
Mark Kelly

@mkyo.bsky.social

🇨🇳 Threat Research at Proofpoint

522 Followers  |  170 Following  |  35 Posts  |  Joined: 12.07.2023

Latest posts by mkyo.bsky.social on Bluesky

One of the fastest ways to trigger me in a work context these days is to whisper "Mustang Panda". Instant menty b ✨

29.01.2026 13:50 — 👍 2    🔁 1    💬 1    📌 0

In addition to espionage threat actors, financially motivated cybercriminals have been exploiting the WinRAR vulnerability CVE-2025-8088.

The highly effective ecrime actor, typically seen distributing Koi Stealer/Koi Loader (TA4561), was observed doing so in Fall 2025.

Details. ⬇️

28.01.2026 21:40 — 👍 3    🔁 3    💬 1    📌 0

Alongside this activity recently highlighted by Google (cloud.google.com/blog/topics/...), Proofpoint threat researchers have observed additional exploitation of WinRAR vulnerability CVE-2025-8088 by state‑aligned groups linked to China and the DPRK.

28.01.2026 21:34 — 👍 2    🔁 1    💬 1    📌 0

The report includes a section on suspected RU-aligned actor UNK_AcademicFlare, which has been very active using compromised gov/mil emails to target gov, think tanks, academia & transport sectors in US/EU, often via weeks-long benign rapport building prior to delivering a device code phish.

18.12.2025 17:20 — 👍 0    🔁 0    💬 0    📌 0

New espionage/e-crime crossover blog from the team on the continued rise of device code phishing by state-aligned and financially motivated groups.

18.12.2025 17:18 — 👍 7    🔁 3    💬 1    📌 0

A study in the evolution of SVR cyberespionage tradecraft

06.12.2025 19:07 — 👍 22    🔁 4    💬 0    📌 1
Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks In early 2025, Volexity published two blog posts detailing a new trend among Russian threat actors targeting organizations through the abuse of Microsoft 365 OAuth and Device Code authentication workf...

@volexity.com tracks a variety of threat actors abusing Device Code & OAuth authentication workflows to phish credentials, which continue to see success due to creative social engineering. Our latest blog post details Russian threat actor UTA0355’s campaigns impersonating European security events.

04.12.2025 18:36 — 👍 10    🔁 8    💬 0    📌 0
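The device code phishing referred to in the two posts above (the Proofpoint blog and Volexity's UTA0355 write-up) abuses the OAuth device authorization flow: the attacker starts the flow, receives a user code, sends that code to the victim under a pretext such as a conference invitation, and collects the access and refresh tokens once the victim types the code into the legitimate Microsoft sign-in page. The resulting sign-in is a successful, interactive authentication by the real user, so the useful signals are the protocol itself and the source address. The following is an added example of that detection, not Proofpoint's, Volexity's or Microsoft's code: it reads Entra ID sign-in records (the `authenticationProtocol` field is `deviceCode` for these sign-ins), flags every successful device-code sign-in, and rates the ones from an IP the user has never authenticated from otherwise as high. The sign-in records are constructed for the example; users, IPs and error codes are invented.

```python
"""Flag OAuth device-code sign-ins in Entra-ID-style sign-in logs.

Added illustration for the device code phishing discussed above; not
Proofpoint's or Volexity's code. The sample records are constructed.
"""
import json
from collections import defaultdict

# Constructed sample records (invented users, IPs and error codes). Field
# names follow the Entra sign-in log schema; only the fields used are kept.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2025-12-01T08:02:11Z", "userPrincipalName": "a.smith@example.gov",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-02T09:15:40Z", "userPrincipalName": "a.smith@example.gov",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # device-code sign-in from an address a.smith has never used: the phish pattern
    {"createdDateTime": "2025-12-03T14:27:05Z", "userPrincipalName": "a.smith@example.gov",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-03T10:00:00Z", "userPrincipalName": "b.jones@example.gov",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # device-code sign-in from b.jones's usual address: plausible CLI use
    {"createdDateTime": "2025-12-03T10:05:00Z", "userPrincipalName": "b.jones@example.gov",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # non-zero error code: flow never completed (constructed value), skipped
    {"createdDateTime": "2025-12-04T11:11:11Z", "userPrincipalName": "c.lee@example.gov",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 70016}},
])


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_ips(signins):
    """IPs each user has successfully signed in from without device code."""
    seen = defaultdict(set)
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode" and rec["status"]["errorCode"] == 0:
            seen[rec["userPrincipalName"]].add(rec["ipAddress"])
    return seen


def device_code_findings(signins):
    """One finding per successful device-code sign-in.

    From an IP the user has never used otherwise: high. From a known IP:
    medium, since legitimate CLI use of the flow exists but still deserves
    a look when the user is not expected to run such tooling.
    """
    known = baseline_ips(signins)
    findings = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        if rec["status"]["errorCode"] != 0:
            continue  # pending or failed flows are noisy; handle separately
        user = rec["userPrincipalName"]
        new_ip = rec["ipAddress"] not in known.get(user, set())
        findings.append({
            "user": user,
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
            "time": rec["createdDateTime"],
            "new_ip": new_ip,
            "severity": "high" if new_ip else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in device_code_findings(parse_signins(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```

The first-pass filter is the same one you would type into Sentinel (`SigninLogs | where AuthenticationProtocol == "deviceCode"`); the IP baseline is what separates an administrator running `az login --use-device-code` from a victim who typed a code someone e-mailed them, and a Conditional Access policy that blocks the device code flow for users who have no reason to use it removes the class entirely.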
Intellexa’s Global Corporate Web

1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...

04.12.2025 04:17 — 👍 26    🔁 18    💬 2    📌 4

PlugX C2: doorforum[.]com

25.11.2025 18:57 — 👍 3    🔁 0    💬 0    📌 0

I'm just glad I'm not the one being shut up this time

05.11.2025 17:39 — 👍 3    🔁 0    💬 1    📌 0
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings Between June and August 2025,

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

05.11.2025 13:37 — 👍 19    🔁 12    💬 2    📌 0

Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆

We use this tool internally to help track multiple threat actors with high confidence.

23.10.2025 18:05 — 👍 19    🔁 9    💬 1    📌 2
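The post above announces the tool but does not describe its feature set, so the following is an added illustration of the general idea behind structural PDF fingerprinting, not the PDF Object Hashing tool's own code or its exact method. The assumption made here is the generic one: walk the `N G obj ... endobj` objects in file order, keep only the name tokens of each object's dictionary (keys and name values such as `/Type /Catalog`), discard numbers, literal strings and stream payloads, and hash the result. Documents produced from the same template by the same toolchain then collide on the hash even when the lure text changes, while a document with a different object layout (here, one that adds an `/OpenAction` pointing at a JavaScript action) does not. The three PDFs are constructed, minimal and not fully valid files; the parser is regex-based and handles only the unnested strings and uncompressed streams used in the samples.

```python
"""Structural fingerprint of a PDF from its object/dictionary layout.

Added illustration of the idea behind structural PDF fingerprinting; not
Proofpoint's PDF Object Hashing tool. The sample PDFs are constructed.
"""
import hashlib
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)      # indirect objects, in file order
STREAM_RE = re.compile(rb"\bstream\b.*?\bendstream\b", re.S)            # stream payloads (content, fonts, images)
STRING_RE = re.compile(rb"\([^()]*\)")                                 # unnested literal strings only
NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")                          # PDF name tokens

# Constructed sample: a one-page document with a text content stream.
PDF_A = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 712 Td (Invoice 2025-001) Tj ET
endstream endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Same template, different lure text and stream length: same structure.
PDF_B = PDF_A.replace(b"Invoice 2025-001", b"Delivery receipt 7781").replace(b"/Length 44", b"/Length 49")
# Same template plus an OpenAction that runs a JavaScript action: different structure.
PDF_C = PDF_A.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 6 0 R >>",
).replace(
    b"trailer", b"6 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\ntrailer",
)


def object_profile(data):
    """Return [(object_number, [name, ...]), ...] in file order."""
    profile = []
    for m in OBJ_RE.finditer(data):
        body = STREAM_RE.sub(b"", m.group(3))   # drop stream payloads
        body = STRING_RE.sub(b"", body)         # drop literal strings so text never leaks into names
        names = [n.decode("ascii", "replace") for n in NAME_RE.findall(body)]
        profile.append((int(m.group(1)), names))
    return profile


def structure_fingerprint(data):
    """SHA-256 over the canonical profile; object order and name order both count."""
    canon = "\n".join(f"{num}:{'/'.join(names)}" for num, names in object_profile(data))
    return hashlib.sha256(canon.encode()).hexdigest()


if __name__ == "__main__":
    for label, pdf in (("A", PDF_A), ("B", PDF_B), ("C", PDF_C)):
        print(label, structure_fingerprint(pdf)[:16])
        for num, names in object_profile(pdf):
            print(f"  {num}: {'/'.join(names)}")
```

A real implementation has to inflate FlateDecode streams before deciding what to ignore, walk object streams (`/Type /ObjStm`) that hide objects inside a stream, and handle nested strings and hex strings; the point the example makes is only that the hash is over what the producing tool emitted (object order, key order, key names), which an actor who swaps lure text between campaigns rarely changes.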

📣 🔥 🛋️ SAVE THE DATE 🛋️ 🔥 📣
The next #PIVOTcon will be on 6-8 May 2026, in Malaga, ES!!!

Your favorite ;) #ThreatResearch conference is coming back and we are planning to bring you the usual experience and content of utmost quality. Follow us + #StayTuned for more info
#CTI #ThreatIntel #PIVOTcon26

02.10.2025 14:51 — 👍 17    🔁 10    💬 0    📌 1

Good piece covering a big burst of TA416 activity targeting European governments last week!

04.10.2025 11:32 — 👍 4    🔁 2    💬 0    📌 0

Image: a group of people putting their hands together in a huddle.

Great report @cyberoverdrive.bsky.social and team 😁

25.09.2025 08:37 — 👍 1    🔁 0    💬 0    📌 0
RedNovember Targets Government, Defense, and Technology Organizations RedNovember, a likely Chinese state-sponsored cyber-espionage group, has targeted global government, defense, and tech sectors using advanced tools like Pantegana and Cobalt Strike. Discover the lates...

First public report at Recorded Future by yours truly is out! RedNovember (formerly TAG-100, a.k.a. Storm-2077) is a Chinese state-sponsored threat group focused on intelligence collection, especially on flashpoint issues of strategic interest to China. www.recordedfuture.com/research/red...

24.09.2025 18:57 — 👍 22    🔁 14    💬 2    📌 0
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US What happened Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China

Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

Blog: www.proofpoint.com/us/blog/thre....

18.09.2025 17:10 — 👍 7    🔁 4    💬 1    📌 0

Our reporting overlaps this recent WSJ article:
www.wsj.com/politics/nat...

See our full research here:
www.proofpoint.com/us/blog/thre...

16.09.2025 12:49 — 👍 0    🔁 0    💬 0    📌 0
TA415 infection chain diagram

In these campaigns, TA415 delivered infection chains to set up VS Code Remote Tunnels 🚇 This is in line with recent TA415 phishing operations over the past year, which have relied on legit services (e.g., Google Sheets, Google Calendar, VS Code) for C2 to blend w/ trusted traffic

16.09.2025 12:49 — 👍 0    🔁 0    💬 1    📌 0

🚨🇨🇳💰 New @threatinsight.proofpoint.com blog on TA415 (aka APT41) economy and trade-themed spearphishing against US govt, think tanks & academia.

The campaigns used U.S.-China economic lures and spoofed the Chair of the House Select Committee on CCP competition + the US-China Business Council.

16.09.2025 12:49 — 👍 3    🔁 1    💬 1    📌 0

It is time the Mustang Panda moniker went the way of Winnti Group ☠️

11.09.2025 10:24 — 👍 5    🔁 0    💬 1    📌 0
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and ...

1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...

05.08.2025 14:18 — 👍 12    🔁 12    💬 1    📌 0
Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting | Proofpoint US Key findings Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese

πŸš¨πŸ†•πŸŸπŸŸ New blog from me and the amazing @threatinsight.proofpoint.com team covering recent activity by multiple China-aligned threat actors targeting semiconductor companies in Taiwan over the past few months:
www.proofpoint.com/us/blog/thre...

16.07.2025 21:35 — 👍 5    🔁 3    💬 0    📌 0
Exclusive: China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns, researchers said on Wednesday.

New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...

16.07.2025 21:16 — 👍 16    🔁 9    💬 1    📌 0
Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 07/01/2025 · 53m

New DISCARDED podcast drop! Join @greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem
podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...

01.07.2025 16:22 — 👍 8    🔁 4    💬 1    📌 0
10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity. Key takeaways

Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social, it’s got it all:

🛰️ Popped routers for sending phish

📊 ACH on attribution

👾 custom protocols

👽 cool malware

🕵️ crime

🎯 espionage

❔many unanswered questions

www.proofpoint.com/us/blog/thre...

30.06.2025 10:04 — 👍 17    🔁 12    💬 0    📌 2

🚨 We’re hiring at Recorded Future’s Insikt Group

Two senior analyst roles are open right now. Both focus on tracking nation-state threats.

🧡

20.06.2025 10:20 — 👍 6    🔁 3    💬 1    📌 1
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...

Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧡

www.recordedfuture.com/research/pre...

12.06.2025 14:22 — 👍 20    🔁 13    💬 1    📌 3
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout

Dropping some joint research today with Threatray on TA397/Bitter 🔍

We dive into the confluence of signals that led us to our attribution of the threat actor 🎯

Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research.

www.proofpoint.com/us/blog/thre...

04.06.2025 11:13 — 👍 11    🔁 8    💬 0    📌 1
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout

From phishes to hands-on-keyboard commands πŸ”₯ new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...

04.06.2025 11:08 — 👍 11    🔁 3    💬 0    📌 0
