
SentinelLABS

@sentinellabs

We are the Threat Intelligence and Malware Analysis team of @sentinelone.com https://sentinellabs.com https://labscon.io

271 Followers, 20 Following, 26 Posts, joined 14.11.2024

Latest posts by SentinelLABS @sentinellabs

🔥 👀 New research from @morecoffeeplz.bsky.social and @silascutler.bsky.social on the "silent" AI network, a massive, unmanaged layer of open-source AI infrastructure operating in the shadows.

29.01.2026 16:42 👍 4 🔁 1 💬 1 📌 1
Preview: Inside the LLM | Understanding AI & the Mechanics of Modern Attacks
Learn how attackers exploit tokenization, embeddings and LLM attention mechanisms to bypass LLM security filters and hijack model behavior.

✅ #LLM literacy is table stakes for defenders, CTI analysts, and #cybersecurity professionals of all stripes now.
Still looking for a way into this complex field? 🤔
LABS has got you covered!
Start here:
s1.ai/inside-llm-1
@sentinelone.com

13.01.2026 16:44 👍 4 🔁 3 💬 0 📌 0
Preview: PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation
SentinelLABS uncovers a coordinated spearphishing campaign targeting organizations critical to Ukraine's war relief efforts.

🔥 New Research from @hegel.bsky.social 🔥

PhantomCaptcha: A short-lived, multi-stage PowerShell and WebSocket RAT operation targeting Ukraine-linked humanitarian and government entities.

Full report: s1.ai/pcapt

22.10.2025 22:46 👍 4 🔁 2 💬 0 📌 0
Preview: Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware
LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.

🔥🔥 Fresh research drop live from #labscon Arizona. @alex.leetnoob.com and @morecoffeeplz.bsky.social with @vkamluk.bsky.social
The Hunt for LLM-enabled malware #ai #cyber #threatintel
s1.ai/llm-mw

19.09.2025 17:07 👍 4 🔁 4 💬 0 📌 0

Reddit AMA with our very own @dakotaindc.bsky.social — ask him anything here: www.reddit.com/r/geopolitic...

13.09.2025 21:42 👍 4 🔁 2 💬 0 📌 0
Preview: Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.

🚨New research drop: Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

It was a pleasure collaborating with Sreekar Madabushi and @kennethkinion.bsky.social from Validin!

Read our blog post: s1.ai/nk-ops

04.09.2025 10:33 👍 10 🔁 6 💬 1 📌 0
Preview: Threat Hunting World Championship 2025 | SentinelOne
Win from a $100K prize pool in SentinelOne’s 2025 Threat Hunting Championship. Compete in detection challenges. Register today!

πŸ† Bragging rights, a $100K Prize Pool, and an all-expenses-paid trip to SentinelOne’s OneCon conference in Las Vegas. 🎰 Step up, test your skills, and claim your crown πŸ‘‘

Sign up below (includes details on terms and conditions):

26.08.2025 19:16 👍 2 🔁 1 💬 0 📌 0
Preview: China’s Covert Capabilities | Silk Spun From Hafnium
China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

The Cyber Patents China Didn’t Want Us to Find: @dakotaindc.bsky.social and @sentinellabs.bsky.social uncovered 10+ patents for highly intrusive forensics and data collection tools — filed by companies named in U.S. gov't. indictments for working with the Chinese Hafnium (aka Silk Typhoon) APT group.

25.08.2025 19:29 👍 3 🔁 1 💬 1 📌 0
Preview: Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.

🔥 Fresh from the LABS team and our friends at Beazley Security 👇 https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/

06.08.2025 13:55 👍 2 🔁 1 💬 0 📌 0
Preview: BSL - Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain:

labs.beazley.security/articles/gho...

Thanks for the fantastic collab SentinelLabs team!

04.08.2025 17:58 👍 3 🔁 2 💬 0 📌 0
Preview: China’s Covert Capabilities | Silk Spun From Hafnium
China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

🌀🔥… the complex relationship btw CN APTs 🕵️‍♂️ and CN PSOAs 🇨🇳 makes attribution even more challenging than defenders might have supposed. #cti #threatintel #hafnium #silktyphoon @dakotaindc.bsky.social

www.sentinelone.com/labs/chinas-...

30.07.2025 14:25 👍 2 🔁 2 💬 0 📌 0
Preview: Microsoft Sharepoint Security Crisis: Faulty Patches, Zero-Day Exploits (YouTube video by Three Buddy Problem)

This week's show is YouTube ready @craiu.bsky.social @jags.bsky.social

🔥 Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days

youtu.be/3GJuVGmpexA

27.07.2025 12:47 👍 8 🔁 4 💬 0 📌 0

⚠️ #0-DAY #Microsoft
👾 #CVE-2025-53770
🔩 #ToolShell
bsky.app/profile/sent...

27.07.2025 13:05 👍 2 🔁 2 💬 0 📌 0
Preview: macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App
ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets.

👀 Apple: “macOS is secure by design.”
💻 Meanwhile, in /Users/Shared:
🕵️‍♂️ Persistent Malware masquerading as Apple “agent”
>> Khepri beacon in /tmp
📦 Ad-hoc signed payloads
🌍 Targeting Chinese diaspora
Deep dive from Dinesh Devadoss and me 👉 s1.ai/zuru
#icymi #macOS #malware #APT #infosec

27.07.2025 12:16 👍 8 🔁 6 💬 1 📌 0
Preview: macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
NimDoor reflects a leap in DPRK’s offensive toolkit, mixing compile-time trickery with native scripting to complicate and deter analysis.

💥 Fresh from LABS @philofishal.bsky.social and @syrion89.bsky.social
Our guys untangle the knots of #NimDoor: compiled Nim, macOS process injection and signals-based persistence triggers, with AppleScript (⁉️) beacons (whatever will they think up next 😅) 🌶️🌶️.
#dprk #apt #macOS
s1.ai/nimdoor

02.07.2025 12:03 👍 3 🔁 3 💬 0 📌 0
Preview: Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks (YouTube video by Three Buddy Problem)

This week's show is a three-hour deep dive into Predatory Sparrow and the long-simmering Iran-Israel cyberwar (with @darkcell.bsky.social @craiu.bsky.social @jags.bsky.social) youtu.be/MKKzHseTUUQ?...

21.06.2025 17:55 👍 4 🔁 3 💬 0 📌 0

"The best netflow comes from asking friends for favors." -- @jags.bsky.social @craiu.bsky.social

14.06.2025 16:16 👍 9 🔁 2 💬 1 📌 1
Preview: Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

Get the full story here:

www.sentinelone.com/labs/follow-... [2/2]

09.06.2025 11:42 👍 3 🔁 1 💬 0 📌 0

We just released our findings on long-term activity clusters attributed to China-nexus actors.

We discuss a relatively underreported, yet critical, aspect of the threat landscape: the targeting of cybersecurity vendors.

Big shout out to Lumen's Black Lotus Labs for their support! [1/2]

09.06.2025 11:42 👍 6 🔁 4 💬 1 📌 0

From PhD work to award-winning cybercrime research, @milenkowski.bsky.social of SentinelLABS is a force in malware analysis.

Catch his talk at #SLEUTHCON 2025!

🎟️ Grab your ticket today >>> www.sleuthcon.com

#CyberThreatIntel #InfosecEvents

01.05.2025 17:50 👍 4 🔁 2 💬 0 📌 0
Preview: Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.

📄 Read the full research: s1.ai/TopTier

29.04.2025 19:06 👍 7 🔁 4 💬 0 📌 0
Preview: Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.

Love when we can talk about how dynamic the threat landscape actually is. The scope and scale of the DPRK IT workers effort alone surprised me as we worked it. Also love @sentinelone.com let us discuss this openly and viewed it as important to do so.

www.sentinelone.com/labs/top-tie...

28.04.2025 20:57 👍 5 🔁 3 💬 0 📌 0
Preview: Tom Rid joins the show: AI consciousness, TP-Link's China connection, trust in hardware security

Appreciate the shoutout @jags.bsky.social (and that you aced my last name)! If you don’t listen to the Three Buddy Podcast yet, it is absolutely amazing and you should!

open.spotify.com/show/6dXbRag...

25.04.2025 20:28 👍 11 🔁 4 💬 1 📌 0

At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.

24.04.2025 14:31 👍 7 🔁 5 💬 0 📌 0

Very excited to share that I’ll be presenting at @sleuthcon.bsky.social in June!

Jim & I will share the backstory behind AkiraBot that didn’t make it into the blog — and what they’ve been up to since.

25.04.2025 19:12 👍 12 🔁 3 💬 0 📌 0

Published a new Pharos report today - and learned a lot in the process from @milenkowski.bsky.social Jiro, @julianferdinand.bsky.social @tgrossman.bsky.social. The report takes a closer look at how states are using ransomware.

virtual-routes.org/wp-content/u...

23.04.2025 20:19 👍 14 🔁 9 💬 1 📌 1
Preview: AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
AkiraBot uses OpenAI to generate custom outreach messages to spam chat widgets and website contact forms at scale.

👉 s1.ai/akirabot
#OpenAI abused by spambot to carve out custom messages and beat CAPTCHAs. #security
@alex.leetnoob.com 🕸️

12.04.2025 20:04 👍 2 🔁 1 💬 0 📌 0

It feels like a useful feature so I have just implemented it under aflmc. Thanks for sharing your alias! github.com/radareorg/ra...

11.04.2025 08:53 👍 3 🔁 2 💬 0 📌 0