
Posts by Twyner

TTPs

Things that
Threat Actors do when they
Perform a cyber attack


Never assume your audience knows what acronyms stand for.

5 months ago 17 3 0 0

If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.

5 months ago 25 23 0 0

Well now I need to buy a ticket 🫶

6 months ago 1 0 0 0

CFP closes this Friday, September 26th at 11:59pm EST!

If you'd like to speak at CYBERWARCON this year, get your talk submission in ASAP to be considered!

Submit your talk here >> www.cyberwarcon.com/cfp2025

#CYBERWARCON #CFP

6 months ago 14 9 0 1

This may be one of the sickest coins I’ve seen in a while

6 months ago 1 0 0 0
ALT: a man says we're going to keep this going on a stage
6 months ago 0 0 1 0

B I G facts

7 months ago 0 0 0 0

But it did use AI?

8 months ago 1 0 1 0
These are our favorite cyber books on hacking, espionage, crypto, surveillance, and more | TechCrunch These are our favorite cybersecurity books, both by fiction authors, as well as journalists and researchers.

We published a reading list of our favorite cyber and cyber-adjacent books.

We're keeping it relatively broad. Books about privacy and surveillance are and will be a part of this.

This is meant to be a post to be updated regularly. If you have suggestions on what we should read next, please share!

8 months ago 57 23 5 2

Those white papers were a golden age but reports like those also cause more clusters to pop up as actors change to avoid detections

9 months ago 1 0 0 0

#what_is_sos

9 months ago 4 3 0 0
Unveiling RIFT: Enhancing Rust malware analysis through pattern matching | Microsoft Security Blog Threat actors are adopting Rust for malware development. RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry.

Today, Microsoft Threat Intelligence Center is proud to announce the release of RIFT, an open-source tool designed to assist malware analysts automate the identification of attacker-written code within Rust binaries. https://msft.it/63324SLarg

9 months ago 9 3 0 1

JS analysis is absolutely terrible

9 months ago 2 0 1 0

I’ve been fortunate enough to go to at least one F1 race a year since 2021 but this year I won’t be going to any and I’m not sure how to feel

9 months ago 0 0 0 0

Fwiw - I believe all the major email providers have them but it’s things like this that are making them phase it out

9 months ago 1 0 0 0

More CVE-2024-42009 exploitation from invoice[@]b-s-r[.]eu from May 29, 2025

Same subject and payload that CERT-PL found, but sent via TOR node instead of freemail provider

cert.pl/en/posts/202...

10 months ago 6 2 0 0

I know AI / LLMs get a lot of flak these days but I’ve thoroughly been enjoying whipping up a quick script or summarizing 50+ pages of legalese. I guess we’ll see how long it takes for me to regret those words though

10 months ago 0 0 0 0
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | Microsoft Security Blog Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.

Microsoft has discovered a cluster of worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. https://msft.it/63324S9Jkp

10 months ago 32 23 1 5

100 days of yara really got to you huh?

10 months ago 1 0 1 0
Gaode Maps | Bellingcat's Online Investigation Toolkit Gaode Maps (also known as AMap) is a mapping application and technology from the Chinese company Alibaba.

China provides several map services that can be useful for open source researchers. Gaode Maps is one of them. Conveniently, it is also accessible to people based outside of China. Have a look at @bellingcat.com's Online Investigation Toolkit to learn more: bellingcat.gitbook.io/toolkit/more...

10 months ago 48 13 0 1

You mean “by the truckload”?

10 months ago 0 0 0 0

The amount of medicine I’ve taken the last 24 hours to be a semi-functioning parent should be researched

10 months ago 3 0 1 0

Maaaan what a loaded and complicated question to answer haha

10 months ago 0 0 0 0

He’s cooked chat

11 months ago 1 0 0 0
Operation RoundPress targeting high-value webmail servers ESET researchers uncover a Russia-aligned espionage operation that they named RoundPress and that targets webmail servers via XSS vulnerabilities.

#ESETresearch publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. www.welivesecurity.com/en/eset-rese... 1/5

11 months ago 14 12 1 0

Great stuff as always

11 months ago 0 0 1 0

Not all heroes wear capes

11 months ago 0 0 0 0
Russia – Attribution of cyberattacks against France to the Russian military intelligence service (APT28) (29.04.25) France condemns in the strongest terms the use by the Russian military intelligence service (GRU) of the APT28 attack modus operandi, (…)

Fascinating to see reference to GRU unit 20728 from FR relative to Russia's offensive cyber program -- as far as I'm aware, a first from a Western service?

www.diplomatie.gouv.fr/fr/dossiers-...

11 months ago 17 7 3 0

Getting warmer…

11 months ago 0 0 0 0

No worries! I was hoping to hit FIRST and PivotCon this year but just wasn’t in the cards

11 months ago 0 0 0 0