Golden Chickens (aka Venom Spider) is a financially motivated Eastern European threat actor operating a modular malware-as-a-service (MaaS) platform since at least 2017..
TheWizards is a China-aligned APT group, active since at least 2022, specializing in espionage and influence operations across Asia and the Middle East. Their hallmark is the use of IPv6 SLAAC spoofing to hijack legitimate software update mechanisms—most notably Tencent QQ..
PurpleHaze, an emerging Chinese state-sponsored threat group, operates highly dynamic multi-hop ORB networks that blend compromised IoT devices (notably SOHO routers with vulnerable firmware) and provisioned VPS to obscure command-and-control (C2) infrastructure.
North Korean threat actors Slow Pisces, Alluring Pisces, and Contagious Interview—operating under the Reconnaissance General Bureau—have escalated global cyber operations since 2023, focusing on cryptocurrency theft and espionage. Their campaigns employ advanced social engineering..
Lotus Panda (aka Lotus Blossom, Spring Dragon, Billbug, Bronze Elgin, Bitterbug) is a Chinese state-sponsored APT group active since at least 2009, specializing in cyber espionage against Southeast Asian governments and critical sectors.
CryptoChameleon is an advanced phishing kit distributed via phishing-as-a-service platforms, enabling rapid, scalable attacks against cryptocurrency users, financial institutions, and related sectors...
SpyNote, BadBazaar, and MOONSHINE are prominent mobile malware families primarily targeting Android devices.
The Smishing Triad, a cybercriminal group, is leveraging advanced smishing techniques to deceive victims by impersonating legitimate organizations. They exploit platforms like iMessage using compromised Apple iCloud accounts to send spam messages that bypass traditional filters..
Storm-2460, a cyber threat group, is actively exploiting a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS), primarily targeting the finance sector and other high-value industries.
The Houthi network, known for its involvement in the Yemeni conflict, has developed intricate operational methods to evade international sanctions and facilitate arms procurement through cryptocurrency...
I take a SPECULATIVE deep dive into what I think might be in the 2025 Mandiant M-TRENDS report.
Recent trends indicate a shared interest among these state-sponsored groups in exploiting vulnerabilities and utilizing AI tools like Google's Gemini to improve their cyberattack capabilities.
The revised analysis of Thai money laundering operations on Facebook reveals sophisticated tactics, including fraudulent schemes and the use of corporate mule accounts. These operations have a substantial financial impact, with millions of baht laundered daily.
podcast
We talk about #SilverFox, DomainTools, The Vertex Project, MISP Project (@misp@misp-community.org ), #AlphaHunt, Intelligence Graphs, #AI, #IOCs, the REN-ISAC, #TTPs and more! 🛡️ We're on a mission to help enable the next generation of intelligence analysts.. If that's you, or even if you're a
oracle
The threat actor "rose87168" has emerged as a player in the cybercriminal landscape, claiming responsibility for a major breach involving Oracle Cloud. This actor allegedly exploited vulnerabilities in Oracle's federated single sign-on (SSO) and LDAP systems...
unc3886
UNC3886 is a sophisticated China-nexus advanced persistent threat (APT) group focused on cyber espionage against high-tech sectors such as defense, technology, and telecommunications. Active for several years, the group has evolved its tactics to include the use of operational relay boxes (ORBs)...
github
A recent GitHub supply chain attack on March 17, 2025, compromised a GitHub Actions tool, affecting 23,000 organizations. This incident highlights the vulnerability of software development tools, with attackers altering code to leak secrets.
xcsset
XCSSET is a sophisticated modular malware strain that primarily targets macOS systems. It was first identified in 2020 and has since evolved, with recent variants incorporating advanced obfuscation and persistence techniques...
ragnar
Ragnar Loader, a sophisticated malware toolkit, is primarily associated with ransomware groups such as FIN7, FIN8, and Ragnar Locker. It has evolved significantly since its emergence in 2020, integrating advanced capabilities to enhance its stealth and operational effectiveness.
vmware
Recent analysis highlights the potential exploitation of VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) by APT29, APT41, and APT28. These groups are known for...
vo1d
The Vo1d botnet is a sophisticated malware campaign that has compromised approximately 1.6 million Android TV devices worldwide. Originating from cybercriminal groups exploiting outdated software and security flaws...
encrypthub
EncryptHub, also known as Larva-208, is a sophisticated cybercriminal group that has recently breached 618 organizations worldwide. Their primary method of attack is spear-phishing, utilizing social engineering to deploy infostealers and ransomware.
dprk
The Lazarus Group has intensified its focus on cryptocurrency exchanges, executing high-profile hacks on Bybit...
socgholish
The detection of SocGholish malware has advanced through techniques like behavioral analysis, signature-based detection, and anomaly detection. These methods are crucial due to the malware's ability to change its code and employ unique delivery methods.