Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. 🧵

Proofpoint identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan. The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC). We track the activity as UNK_VaporVibes. 1/8

Conflict in Iran is accelerating cyber espionage across the Middle East. Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Details: brnw.ch/21x0EJi.

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through how to pivot from the well-publicized phishing infrastructure to expose APK tooling that compromised members of the military of Asian countries. strikeready.com/blog/apt-and...

New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...

Just published: A two-part blog series in collaboration with @threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state. Part 1: brnw.ch/21wT9A5 Part 2: brnw.ch/21wT9Ad.

Dropping some joint research today with Threatray on TA397/Bitter 🔍 We dive into the confluence of signals that led us to our attribution of the threat actor 🎯 Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research. www.proofpoint.com/us/blog/thre...

Is the era of the “named actor” done? As the OG adversary sets diverge, get promoted, or move on actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground) AND the CTI models maturing… APTs ⬇️⬇️ UNCs ⬆️⬆️

@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...

Introducing #UNK_CraftyCamel! Leveraged Trusted Business Relationship? ✅ Low Volume, highly targeted? ✅ Interesting technique? ✅ Overlaps with other IRGC clusters? ✅ Bonus: Infrastructure still up to watch how they respond to the blog? ✅ www.proofpoint.com/us/blog/thre...

Dropping some new research on TA397/Bitter 🚨 Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs Report: www.proofpoint.com/us/blog/thre...

In December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP. 🧵⤵️

I’m a little excited for this one

#PIVOTcon25 registration is now OPEN 🤟📥📥📥 pivotcon.org #CTI #ThreatResearch #ThreatIntel Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)

Wait... did a Chinese security vendor just publish research on a suspected Chinese APT backdoor? 🙃 I need your thoughts here @jags.bsky.social blog.xlab.qianxin.com/analysis_of_...