Saher
@saffronsec.bsky.social
Threat Research @ Proofpoint. Former @virtualroutes.bsky.social fellow. @warstudieskcl.bsky.social alum. She/her
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Check out the newest intel conference to discover the latest insights into all kinds of statecraft!
The SOS conference is officially THREE months away! On October 28, we gather to discuss the latest developments in nation-state operations with leading experts!
⏰ CFP Ends September 1st!
🐧 Early Bird Tickets almost sold out!
🕵️ Come talk espionage, sabotage, ORBATs, and more!
stateofstatecraft.com
⏰ CFP Ends September 1st!
🐧 Early Bird Tickets almost sold out!
🕵️ Come talk espionage, sabotage, ORBATs, and more!
stateofstatecraft.com
July 28, 2025 at 10:17 AM
Check out the newest intel conference to discover the latest insights into all kinds of statecraft!
Bonus: great coverage of our research in an exclusive from one of my fave reporters @ajvicens.bsky.social www.reuters.com/sustainabili...
July 17, 2025 at 8:52 AM
Bonus: great coverage of our research in an exclusive from one of my fave reporters @ajvicens.bsky.social www.reuters.com/sustainabili...
New from the one and only pun-king @mkyo.bsky.social on the increased and ongoing Chinese targeting of semiconductor-related organisations in Taiwan. Edge device exploitation may be the TTP of the moment, but Chinese groups still go phishing when the chips are down www.proofpoint.com/us/blog/thre...
Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting | Proofpoint US
Key findings Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese
www.proofpoint.com
July 17, 2025 at 8:44 AM
New from the one and only pun-king @mkyo.bsky.social on the increased and ongoing Chinese targeting of semiconductor-related organisations in Taiwan. Edge device exploitation may be the TTP of the moment, but Chinese groups still go phishing when the chips are down www.proofpoint.com/us/blog/thre...
New DISCARDED podcast drop! Join
@greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...
@greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...
Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook
Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 07/01/2025 · 53m
podcasts.apple.com
July 1, 2025 at 4:22 PM
New DISCARDED podcast drop! Join
@greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...
@greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...
Reposted by Saher
Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social it’s got it all:
🛰️ Popped routers for sending phish
📊 ACH on attribution
👾 custom protocols
👽 cool malware
🕵️ crime
🎯 espionage
❔many unanswered questions
www.proofpoint.com/us/blog/thre...
🛰️ Popped routers for sending phish
📊 ACH on attribution
👾 custom protocols
👽 cool malware
🕵️ crime
🎯 espionage
❔many unanswered questions
www.proofpoint.com/us/blog/thre...
10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US
Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity. Key takeaways
www.proofpoint.com
June 30, 2025 at 10:04 AM
Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social it’s got it all:
🛰️ Popped routers for sending phish
📊 ACH on attribution
👾 custom protocols
👽 cool malware
🕵️ crime
🎯 espionage
❔many unanswered questions
www.proofpoint.com/us/blog/thre...
🛰️ Popped routers for sending phish
📊 ACH on attribution
👾 custom protocols
👽 cool malware
🕵️ crime
🎯 espionage
❔many unanswered questions
www.proofpoint.com/us/blog/thre...
From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout
www.proofpoint.com
June 4, 2025 at 11:09 AM
From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...
Check out the new DISCARDED episode! Had too much fun recording my first podcast with @selenalarson.bsky.social and Sarah on my ClickFix crossover blog!!
Podcast: podcasts.apple.com/us/podcast/d...
Blog: www.proofpoint.com/us/blog/thre...
Podcast: podcasts.apple.com/us/podcast/d...
Blog: www.proofpoint.com/us/blog/thre...
The ClickFix Convergence: How Threat Actors Blur the Lines
Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 05/14/2025 · 36m
podcasts.apple.com
May 15, 2025 at 3:04 PM
Check out the new DISCARDED episode! Had too much fun recording my first podcast with @selenalarson.bsky.social and Sarah on my ClickFix crossover blog!!
Podcast: podcasts.apple.com/us/podcast/d...
Blog: www.proofpoint.com/us/blog/thre...
Podcast: podcasts.apple.com/us/podcast/d...
Blog: www.proofpoint.com/us/blog/thre...
@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...
TA406 Pivots to the Front | Proofpoint US
What happened In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these
www.proofpoint.com
May 13, 2025 at 9:53 AM
@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...
Thanks to my favorite team buddies for their collab and indulging my slight obsession 💜 @greg-l.bsky.social @mkyo.bsky.social and Josh
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...
Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US
Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social
www.proofpoint.com
April 18, 2025 at 12:54 PM
Thanks to my favorite team buddies for their collab and indulging my slight obsession 💜 @greg-l.bsky.social @mkyo.bsky.social and Josh
Reposted by Saher
You love to see it! Talented super friends beating up on the bad guys
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...
Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US
Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social
www.proofpoint.com
April 17, 2025 at 3:17 PM
You love to see it! Talented super friends beating up on the bad guys
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...
Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US
Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social
www.proofpoint.com
April 17, 2025 at 11:12 AM
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...