Mark Kelly
@mkyo.bsky.social
🇨🇳 Threat Research at Proofpoint
Reposted by Mark Kelly
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings: Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
Reposted by Mark Kelly
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆

We use this tool internally to help track multiple threat actors with high confidence.
October 23, 2025 at 6:05 PM
Reposted by Mark Kelly
📣 🔥 🛋️ SAVE THE DATE 🛋️ 🔥 📣
The next #PIVOTcon will be on 6-8 May 2026, in Malaga, ES!!!

Your favorite ;) #ThreatResearch conference is coming back and we are planning to bring you the usual experience and content of utmost quality. Follow us + #StayTuned for more info
#CTI #ThreatIntel #PIVOTcon26
October 2, 2025 at 2:51 PM
Good piece covering a big burst of TA416 activity targeting European governments last week!
Quite a bit of CN APT activity in Europe in the past week

strikeready.com/blog/cn-apt-...

As always, if you're interested in tuning your skills, download the samples here github.com/StrikeReady-...
CN APT targets Serbian Government
Mustang Panda continues targeting European governments
strikeready.com
October 4, 2025 at 11:32 AM
Reposted by Mark Kelly
First public report at Recorded Future by yours truly is out! RedNovember (formerly TAG-100, a.k.a. Storm-2077) is a Chinese state-sponsored threat group focused on intelligence collection, especially on flashpoint issues of strategic interest to China. www.recordedfuture.com/research/red...
RedNovember Targets Government, Defense, and Technology Organizations
RedNovember, a likely Chinese state-sponsored cyber-espionage group, has targeted global government, defense, and tech sectors using advanced tools like Pantegana and Cobalt Strike. Discover the lates...
www.recordedfuture.com
September 24, 2025 at 6:57 PM
Reposted by Mark Kelly
Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

Blog: www.proofpoint.com/us/blog/thre....
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US
What happened: Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China
www.proofpoint.com
September 18, 2025 at 5:11 PM
🚨🇨🇳💰 New @threatinsight.proofpoint.com blog on TA415 (aka APT41) economy and trade-themed spearphishing against US govt, think tanks & academia.

The campaigns used U.S.-China economic lures and spoofed the Chair of the House Select Committee on CCP competition + the US-China Business Council.
September 16, 2025 at 12:49 PM
It is time the Mustang Panda moniker went the way of Winnti Group ☠️
September 11, 2025 at 10:24 AM
Reposted by Mark Kelly
1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and ...
www.recordedfuture.com
August 5, 2025 at 2:18 PM
🚨🆕🐟🍟 New blog from me and the amazing @threatinsight.proofpoint.com team covering recent activity by multiple China-aligned threat actors targeting semiconductor companies in Taiwan over the past few months:
www.proofpoint.com/us/blog/thre...
Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting | Proofpoint US
Key findings: Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese
www.proofpoint.com
July 16, 2025 at 9:35 PM
Reposted by Mark Kelly
New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...
Exclusive: China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say
Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns, researchers said on Wednesday.
www.reuters.com
July 16, 2025 at 9:16 PM
Reposted by Mark Kelly
New DISCARDED podcast drop! Join @greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem
podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...
Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook
Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 07/01/2025 · 53m
podcasts.apple.com
July 1, 2025 at 4:22 PM
Reposted by Mark Kelly
Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social. It’s got it all:

🛰️ Popped routers for sending phish

📊 ACH on attribution

👾 custom protocols

👽 cool malware

🕵️ crime

🎯 espionage

❔many unanswered questions

www.proofpoint.com/us/blog/thre...
10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US
Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity. Key takeaways
www.proofpoint.com
June 30, 2025 at 10:04 AM
Reposted by Mark Kelly
🚨 We’re hiring at Recorded Future’s Insikt Group

Two senior analyst roles are open right now. Both focus on tracking nation-state threats.

🧵
June 20, 2025 at 10:20 AM
Reposted by Mark Kelly
Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵

www.recordedfuture.com/research/pre...
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...
www.recordedfuture.com
June 12, 2025 at 2:23 PM
Reposted by Mark Kelly
Dropping some joint research today with Threatray on TA397/Bitter 🔍

We dive into the confluence of signals that led us to our attribution of the threat actor 🎯

Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research.

www.proofpoint.com/us/blog/thre...
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout
www.proofpoint.com
June 4, 2025 at 11:13 AM
Reposted by Mark Kelly
From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout
www.proofpoint.com
June 4, 2025 at 11:09 AM
Reposted by Mark Kelly
Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️
May 21, 2025 at 8:15 PM
same tbh
May 17, 2025 at 6:16 PM
Reposted by Mark Kelly
New Proofpoint blog alert

We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025:

www.proofpoint.com/us/blog/thre...
TA406 Pivots to the Front | Proofpoint US
What happened: In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these
www.proofpoint.com
May 13, 2025 at 2:08 PM
Reposted by Mark Kelly
@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...
TA406 Pivots to the Front | Proofpoint US
What happened: In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these
www.proofpoint.com
May 13, 2025 at 9:53 AM
Had such a great time at PIVOTcon @pivotcon.bsky.social - what a brilliant conference and the location isn't half bad either 🇪🇸
May 10, 2025 at 3:55 PM
Reposted by Mark Kelly
If you're looking at email headers and they're not pretty, you need to install @jacoblatonis.me's @vscode.dev extension

marketplace.visualstudio.com/items?itemNa...
Email Headers Highlighting - Visual Studio Marketplace
Extension for Visual Studio Code - This language extension serves as a syntax highlighter that enables quicker analysis of email headers
marketplace.visualstudio.com
April 24, 2025 at 8:18 PM
Reposted by Mark Kelly
Thanks to my favorite team buddies for their collab and indulging my slight obsession 💜 @greg-l.bsky.social @mkyo.bsky.social and Josh
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...
Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US
Key Findings: While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social
www.proofpoint.com
April 18, 2025 at 12:54 PM
Reposted by Mark Kelly
Saher's first blog on the scourge that is ClickFix usage in the espionage space!!

Had to sneak in the UNK_RemoteRogue RDP shenanigans as well - a thus far unattributed group we assess to be Russia-aligned, using a pretty fun set of email tactics
April 17, 2025 at 12:22 PM