ThreatInsight
@threatinsight.proofpoint.com
Proofpoint's insights on targeted attacks and the cybersecurity threat landscape.
Proofpoint Discarded is a wrap for 2025! 🎬 Our last episode of the year offers grounded, experience-driven perspectives on what really mattered in 2025.

Stream now for an end-of-year look at how the cyber threat landscape evolved—and what defenders need to know as we enter 2026.

🎧: brnw.ch/21wYKI6
December 31, 2025 at 8:01 PM
New research from Proofpoint ‼️

Threat actors are using #phishing tactics to trick users into giving access to #M365 accounts.

⚠️ Successful compromise leads to #accounttakeover, #dataexfiltration, and more.

Blog: brnw.ch/21wYtcM

Here’s what you need to know. 🧵⤵️
December 18, 2025 at 4:56 PM
Iran's cyber operations are now a formidable challenge for organizations.

Our observations of #UNK_SmudgedSerpent, a newly identified cluster linked to Iran, exemplify the evolving complexity and resourcefulness of the country's modern threat ops.

Saher Naumaan shared her insights. brnw.ch/21wYrCZ
December 17, 2025 at 7:23 PM
WHAT 👏 A 👏 YEAR! Our Discarded podcast increased its listenership by 188% in 2025, and that's all because of 𝘺𝘰𝘶. 🎙️

Here, @selenalarson.bsky.social shares her gratitude and a look at what’s to come in the new year.

Stay tuned for more threat insight and behind-the-scenes analysis in 2026! 🎊
December 16, 2025 at 8:15 PM
New Discarded podcast ‼️

Join our ho-ho-hosts for a fun, insightful and very festive episode that highlights the seasonal threats that might be landing under your digital tree this year. ⛄

Stream now to explore how cybercriminals use seasonal themes to trick consumers & enterprises. brnw.ch/21wYf9o
December 10, 2025 at 8:49 PM
This time of year, threat actors are attempting to send you gifts you’d rather not receive. 🎁

Proofpoint is seeing an increase in holiday-themed threats. Main #phishing lure themes include party invitations, holiday vouchers, end-of-year bonuses, and holiday travel.
December 4, 2025 at 6:32 PM
Proofpoint's Emerging Threats "rule magician," Tony Robinson, is featured on this latest Discarded #podcast episode. 🪄

Listen as he shares the story behind his open-source tool, IoT Hunter, and explains how, through automation, it helps defenders cover hundreds of CVEs. brnw.ch/21wXDRr
November 19, 2025 at 10:09 PM
Proofpoint is proud to have assisted law enforcement in the #OperationEndgame investigation that led to the November 13, 2025 disruption of #Rhadamanthys and #VenomRAT, both malicious infrastructure used by multiple cybercriminals.

Rhadamanthys: brnw.ch/21wXsCc
VenomRAT: brnw.ch/21wXsCd
November 13, 2025 at 3:55 PM
Proofpoint researchers say with high confidence that cybercriminals are working with organized crime groups to commit physical cargo theft. 🚚

@bloomberg.com spoke with our #ecrime experts who warned, "It is a full-scale supply chain threat."

Read the article: www.bloomberg.com/news/article....
Hackers and Crime Rings Are Teaming Up to Steal Cargo, Cyber Firm Says
Hackers are infiltrating trucking and freight companies in a scheme to steal and sell cargo shipments, a growing campaign that could end up costing companies and consumers billions of dollars, accordi...
November 11, 2025 at 12:07 AM
New research from @ThreatInsight 🚨 Deviations in typical activities by known Iranian-linked threat actors have resulted in Proofpoint threat researchers naming a new temporary threat actor cluster, UNK_SmudgedSerpent.

Blog: www.proofpoint.com/us/blog/thre...
November 6, 2025 at 5:05 PM
From Old West train robbers 🚂 to 1960s mobsters 💰, #cargotheft is an age-old problem.

Today, cargo theft is commonly conducted digitally by hacking the #supplychain to exploit gaps and steal #freight remotely.

🧵⤵️
November 3, 2025 at 1:45 PM
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆

We use this tool internally to help track multiple threat actors with high confidence.
October 23, 2025 at 6:05 PM
With the goal of better understanding cloud account takeover (#ATO) attacks, we developed a tool that automates the creation of malicious internal apps within a #compromised #cloud environment.

Here, we detail our findings and security implications. ⤵️ brnw.ch/21wWOgL
Beyond credentials: weaponizing OAuth applications for persistent cloud access | Proofpoint US
Key takeaways: OAuth applications can be used to gain persistent access within compromised environments. OAuth applications maintain their authorized access even if user
October 21, 2025 at 5:51 PM
Since 14 October, we’ve tracked a high-volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.

Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.
October 20, 2025 at 9:31 PM
TA585 is the identifier of the most recent threat actor named by Proofpoint.

The sophisticated cybercriminal, notably, appears to own its entire attack chain with multiple delivery techniques.

Learn about TA585 and one of its favored payloads, MonsterV2: brnw.ch/21wWAAU.
When the monster bytes: tracking TA585 and its arsenal | Proofpoint US
Key findings: TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware
October 13, 2025 at 8:35 PM
Researchers at Proofpoint have uncovered a recent brute force campaign, tracked as UNK_CustomCloak, targeting the first-party app, Windows Live Custom Domains.

Activity was observed from September 20-30, affecting nearly half a million users in over 4,000 tenants.
October 10, 2025 at 3:40 PM
Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

Blog: www.proofpoint.com/us/blog/thre....
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US
What happened: Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China
September 18, 2025 at 5:11 PM
Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
September 3, 2025 at 6:23 PM
Threat actors are exploiting #Microsoft365 Direct Send to make their phishing campaigns appear to originate from inside an organization.

On this episode of DISCARDED, you'll hear why legacy features like Direct Send are a prime target for cybercriminals.

Stream now on our website: brnw.ch/21wVja5
August 29, 2025 at 8:09 PM
Something #spicy is coming to the next Only Malware in the Building podcast—dropping September 2. 🌶️

Bookmark the show page and reserve your seat at the table 🪑 alongside Selena Larson, Dave Bittner and Keith Mularski.

🔥 You won't want to miss it! thecyberwire.com/podcasts/onl...

#podcast #hotones
August 21, 2025 at 7:15 PM
You asked, we answered. AI tools are significantly lowering the barrier to entry for cybercriminals.

We have observed threat actor campaigns leveraging the AI-generated website builder Lovable to create and host cred phishing, malware, and fraud websites.

Learn more in our blog: brnw.ch/21wV3Zo
August 20, 2025 at 3:40 PM
Proofpoint identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys.

We first spotted this post by ANY.RUN about ClickFix delivering Rhadamanthys and began investigating. infosec.exchange/@anyrun_app/...
ANY.RUN (@anyrun_app@infosec.exchange)
#IOCs: SHA256:
560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346
8b079bae684fd287c605de8acae338401a76a412c6a802faf2cf6e9ec0cf6224
0ba3b2871e0ad3b4fba615ea76e2d5f7cefa80e87468c6dcfc9b4...
August 18, 2025 at 6:31 PM
Threat researchers from Proofpoint have found a way to sidestep FIDO-based #authentication, a discovery that could expose targets to credential phishing attacks, account takeover (#ATO), and adversary-in-the-middle (AiTM) threats.

#FIDO #MFA

All the details in our blog: brnw.ch/21wURuW.
Don’t Phish-let Me Down: FIDO Authentication Downgrade | Proofpoint US
Key takeaways: FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats.
August 12, 2025 at 7:00 PM
In a new technical blog, Proofpoint threat researchers detailed their observations of threat actors impersonating well-known enterprises with fake #Microsoft #OAuth applications that redirect to malicious URLs, enabling credential phishing. brnw.ch/21wUA69
Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing | Proofpoint US
Key findings: Threat actors are impersonating various enterprises with fake Microsoft OAuth applications to steal credentials. These campaigns bypass multifactor authentication
July 31, 2025 at 11:44 PM
Each threat actor has its own tactics, techniques, and procedures (TTPs).

On this DISCARDED episode, we discuss the chaotic brilliance of mid-tier eCrime actors, why shared commodity tooling can make attribution difficult, why TA582 is so interesting, and much more.

Stream here 👉 brnw.ch/21wUw3L
July 29, 2025 at 6:46 PM