@volexity.com tracks a variety of threat actors abusing Device Code & OAuth authentication workflows to phish credentials, which continue to see success due to creative social engineering. Our latest blog post details Russian threat actor UTA0355βs campaigns impersonating European security events.
04.12.2025 18:36 β π 10 π 8 π¬ 0 π 0
Earth Estries and Earth Naga malware links
List of Earth Estries and Earth Naga targets, classified by targeted industry and location
Collaboration types and the related MITRE tactic stage where such collaboration occurs
Earth Estries and Earth Naga malware toolkits
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
22.10.2025 09:18 β π 20 π 14 π¬ 2 π 1
APT meets GPT: @volexity.com #threatintel is tracking #threatactor UTA0388's spear phishing campaigns against targets in North America, Europe & Asia, appearing to use LLMs to assist their ops. Letting #AI run your espionage operations? What could go wrong?
08.10.2025 12:35 β π 3 π 3 π¬ 0 π 0
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04...β¨β¨#dfir
Today, @volexity.com released GoResolver, open-source tooling to assist reverse engineers with obfuscated Golang samples. @r00tbsd.bsky.social & Killian Raimbaud presented details at INCYBER Forum earlier today. Learn how GoResolver works+where to download it: www.volexity.com/blog/2025/04...
#dfir
π£ Oops!... They did it again!!!
61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.π₯
#PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it outβ‘οΈ pivotcon.org/agenda-2025/
#CTI #ThreatIntel
Talks and presenters inπ§΅β¬οΈ 1/18
"Edge Devices Investigation"
Paul Rascagneres, Principal Threat Researcher, Volexity (@r00tbsd , @r00tbsd.bsky.social , @r00tbsd@infosec.exchange)
5/18
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
This talk is a great way to watch/listen to the details behind the work @stevenadair.bsky.social, @5ck.bsky.social, @tlansec.bsky.social + Volexityβs #threatintel & IR teams did to investigate the Nearest Neighbor Attack. The related blog post is here: www.volexity.com/blog/2024/11...
13.12.2024 13:58 β π 8 π 6 π¬ 0 π 0
We were happy to have @volexity.com's @stevenadair.bsky.social & @5ck.bsky.social present βThe Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Accessβ for the #FTSCon Keynote in October. The video of their talk is available here: youtu.be/qSNlDCg-IOM.
#dfir
Attack chain showing attacker generating link on Moonshine, then sending it through targeted application to the victim, which after clicking the links gets compromised and delivered the DarkNimbus backdoor
Validation flow that fingerprints the target by looking at user agent and delivering the proper exploit
multiple Chrome vulnerabilities exploited in the third-party applications
List of Android applications being targeted Most are very popular in South East Asia
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
#PIVOTcon25 #CfP is open and you can submit your proposals till 7 FEB 2025
Remember
- one track,30m
- no recording/streaming/tweeting. U should feel comfy to share more
- No TLP:WHITE
- Original content only
Let us guide u through with a little meme-thread
#CTI #ThreatIntel 1/10
@Volexity.com has developed a new open-source tool, βHWP Extractβ, a lightweight Python library & CLI for interacting with Hangul Word Processor files. It also supports object extraction from password-protected HWP files. Download here: github.com/volexity/hwp...
27.11.2024 11:53 β π 12 π 6 π¬ 0 π 0
#PIVOTcon25 registration is now OPEN π€π₯π₯π₯
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 𧡠for the rules about invite -> registration (1/5)
Letβs try here and see how it goes ;)
24.11.2024 20:29 β π 3 π 0 π¬ 0 π 0
Excited that we @volexity.com are able to share a writeup of one of our most interesting incidents! This case involves:
* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.
www.volexity.com/blog/2024/11...
#nearestneighbor #threatintel
@volexity.comβs latest blog post describes in detail how a Russian APT used a new attack technique, the βNearest Neighbor Attackβ, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.Β
Β
Read more here: www.volexity.com/blog/2024/11...
