
Tom Hegel

@hegel.bsky.social

Distinguished Threat Researcher, Research Lead @SentinelOne. Advisor with @ValidinLLC. Research Archive: https://tomhegel.com/blog.html

2,699 Followers  |  1,024 Following  |  67 Posts  |  Joined: 30.05.2023

Latest posts by hegel.bsky.social on Bluesky


LABScon25 Replay | Hacktivism and War: A Clarifying Discussion | Jim Walter

Hacktivism and War -- always worth listening to Jim 👇

www.youtube.com/watch?v=sNaO...

10.02.2026 15:15 — 👍 1    🔁 0    💬 0    📌 0
LABScon 2025

🔥 The lineup this year is incredible, thanks to everyone who submitted!

Attendees are in for something special… and for everyone else, expect some major FOMO.

events.sentinelone.com/event/LABSco...

05.09.2025 17:57 — 👍 2    🔁 2    💬 0    📌 0
Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.

New research from @milenkowski.bsky.social (S1) and @kennethkinion.bsky.social (Validin):

🇰🇵 Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Research: www.sentinelone.com/labs/contagi...

Reuters story: www.reuters.com/world/asia-p...

04.09.2025 14:45 — 👍 7    🔁 5    💬 0    📌 0

The US, AU, and NZ have tested a prototype for a new cyber defense kit designed to connect and help secure any network.

The kits are operated by a nine-person team and are intended to be portable and moved to any location in the world.

www.defence.gov.au/news-events/...

02.09.2025 14:57 — 👍 4    🔁 4    💬 1    📌 1

🔥 The hunt is on for the world’s ultimate threat hunter? 🔍

🛡️ Introducing Sentinels League: The Threat Hunting World Championships 🛡️ 3 Rounds. 3 Regions. 3 Finalists. Only One World Champion.

26.08.2025 19:16 — 👍 5    🔁 3    💬 2    📌 0
Screenshot from Predatory Swallow's Telegram channel, showing folders purporting to hold IranCell data

Someone claiming to be Gonjeshke Darande (Predatory Sparrow) has posted ~2GB of what *appears to be* IranCell subscriber data, covering the 935-939 prefixes.

#privacy #breach #mobile #iran

17.06.2025 15:54 — 👍 4    🔁 1    💬 0    📌 0

Hefty new drop w/ @milenkowski.bsky.social

China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

www.sentinelone.com/labs/follow-...

09.06.2025 16:42 — 👍 7    🔁 3    💬 0    📌 0

Dutch intelligence discover a new Russian APT — LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...

27.05.2025 12:11 — 👍 21    🔁 12    💬 1    📌 1

Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️

21.05.2025 20:15 — 👍 28    🔁 8    💬 7    📌 0

NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤 ~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!

08.05.2025 15:39 — 👍 9    🔁 5    💬 0    📌 0
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.

An absolutely stunning look inside @sentinelone.com 's use of #synapse to provide intelligence context to inter-disciplinary intelligence stakeholders in defense of their own org. Truly on the leading edge of the intel driven fusion, collaboration, and impact. 🤩
www.sentinelone.com/labs/top-tie...

28.04.2025 23:36 — 👍 24    🔁 10    💬 1    📌 0

At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.

24.04.2025 14:31 — 👍 7    🔁 5    💬 0    📌 0
Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

NEW: Iranian gov hackers targeted #EU Parliament's #Iran delegation chair @hneumannmep.bsky.social

Elaborate operation impersonated former #FBI official to seed spyware.

Good to see a MEP speaking out & sharing this insidious threat to EU institutions 1/
www.politico.eu/article/euro...

23.04.2025 20:49 — 👍 44    🔁 24    💬 1    📌 1

#apt #sidewinder "54th CISM World Military Naval Pentathlon Championship 2025.docx"
40712a087a8280425f1b317e34e265c0329ffb0057be298d519fc5e0af6cb58f
-> dirsports.milqq[.]info
blank doc decoy

11.04.2025 14:25 — 👍 2    🔁 3    💬 0    📌 0
Not Reality: Exploring Meta-themed Phishing with Validin | Validin

@bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.)

All 762 indicators 💥⬇️

www.validin.com/blog/not_rea...

07.04.2025 14:49 — 👍 2    🔁 2    💬 0    📌 0

Here's the Lab Dookhtegan segment
www.youtube.com/watch?v=g-zj...

01.04.2025 17:47 — 👍 4    🔁 1    💬 0    📌 0

Really great episode this week. The Signal ID management mess, and the lab dookhtegan topics.. simply delicious 🤌

30.03.2025 21:10 — 👍 9    🔁 2    💬 0    📌 1
Pulling the Threads on the Phish of Troy Hunt | Validin
Connecting a successful phishing attempt to Scattered Spider through Validin pivoting

Atomic indicators have value beyond just the day they’re observed - Age alone doesn’t always diminish their usefulness.

Attribution challenges aside, this is a common occurrence in both cybercrime and APT campaigns. Looking at you, South Asia!

28.03.2025 17:20 — 👍 2    🔁 0    💬 0    📌 0
LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware
Jim Walter reveals how a recent leak provided insight into how Kryptina RaaS has been adapted for use in enterprise attacks.

Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

www.sentinelone.com/labs/labscon...

26.03.2025 14:31 — 👍 2    🔁 0    💬 0    📌 0

Incredibly excited to drop some new research alongside @kennethkinion.bsky.social and Sreekar Madabushi at this year's @pivotcon.bsky.social

10.03.2025 13:59 — 👍 7    🔁 1    💬 0    📌 0

Great refresher / inside-scoop on the Lamberts -- #WhereAreTheyNow

08.03.2025 22:19 — 👍 1    🔁 1    💬 0    📌 0

#dprk #apt 2024년 귀속 연말정산 안내문_세한.docx.lnk
b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543 -> www.roofcolor[.]com/wp-includes/js/src/list.php , www.acschoolcatering[.]com/libraries/src/inc/ decoy:

28.02.2025 15:29 — 👍 1    🔁 1    💬 0    📌 0

Look man, I'm not saying anything but I'm also not NOT saying anything

23.02.2025 01:43 — 👍 21    🔁 5    💬 2    📌 0
Modern Approach to Attributing Hacktivist Groups - Check Point Research
Research by: Itay Cohen (@megabeets_) Over the past few decades, hacktivism has been, in a lot of cases, characterized by minor website defacements and distributed denial-of-service (DDoS) attacks, wh...

research.checkpoint.com/2025/modern-...

27.02.2025 15:37 — 👍 1    🔁 0    💬 1    📌 0
Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
Latest Ghostwriter campaign brings Belarusian opposition into its sights for the first time as it continues weaponizing XLS docs to drop malware.

🚨 New analysis of Ghostwriter activity targeting Ukrainian government & Belarusian opposition

s1.ai/ghost-xl

25.02.2025 15:40 — 👍 10    🔁 5    💬 0    📌 0
Censorship as a Service | Leak Reveals Public-Private Collaboration to Monitor Chinese Cyberspace
Data leak reveals how a top tier cybersecurity vendor helps the PRC enforce content monitoring and manipulation of public opinion in China.

Spicy new drop from the team. H/T to @milenkowski.bsky.social, @dakotaindc.bsky.social, Alex Delamotte

s1.ai/topsec

21.02.2025 15:59 — 👍 9    🔁 8    💬 0    📌 0
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog
Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.

Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...

19.02.2025 11:05 — 👍 168    🔁 119    💬 3    📌 15

If I had a dollar for every single time something is attributed vaguely to “”Mustang Panda”” I could buy a flat in London

14.02.2025 12:39 — 👍 22    🔁 4    💬 4    📌 1
