Tom Hegel

YouTube video by SentinelOne LABScon25 Replay | Hacktivism and War: A Clarifying Discussion | Jim Walter

Hacktivism and War -- always worth listening to Jim 👇

www.youtube.com/watch?v=sNaO...

🔥 The lineup this year is incredible, thanks to everyone who submitted!

Attendees are in for something special… and for everyone else, expect some major FOMO.

events.sentinelone.com/event/LABSco...

🔥 The lineup this year is incredible, thanks to everyone who submitted!

Attendees are in for something special… and for everyone else, expect some major FOMO.

events.sentinelone.com/event/LABSco...

New research from @milenkowski.bsky.social (S1) and @kennethkinion.bsky.social (Validin):

🇰🇵 Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Research: www.sentinelone.com/labs/contagi...

Reuters story: www.reuters.com/world/asia-p...

The US, AU, and NZ have tested a prototype for a new cyber defense kit designed to connect and help secure any network.

The kits are operated by a nine-person team and are intended to be portable and moved to any location in the world.

www.defence.gov.au/news-events/...

🔥 The hunt is on for the world’s ultimate threat hunter? 🔍

🛡️Introducing Sentinels League: The Threat Hunting World Championships 🛡️ 3 Rounds. 3 Regions. 3 Finalists. Only One World Champion.

Screenshot from Predatory Swallow's Telegram channel, showing folders purporting to hold IranCell data

Someone claiming to be Gonjeshke Darande (Predatory Sparrow) has posted ~2GB of what *appears to be* IranCell subscriber data, covering the 935-939 prefixes.

#privacy #breach #mobile #iran

Hefty new drop w/ @milenkowski.bsky.social

China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

www.sentinelone.com/labs/follow-...

Dutch intelligence discover a new Russian APT—LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...

Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️

NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!

NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.

An absolutely stunning look inside @sentinelone.com 's use of #synapse to provide intelligence context to inter-disciplinary intelligence stakeholders in defense of their own org. Truly on the leading edge of the intel driven fusion, collaboration, and impact. 🤩
www.sentinelone.com/labs/top-tie...

At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.

Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

NEW: Iranian gov hackers targeted #EU Parliament's #Iran delegation chair @hneumannmep.bsky.social

Elaborate operation impersonated former #FBI official to seed spyware.

Good to see a MEP speaking out & sharing this insidious threat to EU institutions 1/
www.politico.eu/article/euro...

#apt #sidewinder "54th CISM World Military Naval Pentathlon Championship 2025.docx"
40712a087a8280425f1b317e34e265c0329ffb0057be298d519fc5e0af6cb58f
-> dirsports.milqq[.]info
blank doc decoy

Not Reality: Exploring Meta-themed Phishing with Validin | Validin Not Reality: Exploring Meta-themed Phishing with Validin

@bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.)

All 762 indicators 💥⤵️

www.validin.com/blog/not_rea...

Here's the Lab Dookhtegan segment
www.youtube.com/watch?v=g-zj...

Really great episode this week. The Signal ID management mess, and the lab dookhtegan topics.. simply delicious 🤌

Pulling the Threads on the Phish of Troy Hunt | Validin Connecting a successful phishing attempt to Scattered Spider through Validin pivoting

Atomic indicators have value beyond just the day they’re observed - Age alone doesn’t always diminish their usefulness.

Attribution challenges aside, this is a common occurrence in both cybercrime and APT campaigns. Looking at you, South Asia!

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware Jim Walter reveals how a recent leak provided insight into how Kryptina RaaS has been adapted for use in enterprise attacks.

Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

www.sentinelone.com/labs/labscon...

Incredibly excited to drop some new research alongside @kennethkinion.bsky.social and Sreekar Madabushi at this years @pivotcon.bsky.social

Great refresher / inside-scoop on the Lamberts -- #WhereAreTheyNow

#dprk #apt 2024년 귀속 연말정산 안내문_세한.docx.lnk
b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543 -> www.roofcolor[.]com/wp-includes/js/src/list.php , www.acschoolcatering[.]com/libraries/src/inc/ decoy:

Look man, I'm not saying anything but I'm also not NOT saying anything

Modern Approach to Attributing Hacktivist Groups - Check Point Research Research by: Itay Cohen (@megabeets_) Over the past few decades, hacktivism has been, in a lot of cases, characterized by minor website defacements and distributed denial-of-service (DDoS) attacks, wh...

research.checkpoint.com/2025/modern-...

Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition Latest Ghostwriter campaign brings Belarusian opposition into its sights for the first time as it continues weaponizing XLS docs to drop malware.

🚨 New analysis of Ghostwriter activity targeting Ukrainian government & Belarusian opposition

s1.ai/ghost-xl

Censorship as a Service | Leak Reveals Public-Private Collaboration to Monitor Chinese Cyberspace Data leak reveals how a top tier cybersecurity vendor helps the PRC enforce content monitoring and manipulation of public opinion in China.

Spicy new drop from the team. H/T to @milenkowski.bsky.social, @dakotaindc.bsky.social, Alex Delamotte

s1.ai/topsec

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.

Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...

If I had a dollar for every single time something is attributed vaguely to “”Mustang Panda”” I could buy a flat in London