vulnerability CVE-2025-8088 by state‑aligned groups linked to China and the DPRK.

New espionage/e-crime crossover blog from the team on the continued rise of device code phishing by state-aligned and financially motivated groups.

A study in the evolution of SVR cyberespionage tradecraft

@volexity.com tracks a variety of threat actors abusing Device Code & OAuth authentication workflows to phish credentials, which continue to see success due to creative social engineering. Our latest blog post details Russian threat actor UTA0355’s campaigns impersonating European security events.

1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆 We use this tool internally to help track multiple threat actors with high confidence.

📣 🔥 🛋️ SAVE THE DATE 🛋️ 🔥 📣 The next #PIVOTcon will be on 6-8 May 2026, in Malaga, ES!!! You favorite ;) #ThreatResearch conference is coming back and we are planning to bring you the usual experience and content of utmost quality. Follow us + #StayTuned for more info #CTI #ThreatIntel #PIVOTcon26

Good piece covering a big burst of TA416 activity targeting European governments last week!

First public report at Recorded Future by yours truly is out! RedNovember (formerly TAG-100, a.k.a. Storm-2077) is a Chinese state-sponsored threat group focused on intelligence collection, especially on flashpoint issues of strategic interest to China. www.recordedfuture.com/research/red...

Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations. Blog: www.proofpoint.com/us/blog/thre....

🚨🇨🇳💰 New @threatinsight.proofpoint.com blog on TA415 (aka APT41) economy and trade-themed spearphishing against US govt, think tanks & academia. The campaigns used U.S.-China economic lures and spoofed the Chair of the House Select Committee on CCP competition + the US-China Business Council.

It is time the Mustang Panda moniker went the way of Winnti Group ☠️

1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...

🚨🆕🐟🍟 New blog from me and the amazing @threatinsight.proofpoint.com team covering recent activity by multiple China-aligned threat actors targeting semiconductor companies in Taiwan over the past few months: www.proofpoint.com/us/blog/thre...

New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...

New DISCARDED podcast drop! Join @greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c... open.spotify.com/episode/01d1...

Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social it’s got it all: 🛰️ Popped routers for sending phish 📊 ACH on attribution 👾 custom protocols 👽 cool malware 🕵️ crime 🎯 espionage ❔many unanswered questions www.proofpoint.com/us/blog/thre...

🚨 We’re hiring at Recorded Future’s Insikt Group Two senior analyst roles are open right now. Both focus on tracking nation-state threats. 🧵

Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵 www.recordedfuture.com/research/pre...

Dropping some joint research today with Threatray on TA397/Bitter 🔍 We dive into the confluence of signals that led us to our attribution of the threat actor 🎯 Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research. www.proofpoint.com/us/blog/thre...

From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...

Is the era of the “named actor” done? As the OG adversary sets diverge, get promoted, or move on actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground) AND the CTI models maturing… APTs ⬇️⬇️ UNCs ⬆️⬆️

same tbh

New Proofpoint blog alert We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025: www.proofpoint.com/us/blog/thre...

@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...

Had such a great time at PIVOTcon @pivotcon.bsky.social - what a brilliant conference and the location isn't half bad either 🇪🇸

If you're looking at email headers and they're not pretty, you need to install @jacoblatonis.me's @vscode.dev extension marketplace.visualstudio.com/items?itemNa...

Thanks to my favorite team buddies for their collab and indulging my slight obsession 💜 @greg-l.bsky.social @mkyo.bsky.social and Josh

Saher's first blog on the scourge that is ClickFix usage in the espionage space!! Had to sneak in the UNK_RemoteRogue RDP shenanigans as well - a thus far unattributed group we assess to be Russia-aligned, using a pretty fun set of email tactics

My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...

tired of looking at email headers as disgusting plaintext? only want things of value to stand out? look no further than this VSCode extension built by @jacoblatonis.me marketplace.visualstudio.com/items?itemNa...

timmy?!?!

📣 Oops!... They did it again!!! 61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.🔥 #PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out➡️ pivotcon.org/agenda-2025/ #CTI #ThreatIntel Talks and presenters in🧵⬇️ 1/18

Veeeery excited to attend and present at @pivotcon.bsky.social on attributing an extremely weird campaign to China-aligned TA415 (APT41/Brass Typhoon), as well as covering subsequent targeted activity linked to this actor!

Introducing #UNK_CraftyCamel! Leveraged Trusted Business Relationship? ✅ Low Volume, highly targeted? ✅ Interesting technique? ✅ Overlaps with other IRGC clusters? ✅ Bonus: Infrastructure still up to watch how they respond to the blog? ✅ www.proofpoint.com/us/blog/thre...

if you haven't done an escape room with members of your threat research team you're missing out

If I had a dollar for every single time something is attributed vaguely to “”Mustang Panda”” I could buy a flat in London

Dropping some new research on TA397/Bitter 🚨 Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs Report: www.proofpoint.com/us/blog/thre...

Preeeetty interesting targeting in this campaign 👀