SentinelLABS
@sentinellabs.bsky.social
We are the Threat Intelligence and Malware Analysis team of
@sentinelone.com
https://sentinellabs.com
https://labscon.io
🔥 New Research from @hegel.bsky.social 🔥
PhantomCaptcha: A short-lived, multi-stage PowerShell and WebSocket RAT operation targeting Ukraine-linked humanitarian and government entities.
Full report: s1.ai/pcapt
PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation
SentinelLABS uncovers a coordinated spearphishing campaign targeting organizations critical to Ukraine's war relief efforts.
s1.ai
October 22, 2025 at 10:46 PM
🔥🔥 Fresh research drop live from #labscon Arizona. @alex.leetnoob.com and @morecoffeeplz.bsky.social with @vkamluk.bsky.social
The Hunt for LLM-enabled malware #ai #cyber #threatintel
s1.ai/llm-mw
Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware
LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.
s1.ai
September 19, 2025 at 5:07 PM
Reddit AMA with our very own @dakotaindc.bsky.social—ask him anything here: www.reddit.com/r/geopolitic...
September 13, 2025 at 9:42 PM
Reposted by SentinelLABS
🚨New research drop: Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
It was a pleasure collaborating with Sreekar Madabushi and @kennethkinion.bsky.social from Validin!
Read our blog post: s1.ai/nk-ops
Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.
s1.ai
September 4, 2025 at 10:33 AM
Reposted by SentinelLABS
🏆 Bragging rights, a $100K Prize Pool, and an all-expenses-paid trip to SentinelOne’s OneCon conference in Las Vegas. 🎰 Step up, test your skills, and claim your crown 👑
Sign up below (includes details on terms and conditions):
Threat Hunting World Championship 2025 | SentinelOne
Win from a $100K prize pool in SentinelOne’s 2025 Threat Hunting Championship. Compete in detection challenges. Register today!
s1.ai
August 26, 2025 at 7:16 PM
Reposted by SentinelLABS
The Cyber Patents China Didn’t Want Us to Find: @dakotaindc.bsky.social and @sentinellabs.bsky.social uncovered 10+ patents for highly intrusive forensics and data collection tools—filed by companies named in U.S. gov't. indictments for working with the Chinese Hafnium (aka Silk Typhoon) APT group.
China’s Covert Capabilities | Silk Spun From Hafnium
China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.
s1.ai
August 25, 2025 at 7:29 PM
🔥 Fresh from the LABS team and our friends at Beazley Security 👇https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/
Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.
www.sentinelone.com
August 6, 2025 at 1:55 PM
Reposted by SentinelLABS
Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain:
labs.beazley.security/articles/gho...
Thanks for the fantastic collab SentinelLabs team!
BSL - Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
labs.beazley.security
August 4, 2025 at 5:58 PM
🌀🔥… the complex relationship btw CN APTs🕵️♂️ and CN PSOAs 🇨🇳 makes attribution even more challenging than defenders might have supposed. #cti #threatintel #hafnium #silktyphoon @dakotaindc.bsky.social
www.sentinelone.com/labs/chinas-...
China’s Covert Capabilities | Silk Spun From Hafnium
China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.
www.sentinelone.com
July 30, 2025 at 2:26 PM
Reposted by SentinelLABS
This week's show is YouTube ready @craiu.bsky.social @jags.bsky.social
🔥 Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days
youtu.be/3GJuVGmpexA
Microsoft Sharepoint Security Crisis: Faulty Patches, Zero-Day Exploits
YouTube video by Three Buddy Problem
youtu.be
July 27, 2025 at 12:47 PM
🚨 SentinelOne Uncovers 3 Distinct Attack Clusters Targeting Microsoft SharePoint: As part of the “ToolShell” Zero-Day being exploited in-the-wild, our threat researchers have identified three distinct attack clusters, each with unique tradecraft and objectives.
SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers
SentinelOne shares distinct attack clusters and a detailed timeline of events on an active exploit of the ToolShell 0-day in MS SharePoint.
s1.ai
July 27, 2025 at 1:05 PM
Reposted by SentinelLABS
👀 Apple: “macOS is secure by design.”
💻 Meanwhile, in /Users/Shared:
🕵️♂️ Persistent Malware masquerading as Apple “agent”
>> Khepri beacon in /tmp
📦 Ad-hoc signed payloads
🌍 Targeting Chinese diaspora
Deep dive from Dinesh Devadoss and me 👉 s1.ai/zuru
#icymi #macOS #malware #APT #infosec
macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App
ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets.
s1.ai
July 27, 2025 at 12:17 PM
💥 Fresh from LABS @philofishal.bsky.social and @syrion89.bsky.social
Our guys untangle the knots of #NimDoor: compiled Nim, macOS process injection and signals-based persistence triggers, with AppleScript (⁉️) beacons (whatever will they think up next 😅) 🌶️🌶️.
#dprk #apt #macOS
s1.ai/nimdoor
macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
NimDoor reflects a leap in DPRK’s offensive toolkit, mixing compile-time trickery with native scripting to complicate and deter analysis.
s1.ai
July 2, 2025 at 12:03 PM
Reposted by SentinelLABS
This week's show is a three-hour deep dive into Predatory Sparrow and the long-simmering Iran-Israel cyberwar (with @darkcell.bsky.social @craiu.bsky.social @jags.bsky.social youtu.be/MKKzHseTUUQ?...
Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
YouTube video by Three Buddy Problem
youtu.be
June 21, 2025 at 5:55 PM
Reposted by SentinelLABS
"The best netflow comes from asking friends for favors." -- @jags.bsky.social @craiu.bsky.social
June 14, 2025 at 4:16 PM
Reposted by SentinelLABS
We just released our findings on long-term activity clusters attributed to China-nexus actors.
We discuss a relatively underreported, yet critical, aspect of the threat landscape: the targeting of cybersecurity vendors.
Big shout out to Lumen's Black Lotus Labs for their support! [1/2]
June 9, 2025 at 11:42 AM
Reposted by SentinelLABS
From PhD work to award-winning cybercrime research, @milenkowski.bsky.social of SentinelLABS is a force in malware analysis.
Catch his talk at #SLEUTHCON 2025!
🎟️ Grab your ticket today >>> www.sleuthcon.com
#CyberThreatIntel #InfosecEvents
May 1, 2025 at 5:50 PM
Reposted by SentinelLABS
📄 Read the full research: s1.ai/TopTier
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
s1.ai
April 29, 2025 at 7:06 PM
Reposted by SentinelLABS
Love when we can talk about how dynamic the threat landscape actually is. The scope and scale of the DPRK IT workers effort alone surprised me as we worked it. Also love @sentinelone.com let us discuss this openly and viewed it as important to do so.
www.sentinelone.com/labs/top-tie...
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
www.sentinelone.com
April 28, 2025 at 8:57 PM
Reposted by SentinelLABS
Appreciate the shoutout @jags.bsky.social (and that you aced my last name)! If you don’t listen to the Three Buddy Podcast yet, it is absolutely amazing and you should!
open.spotify.com/show/6dXbRag...
Tom Rid joins the show: AI consciousness, TP-Link's China connection, trust in hardware security
open.spotify.com
April 25, 2025 at 8:28 PM
Reposted by SentinelLABS
At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.
April 24, 2025 at 2:31 PM
Reposted by SentinelLABS
Very excited to share that I’ll be presenting at @sleuthcon.bsky.social in June!
Jim & I will share the backstory behind AkiraBot that didn’t make it into the blog—and what they’ve been up to since.
April 25, 2025 at 7:13 PM