SentinelLABS

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.

🔥 Fresh from the LABS team and our friends at Beazley Security 👇https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/

Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain:

labs.beazley.security/articles/gho...

Thanks for the fantastic collab SentinelLabs team!

China’s Covert Capabilities | Silk Spun From Hafnium China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

Posted this a few days ago. Going to post it again for the folks who didn't read it the first time 😆
www.sentinelone.com/labs/chinas-...

An amazing, insightful report from @dakotaindc.bsky.social and @sentinellabs.bsky.social

How did China get Microsoft's zero-day exploits? - Security Conversations Three Buddy Problem – Episode 53: We dig into news of the first-ever arrest of a Chinese intelligence-linked hacker in Italy, unpack the mystery behind […]

Thanks for the extremely kind words on the pod @ryanaraine.bsky.social @jags.bsky.social. My non paid endorsement (feel free to venmo me) is that three buddy is one of my favorite cyber pods, worth a listen every time. securityconversations.com/episode/how-...

China’s Covert Capabilities | Silk Spun From Hafnium China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

🌀🔥… the complex relationship btw CN APTs🕵️‍♂️ and CN PSOAs 🇨🇳 makes attribution even more challenging than defenders might have supposed. #cti #threatintel #hafnium #silktyphoon @dakotaindc.bsky.social

www.sentinelone.com/labs/chinas-...

YouTube video by Three Buddy Problem Microsoft Sharepoint Security Crisis: Faulty Patches, Zero-Day Exploits

This week's show is YouTube ready @craiu.bsky.social @jags.bsky.social

🔥 Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days

youtu.be/3GJuVGmpexA

⚠️ #0-DAY #Microsoft
👾 #CVE-2025-53770
🔩 #ToolShell 🪏
bsky.app/profile/sent...

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets.

👀 Apple: “macOS is secure by design.”
💻 Meanwhile, in /Users/Shared:
🕵️‍♂️ Persistent Malware masquerading as Apple “agent”
>> Khepri beacon in /tmp
📦 Ad-hoc signed payloads
🌍 Targeting Chinese diaspora
Deep dive from Dinesh Devadoss and me 👉 s1.ai/zuru
#icymi #macOS #malware #APT #infosec

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware NimDoor reflects a leap in DPRK’s offensive toolkit, mixing compile-time trickery with native scripting to complicate and deter analysis.

💥 Fresh from LABS @philofishal.bsky.social and @syrion89.bsky.social
Our guys untangle the knots of #NimDoor: compiled Nim, macOS process injection and signals-based persistence triggers, with AppleScript (⁉️) beacons (whatever will they think up next 😅) 🌶️🌶️.
#dprk #apt #macOS
s1.ai/nimdoor

YouTube video by Three Buddy Problem Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks

This week's show is a three-hour deep dive into Predatory Sparrow and the long-simmering Iran-Israel cyberwar (with @darkcell.bsky.social @craiu.bsky.social @jags.bsky.social youtu.be/MKKzHseTUUQ?...

"The best netflow comes from asking friends for favors." -- @jags.bsky.social @craiu.bsky.social

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

Get the full story here:

www.sentinelone.com/labs/follow-... [2/2]

We just released our findings on long-term activity clusters attributed to China-nexus actors.

We discuss a relatively underreported, yet critical, aspect of the threat landscape: the targeting of cybersecurity vendors.

Big shout out to Lumen's Black Lotus Labs for their support! [1/2]

From PhD work to award-winning cybercrime research, @milenkowski.bsky.social of SentinelLABS is a force in malware analysis.

Catch his talk at #SLEUTHCON 2025!

🎟️ Grab your ticket today >>> www.sleuthcon.com

#CyberThreatIntel #InfosecEvents

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.

📄 Read the full research: s1.ai/TopTier

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.

Love when we can talk about hoy dynamic the threat landscape actually is. The scope and scale of the DPRK IT workers effort alone surprised me as we worked it. Also love @sentinelone.com let us discuss this openly and viewed it as important to do so.

www.sentinelone.com/labs/top-tie...

Tom Rid joins the show: AI consciousness, TP-Link's China connection, trust in hardware security

Appreciate the shoutout @jags.bsky.social (and that you aced my last name)! If you don’t listen to the Three Buddy Podcast yet, it is absolutely amazing and you should!

open.spotify.com/show/6dXbRag...

At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.

Very excited to share that I’ll be presenting at @sleuthcon.bsky.social in June!

Jim & I will share the backstory behind AkiraBot that didn’t make it into the blog—and what they’ve been up to since.

Published a new Pharos report today - and learned a lot in the process from @milenkowski.bsky.social Jiro, @julianferdinand.bsky.social @tgrossman.bsky.social. The report takes a closer look at how states are using ransomware.

virtual-routes.org/wp-content/u...

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale AkiraBot uses OpenAI to generate custom outreach messages to spam chat widgets and website contact forms at scale.

👉 s1.ai/akirabot
#OpenAI abused by spambot to carve out custom messages and beat CAPTCHAs. #security
@alex.leetnoob.com 🕸️

it feels like an useful feature so I have just implemented it under aflmc. thanks for sharing your alias! github.com/radareorg/ra...

How to pivot of network indicators with Validin.

Learn how to pivot on network iocs you find in blog posts 🔥 #validin

www.validin.com/blog/x-phish...

🔥⚔️ Presenting our Just A Sec livestream. In the first-ever episode on April 10 at 2 p.m. PT, @dakotaindc.bsky.social, Drea London, @jags.bsky.social, and @stonepwn3000.bsky.social discuss the hidden forces shaping our digital world.

Really great episode this week. The Signal ID management mess, and the lab dookhtegan topics.. simply delicious 🤌

Use this r2 alias to sort and count calls in a function: $pifc='pifc | sort | uniq -c | awk '{print $1," x ",$3}' | sort -nr' (escape the pipes and inner quotes when using in .radarerc config file).

Power up your #radare2 pifc command with a $pifc alias that sorts and counts the calls in a function. #macOS #reverseengineering #r2

LABScon24 Replay | A Walking Red Flag (With Yellow Stars) Dakota Cary and Eugenio Benincasa explore China's CTF ecosystem, highlighting competitions held by the Ministry of State Security and the PLA.

s1.ai/LC24-CB
⌨️ 👉 🇨🇳 ☣️ Exploiting CTFs to
tool-up your #espionage capabilities and build out your #cyberarsenal. ⚒️ 💣
@dakotaindc.bsky.social
@sentinelone.com

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware Jim Walter reveals how a recent leak provided insight into how Kryptina RaaS has been adapted for use in enterprise attacks.

s1.ai/LC24-JW
🔥🚰 leaky opsec reveals how Kryptina made a name for itself 👇 #ransomware #security #cyber

ReaderUpdate Reforged | Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants A widespread campaign with binaries written in different source languages, ReaderUpdate presents unique challenges for detection and analysis.

s1.ai/readup
🐚 Adware loaders are always the most complex! Props to @syrion89.bsky.social for helping me pull apart all these different bins and figuring out what they had in common and how to attribute and detect them. 🦾 #adware #malware #macOS #security
@sentinelone.com @sentinellabs.bsky.social

LABScon24 Replay | Resilience and Protection in the Windows Ecosystem Kim Zetter interviews David Weston on topics such as the fallout from the CrowdStrike outage, Windows Recall and improving Microsoft security.

s1.ai/LC24-WZ
@kimzetter.bsky.social @dwizzzle.bsky.social