Threat Research Lead @SentinelOne, Advisor with @ValidinLLC

United States, DC
Joined July 2015
Tom Hegel retweeted
Images of docs listed for sale are alarming, including details of critical information infrastructure in Taiwan.
Bad day for KnownSec. Hat tip to @NetAskari Images and posts on dark web forums indicate the company is the subject of a data leak. substack.com/home/post/p-178…
If you’re reversing domains or mapping infrastructure - check out @ValidinLLC. DNS intelligence, WHOIS, certificates, subdomains, host responses - all in one place. Check it out here: validin.com/
👋 The OSINT Newsletter Issue #83 is out! 🌍 The Future of Intelligence Is Open 🗺️ Timestamping Google Maps reviews 🧾 OSINT Field Notes 💬 Discord link analysis with Doxcord 🧠 DNS intelligence via Validin 🔍 Google Search localisation tricks osintnewsletter.com/p/83
Excited for a special episode of the Three Buddy Problem, as Dave Aitel joins us to talk about the announcement of @OpenAI's fabled bug-finding security agent 'Aardvark' along with our usual security news roundup. Livestream in ~30m (11:30am ET): piped.video/watch?v=7IkmOXuj…
Tough choices in the new 2025 robot vacuum battle.. 1. US based @maticrobots doing local processing, with stronger security & privacy by design. 2. DJI Romo, uploading your home layout, location, and usage details straight to China and sharing with a few friendly third parties.
🚨 @SentinelLabs, together with the Digital Security Lab of Ukraine, has uncovered a coordinated spearphishing campaign targeting members of the Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs supporting Ukraine, as well as regional government officials.
DPRK APTs continue to innovate in ways few other state actors do. Their creativity might be malicious, but it’s definitely impressive.
Damn, I guess we're putting malware on the blockchain now I don't know what the fuck a smart contract is, but I guess it can be abused, or something. Thanks, North Korea cloud.google.com/blog/topics…
Tom Hegel retweeted
1/ A pro-Hamas persona is making noise from recent airport “hacks”, including broadcast system defacements in 🇨🇦 Kelowna & 🇺🇸 Harrisburg. But digging deeper, their actions remain low-impact and opportunistic. Let's take a deeper look..🧵
Some additional details emerge about the F5 breach: the hackers were in the company's network for at least 12 months, according to people familiar with the investigation. F5 sent customers on Wednesday a threat hunting guide for Brickstorm, which is leveraged by the UNC5221 Chinese APT group. BTW, 12 months is just a bit short of the 393 days that is the average dwell time for UNC5221. Story by Patrick Howell O'Neill and colleagues: bloomberg.com/news/articles/…
15/ Bottom line atm: - Opportunistic, low-impact activity - Heavy on propaganda, questionable on skill - Visibility ≠ capability A reminder that not all “cyber warfare” headlines represent capable adversaries. Sometimes, they’re just one person with a VPN, Kali and a message.
14/ Current assessment (based on VIBESINT™): 👉 Likely a single ideological actor 👉 Not directly coordinated with Hamas or a state entity 👉 Motivated by identity, attention, and perceived alignment with global conflict narratives
13/ It’s also worth noting: this exact pattern of “hacktivist” behavior... opportunistic website defacements, Telegram propaganda, and recycled imagery, has historically been used by Western individuals and as a cover for Iranian state-sponsored actors.
12/ From an analytical perspective, this persona fits the mold of ideologically motivated but technically shallow hacktivists.. Prioritizing message reach and emotional impact over actual intrusion capability.
11/ This tactic of reusing authentic wartime media is common among low-skill influence actors. It’s a way to borrow legitimacy from real conflict footage and inflate perceived alignment with larger operations.
10/ Notably, the persona repeatedly uses Abu Obaida’s headshot, the masked spokesperson of Hamas’ military wing, despite the fact that the real Abu Obaida was reported killed in August.
9.5/ Fun.. in some Google search hype vids they post online, their default browser language is Turkish, and they're using the Microsoft Edge browser. In other cases it's Chrome in Turkish, but with local German ads. VPN be poppin'
9/ They’re active across Telegram and Twitter/X, posting defacement screenshots and recycling imagery from real Hamas propaganda to amplify credibility.
8/ Now, who’s behind it? Our analysis suggests this persona is likely a single individual, not a coordinated collective. Their style, cadence, and digital footprint indicate one operator maintaining multiple social media channels.
7/ These are not aviation security breaches, they’re public-facing system compromises, embarrassing but short-lived. Outsider hot take: only a disruption of commercial comms, not operations. (Flights were temporarily delayed, and airport staff reverted to manual announcements.)