Mercenary spyware vendor Paragon claims it's "responsible" (unlike NSO Group)
But our investigations @citizenlab.ca show Paragon's spyware was abused in Italy 🇮🇹 to target civil society
@accessnow.org sent them a letter with questions, and I signed on 👇
www.accessnow.org/press-releas...
"Typically the Iranians have deployed wipers against targets in critical infrastructure and other organizations," Google threat intelligence group chief analyst John Hultquist told The Register. "We will probably see more of that in Israel and we could see it in the US as well."
Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
It’s amazing to me that it can take 6 years from the first attack until the trial starts.
via @jgreig.bsky.social & @therecordmedia.bsky.social
NASA simulation for what you'd see while plunging into a black hole:
youtu.be/chhcwk4-esM
There's actually a lot left to see after passing the event horizon!
#ESETresearch has published its latest APT Activity Report, covering October 2024 to March 2025 (Q4 2024–Q1 2025). China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors. 1/2
Here's how the TM SGNL server, which had access to plaintext chat logs from people like Mike Waltz, got hacked in about 20 minutes www.wired.com/story/how-th... (my first article in @wired.com!)
Learn about monitoring inauthentic accounts and conducting investigations into Foreign Information Manipulation and Interference (FIMI) in our next Stage Talk on Thursday, 4pm CEST/10am EDT. We're joined by the @doublethinklab.bsky.social team live in our Discord Server
discord.gg/FGq4XfYm?eve...
Layoffs at CrowdStrike. I’m safe, but if you’re looking for IR consultants I know a bunch of fucking amazing ones that will be looking for jobs 🫠
Socket Security has discovered a malicious Python library that contained a remote access trojan and went undetected for over three years
socket.dev/blog/malicio...
I'm analyzing the TM SGNL source code and will publish findings tomorrow. But for a sneak peek, here's how it seems TeleMessage's system works:
There's E2EE between TM SGNL and Signal, but NOT between TM SGNL and archive destinations. TM's archive server can read the chat logs.
Stay tuned.
No as a service
Demo naas.isalman.dev/no
Repo github.com/hotheadhacke...
Recorded Future Insikt Group researchers analyse MintsLoader, a malicious loader deployed through multiple infection vectors that commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC client. www.recordedfuture.com/research/unc...
ESET researchers provide an analysis of Spellbinder, a lateral movement tool for performing adversary-in-the-middle attacks, used by TheWizards, a China-aligned threat actor. www.welivesecurity.com/en/eset-rese...
Trustwave researchers observed a notable increase in NodeJS-based backdoor deployments across multiple malware campaigns, including KongTuke, Fake CAPTCHA schemes, Mispadu, and Lumma stealers. www.trustwave.com/en-us/resour...
Security leaders at Mandiant and Google Cloud say nearly every major company has hired or received applications from North Korean nationals working on behalf of the country’s regime. via @mattkapko.com cyberscoop.com/north-korea-...
CVE-2024-10442 (CVSS 10): Zero-Click RCE in Synology DiskStation, PoC Published
So regarding this behavior: I've confirmed it, and there's more detail than is in the story. Let's go.
arstechnica.com/security/202...
Ako ransomware affiliate gets five years in prison
#ESETResearch analyzed the toolset of the China-aligned APT group that we have named #TheWizards. It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates. www.welivesecurity.com/en/eset-rese... 1/6
Russia attempting cyber sabotage attacks against Dutch critical infrastructure therecord.media/dutch-mivd-r...
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04...
#dfir
Rocky ❤️
Check Point published a write-up of CVE-2025-24054, an NTLM leak that Microsoft patched last month.
The company says the vulnerability is now being exploited in the wild, with one campaign targeting government and private institutions in Poland and Romania.
research.checkpoint.com/2025/cve-202...
After years of the West naming and shaming nation-state hackers I have wondered (and written) about the lack of similar finger pointing back at the US etc. This new shift from China to out western hackers for cyber spying is overall a good thing for transparency. www.theregister.com/2025/04/15/c...
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...
NEW: In a hearing last week, an NSO Group lawyer said that Mexico, Saudi Arabia, and Uzbekistan were among the governments responsible for a 2019 hacking campaign against WhatsApp users.
This is the first time representatives of the spyware maker admit who its customers are.
MITRE’s CVE database was hours from disappearing. CISA saved it at the last minute with a contract extension. Here’s what you need to know.
Read Cynthia Brumfield's @metacurity.com news article:
www.csoonline.com/article/3963...
#InfoSec #ThreatIntel #CVE
👏 "Active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation." www.thecvefoundation.org/home