Tom Hegel
Technical and Strategic Threat Intelligence, Principal Threat Researcher with SentinelLabs / @SentinelOne, Advisor with @ValidinLLC
Sep 5, 9 tweets
Can't help myself.. Taking a look into some of these 32 domains sheds light on a few unmentioned Doppelganger domains still active and personas posting on Twitter. Quick 🧵

lebelligerant[.]io
Twitter Account: @lebelligerant
Image 1 - Homepage.
Image 2 - Translated Main Article.
Image 3 - Fresh tweets.
Note: The webmail subdomain mistakenly uses the 50statesoflie[.]media domain content, which was listed in the Doppelganger affidavit.
Mar 25, 6 tweets
I often get asked what tools I use for various aspects of threat research / analysis --

Here's a quick list of my favorites that most are not taking advantage of.. 🧵

1. Aeon Timeline (@AeonTimeline):
▪️ This is my replacement for most Maltego-style mapping + time-lining chaotic events.
▪️ Everything I investigate starts with one of these to track pivots/clues.
▪️ $65 a year..

More about how I use it here: sentinelone.com/labs/putting-t…
This is outdated as hell, don't @me
Jul 20, 2023, 5 tweets
💜 JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity

I took a look into the IOCs shared by @JumpCloud and found links to APT Infrastructure we attribute to DPRK.

Quick 🧵..

#threatintel
sentinelone.com/labs/jumpcloud…

Look how 144.217.92[.]197 is being used by npmaudit[.]com -- this domain links to @github's recent security alert. Nice!

Based on the timing of this, I'm going to assume it's related to the JumpCloud intrusion, but that's just my outsider perspective here.

github.blog/2023-07-18-sec…
Mar 22, 2022, 20 tweets
Today CERT-UA released two new posts on recent attacks on Ukraine Gov and enterprises.

- UAC-0026 Delivering HeaderTip.
cert.gov.ua/article/38097

- UAC-0088 Attacks with DoubleZero Wiper.
cert.gov.ua/article/38088

Follow along for a quick thread:
🧵1/x @AeonTimeline

2/x: (threads are hard, sorry)

First let's look at UAC-0026:

Some (including me at first) are associating this with Symantec's 2015 post on "Scarab", who was active since 2012.

At the time they were known to target a very small number of individuals of interest (see map)
Feb 10, 2022, 10 tweets
Today we published a new report on the new ModifiedElephant APT, and the years of attacks against groups and individuals in India.

Blog: s1.ai/m-elephant
Full Report: s1.ai/mod-elephant

Quick 🧵 on some highlights:

ME is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.