New espionage/e-crime crossover blog from the team on the continued rise of device code phishing by state-aligned and financially motivated groups.

A study in the evolution of SVR cyberespionage tradecraft

@volexity.com tracks a variety of threat actors abusing Device Code & OAuth authentication workflows to phish credentials, which continue to see success due to creative social engineering. Our latest blog post details Russian threat actor UTA0355’s campaigns impersonating European security events.

1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆 We use this tool internally to help track multiple threat actors with high confidence.

📣 🔥 🛋️ SAVE THE DATE 🛋️ 🔥 📣 The next #PIVOTcon will be on 6-8 May 2026, in Malaga, ES!!! You favorite ;) #ThreatResearch conference is coming back and we are planning to bring you the usual experience and content of utmost quality. Follow us + #StayTuned for more info #CTI #ThreatIntel #PIVOTcon26

Good piece covering a big burst of TA416 activity targeting European governments last week!

First public report at Recorded Future by yours truly is out! RedNovember (formerly TAG-100, a.k.a. Storm-2077) is a Chinese state-sponsored threat group focused on intelligence collection, especially on flashpoint issues of strategic interest to China. www.recordedfuture.com/research/red...

Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations. Blog: www.proofpoint.com/us/blog/thre....

🚨🇨🇳💰 New @threatinsight.proofpoint.com blog on TA415 (aka APT41) economy and trade-themed spearphishing against US govt, think tanks & academia. The campaigns used U.S.-China economic lures and spoofed the Chair of the House Select Committee on CCP competition + the US-China Business Council.

It is time the Mustang Panda moniker went the way of Winnti Group ☠️

1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...

🚨🆕🐟🍟 New blog from me and the amazing @threatinsight.proofpoint.com team covering recent activity by multiple China-aligned threat actors targeting semiconductor companies in Taiwan over the past few months: www.proofpoint.com/us/blog/thre...

New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...

New DISCARDED podcast drop! Join @greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c... open.spotify.com/episode/01d1...

Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social it’s got it all: 🛰️ Popped routers for sending phish 📊 ACH on attribution 👾 custom protocols 👽 cool malware 🕵️ crime 🎯 espionage ❔many unanswered questions www.proofpoint.com/us/blog/thre...

🚨 We’re hiring at Recorded Future’s Insikt Group Two senior analyst roles are open right now. Both focus on tracking nation-state threats. 🧵

Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵 www.recordedfuture.com/research/pre...

Dropping some joint research today with Threatray on TA397/Bitter 🔍 We dive into the confluence of signals that led us to our attribution of the threat actor 🎯 Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research. www.proofpoint.com/us/blog/thre...

From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...

Is the era of the “named actor” done? As the OG adversary sets diverge, get promoted, or move on actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground) AND the CTI models maturing… APTs ⬇️⬇️ UNCs ⬆️⬆️

same tbh

New Proofpoint blog alert We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025: www.proofpoint.com/us/blog/thre...

@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...

Had such a great time at PIVOTcon @pivotcon.bsky.social - what a brilliant conference and the location isn't half bad either 🇪🇸

If you're looking at email headers and they're not pretty, you need to install @jacoblatonis.me's @vscode.dev extension marketplace.visualstudio.com/items?itemNa...

Thanks to my favorite team buddies for their collab and indulging my slight obsession 💜 @greg-l.bsky.social @mkyo.bsky.social and Josh

Saher's first blog on the scourge that is ClickFix usage in the espionage space!! Had to sneak in the UNK_RemoteRogue RDP shenanigans as well - a thus far unattributed group we assess to be Russia-aligned, using a pretty fun set of email tactics

My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...

tired of looking at email headers as disgusting plaintext? only want things of value to stand out? look no further than this VSCode extension built by @jacoblatonis.me marketplace.visualstudio.com/items?itemNa...

timmy?!?!

📣 Oops!... They did it again!!! 61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.🔥 #PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out➡️ pivotcon.org/agenda-2025/ #CTI #ThreatIntel Talks and presenters in🧵⬇️ 1/18

Veeeery excited to attend and present at @pivotcon.bsky.social on attributing an extremely weird campaign to China-aligned TA415 (APT41/Brass Typhoon), as well as covering subsequent targeted activity linked to this actor!

Introducing #UNK_CraftyCamel! Leveraged Trusted Business Relationship? ✅ Low Volume, highly targeted? ✅ Interesting technique? ✅ Overlaps with other IRGC clusters? ✅ Bonus: Infrastructure still up to watch how they respond to the blog? ✅ www.proofpoint.com/us/blog/thre...

if you haven't done an escape room with members of your threat research team you're missing out

If I had a dollar for every single time something is attributed vaguely to “”Mustang Panda”” I could buy a flat in London

Dropping some new research on TA397/Bitter 🚨 Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs Report: www.proofpoint.com/us/blog/thre...

Preeeetty interesting targeting in this campaign 👀

New episode of DISCARDED where we sit down with the 🐐 Mark Kelly, our lead China analyst, to talk all things China APT! Tune in wherever you get your podcasts. 🔮 Web: www.proofpoint.com/us/podcasts/... Apple: podcasts.apple.com/us/podcast/d... Spotify: open.spotify.com/episode/2AtJ...

Shout out to my 10-month-old for expanding my medical knowledge by giving me two illnesses I had never heard of until a few months ago—at the SAME TIME! 🎉

Looking for more people to follow on BlueSky? Find the @curatedintel.bsky.social folks here: go.bsky.app/Kfp62Uh

It's only an "ORB" if it is from the Cheltenham region of UK, otherwise it is just a sparkling botnet

All you random non-cyber people who started following me are going to be very confused when I post about Chinese APTs and not my dog

1/ In a recent cyber campaign, the Chinese state-sponsored group TAG-112 compromised two Tibetan websites to deliver the Cobalt Strike malware, highlighting an ongoing espionage focus on Tibetan entities: www.recordedfuture.com/research/chi...

hello bluesky but more importantly here's my dog

🚨 Chinese APT drama: Chengdu 404 (#RedGolf/#APT41) suing i-SOON (#RedHotel/#EarthLusca) over a "software development dispute" 🙃 Particularly interesting given RedHotel's use of malware families suspected to be originally developed in part by RedGolf/APT41 operators (e.g. ShadowPad/Winnti)

New from us on a Chinese APT group we track as RedHotel targeting orgs globally (overlaps Aquatic Panda/Earth Lusca/Bronze University/Red Scylla) https://www.recordedfuture.com/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale

ICYMI: In July 2023, Curated Intel members shared a brand new resource for the community called 'The Threat Actor Profile Guide for CTI Analysts'. The Threat Actor Profile Guide for CTI Analysts (curatedintel.org)

1\ Үер усны сэрэмжлүүлэг.lnk b919ab6f54f632401d708c66675da07d While this might look like Russian, this is Mongolian. LNK connects to estmongolia[.]com to install MSI file. Үер усны сэрэмжлүүлэг.msi 204a12016c46d31d615c38b13f6ad7ec MSI drops 32c26797ab646074a2bb562f9d10adb5 legit onenote to sideload