John
@bigbadw0lf.bsky.social
Frontline Intelligence with #AdvancedPractices 🦅 @Google Threat Intel | views are my own
Was on my morning run and while listening to Words to Me by Sugar Ray I realized if you change the chorus to “Xi sings these words to me” it’s a song about the CCP working for reunification with Taiwan.
November 6, 2025 at 1:31 PM
what are we without the sauce
October 16, 2025 at 10:16 PM
Reposted by John
🚨🚨🚨 Google released a report on "Brickstorm" this morning — a next-level, suspected China-linked campaign targeting U.S. firms. Ultra-stealthy, 400+ day dwell times, focus on stealing IP, finding zero-days, and focused on long-term cyberespionage. cyberscoop.com/chinese-cybe...
Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign
Mandiant and Google have identified “Brickstorm,” a sophisticated, suspected China-linked hacking campaign targeting U.S. tech firms, legal organizations, and BPOs. The operation often goes undetected...
cyberscoop.com
September 24, 2025 at 2:03 PM
Reposted by John
Not me losing my mind tracking ORBs lalalala I can't hear you over the sound of how many darned ORB networks there are 🫠
ALT: a close up of a woman's face with a purple shirt on.
May 20, 2025 at 11:03 AM
Reposted by John
I wrote some details on LOSTKEYS: malware which we directly attribute to COLDRIVER. They don't deploy it often, but we have seen it a few times and want to make people aware of it.

cloud.google.com/blog/topics/...
COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs | Google Cloud Blog
Russian government-backed group COLDRIVER is using LOSTKEYS malware to steal files and system information from NGOs and western targets.
cloud.google.com
May 7, 2025 at 2:14 PM
Hot off the press is a new blog detailing our observations from in-the-wild exploitation of CVE-2025-22457 by UNC5221, including two newly observed malware families tracked as BRUSHFIRE and TRAILBLAZE.

cloud.google.com/blog/topics/...
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) | Google Cloud Blog
cloud.google.com
April 3, 2025 at 4:26 PM
🔥 new blog covering recent UNC3886 ops. Massive S/O to all the authors for dropping such a great blog.
March 12, 2025 at 6:29 PM
Reposted by John
Super happy this blog is finally released. Dive into the intricacies of backdoors targeting Juniper devices, veriexec bypass zero-day and other interesting TTPs, all with UNC3886, a China-nexus cyber espionage group as your guide!

cloud.google.com/blog/topics/...
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog
We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers.
cloud.google.com
March 12, 2025 at 4:26 PM
The universe doesn’t want me to get a pair of the Vaporfly 4s
March 8, 2025 at 8:23 PM
Friday playlist brought to you by all of @stonepwn3000.bsky.social’s favorite bands open.spotify.com/playlist/4B0...
You Think You Hate This But You Don't
Playlist · turkehbacon · 34 items · 2 saves
open.spotify.com
March 7, 2025 at 5:13 PM
Reposted by John
What I feel is ashamed.
Trump to Zelenskyy: "Don't tell us what we're gonna feel. You're in no position to dictate that. You're in no position to dictate what we're gonna feel. We're gonna feel very good and very strong. You're right now not in a very good position. You're gambling with World War 3."
February 28, 2025 at 5:49 PM
Submitted without comment
February 22, 2025 at 4:44 PM
Reposted by John
Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog
Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
cloud.google.com
February 19, 2025 at 11:05 AM
Next generation hater and I’m here for it
February 10, 2025 at 1:41 AM
The internal debate on whether to buy another pair of Superblast 2s or get the Pegasus Premiums.
January 24, 2025 at 4:13 PM
After trying Neversecond a few times I don’t think I’ll use Maurten again.
January 11, 2025 at 6:40 PM
Starting the day with homemade bagels and affogato is the way.
January 10, 2025 at 6:16 PM
Reposted by John
Mandiant has previously only observed the deployment of the SPAWN ecosystem of malware on Ivanti Connect Secure appliances by UNC5337, a China-nexus cluster of espionage activity | cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 10, 2025 at 11:07 AM
Mfw I get to name some new malware
January 9, 2025 at 5:46 PM
Reposted by John
MSTIC is hiring in the UK and EU for entry level and senior analyst roles!

jobs.careers.microsoft.com/global/en/jo...

jobs.careers.microsoft.com/global/en/jo...
January 9, 2025 at 12:03 PM
Reposted by John
New Year - New Ivanti Zero-Day. Almost exactly 1 year later, UNC5337 returns with their SPAWN malware family.

Blog: cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 9, 2025 at 12:11 AM
🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337.

cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 9, 2025 at 12:42 AM
The Vaporfly 4 looks 🔥🔥🔥
January 8, 2025 at 12:47 PM