Mattysploit
@mattysplo.it
Infosec lurker. Occasional poster. Mostly blog stuff.
https://mattysplo.it
Your last saved meme is your moral philosophy
November 17, 2025 at 4:24 AM
You'll never believe this but Nazi tattoos are really bad, actually
October 22, 2025 at 3:00 PM
Today's theme
September 4, 2025 at 6:01 PM
The Sankey essentially speaks for itself, to save you a read. 339 applications, 66 total interviews (only 26 initial interviews) - 1 job offer. Ghosted 80 times.

So when people say it's brutal - yes. It's currently pretty brutal.
September 1, 2025 at 7:44 PM
Then (believe it or not) used ChatGPT to mass produce 100 different unique "cyber event" scenarios and labelled them appropriately. And - it actually, kind of works pretty well? Labelling by first - then last "Observed Tactic" more accurately captures what an analyst saw and better communicates it.
July 14, 2025 at 3:55 PM
And of course I ended up making my own - originally thinking I'd have to make stuff up, eventually I realized ATT&CK just kind of works for a taxonomy in itself if done cleanly enough. Sort of like biology, just 'Kingdom-Order-Phylum' what you see and it makes a bit more sense than what I tested.
July 14, 2025 at 3:55 PM
To prove that point, I cross-walked a bunch of ATT&CK techniques against three big frameworks to show how they fail. Categories overlap, or don't apply to observed behavior. Not super scientific, but it demonstrates how those events can cluster and an analyst has to just pick a label.
July 14, 2025 at 3:55 PM
Only up
July 14, 2025 at 4:35 AM
June 25, 2025 at 1:58 PM
Each fake app in the dashboard points to a static HTML trap hosted on Azure Static Web Apps or Cloudflare Pages. Want a fake SharePoint? Clone the UI in 15 mins, add some fake docs. Fake VPN? No need to hang some open SSH bait out in the open, you just put the whole thing behind a tile.
June 23, 2025 at 3:20 PM
If I threw up a free Cloudflare page with some CanaryTokens on it, nobody would take it seriously out on the internet. But behind a tile? Clearly it must be pRoDuCtIoN /s. I'm curious if an attacker even checks the URL bar after popping through a dashboard like this.
June 23, 2025 at 3:20 PM
This lets you simulate real identity flows—credential stuffing, MFA fatigue, password sprays—without touching production. You can even add basic login automation for realism, like scheduled logins or profile updates.
June 23, 2025 at 3:20 PM
Since Okta doesn't require domain verification, the big advantage here is.. just make up some fake employees.. and build an SSO dashboard full of fake internal apps. To an attacker, there's functionally no way to tell the difference between the two and once inside - it looks totally legit by design.
June 23, 2025 at 3:20 PM
But frankly, why stop there? With the C2 on the farm's ISP connection and as lightweight as an ARP rebroadcast is - you could feasibly just have a bunch of these all meshed together. I'm betting this is what is happening. It scales. It's cheap. There's redundancy.
June 13, 2025 at 6:04 PM
What Sygnia doesn't speculate on, but I'm happy to shout at clouds about, is how this might work more commonly. Putting it all together, a RasPi HID and Controller C2 via ARP is - dare I say, clever? Rebroadcast over ARP would allow command injection and C2 completely outside detection - all local LAN.
June 13, 2025 at 6:04 PM
The C2 also contains references to Zoom meetings and Remote Control. I've seen this myself, where a foreign remote worker simply takes screen control within a Zoom meeting and works all day through screen share. It works.. low detection.. This code here is Linux stuff though, which isn't common.
June 13, 2025 at 6:04 PM
Taken in context with this portion, a decoded write to /dev/hidg0 (the device file in Linux that represents a virtual HID), you might be able to start piecing together how this likely works at scale. In other words, if the ARP listen/rebroadcast is nested with the HID write - gotta be a Pi or similar.
June 13, 2025 at 6:04 PM
They don't speculate too much but I'm just 'some guy' so I'm happy to. The code they found on that box is a WebSocket based C2 framework, with an interesting twist: an ARP rebroadcast and listener module:
June 13, 2025 at 6:04 PM