Julian-Ferdinand Vögele
julianferdinand.bsky.social
Threat Research @ Recorded Future. Previously @ Security Research Labs. He/Him. 🏳️‍🌈
Reposted by Julian-Ferdinand Vögele
A secretive unit inside Iran's IRGC cyber branch is responsible for using hacked data for assassination operations

blog.narimangharib.com/posts/2025%2...

content.iranintl.com/unit40/index...
Department 40 Exposed: Inside the IRGC Unit Connecting Cyber Ops to Assassinations
A massive leak of internal documents has blown the cover off one of Iran's most active hacking groups. For years, the cybersecurity community tracked them as AP...
blog.narimangharib.com
November 24, 2025 at 8:46 PM
Reposted by Julian-Ferdinand Vögele
Hackers stole a trove of data from a company used by major Wall Street banks for real-estate loans and mortgages, setting off a scramble to determine what was taken. The firm, SitusAMC, sent notifications to JPMorgan Chase, Citi, and other banks indicating that their customer data could be affected
Wall Street banks scramble to assess fallout from hack of real-estate data firm | CNN Business
Hackers stole a trove of data from a company used by major Wall Street banks for real-estate loans and mortgages, setting off a scramble to determine what was taken and which banks were affected, acco...
www.cnn.com
November 24, 2025 at 4:59 PM
Reposted by Julian-Ferdinand Vögele
NEW: Salesforce says it’s investigating an incident where hackers compromised some of its customers' data after breaching customer experience company Gainsight.

Notorious hacking group ShinyHunters has reportedly claimed responsibility for this new wave of data breaches.
Salesforce says some of its customers' data was accessed after Gainsight breach | TechCrunch
Salesforce said it’s investigating an incident where hackers compromised some of its customers' data after breaching customer experience company Gainsight.
techcrunch.com
November 20, 2025 at 7:17 PM
Reposted by Julian-Ferdinand Vögele
⚠️ NSO Group Technologies has filed an appeal with the US Court of Appeals for the Ninth Circuit following a judge's ruling that it must pay a $4.4 million verdict in #spyware litigation brought by WhatsApp.

www.mlex.com/mlex/data-pr...
NSO appeals $4.4 million verdict in spyware litigation brought by WhatsApp | MLex | Specialist news and analysis on legal risk and regulation
MLex Summary: NSO Group Technologies has filed an appeal with the US Court of Appeals for the Ninth Circuit following a judge's ruling that it must pay $4.4 million to Meta Platforms' WhatsApp for usi...
www.mlex.com
November 20, 2025 at 1:35 AM
Reposted by Julian-Ferdinand Vögele
@activemeasures.bsky.social (which is a real llc!) and I assume @wylienewmark.bsky.social with a jaw dropping presentation. Best analysis of SVR vs GRU and history of the forgeries in 2016 leaks I’ve ever heard. #cyberwarcon
November 19, 2025 at 3:05 PM
Reposted by Julian-Ferdinand Vögele
1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...
ofac.treasury.gov
November 19, 2025 at 5:17 PM
Reposted by Julian-Ferdinand Vögele
#ESETresearch discovered and analyzed a previously undocumented malicious tool for network devices that we have named #EdgeStepper, enabling China-aligned #PlushDaemon APT to perform adversary-in-the-middle to hijack updates to deliver malware. www.welivesecurity.com/en/eset-rese... 1/5
PlushDaemon compromises network devices for adversary-in-the-middle attacks
ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.
www.welivesecurity.com
November 19, 2025 at 10:12 AM
Reposted by Julian-Ferdinand Vögele
Just as China’s approach to cyber operations has developed, so has its counter-attribution strategy. Western attribution strategies haven’t kept pace, argues @weberv.bsky.social in his latest for Binding Hook: bindinghook.com/chinas-attri...
China’s attribution strategy has changed; it’s time for us to catch up
To effectively counter Chinese efforts, Western countries and their partners must adapt by expanding joint attribution, broadening global audiences, and pre-empting disinformation narratives.
bindinghook.com
November 18, 2025 at 7:08 AM
Reposted by Julian-Ferdinand Vögele
NEW: @derekbjohnson.bsky.social spoke with @anthropic.com's threat intel team about Thursday's report. Lots in there, but one key takeaway: Despite being labeled as 'autonomous,' there was a tremendous amount of human effort needed to pull off the attacks. cyberscoop.com/anthropic-ai...
November 14, 2025 at 7:26 PM
Reposted by Julian-Ferdinand Vögele
NEW: Five people who live in the U.S. pleaded guilty to "facilitating" and helping the North Korean regime place fake remote IT workers inside American companies.

U.S. Department of Justice said their actions affected 136 U.S. companies and netted Kim Jong Un’s regime $2.2 million in revenue.
Five people plead guilty to helping North Koreans infiltrate US companies as 'remote IT workers' | TechCrunch
The U.S. Department of Justice said five people — including four U.S. nationals — "facilitated" North Korean IT workers to get jobs at American companies, allowing the regime to earn money from their ...
techcrunch.com
November 14, 2025 at 5:16 PM
Reposted by Julian-Ferdinand Vögele
The final call is here. CFP submissions close at midnight! Our review board is ready to dig in and see what you have been working on. Get your talk in now: sessionize.com/reverse-2026
RE//verse 2026: Call for Speakers
RE//verse is a highly technical conference focused on Reverse Engineering held in Orlando, FL. The goal is to gather the best research from all aspect...
sessionize.com
November 14, 2025 at 3:47 PM
Reposted by Julian-Ferdinand Vögele
#PIVOTcon26 registration is now OPEN 🤟 #ThreatResearch #ThreatIntel https://pivotcon.org
Please read carefully the whole 🧵 for the rules about invite -> registration (1/6)🌐
November 13, 2025 at 3:28 PM
Reposted by Julian-Ferdinand Vögele
Ok my beloved APT crowd.... it's time to update all those APT charts

The DPRK RGB is now the RIGB

Let's go! I want new charts by next month!
November 13, 2025 at 12:53 AM
Reposted by Julian-Ferdinand Vögele
Excited to share another blog where Amazon Cyber Threat Intelligence (ACTI) discovered APT exploitation of zero-day vulnerabilities in Cisco and Citrix products. Proud of the team’s work! aws.amazon.com/blogs/securi...
Amazon discovers APT exploiting Cisco and Citrix zero-days | Amazon Web Services
The Amazon threat intelligence team has identified an advanced threat actor exploiting previously undisclosed zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix systems. The ca...
aws.amazon.com
November 12, 2025 at 2:36 PM
Reposted by Julian-Ferdinand Vögele
📢 We're hiring! 👋

Are you interested in contributing to the success of Virtual Routes? We’d love to hear from you!

Read more & apply: virtual-routes.org/vacancies/
November 12, 2025 at 8:12 AM
Reposted by Julian-Ferdinand Vögele
For Economist subscribers: a new episode of Inside Defence. I spoke to John Foreman, UK defence attaché in Moscow at the time of the invasion. We looked at the culture, strengths & weaknesses of Russia's armed forces, challenge of working in Moscow & much else www.economist.com/insider/insi...
How strong is the Russian army? | The Economist Insider
Shashank Joshi, The Economist’s defence editor, returns for the second edition of Inside Defence. This month he interviews a former navy captain who has been Britain’s military man in both Moscow and ...
share.google
November 11, 2025 at 9:10 PM
Reposted by Julian-Ferdinand Vögele
Good analysis from @veracode.bsky.social on this typosquat GitHub actions package.
www.veracode.com/blog/malicio...
Malicious NPM Package Found Targeting GitHub By Typosquatting on GitHub Action Packages | Veracode
Application Security for the AI Era | Veracode
www.veracode.com
November 11, 2025 at 2:49 PM
Reposted by Julian-Ferdinand Vögele
Breaking News: At least 12 people were killed and 27 others wounded in an explosion in Pakistan’s capital on Tuesday, officials said, a day after a similar incident in neighboring India killed at least eight people.
Explosion in Pakistan’s Capital Kills at Least 12
A military official accused the Pakistani Taliban of staging the attack, which took place near a courthouse in Islamabad.
nyti.ms
November 11, 2025 at 11:19 AM
Reposted by Julian-Ferdinand Vögele
This summer I obtained an internal document of Germany‘s domestic #intelligence service #BfV, written by the counter-espionage unit, dated August 1993. It is pretty interesting, dealing with the question: Will the new #Russia continue the KGB‘s „Illegals“ spy program? 🧵 ⬇️ #history #Verfassungsschutz
November 11, 2025 at 7:32 AM
Reposted by Julian-Ferdinand Vögele
My latest for Journalist and Spy: Pablo González, Russian-Spanish journalist, alleged GRU agent. Wrote for EU + U.S. media, @drewhinshaw.bsky.social & Joe Parkinson say he began working for GRU in 2010. Arrested in Poland in '22, swapped with Russia in '24. www.journalistandspy.com/p/pablo-gonz...
Pablo González
Pablo González is a Russian-Spanish journalist and an alleged agent of the GRU, Russia’s military intelligence agency.
www.journalistandspy.com
November 10, 2025 at 3:57 PM
Reposted by Julian-Ferdinand Vögele
Politico is reporting that the breach at the Congressional Budget Office is "ongoing."

“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email to CBO staff reads.
Cybersecurity breach at Congressional Budget Office remains a live threat
Library of Congress employees were informed to take caution when emailing the office of the congressional scorekeeper.
www.politico.com
November 10, 2025 at 9:40 PM
Reposted by Julian-Ferdinand Vögele
NEW: I tried to explain why there are so many victims of spyware, despite the fact that its makers have been telling us for years that the tech is only intended to be used in limited cases.

There are several reasons, including how the spyware systems are designed, and how powerful they are.
Why a lot of people are getting hacked with government spyware | TechCrunch
Government surveillance vendors want us to believe their spyware products are only used in limited and targeted operations against terrorists and serious criminals. That claim is increasingly difficul...
techcrunch.com
November 10, 2025 at 2:16 PM
Reposted by Julian-Ferdinand Vögele
The spyware that is now in ICE's hands has been used (by another government) against journalists and activists in Italy, as well as a top CEO and a political consultant. Matteo Renzi, Italy's former prime minister, calls it the Italian Watergate. Now it's landed here: www.theguardian.com/technology/2...
Tech giants vow to defend users in US as spyware companies make inroads with Trump administration
Apple and WhatsApp say they will keep warning users if their phones are targeted by governments using hacking software against them
www.theguardian.com
November 10, 2025 at 6:22 PM
Reposted by Julian-Ferdinand Vögele
Kyiv and other Ukrainian cities faced widespread internet and communication outages following one of Russia's largest missile and drone strikes on Ukraine's energy infrastructure since the start of the year therecord.media/russian-miss...
Russian missile barrage disrupts internet, customs databases in Ukraine
Emergency blackouts lasting up to 12 hours were introduced following the attack, with Kyiv and other regions facing widespread internet and communication outages, according to internet watchdog NetBlo...
therecord.media
November 10, 2025 at 3:16 PM