Zak
zakthoreson.bsky.social

SecOps | Cloud | OT
Interested in F1 🏎️ and Cycling 🚴
📝 https://medium.com/@zakthoreson
👾 https://github.com/ZakThoreson
Great read! Very interesting use of steganography to obfuscate payloads.
Huntress researchers Anna Pham (@RussianPanda9xx) & Ben Folland detail a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 & Rhadamanthys. www.huntress.com/blog/clickfi...
November 25, 2025 at 1:49 PM
Reposted by Zak
Scoop: CISA plans to embark on a hiring spree and change some workforce policies in an effort to rebuild its depleted ranks ahead of a possible conflict with China, according to a memo from its acting director that I obtained.

www.cybersecuritydive.com/news/cisa-hi...
CISA, eyeing China, plans hiring spree to rebuild its depleted ranks
The agency will also change some of its workforce policies to avoid driving away talented staff.
www.cybersecuritydive.com
November 17, 2025 at 9:30 PM
Reposted by Zak
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader.

All files involved in the initial access phase were signed with valid certificates.
October 16, 2025 at 1:29 PM
Seems the 1 billion records are a collection of all the organizations breached. Salesforce will not be paying the ransom. Also, an interesting note at the end about the leak site potentially being seized.
www.bleepingcomputer.com/news/securit...
Salesforce refuses to pay ransom over widespread data theft attacks
Salesforce has confirmed that it will not negotiate with or pay a ransom to the threat actors behind a massive wave of data theft attacks that impacted the company's customers this year.
www.bleepingcomputer.com
October 8, 2025 at 1:58 PM
Reposted by Zak
LAPSUS have the Red Hat gitlab breach up on their portal

They’ve posted Consulting Engagement Requests for AIR, AMEX_GBT, Atos_Group (NHS Scotland), BOC, HSBC and Walmart. Also a file tree, 370,852 directories, 3,438,976 files.

cyberplace.social/@GossiTheDog...
Kevin Beaumont (@GossiTheDog@cyberplace.social)
LAPSUS$ have now listed the breach at Red Hat on their portal. They have posted CER - Consulting Engagement Requests. Sensitive info, for AMEX, Atos, HSBC, Walmart, NHS Scotland am...
cyberplace.social
October 5, 2025 at 11:45 PM
Reposted by Zak
The lead U.S. cyber defense agency has furloughed 65% of its staff. The 20-year-old law that encourages organizations to share information on attacks just expired. Happy Cybersecurity Awareness Month! wapo.st/46Nk53R
Shutdown guts U.S. cybersecurity agency at perilous time
The lead U.S. agency for protecting the electric grid, water supply and other critical services from hacking has furloughed most of its staff.
wapo.st
October 2, 2025 at 2:51 PM
Reposted by Zak
New: The Multi-State Information Sharing and Analysis Center lost its federal funding at midnight. Here's my story about what happened, why it matters, and how the group — a critical resource for state and local governments — is trying to move forward: www.cybersecuritydive.com/news/ms-isac...
October 1, 2025 at 2:05 PM
Great write-up from NVISO Labs on #CVE-2025-41244
blog.nviso.eu/2025/09/29/y...

Privilege escalation zero-day in VMWare Tools & Aria Operations actively exploited
You name it, VMware elevates it (CVE-2025-41244)
NVISO has identified zero-day exploitation of CVE-2025-41244, a local privilege escalation vulnerability impacting VMware's guest service discovery features.
blog.nviso.eu
September 30, 2025 at 6:25 PM
When sharing articles or open-source intel, be sure to read and digest the entire article. Be an expert on the data or information you're communicating, or things may slip through the cracks.

Don't just be a reposter; communicate *how* or *why* the information being shared is important.
September 29, 2025 at 1:39 PM
Public S3 Bucket is not a mistake, it's a 'Growth Hacking Funnel'
www.youtube.com/watch?v=xIk0...
Interview with Cloud Architect in 2025
YouTube video by Kai Lentit
www.youtube.com
September 25, 2025 at 5:43 PM
Reposted by Zak
FBI has issued an alert about Russian hackers exploiting a vulnerability in Cisco networking devices to target critical infrastructure orgs & do recon on industrial control systems: www.ic3.gov/PSA/2025/PSA...

Cisco also published research on the group: blog.talosintelligence.com/static-tundra/
August 20, 2025 at 5:00 PM
Reposted by Zak
Cariddi is a CLI tool for IT pros, developers & infosec pros that scans websites to find hidden endpoints, exposed secrets like API keys and credentials, and sensitive files. It's an ideal tool for bug pentester, providing customizable scans with options for custom endpoint lists, regex patterns, etc.
GitHub - edoardottt/cariddi: Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more
Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more - edoardottt/cariddi
github.com
August 19, 2025 at 7:03 PM
Reposted by Zak
It’s wild that the same day the president did a weird roof dance for no apparent reason, the state dept implements huge visa fees and the head of the HHS cancels vaccine research. This is just one day! And not even all the terrible things that happened! I feel insane!
August 6, 2025 at 3:02 AM
Reposted by Zak
Scoop: CISA's contract with ICF has expired, reducing the JCDC's contractor workforce from 100+ to just 10. CISA can use emergency money & 2-week extensions to keep those 10 around, but only through Sept. Other contracts also caught up in huge backlog. www.cybersecuritydive.com/news/cisa-jo...
July 30, 2025 at 2:53 PM
Bose + Windows 11 + Updates rechecking 'handsfree telephony' has one of the deepest rabbit holes through the Windows 11 settings menu. If your audio sucks, check this out.
www.reddit.com/r/Windows11/...
How to disable handsfree mode for bluetooth headphones on windows 11
www.reddit.com
July 25, 2025 at 3:09 PM
YouTube's changes to payouts for AI-generated content are promising. There's so much AI garbage that pushes genuine and creative content down.

www.merca20.com/goodbye-yout...
YouTube’s July 15th Update: Is Your AI Channel About to Get Demonetized?
For the past few weeks, there’s been a lot of nervous chatter in the YouTube community, especially among creators who use Artificial…
medium.com
July 9, 2025 at 1:29 PM
Reposted by Zak
I Tried Pre-Ordering the Trump Phone. The Page Failed and It Charged My Credit Card the Wrong Amount

I got a confirmation email saying I'll get another confirmation when it's shipped. But I haven't provided a shipping address.
www.404media.co
June 17, 2025 at 4:00 PM
Reposted by Zak
This is a big deal. Predatory Sparrow’s past cyber attacks on Iranian steel plants and gas stations have demonstrated tangible effects in Iran. Disrupting the availability of this bank’s funds, or triggering a broader collapse of trust in Iranian banks, could have major impacts there.
June 17, 2025 at 12:07 PM
Reposted by Zak
CVE-2025-33053 is really interesting. Setting a working directory to a remote WebDAV location and it works. Even worse than hash coercion since you can run something.
June 12, 2025 at 1:29 PM
Reposted by Zak
Abuse will continue until we fix the legal system to the point they are afraid to do this on camera.

That's the bare minimum. They must be afraid to be recorded in their misdeeds. If we can't hit that VERY LOW bar, abuse will continue unchecked. That was so obviously assault.
Incredibly chaotic scene in Los Angeles as LAPD is pushing forward a skirmish line and violently arresting anti-ICE protesters. You can also hear me grunt when police shoot me in the abdomen with some kind of projectile.
June 10, 2025 at 10:30 AM
Reposted by Zak
🎙️ New Podcast Episode Dropping Soon!

We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang.

Stay tuned for deep insights, behind-the-scenes analysis, and expert commentary from the front lines of DFIR. 🔍
June 10, 2025 at 12:06 PM