Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Will Profile picture
Will
@BushidoToken
Senior Threat Intel Advisor @TeamCymru | Co-founder @CuratedIntel | Co-author @SANSForensics FOR589 | Co-founder @BSidesBournemth | @darknetdiaries #126: REvil
Jan 13 9 tweets 2 min read
🧵 My Key Takeaways from counter-ransomware activities in 2024 🔍

Read the blog for more details:

#cybercrime #ransomware #lockbit blog.bushidotoken.net/2025/01/analys…Image 1. Law enforcement face three main challenges when it comes to ransomware:
- Ransomware-as-a-Service
- Cryptocurrency
- Safe Havens

In 2024 we saw counter-ransomware action that attempts to combat all three of these issues
Apr 4, 2024 7 tweets 2 min read
⚠️ SEXi Ransomware attack on IXMETRO POWERHOST linked to broader campaign that has hit at least three Latin American countries and Thailand 🧵

"LIMPOPOx32.bin" an ELF 32-bit Babuk-tagged Binary
58ba94be5c2c7d740b6192fea1cc829756da955bb0f2fcf478ab8355bf33a31a

1/n
Image
Image I believe this ransomware binary is connected to the SEXi attack on IXMETRO POWERHOST.

From a simple VirusTotal search for contents of the note in the BleepingComputer article, I found three other variants of this ransomware using Session targeting Latin American countries. 2/n Image
Feb 19, 2024 6 tweets 4 min read
Interesting Thread on a massive dump from a Chinese 🇨🇳 Ministry of Public Security (MPS) private industry contractor called iSoon (aka Anxun)

Leak contains:
- Spyware
- Espionage Ops
- “Twitter Monitoring Platform”
- And a lot more 🔥

This is a crazy NTC Vulkan-level leak ⚠️ Literal APT operations sales pitch slides to the Chinese MPS


Image
Image
Image
Image
Oct 8, 2023 4 tweets 1 min read
Tracking hacktivism & the 🇮🇱Israel/🇵🇸Hamas War from: 🇸🇩🇲🇦🇧🇩🇮🇳🇵🇰🇮🇷🇷🇺

(Since 7-Oct-23)
Types of hacktivists attacks shared on Telegram so far:
- DDoSing *.il websites
- Sharing of credentials for *.il sites
- Hijacking APIs to send mobile push messages
- Leaking stolen documents Regional APT actors worth researching, are as follows:
- 🇵🇸 Molerats / Gaza Cybergang / Extreme Jackal, AridViper / Desert Falcon / APT-C-23 / Mantis
- 🇱🇧 POLONIUM / Plaid Rain, Dark Caracal, Volatile Cedar, Tempting Cedar
- 🇮🇷 MERCURY / MuddyWater, DarkBit, Agrius, BlackShadow
Jun 19, 2023 6 tweets 2 min read
🧵New #CTI assessment based on OSINT research:

🔎ScatteredSpider/0ktapus is a BlackCat (ALPHV) affiliate, but doesn't deploy ransomware

- Based on some temporal, technical, and behavioral analysis

Follow me 🐇🕳 (1/6) 9 Feb 23, Reddit faced a 'highly-targeted phishing attack' & had docs and source code stolen

TTPs are very similar to ScatteredSpider/0ktapus campaigns:
- a landing page impersonating its intranet site
- stolen employees' credentials and 2FA codes
reddit.com/r/reddit/comme… (2/6)
May 10, 2023 6 tweets 3 min read
Kudos to @DragosInc for being transparent over a recent security incident:
dragos.com/blog/deconstru… CTI vendors and their platforms are lucrative target for cybercriminals. They host tons of valuable reports and threat intel data, including breach data.

Cybercriminals have targeted multiple CTI platforms to see this information. Cybercrime Counterintelligence, if you will.
May 23, 2020 4 tweets 4 min read
My iCloud is recently getting a few #16Shop #phishing emails, I RE'd the links (for lack of a better term) and found a whole trawl of their previous phish. Highly organised operation which has been going on for a few years. The links are text which have been highlighted and use s[.]id URL shorteners & IP logging service from (surprise surprise) Indonesia. More specifically: Pengelola Nama Domain Internet Indonesia.
They also use app[.]link from Branch.io that uses "Deep Linking".