@olevilladsen.bsky.social
Threat researcher @ Proofpoint. Formerly IBM X-Force, CMU, US Government, US Navy. Views are my own.
Threat actors are teaming up with organized crime to target truckers β stealing identities, placing fraudulent bids on freight, and making off with the cargo. Their entry point? Emails with links delivering Remote Monitoring and Management (RMM) tools. Together with @selenalarson.bsky.social :
03.11.2025 10:40 β π 29 π 20 π¬ 1 π 3π¨ Job seekers, watch out! π¨
Proofpoint found threat actors targeting job seekers to distribute remote management tools that can lead to data or financial theft, or potentially to install follow-on malware like ransomware.
I just call it "first lunch" or "second breakfast"
28.05.2025 22:04 β π 1 π 0 π¬ 1 π 0
Today, Proofpoint joins the cybersecurity community and the U.S. and international law enforcement in celebrating the disruption of #DanaBot, a malware-as-a-service used by sophisticated cybercriminals since 2018. brnw.ch/21wSRiZ
22.05.2025 19:48 β π 5 π 1 π¬ 1 π 1
Thanks for the shoutout and for recognizing our work at DFIR Report in tracking these threats!
πRead the article here: www.proofpoint.com/us/blog/thre...
New cyber threat research from Proofpoint highlights how attackers are adapting to law enforcement disruptions, leveraging trusted software to evade detection and compromise systems.
This blog details our team's findings: www.proofpoint.com/us/blog/thre....
#malware #ransomware #dataloss
Dropping some new research on TA397/Bitter π¨
Hidden in Plain Sight | TA397βs New Attack Chain Delivers Espionage RATs
Report:
www.proofpoint.com/us/blog/thre...
In December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.
π§΅β€΅οΈ
Screenshot of the email showing a TAR archive as an email attachment.
The TAR archive and its content, a Windows EXE file for AgentTesla
An update to the Windows registry showing the malware persistent on an infected Windows host.
Traffic from an infection filtered in Wireshark to show the FTP data exfiltration traffic.
2024-12-04 (Wednesday): #AgentTesla variant using #FTP for data exfiltration. A sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated malware samples, and a list of indicators are available at www.malware-traffic-analysis.net/2024/12/04/i...
05.12.2024 01:14 β π 6 π 4 π¬ 1 π 0
Malicious BumbleBee PDF using Cisco AnyConnect as a lure
Malicious download page using Cisco AnyConnect as a lure to infect users with BumbleBee malware
#BumbleBee malspam using Cisco AnyConnect as a lure. It contains a PDF with a link to a fake AnyConnect installer that opens AnyConnect on the Microsoft App Store to mask the BumbleBee infection π₯
Payload delivery URLs:
π urlhaus.abuse.ch/host/95.164....
Payload:
π bazaar.abuse.ch/sample/b8794...
#BruteRatel - #Latrodectus - url > .js > .msi > .dll
wscript.exe Document-v15-51-07.js
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fes.msi
rundll32.exe C:\Users\Admin\AppData\Roaming\avutil.dll, DLLMain
(1/3)π
IOC's
github.com/pr0xylife/La...
I really like the freedom of BlueSky's API and hope it can be maintained. I will use the API to push more IOCs.
27.11.2024 08:05 β π 1 π 1 π¬ 0 π 0T-Minus 37 days til the next season of #100DaysofYARA kicks off!!
Whoβs excited and what will you be working on?
I canβt believe it but Iβm excited to write rules for JavaScript π¬π΅βπ«
But also get to show off the new macho module from the one and only
@jacoblatonis.me
Screenshot of malicious spam (malspam) with malware file attachment.
Traffic from the XLoader (Formbook) infection filtered in Wireshark.
2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...
Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...
Also runs in my lab just fine
Welcome Brad! @malware-traffic.bsky.social
22.11.2024 19:01 β π 2 π 0 π¬ 1 π 0
Very interesting story which in my opinion that shows how the Chinese surveillance state is even "knocking off" on itself when it comes to IP/Data. This is some great research from SpyCloud Labs! Very proud of the Labs Research Team! www.wired.com/story/chines...
21.11.2024 16:26 β π 8 π 2 π¬ 0 π 0For visibility - x0rz now on Blue Sky, so happy :)
18.11.2024 14:29 β π 0 π 0 π¬ 1 π 0
New blog drop with @selenalarson.bsky.social and the rest of the team. This one covers a lot of threats using the #ClickFix technique to lure targets to infect themselves by pasting malicious CMD/PS code. My "fave" is the chumbox #malvertising on major tech sites.
www.proofpoint.com/us/blog/thre...
Reuters also confirms the story about Biden allowing Ukraine to use US arms to strike inside Russia, citing three sources familiar with the matter. Ukraine plans to conduct its first long-range attacks in the coming days.
www.reuters.com/world/biden-...
Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this...
I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working
Apparently this is built into Chrome/Edge! So cool :)
edge://net-export/
Two great easy-to-use tools to find new follows - both worked great.
17.11.2024 01:02 β π 2 π 0 π¬ 0 π 0
Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago
www.youtube.com/watch?v=O69e...
I see at least AlphV/BlackCat
06.07.2023 21:00 β π 2 π 0 π¬ 1 π 0
IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now
Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)
Thank you - are there particular ransomware families they are deploying that you can share?
06.07.2023 17:30 β π 0 π 0 π¬ 1 π 0
