X_Hunt3r
@x-hunt3r.bsky.social
Threat Hunting & Research, Network Forensics | Principal Threat Analyst @ Recorded Future | "Undesirable" | Member CuratedIntel | Views and opinions are my own
Great work by Sekoia uncovering new #BlueDelta #APT28 #Sofacy #FancyBear #ForestBlizzard #TAG110 malware samples. Linked to CERT-UA’s BeardShell & Covenant frameworks + revealed fresh weaponized docs & subtle TTPs. Activity ties to Russia-nexus ops incl. Double-Tap. blog.sekoia.io/apt28-operat...
APT28 Operation Phantom Net Voxel
APT28 Operation Phantom Net Voxel: weaponized Office lures, COM-hijack DLL, PNG stego to Covenant Grunt via Koofr, BeardShell on icedrive.
blog.sekoia.io
September 16, 2025 at 9:24 AM
Reposted by X_Hunt3r
Ukraine claims cyberattacks on Russian election systems; Moscow confirms disruptions
therecord.media/ukraine-clai...
Ukraine said it was responsible for disrupting websites related to Russian election infrastructure as voters went to the polls in occupied territories.
therecord.media
September 15, 2025 at 10:06 PM
Reposted by X_Hunt3r
New report published today from our team at Recorded Future: “Russian Influence Assets Converge on Moldovan Elections”

www.recordedfuture.com/research/rus...
Russian Influence Assets Converge on Moldovan Elections
Ahead of Moldova’s 2025 elections, Russia-linked influence operations seek to undermine EU integration, discredit President Sandu, and destabilize democratic processes through coordinated disinformati...
www.recordedfuture.com
September 3, 2025 at 2:36 PM
Reposted by X_Hunt3r
This report on Stark Industries is a fantastic case study in the cat-and-mouse game between hosting providers and law enforcement. The new "Threat Activity Enabler" (TAE) terminology is spot-on and highlights the critical role these providers play in the cybercrime ecosystem.
1/ Today, we published “One Step Ahead: Stark Industries Solutions Preempts EU Sanctions,” revealing how hosting provider #StarkIndustries executed a multi-phase restructuring of its operations, beginning up to a month before #EU sanctions.
August 27, 2025 at 2:57 PM
Reposted by X_Hunt3r
Scandi noir meets The Wire...

🇫🇮🚢

The captain of a Russia-linked oil tanker that damaged five subsea cables in the Baltic Sea on Christmas Day was instructed by his shipping company to destroy evidence after the ship was seized by Finnish authorities, according to a wiretap transcript.
Finnish police wiretap reveals Russian ‘shadow fleet’ captain instructed to destroy evidence
The captain of a Russia-linked oil tanker that damaged five subsea cables in the Baltic Sea was reportedly instructed to destroy evidence after the ship was seized by authorities.
therecord.media
August 27, 2025 at 12:33 PM
Is it really 2025?! Cisco Smart Install and SNMP brute attacks... We are giving the FSB an easy ride. Great report by the Talos team! blog.talosintelligence.com/static-tundra/
Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.
blog.talosintelligence.com
August 21, 2025 at 8:30 AM
Fantastic new report by @julianferdinand.bsky.social and @aejleslie.bsky.social exposing Lumma’s vast info-stealing ecosystem—where affiliates juggle scams, MaaS platforms, and evasion tools to stay ahead of defenders💪 Great work team 🔥
1/ Today, we release a first-of-its-kind analysis of a set of Lumma affiliates within a vast info-stealing ecosystem, showing their interconnectedness and resilience even after major law enforcement takedown attempts earlier this year: www.recordedfuture.com/research/beh...
Behind the Curtain: How Lumma Affiliates Operate
Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.
www.recordedfuture.com
August 21, 2025 at 8:23 AM
Reposted by X_Hunt3r
Saher's first blog on the scourge that is ClickFix usage in the espionage space!!

Had to sneak in the UNK_RemoteRogue RDP shenanigans as well - a thus far unattributed group we assess to be Russia-aligned, using a pretty fun set of email tactics
April 17, 2025 at 12:22 PM
Reposted by X_Hunt3r
Attention!

Check your Compromised Website Report for critical events tagged “fortinet-compromised” and follow Fortinet's mitigation advice on compromised devices:

fortinet.com/blog/psirt-b...

Data available from 2025-04-11+

shadowserver.org/what-we-do/n...
April 12, 2025 at 12:15 PM
Reposted by X_Hunt3r
Snoop, a Romanian investigative journalism outlet, has linked an online advertising company named AdNow to intelligence officials from Russia's FSB and SVR services

snoop.ro/pe-urmele-ba...
March 4, 2025 at 2:15 PM
Reposted by X_Hunt3r
🪡 Our 2024 Malicious Infrastructure Report showcases the results of our detections across hundreds of malware families and threat actors, revealing victims in 200+ countries and highlighting the global scale of cyber threats.
Blog: www.recordedfuture.com/research/202... (1/10)
February 28, 2025 at 3:03 PM
Reposted by X_Hunt3r
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...

#dfir #threatintel #m365security
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...
www.volexity.com
February 13, 2025 at 10:39 PM
New Insikt Report just landed: RedMike AKA Salt Typhoon targeting of Global Telcos.
www.recordedfuture.com/research/red...
www.recordedfuture.com
February 13, 2025 at 10:25 AM
Reposted by X_Hunt3r
🔥 Live streams resume this week! Greg Lesnewich joins us to talk about 100 Days of Yara, some Yara rule tips and the current state of email-borne threats!

https://buff.ly/4gukMSN

🗓️ Thursday at 2pm CST
100 Days of Yara, Yara Rule Tips and The Current State of Email borne Threats with Greg Lesnewich
Yara is one of the most versatile tools in cyber security. Come learn about creating effective and efficient rules with the creator of the 100 Days of Yara, ...
buff.ly
February 10, 2025 at 7:01 PM
Reposted by X_Hunt3r
Ukrainian military officials, lawmakers, and experts are discussing the creation of a separate branch of Ukraine's Armed Forces dedicated to cyberspace operations, according to the General Staff of Ukraine.
kyivindependent.com/ukraine-cons...
Ukrainian military considering creation of new cyber army branch
Ukrainian military, lawmakers, and experts discussed the creation of a separate branch of Ukraine's Armed Forces dedicated to cyberspace operations, the General Staff said on Oct. 24.
kyivindependent.com
January 28, 2025 at 4:32 PM
Reposted by X_Hunt3r
New report! Check it out.

This research examines the operations of Crazy Evil — a Russian-speaking “traffer team” and cryptoscam gang — which has victimized thousands of people with infostealer malware.

Blog: www.recordedfuture.com/research/cra...

PDF: go.recordedfuture.com/hubfs/report...
"Crazy Evil" Cryptoscam Gang: Unmasking a Global Threat in 2024
Explore how the "Crazy Evil" cryptoscam gang operates, infecting thousands worldwide with infostealer malware. Learn how its tactics pose a threat to the Web3 ecosystem and digital asset security.
www.recordedfuture.com
January 23, 2025 at 4:42 PM
Reposted by X_Hunt3r
New Blog! Tracking Adversaries: Ghostwriter APT Infrastructure 🇧🇾

blog.bushidotoken.net/2025/01/trac...
Tracking Adversaries: Ghostwriter APT Infrastructure
CTI, threat intelligence, OSINT, malware, APT, threat hunting, threat analysis, CTF, cybersecurity, security
blog.bushidotoken.net
January 20, 2025 at 10:35 AM
Reposted by X_Hunt3r
UK domain giant Nominet confirms cybersecurity incident linked to Ivanti VPN hacks
Nominet, the U.K. domain registry that maintains .co.uk domains, has experienced a cybersecurity incident that it confirmed is linked to the recent exploitation of a new Ivanti VPN vulnerability. In an email to customers, seen by TechCrunch, Nominet…
tcrn.ch
January 13, 2025 at 12:20 PM
Reposted by X_Hunt3r
New report! Check it out.

This research examines the global proliferation of Russian surveillance technologies, their use by repressive governments, and possible data-sharing with Russian intelligence.

Blog: www.recordedfuture.com/research/tra...

PDF: go.recordedfuture.com/hubfs/report...
Unveiling Russian Surveillance Tech Expansion in Central Asia and Latin America
A new report by Recorded Future’s Insikt Group finds that countries across Central Asia and Latin America are increasingly basing their digital surveillance practices on Russia's System for Operative ...
www.recordedfuture.com
January 7, 2025 at 4:47 PM
Reposted by X_Hunt3r
DOOM-based CAPTCHA system

doom-captcha.vercel.app
DOOM® CAPTCHA
Prove you're human by playing DOOM
doom-captcha.vercel.app
January 2, 2025 at 4:58 PM
Russia's 'Sovereign Runet' initiative aims to isolate its internet from the global web, posing significant challenges to the cybercrime underworld that thrives on international connectivity. #CyberSecurity #Runet
www.cybercrimediaries.com/post/russia-...
Russia's Sovereign RuNet: A Challenge to the Cybercrime Underworld?
In this blog, we will explore the extent to which the legislative and technical evolutions of the RuNet have impacted the Russian-speaking..
www.cybercrimediaries.com
December 17, 2024 at 9:06 AM
Reposted by X_Hunt3r
New report! Check it out.

This research examines the role of Chinese international communication centers (ICCs) in amplifying propaganda via inauthentic social media activity, foreign influencers, and more.

Blog: www.recordedfuture.com/research/bre...

PDF: go.recordedfuture.com/hubfs/report...
China’s Propaganda Expansion: Inside the Rise of International Communication Centers (ICCs)
China's ICCs reshape global propaganda via targeted messaging, social media, and influence networks to amplify the Communist Party's voice globally.
www.recordedfuture.com
December 10, 2024 at 4:13 PM
Great to be back at Cyber Threat for a third year. Awesome talks, great networking, and a very fresh and fun CTF. #cyberthreat24
December 10, 2024 at 4:27 PM
🚨 New Report Alert: Insikt Group has uncovered #BlueAlpha, a Russian FSB-linked threat group overlapping with #Gamaredon, conducting a cyber-espionage campaign against Ukrainian targets. www.recordedfuture.com/research/blu...
BlueAlpha Leverages Cloudflare Tunnels for GammaDrop Infrastructure
BlueAlpha, a Russian cyber group, uses Cloudflare Tunnels to deploy GammaDrop malware, escalating challenges in targeting Ukrainian entities.
www.recordedfuture.com
December 5, 2024 at 4:30 PM
Reposted by X_Hunt3r
@milenkowski.bsky.social and I are looking forward to presenting together at #CyberThreat2024 in London next month. We'll be discussing China-nexus APTs engaging in cybercriminal activities like ransomware.
November 25, 2024 at 4:20 PM