Saher

There’s always tomorrow

Elusive Iranian APT Phishes Influential US Policy Wonks Iran is spying on American foreign policy influencers. But exactly which of its government's APTs is responsible remains a mystery.

Thanks to Nate Nelson at @darkreading.bsky.social for covering my report! www.darkreading.com/cyberattacks...

Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report.  Key findings  Between June and August 2025,

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

Check out the newest intel conference to discover the latest insights into all kinds of statecraft!

Bonus: great coverage of our research in an exclusive from one of my fave reporters @ajvicens.bsky.social www.reuters.com/sustainabili...

Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting  | Proofpoint US Key findings  Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese

New from the one and only pun-king @mkyo.bsky.social on the increased and ongoing Chinese targeting of semiconductor-related organisations in Taiwan. Edge device exploitation may be the TTP of the moment, but Chinese groups still go phishing when the chips are down www.proofpoint.com/us/blog/thre...

Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 07/01/2025 · 53m

New DISCARDED podcast drop! Join
@greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...

10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity.  Key takeaways

Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social it’s got it all:

🛰️ Popped routers for sending phish

📊 ACH on attribution

👾 custom protocols

👽 cool malware

🕵️ crime

🎯 espionage

❔many unanswered questions

www.proofpoint.com/us/blog/thre...

The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here.  Analyst note: Throughout

From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...

The ClickFix Convergence: How Threat Actors Blur the Lines Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 05/14/2025 · 36m

Check out the new DISCARDED episode! Had too much fun recording my first podcast with @selenalarson.bsky.social and Sarah on my ClickFix crossover blog!!

Podcast: podcasts.apple.com/us/podcast/d...

Blog: www.proofpoint.com/us/blog/thre...

TA406 Pivots to the Front | Proofpoint US What happened  In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these

@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...

Hell no, they are my nemesis. And Josh already offered - no takebacks!!

Thanks to my favorite team buddies for their collab and indulging my slight obsession 💜 @greg-l.bsky.social @mkyo.bsky.social and Josh

You love to see it! Talented super friends beating up on the bad guys

Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social

My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...