"Proven play? Replay".
This is not a one-time hit. Mandiant has observed UNC1069 using these techniques to target both corporate entities and individuals within the cryptocurrency industry, as well as venture capital firms and their employees or executives. The list will expand.
13.02.2026 17:27
🔸 Embedded within the string of commands is a single command that initiates a multi-stage infection chain, ultimately deploying 7 distinct malware families (described in the report).
13.02.2026 17:27
🔸 And then hey, "the audio is broken!". If only that could quickly get fixed... there are only 20 minutes left in the call.
This is where the ClickFix-style social engineering begins. The threat actor directs the victim to run troubleshooting commands on their system to fix the issue.
13.02.2026 17:27
🔸 The call begins. The victim sees the video of a CEO from another company.
Or, purportedly, their deepfake version.
13.02.2026 17:27
But, when a threat actor takes the time to build trust with a target first, the trust-transference mechanism kicks in. And then, the little red flags that follow tend to get overlooked. As they did.
13.02.2026 17:27
🔸 The Calendly link redirects to a spoofed Zoom meeting hosted on the threat actor's infrastructure: zoom[.]uswe05[.]us
This is the first obvious red flag that *could* have been spotted.
13.02.2026 17:27
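The red flag in the post above is mechanical enough to check automatically: the lure hostname begins with "zoom" but is registered under uswe05.us, not zoom.us. The following is an added example (not code from the thread or from the Mandiant/Google report) of that check in Python. The trusted-domain table, the small public-suffix stub and the sample Telegram-style message are assumptions to adapt to your own environment; the lure domain itself is the one the report names.

```python
"""Check whether a meeting link is actually under the brand's own domain.
Added example (not code from the Mandiant/Google report or the thread): the
UNC1069 lure used zoom[.]uswe05[.]us, whose hostname starts with 'zoom' but is
registered under uswe05.us, not zoom.us. The trusted-domain table and the
public-suffix stub below are assumptions to extend for your own environment."""
import re
from urllib.parse import urlsplit

# Brand label -> registrable domains we accept for it (assumption: extend this).
TRUSTED = {
    "zoom": {"zoom.us", "zoom.com"},
    "calendly": {"calendly.com"},
}

# Stub of multi-label public suffixes so "x.zoom.co.uk" does not reduce to
# "co.uk". Production code should use the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"""https?://[^\s<>"']+|(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>"']*""", re.I)


def registrable_domain(hostname: str) -> str:
    """Collapse a hostname to the domain somebody actually registered."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> tuple:
    """Return (verdict, hostname) with verdict one of:
    'trusted'   registrable domain is on the allow-list for that brand
    'lookalike' a brand name appears in the hostname (or in the userinfo part,
                as in https://zoom.us@evil.example/) but the registrable domain
                is not trusted; this is the pattern in the UNC1069 lure
    'untrusted' no brand name involved, an ordinary unknown link
    'invalid'   no hostname could be parsed
    """
    if "://" not in url:
        url = "https://" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return ("invalid", "")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", "")
    if registrable_domain(host) in set().union(*TRUSTED.values()):
        return ("trusted", host)
    userinfo = (parts.username or "").lower()
    for brand in TRUSTED:
        if brand in host or brand in userinfo:
            return ("lookalike", host)
    return ("untrusted", host)


def scan_message(text: str) -> list:
    """Classify every URL found in a chat message (e.g. a Telegram invite)."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")
        results.append((url, classify_meeting_link(url)[0]))
    return results


# Constructed message in the shape of the lure described in the thread.
SAMPLE_MESSAGE = (
    "Great chatting! Grab a slot here https://calendly.com/ceo-office/30min "
    "and we will use my room: https://zoom.uswe05.us/j/123456789"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
```

Two caveats a practitioner will hit: the substring match on the brand name is deliberately loose (it flags "zoom-us.com" and the userinfo trick, but also innocent names that contain "zoom"), and punycode/homoglyph hostnames never contain the ASCII brand string at all, so this check complements, and does not replace, looking at the browser's address bar on the landing page.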
What happened?
🔸 The threat actor initiates contact with a specific victim via Telegram, using a legit but compromised account of an executive, leveraging existing trust.
🔸 After building rapport through industry-specific conversation, they invite the victim to a call & send a Calendly link.
13.02.2026 17:27
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering | Google Cloud Blog
North Korean threat actors target the cryptocurrency industry using AI-enabled social engineering such as deepfakes, and ClickFix.
If you think AI and deepfakes are THE name of the game in "sophisticated" social engineering attacks, think again. AI-gen deepfakes are often just one step (a final blow) in a larger social engineering kill-chain.
In this week's SE case, we see a layered intrusion.
cloud.google.com/blog/topics/...
13.02.2026 17:27
You will learn how to conduct an in-depth digital investigation on a subject, discover new leads, uncover and utilize all the evidence that is hiding in plain sight (and beyond) & conduct virtual HUMINT in an uncomplicated, step-by-step process.
P.S. There will be a class challenge, and a reward :)
03.02.2026 16:40
Join @osintgeek.de and me on the 21st & 22nd of April for two days full of learning, hands-on exercises, real-life case studies and the latest developments in #OSINT #SOCMINT and #HUMINT.
03.02.2026 16:40
Our "Fundamentals of Cyber Investigations and Human Intelligence" class is returning this spring to @blackhatevents.bsky.social Asia in Singapore!
For details & registrations:
blackhat.com/asia-26/trai...
03.02.2026 16:40
Aim for less detail in what can be visible, even through crowdsourced images.
🔹 Prioritize based on risk and take practical steps to implement better security measures on those vulnerable, identified spots before an adversary exploits them.
May the odds ever be in our favor ✨
08.01.2026 09:45
What can be done? If you work on securing a critical infrastructure entity:
🔹 Run your own OSINT analysis to identify vulnerabilities in advance. Know your level of exposure.
Control what you can:
🔹 Where possible, ask platforms to add blur or remove certain imagery.
08.01.2026 09:45
It is scarily easy for saboteurs or other attackers to find vulnerabilities in critical infrastructure, free & available online, and to focus on the locations/points where an attack could have the maximum impact.
This incident has not been an isolated event.
08.01.2026 09:45
There are more publicly available information sources and databases that can be researched, found, and used in similar acts of sabotage (or worse, given the geopolitical state we are currently in).
08.01.2026 09:45
Google Street View imagery provides some extra help in reviewing some of the physical security and the surrounding area in preparation for a better plan.
The OpenInfraMap in combination with Google maps is just one simple example of potential adversarial OSINT.
08.01.2026 09:45
Looking at the OpenInfraMap data in combination with satellite imagery, it is easy to see why this point of attack was chosen: all the 110-kilovolt high-voltage lines that supply southwest Berlin converge into a single cable bridge that is overground and easily accessible.
08.01.2026 09:45
Don't think that searching this map needs to take a lot of time. By using Overpass Turbo (also with the help of any LLM it is compatible with) one can significantly trim the search time and concentrate their research through queries.
08.01.2026 09:45
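To make the Overpass point above concrete from the defender's side ("run your own OSINT analysis, know your level of exposure"), here is an added example in Python, not code from the thread or from OpenInfraMap itself. It builds the Overpass QL query for the OpenStreetMap power layer that OpenInfraMap renders (the tags power=line/cable/substation/tower, voltage and circuits are real OSM tags), then ranks results by voltage and circuit count so that an element bundling many circuits at one spot stands out. The bounding box is an approximate assumption over southwest Berlin, and the sample response is constructed (ids and names invented) in the JSON shape Overpass returns, so the block runs offline.

```python
"""Query the OpenStreetMap power layer that OpenInfraMap renders, via the
Overpass API, and rank what comes back by voltage and circuit count.
Added example, not from the thread or from OpenInfraMap's own code, written
from the defender's side ("know your level of exposure"). The bounding box is
an approximate assumption over southwest Berlin; the sample response is
constructed (ids and names invented) in the JSON shape Overpass returns."""
import json

# Overpass bounding boxes are (south, west, north, east) in degrees. Assumed.
BBOX_SW_BERLIN = (52.40, 13.15, 52.50, 13.35)


def build_query(bbox, timeout=60):
    """Overpass QL for the grid elements that matter: overhead lines, buried or
    bridged cables, substations and towers inside the box."""
    s, w, n, e = bbox
    box = f"({s},{w},{n},{e})"
    return (
        f"[out:json][timeout:{timeout}];\n"
        "(\n"
        f'  way["power"="line"]{box};\n'
        f'  way["power"="cable"]{box};\n'
        f'  way["power"="substation"]{box};\n'
        f'  node["power"="tower"]{box};\n'
        ");\n"
        "out body geom;\n"
    )


def parse_voltages_kv(tag):
    """OSM 'voltage' values are volts and may list several circuits separated
    by ';' (e.g. '110000;220000'); anything non-numeric is ignored."""
    kv = []
    for part in (tag or "").split(";"):
        part = part.strip()
        if part.isdigit():
            kv.append(int(part) // 1000)
    return kv


def rank_high_voltage(response, min_kv=110):
    """Return [(max_kv, circuits, osm_type, id, name)] for elements carrying at
    least one circuit at or above min_kv, highest voltage and most circuits
    first. Elements bundling many circuits at one spot are the chokepoints."""
    hits = []
    for el in response.get("elements", []):
        tags = el.get("tags", {})
        volts = parse_voltages_kv(tags.get("voltage"))
        if not volts or max(volts) < min_kv:
            continue
        circuits_tag = tags.get("circuits", "")
        # 'circuits' is optional in OSM; fall back to the number of voltages listed.
        circuits = int(circuits_tag) if circuits_tag.isdigit() else len(volts)
        hits.append((max(volts), circuits, el["type"], el["id"], tags.get("name", "")))
    hits.sort(key=lambda h: (h[0], h[1]), reverse=True)
    return hits


# Constructed sample response (invented ids/names) in the Overpass JSON shape.
SAMPLE_RESPONSE = json.loads("""
{"elements": [
  {"type": "way", "id": 1001, "tags": {"power": "line", "voltage": "110000", "name": "Line A"}},
  {"type": "way", "id": 1002, "tags": {"power": "cable", "voltage": "110000;110000",
                                       "circuits": "5", "bridge": "yes", "name": "Cable bridge"}},
  {"type": "way", "id": 1003, "tags": {"power": "line", "voltage": "380000;220000", "name": "Line B"}},
  {"type": "way", "id": 1004, "tags": {"power": "cable", "voltage": "10000", "name": "MV feeder"}},
  {"type": "node", "id": 2001, "tags": {"power": "tower"}}
]}
""")

if __name__ == "__main__":
    print(build_query(BBOX_SW_BERLIN))
    for kv, circuits, typ, oid, name in rank_high_voltage(SAMPLE_RESPONSE):
        print(f"{kv:>4} kV  {circuits} circuit(s)  {typ}/{oid}  {name}")
```

To run it against live data, POST the string from build_query() as the `data` form field to a public Overpass endpoint (for example https://overpass-api.de/api/interpreter) or paste it into Overpass Turbo, and feed the JSON reply to rank_high_voltage(); keep the box small and respect the public instance's rate limits. Because "circuits" is optional in OSM, treat the fallback count as a lower bound and verify the top hits against imagery, as the thread does.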
OpenInfraMap (https://openinframap.org/) is an open-source web platform that provides a layered, detailed visualization of global infrastructure data like power, telecom, oil and gas networks, water infrastructure and major rail power systems infrastructure (data is crowdsourced from OpenStreetMap).
08.01.2026 09:45
How did they know to set on fire one specific bridge that contained 5 high-voltage and 10 medium-voltage cables, causing a major power outage?
Can one find enough information on a city's power grid infrastructure available online?
Yes, they can. With more detail than there should be.
08.01.2026 09:45
Berlin was faced with a 2nd arson attack on their power grid within a few months, leaving thousands of households without power for days. Several systems were damaged simultaneously, rendering any backup systems ineffective.
An attack like this requires some reconnaissance.
🧵
08.01.2026 09:45
Detecting and Countering Malicious Uses of Claude
2 additional reports on how GenAI has been used in social engineering attacks. They provide a more holistic understanding on how these tools are being used by adversaries:
Report by Anthropic (Claude): www.anthropic.com/news/detecti...
04.08.2025 10:11
🔹 I know that some of you in my network (and some of our clients) had to deal with the attacks documented. This will hit home.
🔹 Ultimately, we can use this report to help us further improve our defense strategies with reality in mind.
04.08.2025 10:11
🔹 The operations described in the report help give us a better understanding of how threat actors are *realistically* trying to abuse GenAI models. No guesses, no fancy assumptions, just the observed TTPs.
04.08.2025 10:11
Disrupting malicious uses of AI: June 2025
Our latest report featuring case studies of how we're detecting and preventing malicious uses of AI.
3 resources in 1 post:
OpenAI has released a new report outlining the ways in which threat actors used their generative AI products to support their social engineering attack operations. They provide the case studies.
openai.com/global-affai...
Why is this useful? 🧵
04.08.2025 10:11
Happy news!! This September at @brucon we will be taking a deep dive into #socialengineering and #OSINT through a 3-day, hands-on training class!
I SO look forward to it and to meeting the participants!! 🤩👩🏻‍💻
Full class content & details: www.brucon.org/training-det...
16.07.2025 16:30
Always fun hanging out with you @cyber.coffee!
17.06.2025 11:37
Very grateful for last week spent at X33fcon in Poland!
It started with 2 days full of #socialengineering & #OSINT training where I had the privilege to teach a class that was present, curious, and ready to try things out.
Big bonus: reconnecting with friends during the conference days afterwards.
17.06.2025 09:50
When AI Goes Rogue: How Agentic AI Will Reshape Social Engineering Attacks
Cyber criminals are rarely late to the game when it comes to new technologies. In fact, they're often among the first ones to experiment…
Agentic AI has opened new frontiers for adversaries looking to automate and scale attacks.
I wrote an article explaining what Agentic AI really is & how it can shape the future of the social engineering threat landscape.
christina-lekati.medium.com/when-ai-goes...
21.05.2025 12:49