This was an interesting one to work on! tldr: Chinese aligned actor uses LLM to empower their malware development, target gathering, and phishing operation. Goes wrong and starts randomly including pornographic material and other random files/info.

www.volexity.com/blog/2025/10...

@volexity.com has released updates to its #opensource GoResolver project and more! This work was part of a project for one of our #summerinternship students. Read more details about Volexity’s updated GoResolver projects + other #golang tools in our special blog post!

This training course will be led by Andrew Case @attrc.bsky.social, Michael Ligh & Dave Lassalle. This is a great opportunity to gain valuable knowledge about #Volatility3 + learn all about #memoryforensics from Volatility core developers! Seats are filling up quickly so don't wait!

New by me - although Citrix say there is no evidence of exploitation of CitrixBleed 2 vulnerability, they are wrong - it has been under active exploitation since mid June by an IP associated to a ransomware group, with multiple IP addresses now involved.

doublepulsar.com/citrixbleed-...

It can tell you some forensic artifacts that can exist due to execution (e.g. for .NET) and it can also tell you what possible systems it can run on in the environment you're investigating.

For clarity this isn't an argument that inclusion of this is right in reporting, other info could be better.

@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.

www.volexity.com/blog/2025/04...

#dfir

The NCSC and partners have revealed new details about how malicious cyber actors are using two forms of spyware to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
www.ncsc.gov.uk/news/ncsc-pa...

tired of looking at email headers as disgusting plaintext? only want things of value to stand out?

look no further than this VSCode extension built by @jacoblatonis.me

marketplace.visualstudio.com/items?itemNa...

"It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware."

With the amount of Next.js-based sites around, especially on infosec sites, I'd say this looks like a problem.

CVSS: 9.1

github.com/vercel/next....

We have been tracking multiple Russian APT groups aggressively targeting organizations with Microsoft Device Code authentication phishing. The attackers got creative with tricking users into granting them access to their accounts. Have a look at our blog for all the details!

@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...

#dfir #threatintel #m365security

CTI is the cause of my brainrot but I really cooked on this #salttyphoon #telecomhack

@volexity.bsky.social has published a blog post detailing variants of LIGHTSPY & DEEPDATA malware discovered in the summer of 2024, including exploitation of a vulnerability in FortiClient to extract credentials from memory. Read more here: www.volexity.com/blog/2024/11...

www.volexity.com/blog/2024/11...

Key:
- Unpatched credential disclosure 0day in VPN client that's actively exploited in the wild
- Volexity assesses with medium confidence that BrazenBamboo is a private enterprise that produces capabilities for governmental operators concerned with domestic targets