# @AndreGironda Andre Gironda

Andre Gironda posts on X about c2, apt, polyswarm, [----] the most. They currently have [-----] followers and [---] posts still getting attention that total [--] engagements in the last [--] hours.

### Engagements: [--]
![Engagements Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::327015253/c:line/m:interactions.svg)

- [--] Week [-----] -58%
- [--] Month [------] -60%
- [--] Months [------] -6.60%
- [--] Year [-------] +842%

### Mentions: [--]
![Mentions Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::327015253/c:line/m:posts_active.svg)

- [--] Week [--] +80%
- [--] Month [--] +133%
- [--] Months [---] -10%
- [--] Year [---] +536%

### Followers: [-----]
![Followers Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::327015253/c:line/m:followers.svg)

- [--] Week [-----] +0.46%
- [--] Month [-----] +3.40%
- [--] Months [-----] +11%
- [--] Year [-----] +26%

### CreatorRank: [---------]
![CreatorRank Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::327015253/c:line/m:influencer_rank.svg)

### Social Influence

**Social category influence**
- [technology brands](/list/technology-brands) 7.62%
- [stocks](/list/stocks) 5.71%
- [social networks](/list/social-networks) 2.86%
- [cryptocurrencies](/list/cryptocurrencies) 2.86%
- [finance](/list/finance) 1.9%
- [countries](/list/countries) 0.95%
- [exchanges](/list/exchanges) 0.48%

**Social topic influence**
- [c2](/topic/c2) 2.86%
- [apt](/topic/apt) 2.86%
- [polyswarm](/topic/polyswarm) 2.38%
- [6969](/topic/6969) 1.9%
- [tools](/topic/tools) 1.9%
- [in the](/topic/in-the) 1.9%
- [playbook](/topic/playbook) 1.9%
- [windows](/topic/windows) 1.9%
- [red](/topic/red) 1.9%
- [ai](/topic/ai) 1.9%

**Top accounts mentioned or mentioned by**
@chrissanders88, @nullenc0de, @antonchuvakin, @imposecost, @malwarejake, @banthisguy9349, @michalkoczwara, @redteamtactics, @icesolst, @frankmcg, @bleepincomputer, @serghei, @iamericabooted, @varonis, @msftsecintel, @haozhixiang, @1zrr4h, @psyb3rm0nkmalwareanalysisamadeyd0e32b54aee5, @jaimeblascob, @notdan

**Top assets mentioned**
- [PolySwarm (NCT)](/topic/polyswarm)
- [Alphabet Inc Class A (GOOGL)](/topic/$googl)
- [Microsoft Corp. (MSFT)](/topic/microsoft)
- [Ethereum (ETH)](/topic/ethereum)

### Top Social Posts
Top posts by engagements in the last [--] hours

"@nullenc0de Thank you. I create custom lists after initial targeting with Photon. merge_webpath_list sorts from several sources namely leaky-paths ffufplus commonspeak2 SecLists Sn1per RobotsDisallowed and assetnote lists. Tweak further with GoldenNuggets-1 + IIS-ShortName-Scanner"  
[X Link](https://x.com/anyuser/status/1417675703982592002)  2021-07-21T02:40Z [----] followers, [--] engagements


"@MichalKoczwara search tag:cve-2021-40444 on VT (yara retrohunting pulls these) you'll also see asdasdas.com caribarena.com exployt.com and vitlescaux.com -- much more interesting than dodefoh.com hidusi.com and joxinu.com although pawevi.com is in a class of its own"  
[X Link](https://x.com/anyuser/status/1437206134037704707)  2021-09-13T00:06Z [----] followers, [--] engagements


"@RedTeamTactics Downloading malicious logic is an Event. Executing or Installing malicious logic are Incidents. Events can lead to Incidents but only Incidents come with a promise of "cleanup on aisle four""  
[X Link](https://x.com/AndreGironda/status/1919078620603068636)  2025-05-04T17:16Z [----] followers, [---] engagements


"@chrissanders88 Could be a C2 config being pulled down in order to consume (by the malware) and then use as transports likely connecting to one a time either first last or selected randomly from the list; trying the others when the initial(s) don't connect. Onimai malware uses Gist this way"  
[X Link](https://x.com/anyuser/status/1927467638784925703)  2025-05-27T20:51Z [----] followers, [---] engagements


"Trend Investigation of AWS credential leaks via container infrastructure -- https://www.trendmicro.com/en_us/research/25/f/aws-credential-exposure-overprivileged-containers.html"  
[X Link](https://x.com/AndreGironda/status/1936972715564626374)  2025-06-23T02:20Z [----] followers, [---] engagements


"KazakRat your malware my c2 -- https://ctrlaltintel.com/threat%20research/KazakRAT/"  
[X Link](https://x.com/AndreGironda/status/2017183783955710413)  2026-01-30T10:31Z [----] followers, [--] engagements


"Storm-1811 and PhantomCaptcha complex cybercrime ecosystem levers Microsoft Teams voice-phishing campaign for execution of Quick Assist -- https://fieldeffect.com/blog/quick-you-need-assistance"  
[X Link](https://x.com/AndreGironda/status/2018314711691915394)  2026-02-02T13:25Z [----] followers, [---] engagements


"Malicious use of virtual machine infrastructure -- https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure"  
[X Link](https://x.com/AndreGironda/status/2019058917095977098)  2026-02-04T14:42Z [----] followers, [---] engagements


"Brew Hijack serving malware over Homebrews core tap -- https://www.koi.ai/blog/brew-hijack-serving-malware"  
[X Link](https://x.com/AndreGironda/status/2019060891833045128)  2026-02-04T14:50Z [----] followers, [---] engagements


"Quick Howto extract URLs from RTF files -- https://isc.sans.edu/forums/diary/Quick+Howto+Extract+URLs+from+RTF+files/32692/"  
[X Link](https://x.com/AndreGironda/status/2020887835952508929)  2026-02-09T15:49Z [----] followers, [---] engagements


"More than 135k OpenClaw instances exposed to internet in latest vibe-coded disaster -- https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/"  
[X Link](https://x.com/AndreGironda/status/2020918544267895044)  2026-02-09T17:51Z [----] followers, [---] engagements


"Inside Gunra RaaS from affiliate recruitment on the dark web to full technical dissection of their locker -- https://www.cloudsek.com/blog/inside-gunra-raas-from-affiliate-recruitment-on-the-dark-web-to-full-technical-dissection-of-their-locker"  
[X Link](https://x.com/AndreGironda/status/2021597688353931490)  2026-02-11T14:50Z [----] followers, [---] engagements


"The North Korean on your payroll -- https://www.okta.com/blog/threat-intelligence/the-north-korean-on-your-payroll/"  
[X Link](https://x.com/AndreGironda/status/2021646710456684985)  2026-02-11T18:05Z [----] followers, [--] engagements


"Google/Mandiant says China's APT31 used Gemini to plan cyberattacks against US orgs -- https://www.theregister.com/2026/02/12/google_china_apt31_gemini/"  
[X Link](https://x.com/AndreGironda/status/2021880417604055392)  2026-02-12T09:33Z [----] followers, [---] engagements


"PowerShell Security: PowerShell Attack Tools Mitigation & Detection -- https://adsecurity.org/p=2921"  
[X Link](https://x.com/anyuser/status/764670820970921984)  2016-08-14T03:51Z [----] followers, [--] engagements


"jenkins to meterpreter toying with powersploit -- https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/"  
[X Link](https://x.com/anyuser/status/825058653665320961)  2017-01-27T19:11Z [----] followers, [--] engagements


"A Safe Browsing Blocker in a phishkit technical analysis and why it fails -- https://www.d3lab.net/a-safe-browsing-blocker-in-a-phishing-kit-technical-analysis-and-why-it-fails"  
[X Link](https://x.com/AndreGironda/status/2021597871435403470)  2026-02-11T14:51Z [----] followers, [---] engagements


"Koi Security VK Styles 500K users infected by Chrome Extensions that hijack VKontakte creds -- https://www.koi.ai/blog/vk-styles-500k-users-infected-by-chrome-extensions-that-hijack-vkontakte-accounts"  
[X Link](https://x.com/AndreGironda/status/2022168186641428918)  2026-02-13T04:37Z [----] followers, [---] engagements


"XWorm RAT campaign uses themed phishing lures and CVE-2018-0802 Excel exploit to evade detection -- https://cybersecuritynews.com/new-xworm-rat-campaign-uses-themed-phishing-lures"  
[X Link](https://x.com/AndreGironda/status/2022294152940306795)  2026-02-13T12:57Z [----] followers, [---] engagements


"PolySwarm Shadow campaigns show evidence of global espionage using ShadowGuard rootkit -- https://blog.polyswarm.io/shadow-campaigns-show-evidence-of-global-espionage-using-shadowguard-rootkit"  
[X Link](https://x.com/AndreGironda/status/2022374824384053341)  2026-02-13T18:18Z [----] followers, [---] engagements


"@nullenc0de I use this exact technique but generally will set the Host header and use the IP in the -u to speed it up just a bit more. ffuf is the fastest around and -ac has an excellent analyzer that produces basically-zero errors"  
[X Link](https://x.com/AndreGironda/status/1417667422002114562)  2021-07-21T02:07Z [----] followers, [--] engagements


"Automated attacks breach FortiGate firewalls exposing configuration data -- https://rewterz.com/threat-advisory/automated-attacks-breach-fortigate-firewalls-exposing-configuration-data-active-iocs"  
[X Link](https://x.com/AndreGironda/status/2016160701858119968)  2026-01-27T14:45Z [----] followers, [---] engagements


"The Open-Source Cybersecurity Playbook -- https://www.barkly.com/comprehensive-it-security-plan"  
[X Link](https://x.com/AndreGironda/status/804407057759641600)  2016-12-01T19:29Z [----] followers, [--] engagements


"ICIT Analysis: Signature-based Malware Detection is Dead -- http://icitech.org/icit-analysis-signature-based-malware-detection-is-dead/"  
[X Link](https://x.com/AndreGironda/status/829742988129480706)  2017-02-09T17:25Z [----] followers, [--] engagements


"Windows Incident Response: Understanding What The Data Is Telling You -- http://windowsir.blogspot.com/2017/04/understanding-what-data-is-telling-you.html"  
[X Link](https://x.com/anyuser/status/851433530823290880)  2017-04-10T13:55Z [----] followers, [--] engagements


"CVE-2017-4971 Remote Code Execution Vulnerability in the Spring Web Flow Framework -- https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html"  
[X Link](https://x.com/AndreGironda/status/886982130336538624)  2017-07-17T16:13Z [----] followers, [--] engagements


"I am in a possession of a #DerbyCon ticket that I want to sell. It's also a training ticket"  
[X Link](https://x.com/AndreGironda/status/910165011175170053)  2017-09-19T15:33Z [----] followers, [--] engagements


"HUMANs Satori Threat Intelligence and Research team has disrupted Scallywag a sophisticated ad-fraud operation using a collection of WordPress extensions to monetize digital piracy with hundreds of cashout domains and URL shorteners -- https://www.humansecurity.com/scallywag-open-redirectors/"  
[X Link](https://x.com/anyuser/status/1914504076433481885)  2025-04-22T02:18Z [----] followers, [---] engagements


"BlackSuit hybrid approach with exfiltration and encryption -- https://www.cybereason.com/blog/blacksuit-data-exfil"  
[X Link](https://x.com/anyuser/status/1944203358480609518)  2025-07-13T01:12Z [----] followers, [---] engagements


"Rainbow Hyena strikes again with new backdoor and shift in tactics -- https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9"  
[X Link](https://x.com/anyuser/status/1945525414291800163)  2025-07-16T16:46Z [----] followers, [---] engagements


"Trend Revisiting UNC3886 tactics to defend against present risk -- https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html"  
[X Link](https://x.com/AndreGironda/status/1950071014886457493)  2025-07-29T05:48Z [----] followers, [---] engagements


"@IceSolst This question is a red herring because IR and playbook craft are not equal amongst CIRTs working incidents. Most can't even provide accurate terminology or standardization on what an Incident is. Even compare to pre-2010 era DHS NCCIC. They had thresholds built into their craft"  
[X Link](https://x.com/AndreGironda/status/1952523765004611639)  2025-08-05T00:15Z [----] followers, [---] engagements


"SublimeSec Multi-RMM attack Splashtop Streamer and Atera payloads delivered via Discord CDN link -- https://sublime.security/blog/multi-rmm-attack-splashtop-streamer-and-atera-payloads-delivered-via-discord-cdn-link/"  
[X Link](https://x.com/AndreGironda/status/1952934825591255431)  2025-08-06T03:28Z [----] followers, [---] engagements


"SilentPush Unmasking Socgholish -- The report details the activities of SocGholish a Malware-as-a-Service (MaaS) operated by TA569 https://www.silentpush.com/blog/socgholish/"  
[X Link](https://x.com/anyuser/status/1953153013935423755)  2025-08-06T17:55Z [----] followers, [----] engagements


"Unpacking KiwiStealer diving into Bitter APT malware for file exfil -- https://blog.pulsedive.com/unpacking-kiwistealer-diving-into-bitter-apts-malware-for-file-exfiltration"  
[X Link](https://x.com/anyuser/status/1955692280825962846)  2025-08-13T18:05Z [----] followers, [----] engagements


"ICIT Analysis: Sowing the Seeds of US Cyber Talent -- http://icitech.org/icit-analysis-sowing-the-seeds-of-u-s-cyber-talent/"  
[X Link](https://x.com/anyuser/status/854422458438361088)  2017-04-18T19:52Z [----] followers, [--] engagements


"@FrankMcG I can name [--] SANS courses worth the money and that have no competition. I can name [--] SANS courses not worth the money and that you can learn the entire material in [--] or [--] hours of Googling"  
[X Link](https://x.com/anyuser/status/1419849064527532032)  2021-07-27T02:36Z [----] followers, [--] engagements


"@anton_chuvakin My takeaway here is that red teamers even good ones tend to reuse their craft -- including TTPs that bypass EDR (which red teamers tend to overfocus on). However these require composite indicators that build up as custom SIEM detections (oft unique to an org or business unit)"  
[X Link](https://x.com/anyuser/status/1864028831306149973)  2024-12-03T19:28Z [----] followers, [---] engagements


"@BleepinComputer @serghei There have been interactions between DPRK cyber threat actors and the ransomware scene going back to as early as [----]. This isn't their first rodeo together"  
[X Link](https://x.com/anyuser/status/1898033766876238192)  2025-03-07T15:31Z [----] followers, [---] engagements


"Ontinues CDC uncovered Storm-1811s multi-stage attack exploiting Teams vishing QuickAssist and signed DLL sideloads. The attack deploys a malicious PowerShell payload TV.dll and Node.js C2 -- https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/"  
[X Link](https://x.com/anyuser/status/1907142492845457679)  2025-04-01T18:46Z [----] followers, [---] engagements


"Trend Clone Compile Compromise -- Water Curses Open-Source Malware Trap on GitHub -- https://www.trendmicro.com/en_us/research/25/f/water-curse.html"  
[X Link](https://x.com/anyuser/status/1934629162679140532)  2025-06-16T15:08Z [----] followers, [---] engagements


"Group-IB Exploiting trust how signed drivers fuel modern kernel-level attacks on Windows -- https://www.group-ib.com/blog/kernel-driver-threats/"  
[X Link](https://x.com/anyuser/status/1942050731177234480)  2025-07-07T02:39Z [----] followers, [----] engagements


"Technical analysis of malspam campaigns targeting the defense industry delivering Snake keylogger -- https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger"  
[X Link](https://x.com/AndreGironda/status/1945945606113091882)  2025-07-17T20:36Z [----] followers, [----] engagements


"The Amnban Files inside Iran's cyber-espionage factory targeting global airlines -- https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209lang=en"  
[X Link](https://x.com/anyuser/status/1947305317437464946)  2025-07-21T14:39Z [----] followers, [---] engagements


"Aqua AI-generated malware in Panda Image hides persistent Linux threat -- https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat"  
[X Link](https://x.com/AndreGironda/status/1948402729614991853)  2025-07-24T15:19Z [----] followers, [----] engagements


"@IAMERICAbooted SecurityRiskAdvisors/letItGo is my go-to above aadinternals and those others are staples -- good call. Zetalytics and are my next in line along with spamhaus and some of their partners urlscan OTX AV http://urlquery.net http://abuse.ch http://Hunt.io"  
[X Link](https://x.com/AndreGironda/status/1954635123149906241)  2025-08-10T20:05Z [----] followers, [----] engagements


"From drone strike to file recovery. outsmarting a nation state -- https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state"  
[X Link](https://x.com/anyuser/status/1954923869145534871)  2025-08-11T15:12Z [----] followers, [---] engagements


"Pen Testing Active Directory Environments Part V: Admins and Graphs -- via @varonis https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/"  
[X Link](https://x.com/anyuser/status/849731916869681152)  2017-04-05T21:14Z [----] followers, [--] engagements


"@MsftSecIntel Do you have a blog post threat bulletin paper a set of analytic rules and/or an IOC/TTP dump Can you provide a yara on the QuasarLoader ShadowPad Webpack or other malware sighted"  
[X Link](https://x.com/AndreGironda/status/1625183502227632129)  2023-02-13T17:21Z [----] followers, [----] engagements


"@HaoZhixiang I think I found the maldoc builder for this Transparent Tribe / APT-C-56 / APT36 / Mythic Leopard jank -- https://www.virustotal.com/gui/file/b62cb4a4fe1e2a932dc7d0bf307fe4d655ef045e44cb3c24be24fdaaf1ed794e"  
[X Link](https://x.com/anyuser/status/1627884603771064320)  2023-02-21T04:15Z [----] followers, [---] engagements


"GuLoader Malware Disguised as Tax Invoices and Shipping Statements -- https://asec.ahnlab.com/en/55978/"  
[X Link](https://x.com/AndreGironda/status/1690083049550282753)  2023-08-11T19:29Z [----] followers, [---] engagements


"A First Look at ESQL -- https://docs.tenzir.com/blog/a-first-look-at-esql"  
[X Link](https://x.com/AndreGironda/status/1696397907765965092)  2023-08-29T05:42Z [----] followers, [----] engagements


"@1ZRR4H I also see these payloads same references and apparently same sources. Also see JA3 of 8c23d614aa018ed7bc6c88b545ece240"  
[X Link](https://x.com/AndreGironda/status/1849655736617390258)  2024-10-25T03:34Z [----] followers, [---] engagements


"@anton_chuvakin Not in 3+ decades of working with SIM SEM and SIEM. Never once. SIEM is a total failure. GenAI Cybersecurity tools won't find those either. People do -- and MOST of the time they're not detection engineers blue team or even cyber or infosec people at all"  
[X Link](https://x.com/anyuser/status/1864022195405525107)  2024-12-03T19:01Z [----] followers, [----] engagements


"Malware Analysis of Amadey -- https://medium.com/@psyb3rm0nk/malware-analysis-amadey-d0e32b54aee5"  
[X Link](https://x.com/AndreGironda/status/1871629975025254909)  2024-12-24T18:52Z [----] followers, [----] engagements


"@jaimeblascob "2024-11-05" "linewizeconnect.com" "2024-12-07" "moonsift.store" "2024-12-07" "readermodeext.info" "2024-12-12" "vpncity.live" "2024-12-12" "wayinai.live" "2024-12-23" "censortracker.pro" "2024-12-24" "parrottalks.info" "2024-12-25" "cyberhavenext.pro""  
[X Link](https://x.com/AndreGironda/status/1872463896742871095)  2024-12-27T02:05Z [----] followers, [----] engagements


"@notdan If by secret you mean openly-available in this report -- since late-Apr [----] https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet"  
[X Link](https://x.com/AndreGironda/status/1879310225561551245)  2025-01-14T23:30Z [----] followers, [----] engagements


"@Jhaddix With GenAI Defense and Offense are still the same double-edge. Learning to Probe Systems and People will continue to be core skills. Arch and Eng around AI must be Unix-philosophy style for proper alignment"  
[X Link](https://x.com/anyuser/status/1883167056708997494)  2025-01-25T14:56Z [----] followers, [---] engagements


"Zimperiums Coverage Against Android Malware in Donot APT Operations and Extended Indicators of Compromise -- https://www.zimperium.com/blog/android-malware-in-donot-apt-operations-and-extended-indicators-of-compromise/"  
[X Link](https://x.com/AndreGironda/status/1884251313325904144)  2025-01-28T14:44Z [----] followers, [---] engagements


"@chrissanders88 Revisit org-wide policies for Local Group Policy Object Processing. It should be set to off to prevent the following actions: Actors will open gpedit.msc to disable WinEvt/Defender logging to hide their activities or to enable multiple RDP sessions to aid access expansion"  
[X Link](https://x.com/AndreGironda/status/1884275420973142465)  2025-01-28T16:20Z [----] followers, [---] engagements


"https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f"  
[X Link](https://x.com/AndreGironda/status/1888741065034993810)  2025-02-10T00:05Z [----] followers, [---] engagements


"@chrissanders88 RedCanary also has a page for the test cases around this technique -- Graphics.CopyFromScreen CopyFromScreen xwd or screencapture being key method instantiators http://System.Drawing.Graphics https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"  
[X Link](https://x.com/AndreGironda/status/1896948122972226041)  2025-03-04T15:37Z [----] followers, [---] engagements


"Ghostwriter UAC-0173 resumes intrusions vs Ukrainian notary offices via DarkCrystalRat -- https://cyble.com/blog/uac-0173-targeted-cyberattacks-on-ua-notary/"  
[X Link](https://x.com/AndreGironda/status/1897675735256773085)  2025-03-06T15:48Z [----] followers, [----] engagements


"@ImposeCost SpecterOps and NetSPI. Chronicle Splunk and Sigma all have giant free github repos full of Azure detections. If you need help with one please ask me. is also very good -- take a few -- and the Antisyphon ones can even be free last I checked http://NetworkDefense.io"  
[X Link](https://x.com/anyuser/status/1897777980589719671)  2025-03-06T22:35Z [----] followers, [----] engagements


"Working cyber kill chains and diamond models against 0-day crisis which is putting tens of thousands at risk -- https://osintteam.blog/threat-intelligence-a-deep-dive-into-cyber-kill-chains-diamond-models-and-the-zero-day-crisis-b55d9277b07b"  
[X Link](https://x.com/AndreGironda/status/1899104372623306760)  2025-03-10T14:25Z [----] followers, [---] engagements


"@MalwareJake Asked the CobaltStrike team to look into this back in [----]. Wish they got around to it sooner it's been a decade too-late"  
[X Link](https://x.com/AndreGironda/status/1899104912551936125)  2025-03-10T14:27Z [----] followers, [---] engagements


"ProofPoint Remote Monitoring and Management (RMM) tooling as threat actor first-choice -- https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice"  
[X Link](https://x.com/AndreGironda/status/1899482316864389194)  2025-03-11T15:27Z [----] followers, [---] engagements


"Azure log entry to look for when a threat actor is in -- https://www.hecfblog.com/2025/03/daily-blog-775-azure-log-entry-to-look.html"  
[X Link](https://x.com/AndreGironda/status/1900045342265237869)  2025-03-13T04:44Z [----] followers, [---] engagements


"AnubisBackdoor -- https://medium.com/@keontrewalker/new-threat-alert-anubisbackdoor-238a1fdb905b"  
[X Link](https://x.com/AndreGironda/status/1900061766920593720)  2025-03-13T05:50Z [----] followers, [---] engagements


"Veriti OpenAI under attack -- CVE-2024-27564 actively-exploited in-the wild -- https://veriti.ai/blog/cve-2024-27564-actively-exploited/"  
[X Link](https://x.com/AndreGironda/status/1901818083737801206)  2025-03-18T02:08Z [----] followers, [----] engagements


"@_RastaMouse itm4n/PrivescCheck RealBlindingEDR Reaper CVE-2022-34709 and (indirectly) -- swisskyrepo/SharpLAPS rdps-remote-credential-guard-with-rubeus-ptt (bypass RCG) plus Outflank"  
[X Link](https://x.com/anyuser/status/1902133648301945150)  2025-03-18T23:02Z [----] followers, [----] engagements


"Adversary-in-the-middle (AitM) -- DNS workings of Sneaky2FA -- https://circleid.com/posts/sneaking-a-peek-into-the-inner-dns-workings-of-sneaky-2fa"  
[X Link](https://x.com/AndreGironda/status/1902423837406626247)  2025-03-19T18:16Z [----] followers, [---] engagements


"Unboxing Anubis exploring the stealthy tactics of FIN7 -- https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor"  
[X Link](https://x.com/AndreGironda/status/1902760375784968238)  2025-03-20T16:33Z [----] followers, [---] engagements


"Rilide -- https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension"  
[X Link](https://x.com/anyuser/status/1903109108544557253)  2025-03-21T15:39Z [----] followers, [----] engagements


"@greglesnewich YaraFlux GhidraMCP r2ai and I can think of a few others. Did you know there are quantized models such as Lily-Cybersecurity Have you tried openrouter llama-index"  
[X Link](https://x.com/AndreGironda/status/1904716708843323745)  2025-03-26T02:07Z [----] followers, [---] engagements


"https://medium.com/@pavol.kluka/network-traffic-analysis-exercise-how-to-deploy-a-fake-authenticatoor-0968077ed8eb"  
[X Link](https://x.com/AndreGironda/status/1907801582231761082)  2025-04-03T14:25Z [----] followers, [---] engagements


"Hijacking TypeLib for persistence -- https://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/"  
[X Link](https://x.com/AndreGironda/status/1911778719154545137)  2025-04-14T13:49Z [----] followers, [---] engagements


"FingerprintJS and Cleave.js Toll-of-Deception lures -- Where evasion drives phishing forward -- https://www.group-ib.com/blog/toll-of-deception/"  
[X Link](https://x.com/AndreGironda/status/1915238697660006618)  2025-04-24T02:57Z [----] followers, [---] engagements


"How AI services power the DPRKs IT contracting scams -- https://sec.okta.com/articles/2025/04/GenAIDPRK/"  
[X Link](https://x.com/AndreGironda/status/1915503300897829258)  2025-04-24T20:29Z [----] followers, [---] engagements


"Opswat Security analysis of Rack Ruby Framework -- CVE-2025-25184 CVE-2025-27111 and CVE-2025-27610 -- https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610"  
[X Link](https://x.com/AndreGironda/status/1916912842831499642)  2025-04-28T17:50Z [----] followers, [---] engagements


"OceanLotus APT32 attacks GitHub targeting national cybersecurity professionals and specific large enterprises -- APT32 GitHub -- https://www.ctfiot.com/236884.html"  
[X Link](https://x.com/AndreGironda/status/1917258808403058779)  2025-04-29T16:44Z [----] followers, [----] engagements


"Hunting malicious desktop files with Google Threat Intelligence which is sort of like VirusTotal -- https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333"  
[X Link](https://x.com/AndreGironda/status/1921971975380947054)  2025-05-12T16:53Z [----] followers, [---] engagements


"Flashpoint Uncovering the DPRK's remote IT Worker fraud scheme -- https://flashpoint.io/blog/flashpoint-investigation-uncovering-the-dprks-remote-it-worker-fraud-scheme/"  
[X Link](https://x.com/AndreGironda/status/1922142132036370727)  2025-05-13T04:09Z [----] followers, [---] engagements


"@banthisguy9349 zetalytics hunt-io spur-us urlscan-io hunting_abuse-ch threatfox_abuse-ch urlhaus_abuse-ch bazaar_abuse-ch shodan trends_shodan virustotal/gui/hunting hybrid-analysis malpedia otx.alienvault Securonix/AutonomousThreatSweeper inoreader raycast_cyberchef threatbook"  
[X Link](https://x.com/AndreGironda/status/1935843271013810300)  2025-06-19T23:32Z [----] followers, [----] engagements


"@chrissanders88 macOS logs are stored in tracev3 formatted files in /var/db/diagnostics -- accessible and binary-parsed via log show --last 24h grep -i '.onion' and similar logics. macos/execution_initial_access_suspicious_browser_childproc from Elastic protect tags ATT&CK Initial Access"  
[X Link](https://x.com/anyuser/status/1937521570026778922)  2025-06-24T14:41Z [----] followers, [---] engagements


"@chrissanders88 APT38's COVERTCATCH/RUSTBUCKET malwares and the intrusion craft of DPRK actor sets targeting macOS over recent years is likely. UNC1069 the tied-in North Korean financial crime group is steeped in malicious LONEJOGGER shortcuts which load LONERUNNER WHITEHAUL or POWERHOUSE"  
[X Link](https://x.com/AndreGironda/status/1937523457279033661)  2025-06-24T14:49Z [----] followers, [---] engagements


"Qilin rising ransomware threat using tailored attacks to quietly cripple targets -- https://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/"  
[X Link](https://x.com/AndreGironda/status/1939731131651490182)  2025-06-30T17:01Z [----] followers, [---] engagements


"FortiNet DCRat using Columbia government lure -- https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government"  
[X Link](https://x.com/anyuser/status/1940097314091360317)  2025-07-01T17:16Z [----] followers, [---] engagements


"Arctic Wolf Malvertising campaign delivers Oyster/Broomstick backdoor via SEO-poisoning -- https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools"  
[X Link](https://x.com/AndreGironda/status/1940905385948508501)  2025-07-03T22:47Z [----] followers, [---] engagements


"ASEC Xworm distributed with steganography -- https://asec.ahnlab.com/en/88885"  
[X Link](https://x.com/AndreGironda/status/1942249250899030294)  2025-07-07T15:48Z [----] followers, [---] engagements


"PolySwarm SparkKitty targets mobile users with cross-platform espionage -- https://blog.polyswarm.io/sparkkitty-trojan-targets-mobile-users-with-cross-platform-espionage"  
[X Link](https://x.com/AndreGironda/status/1942672789917557049)  2025-07-08T19:51Z [----] followers, [---] engagements


"MoonLock Labs New North Korean malware targets crypto startups via fake Zoom invites -- https://moonlock.com/malware-fake-zoom-invites"  
[X Link](https://x.com/anyuser/status/1944045769121837090)  2025-07-12T14:46Z [----] followers, [---] engagements


"0xCH4S3 Hunting China-nexus threat actor -- https://0xch4s3.gitbook.io/0xch4s3-or-threat-research/adversary-hunting/hunting-china-nexus-threat-actor"  
[X Link](https://x.com/anyuser/status/1944807459287392539)  2025-07-14T17:13Z [----] followers, [----] engagements


"Likely Belarus-nexus threat actor delivers loader to Poland -- https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland"  
[X Link](https://x.com/anyuser/status/1944807899932582123)  2025-07-14T17:15Z [----] followers, [---] engagements


"PolySwarm NimDoor macOS malware -- https://blog.polyswarm.io/nimdoor-macos-malware"  
[X Link](https://x.com/AndreGironda/status/1944842098894888975)  2025-07-14T19:31Z [----] followers, [---] engagements


"Unmasking malicious APKs Android malware blending click fraud and credential theft -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-malicious-apks-android-malware-blending-click-fraud-and-credential-theft"  
[X Link](https://x.com/AndreGironda/status/1946230523631894532)  2025-07-18T15:28Z [----] followers, [---] engagements


""According to a statement made by ShinyHunters yesterday . Scattered Spider and . they are one and the same" -- https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/"  
[X Link](https://x.com/anyuser/status/1952166414531666283)  2025-08-04T00:35Z [----] followers, [----] engagements


"RoKRAT shellcode and steganographic -- https://www.genians.co.kr/blog/threat_intelligence/rokrat_shellcode_steganographic"  
[X Link](https://x.com/AndreGironda/status/1952359434258411691)  2025-08-04T13:22Z [----] followers, [---] engagements


"Lazarus hackers trick users into believing their camera or microphone is blocked to deliver PylangGhostRat -- https://cybersecuritynews.com/lazarus-pylangghost-rat"  
[X Link](https://x.com/anyuser/status/1953171500263195091)  2025-08-06T19:09Z [----] followers, [---] engagements


"FortiNet Odyssey Stealer ClickFix malware attacks macOS users for creds and crypto wallets -- https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users"  
[X Link](https://x.com/anyuser/status/1953832034251538851)  2025-08-08T14:53Z [----] followers, [----] engagements


"@chrissanders88 Link the network traffic to the process and then dump either the process memory locate the file(s) associated with the process (ideally both) and check artifacts such as SRUM that indicate this activity further. I also would dump kernel mem"  
[X Link](https://x.com/anyuser/status/1955294678607188432)  2025-08-12T15:45Z [----] followers, [---] engagements


"Lazarus APT tactics targeting the developers' supply chain in Operation Silent Recruiter -- https://www.securityjoes.com/post/operation-silent-recruiter-over-50-github-accounts-tied-to-lazarus-fake-recruiter-campaign"  
[X Link](https://x.com/AndreGironda/status/1956096799028208011)  2025-08-14T20:53Z [----] followers, [---] engagements


"PolySwarm Recent ransomware threats to the healthcare vertical -- https://blog.polyswarm.io/recent-ransomware-threats-to-the-healthcare-vertical"  
[X Link](https://x.com/AndreGironda/status/1965123998058250567)  2025-09-08T18:44Z [----] followers, [---] engagements


"Shai-Hulud V2 poses risk to NPM supply chain -- https://www.zscaler.com/blogs/security-research/shai-hulud-v2-poses-risk-npm-supply-chain"  
[X Link](https://x.com/AndreGironda/status/1996236529094774879)  2025-12-03T15:14Z [----] followers, [---] engagements


"PolySwarm Variant of ClayRat transmutes -- https://blog.polyswarm.io/a-new-variant-of-clayrat-transmutes"  
[X Link](https://x.com/AndreGironda/status/1999559068168655045)  2025-12-12T19:16Z [----] followers, [---] engagements


"Automating Security at Slack -- https://www.infoq.com/presentations/security-slack"  
[X Link](https://x.com/AndreGironda/status/754793929162174464)  2016-07-17T21:44Z [----] followers, [--] engagements


"How to Bypass Anti-Virus to Run Mimikatz -- via @BHInfoSecurity http://www.blackhillsinfosec.com/p=5555"  
[X Link](https://x.com/AndreGironda/status/828682813679341568)  2017-02-06T19:12Z [----] followers, [--] engagements


"Exploring The Gap Between Cybersecurity Perception And Reality -- http://www.forbes.com/sites/tonybradley/2017/03/09/exploring-the-gap-between-cybersecurity-perception-and-reality/"  
[X Link](https://x.com/AndreGironda/status/840356501646594048)  2017-03-11T00:19Z [----] followers, [--] engagements


"Fileless UAC Bypass using CompMgmtLauncher.exe -- http://x42.obscurechannel.com/p=368"  
[X Link](https://x.com/AndreGironda/status/841870615334293505)  2017-03-15T04:36Z [----] followers, [---] engagements


"iOS vs. Android: Physical Data Extraction and Data Protection Compared -- https://blog.elcomsoft.com/2017/10/ios-vs-android-physical-data-extraction-and-data-protection-compared/"  
[X Link](https://x.com/AndreGironda/status/922588190753505280)  2017-10-23T22:19Z [----] followers, [--] engagements


"@_RastaMouse itm4n/PrivescCheck RealBlindingEDR Reaper CVE-2022-34709 and (indirectly) -- swisskyrepo/SharpLAPS rdps-remote-credential-guard-with-rubeus-ptt (bypass RCG) plus Outflank"  
[X Link](https://x.com/anyuser/status/1902133648301945150)  2025-03-18T23:02Z [----] followers, [----] engagements


"Malware Analysis of Amadey -- https://medium.com/@psyb3rm0nk/malware-analysis-amadey-d0e32b54aee5"  
[X Link](https://x.com/AndreGironda/status/1871629975025254909)  2024-12-24T18:52Z [----] followers, [----] engagements


"Identifying and Defending Against Qakbot's Evolving TTPs -- http://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps"  
[X Link](https://x.com/anyuser/status/1598179614928818176)  2022-12-01T04:58Z [----] followers, [---] engagements


"APT37 mobile malware -- https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37"  
[X Link](https://x.com/AndreGironda/status/1899867841949786113)  2025-03-12T16:59Z [----] followers, [----] engagements


"@ImposeCost SpecterOps and NetSPI. Chronicle Splunk and Sigma all have giant free github repos full of Azure detections. If you need help with one please ask me. is also very good -- take a few -- and the Antisyphon ones can even be free last I checked http://NetworkDefense.io"  
[X Link](https://x.com/anyuser/status/1897777980589719671)  2025-03-06T22:35Z [----] followers, [----] engagements


"SilentPush Unmasking Socgholish -- The report details the activities of SocGholish a Malware-as-a-Service (MaaS) operated by TA569 https://www.silentpush.com/blog/socgholish/"  
[X Link](https://x.com/anyuser/status/1953153013935423755)  2025-08-06T17:55Z [----] followers, [----] engagements


"Technical analysis of malspam campaigns targeting the defense industry delivering Snake keylogger -- https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger"  
[X Link](https://x.com/AndreGironda/status/1945945606113091882)  2025-07-17T20:36Z [----] followers, [----] engagements


"@IAMERICAbooted SecurityRiskAdvisors/letItGo is my go-to above aadinternals and those others are staples -- good call. Zetalytics and are my next in line along with spamhaus and some of their partners urlscan OTX AV http://urlquery.net http://abuse.ch http://Hunt.io"  
[X Link](https://x.com/AndreGironda/status/1954635123149906241)  2025-08-10T20:05Z [----] followers, [----] engagements


"Rilide -- https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension"  
[X Link](https://x.com/anyuser/status/1903109108544557253)  2025-03-21T15:39Z [----] followers, [----] engagements


"The Open-Source Cybersecurity Playbook -- https://www.barkly.com/comprehensive-it-security-plan"  
[X Link](https://x.com/AndreGironda/status/804407057759641600)  2016-12-01T19:29Z [----] followers, [--] engagements


"@anton_chuvakin Not in 3+ decades of working with SIM SEM and SIEM. Never once. SIEM is a total failure. GenAI Cybersecurity tools won't find those either. People do -- and MOST of the time they're not detection engineers blue team or even cyber or infosec people at all"  
[X Link](https://x.com/anyuser/status/1864022195405525107)  2024-12-03T19:01Z [----] followers, [----] engagements


"ICIT Analysis: Signature-based Malware Detection is Dead -- http://icitech.org/icit-analysis-signature-based-malware-detection-is-dead/"  
[X Link](https://x.com/AndreGironda/status/829742988129480706)  2017-02-09T17:25Z [----] followers, [--] engagements


"PowerShell Security: PowerShell Attack Tools Mitigation & Detection -- https://adsecurity.org/p=2921"  
[X Link](https://x.com/anyuser/status/764670820970921984)  2016-08-14T03:51Z [----] followers, [--] engagements


"@nullenc0de I use this exact technique but generally will set the Host header and use the IP in the -u to speed it up just a bit more. ffuf is the fastest around and -ac has an excellent analyzer that produces basically-zero errors"  
[X Link](https://x.com/AndreGironda/status/1417667422002114562)  2021-07-21T02:07Z [----] followers, [--] engagements


"@jaimeblascob "2024-11-05" "linewizeconnect.com" "2024-12-07" "moonsift.store" "2024-12-07" "readermodeext.info" "2024-12-12" "vpncity.live" "2024-12-12" "wayinai.live" "2024-12-23" "censortracker.pro" "2024-12-24" "parrottalks.info" "2024-12-25" "cyberhavenext.pro""  
[X Link](https://x.com/AndreGironda/status/1872463896742871095)  2024-12-27T02:05Z [----] followers, [----] engagements


"@nullenc0de Thank you. I create custom lists after initial targeting with Photon. merge_webpath_list sorts from several sources namely leaky-paths ffufplus commonspeak2 SecLists Sn1per RobotsDisallowed and assetnote lists. Tweak further with GoldenNuggets-1 + IIS-ShortName-Scanner"  
[X Link](https://x.com/anyuser/status/1417675703982592002)  2021-07-21T02:40Z [----] followers, [--] engagements


"@MalwareJake Asked the CobaltStrike team to look into this back in [----]. Wish they got around to it sooner it's been a decade too-late"  
[X Link](https://x.com/AndreGironda/status/1899104912551936125)  2025-03-10T14:27Z [----] followers, [---] engagements


"GuLoader Malware Disguised as Tax Invoices and Shipping Statements -- https://asec.ahnlab.com/en/55978/"  
[X Link](https://x.com/AndreGironda/status/1690083049550282753)  2023-08-11T19:29Z [----] followers, [---] engagements


"@notdan If by secret you mean openly-available in this report -- since late-Apr [----] https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet"  
[X Link](https://x.com/AndreGironda/status/1879310225561551245)  2025-01-14T23:30Z [----] followers, [----] engagements


"Azure log entry to look for when a threat actor is in -- https://www.hecfblog.com/2025/03/daily-blog-775-azure-log-entry-to-look.html"  
[X Link](https://x.com/AndreGironda/status/1900045342265237869)  2025-03-13T04:44Z [----] followers, [---] engagements


"Unpacking KiwiStealer diving into Bitter APT malware for file exfil -- https://blog.pulsedive.com/unpacking-kiwistealer-diving-into-bitter-apts-malware-for-file-exfiltration"  
[X Link](https://x.com/anyuser/status/1955692280825962846)  2025-08-13T18:05Z [----] followers, [----] engagements


"Group-IB Exploiting trust how signed drivers fuel modern kernel-level attacks on Windows -- https://www.group-ib.com/blog/kernel-driver-threats/"  
[X Link](https://x.com/anyuser/status/1942050731177234480)  2025-07-07T02:39Z [----] followers, [----] engagements


"Aqua AI-generated malware in Panda Image hides persistent Linux threat -- https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat"  
[X Link](https://x.com/AndreGironda/status/1948402729614991853)  2025-07-24T15:19Z [----] followers, [----] engagements


"SublimeSec Multi-RMM attack Splashtop Streamer and Atera payloads delivered via Discord CDN link -- https://sublime.security/blog/multi-rmm-attack-splashtop-streamer-and-atera-payloads-delivered-via-discord-cdn-link/"  
[X Link](https://x.com/AndreGironda/status/1952934825591255431)  2025-08-06T03:28Z [----] followers, [---] engagements


"BlackSuit hybrid approach with exfiltration and encryption -- https://www.cybereason.com/blog/blacksuit-data-exfil"  
[X Link](https://x.com/anyuser/status/1944203358480609518)  2025-07-13T01:12Z [----] followers, [---] engagements


"From drone strike to file recovery. outsmarting a nation state -- https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state"  
[X Link](https://x.com/anyuser/status/1954923869145534871)  2025-08-11T15:12Z [----] followers, [---] engagements


"Working cyber kill chains and diamond models against 0-day crisis which is putting tens of thousands at risk -- https://osintteam.blog/threat-intelligence-a-deep-dive-into-cyber-kill-chains-diamond-models-and-the-zero-day-crisis-b55d9277b07b"  
[X Link](https://x.com/AndreGironda/status/1899104372623306760)  2025-03-10T14:25Z [----] followers, [---] engagements


"@MsftSecIntel Do you have a blog post threat bulletin paper a set of analytic rules and/or an IOC/TTP dump Can you provide a yara on the QuasarLoader ShadowPad Webpack or other malware sighted"  
[X Link](https://x.com/AndreGironda/status/1625183502227632129)  2023-02-13T17:21Z [----] followers, [----] engagements


"@chrissanders88 Revisit org-wide policies for Local Group Policy Object Processing. It should be set to off to prevent the following actions: Actors will open gpedit.msc to disable WinEvt/Defender logging to hide their activities or to enable multiple RDP sessions to aid access expansion"  
[X Link](https://x.com/AndreGironda/status/1884275420973142465)  2025-01-28T16:20Z [----] followers, [---] engagements


"@Jhaddix With GenAI Defense and Offense are still the same double-edge. Learning to Probe Systems and People will continue to be core skills. Arch and Eng around AI must be Unix-philosophy style for proper alignment"  
[X Link](https://x.com/anyuser/status/1883167056708997494)  2025-01-25T14:56Z [----] followers, [---] engagements


"ICIT Analysis: Sowing the Seeds of US Cyber Talent -- http://icitech.org/icit-analysis-sowing-the-seeds-of-u-s-cyber-talent/"  
[X Link](https://x.com/anyuser/status/854422458438361088)  2017-04-18T19:52Z [----] followers, [--] engagements


"Unboxing Anubis exploring the stealthy tactics of FIN7 -- https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor"  
[X Link](https://x.com/AndreGironda/status/1902760375784968238)  2025-03-20T16:33Z [----] followers, [---] engagements


"Ontinue's CDC uncovered Storm-1811's multi-stage attack exploiting Teams vishing QuickAssist and signed DLL sideloads. The attack deploys a malicious PowerShell payload TV.dll and Node.js C2 -- https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/"  
[X Link](https://x.com/anyuser/status/1907142492845457679)  2025-04-01T18:46Z [----] followers, [---] engagements


"@FrankMcG I can name [--] SANS courses worth the money and that have no competition. I can name [--] SANS courses not worth the money and that you can learn the entire material in [--] or [--] hours of Googling"  
[X Link](https://x.com/anyuser/status/1419849064527532032)  2021-07-27T02:36Z [----] followers, [--] engagements


"https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f"  
[X Link](https://x.com/AndreGironda/status/1888741065034993810)  2025-02-10T00:05Z [----] followers, [---] engagements


"@1ZRR4H I also see these payloads same references and apparently same sources. Also see JA3 of 8c23d614aa018ed7bc6c88b545ece240"  
[X Link](https://x.com/AndreGironda/status/1849655736617390258)  2024-10-25T03:34Z [----] followers, [---] engagements


"HUMAN's Satori Threat Intelligence and Research team has disrupted Scallywag a sophisticated ad-fraud operation using a collection of WordPress extensions to monetize digital piracy with hundreds of cashout domains and URL shorteners -- https://www.humansecurity.com/scallywag-open-redirectors/"  
[X Link](https://x.com/anyuser/status/1914504076433481885)  2025-04-22T02:18Z [----] followers, [---] engagements


"@BleepinComputer @serghei There have been interactions between DPRK cyber threat actors and the ransomware scene going back to as early as [----]. This isn't their first rodeo together"  
[X Link](https://x.com/anyuser/status/1898033766876238192)  2025-03-07T15:31Z [----] followers, [---] engagements


"@HaoZhixiang I think I found the maldoc builder for this Transparent Tribe / APT-C-56 / APT36 / Mythic Leopard jank -- https://www.virustotal.com/gui/file/b62cb4a4fe1e2a932dc7d0bf307fe4d655ef045e44cb3c24be24fdaaf1ed794e"  
[X Link](https://x.com/anyuser/status/1627884603771064320)  2023-02-21T04:15Z [----] followers, [---] engagements


"@MichalKoczwara search tag:cve-2021-40444 on VT (yara retrohunting pulls these) you'll also see asdasdas.com caribarena.com exployt.com and vitlescaux.com -- much more interesting than dodefoh.com hidusi.com and joxinu.com although pawevi.com is in a class of its own"  
[X Link](https://x.com/anyuser/status/1437206134037704707)  2021-09-13T00:06Z [----] followers, [--] engagements


"FortiNet DCRat using Columbia government lure -- https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government"  
[X Link](https://x.com/anyuser/status/1940097314091360317)  2025-07-01T17:16Z [----] followers, [---] engagements


"Likely Belarus-nexus threat actor delivers loader to Poland -- https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland"  
[X Link](https://x.com/anyuser/status/1944807899932582123)  2025-07-14T17:15Z [----] followers, [---] engagements


"Arctic Wolf Malvertising campaign delivers Oyster/Broomstick backdoor via SEO-poisoning -- https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools"  
[X Link](https://x.com/AndreGironda/status/1940905385948508501)  2025-07-03T22:47Z [----] followers, [---] engagements


"Exploring The Gap Between Cybersecurity Perception And Reality -- http://www.forbes.com/sites/tonybradley/2017/03/09/exploring-the-gap-between-cybersecurity-perception-and-reality/ http://www.forbes.com/sites/tonybradley/2017/03/09/exploring-the-gap-between-cybersecurity-perception-and-reality/"  
[X Link](https://x.com/AndreGironda/status/840356501646594048)  2017-03-11T00:19Z [----] followers, [--] engagements


"CVE-2017-4971 Remote Code Execution Vulnerability in the Spring Web Flow Framework -- https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html"  
[X Link](https://x.com/AndreGironda/status/886982130336538624)  2017-07-17T16:13Z [----] followers, [--] engagements


"MoonLock Labs New North Korean malware targets crypto startups via fake Zoom invites -- https://moonlock.com/malware-fake-zoom-invites https://moonlock.com/malware-fake-zoom-invites"  
[X Link](https://x.com/anyuser/status/1944045769121837090)  2025-07-12T14:46Z [----] followers, [---] engagements


"IPython Support for Binary Ninja https://insinuator.net/2018/08/ipython-support-for-binary-ninja/ https://insinuator.net/2018/08/ipython-support-for-binary-ninja/"  
[X Link](https://x.com/AndreGironda/status/1031551803282743296)  2018-08-20T14:41Z [----] followers, [--] engagements


"Trend Clone Compile Compromise -- Water Curses Open-Source Malware Trap on GitHub -- https://www.trendmicro.com/en_us/research/25/f/water-curse.html https://www.trendmicro.com/en_us/research/25/f/water-curse.html"  
[X Link](https://x.com/anyuser/status/1934629162679140532)  2025-06-16T15:08Z [----] followers, [---] engagements


"A First Look at ESQL -- https://docs.tenzir.com/blog/a-first-look-at-esql https://docs.tenzir.com/blog/a-first-look-at-esql"  
[X Link](https://x.com/AndreGironda/status/1696397907765965092)  2023-08-29T05:42Z [----] followers, [----] engagements


"The Amnban Files inside Iran's cyber-espionage factory targeting global airlines -- https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209lang=en https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209lang=en"  
[X Link](https://x.com/anyuser/status/1947305317437464946)  2025-07-21T14:39Z [----] followers, [---] engagements


"@anton_chuvakin My takeaway here is that red teamers even good ones tend to reuse their craft -- including TTPs that bypass EDR (which red teamers tend to overfocus on). However these require composite indicators that build up as custom SIEM detections (oft unique to an org or business unit)"  
[X Link](https://x.com/anyuser/status/1864028831306149973)  2024-12-03T19:28Z [----] followers, [---] engagements


"@chrissanders88 Could be a C2 config being pulled down in order to consume (by the malware) and then use as transports likely connecting to one a time either first last or selected randomly from the list; trying the others when the initial(s) don't connect. Onimai malware uses Gist this way"  
[X Link](https://x.com/anyuser/status/1927467638784925703)  2025-05-27T20:51Z [----] followers, [---] engagements


"@RedTeamTactics Downloading malicious logic is an Event. Executing or Installing malicious logic are Incidents. Events can lead to Incidents but only Incidents come with a promise of "cleanup on aisle four""  
[X Link](https://x.com/AndreGironda/status/1919078620603068636)  2025-05-04T17:16Z [----] followers, [---] engagements


"jenkins to meterpreter toying with powersploit -- https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/ https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/"  
[X Link](https://x.com/anyuser/status/825058653665320961)  2017-01-27T19:11Z [----] followers, [--] engagements


"@IceSolst This question is a red herring because IR and playbook craft are not equal amongst CIRTs working incidents. Most can't even provide accurate terminology or standardization on what an Incident is. Even compare to pre-2010 era DHS NCCIC. They had thresholds built into their craft"  
[X Link](https://x.com/AndreGironda/status/1952523765004611639)  2025-08-05T00:15Z [----] followers, [---] engagements


"ProofPoint Remote Monitoring and Management (RMM) tooling as threat actor first-choice -- https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice"  
[X Link](https://x.com/AndreGironda/status/1899482316864389194)  2025-03-11T15:27Z [----] followers, [---] engagements


"How AI services power the DPRKs IT contracting scams -- https://sec.okta.com/articles/2025/04/GenAIDPRK/ https://sec.okta.com/articles/2025/04/GenAIDPRK/"  
[X Link](https://x.com/AndreGironda/status/1915503300897829258)  2025-04-24T20:29Z [----] followers, [---] engagements


"Ghostwriter UAC-0173 resumes intrusions vs Ukrainian notary offices via DarkCrystalRat -- https://cyble.com/blog/uac-0173-targeted-cyberattacks-on-ua-notary/ https://cyble.com/blog/uac-0173-targeted-cyberattacks-on-ua-notary/"  
[X Link](https://x.com/AndreGironda/status/1897675735256773085)  2025-03-06T15:48Z [----] followers, [----] engagements


"@ImposeCost Packets sighted to a known-live C2 server -- whether acting as a blind-drop or not -- matching IPv4 with the corresponding name-service resolving is a substantial notable (or observable) but I agree it's not immediately an IOC confirmed intrusion etc. You're investigating"  
[X Link](https://x.com/AndreGironda/status/1902121947779231866)  2025-03-18T22:16Z [----] followers, [---] engagements


"Veriti OpenAI under attack -- CVE-2024-27564 actively-exploited in-the wild -- https://veriti.ai/blog/cve-2024-27564-actively-exploited/ https://veriti.ai/blog/cve-2024-27564-actively-exploited/"  
[X Link](https://x.com/AndreGironda/status/1901818083737801206)  2025-03-18T02:08Z [----] followers, [----] engagements


"@banthisguy9349 The construction and setup-teardown of scam-centric lures infrastructure capabilities and results has caused would-be malware devops to shift toward lure-based scams over credphish and over malicious logic. It's now cheaper to deploy a scamkit than a phishkit or a distnet"  
[X Link](https://x.com/AndreGironda/status/1913221079436325184)  2025-04-18T13:20Z [----] followers, [---] engagements


"Hunting malicious desktop files with Google Threat Intelligence which is sort of like VirusTotal -- https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333 https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333"  
[X Link](https://x.com/AndreGironda/status/1921971975380947054)  2025-05-12T16:53Z [----] followers, [---] engagements


"Windows Incident Response: Understanding What The Data Is Telling You -- http://windowsir.blogspot.com/2017/04/understanding-what-data-is-telling-you.html http://windowsir.blogspot.com/2017/04/understanding-what-data-is-telling-you.html"  
[X Link](https://x.com/anyuser/status/851433530823290880)  2017-04-10T13:55Z [----] followers, [--] engagements


"Trend Revisiting UNC3886 tactics to defend against present risk -- https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html"  
[X Link](https://x.com/AndreGironda/status/1950071014886457493)  2025-07-29T05:48Z [----] followers, [---] engagements


"Rainbow Hyena strikes again with new backdoor and shift in tactics -- https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9 https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9"  
[X Link](https://x.com/anyuser/status/1945525414291800163)  2025-07-16T16:46Z [----] followers, [---] engagements


"AnubisBackdoor -- https://medium.com/@keontrewalker/new-threat-alert-anubisbackdoor-238a1fdb905b https://medium.com/@keontrewalker/new-threat-alert-anubisbackdoor-238a1fdb905b"  
[X Link](https://x.com/AndreGironda/status/1900061766920593720)  2025-03-13T05:50Z [----] followers, [---] engagements


"The Bybit intrusion by actor UNC4899 in Feb [----] involved unauth access to Ethereum cold wallets. Attackers compromised a SafeWallet developer machine manipulated transactions and exploited smart contracts to steal 400kETH sans multisig approval -- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack https://www.sygnia.co/blog/sygnia-investigation-bybit-hack"  
[X Link](https://x.com/anyuser/status/1901753324963323992)  2025-03-17T21:51Z [----] followers, [---] engagements


"TA577-associated NTLM-hash cred-style intrusions -- https://darktrace.com/blog/hashing-out-ta577-darktraces-detection-of-ntlm-hash-theft https://darktrace.com/blog/hashing-out-ta577-darktraces-detection-of-ntlm-hash-theft"  
[X Link](https://x.com/anyuser/status/1905657690954891288)  2025-03-28T16:26Z [----] followers, [---] engagements


"@chrissanders88 RedCanary also has a page for the test cases around this technique -- -- Graphics.CopyFromScreen CopyFromScreen xwd or screencapture being key method instantiators http://System.Drawing.Graphics https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md http://System.Drawing.Graphics https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"  
[X Link](https://x.com/AndreGironda/status/1896948122972226041)  2025-03-04T15:37Z [----] followers, [---] engagements


"@nullenc0de Thank you. I create custom lists after initial targeting with Photon. merge_webpath_list sorts from several sources namely leaky-paths ffufplus commonspeak2 SecLists Sn1per RobotsDisallowed and assetnote lists. Tweak further with GoldenNuggets-1 + IIS-ShortName-Scanner"
X Link 2021-07-21T02:40Z [----] followers, [--] engagements

"@MichalKoczwara search tag:cve-2021-40444 on VT (yara retrohunting pulls these) you'll also see asdasdas.com caribarena.com exployt.com and vitlescaux.com -- much more interesting than dodefoh.com hidusi.com and joxinu.com although pawevi.com is in a class of its own"
X Link 2021-09-13T00:06Z [----] followers, [--] engagements

"@RedTeamTactics Downloading malicious logic is an Event. Executing or Installing malicious logic are Incidents. Events can lead to Incidents but only Incidents come with a promise of "cleanup on aisle four""
X Link 2025-05-04T17:16Z [----] followers, [---] engagements

"@chrissanders88 Could be a C2 config being pulled down in order to consume (by the malware) and then use as transports likely connecting to one a time either first last or selected randomly from the list; trying the others when the initial(s) don't connect. Onimai malware uses Gist this way"
X Link 2025-05-27T20:51Z [----] followers, [---] engagements

"Trend Investigation of AWS credential leaks via container infrastructure -- https://www.trendmicro.com/en_us/research/25/f/aws-credential-exposure-overprivileged-containers.html https://www.trendmicro.com/en_us/research/25/f/aws-credential-exposure-overprivileged-containers.html"
X Link 2025-06-23T02:20Z [----] followers, [---] engagements

"KazakRat your malware my c2 -- https://ctrlaltintel.com/threat%20research/KazakRAT/ https://ctrlaltintel.com/threat%20research/KazakRAT/"
X Link 2026-01-30T10:31Z [----] followers, [--] engagements

"Storm-1811 and PhantomCaptcha complex cybercrime ecosystem levers Microsoft Teams voice-phishing campaign for execution of Quick Assist -- https://fieldeffect.com/blog/quick-you-need-assistance https://fieldeffect.com/blog/quick-you-need-assistance"
X Link 2026-02-02T13:25Z [----] followers, [---] engagements

"Malicious use of virtual machine infrastructure -- https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure"
X Link 2026-02-04T14:42Z [----] followers, [---] engagements

"Brew Hijack serving malware over Homebrews core tap -- https://www.koi.ai/blog/brew-hijack-serving-malware https://www.koi.ai/blog/brew-hijack-serving-malware"
X Link 2026-02-04T14:50Z [----] followers, [---] engagements

"Quick Howto extract URLs from RTF files -- https://isc.sans.edu/forums/diary/Quick+Howto+Extract+URLs+from+RTF+files/32692/ https://isc.sans.edu/forums/diary/Quick+Howto+Extract+URLs+from+RTF+files/32692/"
X Link 2026-02-09T15:49Z [----] followers, [---] engagements

"More than 135k OpenClaw instances exposed to internet in latest vibe-coded disaster -- https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/ https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/"
X Link 2026-02-09T17:51Z [----] followers, [---] engagements

"Inside Gunra RaaS from affiliate recruitment on the dark web to full technical dissection of their locker -- https://www.cloudsek.com/blog/inside-gunra-raas-from-affiliate-recruitment-on-the-dark-web-to-full-technical-dissection-of-their-locker https://www.cloudsek.com/blog/inside-gunra-raas-from-affiliate-recruitment-on-the-dark-web-to-full-technical-dissection-of-their-locker"
X Link 2026-02-11T14:50Z [----] followers, [---] engagements

"The North Korean on your payroll -- https://www.okta.com/blog/threat-intelligence/the-north-korean-on-your-payroll/ https://www.okta.com/blog/threat-intelligence/the-north-korean-on-your-payroll/"
X Link 2026-02-11T18:05Z [----] followers, [--] engagements

"Google/Mandiant says China's APT31 used Gemini to plan cyberattacks against US orgs -- https://www.theregister.com/2026/02/12/google_china_apt31_gemini/ https://www.theregister.com/2026/02/12/google_china_apt31_gemini/"
X Link 2026-02-12T09:33Z [----] followers, [---] engagements

"PowerShell Security: PowerShell Attack Tools Mitigation & Detection -- https://adsecurity.org/p=2921 https://adsecurity.org/p=2921"
X Link 2016-08-14T03:51Z [----] followers, [--] engagements

"jenkins to meterpreter toying with powersploit -- https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/ https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/"
X Link 2017-01-27T19:11Z [----] followers, [--] engagements

"A Safe Browsing Blocker in a phishkit technical analysis and why it fails -- https://www.d3lab.net/a-safe-browsing-blocker-in-a-phishing-kit-technical-analysis-and-why-it-fails https://www.d3lab.net/a-safe-browsing-blocker-in-a-phishing-kit-technical-analysis-and-why-it-fails"
X Link 2026-02-11T14:51Z [----] followers, [---] engagements

"Koi Security VK Styles 500K users infected by Chrome Extensions that hijack VKontakte creds -- https://www.koi.ai/blog/vk-styles-500k-users-infected-by-chrome-extensions-that-hijack-vkontakte-accounts https://www.koi.ai/blog/vk-styles-500k-users-infected-by-chrome-extensions-that-hijack-vkontakte-accounts"
X Link 2026-02-13T04:37Z [----] followers, [---] engagements

"XWorm RAT campaign uses themed phishing lures and CVE20180802 Excel exploit to evade detection -- https://cybersecuritynews.com/new-xworm-rat-campaign-uses-themed-phishing-lures https://cybersecuritynews.com/new-xworm-rat-campaign-uses-themed-phishing-lures"
X Link 2026-02-13T12:57Z [----] followers, [---] engagements

"PolySwarm Shadow campaigns show evidence of global espionage using ShadowGuard rootkit -- https://blog.polyswarm.io/shadow-campaigns-show-evidence-of-global-espionage-using-shadowguard-rootkit https://blog.polyswarm.io/shadow-campaigns-show-evidence-of-global-espionage-using-shadowguard-rootkit"
X Link 2026-02-13T18:18Z [----] followers, [---] engagements

"@nullenc0de I use this exact technique but generally will set the Host header and use the IP in the -u to speed it up just a bit more. ffuf is the fastest around and -ac has an excellent analyzer that produces basically-zero errors"
X Link 2021-07-21T02:07Z [----] followers, [--] engagements

"Automated attacks breach FortiGate firewalls exposing configuration data -- https://rewterz.com/threat-advisory/automated-attacks-breach-fortigate-firewalls-exposing-configuration-data-active-iocs https://rewterz.com/threat-advisory/automated-attacks-breach-fortigate-firewalls-exposing-configuration-data-active-iocs"
X Link 2026-01-27T14:45Z [----] followers, [---] engagements

"The Open-Source Cybersecurity Playbook -- https://www.barkly.com/comprehensive-it-security-plan https://www.barkly.com/comprehensive-it-security-plan"
X Link 2016-12-01T19:29Z [----] followers, [--] engagements

"ICIT Analysis: Signature-based Malware Detection is Dead -- http://icitech.org/icit-analysis-signature-based-malware-detection-is-dead/ http://icitech.org/icit-analysis-signature-based-malware-detection-is-dead/"
X Link 2017-02-09T17:25Z [----] followers, [--] engagements

"Windows Incident Response: Understanding What The Data Is Telling You -- http://windowsir.blogspot.com/2017/04/understanding-what-data-is-telling-you.html http://windowsir.blogspot.com/2017/04/understanding-what-data-is-telling-you.html"
X Link 2017-04-10T13:55Z [----] followers, [--] engagements

"CVE-2017-4971 Remote Code Execution Vulnerability in the Spring Web Flow Framework -- https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html"
X Link 2017-07-17T16:13Z [----] followers, [--] engagements

"I am in a possession of a #DerbyCon ticket that I want to sell. It's also a training ticket"
X Link 2017-09-19T15:33Z [----] followers, [--] engagements

"HUMANs Satori Threat Intelligence and Research team has disrupted Scallywag a sophisticated ad-fraud operation using a collection of WordPress extensions to monetize digital piracy with hundreds of cashout domains and URL shorteners -- https://www.humansecurity.com/scallywag-open-redirectors/ https://www.humansecurity.com/scallywag-open-redirectors/"
X Link 2025-04-22T02:18Z [----] followers, [---] engagements

"BlackSuit hybrid approach with exfiltration and encryption -- https://www.cybereason.com/blog/blacksuit-data-exfil https://www.cybereason.com/blog/blacksuit-data-exfil"
X Link 2025-07-13T01:12Z [----] followers, [---] engagements

"Rainbow Hyena strikes again with new backdoor and shift in tactics -- https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9 https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9"
X Link 2025-07-16T16:46Z [----] followers, [---] engagements

"Trend Revisiting UNC3886 tactics to defend against present risk -- https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html"
X Link 2025-07-29T05:48Z [----] followers, [---] engagements

"@IceSolst This question is a red herring because IR and playbook craft are not equal amongst CIRTs working incidents. Most can't even provide accurate terminology or standardization on what an Incident is. Even compare to pre-2010 era DHS NCCIC. They had thresholds built into their craft"
X Link 2025-08-05T00:15Z [----] followers, [---] engagements

"SublimeSec Multi-RMM attack Splashtop Streamer and Atera payloads delivered via Discord CDN link -- https://sublime.security/blog/multi-rmm-attack-splashtop-streamer-and-atera-payloads-delivered-via-discord-cdn-link/ https://sublime.security/blog/multi-rmm-attack-splashtop-streamer-and-atera-payloads-delivered-via-discord-cdn-link/"
X Link 2025-08-06T03:28Z [----] followers, [---] engagements

"SilentPush Unmasking Socgholish -- -- The report details the activities of SocGholish a Malware-as-a-Service (MaaS) operated by TA569 https://www.silentpush.com/blog/socgholish/ https://www.silentpush.com/blog/socgholish/"
X Link 2025-08-06T17:55Z [----] followers, [----] engagements

"Unpacking KiwiStealer diving into Bitter APT malware for file exfil -- https://blog.pulsedive.com/unpacking-kiwistealer-diving-into-bitter-apts-malware-for-file-exfiltration https://blog.pulsedive.com/unpacking-kiwistealer-diving-into-bitter-apts-malware-for-file-exfiltration"
X Link 2025-08-13T18:05Z [----] followers, [----] engagements

"ICIT Analysis: Sowing the Seeds of US Cyber Talent -- http://icitech.org/icit-analysis-sowing-the-seeds-of-u-s-cyber-talent/ http://icitech.org/icit-analysis-sowing-the-seeds-of-u-s-cyber-talent/"
X Link 2017-04-18T19:52Z [----] followers, [--] engagements

"@FrankMcG I can name [--] SANS courses worth the money and that have no competition. I can name [--] SANS courses not worth the money and that you can learn the entire material in [--] or [--] hours of Googling"
X Link 2021-07-27T02:36Z [----] followers, [--] engagements

"@anton_chuvakin My takeaway here is that red teamers even good ones tend to reuse their craft -- including TTPs that bypass EDR (which red teamers tend to overfocus on). However these require composite indicators that build up as custom SIEM detections (oft unique to an org or business unit)"
X Link 2024-12-03T19:28Z [----] followers, [---] engagements

"@BleepinComputer @serghei There have been interactions between DPRK cyber threat actors and the ransomware scene going back to as early as [----]. This isn't their first rodeo together"
X Link 2025-03-07T15:31Z [----] followers, [---] engagements

"Ontinues CDC uncovered Storm-1811s multi-stage attack exploiting Teams vishing QuickAssist and signed DLL sideloads. The attack deploys a malicious PowerShell payload TV.dll and Node.js C2 -- https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/ https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/"
X Link 2025-04-01T18:46Z [----] followers, [---] engagements

"Trend Clone Compile Compromise -- Water Curses Open-Source Malware Trap on GitHub -- https://www.trendmicro.com/en_us/research/25/f/water-curse.html https://www.trendmicro.com/en_us/research/25/f/water-curse.html"
X Link 2025-06-16T15:08Z [----] followers, [---] engagements

"Group-IB Exploiting trust how signed drivers fuel modern kernel-level attacks on Windows -- https://www.group-ib.com/blog/kernel-driver-threats/ https://www.group-ib.com/blog/kernel-driver-threats/"
X Link 2025-07-07T02:39Z [----] followers, [----] engagements

"Technical analysis of malspam campaigns targeting the defense industry delivering Snake keylogger -- https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger"
X Link 2025-07-17T20:36Z [----] followers, [----] engagements

"The Amnban Files inside Iran's cyber-espionage factory targeting global airlines -- https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209lang=en https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209lang=en"
X Link 2025-07-21T14:39Z [----] followers, [---] engagements

"Aqua AI-generated malware in Panda Image hides persistent Linux threat -- https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat"
X Link 2025-07-24T15:19Z [----] followers, [----] engagements

"@IAMERICAbooted SecurityRiskAdvisors/letItGo is my go-to above aadinternals and those others are staples -- good call. Zetalytics and are my next in line along with spamhaus and some of their partners urlscan OTX AV http://urlquery.net http://abuse.ch http://Hunt.io http://urlquery.net http://abuse.ch http://Hunt.io"
X Link 2025-08-10T20:05Z [----] followers, [----] engagements

"From drone strike to file recovery. outsmarting a nation state -- https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state"
X Link 2025-08-11T15:12Z [----] followers, [---] engagements

"Pen Testing Active Directory Environments Part V: Admins and Graphs -- via @varonis https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/ https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/"
X Link 2017-04-05T21:14Z [----] followers, [--] engagements

"@MsftSecIntel Do you have a blog post threat bulletin paper a set of analytic rules and/or an IOC/TTP dump Can you provide a yara on the QuasarLoader ShadowPad Webpack or other malware sighted"
X Link 2023-02-13T17:21Z [----] followers, [----] engagements

"@HaoZhixiang I think I found the maldoc builder for this Transparent Tribe / APT-C-56 / APT36 / Mythic Leopard jank -- https://www.virustotal.com/gui/file/b62cb4a4fe1e2a932dc7d0bf307fe4d655ef045e44cb3c24be24fdaaf1ed794e https://www.virustotal.com/gui/file/b62cb4a4fe1e2a932dc7d0bf307fe4d655ef045e44cb3c24be24fdaaf1ed794e"
X Link 2023-02-21T04:15Z [----] followers, [---] engagements

"GuLoader Malware Disguised as Tax Invoices and Shipping Statements -- https://asec.ahnlab.com/en/55978/ https://asec.ahnlab.com/en/55978/"
X Link 2023-08-11T19:29Z [----] followers, [---] engagements

"A First Look at ESQL -- https://docs.tenzir.com/blog/a-first-look-at-esql https://docs.tenzir.com/blog/a-first-look-at-esql"
X Link 2023-08-29T05:42Z [----] followers, [----] engagements

"@1ZRR4H I also see these payloads same references and apparently same sources. Also see JA3 of 8c23d614aa018ed7bc6c88b545ece240"
X Link 2024-10-25T03:34Z [----] followers, [---] engagements

"@anton_chuvakin Not in 3+ decades of working with SIM SEM and SIEM. Never once. SIEM is a total failure. GenAI Cybersecurity tools won't find those either. People do -- and MOST of the time they're not detection engineers blue team or even cyber or infosec people at all"
X Link 2024-12-03T19:01Z [----] followers, [----] engagements

"Malware Analysis of Amadey -- https://medium.com/@psyb3rm0nk/malware-analysis-amadey-d0e32b54aee5 https://medium.com/@psyb3rm0nk/malware-analysis-amadey-d0e32b54aee5"
X Link 2024-12-24T18:52Z [----] followers, [----] engagements

"@jaimeblascob "2024-11-05" "linewizeconnect.com" "2024-12-07" "moonsift.store" "2024-12-07" "readermodeext.info" "2024-12-12" "vpncity.live" "2024-12-12" "wayinai.live" "2024-12-23" "censortracker.pro" "2024-12-24" "parrottalks.info" "2024-12-25" "cyberhavenext.pro""
X Link 2024-12-27T02:05Z [----] followers, [----] engagements

"@notdan If by secret you mean openly-available in this report -- -- since late-Apr [----] https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet"
X Link 2025-01-14T23:30Z [----] followers, [----] engagements

"@Jhaddix With GenAI Defense and Offense are still the same double-edge. Learning to Probe Systems and People will continue to be core skills. Arch and Eng around AI must be Unix-philosophy style for proper alignment"
X Link 2025-01-25T14:56Z [----] followers, [---] engagements

"Zimperiums Coverage Against Android Malware in Donot APT Operations and Extended Indicators of Compromise -- https://www.zimperium.com/blog/android-malware-in-donot-apt-operations-and-extended-indicators-of-compromise/ https://www.zimperium.com/blog/android-malware-in-donot-apt-operations-and-extended-indicators-of-compromise/"
X Link 2025-01-28T14:44Z [----] followers, [---] engagements

"@chrissanders88 Revisit org-wide policies for Local Group Policy Object Processing. It should be set to off to prevent the following actions: Actors will open gpedit.msc to disable WinEvt/Defender logging to hide their activities or to enable multiple RDP sessions to aid access expansion"
X Link 2025-01-28T16:20Z [----] followers, [---] engagements

"https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f"
X Link 2025-02-10T00:05Z [----] followers, [---] engagements

"@chrissanders88 RedCanary also has a page for the test cases around this technique -- -- Graphics.CopyFromScreen CopyFromScreen xwd or screencapture being key method instantiators http://System.Drawing.Graphics https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md http://System.Drawing.Graphics https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"
X Link 2025-03-04T15:37Z [----] followers, [---] engagements

"Ghostwriter UAC-0173 resumes intrusions vs Ukrainian notary offices via DarkCrystalRat -- https://cyble.com/blog/uac-0173-targeted-cyberattacks-on-ua-notary/"
X Link 2025-03-06T15:48Z [----] followers, [----] engagements

"@ImposeCost SpecterOps and NetSPI. Chronicle, Splunk and Sigma all have giant free github repos full of Azure detections. If you need help with one please ask me. NetworkDefense.io is also very good -- take a few -- and the Antisyphon ones can even be free last I checked"
X Link 2025-03-06T22:35Z [----] followers, [----] engagements

"Working cyber kill chains and diamond models against 0-day crisis which is putting tens of thousands at risk -- https://osintteam.blog/threat-intelligence-a-deep-dive-into-cyber-kill-chains-diamond-models-and-the-zero-day-crisis-b55d9277b07b"
X Link 2025-03-10T14:25Z [----] followers, [---] engagements

"@MalwareJake Asked the CobaltStrike team to look into this back in [----]. Wish they got around to it sooner it's been a decade too-late"
X Link 2025-03-10T14:27Z [----] followers, [---] engagements

"ProofPoint Remote Monitoring and Management (RMM) tooling as threat actor first-choice -- https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice"
X Link 2025-03-11T15:27Z [----] followers, [---] engagements

"Azure log entry to look for when a threat actor is in -- https://www.hecfblog.com/2025/03/daily-blog-775-azure-log-entry-to-look.html"
X Link 2025-03-13T04:44Z [----] followers, [---] engagements

"AnubisBackdoor -- https://medium.com/@keontrewalker/new-threat-alert-anubisbackdoor-238a1fdb905b"
X Link 2025-03-13T05:50Z [----] followers, [---] engagements

"Veriti OpenAI under attack -- CVE-2024-27564 actively-exploited in-the-wild -- https://veriti.ai/blog/cve-2024-27564-actively-exploited/"
X Link 2025-03-18T02:08Z [----] followers, [----] engagements

"@_RastaMouse itm4n/PrivescCheck RealBlindingEDR Reaper CVE-2022-34709 and (indirectly) -- swisskyrepo/SharpLAPS rdps-remote-credential-guard-with-rubeus-ptt (bypass RCG) plus Outflank"
X Link 2025-03-18T23:02Z [----] followers, [----] engagements

"Adversary-in-the-middle (AitM) -- DNS workings of Sneaky2FA -- https://circleid.com/posts/sneaking-a-peek-into-the-inner-dns-workings-of-sneaky-2fa"
X Link 2025-03-19T18:16Z [----] followers, [---] engagements

"Unboxing Anubis exploring the stealthy tactics of FIN7 -- https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor"
X Link 2025-03-20T16:33Z [----] followers, [---] engagements

"Rilide -- https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension"
X Link 2025-03-21T15:39Z [----] followers, [----] engagements

"@greglesnewich YaraFlux, GhidraMCP, r2ai and I can think of a few others. Did you know there are quantized models such as Lily-Cybersecurity? Have you tried openrouter llama-index?"
X Link 2025-03-26T02:07Z [----] followers, [---] engagements

"https://medium.com/@pavol.kluka/network-traffic-analysis-exercise-how-to-deploy-a-fake-authenticatoor-0968077ed8eb"
X Link 2025-04-03T14:25Z [----] followers, [---] engagements

"Hijacking TypeLib for persistence -- https://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/"
X Link 2025-04-14T13:49Z [----] followers, [---] engagements

"FingerprintJS and Cleave.js Toll-of-Deception lures -- Where evasion drives phishing forward -- https://www.group-ib.com/blog/toll-of-deception/"
X Link 2025-04-24T02:57Z [----] followers, [---] engagements

"How AI services power the DPRK's IT contracting scams -- https://sec.okta.com/articles/2025/04/GenAIDPRK/"
X Link 2025-04-24T20:29Z [----] followers, [---] engagements

"Opswat Security analysis of Rack Ruby Framework -- CVE-2025-25184 CVE-2025-27111 and CVE-2025-27610 -- https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610"
X Link 2025-04-28T17:50Z [----] followers, [---] engagements

"OceanLotus APT32 attacks GitHub targeting national cybersecurity professionals and specific large enterprises -- APT32 GitHub -- https://www.ctfiot.com/236884.html"
X Link 2025-04-29T16:44Z [----] followers, [----] engagements

"Hunting malicious desktop files with Google Threat Intelligence which is sort of like VirusTotal -- https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333"
X Link 2025-05-12T16:53Z [----] followers, [---] engagements

"Flashpoint Uncovering the DPRK's remote IT Worker fraud scheme -- https://flashpoint.io/blog/flashpoint-investigation-uncovering-the-dprks-remote-it-worker-fraud-scheme/"
X Link 2025-05-13T04:09Z [----] followers, [---] engagements

"@banthisguy9349 zetalytics hunt-io spur-us urlscan-io hunting_abuse-ch threatfox_abuse-ch urlhaus_abuse-ch bazaar_abuse-ch shodan trends_shodan virustotal/gui/hunting hybrid-analysis malpedia otx.alienvault Securonix/AutonomousThreatSweeper inoreader raycast_cyberchef threatbook"
X Link 2025-06-19T23:32Z [----] followers, [----] engagements

"@chrissanders88 macOS logs are stored in tracev3 formatted files in /var/db/diagnostics -- accessible and binary-parsed via log show --last 24h | grep -i '.onion' and similar logics. macos/execution_initial_access_suspicious_browser_childproc from Elastic protect tags ATT&CK Initial Access"
X Link 2025-06-24T14:41Z [----] followers, [---] engagements

"@chrissanders88 APT38's COVERTCATCH/RUSTBUCKET malwares and the intrusion craft of DPRK actor sets targeting macOS over recent years is likely. UNC1069 the tied-in North Korean financial crime group is steeped in malicious LONEJOGGER shortcuts which load LONERUNNER WHITEHAUL or POWERHOUSE"
X Link 2025-06-24T14:49Z [----] followers, [---] engagements

"Qilin rising ransomware threat using tailored attacks to quietly cripple targets -- https://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/"
X Link 2025-06-30T17:01Z [----] followers, [---] engagements

"FortiNet DCRat using Colombian government lure -- https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government"
X Link 2025-07-01T17:16Z [----] followers, [---] engagements

"Arctic Wolf Malvertising campaign delivers Oyster/Broomstick backdoor via SEO-poisoning -- https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools"
X Link 2025-07-03T22:47Z [----] followers, [---] engagements

"ASEC Xworm distributed with steganography -- https://asec.ahnlab.com/en/88885"
X Link 2025-07-07T15:48Z [----] followers, [---] engagements

"PolySwarm SparkKitty targets mobile users with cross-platform espionage -- https://blog.polyswarm.io/sparkkitty-trojan-targets-mobile-users-with-cross-platform-espionage"
X Link 2025-07-08T19:51Z [----] followers, [---] engagements

"MoonLock Labs New North Korean malware targets crypto startups via fake Zoom invites -- https://moonlock.com/malware-fake-zoom-invites"
X Link 2025-07-12T14:46Z [----] followers, [---] engagements

"0xCH4S3 Hunting China-nexus threat actor -- https://0xch4s3.gitbook.io/0xch4s3-or-threat-research/adversary-hunting/hunting-china-nexus-threat-actor"
X Link 2025-07-14T17:13Z [----] followers, [----] engagements

"Likely Belarus-nexus threat actor delivers loader to Poland -- https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland"
X Link 2025-07-14T17:15Z [----] followers, [---] engagements

"PolySwarm NimDoor macOS malware -- https://blog.polyswarm.io/nimdoor-macos-malware"
X Link 2025-07-14T19:31Z [----] followers, [---] engagements

"Unmasking malicious APKs Android malware blending click fraud and credential theft -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-malicious-apks-android-malware-blending-click-fraud-and-credential-theft"
X Link 2025-07-18T15:28Z [----] followers, [---] engagements

""According to a statement made by ShinyHunters yesterday . Scattered Spider and . they are one and the same" -- https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/"
X Link 2025-08-04T00:35Z [----] followers, [----] engagements

"RoKRAT shellcode and steganographic -- https://www.genians.co.kr/blog/threat_intelligence/rokrat_shellcode_steganographic"
X Link 2025-08-04T13:22Z [----] followers, [---] engagements

"Lazarus hackers trick users into believing their camera or microphone is blocked to deliver PylangGhostRat -- https://cybersecuritynews.com/lazarus-pylangghost-rat"
X Link 2025-08-06T19:09Z [----] followers, [---] engagements

"FortiNet Odyssey Stealer ClickFix malware attacks macOS users for creds and crypto wallets -- https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users"
X Link 2025-08-08T14:53Z [----] followers, [----] engagements

"@chrissanders88 Link the network traffic to the process and then dump either the process memory locate the file(s) associated with the process (ideally both) and check artifacts such as SRUM that indicate this activity further. I also would dump kernel mem"
X Link 2025-08-12T15:45Z [----] followers, [---] engagements

"Lazarus APT tactics targeting the developers' supply chain in Operation Silent Recruiter -- https://www.securityjoes.com/post/operation-silent-recruiter-over-50-github-accounts-tied-to-lazarus-fake-recruiter-campaign"
X Link 2025-08-14T20:53Z [----] followers, [---] engagements

"PolySwarm Recent ransomware threats to the healthcare vertical -- https://blog.polyswarm.io/recent-ransomware-threats-to-the-healthcare-vertical"
X Link 2025-09-08T18:44Z [----] followers, [---] engagements

"Shai-Hulud V2 poses risk to NPM supply chain -- https://www.zscaler.com/blogs/security-research/shai-hulud-v2-poses-risk-npm-supply-chain"
X Link 2025-12-03T15:14Z [----] followers, [---] engagements

"PolySwarm Variant of ClayRat transmutes -- https://blog.polyswarm.io/a-new-variant-of-clayrat-transmutes"
X Link 2025-12-12T19:16Z [----] followers, [---] engagements

"Automating Security at Slack -- https://www.infoq.com/presentations/security-slack"
X Link 2016-07-17T21:44Z [----] followers, [--] engagements

"How to Bypass Anti-Virus to Run Mimikatz -- via @BHInfoSecurity http://www.blackhillsinfosec.com/p=5555"
X Link 2017-02-06T19:12Z [----] followers, [--] engagements

"Exploring The Gap Between Cybersecurity Perception And Reality -- http://www.forbes.com/sites/tonybradley/2017/03/09/exploring-the-gap-between-cybersecurity-perception-and-reality/"
X Link 2017-03-11T00:19Z [----] followers, [--] engagements

"Fileless UAC Bypass using CompMgmtLauncher.exe -- http://x42.obscurechannel.com/p=368"
X Link 2017-03-15T04:36Z [----] followers, [---] engagements

"iOS vs. Android: Physical Data Extraction and Data Protection Compared -- https://blog.elcomsoft.com/2017/10/ios-vs-android-physical-data-extraction-and-data-protection-compared/"
X Link 2017-10-23T22:19Z [----] followers, [--] engagements

"Malware Analysis of Amadey -- https://medium.com/@psyb3rm0nk/malware-analysis-amadey-d0e32b54aee5"
X Link 2024-12-24T18:52Z [----] followers, [----] engagements

"Identifying and Defending Against Qakbot's Evolving TTPs -- http://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps"
X Link 2022-12-01T04:58Z [----] followers, [---] engagements

"APT37 mobile malware -- https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37"
X Link 2025-03-12T16:59Z [----] followers, [----] engagements

"SilentPush Unmasking Socgholish -- The report details the activities of SocGholish, a Malware-as-a-Service (MaaS) operated by TA569 https://www.silentpush.com/blog/socgholish/"
X Link 2025-08-06T17:55Z [----] followers, [----] engagements

"Technical analysis of malspam campaigns targeting the defense industry delivering Snake keylogger -- https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger"
X Link 2025-07-17T20:36Z [----] followers, [----] engagements

"@IAMERICAbooted SecurityRiskAdvisors/letItGo is my go-to above aadinternals and those others are staples -- good call. Zetalytics and are my next in line along with spamhaus and some of their partners urlscan OTX AV http://urlquery.net http://abuse.ch http://Hunt.io"
X Link 2025-08-10T20:05Z [----] followers, [----] engagements

"The Open-Source Cybersecurity Playbook -- https://www.barkly.com/comprehensive-it-security-plan"
X Link 2016-12-01T19:29Z [----] followers, [--] engagements

"@anton_chuvakin Not in 3+ decades of working with SIM SEM and SIEM. Never once. SIEM is a total failure. GenAI Cybersecurity tools won't find those either. People do -- and MOST of the time they're not detection engineers blue team or even cyber or infosec people at all"
X Link 2024-12-03T19:01Z [----] followers, [----] engagements

"ICIT Analysis: Signature-based Malware Detection is Dead -- http://icitech.org/icit-analysis-signature-based-malware-detection-is-dead/"
X Link 2017-02-09T17:25Z [----] followers, [--] engagements

"PowerShell Security: PowerShell Attack Tools Mitigation & Detection -- https://adsecurity.org/p=2921"
X Link 2016-08-14T03:51Z [----] followers, [--] engagements

"@nullenc0de I use this exact technique but generally will set the Host header and use the IP in the -u to speed it up just a bit more. ffuf is the fastest around and -ac has an excellent analyzer that produces basically-zero errors"
X Link 2021-07-21T02:07Z [----] followers, [--] engagements

"@jaimeblascob "2024-11-05" "linewizeconnect.com" "2024-12-07" "moonsift.store" "2024-12-07" "readermodeext.info" "2024-12-12" "vpncity.live" "2024-12-12" "wayinai.live" "2024-12-23" "censortracker.pro" "2024-12-24" "parrottalks.info" "2024-12-25" "cyberhavenext.pro""
X Link 2024-12-27T02:05Z [----] followers, [----] engagements

"@nullenc0de Thank you. I create custom lists after initial targeting with Photon. merge_webpath_list sorts from several sources namely leaky-paths ffufplus commonspeak2 SecLists Sn1per RobotsDisallowed and assetnote lists. Tweak further with GoldenNuggets-1 + IIS-ShortName-Scanner"
X Link 2021-07-21T02:40Z [----] followers, [--] engagements

"GuLoader Malware Disguised as Tax Invoices and Shipping Statements -- https://asec.ahnlab.com/en/55978/"
X Link 2023-08-11T19:29Z [----] followers, [---] engagements

"Unpacking KiwiStealer diving into Bitter APT malware for file exfil -- https://blog.pulsedive.com/unpacking-kiwistealer-diving-into-bitter-apts-malware-for-file-exfiltration"
X Link 2025-08-13T18:05Z [----] followers, [----] engagements

"Group-IB Exploiting trust how signed drivers fuel modern kernel-level attacks on Windows -- https://www.group-ib.com/blog/kernel-driver-threats/"
X Link 2025-07-07T02:39Z [----] followers, [----] engagements

"Aqua AI-generated malware in Panda Image hides persistent Linux threat -- https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat"
X Link 2025-07-24T15:19Z [----] followers, [----] engagements

"SublimeSec Multi-RMM attack Splashtop Streamer and Atera payloads delivered via Discord CDN link -- https://sublime.security/blog/multi-rmm-attack-splashtop-streamer-and-atera-payloads-delivered-via-discord-cdn-link/"
X Link 2025-08-06T03:28Z [----] followers, [---] engagements

"BlackSuit hybrid approach with exfiltration and encryption -- https://www.cybereason.com/blog/blacksuit-data-exfil"
X Link 2025-07-13T01:12Z [----] followers, [---] engagements

"From drone strike to file recovery: outsmarting a nation state -- https://profero.io/blog/from-drone-strike-to-file-recovery-outsmarting-a-nation-state"
X Link 2025-08-11T15:12Z [----] followers, [---] engagements

"@MsftSecIntel Do you have a blog post, threat bulletin, paper, a set of analytic rules and/or an IOC/TTP dump? Can you provide a yara on the QuasarLoader, ShadowPad, Webpack or other malware sighted?"
X Link 2023-02-13T17:21Z [----] followers, [----] engagements

"ICIT Analysis: Sowing the Seeds of US Cyber Talent -- http://icitech.org/icit-analysis-sowing-the-seeds-of-u-s-cyber-talent/"
X Link 2017-04-18T19:52Z [----] followers, [--] engagements

"Ontinue's CDC uncovered Storm-1811's multi-stage attack exploiting Teams vishing, QuickAssist and signed DLL sideloads. The attack deploys a malicious PowerShell payload, TV.dll and Node.js C2 -- https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/"
X Link 2025-04-01T18:46Z [----] followers, [---] engagements

"@FrankMcG I can name [--] SANS courses worth the money and that have no competition. I can name [--] SANS courses not worth the money and that you can learn the entire material in [--] or [--] hours of Googling"
X Link 2021-07-27T02:36Z [----] followers, [--] engagements

"@1ZRR4H I also see these payloads same references and apparently same sources. Also see JA3 of 8c23d614aa018ed7bc6c88b545ece240"
X Link 2024-10-25T03:34Z [----] followers, [---] engagements

"HUMAN's Satori Threat Intelligence and Research team has disrupted Scallywag, a sophisticated ad-fraud operation using a collection of WordPress extensions to monetize digital piracy with hundreds of cashout domains and URL shorteners -- https://www.humansecurity.com/scallywag-open-redirectors/"
X Link 2025-04-22T02:18Z [----] followers, [---] engagements

"@BleepinComputer @serghei There have been interactions between DPRK cyber threat actors and the ransomware scene going back to as early as [----]. This isn't their first rodeo together"
X Link 2025-03-07T15:31Z [----] followers, [---] engagements

"@HaoZhixiang I think I found the maldoc builder for this Transparent Tribe / APT-C-56 / APT36 / Mythic Leopard jank -- https://www.virustotal.com/gui/file/b62cb4a4fe1e2a932dc7d0bf307fe4d655ef045e44cb3c24be24fdaaf1ed794e"
X Link 2023-02-21T04:15Z [----] followers, [---] engagements

"@MichalKoczwara search tag:cve-2021-40444 on VT (yara retrohunting pulls these); you'll also see asdasdas.com, caribarena.com, exployt.com and vitlescaux.com -- much more interesting than dodefoh.com, hidusi.com and joxinu.com, although pawevi.com is in a class of its own"
X Link 2021-09-13T00:06Z [----] followers, [--] engagements

"Fortinet DCRat using Colombian government lure -- https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government"
X Link 2025-07-01T17:16Z [----] followers, [---] engagements

"Likely Belarus-nexus threat actor delivers loader to Poland -- https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland"
X Link 2025-07-14T17:15Z [----] followers, [---] engagements

"Arctic Wolf Malvertising campaign delivers Oyster/Broomstick backdoor via SEO-poisoning -- https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools"
X Link 2025-07-03T22:47Z [----] followers, [---] engagements

"Exploring The Gap Between Cybersecurity Perception And Reality -- http://www.forbes.com/sites/tonybradley/2017/03/09/exploring-the-gap-between-cybersecurity-perception-and-reality/"
X Link 2017-03-11T00:19Z [----] followers, [--] engagements

"CVE-2017-4971 Remote Code Execution Vulnerability in the Spring Web Flow Framework -- https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html"
X Link 2017-07-17T16:13Z [----] followers, [--] engagements

"MoonLock Labs New North Korean malware targets crypto startups via fake Zoom invites -- https://moonlock.com/malware-fake-zoom-invites"
X Link 2025-07-12T14:46Z [----] followers, [---] engagements

"IPython Support for Binary Ninja https://insinuator.net/2018/08/ipython-support-for-binary-ninja/"
X Link 2018-08-20T14:41Z [----] followers, [--] engagements

"Trend Clone Compile Compromise -- Water Curse's Open-Source Malware Trap on GitHub -- https://www.trendmicro.com/en_us/research/25/f/water-curse.html"
X Link 2025-06-16T15:08Z [----] followers, [---] engagements

"A First Look at ESQL -- https://docs.tenzir.com/blog/a-first-look-at-esql"
X Link 2023-08-29T05:42Z [----] followers, [----] engagements

"The Amnban Files inside Iran's cyber-espionage factory targeting global airlines -- https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209lang=en"
X Link 2025-07-21T14:39Z [----] followers, [---] engagements

"@anton_chuvakin My takeaway here is that red teamers, even good ones, tend to reuse their craft -- including TTPs that bypass EDR (which red teamers tend to overfocus on). However, these require composite indicators that build up as custom SIEM detections (oft unique to an org or business unit)"
X Link 2024-12-03T19:28Z [----] followers, [---] engagements

"@chrissanders88 Could be a C2 config being pulled down in order to consume (by the malware) and then use as transports, likely connecting to one at a time, either first, last or selected randomly from the list, trying the others when the initial(s) don't connect. Onimai malware uses Gist this way"
X Link 2025-05-27T20:51Z [----] followers, [---] engagements

"@RedTeamTactics Downloading malicious logic is an Event. Executing or Installing malicious logic are Incidents. Events can lead to Incidents but only Incidents come with a promise of "cleanup on aisle four""
X Link 2025-05-04T17:16Z [----] followers, [---] engagements

"jenkins to meterpreter toying with powersploit -- https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/"
X Link 2017-01-27T19:11Z [----] followers, [--] engagements

"@IceSolst This question is a red herring because IR and playbook craft are not equal amongst CIRTs working incidents. Most can't even provide accurate terminology or standardization on what an Incident is. Even compare to pre-2010-era DHS NCCIC: they had thresholds built into their craft"
X Link 2025-08-05T00:15Z [----] followers, [---] engagements

"Proofpoint Remote Monitoring and Management (RMM) tooling as threat actor first-choice -- https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice"
X Link 2025-03-11T15:27Z [----] followers, [---] engagements

"How AI services power the DPRK's IT contracting scams -- https://sec.okta.com/articles/2025/04/GenAIDPRK/"
X Link 2025-04-24T20:29Z [----] followers, [---] engagements

"Ghostwriter UAC-0173 resumes intrusions vs Ukrainian notary offices via DarkCrystalRat -- https://cyble.com/blog/uac-0173-targeted-cyberattacks-on-ua-notary/"
X Link 2025-03-06T15:48Z [----] followers, [----] engagements

"@ImposeCost Packets sighted to a known-live C2 server -- whether acting as a blind-drop or not -- matching IPv4 with the corresponding name-service resolving is a substantial notable (or observable), but I agree it's not immediately an IOC, confirmed intrusion, etc. You're investigating"
X Link 2025-03-18T22:16Z [----] followers, [---] engagements

"Veriti OpenAI under attack -- CVE-2024-27564 actively-exploited in-the-wild -- https://veriti.ai/blog/cve-2024-27564-actively-exploited/"
X Link 2025-03-18T02:08Z [----] followers, [----] engagements

"@banthisguy9349 The construction and setup-teardown of scam-centric lures, infrastructure, capabilities and results has caused would-be malware devops to shift toward lure-based scams over credphish and over malicious logic. It's now cheaper to deploy a scamkit than a phishkit or a distnet"
X Link 2025-04-18T13:20Z [----] followers, [---] engagements

"Hunting malicious desktop files with Google Threat Intelligence, which is sort of like VirusTotal -- https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333"
X Link 2025-05-12T16:53Z [----] followers, [---] engagements

"Windows Incident Response: Understanding What The Data Is Telling You -- http://windowsir.blogspot.com/2017/04/understanding-what-data-is-telling-you.html"
X Link 2017-04-10T13:55Z [----] followers, [--] engagements

"Trend Revisiting UNC3886 tactics to defend against present risk -- https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html"
X Link 2025-07-29T05:48Z [----] followers, [---] engagements

"Rainbow Hyena strikes again with new backdoor and shift in tactics -- https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9"
X Link 2025-07-16T16:46Z [----] followers, [---] engagements

"AnubisBackdoor -- https://medium.com/@keontrewalker/new-threat-alert-anubisbackdoor-238a1fdb905b"
X Link 2025-03-13T05:50Z [----] followers, [---] engagements

"The Bybit intrusion by actor UNC4899 in Feb [----] involved unauth access to Ethereum cold wallets. Attackers compromised a SafeWallet developer machine, manipulated transactions and exploited smart contracts to steal 400k ETH sans multisig approval -- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack"
X Link 2025-03-17T21:51Z [----] followers, [---] engagements

"TA577-associated NTLM-hash cred-style intrusions -- https://darktrace.com/blog/hashing-out-ta577-darktraces-detection-of-ntlm-hash-theft"
X Link 2025-03-28T16:26Z [----] followers, [---] engagements

"@chrissanders88 RedCanary also has a page for the test cases around this technique -- System.Drawing.Graphics.CopyFromScreen, xwd or screencapture being key method instantiators -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"
X Link 2025-03-04T15:37Z [----] followers, [---] engagements
