Love how @nxthompson homes in on the most important implication of my Fast16 story (https://t.co/yckU3Qem1y): "It was like epistemological warfare. It was affecting belief of the scientists so they would think it’s not working. This is...pretty important when you think about the future. Imagine hacks of AI systems that we trust so much, that could...tell us that research that is actually good, is bad, and throw us off our work. That is some crazy software."
the fast16 malware was almost certainly targeting spherical implosion simulations.
left: unmodified LS-DYNA 970
right: LS-DYNA 970 modified with the relevant portions of fast16.sys
both running a spherical implosion deck
Until now, Vladimir Putin’s government is thought to have provided intelligence that enabled Iran to target American forces in the Middle East. Our exclusive reporting shows it also offered to send fibre-optic drones of the sort used in the Ukraine war https://t.co/rYewBXTSpE
A newly decoded piece of sabotage malware called Fast16, created before Stuxnet, was made to silently tamper with calculations in research and engineering software. Likely created by the US or an ally, and possibly used against Iran's nuclear program. https://t.co/jE045ejq6u
We did our most in-depth model welfare assessment yet for Claude Mythos Preview. We’re still super uncertain about all of this, but as models become more capable and sophisticated we think it's an increasingly important topic for both moral and pragmatic reasons. 🧵
Gen. Joshua Rudd has assumed the role of Commander, @US_CYBERCOM, Director, @NSAGov / Chief, CSS following an assumption of command, directorship, and responsibility ceremony at the Pentagon today.
⚡️ Sweden’s Security Service warns that russia is preparing for more risky and unpredictable actions. According to the agency, russian agents have been tasked with mapping and documenting facilities critical to Sweden’s defense.
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts. 1/4
👀"Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants," per the Dutch intelligence and security services MIVD and AIVD. https://t.co/PlZlgBhEpQ
Hacking internet-connected civilian security cameras for recon is now part of the playbook in modern warfare. First for Russia and Ukraine, now for Israel and Iran.
Your insecure internet-of-things surveillance system is now their targeting system.
https://t.co/2V05iTSxYz
Exclusive: Russia is providing Iran with targeting information to attack American forces in the Middle East, the first indication that another major U.S. adversary is participating — even indirectly — in the war. https://t.co/SfBeKxq7zC
Researchers have identified a suspected Russian espionage campaign against Ukraine that uses two previously undocumented malware strains https://t.co/3XRBpszGxK
🕵️Call us the 'Headquarters Hunters': together with @pustota, we found the 'mail center' of the GRU 'Africa Corps.' You will – and will not – be surprised where we found it. Full thread below 🔽
Yeah, so basically Mandiant and iVerify released a paper today about this spoopy thingy called "Coruna".
Coruna is very, very silly. Mandiant and iVerify discovered SOMEONE (they don't say who) developed some hardcore iOS zero day exploits. It exploited how iOS devices handled visiting websites (WebKit).
When an iOS device visited very, very specific websites (which were hacked by ???), the hacked website delivered carefully written Javascript code that would exploit iOS web browsers. When the iOS device visited the website, the very special Javascript code allowed the website to execute code on the iOS device.
In other words, if you're using an iPhone, visit hacked website (you have no idea though), spoopy Javascript (you can't see it) does black magic, automatically executes code on your iOS device to perform espionage (spying).
Who is "someone"? Per Mandiant, this toolkit was purchased by a company ... but they don't say the company that purchased it ... This is a toolkit (cyber weapon) purchased by an unknown company and was developed by an unknown organization (or company).
Interestingly, the code in Coruna has code overlap with Operation Triangulation, an iOS exploit which was targeting the Russian government ... which was attributed to the United States National Security Agency (by Kaspersky in conjunction with the Russian government)
Code overlap in iOS exploits of this caliber are not common. It has lead some to speculate the United States government purchased, or developed, iOS exploits to target Russian government officials and now this same company ... or organization ... is back.
Note: The United States governments has not commented on Operation Triangulation (they don't confirm or deny).
Interestingly, every single compromised website, delivering the super spoopy Javascript that exploited iOS devices was in Ukraine. It was developed to target Ukrainians. The Ukrainian websites that were compromised were industry specific:
- Industrial equipment
- Retail tools
- Ecommerce websites
So, people using iOS devices interested in Industrial equipment, retail tools, and visiting specific ecommerce sites, had their iPhones compromised.
However, Mandiant noticed in late 2025, there was a shift. Coruna no longer was targeting Ukrainians. It was targeting Chinese cryptocurrency exchanges.
Mandiant did more reverse engineering and through a long winded investigation, they discovered Coruna had 23 iOS exploits. They managed to recover the iOS and (based on programming artifacts) "codenames" with each exploit. The exploits have cool and badass names.
BuffOut, Jacurutu, BlueBird, TerrorBird, Cassowary, Breezy, Breezy15, SeedBell, SeedBell16_16, SeedBell_17, IronLoader, NeuronLoader, Neutron, Dynamo, Pendulum, Photon, Parallax, Gruber, Quark, Gallium, Carbone, Sparrow, Rocket
23 iOS RCE exploits are expensive to buy. A conservative estimate for this code would be approx. $11,500,000.
Is the United States government purchasing and/or developing iOS exploits? Would the United States government target Ukrainians who buy industrial equipment? Why would the United States target cryptocurrency exchanges? Is it even the United States government?
Find out next time on Dragon Ball Z
.@RecordedFuture's Insikt Group analysis provides a continuously updated compilation of the threat actors, tactics, and infrastructure likely to be involved in Iranian cyber retaliation.
https://t.co/coVel5HUog
The exploit kit, named "Coruna", contained 5 iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits with the most advanced ones using nonpublic exploitation techniques & mitigation bypasses.
Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).
https://t.co/0Zhe4Dq266