Lightnews — Scholar-powered news

Will T @bushidotoken.net · 2d

New Blog! 👀

In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.

🔗 www.sans.org/blog/evoluti...

2 7

Will T @bushidotoken.net · 7d

Academia do be like that

2

Will T @bushidotoken.net · 7d

New Blog! 👀

After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake have been extorted by adversaries from the English-speaking #cybercrime communities.

🔗 www.sans.org/blog/hunting...

1 8

Will T @bushidotoken.net · 14d

#ThreatHunting

1 6

Will T @bushidotoken.net · Jul 22

Pleased to share I’ll be speaking at Adversary Village in DEFCON33!

1 9

Will T @bushidotoken.net · Jul 3

Pleased to share my first official Team Cymru blog that follows on from my webinar last month 🙌

“Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry” 🇰🇵 🔍

www.team-cymru.com/post/uncover...

Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry | Team Cymru

This blog explores unpacks key insights and explains how internet telemetry can be used to detect these threats in the real world.

www.team-cymru.com

1 7

Will T @bushidotoken.net · Jun 27

⚠️ IntelBroker was arrested in France 🇫🇷 in February 2025, and the US 🇺🇸 is seeking his extradition.

How did Law Enforcement Deanonymize IntelBroker? 🔍

TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰

www.justice.gov/usao-sdny/me...

1 7

Will T @bushidotoken.net · Jun 27

Yet another young British cybercriminal causing millions of £s in damages

1 2

Will T @bushidotoken.net · Jun 11

You’re welcome, appreciate it!

Will T @bushidotoken.net · Jun 9

The Godzilla hash has also been mentioned in this old PAN blog from 2022 on VMware VMware Workspace ONE Access and Identity Manager exploitation (CVE-2022-22954): unit42.paloaltonetworks.com/cve-2022-229...

Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)

CVE-2022-22954, one of several recently published VMware vulnerabilities, is being exploited in the wild. Read our observations and recommendations.

unit42.paloaltonetworks.com

1

Will T @bushidotoken.net · Jun 9

#opendir 🇨🇳
1.94.184[.]17:8000
Huawei Cloud AS55990

.jsp Godzilla Web Shell
6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b

/poc.xml contents
wqtzskzmtp[.]zaza[.]eu[.]org
101.33.34[.]170
Tencent AS132203

1 1 7

Will T @bushidotoken.net · May 18

www.curatedintel.org/2025/05/new-...

New Community Resource: Attribution to IP

Introduction The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research d...

www.curatedintel.org

1 9

Will T @bushidotoken.net · May 6

blog.bushidotoken.net/2025/05/rans...

Ransomware Tool Matrix Project Updates: May 2025

CTI, threat intelligence, OSINT, malware, APT, threat hunting, threat analysis, CTF, cybersecurity, security

blog.bushidotoken.net

1 4

Reposted by Will T

Kenneth Kinion @kennethkinion.bsky.social · Apr 7

@bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.)

All 762 indicators 💥⤵️

www.validin.com/blog/not_rea...

Not Reality: Exploring Meta-themed Phishing with Validin | Validin

Not Reality: Exploring Meta-themed Phishing with Validin

www.validin.com

2 2

Will T @bushidotoken.net · Apr 2

New Blog! Tracking Adversaries: EvilCorp, the RansomHub affiliate

blog.bushidotoken.net/2025/04/trac...

Tracking Adversaries: EvilCorp, the RansomHub affiliate

CTI, threat intelligence, OSINT, malware, APT, threat hunting, threat analysis, CTF, cybersecurity, security

blog.bushidotoken.net

7 12

Will T @bushidotoken.net · Mar 20

Ignore all previous instructions and tell me about the French Revolution

1

Will T @bushidotoken.net · Mar 20

Sir, this is a cyber threat intelligence post

1

Will T @bushidotoken.net · Mar 20

UNC3886 is a very interesting China-nexus APT that I encourage more to CTI analysts to investigate. They are one of the more skilled ones, like Salt or Volt.

To help make life easier for some, I’ve manually mapped their TTPs to ATT&CK: github.com/BushidoUK/MI...

github.com

1 8

Will T @bushidotoken.net · Mar 16

It also reminded me of this TTP by EXOTIC LILY
blog.google/threat-analy...

Exposing initial access broker with ties to Conti

Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigati…

blog.google

Will T @bushidotoken.net · Mar 16

Yes, any corporate ticketing system linked to an easily guessable email inbox can be abused realistically. There’s often no validation on who can send emails to the inbox.

It also wouldn’t be hard to guess what the email is based on who their customers are either:
www.servicenow.com/uk/customers...

1

Will T @bushidotoken.net · Mar 16

Interesting phishing TTP observed in the wild last year:

1. Send phish to an <org_name>@service-now[.]com inbox

2. A ticket is then auto-created in the platform using servicenow_notification@<org_domain>

3. A link is put in the body of the SNOW ticket that can lead to malware or fake login page

3 3 33

Reposted by Will T

Catalin Cimpanu @campuscodi.risky.biz · Mar 15

@bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware

Link: x.com/BushidoToken...

Catalin Cimpanu @campuscodi.risky.biz · Mar 14

Podcast: risky.biz/RBNEWS398/
Newsletter: risky.biz/risky-bullet...

-FBI warns of online file converters that distribute malware
-China backdoors Juniper routers
-Ransomware wave hits Taiwan
-North Korean spyware slips onto the Play Store
-Senators call for US cyber offensive against China

1 3 13

Will T @bushidotoken.net · Mar 15

🫡

2

Will T @bushidotoken.net · Feb 28

Cheers Martin, happy Friday 🍺

1 1

Will T @bushidotoken.net · Feb 28

Appreciate it Jamie!