October infostealer ποΈ. March extortion emails π§. 5 months of dwell time. This is what undetected credential compromise looks like in practice. And with AI tools lowering the automation barrier, expect that timeline to speed up fast π.
www.bleepingcomputer.com/news/securit...
Recorded Futureβs Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...
"There is a lack of consensus regarding the current state of AI malware maturity."
So we put together #AIM3 to help #malware researchers describe the maturity level of an #AI_Malware Threat.
www.recordedfuture.com/blog/ai-malw...
We all spent the last year vibe coding the shit out of web apps in React without knowing a single thing about JavaScript. Then enters #CVE-2025-55182 #React2Shell... poetry.
βThe spirits that I summoned I now cannot rid myself of again.β
Excited to join a discussion on the second edition of The Mythical Beast by Jen Roberts (@atlanticcouncil.bsky.social), exploring the complex networks behind the spyware ecosystem. This kicks off the new Colloquium series by @virtualroutes.bsky.social: virtual-routes.org/event/mythic...
Great blog post from @briankrebs.infosec.exchange.ap.brid.gy on #StarkIndustries. Makes a great point by highlighting it's links to MIRHosting. Where there are Dutch prefixes under these providers, there is usually always MIRHosting upstream.
Not a lot of public reporting on this, but we are seeing a mountain of activity π
1/ Today @whoisnt.bsky.social, Marius, and I release a report on a new threat actor, #TAG-150, active since at least March 2025, which stands out for its rapid development, sophistication, responsiveness to reporting, and a large, evolving infrastructure: www.recordedfuture.com/research/fro...
Big report from our team at Recorded Future around #ThreatActivityEnablers (all of the hostings and services that power malicious infrastructure). Great Research on #StarkIndustries!
Please give me the strength not to buy this hotswap GPU framework laptop with maxed-out specs. π¬
1/ We just released a new report on TAG-144 (also known as Blind Eagle), where we identified five distinct activity clusters that have been active throughout 2024 and 2025, primarily targeting the Colombian government at multiple levels. Link to the report: www.recordedfuture.com/research/tag...
π A day in the life of a #Lumma malware operator... this is a must-read! πͺ
1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...
"By 2025, 96% of companies are expected to use public cloud services, and 84% will adopt private cloud services. Additionally, 92% of organizations are projected to implement a multicloud strategy, reflecting the growing trend of cloud adoption across various industries." - Nextwork
Amazing DDoSia Project Research by @calwarez.bsky.social, great work!!! www.recordedfuture.com/research/ana...
NoName057(16) had thousands of targets in their crosshairs π―, and they utilized their DDoSia Project and a crowdsourced army πͺ to take them down... This is a must-read Report!
simonwillison.net/2025/Jul/6/s... This is likely the beginning of the new "open S3 bucket" wave of attacks. MCP is awesome and a greatly needed standard, but we know how this will go for the next year or two. π«€
#Remcos #malware is now at v7.0. No significant changes to the payload side, but improvements to enhance reliability and address bugs based on operator experience added.
Samples:
tria.ge/250709-3vxwa...
tria.ge/250710-vba87...
Looks to be distributed via email campaigns from reboundue[.]com emails
Today we are releasing a report on new infrastructure and tooling linked to GrayAlpha, a financially motivated threat actor overlapping with FIN7 π§΅
www.recordedfuture.com/research/gra...
Today weβre publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Hereβs what we found π§΅
www.recordedfuture.com/research/pre...
Another report by Insikt Group on newly identified malware families #TerraStealerV2 as well as #TerraLogger, both attributed to the threat actor Golden Chickens: www.recordedfuture.com/research/ter...
The memo acknowledges that the list includes many terms that are used by the NSA in contexts that have nothing to do with DEI. For example, the term "privilege" is used by the NSA in the context of "privilege escalation." In the intelligence world, privilege escalation refers to "techniques that adversaries use to gain higher-level permissions on a system or network."
Oh my god, they just unintentionally wrecked a ton of red team playbooks at the NSA popular.info/p/the-nsas-b...
Today was the first day I reflexively went to Bsky for a quick check-in on the world of social media. Post-Twitter, as someone who does not use other platforms, I missed seeing authentic commentary without all the other madness.
Threat model around controlling an AI-driven IDE like Cursor and now Trae (Bytedance) www.trae.ai
Imagine being a MiTM of code generation and shipment to git repos. You could lean the developer toward vulnerabilities and Just-in-time code injection for PRs.
We will still be busy, that's for sure.
therecord.media/kristi-noem-...
- Give someone a fish... they eat for a day π΄
- Teach someone to fish... they eat for a lifetime πͺ
- Convince someone that fish are evil, and you should not listen to fish or eat anything in general... they starve π
When top Infostealers do the press rounds π¬... it's a good reminder for me.
Cybercrime isnβt lurking in the shadows anymoreβitβs running PR campaigns.
The game has changed so much and is probably driving the disruption ops that LE has been doing. π€
g0njxa.medium.com/lumma-steale...
π Triage Link for that sample: tria.ge/241218-yx89w...
π¦ It drops a PowerShell script 'init.ps1' π¦(86039bc8b1a6bb823f5cbf27d1a4a3b319b83d242f09ffcd96f38bbdbbaaa78f) tria.ge/241218-z9xx3...
RE: Comment - Why don't technical people want to go into leadership? In other industries, technical leaders are common. The top cybersecurity firms were started by practitioners who helped define the industry. What changed? I would argue that the gap is on the leadership side.
However, anyone who has mentored knows many people are looking to get into or get promoted in #cybersecurity. The people (and talent) are there, but there needs to be more/better leadership talent to guide those newcomers into roles we genuinely need.
