
Nick Attfield

@nickattfield

Threat Researcher @ Proofpoint | Views are my own.

Followers: 118
Following: 175
Posts: 5
Joined: 11.11.2024

Latest posts by Nick Attfield @nickattfield

Preview
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings: Between June and August 2025,

New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...

05.11.2025 13:37 👍 18 🔁 12 💬 2 📌 0
Preview
APT: Android, Phishing, Microsoft
A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through infrastructure and malware pivots to expose novel tooling that compromised the p...

A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through how to pivot from the well-publicized phishing infrastructure to expose APK tooling that compromised members of the military of Asian countries.

strikeready.com/blog/apt-and...

19.08.2025 10:45 👍 4 🔁 3 💬 0 📌 0
Preview
Exclusive: China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say
Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns, researchers said on Wednesday.

New: A handful of Chinese-linked cyber espionage groups are stepping up targeting of Taiwanese semiconductor companies, per new analysis from @proofpoint.com. Campaigns include targeting of financial analysts focused on the sector as well: www.reuters.com/sustainabili...

16.07.2025 21:16 👍 15 🔁 9 💬 1 📌 0
Preview
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout

Just published:

A two-part blog series in collaboration with
@threatray.bsky.social, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor with interests aligned to the Indian state.

Part 1: brnw.ch/21wT9A5
Part 2: brnw.ch/21wT9Ad.

04.06.2025 14:56 👍 3 🔁 2 💬 1 📌 1

Appreciate it!

04.06.2025 17:10 👍 0 🔁 0 💬 0 📌 0
Preview
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US
This is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can be found on their website here. Analyst note: Throughout

Dropping some joint research today with Threatray on TA397/Bitter 🔍

We dive into the confluence of signals that led us to our attribution of the threat actor 🎯

Shoutout to @konstantinklinger.bsky.social and Threatray for collaborating on this research.

www.proofpoint.com/us/blog/thre...

04.06.2025 11:13 👍 11 🔁 8 💬 0 📌 1

Is the era of the “named actor” done?

As the OG adversary sets diverge, get promoted, or move on

actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground)

AND the CTI models maturing…

APTs ⬇️⬇️

UNCs ⬆️⬆️

21.05.2025 20:15 👍 28 🔁 8 💬 7 📌 0
Preview
TA406 Pivots to the Front | Proofpoint US
What happened: In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these

@greg-l.bsky.social drops knowledge on TA406 (Konni) as North Korea shows new interest in Ukraine, likely to keep tabs on the progress of the war and Russia's ability to keep pace on the battlefield www.proofpoint.com/us/blog/thre...

13.05.2025 09:53 👍 15 🔁 13 💬 1 📌 1
Preview
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US
Key findings: Proofpoint researchers identified a highly targeted email-based campaign targeting fewer than five Proofpoint customers in the United Arab Emirates with a distinct

Introducing #UNK_CraftyCamel!

Leveraged Trusted Business Relationship? ✅
Low Volume, highly targeted? ✅
Interesting technique? ✅
Overlaps with other IRGC clusters? ✅
Bonus: Infrastructure still up to watch how they respond to the blog? ✅

www.proofpoint.com/us/blog/thre...

04.03.2025 21:18 👍 7 🔁 5 💬 0 📌 0

It’s low volume.

18.12.2024 08:35 👍 1 🔁 0 💬 0 📌 0
Preview
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US
Key findings: Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. The attack...

Dropping some new research on TA397/Bitter 🚨

Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs

Report:
www.proofpoint.com/us/blog/thre...

17.12.2024 12:10 👍 16 🔁 13 💬 2 📌 1

On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

🧵⤵️

12.12.2024 21:18 👍 17 🔁 11 💬 1 📌 5

I’m a little excited for this one

19.11.2024 23:21 👍 1 🔁 0 💬 0 📌 0
Preview
ALT: two men are standing next to each other with the words "we open it up" on the screen

#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)

19.11.2024 14:00 👍 42 🔁 22 💬 2 📌 11
Preview
New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9
Background: On July 27, 2024, XLab's Cyber Threat Insight and Analysis System (CTIA) detected an ELF file named pskt from IP address 45.92.156.166. Currently undetected on VirusTotal, the file trigger...

Wait... did a Chinese security vendor just publish research on a suspected Chinese APT backdoor? 🙃

I need your thoughts here @jags.bsky.social

blog.xlab.qianxin.com/analysis_of_...

12.11.2024 19:19 👍 26 🔁 8 💬 1 📌 1