Nick Attfield
@nickattfield.bsky.social
Threat Researcher @ Proofpoint | Views are my own.
Reposted by Nick Attfield
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
Reposted by Nick Attfield
A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through how to pivot from the well-publicized phishing infrastructure to expose APK tooling that compromised members of the military of Asian countries.
strikeready.com/blog/apt-and...
APT: Android, Phishing, microsoft
A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through infrastructure and malware pivots to expose novel tooling that compromised the p...
strikeready.com
August 19, 2025 at 10:45 AM
Reposted by Nick Attfield
New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...
Exclusive: China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say
Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns, researchers said on Wednesday.
www.reuters.com
July 16, 2025 at 9:16 PM
Reposted by Nick Attfield
Just published:
A two-part blog series in collaboration with @threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state.
Part 1: brnw.ch/21wT9A5
Part 2: brnw.ch/21wT9Ad.
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout
brnw.ch
June 4, 2025 at 2:56 PM
Dropping some joint research today with Threatray on TA397/Bitter 🔍
We dive into the confluence of signals that led us to our attribution of the threat actor 🎯
Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research.
www.proofpoint.com/us/blog/thre...
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout
www.proofpoint.com
June 4, 2025 at 11:13 AM
Reposted by Nick Attfield
Is the era of the “named actor” done?
As the OG adversary sets diverge, get promoted, or move on
actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)
AND the CTI models maturing…
APTs ⬇️⬇️
UNCs ⬆️⬆️
May 21, 2025 at 8:15 PM
Reposted by Nick Attfield
@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...
TA406 Pivots to the Front | Proofpoint US
What happened In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these
www.proofpoint.com
May 13, 2025 at 9:53 AM
Reposted by Nick Attfield
Introducing #UNK_CraftyCamel!
Leveraged Trusted Business Relationship? ✅
Low Volume, highly targeted? ✅
Interesting technique? ✅
Overlaps with other IRGC clusters? ✅
Bonus: Infrastructure still up to watch how they respond to the blog? ✅
www.proofpoint.com/us/blog/thre...
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US
Key findings Proofpoint researchers identified a highly targeted email-based campaign targeting fewer than five Proofpoint customers in the United Arab Emirates with a distinct
www.proofpoint.com
March 4, 2025 at 9:18 PM
Dropping some new research on TA397/Bitter 🚨
Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs
Report:
www.proofpoint.com/us/blog/thre...
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US
Key findings Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. The attack...
www.proofpoint.com
December 17, 2024 at 12:10 PM
Reposted by Nick Attfield
On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.
🧵⤵️
Interesting susp targeted phish targeting an Italian telecom.
1) spoofing swisscom (note 'S', domain just reg'd)
2) leveraging encrypted rar + lnk + self signed pdf reader
3) BGP lure (fits with theme of email). BGP is the third leg in the outage triumvirate.
December 12, 2024 at 9:18 PM
I’m a little excited for this one
November 19, 2024 at 11:30 PM
Reposted by Nick Attfield
#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)
ALT: two men are standing next to each other with the words " we open it up " on the screen
November 19, 2024 at 2:00 PM
Reposted by Nick Attfield
Wait... did a Chinese security vendor just publish research on a suspected Chinese APT backdoor? 🙃
I need your thoughts here @jags.bsky.social
blog.xlab.qianxin.com/analysis_of_...
New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9
Background
On July 27, 2024, XLab's Cyber Threat Insight and Analysis System(CTIA) detected an ELF file named pskt from IP address 45.92.156.166. Currently undetected on VirusTotal, the file trigger...
blog.xlab.qianxin.com
November 12, 2024 at 7:19 PM