Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. 🧵
Posts by Nick Attfield
Proofpoint identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan.
The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC).
We track the activity as UNK_VaporVibes. 1/8
Conflict in Iran is accelerating cyber espionage across the Middle East.
Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war.
Details: brnw.ch/21x0EJi.
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through how to pivot from the well-publicized phishing infrastructure to expose APK tooling that compromised members of the military of Asian countries.
strikeready.com/blog/apt-and...
New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...
Just published:
A two-part blog series in collaboration with
@threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state.
Part 1: brnw.ch/21wT9A5
Part 2: brnw.ch/21wT9Ad.
Appreciate it!
Dropping some joint research today with Threatray on TA397/Bitter 🔍
We dive into the confluence of signals that led us to our attribution of the threat actor 🎯
Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research.
www.proofpoint.com/us/blog/thre...
Is the era of the “named actor” done?
As the OG adversary sets diverge, get promoted, or move on
actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)
AND the CTI models maturing…
APTs ⬇️⬇️
UNCs ⬆️⬆️
@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...
Introducing #UNK_CraftyCamel!
Leveraged Trusted Business Relationship? ✅
Low Volume, highly targeted? ✅
Interesting technique? ✅
Overlaps with other IRGC clusters? ✅
Bonus: Infrastructure still up to watch how they respond to the blog? ✅
www.proofpoint.com/us/blog/thre...
It’s low volume.
Dropping some new research on TA397/Bitter 🚨
Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs
Report:
www.proofpoint.com/us/blog/thre...
On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.
🧵⤵️
I’m a little excited for this one
#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)