banner
LightNews
hegel.bsky.social
Tom Hegel
@hegel.bsky.social
2.7K followers 950 following 66 posts
Distinguished Threat Researcher, Research Lead @SentinelOne. Advisor with @ValidinLLC. https://tomhegel.com/blog.html
tomhegel.com
Posts Media Videos Starter Packs
Reposted by Tom Hegel
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Sep 5
🔥 The lineup this year is incredible, thanks to everyone who submitted!

Attendees are in for something special… and for everyone else, expect some major FOMO.

events.sentinelone.com/event/LABSco...
LABScon 2025
events.sentinelone.com
2 2
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Sep 5
🔥 The lineup this year is incredible, thanks to everyone who submitted!

Attendees are in for something special… and for everyone else, expect some major FOMO.

events.sentinelone.com/event/LABSco...
LABScon 2025
events.sentinelone.com
2 2
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Sep 4
New research from @milenkowski.bsky.social (S1) and @kennethkinion.bsky.social (Validin):

🇰🇵 Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Research: www.sentinelone.com/labs/contagi...

Reuters story: www.reuters.com/world/asia-p...
Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.
www.sentinelone.com
4 6
Reposted by Tom Hegel
campuscodi.risky.biz
Catalin Cimpanu @campuscodi.risky.biz · Sep 2
The US, AU, and NZ have tested a prototype for a new cyber defense kit designed to connect and help secure any network.

The kits are operated by a nine-person team and are intended to be portable and moved to any location in the world.

www.defence.gov.au/news-events/...
1 4 4
Reposted by Tom Hegel
sentinelone.com
SentinelOne @sentinelone.com · Aug 26
🔥 The hunt is on for the world’s ultimate threat hunter? 🔍

🛡️Introducing Sentinels League: The Threat Hunting World Championships 🛡️ 3 Rounds. 3 Regions. 3 Finalists. Only One World Champion.
2 3 5
Reposted by Tom Hegel
snoffle.bsky.social
Snorre Fagerland @snoffle.bsky.social · Jun 17
Someone claiming to be Gonjeshke Darande (Predatory Sparrow) has posted ~2GB of what *appears to be* IranCell subscriber data, covering the 935-939 prefixes.

#privacy #breach #mobile #iran
Screenshot from Predatory Swallow's Telegram channel, showing folders purporting to hold IranCell data
1 4
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Jun 9
Hefty new drop w/ @milenkowski.bsky.social

China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

www.sentinelone.com/labs/follow-...
3 6
Reposted by Tom Hegel
campuscodi.risky.biz
Catalin Cimpanu @campuscodi.risky.biz · May 27
Dutch intelligence discover a new Russian APT—LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
1 12 22
Reposted by Tom Hegel
greg-l.bsky.social
Greg Lesnewich @greg-l.bsky.social · May 21
Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️
7 8 28
Reposted by Tom Hegel
hegel.bsky.social
Tom Hegel @hegel.bsky.social · May 8
NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!
5 8
hegel.bsky.social
Tom Hegel @hegel.bsky.social · May 8
NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!
5 8
Reposted by Tom Hegel
invisig0th.bsky.social
visi stark @invisig0th.bsky.social · Apr 28
An absolutely stunning look inside @sentinelone.com 's use of #synapse to provide intelligence context to inter-disciplinary intelligence stakeholders in defense of their own org. Truly on the leading edge of the intel driven fusion, collaboration, and impact. 🤩
www.sentinelone.com/labs/top-tie...
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
www.sentinelone.com
1 10 24
Reposted by Tom Hegel
kennethkinion.bsky.social
Kenneth Kinion @kennethkinion.bsky.social · Apr 24
At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.
5 7
Reposted by Tom Hegel
jsrailton.bsky.social
John Scott-Railton @jsrailton.bsky.social · Apr 23
NEW: Iranian gov hackers targeted #EU Parliament's #Iran delegation chair @hneumannmep.bsky.social

Elaborate operation impersonated former #FBI official to seed spyware.

Good to see a MEP speaking out & sharing this insidious threat to EU institutions 1/
www.politico.eu/article/euro...
Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/ Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/ Text from https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/
1 24 44
Reposted by Tom Hegel
strikereadylabs.com
StrikeReady Labs @strikereadylabs.com · Apr 11
#apt #sidewinder "54th CISM World Military Naval Pentathlon Championship 2025.docx"
40712a087a8280425f1b317e34e265c0329ffb0057be298d519fc5e0af6cb58f
-> dirsports.milqq[.]info
blank doc decoy
3 2
Reposted by Tom Hegel
kennethkinion.bsky.social
Kenneth Kinion @kennethkinion.bsky.social · Apr 7
@bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.)

All 762 indicators 💥⤵️

www.validin.com/blog/not_rea...
Not Reality: Exploring Meta-themed Phishing with Validin | Validin
Not Reality: Exploring Meta-themed Phishing with Validin
www.validin.com
2 2
Reposted by Tom Hegel
ryanaraine.bsky.social
Ryan Naraine @ryanaraine.bsky.social · Apr 1
Here's the Lab Dookhtegan segment
www.youtube.com/watch?v=g-zj...
1 4
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Mar 30
Really great episode this week. The Signal ID management mess, and the lab dookhtegan topics.. simply delicious 🤌
ryanaraine.bsky.social
Ryan Naraine @ryanaraine.bsky.social · Mar 28
This week's problem ready on YouTube
www.youtube.com/watch?v=IDc_...
Signalgate and Signal's ID management hiccups, PuzzleMaker and Chrome 0days, Lab Dookhtegan returns
YouTube video by Three Buddy Problem
www.youtube.com
2 8
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Mar 28
Atomic indicators have value beyond just the day they’re observed - Age alone doesn’t always diminish their usefulness.

Attribution challenges aside, this is a common occurrence in both cybercrime and APT campaigns. Looking at you, South Asia!
Pulling the Threads on the Phish of Troy Hunt | Validin
Connecting a successful phishing attempt to Scattered Spider through Validin pivoting
www.validin.com
2
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Mar 26
Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

www.sentinelone.com/labs/labscon...
LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware
Jim Walter reveals how a recent leak provided insight into how Kryptina RaaS has been adapted for use in enterprise attacks.
www.sentinelone.com
2
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Mar 10
Incredibly excited to drop some new research alongside @kennethkinion.bsky.social and Sreekar Madabushi at this years @pivotcon.bsky.social
1 7
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Mar 8
Great refresher / inside-scoop on the Lamberts -- #WhereAreTheyNow
ryanaraine.bsky.social
Ryan Naraine @ryanaraine.bsky.social · Mar 8
NEW POD ALERT: Revisiting the US/Russia cyber stand down order and the diplomatic optics. Plus, a dissection of ‘The Lamberts’ and connections to US intelligence agencies, attribution around ‘Operation Triangulation’, VMware 0days and i-Soon indictments securityconversations.com/episode/revi...
Revisiting the Lamberts, i-Soon indictments, VMware zero-days - Security Conversations
Three Buddy Problem – Episode 37: This week, we revisit the public reporting on a US/Russia cyber stand down order, CISA declaring no change to […]
securityconversations.com
1 1
Reposted by Tom Hegel
strikereadylabs.com
StrikeReady Labs @strikereadylabs.com · Feb 28
#dprk #apt 2024년 귀속 연말정산 안내문_세한.docx.lnk
b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543 -> www.roofcolor[.]com/wp-includes/js/src/list.php , www.acschoolcatering[.]com/libraries/src/inc/ decoy:
1 1
Reposted by Tom Hegel
andrewcyberkop.bsky.social
Andrew @andrewcyberkop.bsky.social · Feb 23
Look man, I'm not saying anything but I'm also not NOT saying anything
A meme about how it's weird this keeps happening
2 5 20
hegel.bsky.social
Tom Hegel @hegel.bsky.social · Feb 27
research.checkpoint.com/2025/modern-...
Modern Approach to Attributing Hacktivist Groups - Check Point Research
Research by: Itay Cohen (@megabeets_) Over the past few decades, hacktivism has been, in a lot of cases, characterized by minor website defacements and distributed denial-of-service (DDoS) attacks, wh...
research.checkpoint.com
1 1