mkyo.bsky.social
Mark Kelly
@mkyo.bsky.social
490 followers 170 following 30 posts
🇨🇳 Threat Research at Proofpoint
Posts Media Videos Starter Packs
Reposted by Mark Kelly
pivotcon.bsky.social
PIVOTcon @pivotcon.bsky.social · 6d
📣 🔥 🛋️ SAVE THE DATE 🛋️ 🔥 📣
The next #PIVOTcon will be on 6-8 May 2026, in Malaga, ES!!!

You favorite ;) #ThreatResearch conference is coming back and we are planning to bring you the usual experience and content of utmost quality. Follow us + #StayTuned for more info
#CTI #ThreatIntel #PIVOTcon26
10 16
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · 4d
Good piece covering a big burst of TA416 activity targeting European governments last week!
strikereadylabs.com
StrikeReady Labs @strikereadylabs.com · 5d
Quite a bit of CN APT activity in europe in the past week

strikeready.com/blog/cn-apt-...

As always, if you're interested in tuning your skills, download the samples here github.com/StrikeReady-...
CN APT targets Serbian Government
Mustang Panda continues targeting European governments
strikeready.com
2 3
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · 13d
Great report @cyberoverdrive.bsky.social and team 😁
a group of people are putting their hands together in a huddle .
ALT: a group of people are putting their hands together in a huddle .
media.tenor.com
1
Reposted by Mark Kelly
cyberoverdrive.bsky.social
The Banshee Queen 👑 @cyberoverdrive.bsky.social · 14d
First public report at Recorded Future by yours truly is out! RedNovember (formerly TAG-100, a.k.a. Storm-2077) is a Chinese state-sponsored threat group focused on intelligence collection, especially on flashpoint issues of strategic interest to China. www.recordedfuture.com/research/red...
RedNovember Targets Government, Defense, and Technology Organizations
RedNovember, a likely Chinese state-sponsored cyber-espionage group, has targeted global government, defense, and tech sectors using advanced tools like Pantegana and Cobalt Strike. Discover the lates...
www.recordedfuture.com
2 14 22
Reposted by Mark Kelly
threatinsight.proofpoint.com
ThreatInsight @threatinsight.proofpoint.com · 20d
Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

Blog: www.proofpoint.com/us/blog/thre....
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US
What happened  Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China
www.proofpoint.com
1 4 7
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · 22d
Our reporting overlaps this recent WSJ article:
www.wsj.com/politics/nat...

See our full research here:
www.proofpoint.com/us/blog/thre...
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · 22d
In these campaigns, TA415 delivered infection chains to set up VS Code Remote Tunnels 🚇 This is in line with recent TA415 phishing operations over the past year, which have relied on legit services (e,g, Google Sheets, Google Calendar, VS Code) for C2 to blend w/ trusted traffic
TA415 infection chain diagram
1
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · 22d
🚨🇨🇳💰 New @threatinsight.proofpoint.com blog on TA415 (aka APT41) economy and trade-themed spearphishing against US govt, think tanks & academia.

The campaigns used U.S.-China economic lures and spoofed the Chair of the House Select Committee on CCP competition + the US-China Business Council.
1 1 3
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · 27d
It is time the Mustang Panda moniker went the way of Winnti Group ☠️
3
Reposted by Mark Kelly
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Aug 5
1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and ...
www.recordedfuture.com
1 12 12
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · Jul 16
🚨🆕🐟🍟 New blog from me and the amazing @threatinsight.proofpoint.com team covering recent activity by multiple China-aligned threat actors targeting semiconductor companies in Taiwan over the past few months:
www.proofpoint.com/us/blog/thre...
Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting  | Proofpoint US
Key findings  Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese
www.proofpoint.com
3 5
Reposted by Mark Kelly
ajvicens.bsky.social
AJ Vicens @ajvicens.bsky.social · Jul 16
New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...
Exclusive: China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say
Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns, researchers said on Wednesday.
www.reuters.com
1 9 16
Reposted by Mark Kelly
saffronsec.bsky.social
Saher @saffronsec.bsky.social · Jul 1
New DISCARDED podcast drop! Join
@greg-l.bsky.social and me as we talk about our fave North Korean groups, DPRK as the neglected child, TA406 and the Russian connection, and finally, the dreaded but pervasive IT worker problem podcasts.apple.com/us/podcast/c...
open.spotify.com/episode/01d1...
Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook
Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 07/01/2025 · 53m
podcasts.apple.com
1 4 8
Reposted by Mark Kelly
greg-l.bsky.social
Greg Lesnewich @greg-l.bsky.social · Jun 30
Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social it’s got it all:

🛰️ Popped routers for sending phish

📊 ACH on attribution

👾 custom protocols

👽 cool malware

🕵️ crime

🎯 espionage

❔many unanswered questions

www.proofpoint.com/us/blog/thre...
10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US
Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity.  Key takeaways
www.proofpoint.com
12 17
Reposted by Mark Kelly
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Jun 20
🚨 We’re hiring at Recorded Future’s Insikt Group

Two senior analyst roles are open right now. Both focus on tracking nation-state threats.

🧵
1 3 6
Reposted by Mark Kelly
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Jun 12
Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵

www.recordedfuture.com/research/pre...
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...
www.recordedfuture.com
1 14 20
Reposted by Mark Kelly
nickattfield.bsky.social
Nick Attfield @nickattfield.bsky.social · Jun 4
Dropping some joint research today with Threatray on TA397/Bitter 🔍

We dive into the confluence of signals that led us to our attribution of the threat actor 🎯

Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research.

www.proofpoint.com/us/blog/thre...
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here.  Analyst note: Throughout
www.proofpoint.com
8 11
Reposted by Mark Kelly
saffronsec.bsky.social
Saher @saffronsec.bsky.social · Jun 4
From phishes to hands-on-keyboard commands 🔥 new @proofpoint.bsky.social research from @nickattfield.bsky.social and @konstantinklinger.bsky.social on Indian state-sponsored actor TA397 (Bitter) with a great story on the steps to technical and political attribution www.proofpoint.com/us/blog/thre...
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here.  Analyst note: Throughout
www.proofpoint.com
3 11
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · May 29
ELECTRONIC ESPIONAGE and ELECTRONIC CRIME ftw
1 5
Reposted by Mark Kelly
greg-l.bsky.social
Greg Lesnewich @greg-l.bsky.social · May 21
Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️
7 8 28
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · May 17
same tbh
1 5 210
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · May 17
Yes
5
mkyo.bsky.social
Mark Kelly @mkyo.bsky.social · May 13
Hey nice to meet you my name is @nickattfield.bsky.social
1 2
Reposted by Mark Kelly
adorais.bsky.social
adorais.bsky.social @adorais.bsky.social · May 13
New Proofpoint blog alert

We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025:

www.proofpoint.com/us/blog/thre...
TA406 Pivots to the Front | Proofpoint US
What happened  In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these
www.proofpoint.com
1 2 7
Reposted by Mark Kelly
saffronsec.bsky.social
Saher @saffronsec.bsky.social · May 13
@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...
TA406 Pivots to the Front | Proofpoint US
What happened  In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these
www.proofpoint.com
1 13 15