Matthew Green 🌻 retweeted
One compromised Microsoft Entra ID or Azure account can lead to a full tenant takeover. Our new framework ranks roles by risk and adds strong MFA + secure admin workstations to protect the most critical accounts. Read the whitepaper: bit.ly/47GbPTU
🦖 An interesting Velociraptor artifact to scope the Virtualisation Worker process and look at its handles to disk images. We are interested in unusual locations or small disk sizes. 🔎 Artifact: docs.velociraptor.app/exchan… 🛡️ Reference: bitdefender.com/en-us/blog/b… @velocidex
Matthew Green 🌻 retweeted
JPCERT/CC reports ongoing APT-C-60 attacks in Japan, revealing updates on malware tactics, including spear-phishing with malicious VHDX files, updates to the SpyGlace malware, and ongoing GitHub distribution efforts. #CyberSecurity #APT blogs.jpcert.or.jp/en/2025/1…
Matthew Green 🌻 retweeted
If you feel like you're bad at your job and it's making you depressed, just consider that, as the investigation of the recent heist revealed, the password to access the Louvre's videosurveillance system was "Louvre".
Matthew Green 🌻 retweeted
Awesome new threat report from Google Threat Intel Group documenting how threat actors are leveraging Gemini. A lot of information and actionable content available in the report! Great work 👌 services.google.com/fh/files…
Matthew Green 🌻 retweeted
‼️ Meet Ryan Clifford Goldberg, a Digital Forensics and Incident Response manager at Sygnia. He is one of three insiders accused of cybercrimes. He allegedly conducted cyberattacks using ALPHV BlackCat ransomware. Goldberg and two other insiders ran ransomware operations since 2023 while employed at cybersecurity firms. After an FBI visit, Goldberg confessed. He now faces up to 50 years in prison.
Matthew Green 🌻 retweeted
🇰🇵 Meet "Mateo" and "Alfredo", two young #Lazarus agents who thought it was a good idea to steal someone else's ID and resume to try to get a job with us. 🪶 We recorded them and found interesting data on how they operate. ⬇️ Read our article on the #QuetzalTeam Blog below!
Matthew Green 🌻 retweeted
Just when you think you know your way around Linux... binfmt_misc: Hold my beer. binfmt_misc provides a nifty way (once the attacker has gained root rights on the machine) to create a little backdoor to regain root access when the original access no longer works. This mechanism is not really known, according to blog posts and articles on the topic, which makes it a perfect fit for staying under the radar. dfir.ch/posts/today_i_learne…
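The post describes the persistence trick but not how to check a host for it. The audit script below is an added example, not code from the dfir.ch write-up: it reads every handler registered under /proc/sys/fs/binfmt_misc (a real kernel interface whose per-handler files carry a status line, an "interpreter" line, a "flags:" line and either an "extension" line or "offset"/"magic"/"mask" lines) and reports the ones a responder should look at. The list of trusted interpreter directories and the review heuristics are assumptions chosen for this example, not kernel rules.

```python
"""Audit binfmt_misc handlers on a Linux host (added example, not from the linked post).

Each registered handler is a text file under /proc/sys/fs/binfmt_misc/<name>.
The trusted-directory list and the review heuristics are assumptions made for
this example; treat the output as a review list, not a verdict.
"""
import os
from typing import Dict, List

BINFMT_DIR = "/proc/sys/fs/binfmt_misc"
# Assumption: an interpreter outside these prefixes deserves a second look.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")
ELF_MAGIC = "7f454c46"  # hex of the bytes 0x7f 'E' 'L' 'F'


def parse_entry(name: str, text: str) -> Dict[str, str]:
    """Turn one handler file's text into a dict of its fields."""
    entry = {"name": name, "status": "", "interpreter": "", "flags": "",
             "extension": "", "offset": "", "magic": "", "mask": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("enabled", "disabled"):
            entry["status"] = line
        elif line.startswith("flags:"):
            entry["flags"] = line[len("flags:"):].strip()
        else:
            key, _, value = line.partition(" ")
            if key in ("interpreter", "extension", "offset", "magic", "mask"):
                entry[key] = value.strip()
    return entry


def review(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an enabled handler deserves a closer look (empty list if none)."""
    reasons: List[str] = []
    if entry["status"] != "enabled":
        return reasons  # a disabled handler never fires
    if not entry["interpreter"].startswith(TRUSTED_PREFIXES):
        reasons.append(f"interpreter outside trusted prefixes: {entry['interpreter']}")
    if "C" in entry["flags"]:
        reasons.append("flag C: interpreter runs with the matched binary's setuid/setgid credentials")
    # An ELF magic whose effective match width is only the four magic bytes
    # catches every native ELF executable; qemu-user style handlers mask
    # further into the header (e_machine) so they only match foreign architectures.
    effective_width = len(entry["mask"] or entry["magic"])
    if entry["magic"].startswith(ELF_MAGIC) and effective_width <= len(ELF_MAGIC):
        reasons.append("magic matches every ELF executable, not just a foreign architecture")
    return reasons


def audit(binfmt_dir: str = BINFMT_DIR) -> Dict[str, List[str]]:
    """Map each registered handler name to its review reasons; empty if none or binfmt_misc is absent."""
    report: Dict[str, List[str]] = {}
    if not os.path.isdir(binfmt_dir):
        return report
    for name in sorted(os.listdir(binfmt_dir)):
        if name in ("register", "status"):
            continue  # control files, not handlers
        try:
            with open(os.path.join(binfmt_dir, name), encoding="ascii") as fh:
                entry = parse_entry(name, fh.read())
        except OSError:
            continue
        reasons = review(entry)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for handler, why in audit().items():
        print(handler)
        for reason in why:
            print("  -", reason)
```

Run it as root on a live host or point `audit()` at a copied proc tree from a disk image; a handler whose interpreter lives in a temp or hidden directory, or one that swallows every ELF binary, is the shape the post is describing and should be checked against the package manager's known registrations before removal.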
Matthew Green 🌻 retweeted
APT-Q-12/APT-C-60 : VHDX + GitHub/StatCounter/C2 Focused on East Asian regions such as Japan. blogs.jpcert.or.jp/ja/2025/1…
APT-Q-12/APT-C-60 + Github Repo Update mp.weixin.qq.com/s/A1UhFfqnG…
Matthew Green 🌻 retweeted
After getting fired from ungrateful AWS after the outage where my job was to vibecode all the DNS entries to IPv6, happy to announce it's my 1st day at Azure. Azure recognizes the value of vibecoding IPv6 DNS and I just force pushed my first 1m entries. Now off to grab some coffee.
Matthew Green 🌻 retweeted
How to collect memory-only filesystems on Linux systems isc.sans.edu/diary/32432
Matthew Green 🌻 retweeted
EDR-Redir: You can break EDRs/Antivirus from user mode with bind link and cloud minifilter. Because your payload deserves privacy. #antimalware #itsecurity #redteam
Matthew Green 🌻 retweeted
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆 We use this tool internally to help track multiple threat actors with high confidence, improving attribution in many cases. The tool has been released in the @Proofpoint Emerging Threats public #GitHub for other defenders to leverage. Learn more about it here: brnw.ch/21wWSH0 @ET_Labs #PDF #threatdetection #cyberthreat
Matthew Green 🌻 retweeted
Last month, @d_tranman and I gave a talk @MCTTP_Con called "COM to the Darkside" focusing on COM/DCOM cross-session and fileless lateral movement tradecraft. Check out the slides here: github.com/bohops/COM-to-the… Recording should be released soon.
Matthew Green 🌻 retweeted
hey hi hello we've been seeing summa dat WSUS sussy baka CVE-2025-59287 remote code execution exploitation windows servers with WSUS ports 8530 & 8531 exposed ( -- why?) getting point-and-shoot popped from a POC already public huntress.com/blog/exploitati… prolly limited ITW exploitation because those ports shouldn't be exposed but 4 incidents so far from last night patch your potatoes, IOCs and Sigma rule in da blog
Matthew Green 🌻 retweeted
Great research from Mandiant, learned a lot from their analysis. cloud.google.com/blog/topics… Found more trojanized JavaScripts communicating with the same transaction hash. Sometimes it’s shocking how well DPRK actors understand blockchain mechanics and weaponize them.
40a010ff94733fb6057806ba3c6afd17 store-v-main/backend/routes/printfulRoute.js
a2c4f49789fc415a25613445f18f6477 Landhsoft-Frontend-main/tailwind.config.js
b65cacd0bea799ca15cbfb1068c705de w3chat.io-main/postcss.config.mjs
cac6f541b3c61f7477dae559f3468c4c portfolio-main/tailwind.config.js
6f63bee18de9b07e0e65590c0a0dbb67 NexAgent-main/frontend_app/postcss.config.mjs
be90c556fdc85569745d2dd98efc712c pipeline-templates-main/scripts/validate.js
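The post gives six MD5 hashes and the project-relative paths they were found at, which is enough to sweep a checkout or a developer workstation for them. The script below is an added example, not code from Mandiant or the poster: the hash table is copied from the post, the decision to skip node_modules and to flag same-named build/config files whose hash differs is an assumption made here (the trojanized files were build and config files, so a differing hash does not clear them), and the sample tree built by `make_sample_tree()` is constructed for the example.

```python
"""Sweep a source tree for the trojanized JavaScript/config files listed in the post.

Added example, not from the Mandiant write-up or the quoted post. KNOWN_BAD is
copied from the post; everything else (directory skipping, name watch-list,
sample tree) is an assumption made for this example.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# MD5 -> project-relative path, exactly as listed in the post.
KNOWN_BAD: Dict[str, str] = {
    "40a010ff94733fb6057806ba3c6afd17": "store-v-main/backend/routes/printfulRoute.js",
    "a2c4f49789fc415a25613445f18f6477": "Landhsoft-Frontend-main/tailwind.config.js",
    "b65cacd0bea799ca15cbfb1068c705de": "w3chat.io-main/postcss.config.mjs",
    "cac6f541b3c61f7477dae559f3468c4c": "portfolio-main/tailwind.config.js",
    "6f63bee18de9b07e0e65590c0a0dbb67": "NexAgent-main/frontend_app/postcss.config.mjs",
    "be90c556fdc85569745d2dd98efc712c": "pipeline-templates-main/scripts/validate.js",
}
# Assumption: the loader hid in ordinary build/config files, so files with the
# same basename are worth a manual read even when their hash is not in the list.
WATCH_BASENAMES = {os.path.basename(p) for p in KNOWN_BAD.values()}
SKIP_DIRS = {"node_modules", ".git"}  # assumption: dependency trees are checked separately


def md5_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through MD5 so large bundles do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup(digest: str) -> Optional[str]:
    """Return the listed path for a known-bad MD5 (case-insensitive), else None."""
    return KNOWN_BAD.get(digest.lower())


def sweep(root: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Walk root; return (exact hash hits as (file, listed path), same-name candidates)."""
    hits: List[Tuple[str, str]] = []
    candidates: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            try:
                digest = md5_file(full)
            except OSError:
                continue  # unreadable file; note it separately in a real sweep
            known = lookup(digest)
            if known:
                hits.append((full, known))
            elif fn in WATCH_BASENAMES:
                candidates.append(full)
    return hits, candidates


def make_sample_tree() -> Dict[str, str]:
    """Build a constructed sample tree (benign contents only) and return useful paths."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    abc = os.path.join(root, "abc.txt")
    with open(abc, "wb") as fh:
        fh.write(b"abc")
    os.makedirs(os.path.join(root, "project"))
    with open(os.path.join(root, "project", "tailwind.config.js"), "wb") as fh:
        fh.write(b"module.exports = { content: [] };\n")  # constructed, harmless
    os.makedirs(os.path.join(root, "node_modules", "pkg"))
    with open(os.path.join(root, "node_modules", "pkg", "tailwind.config.js"), "wb") as fh:
        fh.write(b"module.exports = {};\n")
    return {"root": root, "abc": abc}


if __name__ == "__main__":
    import sys
    found, suspects = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, listed in found:
        print(f"HIT  {path}  (listed as {listed})")
    for path in suspects:
        print(f"LOOK {path}")
```

A hash hit is an exact match to the post's list; a LOOK line only means the file shares a name with a known carrier and should be diffed against upstream or read for an out-of-place network call before anyone treats the checkout as clean.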
Matthew Green 🌻 retweeted
TERABYTES OF FORENSIC TEST IMAGES HUNDREDS OF CTFs dfir.training/downloads/test… #DFIR #CTF