Check out my latest research with @TrellixARC, along with @phd_phuc and @John_Fokker, to know more about Iranian-linked APT groups.
https://t.co/u44Kud9s09
The geopolitical landscape surrounding Iran's cyber operations has changed dramatically in the last years. This updated analysis from @TrellixARC examines the technical evolution of prominent Iranian state-aligned threat actors.
https://t.co/LcPYzNWUQ3
One issue with all this LLM reverse engineering hype is a misunderstanding of what RE means. True RE delivers a complete understanding of malware and all its capabilities. Most of these LLM demos I've seen are just replicating what malware sandboxes have been doing for a decade.
Threat actors continuously expand, collaborate, reshuffle, and evolve. This is why I’m cautious about placing them all into a single bucket. Not every DPRK actor targeting cryptocurrency is Lazarus, not all malware detected as `NukeSped` necessarily belongs to Lazarus, and malware using Korean-language decoys should not be automatically attributed to Kimsuky either.
From this perspective, I align with CrowdStrike’s decision to further separate the Lazarus umbrella based on observed TTPs. As I discussed previously at DEF CON and Virus Bulletin, this cluster began rapidly expanding and fragmenting into multiple groups around 2018, consistent with CrowdStrike’s assessment.
Attribution is inherently difficult, but improving our precision remains an important goal.
CS Blog: https://t.co/hMqcpIHkWv
What separates Chinese cyber ops from Five Eyes?
Three things that shifted my thinking about this topic:
1. Early cyber training (90s-2000s) happened on live targets.
Not sandboxes, not simulations...actual foreign infrastructure. The "practice" was the operation. Operational errors caught during IR back then weren't failures of tradecraft... they were the cost of learning on production.
2. The private sector operates as APT infrastructure.
Cybersecurity companies founded by former 2000s hackers (Topsec, i-SOON, Integrity Tech) were later publicly linked to state-directed operations. The line between "legitimate vendor" and "APT contractor" is deliberately blurred (by design).
3. Operators don't stay siloed in their APT group.
They rotate across teams for decades, often carrying the exact same tools and tactics with them. What we label as "different APT groups" is often the same people with different hats.
This makes attribution way messier than the tidy narrative we see in threat reports.
Worth reading this epic report published by the Zurich Centre for Security Studies if this stuff keeps you up at night:
https://t.co/aGgMyPniWF
SideWinder APT is evolving! Our latest @TrellixARC report, written by @phd_phuc and myself, details their new PDF+ClickOnce infection chain, which bypasses traditional security and targets diplomatic entities in South Asia.
https://t.co/ZGlZngVlO2
@l3cr0f uncovers the clever tactics behind the 0bj3ctivityStealer campaign. Phishing, PowerShell scripts, and hidden payloads are all part of the attack chain. Check out his deep dive here: https://t.co/pMC2mt3bnx
@TrellixARC Researcher @l3cr0f dives into 0bj3ctivityStealer, revealing a new campaign that uses phishing, custom PowerShell, and steganography to deliver its payload. Learn more in this new blog. https://t.co/rX7K3StBss
You know what? Today I woke up strange.
So LET'S BURN SOME North Korean info! Let's see how their backend works. Shall we? I am going to yolo explain what is happening here (as with most of my research), and if my ADHD mind does not disrupt me it should take 10 minutes!
APT detections surged 45% (Q4'24 to Q1'25) according to the CyberThreat Report: April 2025! Get the full analysis and strategic insights from @l3cr0f. Read it here: https://t.co/yLLQe6i9BJ
Think you're safe from info stealers? Think again. Lumma Stealer is evolving! The Trellix Advanced Research Center uncovers the latest threats. Dive deep. https://t.co/lKYkPu6uwy
Over the past few months, we @Trellix have kept our eyes open for election-related threats with regard to the U.S. presidential elections. We have summarised our findings in a blog: https://t.co/eqhJgT9DFM
Leveraging our telemetry data, we analyze execution chains, network activity, and rule alerts to counter threats targeting election frameworks, and more. @John_Fokker, @libranalysis, and @l3cr0f explain how our insights empower customers to safeguard elections. https://t.co/PBImdcAo3O
Russian-aligned hacktivist group CARR specializes in DDoS attacks, among more advanced types of attacks. Researcher @l3cr0f analyzes them and other state-backed groups, including examining various groups’ impact on the complex, evolving threat landscape. https://t.co/7N1ffxFoHl
The gray zone of conflicts: hacktivism! In my latest @Trellix blog, I dive into the tactics, motivations, and impact of state-sponsored hacktivist groups during the latest world conflicts.
https://t.co/aGQR0HaPiJ
The Iranian cyber threat landscape intensifies, with attacks to influence the U.S. presidential election. Leveraging advanced TTPs, custom-built malware, and more to execute espionage-focused operations, @l3cr0f, @phd_phuc, and @John_Fokker share more. https://t.co/mgcHqIBpGG
Iranian threat groups, such as APT35, MuddyWater, and more, continue to intensify activities targeting critical sectors and interfering with U.S. elections. @l3cr0f, @phd_phuc, and @John_Fokker with @TrellixARC provide an overview. https://t.co/WOw2KGLO0s
At this August's Summer Camp I'll be representing @Trellix, giving a talk on @defcon's main stage and running workshops at @DianaInitiative, @BlackHatEvents, and @defcon! Details in chronological order in this thread! All times are Las Vegas local times.
🧵1/5