Feike Hacquebord
feikeh.bsky.social
Principal Threat Researcher at Trend Micro
Reposted by Feike Hacquebord
Navalny was poisoned with exotic frog toxin, five Western nations confirm

Multiple labs have independently analyzed biological samples taken from Alexei Navalny’s body and found epibatidine, a highly toxic alkaloid sourced from a South American poisonous frog.
Five European countries have confirmed that Navalny was poisoned with epibatidine — a high-potency neurotoxin derived from South American poison dart frogs. Traces of the toxin were found in tissue sa...
theins.press
February 14, 2026 at 12:43 PM
TrendAI formalizes threat attribution as a structured, repeatable discipline by combining standardized evidence scoring, relationship mapping, and bias testing, with a temporary stage that separates clustering from final naming. Article on how we attribute: www.trendmicro.com/vinfo/us/sec...
Threat Attribution Framework: How TrendAI™ Applies Structure Over Speculation
TrendAI™ brings structure and discipline to threat attribution, helping security leaders and teams make informed decisions about cyber risk, incident response, and overall defensive posture.
www.trendmicro.com
February 12, 2026 at 11:20 AM
Reposted by Feike Hacquebord
#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5
January 23, 2026 at 4:30 PM
Reposted by Feike Hacquebord
Trend Micro tracks SHADOW-VOID-042 spear-phishing (Nov 2025) using Trend Micro-themed lures and a decoy site mimicking Trend’s corporate style, targeting defence, energy, chemicals, cybersecurity and ICT sectors. www.trendmicro.com/en_us/resear...
December 12, 2025 at 10:22 AM
Reposted by Feike Hacquebord
We investigated an #APT with links to Void Rabisu (Romcom) that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine. www.trendmicro.com/en_us/resear...
December 11, 2025 at 3:03 PM
Recently various industries, including Trend Micro, were targeted by a Trend Micro-themed campaign. Trend Vision One™ stopped it early in the kill chain. The campaign somewhat aligns with Void Rabisu (ROMCOM). For now we track this temporarily under SHADOW-VOID-042 www.trendmicro.com/en_us/resear...
SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics
www.trendmicro.com
December 11, 2025 at 12:01 PM
Cyberespionage campaigns are becoming increasingly complex due to the close collaboration between distinct APT groups. Learn how China-aligned Earth Estries provides initial access to compromised assets for Earth Naga (Flax Typhoon) to continue exploitation: www.trendmicro.com/en_us/resear....
The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns
www.trendmicro.com
October 22, 2025 at 8:34 PM
Residential proxies are a key enabler of cybercrime today. This creates a growing need for connection and session-based access control. We used JA4T fingerprinting that successfully tagged incoming connections from residential proxies to 1,500 IDS systems. www.trendmicro.com/vinfo/us/sec...
The Rise of Residential Proxies as a Cybercrime Enabler
This research discusses how residential proxies help cybercriminals bypass antifraud and IT security systems, and how vulnerabilities in the IoT supply chain are exploited where Android-based devices ...
www.trendmicro.com
June 4, 2025 at 8:15 AM
DPRK cybercrime uses Russian infrastructure in Khasan and Khabarovsk, masked by VPNs, proxies, and RDPs. One fictitious DPRK company to lure IT professionals with interviews was BlockNovas. FBI seized BlockNovas' site and a related C&C on April 23, 2025. Read more: www.trendmicro.com/en_us/resear...
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
www.trendmicro.com
April 24, 2025 at 7:51 AM
Roman Dobrokhotov and Christo Grozev have extensively reported on FSB and GRU. Read this to learn about their ordeal when a team, led by Marsalek, was hunting them down. The story has fun elements and close calls. It highlights the dangers journalists face as they inform us: theins.ru/en/inv/279034
“Let’s hire an ISIS suicide bomber to blow him up in the street!”: Europe’s most wanted man plotted my murder — and that of my colleague
A jury at the Old Bailey, London’s Central Criminal Court, has just found six of my compatriots — citizens of Bulgaria — guilty of conspiring with the Kremlin to kidnap and possibly murder me and my c...
theins.ru
March 11, 2025 at 9:39 AM
Updated Shadowpad malware used in recent attacks against the manufacturing industry led to ransomware in some incidents. Research by @thehellu.bsky.social : www.trendmicro.com/en_us/resear...
Updated Shadowpad Malware Leads to Ransomware Deployment
www.trendmicro.com
February 20, 2025 at 8:51 AM
Reposted by Feike Hacquebord
Yet another suspected case of publicly disclosed red team tools being used by an intelligence agency — allegedly the SVR — to conduct a sweeping surveillance operation.

(ht @feikeh.bsky.social)

www.trendmicro.com/en_us/resear...
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
www.trendmicro.com
December 17, 2024 at 2:35 PM
Reposted by Feike Hacquebord
Earth Koshchei (APT29): A cyberespionage group targeting critical sectors with stealthy techniques. Here’s what you need to know: www.trendmicro.com/en_us/resear... #Cybersecurity #ThreatIntel with @feikeh.bsky.social
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
www.trendmicro.com
December 17, 2024 at 12:04 PM
Since Aug 2024 Earth Koshchei (APT29, Midnight Blizzard) used 193 RDP relays and 34 rogue backends against military, MFAs and others. The campaign peak was likely preceded by barely audible campaigns that ended with a bang in Oct 2024. Details and indicators here: www.trendmicro.com/en_us/resear...
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
www.trendmicro.com
December 17, 2024 at 8:35 AM
Reposted by Feike Hacquebord
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by @citizenlab.ca, leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
December 5, 2024 at 8:48 AM
One week ago Lumen/Shadowserver sinkholed Water Barghest C&Cs. Nsocks (alleged seller of Ngioweb bots) apparently suffers from this: US proxies down to 4494 (was 14037), EU proxies down to 2038 (was 9092). I expected a faster recovery. Still expect Water Barghest will make their botnet more robust.
November 26, 2024 at 12:53 PM
Water Barghest automated each step between finding vulnerable IoT devices to offering them for rent on a commercial residential proxy provider. Water Barghest's infrastructure was used to exploit Cisco IOS XE devices with a 0-day in October 2023. Read more here: www.trendmicro.com/en_us/resear...
Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices
www.trendmicro.com
November 19, 2024 at 9:09 AM