Greg Lesnewich
greg-l.bsky.social
oh great, now I’m on bluesky
lol at the names

BUT

Idk anything about defections. What would Park Jin Hyok (or another prolific DPRK operator) have to walk out of Pyongyang with for US/SK services to not just throw dude in prison?

Because CN or RU operators I feel like you jail for use later in a strategic trade.
Australia sanctions North Korean hackers (one person and four entities)

-Park Jin Hyok (WannaCry dude)
-Kimsuky
-Lazarus Group
-Andariel
-Chosun Expo

Presser: www.foreignminister.gov.au/minister/pen...

Sanction details: www.dfat.gov.au/news/news/on...
November 9, 2025 at 8:52 PM
Reposted by Greg Lesnewich
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings: Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
Reposted by Greg Lesnewich
Threat actors are teaming up with organized crime to target truckers — stealing identities, placing fraudulent bids on freight, and making off with the cargo. Their entry point? Emails with links delivering Remote Monitoring and Management (RMM) tools. Together with @selenalarson.bsky.social :
Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US
Key findings: Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight. Cargo theft is a multi-million-dollar criminal
www.proofpoint.com
November 3, 2025 at 10:40 AM
Reposted by Greg Lesnewich
Still testing 🤞

For those able to use #BinaryNinja projects; #BinYars can sort the files into folders based upon the #Yara-X rule metadata field, BNFolder. The folder nesting structure is determined by the number of matches that reside under each folder - check out the video below!
October 26, 2025 at 8:27 AM
Reposted by Greg Lesnewich
It's getting close to being done - #BinYars a #YARA-X #BinaryNinja plugin! Still testing, but plan on open sourcing it for all to use.

Shout out to Remco Sprooten for making this tool (also shown in the video) for quickly drafting Yara rules 💪 github.com/1337-42/Simp...

Video: Part 1 of 2
October 24, 2025 at 8:22 AM
Reposted by Greg Lesnewich
The tool has been released in the Proofpoint Emerging Threats public #GitHub for other defenders to leverage.

Learn more about it here: brnw.ch/21wWSH0

#PDF #threatdetection #cyberthreat
Proofpoint releases innovative detections for threat hunting: PDF Object Hashing | Proofpoint US
Key findings: Proofpoint created a new open-source tool for creating threat detection rules based on unique characteristics in PDFs called “PDF Object Hashing”. This technique can
brnw.ch
October 23, 2025 at 6:05 PM
Reposted by Greg Lesnewich
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆

We use this tool internally to help track multiple threat actors with high confidence.
October 23, 2025 at 6:05 PM
Reposted by Greg Lesnewich
What Athens was to Ancient Greece, NJ is to America
October 20, 2025 at 12:38 AM
Warm October days are great because it’s sunny enough for key lime pie after lunch

And cool enough at night for pumpkin pie after dinner
October 17, 2025 at 3:27 PM
Reposted by Greg Lesnewich
The amazing @cxiao.net is offering training at decoderloop.com for
#Rust #Malware #ReverseEngineering 😱
Her insight is absolutely priceless, she's taught me all I know about this. If you are organizing an event: This is the state-of-the-art training you are looking for.
Decoder Loop | Reverse Engineering Training
decoderloop.com
October 17, 2025 at 6:32 AM
“You can get lost in the Sauce, but without the Sauce, you are lost”

Saw this Timothée Chalamet post elsewhere and immediately thought of @gabagool.ing @bigbadw0lf.bsky.social
October 16, 2025 at 9:50 PM
Reposted by Greg Lesnewich
In C YARA the grammar requires the stuff after the "of" to be a string set (string identifiers or string identifiers with wildcards). YARA-X just takes a tuple of boolean expressions.

This is incredibly useful. You can now say things like:

2 of ($a, pe.exports("foo"), pe.imphash() == "pants")
October 16, 2025 at 5:48 PM
Reposted by Greg Lesnewich
Thanks to @xorhex for an interesting discussion that is worth sharing here. I knew I read this somewhere but here's a fun thing you can do in YARA-X:

2 of ($a*, $b*, 3 of ($c*))

This is documented but not widely known: virustotal.github.io/yara-x/docs/...
Differences with YARA
Documents the differences between YARA-X and YARA.
virustotal.github.io
October 16, 2025 at 5:48 PM
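The two YARA-X posts above show the same feature in fragments. Here is a complete rule, constructed for this note rather than taken from either author, that uses the boolean-tuple form of `of`; the strings, the exported function name and the imphash value are made-up placeholders, not indicators from any real sample.

```yara
import "pe"

rule yarax_boolean_tuple_example
{
    meta:
        description = "Constructed example of YARA-X's boolean-tuple form of 'of'"
        note = "Not from the original posts; all indicators are placeholders"
    strings:
        // Constructed API-name strings typical of process injection (assumed, illustrative)
        $a1 = "VirtualAllocEx" ascii
        $a2 = "WriteProcessMemory" ascii
        // Constructed byte pattern standing in for a loader stub (assumed, illustrative)
        $b1 = { 48 8B 05 ?? ?? ?? ?? 48 85 C0 }
    condition:
        // Only evaluate PE files (MZ header)
        uint16(0) == 0x5A4D and
        // Classic YARA rejects this tuple: every item must be a string identifier.
        // YARA-X accepts arbitrary boolean expressions, including nested quantifiers,
        // so one rule can score heterogeneous evidence and require any two hits.
        2 of (
            all of ($a*),                 // both injection API names present
            $b1,                          // the byte pattern matched
            pe.exports("ServiceMain"),    // exports a function with this (assumed) name
            pe.imphash() == "PLACEHOLDER_IMPHASH_FROM_YOUR_OWN_SAMPLE"
        )
}
```

In classic YARA the same logic would need the tuple split into separate `any of ($a*)`, `$b1` and module checks combined by hand with `and`/`or` counting, which is exactly the verbosity the posts are pointing out that YARA-X removes.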
Reposted by Greg Lesnewich
“sir, the hut has been out-pizza’d”
October 14, 2025 at 12:10 AM
Reposted by Greg Lesnewich
When walking a zip file's central directory structure using #yara-x, `math.max` and `with` are your friends.
October 8, 2025 at 10:41 PM
Reposted by Greg Lesnewich
Quite a bit of CN APT activity in Europe in the past week

strikeready.com/blog/cn-apt-...

As always, if you're interested in tuning your skills, download the samples here github.com/StrikeReady-...
CN APT targets Serbian Government
Mustang Panda continues targeting European governments
strikeready.com
October 3, 2025 at 2:30 PM
Great piece from
@strikereadylabs.com
on a continuation of Operation Roundpress - both a great finding and a walkthrough of how to find, and analyze, these types of XSS phishes

strikeready.com/blog/0day-ic...
0day .ICS attack in the wild
Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s m...
strikeready.com
October 2, 2025 at 5:35 PM
Reposted by Greg Lesnewich
That being said, my true love is still state-affiliated actors (and hybrid ecosystems) engaged in sophisticated high-risk / high-reward attacks with creative and nimble tradecraft 💚 But that's probably due to my experience being on the other side of the microscope lens 😉
October 1, 2025 at 10:22 PM
Reposted by Greg Lesnewich
Actually authoring the report was mainly (but not exclusively) squirrely folks, some with previous experience writing finished intel for the US intelligence community. A couple from a more strategic/policy perspective and a few with more tactical/operational use.
October 1, 2025 at 10:22 PM
Reposted by Greg Lesnewich
Re 2: I had already been following several other state-directed/affiliated threat groups, several of which we had associated MUCDs and individuals identified. APT5, APT8, APT12, APT17, APT18 all come to mind readily as groups that I found *far* more interesting at the time.
October 1, 2025 at 10:22 PM
Reposted by Greg Lesnewich
As both a Jew and a scholar of international affairs (2 degrees!): if someone actually listens to Mamdani’s explanation here and still (a) thinks he supports Hamas and/or (b) is antisemitic, then that person is acting in bad faith and should jump up their own asshole until they suffocate.
Zohran Mamdani calling it a genocide on The View and getting applause.
October 1, 2025 at 5:49 PM
Reposted by Greg Lesnewich
I don’t think I’ve seen a vendor do this before. Just add YARA support.

www.validin.com/blog/yara_hu...
Introducing YARA Rules: Search and Monitor the Internet’s Infrastructure with YARA | Validin
Learn how to threat hunt with YARA rules in the Validin platform using host response data. We show you how to uncover exposed LLM Keys using a YARA rule
www.validin.com
October 1, 2025 at 9:20 AM
Hi @invisig0th.bsky.social been enjoying your recent media appearances with KZ and TBP!

Was wondering two things

1. You’re obviously the lead singer of the APT1 report “band” - Without burning names, can you talk about the make up of the team (skills, backgrounds, etc) +
& what made it special?
September 30, 2025 at 10:30 PM
Reposted by Greg Lesnewich
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives. 1/6
September 26, 2025 at 1:13 PM