Tom Hegel
@hegel.bsky.social
Distinguished Threat Researcher, Research Lead @SentinelOne.
Advisor with @ValidinLLC.
https://tomhegel.com/blog.html
Hefty new drop w/ @milenkowski.bsky.social

China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

www.sentinelone.com/labs/follow-...
June 9, 2025 at 4:42 PM
NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!
May 8, 2025 at 3:39 PM
Incredibly excited to drop some new research alongside @kennethkinion.bsky.social and Sreekar Madabushi at this year's @pivotcon.bsky.social
March 10, 2025 at 1:59 PM
136.244.115.219 is very similar, with lots of other domains, extension themed, going back to early 2024. I fully expect more pivots can be found with minimal effort.

🔹 IOC List (both): pastebin.com/8vKED1NC
🔹 Heavy Namecheap use for registering
December 27, 2024 at 5:47 AM
Infra breakdown:

Newest activity is sitting on 149.28.124.84 (🇺🇸 AS 20473 CHOOPA). One of the first related domains on this is ext.linewizeconnect[.]com, which has its root domain sitting on 136.244.115.219 (🇺🇸 AS 20473 CHOOPA).

🔹 Timeline from Validin (h/t @kennethkinion.bsky.social)
December 27, 2024 at 5:47 AM
December 12, 2024 at 6:34 PM
Incredible research from the @volexity.com crew here -- a must read!
November 22, 2024 at 5:40 PM
4/4:
Sunlotustech resolving to 103.103.128[.]165. Live but struggling to function; however, the content lines up with Softiba IT Solutions, a legitimate organization based in Istanbul.

So, some additional work required here, but sunlotustech overall fits the profile. Happy hunting!
November 21, 2024 at 6:07 PM
3/4:
Look at the matching registration results tab, and filter by NameCheap (commonly used, as noted in the blog).

Results show two interesting domains, one of which certainly fits our profile of tech orgs -- sunlotustech[.]com
November 21, 2024 at 6:07 PM
2/4:
For the ambitious out there, here are some bonus pivots and additional findings worth exploring! h/t @kennethkinion.bsky.social

In Validin, take one of our domains (inditechlab[.]com in this case) and pivot on the exact second at which the registration was changed by the actor. Check out 2024-04-10T17:14:08Z
November 21, 2024 at 6:07 PM
Deny and deflect baby, love it.
November 11, 2024 at 8:31 PM
👀👉 We uploaded Stage 2 to VT:
virustotal.com/gui/file/bd2...

Enjoy!
November 7, 2024 at 6:54 PM
Big thank you to the #FTSCon / @volexity.bsky.social team for the invite to come and share my research. Outstanding event with such quality talks. Highly recommend adding it to your CTI conference list. 💜
October 23, 2024 at 9:00 PM
The Old Church - such a unique conference venue (The Hague TIX)
June 12, 2023 at 7:08 AM
- Interesting new APT research from Group-IB --- "Dark Pink expanded its operations to Belgium, Brunei, and Thailand". https://www.group-ib.com/blog/dark-pink-episode-2/

- Great summary from @ajvicens.bsky.social --> https://cyberscoop.com/hacking-southeast-asia-dark-pink/
May 31, 2023 at 3:37 PM