Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear... 1/n

Many many folks in this effort over the years. Thankful for everyone and hope its of use.

The Natto Team continues finding stories of Chinese hackers fascinating as they reveal the motivations behind cyber operations and the evolution of China's information security industry. nattothoughts.substack.com/p/stories-of...

The May release for ACCE includes updates and support including #AurotunStealer #rutserv #PupkinStealer #PE32Ransomware #Interlock www.ciphertechsolutions.com/acce-release...

France just called out GRU Unit 20728 (166th Research Information Centre), posted up in Rostov-on-Don, for cyberattacks. Kremlin got new ops on the board. www.diplomatie.gouv.fr/en/country-f... @wylienewmark.bsky.social

Yall are beyond not ready about the shit we're cooking up with @censys.bsky.social and @greynoise.io powers combined censys.com/blog/hunting...

I'm always a big fan of @agreenberg.bsky.social's writing, but I don't see a clear reason to believe these six stories are connected to "lesser-known hacker groups."

S02E01: Smoked Customers operation-endgame.com

It's here! S02E01: Smoked customers

Tick Tock ⏰

Kyle's talk at Insomni'Hack is live! youtu.be/I0PoE0IdtmE?... Check it out if you're interested in a slice of modern program analysis and try the latest version of Tanto as well, in the plugin manager or at github.com/Vector35/tanto

Cool stuff. Kudos to whoever at Censys wrote this. I researched the ORB network myself but lack access to historical data. Thanks for providing historical visibility. censys.com/junos-and-re...

Bring Back RiskIQ!

🚨 ALEART 🚨 #UAT-5918 is the new #Winnti! 😂

The R&D team at JuniperNetworks released a detailed 35-page malware analysis report "The RedPenguin Malware Incident", covering the #TINYSHELL components used by #UNC3886, including the C2 protocol structure. supportportal.juniper.net/sfc/servlet.shepherd/document/download/069Dp00000FzdmIIAR

APT27 & i-soon hackers charged by DOJ—12 caught as the cats are out of the bag now. Yet APT27’s infra still purrs. Let’s see how they claw back from this! www.justice.gov/opa/pr/justi...

Epic collab, UNC4899 🤝 UNC5267 FBI official advisory on Bybit crypto theft www.ic3.gov/PSA/2025/PSA...

@shodanhq.bsky.social Awesome! Shodan History is back in the UI. Nice!!! Thank you. But I have a question regarding trends.shodan.io. all trends I do are stopping at October 2024. Why? Please make them to the current data again. I love it and need it. :)

Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts. cloud.google.com/blog/topics/...

This latest blog from Cyfirma on Cl0p/Cleo exploitation is utter garbage, ignore it. LLM YARA rule (not even valid syntax), massively inflated statistics, and misleading IOCs and analysis. www.cyfirma.com/research/cl0...

Excited to receive the @abuse-ch.bsky.social& @spamhaus.bsky.social swag! 🎁 Thank you for sending this amazing package. It means a lot to be recognized as a Top Contributor in the fight against cybercrime. Looking forward to continuing our battle together! 💪 #StrengthINUnity

I miss the free version of riskIQ

A BIG thank you to our top contributors🎖️for sharing valuable technical cyber threat intelligence on our platforms over the past year. 🙏 Your efforts had a significant impact on cyber security, making the internet a safer place👏💪🛡️ A nice surprise is coming your way! 🎁 👀👇

#CMS8000 backdoor Hardcoded IP: 202.114.4[.]119 (h/t @craiu.bsky.social) registered to Tsinghua University 👀 VT link: www.virustotal.com/gui/file/4e4... 📝 www.cisa.gov/sites/defaul...

The blog feels like a retro FLARE blog from the good old FireEye days! Shout out to Nino Isakovic, @qutluch.bsky.social and @lukejenx.bsky.social cloud.google.com/blog/topics/...

⚖️EU sanctions three Russian GRU Unit 29155 officers for cyberattacks against Estonia in 2020. www.consilium.europa.eu/en/press/pre... Individuals Sanctioned: 1️⃣Nikolay Alexandrovich KORCHAGIN 2️⃣Vitaly SHEVCHENKO 🆕 3️⃣Yuriy Fedorovich DENISOV 📎 eur-lex.europa.eu/legal-conten...

⚖️EU sanctions three Russian GRU Unit 29155 officers for cyberattacks against Estonia in 2020. www.consilium.europa.eu/en/press/pre... Individuals Sanctioned: 1️⃣Nikolay Alexandrovich KORCHAGIN 2️⃣Vitaly SHEVCHENKO 🆕 3️⃣Yuriy Fedorovich DENISOV 📎 eur-lex.europa.eu/legal-conten...

Spent a bit of time adding some new features to “yr fmt” that I suspect will be well liked and very useful if you write a lot of rules and like consistency. I have the gist of it but am stumbling over some rust intricacies for the first time. Maybe by the end of the year I’ll have it done.

Just read this @sekoia.io's blog, and wow, it's a cool deep dive into how they use YARA internally! They go deep into metadata which you don't hear much about. Good stuff if you're into the nitty-gritty of YARA. blog.sekoia.io/happy-yara-c... #yara #threatintelligence

A new #yara-x release is out with some small improvements and bugfix. github.com/VirusTotal/y...

Russia’s cyber warfare evolved with #SecretBlizzard (APT) repurposing tools from other groups (Storm-1837 & Storm-1919) for targeted operations. The analysis details ongoing attacks on Ukraine, showcasing the group’s resource-sharing strategy and growing sophistication. tinyurl.com/4kzn3zcv

Two more suspected #Zloader HTTPS C2 server theartofshare./com (193.188.22.125:443) ~ 2024-11-12 checkpointone./world (147.45.79.30:443) ~ 2024-06-14 www.zscaler.com/blogs/securi...

Secret Blizzard: the hand-me-down hacker collective! After using tools from Hazel Sandstorm & Storm-0473, they’re now remixing Storm-0156’s infrastructure for fresh espionage hits. Also, they've leveraged resources from at least 6 other threat actors in the past! 👀 www.microsoft.com/en-us/securi...

See you 🔜 Boris! ⚖️

Close access technical operations are never going away; there’ll always be at least edge cases requiring physical proximity to target. But given the risks involved, pursuing remote means to achieve “close”-style tactics is likely a trend that has been ongoing but only just now coming into the light.

🚨 Microsoft’s Digital Crimes Unit takes aim at Storm-0867, the operator behind the #Caffeine Phishing-as-a-Service (PhaaS) platform ☕. A major crackdown on the cybercrime supply chain! blogs.microsoft.com/on-the-issue... 📜Unsealed court order: www.noticeofpleadings.com/fakeonnx/

Yara rule to match concatenated zip files. I like this one (biased) because of how we are able to avoid matching nested zip files. More info: x.com/threatinsigh... #yara github.com/EmergingThre...

ESET’s latest, a roundup on 2 years of Gamaredon/PRIMITIVE BEAR ops targeting Ukraine, is a banner example of how cyber operations are primarily used—and better suited—for intelligence collection. While the GRU is playing cyber soldier to avoid the front, FSB Center 18 is on that espionage grind.

For a great discussion about a couple North Korean threat actors, check out this podcast thecyberwire.com/podcasts/mic...