Alexander Leslie
@aejleslie.bsky.social
Cybercrime & Hacktivism @ Recorded Future | Insikt Group | Curated Intelligence | @aejleslie everywhere else.
🚨 👀 New Insikt Group report! As NATO leaders gather in The Hague next week, the upcoming summit comes under threat from adversary activity: state-sponsored espionage, malign influence operations, and a surge of chatter across the dark web.

Blog: www.recordedfuture.com/research/thr...
Threats to the 2025 NATO Summit: Cyber, Influence, and Hybrid Risks
Explore how state-sponsored actors, cybercriminals, and hacktivists are targeting the 2025 NATO Summit. Insight from Recorded Future’s Insikt Group reveals escalating cyber, AI, and hybrid threats fro...
www.recordedfuture.com
June 18, 2025 at 7:51 PM
🇨🇳 🤖 New Insikt Group report! This research details how the People’s Liberation Army is rapidly experimenting with generative AI to augment — and potentially transform — its military intelligence capabilities.

Blog: www.recordedfuture.com/research/art...
China’s PLA Leverages Generative AI for Military Intelligence: Insikt Group Report
Explore how China’s PLA is adopting generative AI for military intelligence. This Insikt Group report reveals AI-driven intelligence tools, strategic adaptations, and implications for global security.
www.recordedfuture.com
June 18, 2025 at 5:33 PM
Join me tomorrow for a live briefing on the conflict between Israel and Iran.

We’ll address specific geopolitical risks, cybercriminal and hacktivist groups, state-sponsored cyber threats, influence operations, and more.

Registration: recordedfuture.registration.goldcast.io/webinar/4b72...
June 17, 2025 at 6:29 PM
Thank you to everyone who attended my session at our inaugural Insikt After Dark conference in New York City!

I spoke on our recent efforts to disrupt traffer teams, infostealer operators, and global scam infrastructure.

It’s always an honor to represent Recorded Future!
June 13, 2025 at 7:03 PM
Outstanding work from @julianferdinand.bsky.social, @lawrencesec.bsky.social, and our Malicious Infrastructure Discovery (MID) team.

GrayAlpha shows how financially motivated actors operate with APT-level tradecraft.

Time to retire old threat models. Think in terms of ecosystems, not just malware.
June 13, 2025 at 3:27 PM
Predator isn’t dead — it’s mutating.

New reporting from @julianferdinand.bsky.social just dropped. It confirms that Predator C2 is very much alive and attracting new clients.

Targets? The same. Activists, politicians, journalists, executives. The spyware economy isn’t slowing — it’s adapting.
June 12, 2025 at 5:35 PM
New report! Check it out.

🇷🇺 🇹🇯 This research examines a campaign targeting Tajikistan attributed to Russia-aligned TAG-110 — linked to BlueDelta (APT28). This campaign is likely targeting government, educational, and research institutions.

Link: www.recordedfuture.com/research/rus...
TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics
Russia-aligned TAG-110 shifts to .dotm phishing lures in a 2025 campaign against Tajikistan’s public sector, advancing cyber-espionage in Central Asia.
www.recordedfuture.com
May 22, 2025 at 2:52 PM
New report! Check it out.

This research examines the US-China AI gap and the drivers of competition. Insikt Group assesses that China is unlikely to sustainably surpass the US on its desired timeline to become the world leader in AI by 2030.

Link: www.recordedfuture.com/research/mea...
US-China AI Gap: 2025 Analysis of Model Performance, Investment, and Innovation
Explore Insikt Group's in-depth 2025 report on the US-China AI race—comparing funding, talent, regulation, compute capacity, and model benchmarks. Discover why China trails the US and what could chang...
www.recordedfuture.com
May 8, 2025 at 2:47 PM
I had a great time talking with @gregotto.bsky.social from @cyberscoop.bsky.social at RSAC 2025. Always fun!

Check out our conversation about my work on cryptoscam gangs, infostealer “traffer” teams, and the “Marko Polo” cybercriminal group.

Link: open.spotify.com/episode/70AY...
Recorded Future’s Alexander Leslie on the ‘MarkoPolo’ traffer team
Safe Mode Podcast · Episode
open.spotify.com
May 2, 2025 at 8:08 PM
New report! Check it out.

This research uncovers two new malware families — TerraStealerV2 and TerraLogger — linked to the financially motivated threat activity group Golden Chickens (VENOM SPIDER).

Link: www.recordedfuture.com/research/ter...
Golden Chickens Unveils TerraStealerV2 and TerraLogger: New Credential Theft Tools Identified by Insikt Group
Insikt Group reveals two emerging malware strains—TerraStealerV2 and TerraLogger—linked to Golden Chickens, a threat actor behind credential theft and keylogging MaaS platforms. Learn how these tools ...
www.recordedfuture.com
May 2, 2025 at 5:06 PM
New report! Check it out.

This research examines MintsLoader, which groups like TAG-124 (LandUpdate808) use to deploy capabilities like GhostWeaver and StealC.

Link: www.recordedfuture.com/research/unc...
MintsLoader Malware Analysis: Multi-Stage Loader Used by TAG-124 and SocGholish
Discover how MintsLoader operates as a stealthy, obfuscated malware loader distributing GhostWeaver, StealC, and BOINC. Read Recorded Future’s in-depth analysis of its evasion tactics, DGA-based C2s, ...
www.recordedfuture.com
April 29, 2025 at 3:44 PM
Thank you to everyone who attended my session at RSAC 2025 on cryptoscam gangs, infostealer operators, and the notorious “Marko Polo” traffer team. A lot of friendly faces in the crowd! (Find me roaming around this week, I have stickers!)
April 28, 2025 at 9:30 PM
See y’all tomorrow! 😎
April 27, 2025 at 8:34 PM
New Recorded Future report! Check it out.

This research examines the critical role of artificial intelligence in the future economic, regional influence, and national security interests of Iran, and the implementation of those capabilities.

Link: www.recordedfuture.com/research/ira...
Iran’s AI Ambitions: National Security, Global Influence, and Strategic Challenges
Explore how Iran is leveraging AI for cyberwarfare, influence ops, military tech, and domestic surveillance. A deep dive into Tehran’s top-down AI strategy, partnerships with China and Russia, and imp...
www.recordedfuture.com
April 18, 2025 at 5:49 PM
“More than 60 people in Tibetan areas of China have been arrested since 2021 for offenses connected to phone and internet use…”

“Many of the arrests have involved the possession of outlawed content on phones… sharing of content on social media…”

h/t: therecord.media/tibetans-arr...
Chinese police ensnaring Tibetans over phone and internet activity, Human Rights Watch says
Dozens of people in Tibet have been arrested by Chinese authorities in recent years for "simply using a cellphone," according to the nonprofit Human Rights Watch.
therecord.media
April 14, 2025 at 11:47 PM
🤖 “Artificial Intelligence has supercharged an array of tax-season scams this year, with fraudsters using deepfake audio and other techniques to intercept funds and trick taxpayers into sending them financial documents.”

h/t: therecord.media/hackers-use-...
Hackers using AI-produced audio to impersonate tax preparers, IRS
Artificial Intelligence has supercharged an array of tax-season scams this year, with fraudsters using deepfake audio and other techniques to trick taxpayers into sending them money and financial docu...
therecord.media
April 14, 2025 at 5:37 PM
Album of the day. Eclectic, individual, and absorbing. Not everything here works, but that doesn’t matter, because it’s so much fun.

Link: open.spotify.com/album/3XFwJR...
Where Malefic Icons do Eons Keep
Luminous Veil · Album · 2025 · 8 songs
open.spotify.com
April 14, 2025 at 5:09 PM
“Talos assesses… that multiple threat actors are operating the toll road smishing campaign by leveraging a smishing kit developed by the actor known as ‘Wang Duo Yu’ … used by the organized cybercrime group known as the ‘Smishing Triad.’”

h/t: blog.talosintelligence.com/unraveling-t...
Unraveling the U.S. toll road smishing scams
Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
blog.talosintelligence.com
April 13, 2025 at 8:11 PM
👀 🇷🇺 “The Russia-backed threat group Gamaredon, typically known for spreading malware via phishing emails, recently appeared to have used an infected removable drive to target a Ukraine-based military mission of an unnamed Western country…”

h/t: therecord.media/gamaredon-re...
Tainted drive appears to be source of malware attack on Western military mission in Ukraine
Researchers at Symantec said the Russia-linked group known as Gamaredon appears to have departed from its usual email phishing tactics in hacking a Western military mission in Ukraine.
therecord.media
April 13, 2025 at 6:50 PM
“Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware… mimic the Google Chrome install page on the Google Play Store…”

“While no definitive attribution is currently available, a China nexus is suspected.”

h/t: dti.domaintools.com/newly-regist...
Newly Registered Domains Distributing SpyNote Malware - DomainTools Investigations | DTI
Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store.
dti.domaintools.com
April 13, 2025 at 5:22 PM
Album of the day. This rocks. Callback to Swedish blackened death metal. I hear echoes of Sacramentum, Necrophobic, and Dissection here. Riffs, solos, and Lovecraftian aesthetics? Count me in.

Link: youtu.be/KUqppuhKVWI?...
The Infernal Deceit - The True Harmful Black (Full Album Premiere)
YouTube video by Black Metal Promotion
youtu.be
April 13, 2025 at 5:14 PM
🇬🇧 “British police on Wednesday announced that a 38-year-old Romanian man has been arrested on suspicion of assisting a foreign intelligence service.”

“…identified as part of an investigation into a fire at a DHL warehouse in Birmingham.”

h/t: therecord.media/romanian-man...
Romanian man arrested in UK on suspicion of aiding Russian sabotage campaign
British police arrested a 38-year-old Romanian man suspected of connections to a fire at a DHL warehouse that appeared to be part of a larger sabotage campaign attributed to Russian intelligence.
therecord.media
April 12, 2025 at 11:29 PM
PowerModul: BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD

Mythic HTA:
AFC7302D0BD55CFC603FDAF58F5483B0CC00D354274F379C75CFA17F6BA6F97D
🇷🇺 “A little-known hacking group is using custom malware to steal sensitive files from flash drives connected to Russian computers…”

“The group… has deployed a tool dubbed PowerModul that includes components designed specifically to target removable media.”

h/t: therecord.media/goffee-espio...
Researchers warn about ‘Goffee’ spilling onto Russian flash drives
A cyber-espionage campaign aimed at Russia has added malware that specifically targets flash drives, analysts at Kaspersky said.
therecord.media
April 12, 2025 at 8:14 PM
🇷🇺 “A little-known hacking group is using custom malware to steal sensitive files from flash drives connected to Russian computers…”

“The group… has deployed a tool dubbed PowerModul that includes components designed specifically to target removable media.”

h/t: therecord.media/goffee-espio...
Researchers warn about ‘Goffee’ spilling onto Russian flash drives
A cyber-espionage campaign aimed at Russia has added malware that specifically targets flash drives, analysts at Kaspersky said.
therecord.media
April 12, 2025 at 7:29 PM