TJ Nel
idr0p.net
@idr0p.net
Sr. Director of Technical Analysis @ Recorded Future

Malware, AI, data, and coffee.

@idr0p@infosec.exchange
Reposted by TJ Nel
Recorded Future’s Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...
December 9, 2025 at 11:25 AM
"There is a lack of consensus regarding the current state of AI malware maturity."

So we put together #AIM3 to help #malware researchers describe the maturity level of an #AI_Malware Threat.
www.recordedfuture.com/blog/ai-malw...
December 6, 2025 at 3:23 AM
We all spent the last year vibe coding the shit out of web apps in React without knowing a single thing about JavaScript. Then enters #CVE-2025-55182 #React2Shell... poetry.

“The spirits that I summoned I now cannot rid myself of again.”
December 5, 2025 at 12:56 PM
Reposted by TJ Nel
Excited to join a discussion on the second edition of The Mythical Beast by Jen Roberts (@atlanticcouncil.bsky.social), exploring the complex networks behind the spyware ecosystem. This kicks off the new Colloquium series by @virtualroutes.bsky.social: virtual-routes.org/event/mythic...
Mythical Beasts and Where to Find Them: Diving into the Depths of the Global Spyware Market - Virtual Routes Colloquium
The first session of the Virtual Routes Colloquium Fall/Winter series hosts Jen Roberts from Cyber Statecraft Initiative. Jen will present her research on "Mythical Beasts and Where to Find Them: Divi...
virtual-routes.org
September 29, 2025 at 8:29 AM
Reposted by TJ Nel
Great blog post from @briankrebs.infosec.exchange.ap.brid.gy on #StarkIndustries. Makes a great point by highlighting its links to MIRHosting. Where there are Dutch prefixes under these providers, there is usually always MIRHosting upstream.
September 11, 2025 at 6:32 PM
Not a lot of public reporting on this, but we are seeing a mountain of activity 👀
September 4, 2025 at 7:36 PM
Reposted by TJ Nel
1/ Today @whoisnt.bsky.social, Marius, and I release a report on a new threat actor, #TAG-150, active since at least March 2025, which stands out for its rapid development, sophistication, responsiveness to reporting, and a large, evolving infrastructure: www.recordedfuture.com/research/fro...
From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
Insikt Group reveals TAG-150’s multi-tiered infrastructure and CastleRAT malware—an advanced threat actor evolving rapidly with stealth and scale.
www.recordedfuture.com
September 4, 2025 at 3:05 PM
Big report from our team at Recorded Future around #ThreatActivityEnablers (all of the hostings and services that power malicious infrastructure). Great Research on #StarkIndustries!
1/ Today, we published “One Step Ahead: Stark Industries Solutions Preempts EU Sanctions,” revealing how hosting provider #StarkIndustries executed a multi-phase restructuring of its operations, beginning up to a month before #EU sanctions.
August 27, 2025 at 5:01 PM
Please give me the strength not to buy this hotswap GPU framework laptop with maxed-out specs. 😬
August 27, 2025 at 1:44 AM
Reposted by TJ Nel
1/ We just released a new report on TAG-144 (also known as Blind Eagle), where we identified five distinct activity clusters that have been active throughout 2024 and 2025, primarily targeting the Colombian government at multiple levels. Link to the report: www.recordedfuture.com/research/tag...
TAG-144’s Persistent Grip on South American Organizations
Persistent cyber operations by TAG-144 (Blind Eagle) continue to target South American, primarily Colombian, government entities through advanced spearphishing and RAT-based malware campaigns. Explore...
www.recordedfuture.com
August 26, 2025 at 2:15 PM
🔎 A day in the life of a #Lumma malware operator... this is a must-read! 💪
1/ Today, we release a first-of-its-kind analysis of a set of Lumma affiliates within a vast info-stealing ecosystem, showing their interconnectedness and resilience even after major law enforcement takedown attempts earlier this year: www.recordedfuture.com/research/beh...
Behind the Curtain: How Lumma Affiliates Operate
Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.
www.recordedfuture.com
August 20, 2025 at 2:33 PM
Reposted by TJ Nel
1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and ...
www.recordedfuture.com
August 5, 2025 at 2:18 PM
"By 2025, 96% of companies are expected to use public cloud services, and 84% will adopt private cloud services. Additionally, 92% of organizations are projected to implement a multicloud strategy, reflecting the growing trend of cloud adoption across various industries." - Nextwork
July 23, 2025 at 7:23 PM
Amazing DDoSia Project Research by @calwarez.bsky.social, great work!!! www.recordedfuture.com/research/ana...

NoName057(16) had thousands of targets in their crosshairs 🎯, and they utilized their DDoSia Project and a crowdsourced army 🪖 to take them down... This is a must-read Report!
Inside DDoSia: NoName057(16)’s Pro-Russian DDoS Campaign Infrastructure
Discover how NoName057(16) targeted 3,700+ hosts across Europe using its DDoSia platform. This in-depth report reveals multi-tiered C2 infrastructure, attack patterns, and strategic geopolitical motiv...
www.recordedfuture.com
July 22, 2025 at 3:45 PM
simonwillison.net/2025/Jul/6/s... This is likely the beginning of the new "open S3 bucket" wave of attacks. MCP is awesome and a greatly needed standard, but we know how this will go for the next year or two. 🫤
Supabase MCP can leak your entire SQL database
Here's yet another example of a lethal trifecta attack, where an LLM system combines access to private data, exposure to potentially malicious instructions and a mechanism to communicate data back …
simonwillison.net
July 14, 2025 at 4:32 PM
#Remcos #malware is now at v7.0. No significant changes to the payload side, but improvements to enhance reliability and address bugs based on operator experience have been added.
Samples:
tria.ge/250709-3vxwa...
tria.ge/250710-vba87...

Looks to be distributed via email campaigns from reboundue[.]com emails.
remcos | e24d9afbc2ed01e348ef6946672ef5f310940dd57a5216d0f1edbe31c919374b | Triage
Check this remcos report malware sample e24d9afbc2ed01e348ef6946672ef5f310940dd57a5216d0f1edbe31c919374b, with a score of 10 out of 10.
tria.ge
July 11, 2025 at 1:34 AM
Reposted by TJ Nel
Today we are releasing a report on new infrastructure and tooling linked to GrayAlpha, a financially motivated threat actor overlapping with FIN7 🧵
www.recordedfuture.com/research/gra...
GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks
Insikt Group exposes GrayAlpha’s evolving infrastructure and infection methods—including PowerNet and MaskBat loaders, fake 7-Zip sites, and the undocumented TAG-124 network—linking the group to FIN7’...
www.recordedfuture.com
June 13, 2025 at 2:35 PM
Reposted by TJ Nel
Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵

www.recordedfuture.com/research/pre...
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...
www.recordedfuture.com
June 12, 2025 at 2:23 PM
Reposted by TJ Nel
Another report by Insikt Group on newly identified malware families #TerraStealerV2 as well as #TerraLogger, both attributed to the threat actor Golden Chickens: www.recordedfuture.com/research/ter...
Golden Chickens Unveils TerraStealerV2 and TerraLogger: New Credential Theft Tools Identified by Insikt Group
Insikt Group reveals two emerging malware strains—TerraStealerV2 and TerraLogger—linked to Golden Chickens, a threat actor behind credential theft and keylogging MaaS platforms. Learn how these tools ...
www.recordedfuture.com
May 2, 2025 at 5:54 AM
Reposted by TJ Nel
Oh my god, they just unintentionally wrecked a ton of red team playbooks at the NSA popular.info/p/the-nsas-b...
February 10, 2025 at 2:43 PM
Today was the first day I reflexively went to Bsky for a quick check-in on the world of social media. Post-Twitter, as someone who does not use other platforms, I missed seeing authentic commentary without all the other madness.
[GIF: a man in a suit and tie with the words "it's just refreshing" behind him]
February 2, 2025 at 6:41 PM
time.com/7210296/chin... But where is Mistral.AI?
What Is DeepSeek, the New Chinese OpenAI Rival?
The Chinese company causing turmoil in the American AI industry
time.com
January 29, 2025 at 4:45 PM
Threat model around controlling an AI-driven IDE like Cursor and now Trae (Bytedance) www.trae.ai

Imagine being a MiTM of code generation and shipment to git repos. You could lean the developer toward vulnerabilities and just-in-time code injection for PRs.

We will still be busy, that's for sure.
Trae - Ship Faster with Trae
Trae is an adaptive AI IDE that transforms how you work, collaborating with you to run faster.
www.trae.ai
January 23, 2025 at 4:50 PM
therecord.media/kristi-noem-...

- Give someone a fish... they eat for a day 🍴
- Teach someone to fish... they eat for a lifetime 💪
- Convince someone that fish are evil, and you should not listen to fish or eat anything in general... they starve 💀
Homeland Security nominee Kristi Noem bashes CISA, says agency must be 'smaller, more nimble'
The South Dakota governor said efforts to address foreign disinformation campaigns were "far off mission” for the Cybersecurity and Infrastructure Security Agency.
therecord.media
January 17, 2025 at 8:31 PM
When top Infostealers do the press rounds 🎬... it's a good reminder for me.

Cybercrime isn’t lurking in the shadows anymore—it’s running PR campaigns.

The game has changed so much and is probably driving the disruption ops that LE has been doing. 🤔

g0njxa.medium.com/lumma-steale...
Lumma Stealer Q&A
The people have spoken: you asked and they replied
g0njxa.medium.com
January 16, 2025 at 9:47 PM