
Posts by Ryan Kalember

Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. 🧵

3 weeks ago 18 13 1 2

!!! It actually fits?

1 month ago 1 0 1 0

Remote Monitoring & Management (RMM) tooling is taking over the cybercrime landscape. And it keeps growing.

Alongside Deception.Pro, we observed follow-on activity from a Bluetrait campaign in an environment built to resemble a travel firm. Result? Even more RMMs. blog.deception.pro/blog/hok-int...

2 months ago 3 2 1 0

In addition to espionage threat actors, financially motivated cybercriminals have been exploiting the WinRAR vulnerability CVE-2025-8088.

The highly effective ecrime actor, typically seen distributing Koi Stealer/Koi Loader (TA4561), was observed doing so in Fall 2025.

Details. ⤵️

2 months ago 3 3 1 0

Would love to get a fuller version of your take on The Dawn of Everything.

3 months ago 5 0 0 0
Redirection to adding authorized device.

New research from Proofpoint ‼️

Threat actors are using #phishing tactics to trick users into giving access to #M365 accounts.

⚠️ Successful compromise leads to #accounttakeover, #dataexfiltration, and more.

Blog: brnw.ch/21wYtcM

Here’s what you need to know. 🧵⤵️

4 months ago 2 2 1 1

This time of year, threat actors are attempting to send you gifts you’d rather not receive. 🎁

Proofpoint is seeing an increase in holiday-themed threats. Main #phishing lure themes include party invitations, holiday vouchers, end-of-year bonuses, and holiday travel.

4 months ago 0 1 1 0

This is the correct answer. LSJUMB already has it in their (admittedly limited) repertoire that somehow still includes Zoot Suit Riot and more than one Offspring song.

4 months ago 3 0 0 0
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US: Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings: Between June and August 2025,

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

5 months ago 18 12 2 0

Nike's ad for the Dodgers win featuring Kendrick Lamar

5 months ago 1890 539 23 150

ladies and gentlemen...we got him

5 months ago 18300 4043 170 185

You have to be shitting me... Ohtani homered again

6 months ago 718 88 21 82
When the monster bytes: tracking TA585 and its arsenal | Proofpoint US: Key findings: TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware

TA585 is the identifier of the most recent threat actor named by Proofpoint.

The sophisticated cybercriminal, notably, appears to own its entire attack chain with multiple delivery techniques.

Learn about TA585 and one of its favored payloads, MonsterV2: brnw.ch/21wWAAU.

6 months ago 0 1 1 0
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US: What happened: Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China

Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

Blog: www.proofpoint.com/us/blog/thre....

7 months ago 5 3 1 0

Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵

7 months ago 0 2 1 0

NEW ‼️ Researchers at @Proofpoint revealed an increase in China-aligned cyber #espionage targeting Taiwan’s #semiconductor industry—a sector critical to the global tech #supplychain.

At least 3️⃣ distinct China-aligned threat actors are behind the efforts. brnw.ch/21wUctY

9 months ago 7 4 1 1
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US: This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout

Just published:

A two-part blog series in collaboration with @threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state.

Part 1: brnw.ch/21wT9A5
Part 2: brnw.ch/21wT9Ad.

10 months ago 3 2 1 1
Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

Feds have seized infrastructure and charged 16 members of a hacker group based in Russia that allegedly sold access to the DanaBot malware, used in everything from cybercrime like bank fraud and ransomware to espionage and DDOS attacks against Ukraine. www.wired.com/story/us-cha...

10 months ago 55 13 6 3
16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware which a Russia-based cybercrime organization control...

Some good news! DanaBot takedown and charges revealed today! This is a massive win for defenders and the community. www.justice.gov/usao-cdca/pr...

Proofpoint also published a brief history of DanaBot today, including examples of the espionage overlap. www.proofpoint.com/us/blog/thre...

10 months ago 22 3 3 0
China conducted state-sponsored cyber attack says US Treasury | DW News (YouTube video by DW News)

Went on DW to discuss the breach at Treasury. Not sure what was more predictable - that the vector was a supply chain attack on a cybersecurity vendor or the pro-PRC bots in the comments m.youtube.com/watch?v=VjA7...

1 year ago 1 0 0 0
Cyber startup employee hacked to distribute malicious Chrome extension

Cybersecurity startup Cyberhaven, which specializes in insider threats, said it is investigating a hack of a single administrative account that spread a malicious version of its Google Chrome browser extension. therecord.media/cyberhaven-hack-google-c...

1 year ago 8 4 0 0
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US: Key findings: Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. The attack...

Proofpoint has published a report detailing new activity from #TA397 (AKA Bitter), a prominent South Asian advanced persistent threat (APT) group.

The campaign, which took place in November 2024, targeted a defense sector organization in Turkey.

Read the blog: ow.ly/z81o50UshPt.

1 year ago 8 5 1 1

We just launched our new website... please let us know if your RSS feeds or podcatchers are doing anything weird!

Meanwhile, check out the new risky.biz website. You can get everything there -- written content, podcasts/audio and video as well.

A nice website! And it only took me 18 years!

1 year ago 59 14 16 2

'Tis the season of telco and ISP attacks apparently. First Salt Typhoon and now this super interesting campaign: bsky.app/profile/did:...

1 year ago 2 0 0 0
Stanford alumni letter.pdf

Stanford alums have written the university president and provost to protest their handling of a student journalist, who is facing 3 felony accusations after covering a protest:

"It was wrongful for the University to direct his arrest and encourage his prosecution" drive.google.com/file/d/1jIx1...

1 year ago 295 65 7 6

The rabbit beat Oregon that day, 18-7. The Big Ten could never

1 year ago 0 0 0 0
1 year ago 160 11 5 2
Risky Business Weekly (773): Cybercriminals are dropping like flies in Russia (YouTube video by Risky Business Media)

This week’s show is up! Go go go!

youtu.be/cstfm5FbRFI

1 year ago 58 10 1 0
DISCARDED | Proofpoint | Proofpoint US

New episode of DISCARDED where we sit down with the 🐐 Mark Kelly, our lead China analyst, to talk all things China APT! Tune in wherever you get your podcasts. 🔮

Web: www.proofpoint.com/us/podcasts/...

Apple: podcasts.apple.com/us/podcast/d...

Spotify: open.spotify.com/episode/2AtJ...

1 year ago 24 10 2 0
Risky Business Weekly (771): Palo Alto's firewall 0days are very, very stupid (YouTube video by Risky Business Media)

This week's show is up! We cover Palo Alto Networks' very dumb 0days, big changes coming to Windows, Jen Easterly's imminent departure from CISA and why NSO being bad, in retrospect, might be... good?

Get it as audio from the usual places or from YouTube here:

www.youtube.com/watch?v=Rxye...

1 year ago 28 9 1 0