Sean Koessel

@5ck.bsky.social

VP and founding member @Volexity. Incident Response/DFIR/Targeted threat analysis.

83 Followers  |  41 Following  |  4 Posts  |  Joined: 20.12.2023

Latest posts by 5ck.bsky.social on Bluesky

Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks In early 2025, Volexity published two blog posts detailing a new trend among Russian threat actors targeting organizations through the abuse of Microsoft 365 OAuth and Device Code authentication workf...

@volexity.com tracks a variety of threat actors abusing Device Code & OAuth authentication workflows to phish credentials, which continue to see success due to creative social engineering. Our latest blog post details Russian threat actor UTA0355’s campaigns impersonating European security events.

04.12.2025 18:36 — 👍 6    🔁 7    💬 0    📌 0

@stevenadair.bsky.social is back again!

Founder + President of Volexity leading a team of experts that deal w/ complex cyber intrusions from nation-state level intruders. His talk will cover a Chinese APT actor that Volexity tracks as UTA0388.

Check out the official agenda:
cyberwarcon.com

15.10.2025 15:11 — 👍 2    🔁 5    💬 0    📌 1
APT Meets GPT: Targeted Operations with Untamed LLMs Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initial observed campaigns were tailor...

APT meets GPT: @volexity.com #threatintel is tracking #threatactor UTA0388's spear phishing campaigns against targets in North America, Europe & Asia, appearing to use LLMs to assist their ops. Letting #AI run your espionage operations? What could go wrong?

08.10.2025 12:35 — 👍 3    🔁 3    💬 0    📌 0

#FTSCon Speaker Spotlight: Juan Andrés Guerrero-Saade is presenting "From Threat Hunting to Threat Gathering" in the HUNTER track.

See the full list of speakers + event info, including how to register, here: volatilityfoundation.org/from-the-sou...

18.09.2025 13:15 — 👍 1    🔁 4    💬 0    📌 0
Joe Grand's Hardware Hacking Basics [FTSCon 2025] This two-day comprehensive course teaches fundamental hardware hacking concepts and techniques used to explore, manipulate, and exploit electronic devices.

We are excited to announce that we are hosting a second training course for #FTSCon week! Join @joegrand.bsky.social as he leads his popular 2-day Hardware Hacking Basics course on Oct. 21-22 in Arlington VA! Registration is now OPEN!

01.08.2025 15:09 — 👍 4    🔁 5    💬 1    📌 0

The Call For Speakers for #FTSCon closes tomorrow! Make sure to submit your talks before the deadline! This is a great opportunity to share your DFIR open source tools and investigation tales with leading experts in the field.

22.07.2025 14:58 — 👍 2    🔁 3    💬 0    📌 0
The stylized blue, orange and black Volexity Volcano logo is centered, with the Volcano wordmark below it. The words "by Volexity" appear below the Volcano logo. There is a dark blue banner in the upper left with white letters that read "New Release". The background is a faded gray abstract illustration evoking smoke.

@Volexity.com Volcano Server & Volcano One v25.06.12 adds ~600 new YARA rules, new IOCs for fake registered antivirus & hooked Linux kernel functions, as well as support for custom post-processing bash scripts, segmented directory watching & database optimization. [1/2]

18.06.2025 16:42 — 👍 3    🔁 3    💬 1    📌 1

The Call for Presentations for From the Source 2025 is open! Our Makers Track is aimed at developers of open source DFIR tools and the Hunters track covers the best Threat Intel research of the past year.

See the full details in our blog post: volatilityfoundation.org/announcing-f...

05.06.2025 16:03 — 👍 4    🔁 6    💬 0    📌 1
RVAsec 14 Speaker Feature: Andrew Case - RVAsec Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. Case is a core developer of Volatility, the m...

I will be showing off Volatility 3 during my talk on Wednesday afternoon at RVASec. Be sure to attend and come say hello if you will be around!

rvasec.com/rvasec-14-sp...

19.05.2025 17:06 — 👍 9    🔁 7    💬 0    📌 0
Announcing FTSCon 2025 & In-person Malware and Memory Forensics Training! Mark your calendars for Monday, October 20, 2025! We will again be hosting FTSCon in Arlington, Virginia. You can read more event details here. Registration is now open!

We are excited to announce FTSCon 2025 on October 20, 2025, in Arlington VA! Registration is now OPEN + we have a Call for Speakers.

Following FTSCon will be a 4-day Malware & Memory Forensics Training course with Volatility 3.

See the full details here: volatilityfoundation.org/announcing-f...

23.05.2025 18:00 — 👍 7    🔁 9    💬 0    📌 2

New research from the team: Involves clever m365 OAuth tricks + phishing via Signal and WhatsApp to compromise accounts. #dfir #threatintel

22.04.2025 16:52 — 👍 2    🔁 1    💬 0    📌 0

I will be speaking at @kernelcon.bsky.social on Fri, Apr 3rd. The talk will cover previously-unreported features of the sedexp Linux malware found in the wild - including loading of a memory-only rootkit! Talk will cover how the rootkit was discovered & how to analyze with @volatilityfoundation.org

07.03.2025 18:47 — 👍 12    🔁 9    💬 0    📌 0
Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activiti...

@volexity.com regularly assists customers in combatting advanced threat actors, and we enjoy being able to assist our partners as well, including LE & federal agencies like US DOJ, as we work together to combat these advanced cyber threats.

www.justice.gov/opa/pr/justi...

#dfir #threatintel

05.03.2025 17:57 — 👍 7    🔁 5    💬 0    📌 1

An image of the blue and orange Volexity Volcano logo with a New Release banner to announce the release of Volcano Server & Volcano One v25.02.21

@volexity.com Volcano Server & Volcano One v25.02.21 adds 300 new YARA rules; consistent Bash/ZSH history & sessions from Linux/macOS memory and files; and parses Linux systemd journals, macOS unified logs, and Windows USNs (search + timeline for all).
[1/2]

#dfir #memoryforensics #memoryanalysis

26.02.2025 15:00 — 👍 6    🔁 5    💬 1    📌 1

One of the main takeaways -- block device code authentication flow via conditional access 2/2
#Microsoft365 #DFIR #ThreatIntel

14.02.2025 14:50 — 👍 4    🔁 2    💬 0    📌 0

Check out the new blog: Russian APT adopts a well-known technique of m365 device code phishing. When combined with clever lures this technique proved to be extremely successful. 1/2

14.02.2025 14:50 — 👍 5    🔁 3    💬 1    📌 0

As seen in this guidance from NCSC published today, memory forensics continues to play a critical role in modern digital investigations! After almost 20 years, it's encouraging to still see the need for the amazing work by the #Volatility contributors!

04.02.2025 16:36 — 👍 6    🔁 5    💬 0    📌 0
Cyber agencies unveil new guidelines to secure edge devices from increasing threat New guidelines encourage device manufacturers to include and enable standard logging and forensic features that are robust and secure by default.

It's great to see NCSC drawing attention to the ongoing issues with network devices & appliances. Hopefully vendors heed the volatile data collection guidance: "Volatile data logging should support collection of… memory both at a kernel and individual process level."
www.ncsc.gov.uk/news/cyber-a...

04.02.2025 15:57 — 👍 7    🔁 7    💬 1    📌 1

If you will be at @wildwesthackinfest.bsky.social next week then be sure to attend my talk!

01.02.2025 15:44 — 👍 6    🔁 4    💬 0    📌 0
National security officials meet with US telecom execs to share intel on Chinese cyber espionage campaign, White House says | CNN Politics Top telecom executives met with US national security officials Friday as concerns mount over a long-running Chinese cyber-espionage campaign that has targeted some of the most senior US political figu...

White House officials share intel with telecom executives on alleged Chinese cyber espionage operation #SaltTyphoon www.cnn.com/2024/11/23/p...

23.11.2024 16:55 — 👍 15    🔁 11    💬 2    📌 0

We presented on this last month at #FTSCon (IYKYK). Steven is also presenting today @CYBERWARCON. Really excited to finally share this research publicly! It's probably one of the more crazy/interesting IR engagements we've ever worked 🤯 #DFIR #ThreatIntel

22.11.2024 17:27 — 👍 12    🔁 4    💬 2    📌 1
Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

Russian spies — likely Russia's GRU intelligence agency — used a new trick to hack a victim in Washington, DC: They remotely infected another network in a building across the street, hijacked a laptop there, then breached the target organization via its Wi-Fi. www.wired.com/story/russia...

22.11.2024 12:06 — 👍 580    🔁 329    💬 12    📌 46
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

@volexity.com's latest blog post describes in detail how a Russian APT used a new attack technique, the "Nearest Neighbor Attack", to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...

22.11.2024 14:58 — 👍 81    🔁 41    💬 2    📌 13