Tom Hegel
@hegel.bsky.social
Distinguished Threat Researcher, Research Lead @SentinelOne.
Advisor with @ValidinLLC.
https://tomhegel.com/blog.html
Reposted by Tom Hegel
🔥 The lineup this year is incredible, thanks to everyone who submitted!

Attendees are in for something special… and for everyone else, expect some major FOMO.

events.sentinelone.com/event/LABSco...
LABScon 2025
events.sentinelone.com
September 5, 2025 at 5:57 PM
New research from @milenkowski.bsky.social (S1) and @kennethkinion.bsky.social (Validin):

🇰🇵 Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Research: www.sentinelone.com/labs/contagi...

Reuters story: www.reuters.com/world/asia-p...
Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.
www.sentinelone.com
September 4, 2025 at 2:45 PM
Reposted by Tom Hegel
The US, AU, and NZ have tested a prototype for a new cyber defense kit designed to connect and help secure any network.

The kits are operated by a nine-person team and are intended to be portable and moved to any location in the world.

www.defence.gov.au/news-events/...
September 2, 2025 at 2:57 PM
Reposted by Tom Hegel
🔥 The hunt is on for the world’s ultimate threat hunter? 🔍

🛡️Introducing Sentinels League: The Threat Hunting World Championships 🛡️ 3 Rounds. 3 Regions. 3 Finalists. Only One World Champion.
August 26, 2025 at 7:16 PM
Reposted by Tom Hegel
Someone claiming to be Gonjeshke Darande (Predatory Sparrow) has posted ~2GB of what *appears to be* IranCell subscriber data, covering the 935-939 prefixes.

#privacy #breach #mobile #iran
June 17, 2025 at 3:54 PM
Hefty new drop w/ @milenkowski.bsky.social

China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

www.sentinelone.com/labs/follow-...
June 9, 2025 at 4:42 PM
Reposted by Tom Hegel
Dutch intelligence discover a new Russian APT—LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
May 27, 2025 at 12:11 PM
Reposted by Tom Hegel
Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️
May 21, 2025 at 8:15 PM
Reposted by Tom Hegel
NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Months-long research project with Validin we just dropped @pivotcon.bsky.social

🖤~40k IOCs: github.com/Validin/indi...
💜 SentinelLabs: s1.ai/freedrain
💙 Validin: www.validin.com/blog/freedra...

Enjoy!
May 8, 2025 at 3:39 PM
Reposted by Tom Hegel
An absolutely stunning look inside @sentinelone.com 's use of #synapse to provide intelligence context to inter-disciplinary intelligence stakeholders in defense of their own org. Truly on the leading edge of the intel driven fusion, collaboration, and impact. 🤩
www.sentinelone.com/labs/top-tie...
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
www.sentinelone.com
April 28, 2025 at 11:35 PM
Reposted by Tom Hegel
At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.
April 24, 2025 at 2:31 PM
Reposted by Tom Hegel
NEW: Iranian gov hackers targeted #EU Parliament's #Iran delegation chair @hneumannmep.bsky.social

Elaborate operation impersonated former #FBI official to seed spyware.

Good to see a MEP speaking out & sharing this insidious threat to EU institutions 1/
www.politico.eu/article/euro...
April 23, 2025 at 8:49 PM
Reposted by Tom Hegel
#apt #sidewinder "54th CISM World Military Naval Pentathlon Championship 2025.docx"
40712a087a8280425f1b317e34e265c0329ffb0057be298d519fc5e0af6cb58f
-> dirsports.milqq[.]info
blank doc decoy
April 11, 2025 at 2:25 PM
Reposted by Tom Hegel
@bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.)

All 762 indicators 💥⤵️

www.validin.com/blog/not_rea...
Not Reality: Exploring Meta-themed Phishing with Validin | Validin
Not Reality: Exploring Meta-themed Phishing with Validin
www.validin.com
April 7, 2025 at 2:49 PM
Reposted by Tom Hegel
Here's the Lab Dookhtegan segment
www.youtube.com/watch?v=g-zj...
April 1, 2025 at 5:47 PM
Really great episode this week. The Signal ID management mess and the Lab Dookhtegan topics... simply delicious 🤌
March 30, 2025 at 9:10 PM
Atomic indicators have value beyond just the day they’re observed - Age alone doesn’t always diminish their usefulness.

Attribution challenges aside, this is a common occurrence in both cybercrime and APT campaigns. Looking at you, South Asia!
Pulling the Threads on the Phish of Troy Hunt | Validin
Connecting a successful phishing attempt to Scattered Spider through Validin pivoting
www.validin.com
March 28, 2025 at 5:20 PM
Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

www.sentinelone.com/labs/labscon...
LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware
Jim Walter reveals how a recent leak provided insight into how Kryptina RaaS has been adapted for use in enterprise attacks.
www.sentinelone.com
March 26, 2025 at 2:31 PM
Incredibly excited to drop some new research alongside @kennethkinion.bsky.social and Sreekar Madabushi at this year's @pivotcon.bsky.social
March 10, 2025 at 1:59 PM
Great refresher / inside-scoop on the Lamberts -- #WhereAreTheyNow
NEW POD ALERT: Revisiting the US/Russia cyber stand down order and the diplomatic optics. Plus, a dissection of ‘The Lamberts’ and connections to US intelligence agencies, attribution around ‘Operation Triangulation’, VMware 0days and i-Soon indictments securityconversations.com/episode/revi...
Revisiting the Lamberts, i-Soon indictments, VMware zero-days - Security Conversations
Three Buddy Problem – Episode 37: This week, we revisit the public reporting on a US/Russia cyber stand down order, CISA declaring no change to […]
securityconversations.com
March 8, 2025 at 10:19 PM
Reposted by Tom Hegel
#dprk #apt 2024년 귀속 연말정산 안내문_세한.docx.lnk
b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543 -> www.roofcolor[.]com/wp-includes/js/src/list.php , www.acschoolcatering[.]com/libraries/src/inc/ decoy:
February 28, 2025 at 3:29 PM
Reposted by Tom Hegel
Look man, I'm not saying anything but I'm also not NOT saying anything
February 23, 2025 at 1:43 AM