Fran Donoso
francisck.com
@francisck.com
I'm an infosec person who currently works as the CTO of a security services firm. Have done DevSecOps, Red Teaming, and reverse engineering. I reversed some of the tooling leaked by the Shadow Brokers and spoke about it publicly
Pinned
Hey new folks, welcome to BlueSky! My name is Fran and I run the following #cybersecurity feed:

bsky.app/profile/did:...

I'll be working to keep it spam-free & good.

If you're curious here are the keywords I'm looking for:

gist.github.com/francisck/d8...

Please provide feedback if you have any.
I may have gone overboard on the Halloween goodies this year

#halloween
November 1, 2025 at 2:34 AM
This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:

interseclab.org/wp-content/u...

*EVERY Page is worth reading*

Some interesting tidbits in the thread
interseclab.org
September 14, 2025 at 6:15 PM
Plex was hacked. It included usernames, emails, and hashed passwords.

Change your passwords when you can.
September 8, 2025 at 10:37 PM
Reposted by Fran Donoso
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
August 26, 2025 at 3:38 PM
Reposted by Fran Donoso
SentinelOne and Beazley Security have discovered a new Windows infostealer used in the wild named PXA Stealer, most likely the work of a Vietnamese-speaking cybercrime group.

www.sentinelone.com/labs/ghost-i...

labs.beazley.security/articles/gho...
August 5, 2025 at 11:47 AM
I mean I’ve been urging people to toss their sonicwall devices into a shredder for years now 🤷🏻‍♂️
SonicWall is urging customers to take some VPN devices offline after multiple security firms discovered a campaign of ransomware attacks over the last two weeks

SonicWall did not explain if the ransomware gangs are using a zero-day

therecord.media/sonicwall-po...
SonicWall urges customers to take VPN devices offline after ransomware incidents
Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
therecord.media
August 4, 2025 at 8:39 PM
Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain:

labs.beazley.security/articles/gho...

Thanks for the fantastic collab SentinelLabs team!
BSL - Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
labs.beazley.security
August 4, 2025 at 5:58 PM
We’re actively seeing this exploitation as well.

Here is my team’s advisory on this vulnerability:

labs.beazley.security/advisories/B...

If you have a publicly exposed SharePoint server, it's probably already compromised, so get ready to do some IR.
July 20, 2025 at 11:38 PM
Reposted by Fran Donoso
🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.
www.greynoise.io
July 16, 2025 at 9:05 PM
Reposted by Fran Donoso
Two high-severity patches are coming to Node.js on Tuesday

nodejs.org/en/blog/vuln...
July 13, 2025 at 7:10 PM
Worth turning on if you have AT&T.

Other carriers (like T-mobile) have similar programs.
AT&T widely launched its Wireless Account Lock feature Tuesday, aiming to strengthen customer protection against account takeovers and SIM-swapping attacks, Cyberscoop writes.

"The Wireless Account Lock, which had been rolling out in waves since earlier this year, is widely accessible for both […]
Original post on infosec.exchange
infosec.exchange
July 2, 2025 at 2:24 AM
Reposted by Fran Donoso
Need something positive to do in your life this week?

If you don’t have a library card, go get one. Then learn about all the awesome things your local public library has to offer.
June 26, 2025 at 9:43 PM
This is related to ROP code exec on switch 2
userland ROP on day 1 💪
June 6, 2025 at 12:42 PM
Reposted by Fran Donoso
New, by me: Data broker giant LexisNexis has revealed that its risk solutions unit (think "know your customer," risk assessing, due diligence, and law enforcement assistance) was breached, affecting the personal data and Social Security numbers of at least 364,000 people.
Data broker giant LexisNexis says breach exposed personal information of over 364,000 people | TechCrunch
The data collector said the stolen data includes Social Security numbers.
techcrunch.com
May 28, 2025 at 2:07 PM
Reposted by Fran Donoso
Just the tip of the iceberg from this roll-your-own security protocol. We're about to usher in a golden age of Valhalla-level AI pwnage, and it'll be riding on the coattails of badly designed agents.
invariantlabs.ai/blog/mcp-git...
GitHub MCP Exploited: Accessing private repositories via MCP
We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariant's security ...
invariantlabs.ai
May 27, 2025 at 2:35 AM
Reposted by Fran Donoso
By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters 👉 wietze.github.io/blog/bypassi...
March 24, 2025 at 9:08 AM
Reposted by Fran Donoso
Ubiquiti has released a security update for UniFi Protect Cameras to fix an RCE vulnerability with a severity score of 10/10

Oh boy...

community.ui.com/releases/Sec...
May 8, 2025 at 12:35 AM
Reposted by Fran Donoso
New from 404 Media: the Signal clone the Trump administration uses was just hacked. TeleMessage makes a modified version of Signal that archives messages for government agencies, Waltz used it. A hacker got some users' messages, group chats. Hugely significant breach www.404media.co/the-signal-c...
The Signal Clone the Trump Admin Uses Was Hacked
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
www.404media.co
May 4, 2025 at 10:01 PM
Reposted by Fran Donoso
🧙 Want to join the team? 🧙

We’re on the hunt for volunteer DFIR analysts—with potential for paid opportunities!

You’ll get a set of artifacts and a limited time to show us what you’ve got. 🔎

Follow us on socials—details drop soon!
March 23, 2025 at 1:51 PM
This is interesting.

Good write up here:

www.stepsecurity.io/blog/harden-...

The commit that backdoors this is bash that executes something base64-encoded, which in turn attempts to run a Python script to scrape memory on the runner for secrets (see attached image).

🧵 1/2
March 15, 2025 at 3:06 AM