Ryan Kalember
kalember.bsky.social
CSO @ Proofpoint. Infosec lifer. Charter member of nerd nation. MacKenzie appreciator. Forza Inter.
Reposted by Ryan Kalember
New research from Proofpoint ‼️

Threat actors are using #phishing tactics to trick users into giving access to #M365 accounts.

⚠️ Successful compromise leads to #accounttakeover, #dataexfiltration, and more.

Blog: brnw.ch/21wYtcM

Here’s what you need to know. 🧵⤵️
December 18, 2025 at 4:56 PM
Reposted by Ryan Kalember
This time of year, threat actors are attempting to send you gifts you’d rather not receive. 🎁

Proofpoint is seeing an increase in holiday-themed threats. Main #phishing lure themes include party invitations, holiday vouchers, end-of-year bonuses, and holiday travel.
December 4, 2025 at 6:32 PM
Reposted by Ryan Kalember
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings: Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
Reposted by Ryan Kalember
Nike's ad for the Dodgers win featuring Kendrick Lamar
November 2, 2025 at 4:29 AM
Reposted by Ryan Kalember
ladies and gentlemen...we got him
October 30, 2025 at 7:10 PM
Reposted by Ryan Kalember
You have to be shitting me... Ohtani homered again
October 18, 2025 at 2:47 AM
Reposted by Ryan Kalember
TA585 is the identifier of the most recent threat actor named by Proofpoint.

The sophisticated cybercriminal, notably, appears to own its entire attack chain with multiple delivery techniques.

Learn about TA585 and one of its favored payloads, MonsterV2: brnw.ch/21wWAAU.
When the monster bytes: tracking TA585 and its arsenal | Proofpoint US
Key findings: TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware
brnw.ch
October 13, 2025 at 8:35 PM
Reposted by Ryan Kalember
Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

Blog: www.proofpoint.com/us/blog/thre....
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US
What happened: Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China
www.proofpoint.com
September 18, 2025 at 5:11 PM
Reposted by Ryan Kalember
Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
September 3, 2025 at 6:23 PM
Reposted by Ryan Kalember
NEW ‼️ Researchers at @Proofpoint revealed an increase in China-aligned cyber #espionage targeting Taiwan’s #semiconductor industry—a sector critical to the global tech #supplychain.

At least 3️⃣ distinct China-aligned threat actors are behind the efforts. brnw.ch/21wUctY
July 16, 2025 at 9:09 PM
Reposted by Ryan Kalember
Just published:

A two-part blog series in collaboration with @threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state.

Part 1: brnw.ch/21wT9A5
Part 2: brnw.ch/21wT9Ad.
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout
brnw.ch
June 4, 2025 at 2:56 PM
Reposted by Ryan Kalember
Feds have seized infrastructure and charged 16 members of a hacker group based in Russia that allegedly sold access to the DanaBot malware, used in everything from cybercrime like bank fraud and ransomware to espionage and DDOS attacks against Ukraine. www.wired.com/story/us-cha...
Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying
A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.
www.wired.com
May 22, 2025 at 7:59 PM
Reposted by Ryan Kalember
Some good news! DanaBot takedown and charges revealed today! This is a massive win for defenders and the community. www.justice.gov/usao-cdca/pr...

Proofpoint also published a brief history of DanaBot today, including examples of the espionage overlap. www.proofpoint.com/us/blog/thre...
16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware which a Russia-based cybercrime organization control...
www.justice.gov
May 22, 2025 at 8:14 PM
Went on DW to discuss the breach at Treasury. Not sure what was more predictable - that the vector was a supply chain attack on a cybersecurity vendor or the pro-PRC bots in the comments m.youtube.com/watch?v=VjA7...
China conducted state-sponsored cyber attack says US Treasury | DW News
YouTube video by DW News
m.youtube.com
January 6, 2025 at 7:41 PM
Reposted by Ryan Kalember
Cybersecurity startup Cyberhaven, which specializes in insider threats, said it is investigating a hack of a single administrative account that spread a malicious version of its Google Chrome browser extension. https://therecord.media/cyberhaven-hack-google-chrome-extension
Cyber startup employee hacked to distribute malicious Chrome extension
Cybersecurity startup Cyberhaven, which specializes in insider threats, said it is investigating a hack of a single administrative account that spread a malicious version of its Google Chrome browser extension.
therecord.media
December 27, 2024 at 2:39 PM
Reposted by Ryan Kalember
Proofpoint has published a report detailing new activity from #TA397 (AKA Bitter), a prominent South Asian advanced persistent threat (APT) group.

The campaign, which took place in November 2024, targeted a defense sector organization in Turkey.

Read the blog: ow.ly/z81o50UshPt.
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US
Key findings: Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. The attack...
ow.ly
December 17, 2024 at 6:00 PM
Reposted by Ryan Kalember
We just launched our new website... please let us know if your RSS feeds or podcatchers are doing anything weird!

Meanwhile, check out the new risky.biz website. You can get everything there -- written content, podcasts/audio and video as well.

A nice website! And it only took me 18 years!
December 12, 2024 at 4:29 AM
'Tis the season of telco and ISP attacks apparently. First Salt Typhoon and now this super interesting campaign: bsky.app/profile/did:...
On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

🧵⤵️
Interesting susp targeted phish targeting an Italian telecom.
1) spoofing swisscom (note 'S', domain just reg'd)
2) leveraging encrypted rar + lnk + self signed pdf reader
3) BGP lure (fits with theme of email; BGP is the third leg in the outage triumvirate)
December 12, 2024 at 9:28 PM
Reposted by Ryan Kalember
Stanford alums have written the university president and provost to protest their handling of a student journalist, who is facing 3 felony accusations after covering a protest:

"It was wrongful for the University to direct his arrest and encourage his prosecution" drive.google.com/file/d/1jIx1...
Stanford alumni letter.pdf
drive.google.com
December 10, 2024 at 1:37 AM
Reposted by Ryan Kalember
This week’s show is up! Go go go!

youtu.be/cstfm5FbRFI
Risky Business Weekly (773): Cybercriminals are dropping like flies in Russia
YouTube video by Risky Business Media
youtu.be
December 4, 2024 at 2:50 AM
Reposted by Ryan Kalember
New episode of DISCARDED where we sit down with the 🐐 Mark Kelly, our lead China analyst, to talk all things China APT! Tune in wherever you get your podcasts. 🔮

Web: www.proofpoint.com/us/podcasts/...

Apple: podcasts.apple.com/us/podcast/d...

Spotify: open.spotify.com/episode/2AtJ...
DISCARDED | Proofpoint | Proofpoint US
www.proofpoint.com
December 4, 2024 at 12:38 AM
Reposted by Ryan Kalember
This week's show is up! We cover Palo Alto Networks' very dumb 0days, big changes coming to Windows, Jen Easterly's imminent departure from CISA and why NSO being bad, in retrospect, might be... good?

Get it as audio from the usual places or from YouTube here:

www.youtube.com/watch?v=Rxye...
Risky Business Weekly (771): Palo Alto's firewall 0days are very, very stupid
YouTube video by Risky Business Media
www.youtube.com
November 20, 2024 at 3:58 AM