Author | Lightnews

Reposted by Curtis

State of Statecraft Conference @what-is-sos.bsky.social · Sep 18

🎉BEHOLD! THE AGENDA! 🎉

The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.

Get registered quick!!!

stateofstatecraft.com/agenda

1 5

Curtis @cybershtuff.bsky.social · Aug 29

Cloud Labs is live!

🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.

Register for Cloud Labs: cloudlabs.invictus-ir.com

Cloud Labs - Choose the plan that fits your needs

cloudlabs.invictus-ir.com

Curtis @cybershtuff.bsky.social · Jul 28

💙Microsoft Extractor Suite v4 is here

𝘜𝘱𝘥𝘢𝘵𝘦-𝘔𝘰𝘥𝘶𝘭𝘦 -𝘕𝘢𝘮𝘦 𝘔𝘪𝘤𝘳𝘰𝘴𝘰𝘧𝘵-𝘌𝘹𝘵𝘳𝘢𝘤𝘵𝘰𝘳-𝘚𝘶𝘪𝘵𝘦

Learn more about the new features in the blog and thanks everyone that contributed!

invictus-ir.com/news/black-h...

#stayInvictus #CloudIncidentResponse #DFIR

Black Hat First Look: Meet the New Microsoft Extractor Suite v4

invictus-ir.com

Reposted by Curtis

Jeffrey Lewis @armscontrolwonk.bsky.social · Jun 23

Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nuclear materials and production infrastructure. RISING LION and MIDNIGHT HAMMER are tactically brilliant, but may turn out to be strategic failures. 🧵 1/17

93 1.1K 2.9K

Reposted by Curtis

Wesley Shields @wxs.bsky.social · Jun 18

So @gabagool.ing (who will henceforth be referred to as "gabbot") and I wrote some stuff on some ASP phishing campaigns: cloud.google.com/blog/topics/...

Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...

What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | Google Cloud Blog

A Russia-sponsored threat actor is impersonating the U.S. Department of State, and using phishing to gain access to email accounts.

cloud.google.com

7 10

Curtis @cybershtuff.bsky.social · Jun 18

MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll - SentinelLabs

In the midst of an epic troll on a country-wide railway system, we discovered a new threat actor and their reusable wiper called Meteor.

www.sentinelone.com

1 1

Curtis @cybershtuff.bsky.social · Jun 10

#CharmingKitten #APT42 #TA453

Hash:
87144d0aa002a87376b673f7d0c0eb88

C2:
Telegram Bot used for error messages and auto-start messaging to the operator
computerlearning.ddns./net

Pivots:
bookstoragestore./com
lastfilterfile/.info
78.159.117./177
78.159.117./175
185.132.176./241
154.44.186./106

1

Reposted by Curtis

Catalin Cimpanu @campuscodi.risky.biz · May 27

Dutch intelligence discover a new Russian APT—LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...

1 12 22

Curtis @cybershtuff.bsky.social · May 24

The limited IOCs on this pointed toward an ORB network...nice to see some reporting that supports attribution.

Catalin Cimpanu @campuscodi.risky.biz · May 23

Commvault said it was hacked by an APT and was ridiculed by some.

That APT turned out to be Silk Typhoon, which accessed Commvault's Azure cloud system back in February

David DiMolfetta @ddimolfetta.bsky.social · May 23

SCOOP: Commvault was accessed by Silk Typhoon, the same Chinese cyberespionage group that infiltrated the Treasury Department late last year, I’m told.⬇️

1

Curtis @cybershtuff.bsky.social · May 22

This isn’t recycled noise on JavaGhost. It surfaces the often-overlooked details responders and CTI analysts actually need.

Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy

invictus-ir.com/news/profili...

#CTI #CloudSecurity #AWS #DFIR #JavaGhost

1

Curtis @cybershtuff.bsky.social · May 14

Call-back Proxy Network: 103.131.213[.]89 | 182.185.156[.]45 – likely a mix of anonymous activity and normal activity.
Mass SMTP Tester: 134.199.148[.]132 – banner previously responded with Mass SMTP Tester header.

Curtis @cybershtuff.bsky.social · May 14

🚨 New blog from @securitylabs.datadoghq.com on fresh AWS TTPs! I pivoted & enriched their infra data to uncover the actor #JavaGhost is likely abusing callback proxy networks and leveraging Mass SMTP Tester.

🔗 securitylabs.datadoghq.com/articles/tal...

#CloudSecurity #ThreatIntel #CTI

Tales from the cloud trenches: The Attacker doth persist too much, methinks | Datadog Security Labs

A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM

securitylabs.datadoghq.com

1 1

Reposted by Curtis

MITRE ATT&CK @attack.mitre.org · Apr 22

ATT&CK v17 is now live! This release includes the first version of the ESXi platform, a pile of defensive upgrades, and fresh content across Enterprise, Mobile, and ICS.

Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....

ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures

By: Amy Robertson and Adam Pennington

medium.com

2 6

Reposted by Curtis

Volexity @volexity.com · Apr 22

@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.

www.volexity.com/blog/2025/04...  #dfir

Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) acco...

www.volexity.com

12 18

Curtis @cybershtuff.bsky.social · Apr 2

🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud.

Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.

👉 invictus-ir.com/news/cloud-h...

#DFIR #CloudSecurity #CTI

Cloud Heavy, Hybrid Ready: Lessons from BlackBasta and Scattered Spider

invictus-ir.com

1

Curtis @cybershtuff.bsky.social · Mar 19

🔍 New Blog: Essential Cloud Logs for Incident Response

🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.

🔗 www.invictus-ir.com/news/cloud-i...

#dfir #aws #microsoft #google

Cloud Incident Readiness: Key logs for cloud incidents

www.invictus-ir.com

1

Curtis @cybershtuff.bsky.social · Mar 3

🚨 New Blog: Forensic Analysis of eM Client 🚨

If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.

🔍 Read now: www.invictus-ir.com/news/forensi...

#CyberSecurity #DFIR #BEC #ThreatIntel #CTI

Deep Dive: Forensic Analysis of eM ClientPermissions Table

www.invictus-ir.com

Curtis @cybershtuff.bsky.social · Feb 19

Link to the IOCs and TTPs: github.com/invictus-ir/...

#DFIR #CTI #ThreatIntel

GitHub - invictus-ir/IOCs: Invictus Threat Intelligence: IOCs and TTPs from blogs, research and more

Invictus Threat Intelligence: IOCs and TTPs from blogs, research and more - invictus-ir/IOCs

github.com

Curtis @cybershtuff.bsky.social · Feb 19

🚨 New Blog Alert: “Locked Out, Dropboxed In: When BEC Threats Innovate” 🚨

Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.

👉 www.invictus-ir.com/news/locked-...

www.invictus-ir.com

1 1