Fran Donoso
@francisck.com
460 followers 180 following 150 posts
I'm an infosec person who currently works as the CTO of a security services firm. Have done DevSecOps, Red Teaming, and reverse engineering. I reversed some of the tooling leaked by the Shadow Brokers and spoke about it publicly
Pinned
francisck.com
Hey new folks, welcome to BlueSky! My name is Fran and I run the following #cybersecurity feed:

bsky.app/profile/did:...

I'll be working to keep it spam free & good.

If you're curious here are the keywords I'm looking for:

gist.github.com/francisck/d8...

Please provide feedback if you have any.
francisck.com
Yooooo idk what you’re talking about. That stuffed animal looks awesome!
francisck.com
I’ve been reading further and it seems like it was a third party provider who was like a business process outsourcer.

This is similar to the recent Air France and Stellantis breaches but no idea if they're related.
francisck.com
I think this is probably Salesforce compromised via Salesloft Drift?

It aligns with the Salesloft Drift stuff we've seen. Most of the other parties were also using Salesforce for support ticketing and had Salesforce auth tokens stolen from Drift.
francisck.com
I encourage cybersecurity professionals to read this report to understand the type of capabilities that can be deployed against citizens at scale by autocratic regimes.

Organizations designing products that support privacy should understand these capabilities and design to protect users from them.
francisck.com
"The requirements for future development also mention adding the ability to check which users are connected to specific mobile base stations in order to support location triangulation through these stations and detect when a large number of people congregate in a particular area"
francisck.com
" It uses the in-path injection capability in TSG to effectively recruit unsuspecting users' computers to participate in the attack, thereby creating a botnet"
francisck.com
"however, a closer examination reveals that it is actually a platform for launching DDoS attacks against websites and other internet services deemed politically undesirable. This would appear to be Geedge's own implementation of China's Great Cannon, as described in a 2015 Citizen Lab report"
francisck.com
"TSG's in-path injection capability system allows for sophisticated targeting of this malicious code for the specific user, facilitating on-the-fly modifications across a variety of file formats [...] complemented by Cyber Narrator [...] hijack in order to infect specific individuals."
francisck.com
"TSG is also capable of modifying HTTP sessions in realtime through techniques such as spoofing redirect responses, altering headers, injecting scripts, replacing text, and overriding response bodies."
francisck.com
From the report:

"Cyber Narrator is a powerful tool capable of tracking network traffic at the individual customer level and can identify the geographic location of mobile subscribers in real time [...]. The system also allows the government client to see aggregated network traffic."
francisck.com
This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:

interseclab.org/wp-content/u...

*EVERY Page is worth reading*

Some interesting tidbits in the thread
francisck.com
Incredible work, Yael!
Reposted by Fran Donoso
esetresearch.bsky.social
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
Reposted by Fran Donoso
campuscodi.risky.biz
SentinelOne and Beazley Security have discovered a new Windows infostealer used in the wild named PXA Stealer, most likely the work of a Vietnamese-speaking cybercrime group.

www.sentinelone.com/labs/ghost-i...

labs.beazley.security/articles/gho...
francisck.com
I mean I’ve been urging people to toss their sonicwall devices into a shredder for years now 🤷🏻‍♂️
jgreig.bsky.social
SonicWall is urging customers to take some VPN devices offline after multiple security firms discovered a campaign of ransomware attacks over the last two weeks

SonicWall did not explain if the ransomware gangs are using a zero-day

therecord.media/sonicwall-po...
SonicWall urges customers to take VPN devices offline after ransomware incidents
Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
francisck.com
Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain:

labs.beazley.security/articles/gho...

Thanks for the fantastic collab SentinelLabs team!
BSL - Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
francisck.com
Look forward to seeing you!!!
francisck.com
We’re actively seeing this exploitation as well.

Here is my team’s advisory on this vulnerability:

labs.beazley.security/advisories/B...

If you have a publicly exposed SharePoint server, it's probably already compromised, so get ready to do some IR.
Reposted by Fran Donoso
campuscodi.risky.biz
Two high-severity patches are coming to Node.js on Tuesday

nodejs.org/en/blog/vuln...