Lightnews — Scholar-powered news

@adorais.bsky.social

73 followers 120 following 10 posts

Manager, APT Research Team @ Proofpoint

Posts Media Videos Starter Packs

Pinned

adorais.bsky.social @adorais.bsky.social · Apr 17

🎯New Proofpoint research: Around the World in 90 Days: State-Sponsored Actors Try ClickFix 🎯
www.proofpoint.com/us/blog/thre...

In 2024 we released two blogs on cybercrime actors using ClickFix in their attack chains:
www.proofpoint.com/us/blog/thre...
www.proofpoint.com/us/blog/thre...

Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US

Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social

www.proofpoint.com

1 1 2

adorais.bsky.social @adorais.bsky.social · Jun 6

Multiple reports have documented specific TA397 campaigns, this one takes a holistic look at the group's activity and puts forward attribution elements pointing towards Indian state interests alignment.

Stellar work by @nickattfield.bsky.social and @threatray.bsky.social's researchers

ThreatInsight @threatinsight.proofpoint.com · Jun 4

Just published:

A two-part blog series in collaboration with
@threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state.

Part 1: brnw.ch/21wT9A5
Part 2: brnw.ch/21wT9Ad.

The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US

This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout

brnw.ch

adorais.bsky.social @adorais.bsky.social · May 13

We assess the motivation was to better understand the appetite to continue fighting against the RU invasion and assess the medium-term outlook of the conflict.

Great work by @greg-l.bsky.social @saffronsec.bsky.social and @mkyo.bsky.social !

adorais.bsky.social @adorais.bsky.social · May 13

New Proofpoint blog alert

We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025:

www.proofpoint.com/us/blog/thre...

TA406 Pivots to the Front | Proofpoint US

What happened In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these

www.proofpoint.com

1 2 7

adorais.bsky.social @adorais.bsky.social · Apr 17

Personal bias aside, that is still a must-read. Impressive work by @saffronsec.bsky.social grouping together multiple campaigns to provide a comprehensive view of APT state-sponsored actors using ClickFix. Here's to your first blog with us! 🥂

Saher @saffronsec.bsky.social · Apr 17

My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...

Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US

Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social

www.proofpoint.com

adorais.bsky.social @adorais.bsky.social · Apr 17

Great team collab by @saffronsec.bsky.social
@mkyo.bsky.social @greg-l.bsky.social and Josh Miller 🤝

adorais.bsky.social @adorais.bsky.social · Apr 17

Today, we release a new blog that highlights how state-sponsored groups from North Korea, Iran, and Russia were all seen using the ClickFix technique in their routine activity. We also release key IOCs for all campaigns. Happy hunting!

1 1

adorais.bsky.social @adorais.bsky.social · Apr 17

Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US

Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social

www.proofpoint.com

1 1 2

adorais.bsky.social @adorais.bsky.social · Dec 17

Network iocs:
academymusica[.]com
samsnewlooker[.]com
jacknwoods[.]com
38.180.142[.]228
96.9.215[.]155

adorais.bsky.social @adorais.bsky.social · Dec 17

Hot off the press - new report on TA397 (aka Bitter) by Proofpoint's Threat Research team
- Targeted the Turkish defense sector in Fall 2024
- Uses Alternate Data Streams in RAR archives

www.proofpoint.com/us/blog/thre...

1 3

adorais.bsky.social @adorais.bsky.social · Dec 12

Developing story - attack against #BGP peers of a European telco. The malicious emails impersonated that same telco and included the ASN of each recipient in the subject line.
The emails contained a password-protected RAR attachment with the malicious payload.

ThreatInsight @threatinsight.proofpoint.com · Dec 12

In December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

🧵⤵️

StrikeReady Labs @strikereadylabs.com · Dec 12

Interesting susp targeted phish targeting an Italian telecom.
1) spoofing swisscom (note 'S', domain just reg'd)
2) leveraging encrypted rar + lnk + self signed pdf reader
3) BGP lure (fits with theme of email). BGP is the third leg in the outage triumvirate)

3 5

Reposted

Greg Lesnewich @greg-l.bsky.social · Dec 12

since I'm cold and missing #OBTS I wanted to reflect on what
@jacoblatonis.me and Tomas have gifted us with the YARA-X Macho module

the OG YARA macho parsing left a lot to be desired, and the new YARA-X ver has all sorts of goodies

2 8 19