Ole Villadsen
olevilladsen.bsky.social
Threat researcher @ Proofpoint. Formerly IBM X-Force, CMU, US Government, US Navy. Views are my own.
Threat actors are teaming up with organized crime to target truckers — stealing identities, placing fraudulent bids on freight, and making off with the cargo. Their entry point? Emails with links delivering Remote Monitoring and Management (RMM) tools. Together with @selenalarson.bsky.social :
Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US
Key findings: Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight. Cargo theft is a multi-million-dollar criminal
www.proofpoint.com
November 3, 2025 at 10:40 AM
Reposted by Ole Villadsen
🚨 Job seekers, watch out! 🚨

Proofpoint found threat actors targeting job seekers to distribute remote management tools that can lead to data or financial theft, or potentially to install follow-on malware like ransomware.
July 24, 2025 at 3:41 PM
Reposted by Ole Villadsen
Today, Proofpoint joins the cybersecurity community and the U.S. and international law enforcement in celebrating the disruption of #DanaBot, a malware-as-a-service used by sophisticated cybercriminals since 2018. brnw.ch/21wSRiZ
A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame | Proofpoint US
Key Findings: Proofpoint first identified and named DanaBot in May 2018. Initially developed as a banking trojan, DanaBot was also used as an information stealer and loader for follow-on
brnw.ch
May 22, 2025 at 7:48 PM
Reposted by Ole Villadsen
Thanks for the shoutout and for recognizing our work at DFIR Report in tracking these threats!

🔗Read the article here: www.proofpoint.com/us/blog/thre...
Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US
Key findings: More threat actors are using legitimate remote monitoring and management (RMM) tools as a first-stage payload in email campaigns. RMMs can be used for
www.proofpoint.com
March 13, 2025 at 12:59 AM
Reposted by Ole Villadsen
New cyber threat research from Proofpoint highlights how attackers are adapting to law enforcement disruptions, leveraging trusted software to evade detection and compromise systems.

This blog details our team's findings: www.proofpoint.com/us/blog/thre....

#malware #ransomware #dataloss
Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US
Key findings: More threat actors are using legitimate remote monitoring and management (RMM) tools as a first-stage payload in email campaigns. RMMs can be used for
brnw.ch
March 11, 2025 at 4:14 PM
Reposted by Ole Villadsen
Dropping some new research on TA397/Bitter 🚨

Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs

Report:
www.proofpoint.com/us/blog/thre...
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US
Key findings: Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. The attack...
www.proofpoint.com
December 17, 2024 at 12:10 PM
Reposted by Ole Villadsen
On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

🧵⤵️
Interesting susp targeted phish targeting an Italian telecom.
1) spoofing swisscom (note 'S', domain just reg'd)
2) leveraging encrypted rar + lnk + self signed pdf reader
3) BGP lure (fits with theme of email). BGP is the third leg in the outage triumvirate.
December 12, 2024 at 9:18 PM
Reposted by Ole Villadsen
2024-12-04 (Wednesday): #AgentTesla variant using #FTP for data exfiltration. A sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated malware samples, and a list of indicators are available at www.malware-traffic-analysis.net/2024/12/04/i...
December 5, 2024 at 1:15 AM
Reposted by Ole Villadsen
#BumbleBee malspam using Cisco AnyConnect as a lure. It contains a PDF with a link to a fake AnyConnect installer that opens AnyConnect on the Microsoft App Store to mask the BumbleBee infection 🔥

Payload delivery URLs:
🌐 urlhaus.abuse.ch/host/95.164....

Payload:
📄 bazaar.abuse.ch/sample/b8794...
December 4, 2024 at 10:06 AM
Reposted by Ole Villadsen
#BruteRatel - #Latrodectus - url > .js > .msi > .dll

wscript.exe Document-v15-51-07.js

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fes.msi

rundll32.exe C:\Users\Admin\AppData\Roaming\avutil.dll, DLLMain

(1/3)👇

IOCs
github.com/pr0xylife/La...
December 3, 2024 at 9:22 PM
Reposted by Ole Villadsen
I really like the freedom of BlueSky's API and hope it can be maintained. I will use the API to push more IOCs.
November 27, 2024 at 8:05 AM
Reposted by Ole Villadsen
T-Minus 37 days til the next season of #100DaysofYARA kicks off!!
Who’s excited and what will you be working on?
I can’t believe it but I’m excited to write rules for JavaScript 😬😵‍💫
But also get to show off the new macho module from the one and only
@jacoblatonis.me
November 25, 2024 at 9:57 PM
Reposted by Ole Villadsen
2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...

Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...

Also runs in my lab just fine
November 22, 2024 at 7:42 PM
Reposted by Ole Villadsen
Very interesting story which, in my opinion, shows how the Chinese surveillance state is even "knocking off" on itself when it comes to IP/Data. This is some great research from SpyCloud Labs! Very proud of the Labs Research Team! www.wired.com/story/chines...
China’s Surveillance State Is Selling Citizen Data as a Side Hustle
Chinese black market operators are openly recruiting government agency insiders, paying them for access to surveillance data and then reselling it online—no questions asked.
www.wired.com
November 21, 2024 at 4:26 PM
For visibility - x0rz now on Blue Sky, so happy :)
First tweet (?) or whatever this is called here
November 18, 2024 at 2:29 PM
Reposted by Ole Villadsen
New blog drop with @selenalarson.bsky.social and the rest of the team. This one covers a lot of threats using the #ClickFix technique to lure targets to infect themselves by pasting malicious CMD/PS code. My "fave" is the chumbox #malvertising on major tech sites.
www.proofpoint.com/us/blog/thre...
November 18, 2024 at 12:44 PM
Reposted by Ole Villadsen
Reuters also confirms the story about Biden allowing Ukraine to use US arms to strike inside Russia, citing three sources familiar with the matter. Ukraine plans to conduct its first long-range attacks in the coming days.
www.reuters.com/world/biden-...
November 17, 2024 at 6:53 PM
Reposted by Ole Villadsen
Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this...

I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working

Apparently this is built into Chrome/Edge! So cool :)

edge://net-export/
November 17, 2024 at 6:49 AM
Two great easy-to-use tools to find new follows - both worked great.
These two Bluesky tools are really useful for finding people to follow:

Network analyzer: See which accounts people you follow are following, but you don’t. By @theo.io bsky-follow-finder.theo.io

Bluesky Directory: 6,000+ starter packs. By @mubashariqbal.com blueskydirectory.com/starter-pack...
November 17, 2024 at 1:02 AM
Reposted by Ole Villadsen
Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago

www.youtube.com/watch?v=O69e...
Smokeloader: The Pandora’s box of tricks, payloads and anti-analysis - BSides Portland 2022
YouTube video by BSides Portland
www.youtube.com
November 16, 2024 at 3:42 AM
Reposted by Ole Villadsen
IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now

Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)
July 6, 2023 at 12:45 PM