
Paul Rascagneres

@r00tbsd.bsky.social

Lord of Loaders at Volexity

290 Followers  |  211 Following  |  1 Posts  |  Joined: 24.11.2024  |  1.7283

Latest posts by r00tbsd.bsky.social on Bluesky

Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) acco...

@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.

www.volexity.com/blog/2025/04...

#dfir

22.04.2025 16:39 — 👍 18    🔁 12    💬 0    📌 1
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and...

Today, @volexity.com released GoResolver, open-source tooling to assist reverse engineers with obfuscated Golang samples. @r00tbsd.bsky.social & Killian Raimbaud presented details at INCYBER Forum earlier today. Learn how GoResolver works+where to download it: www.volexity.com/blog/2025/04...
#dfir

01.04.2025 13:45 — 👍 24    🔁 14    💬 0    📌 1

📣 Oops!... They did it again!!!
61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks. 🔥

#PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out ➡️ pivotcon.org/agenda-2025/
#CTI #ThreatIntel
Talks and presenters in 🧵⬇️ 1/18

07.03.2025 14:42 — 👍 20    🔁 14    💬 1    📌 5

"Edge Devices Investigation"

Paul Rascagneres, Principal Threat Researcher, Volexity (@r00tbsd, @r00tbsd.bsky.social, @r00tbsd@infosec.exchange)
5/18

07.03.2025 14:42 — 👍 8    🔁 3    💬 1    📌 0
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...

@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...

#dfir #threatintel #m365security

13.02.2025 22:39 — 👍 34    🔁 20    💬 2    📌 7

This talk is a great way to watch/listen to the details behind the work @stevenadair.bsky.social, @5ck.bsky.social, @tlansec.bsky.social + Volexity's #threatintel & IR teams did to investigate the Nearest Neighbor Attack. The related blog post is here: www.volexity.com/blog/2024/11...

13.12.2024 13:58 — 👍 8    🔁 6    💬 0    📌 0

We were happy to have @volexity.com's @stevenadair.bsky.social & @5ck.bsky.social present “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access” for the #FTSCon Keynote in October. The video of their talk is available here: youtu.be/qSNlDCg-IOM.

#dfir

13.12.2024 13:38 — 👍 9    🔁 6    💬 0    📌 2

Attack chain showing attacker generating link on Moonshine, then sending it through targeted application to the victim, which after clicking the links gets compromised and delivered the DarkNimbus backdoor

Validation flow that fingerprints the target by looking at user agent and delivering the proper exploit

multiple Chrome vulnerabilities exploited in the third-party applications

List of Android applications being targeted
Most are very popular in South East Asia

Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...

05.12.2024 08:48 — 👍 12    🔁 7    💬 0    📌 2

#PIVOTcon25 #CfP is open and you can submit your proposals till 7 FEB 2025
Remember
- one track, 30m
- no recording/streaming/tweeting. U should feel comfy to share more
- No TLP:WHITE
- Original content only
Let us guide u through with a little meme-thread
#CTI #ThreatIntel 1/10

27.11.2024 15:11 — 👍 31    🔁 18    💬 1    📌 4
GitHub - volexity/hwp-extract: A library and cli tool to extract HWP files. A library and cli tool to extract HWP files. Contribute to volexity/hwp-extract development by creating an account on GitHub.

@Volexity.com has developed a new open-source tool, “HWP Extract”, a lightweight Python library & CLI for interacting with Hangul Word Processor files. It also supports object extraction from password-protected HWP files. Download here: github.com/volexity/hwp...

27.11.2024 11:53 — 👍 13    🔁 6    💬 0    📌 0

two men are standing next to each other with the words "we open it up" on the screen

#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)

19.11.2024 14:00 — 👍 42    🔁 22    💬 2    📌 11

Let's try here and see how it goes ;)

24.11.2024 20:29 — 👍 3    🔁 0    💬 0    📌 0
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

Excited that we @volexity.com are able to share a writeup of one of our most interesting incidents! This case involves:

* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.

www.volexity.com/blog/2024/11...

#nearestneighbor #threatintel

22.11.2024 15:05 — 👍 46    🔁 17    💬 3    📌 0

@volexity.com's latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.

Read more here: www.volexity.com/blog/2024/11...

22.11.2024 14:58 — 👍 82    🔁 41    💬 2    📌 13