Crunching reports by so many different researchers was a great learning experience. There is a lot of awesome knowledge out there! And to top it off, I got to work alongside the relentless @0xfmz. Mission accomplished!
#ESETresearch has published a comprehensive whitepaper comparing all known malware frameworks designed to breach air-gapped networks. Read more: https://t.co/Sal0yAPMQo @adorais @0xfmz 1/7
Proofpoint @threatinsight identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan.
The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC).
We track the activity as UNK_VaporVibes. 1/8
Alongside this activity recently highlighted by Google, @Proofpoint @threatinsight has observed additional exploitation of WinRAR vulnerability CVE-2025-8088 by both financially motivated threat actors and by state-aligned groups linked to China and the DPRK.
Vendors only have partial visibility on any campaign. What appears as highly targeted to one can be widespread to another. It is normal and expected - we all have visibility biases.
Working together and combining our findings is the only way to get closer to the full picture 🤜🤛
Proofpoint also observed the activity reported by Trellix in email threat data targeting financial organizations and people in positions of leadership.
Our researchers offer clarifying context below to supplement @TrellixARC’s technical analysis. 🧵
@Glacius_ @medioum43 "AV engines on VT are using Yara (if I'm not mistaking)"
That is not exactly how this works: VT scans files with the actual AV engines, with whatever technology they each implement internally.
Developing story - attack against #BGP peers of a European telco. The malicious emails impersonated that same telco and included the ASN of each recipient in the subject line.
The emails contained a password-protected RAR attachment with the malicious payload.
Between December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.
All of the observed targeted entities peer with the spoofed ISP, and phishing emails were sent to contact addresses present in the AS's WHOIS records, indicative of a highly deliberate targeting effort.
Each spearphishing email was personalized to the target based on their Autonomous System Number (ASN) and purported to relate to a detected BGP (Border Gateway Protocol) flapping session within the target’s network.
Next Monday, I'll have the privilege to chat with my colleagues @jiboutin, @adorais and Catherine Dupont-Gagnon (@Cybercitoyen_) for a panel focused on “State-sponsored cyber attacks: current trends and impact on modern society” at #FPS2024. Join us!
👉https://t.co/8td6rGoGTr
#ESETResearch is hiring a senior malware researcher for our 🇨🇦 office. If you’d like to track some of the most impactful APTs/cybercrime campaigns, don’t wait and apply here 👇
https://t.co/YDZQeUH0nn 1/3
Proofpoint has tracked this technique since August 2024 and calls it “brooxml”. Our researchers do not consider this a zero-day or a vulnerability in general.
We’ve released Emerging Threats and YARA signatures at the end of this thread.
Lots of good research this week on macOS activity from Bluenoroff / TA444 / Sapphire Sleet.
New record: only one of them said Lazarus instead of Bluenoroff 😂
Public WiFi is so unsafe (it’s not; it’s generally fine for personal/family use) that when I ARP spoof and DNS spoof, not only do I get errors with TLS (this site doesn’t have HSTS enabled), but my phone (Android) literally warns me the network is acting in a suspicious manner...
That’s with defaults! If you harden the phone and browser a tiny bit by forcing DNS over HTTPS (DoH), it will break the key component here (DNS spoofing)!
@sherrod_im - how many Gregs does it take to track all of DPRK cyber shenanigans?
- do you think industry research/insight into DPRK activities is being fully leveraged by policy makers / foreign relations offices so that timely & thoroughly informed decisions can be made?
Hey @cybleglobal marketing team, please clarify your blog and actually credit the author of the Ransomware Vulnerability Matrix... because that would be me 🙃 Otherwise others may think you made it 🤦🏻♂️
hxxps://cyble[.]com/blog/ransomware-vulnerability-matrix-a-comprehensive/
In August 2024, @Proofpoint published research highlighting an unusual, suspected espionage campaign targeting dozens of organizations worldwide to deliver a custom malware family named “Voldemort”.
Proofpoint @threatinsight analysts now attribute this campaign to the China-aligned threat group #TA415 (also known as #APT41 and #BrassTyphoon).
This attribution is based on multiple newly identified high confidence links between the campaign distributing Voldemort and known TA415-attributed infrastructure, including overlaps with activity publicly reported by Mandiant in July 2024: https://t.co/npL5soxq3k.