Pleased to share my first official Team Cymru blog that follows on from my webinar last month 🙌 . “Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry” 🇰🇵 🔍 .

Sending out vulnerability notifications is always difficult. But Friday afternoons, while the US is off on a national holiday, makes things much harder. @CuratedIntel members are doing gods work behind the scenes to stop the next wave of ransomware attacks as best we can 🫡.

More blogs are on the way, so stay tuned!.

It’s fantastic to have Julien come and Keynote for our conference! Looking forward to this talk very much. If you use on a daily basis, come and meet the creator at BSides Bournemouth!. Tickets still available here:.

ICYMI:

Anyone on the forensics side of the house who worked a Hunters International case in the past may want to look into the free decryption keys for victims who’ve saved any locked files. Several other ransomware gangs have done this before, namely Avaddon. #DFIR #IncidentResponse.

Summary report on a lot of the surrounding miscellaneous hacktivist activity related to the 🇮🇷 🇮🇱 war 👇 .

Qantas has disclosed a breach 🦘 ✈️ . “The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform.” . Sounds like the same crew to me.

Check your inboxes if you submitted to the CFP!.

Aeza Group sanctioned 👇 🇺🇸 🇬🇧.

Interesting discovery, an 🇮🇷 hacktivist group called “APT-Iran” has shared their apparent usage of LockBit Black (the leaked version) 👇 .

US law enforcement has point out a warning about Iranian adversaries targeting US organisations 👇 .

🫡 @AviationISAC Godspeed ✈️.

Mandiant & PAN are sounding the alarm 🚨 that Scattered Spider style attacks are now targeting the ✈️ aviation sector: Recent airline attacks reported have been:.- Hawaiian Airlines (.- WestJet (.

More dumb ways cybercriminals got caught!. alpha02: left his personal email in a welcome message to new members of AlphaBay. NetWalker: logged into Gmail from a C2 IP and sent a Google home mini to his address and used his real name. ChipMixer Admin: bought BTC at KYC exchange.

Also an interesting side note here is how law enforcement tracked VPN usage between IntelBroker’s X/Twitter account and his email account 📧 . Exploiting cybercriminal infrastructure TTPs is another key method to link identities together 🔍

Exploiting Bitcoin opsec fails continues to be a fruitful tactic to catch cybercrims for LE, which is 100% exactly why we teach it in #FOR589 with our partners @chainalysis.

⚠️ IntelBroker was arrested in France 🇫🇷 in February 2025, and the US 🇺🇸 is seeking his extradition. How did Law Enforcement Deanonymize IntelBroker? 🔍 . TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰 .

Many CTI companies create and manage Threat Actor databases, myself included in past roles. But one thing I don’t see often is Researcher profiles, which can provide context & awareness about vuln or offsec researchers and why orgs should take them seriously.

Three insurance firms named as victims: Erie, Philadelphia, and Aflac. “All three insurance-company hacks are consistent with the techniques of a young and rampant cybercrime group known as Scattered Spider, people familiar the investigation tell CNN.”.