Simon Kenin
@k3yp0d.bsky.social
Threat Hunter at SentinelOne | curatedintel.org Member | k3yp0d.blogspot.com | Opinions are of my own voices inside my own head | memes and music are welcome
govextra.gov.il/national-dig...
credit where credit is due, part 2
credit where credit is due, part 2
SpearSpecter
Unmasking Iran’s IRGC Cyber Operations Targeting High-Profile Individuals
The SpearSpecter campaign linked to Iran’s IRGC / APT42 used social engineering and the TAMECAT backdoor to infiltrate high-v...
govextra.gov.il
November 18, 2025 at 9:48 PM
govextra.gov.il/national-dig...
credit where credit is due, part 2
credit where credit is due, part 2
1/4
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df
PDF in Hebrew contains a link to a password protected RAR archive hosted in @dropbox.com
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df
PDF in Hebrew contains a link to a password protected RAR archive hosted in @dropbox.com
November 16, 2025 at 3:36 PM
1/4
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df
PDF in Hebrew contains a link to a password protected RAR archive hosted in @dropbox.com
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df
PDF in Hebrew contains a link to a password protected RAR archive hosted in @dropbox.com
1/5
IRGC + MOIS
Very interesting analysis from @proofpoint.com @saffronsec.bsky.social
www.proofpoint.com/us/blog/thre...
IRGC + MOIS
Very interesting analysis from @proofpoint.com @saffronsec.bsky.social
www.proofpoint.com/us/blog/thre...
two men are standing next to each other in a room .
ALT: two men are standing next to each other in a room .
media.tenor.com
November 7, 2025 at 9:34 PM
1/5
IRGC + MOIS
Very interesting analysis from @proofpoint.com @saffronsec.bsky.social
www.proofpoint.com/us/blog/thre...
IRGC + MOIS
Very interesting analysis from @proofpoint.com @saffronsec.bsky.social
www.proofpoint.com/us/blog/thre...
October 28, 2025 at 5:23 PM
1/5
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT
Email 55ffcf6f4df8ab3f11a405794aa5f4d8
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT
Email 55ffcf6f4df8ab3f11a405794aa5f4d8
October 25, 2025 at 9:19 AM
1/5
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT
Email 55ffcf6f4df8ab3f11a405794aa5f4d8
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT
Email 55ffcf6f4df8ab3f11a405794aa5f4d8
www.youtube.com/watch?v=mSJr...
In the labyrinth of circuits and wires
An electronic maze where the signal fires
Neon pathways gleam with cold and light
In the realm of data, we take our flight
In the labyrinth of circuits and wires
An electronic maze where the signal fires
Neon pathways gleam with cold and light
In the realm of data, we take our flight
Catch One
YouTube video by Juche - Topic
www.youtube.com
October 16, 2025 at 9:02 PM
www.youtube.com/watch?v=mSJr...
In the labyrinth of circuits and wires
An electronic maze where the signal fires
Neon pathways gleam with cold and light
In the realm of data, we take our flight
In the labyrinth of circuits and wires
An electronic maze where the signal fires
Neon pathways gleam with cold and light
In the realm of data, we take our flight
1/4
PDQ which downloads ScreenConnect, the "one weird" RMM trick combo move threat actors don't want you to find out...
PDQ which downloads ScreenConnect, the "one weird" RMM trick combo move threat actors don't want you to find out...
October 5, 2025 at 12:44 PM
1/4
PDQ which downloads ScreenConnect, the "one weird" RMM trick combo move threat actors don't want you to find out...
PDQ which downloads ScreenConnect, the "one weird" RMM trick combo move threat actors don't want you to find out...
github.com/KittenBuster...
It's a Kitten, but it doesn't looking charming to me, completely different TTPs
It's a Kitten, but it doesn't looking charming to me, completely different TTPs
GitHub - KittenBusters/CharmingKitten: Exposing CharmingKitten's malicious activity for IRGC-IO devision Counterintelligence devision (1500)
Exposing CharmingKitten's malicious activity for IRGC-IO devision Counterintelligence devision (1500) - KittenBusters/CharmingKitten
github.com
October 2, 2025 at 1:32 AM
github.com/KittenBuster...
It's a Kitten, but it doesn't looking charming to me, completely different TTPs
It's a Kitten, but it doesn't looking charming to me, completely different TTPs
October 1, 2025 at 12:19 AM
1/3
UNC4444 Watering Hole
vanzen.co[.]il compromised to display an overlay pop-up for 60% discount when registering to the site.
UNC4444 Watering Hole
vanzen.co[.]il compromised to display an overlay pop-up for 60% discount when registering to the site.
September 28, 2025 at 12:33 PM
1/3
UNC4444 Watering Hole
vanzen.co[.]il compromised to display an overlay pop-up for 60% discount when registering to the site.
UNC4444 Watering Hole
vanzen.co[.]il compromised to display an overlay pop-up for 60% discount when registering to the site.
1/8
Sales Contract.pdf
9af100c85c1a58702dfb016c4cb95840
867d16c7150ea010ecbea787bd9939ea4fe93769
688a2ccc09e30bad2d235ce3895afecbbf9b5c5950c8ef2cf3eaba57f6445bb2
Sales Contract.pdf
9af100c85c1a58702dfb016c4cb95840
867d16c7150ea010ecbea787bd9939ea4fe93769
688a2ccc09e30bad2d235ce3895afecbbf9b5c5950c8ef2cf3eaba57f6445bb2
September 28, 2025 at 9:25 AM
1/8
Sales Contract.pdf
9af100c85c1a58702dfb016c4cb95840
867d16c7150ea010ecbea787bd9939ea4fe93769
688a2ccc09e30bad2d235ce3895afecbbf9b5c5950c8ef2cf3eaba57f6445bb2
Sales Contract.pdf
9af100c85c1a58702dfb016c4cb95840
867d16c7150ea010ecbea787bd9939ea4fe93769
688a2ccc09e30bad2d235ce3895afecbbf9b5c5950c8ef2cf3eaba57f6445bb2
New year, new mix.
www.youtube.com/watch?v=7CyB...
www.youtube.com/watch?v=7CyB...
Skeler - H a r d W a v e 夜勤 PART I + II
YouTube video by skeler.
www.youtube.com
September 25, 2025 at 8:13 PM
New year, new mix.
www.youtube.com/watch?v=7CyB...
www.youtube.com/watch?v=7CyB...
labs.watchtowr.com/is-this-bad-... 😍glFTPd 😍
Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)
File transfer used to be simple fun - fire up your favourite FTP client, log in to a glFTPd site, and you were done.
Fast forward to 2025, and the same act requires a procurement team, a web interfac...
labs.watchtowr.com
September 25, 2025 at 2:42 AM
labs.watchtowr.com/is-this-bad-... 😍glFTPd 😍
Baby, your eyes are reflecting the years of many blows
I'm the game they play every day
But you already know
Bruises fade, but scars will form
In this world, there is no shelter from the storm www.youtube.com/watch?v=bAR5...
I'm the game they play every day
But you already know
Bruises fade, but scars will form
In this world, there is no shelter from the storm www.youtube.com/watch?v=bAR5...
Saint Mars - Ocean Blues (feat. Tryzdin ) [Juche Remix]
YouTube video by FOMH
www.youtube.com
September 21, 2025 at 11:17 AM
Baby, your eyes are reflecting the years of many blows
I'm the game they play every day
But you already know
Bruises fade, but scars will form
In this world, there is no shelter from the storm www.youtube.com/watch?v=bAR5...
I'm the game they play every day
But you already know
Bruises fade, but scars will form
In this world, there is no shelter from the storm www.youtube.com/watch?v=bAR5...
www.group-ib.com
September 17, 2025 at 8:30 AM
Reposted by Simon Kenin
Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀
September 4, 2025 at 1:58 PM
Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀
1/7
🎯EDU 🎯
drive.google[.]com/file/d/1KgP4IsEYVV78g8Ofo9GCwmp1ng3kiNlF/view?usp=drive_link ->
Updated 2025 Compensation for NCSU Faculty and Staff.pdf
9db4cccb4745a533ac4c41f8aac2e18bcf7e8198
7158fbc2a796b0c4afe7a2dd63c5c3b76df70ced1c7cd232c570f135b94a9e88
@ncsulibraries.bsky.social
🎯EDU 🎯
drive.google[.]com/file/d/1KgP4IsEYVV78g8Ofo9GCwmp1ng3kiNlF/view?usp=drive_link ->
Updated 2025 Compensation for NCSU Faculty and Staff.pdf
9db4cccb4745a533ac4c41f8aac2e18bcf7e8198
7158fbc2a796b0c4afe7a2dd63c5c3b76df70ced1c7cd232c570f135b94a9e88
@ncsulibraries.bsky.social
September 3, 2025 at 9:32 AM
1/7
🎯EDU 🎯
drive.google[.]com/file/d/1KgP4IsEYVV78g8Ofo9GCwmp1ng3kiNlF/view?usp=drive_link ->
Updated 2025 Compensation for NCSU Faculty and Staff.pdf
9db4cccb4745a533ac4c41f8aac2e18bcf7e8198
7158fbc2a796b0c4afe7a2dd63c5c3b76df70ced1c7cd232c570f135b94a9e88
@ncsulibraries.bsky.social
🎯EDU 🎯
drive.google[.]com/file/d/1KgP4IsEYVV78g8Ofo9GCwmp1ng3kiNlF/view?usp=drive_link ->
Updated 2025 Compensation for NCSU Faculty and Staff.pdf
9db4cccb4745a533ac4c41f8aac2e18bcf7e8198
7158fbc2a796b0c4afe7a2dd63c5c3b76df70ced1c7cd232c570f135b94a9e88
@ncsulibraries.bsky.social
1/4
A.ExE / main.txt
213c7af6fbbe05f9e4f4ed6ee8533a87
6bb092b33f86c0ef2e9d6d0ccb0d1a6f478d3725
f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3
C:/Users/admin/Desktop/quic-reverse-http-tunnel/cmd/client/main.go
GO tunneler using the QUIC protocol linked to UNC2428
A.ExE / main.txt
213c7af6fbbe05f9e4f4ed6ee8533a87
6bb092b33f86c0ef2e9d6d0ccb0d1a6f478d3725
f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3
C:/Users/admin/Desktop/quic-reverse-http-tunnel/cmd/client/main.go
GO tunneler using the QUIC protocol linked to UNC2428
September 1, 2025 at 8:51 PM
1/4
A.ExE / main.txt
213c7af6fbbe05f9e4f4ed6ee8533a87
6bb092b33f86c0ef2e9d6d0ccb0d1a6f478d3725
f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3
C:/Users/admin/Desktop/quic-reverse-http-tunnel/cmd/client/main.go
GO tunneler using the QUIC protocol linked to UNC2428
A.ExE / main.txt
213c7af6fbbe05f9e4f4ed6ee8533a87
6bb092b33f86c0ef2e9d6d0ccb0d1a6f478d3725
f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3
C:/Users/admin/Desktop/quic-reverse-http-tunnel/cmd/client/main.go
GO tunneler using the QUIC protocol linked to UNC2428