Multiple reports have documented specific TA397 campaigns, this one takes a holistic look at the group's activity and puts forward attribution elements pointing towards Indian state interests alignment. Stellar work by @nickattfield.bsky.social and @threatray.bsky.social's researchers

New Proofpoint blog alert We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025: www.proofpoint.com/us/blog/thre...

Personal bias aside, that is still a must-read. Impressive work by @saffronsec.bsky.social grouping together multiple campaigns to provide a comprehensive view of APT state-sponsored actors using ClickFix. Here's to your first blog with us! 🥂

🎯New Proofpoint research: Around the World in 90 Days: State-Sponsored Actors Try ClickFix 🎯 www.proofpoint.com/us/blog/thre... In 2024 we released two blogs on cybercrime actors using ClickFix in their attack chains: www.proofpoint.com/us/blog/thre... www.proofpoint.com/us/blog/thre...

Hot off the press - new report on TA397 (aka Bitter) by Proofpoint's Threat Research team - Targeted the Turkish defense sector in Fall 2024 - Uses Alternate Data Streams in RAR archives www.proofpoint.com/us/blog/thre...

Developing story - attack against #BGP peers of a European telco. The malicious emails impersonated that same telco and included the ASN of each recipient in the subject line. The emails contained a password-protected RAR attachment with the malicious payload.

since I'm cold and missing #OBTS I wanted to reflect on what @jacoblatonis.me and Tomas have gifted us with the YARA-X Macho module the OG YARA macho parsing left a lot to be desired, and the new YARA-X ver has all sorts of goodies