Daniel Gordon
validhorizon.bsky.social
Thought Trailer, Cyber Threat Intel, DFIR. He/Him. Bucketing, sharing, and bacon-saving as a service. https://validhorizon.medium.com/
Reposted by Daniel Gordon
"A Pain in the Mist: Navigating Operation DreamJob’s arsenal" published by OrangeCyberdefense. #DreamJob, #MISTPEN, #UNC2970, #DPRK, #CTI https://www.orangecyberdefense.com/global/blog/cert-news/a-pain-in-the-mist-navigating-operation-dreamjobs-arsenal
November 21, 2025 at 1:30 PM
The keynote from @dmitri.silverado.org was both a heartfelt apology but also basically this xkcd.com/927/ haha
Standards
November 20, 2025 at 1:54 PM
This is a pretty wild evolution. Both the integration of cyber and kinetic and the fact IRGC and that MOIS might actually be working effectively together.
November 20, 2025 at 11:48 AM
It was a pleasure to be a part of this event along with quite the cast of characters, including some folks who I’ve worked with over the years. Thank you to the organizers and their truly amazing promotional themes! See folks tomorrow at @cyberwarcon.bsky.social
Glory and thanks to all the attendees and speakers at #BSidesPyongyang25.
November 19, 2025 at 12:10 AM
Bsides Pyongyang starts in 15 minutes if the Cloudflare gods cooperate.
youtube.com/@bsidespyong...
m.twitch.tv/bsidespyongy...
BSides Pyongyang
🇰🇵 #BSidesPyongyang2025: A free community cyber conference on Nov 18 2025 (Missile Industry Day) @ Lazarus HQ Pyongyang Roblox | 30th anniversary 🎂
November 18, 2025 at 3:14 PM
Reposted by Daniel Gordon
At the end of the day in incident response, you may get accolades if you catch the attacker, but you will have the most impact if you have met the victim's needs. #infosec #dfir
November 17, 2025 at 9:36 PM
I really enjoy when my research on unusual suspected state sponsored hacking groups is useful. *monkey paw curls*
November 17, 2025 at 11:45 AM
Over the course of my career I’ve found and accomplished some pretty wild stuff. Next week I will be talking, for the first time, about one of the wildest things I ever found. The talk will be geared to analysts and practitioners but pretty sure this will be fascinating for everyone.
November 14, 2025 at 2:57 AM
Something is broken in YARA for VirusTotal right now, signatures matching on things for no apparent reason. 🫡 to any folks who have to clean up
November 11, 2025 at 4:14 PM
I know dunking on this is fun and all but if you watch the clip Christo is laughing and mocking this conspiracy theory he heard from Russian intel. I’ve heard stories about the terrible quality of Russian intel but this is bad.
"Famed spy hunter"
November 8, 2025 at 1:43 PM
November 6, 2025 at 10:22 PM
Reposted by Daniel Gordon
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings: Between June and August 2025,
November 5, 2025 at 1:37 PM
Reposted by Daniel Gordon
You need a very special personality type to be a great ft reverser and most people can’t. It’s why they can write their own ticket.
November 1, 2025 at 5:58 AM
This will be my third time speaking at Bsides but it’s already the most hilarious
No longer limited by geographical constraints, virtual conferences have opened up new possibilities for reeducation! Join us at #BSidesPyongyang on Nov 18th and discover the thrill of online learning! #BSPY25 #NewFrontiers
October 31, 2025 at 11:37 AM
I was recently talking to someone who worked on tracking Chinese botnets. We talked about ways to impact them and settled on “fixing the IoT ecosystem”. Then we had a good laugh and changed the subject because obviously that’s never going to happen.
When you hear “Internet of Things” or “connected”, think:
① useless & works badly at best,
② requires constant updates and Internet access for no reason,
③ ceases to work because company decides to stop maintaining,
④ gets hacked and serves to attack you/others,
⑤ keeps you under constant surveillance.
October 30, 2025 at 11:34 AM
Get tickets before they run out! (This is a free online event that will not run out)

www.eventbrite.com/e/bsides-pyo...
BSides Pyongyang
An online security conference: have fun together while learning about the latest security trends! | #BSidesPyongyang2025: A free community cyber conference on Nov 18 2025
October 25, 2025 at 12:12 PM
Reposted by Daniel Gordon
a useful correction on the timescale and process in that story here! (it does not, however, make the meme any better.)
It did not. The reporter took the date on my original email about the planned malware release and assumed that the graphic was begun at the same time.

I sketched out a rough version of that with the PAO in like 15 minutes of brainstorming on a whiteboard. She then sent it to the graphic contractor.
In 2020, U.S. Cyber Command wanted to create a 'meme' to mock Russian hacking attempts. Now, bear in mind that information warfare is part of their brief, and this is well within their skill set.

It took them 22 days to come up with *this*
October 24, 2025 at 4:18 PM
Reposted by Daniel Gordon
If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.
October 23, 2025 at 1:27 PM
Reposted by Daniel Gordon
Sep 25: "North Korea is expanding its military drone program"

www.38north.org/2025/09/curr...

Mid-October:
#ESETresearch discovered a new wave of the well-known North Korea-aligned Lazarus campaign Operation DreamJob, now targeting the drone industry.
welivesecurity.com/en/eset-rese... 1/9
October 23, 2025 at 10:16 AM
Hell yeah check out that lineup
Our new website has launched. We will continue to update the site with information as it becomes available.

https://bsidespyongyang.com/

October 23, 2025 at 9:51 AM
Reposted by Daniel Gordon
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
October 22, 2025 at 9:18 AM
Reposted by Daniel Gordon
Thanks to @xorhex for an interesting discussion that is worth sharing here. I knew I read this somewhere but here's a fun thing you can do in YARA-X:

2 of ($a*, $b*, 3 of ($c*))

This is documented but not widely known: virustotal.github.io/yara-x/docs/...
Differences with YARA
Documents the differences between YARA-X and YARA.
October 16, 2025 at 5:48 PM
Reposted by Daniel Gordon
TI / IR / Threat Hunting / Forensics / Vuln Mgmt staff since BRICKSTORM, and especially since yesterday:
a cartoon dog is sitting at a table with a cup of coffee in front of a fire with the words "this is fine".
October 16, 2025 at 4:37 PM
On the one hand, it is very tempting to join in with everyone dunking on F5 for this but on the other hand I forget what I was going to say here
Leading ADN vendor F5 says nation-state actor had long-term access to its production environment and engineering resources. CISA is ordering agencies to update F5 products and isolate them from the internet. Passwords, API keys, data at risk.

www.cisa.gov/news-events/...
my.f5.com/manage/s/art...
October 15, 2025 at 4:40 PM
Reposted by Daniel Gordon
Update on this.

@austinlarsen.me says the figure is likely 100+

www.reuters.com/sustainabili...
October 9, 2025 at 6:06 PM