Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. 🧵
Multiple reports have documented specific TA397 campaigns; this one takes a holistic look at the group's activity and puts forward attribution elements pointing towards alignment with Indian state interests.
Stellar work by @nickattfield.bsky.social and @threatray.bsky.social's researchers
We assess the motivation was to better understand the appetite to continue fighting against the RU invasion and assess the medium-term outlook of the conflict.
Great work by @greg-l.bsky.social @saffronsec.bsky.social and @mkyo.bsky.social !
New Proofpoint blog alert
We observed DPRK actor TA406 (overlaps w/ Opal Sleet/Konni) targeting government entities in Ukraine in early 2025:
www.proofpoint.com/us/blog/thre...
Personal bias aside, that is still a must-read. Impressive work by @saffronsec.bsky.social grouping together multiple campaigns to provide a comprehensive view of APT state-sponsored actors using ClickFix. Here's to your first blog with us! 🥂
Great team collab by @saffronsec.bsky.social
@mkyo.bsky.social @greg-l.bsky.social and Josh Miller 🤝
Today, we release a new blog that highlights how state-sponsored groups from North Korea, Iran, and Russia were all seen using the ClickFix technique in their routine activity. We also release key IOCs for all campaigns. Happy hunting!
🎯New Proofpoint research: Around the World in 90 Days: State-Sponsored Actors Try ClickFix 🎯
www.proofpoint.com/us/blog/thre...
In 2024 we released two blogs on cybercrime actors using ClickFix in their attack chains:
www.proofpoint.com/us/blog/thre...
www.proofpoint.com/us/blog/thre...
Network IOCs:
Hot off the press - new report on TA397 (aka Bitter) by Proofpoint's Threat Research team
- Targeted the Turkish defense sector in Fall 2024
- Uses Alternate Data Streams in RAR archives
www.proofpoint.com/us/blog/thre...
Developing story - attack against #BGP peers of a European telco. The malicious emails impersonated that same telco and included the ASN of each recipient in the subject line.
The emails contained a password-protected RAR attachment with the malicious payload.
Since I'm cold and missing #OBTS, I wanted to reflect on what @jacoblatonis.me and Tomas have gifted us with the YARA-X Macho module.
The OG YARA Mach-O parsing left a lot to be desired, and the new YARA-X version has all sorts of goodies.