Florian Roth ⚡️
@cyb3rops
Followers 211K · Following 174K · Media 6K · Statuses 36K
Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim
Frankfurt, Germany
Joined June 2013
I've decided to put a screenshot showing the hex editor view of a Turla Kazuar sample behind acrylic glass on my desk to always remind me why I am doing all this ... because I 💛 to be a pain in the neck of the bad guys https://t.co/LnoC5rwkWV
It seems that I have some fans over in Russia 🐻 #TurlaLicksAss thx to the FireEye analyst who brought this to my attention https://t.co/8qsaFLT8HL
183
311
2K
My award for the best guardrails in an APT group's close access operation: https://t.co/rQoipMxUzD 👀 enjoy! Installs a hard-coded attacker-controlled wireless access point to a victim with a specific TP-LINK USB WiFi adapter 📶 Wonder if they got the USB stick at a conference 🔥
2
9
34
They can run, but they can’t hide
1
3
34
Slides for "ToolShell Patch Bypass and the AI That Might Have Seen It Coming" at @NDC_Conferences {Manchester} 2025. https://t.co/SDMTE43kDS Bonus: WAF & workarounds bypass! #AppSec #SharePoint #TolShell
2
50
181
I beg you, please stop adding IPs for Telegram and other legitimate platforms to your blogs in the IOC section, it leads to this kind of noise in VT comments and pollutes threat intel feeds.
5
13
100
Our latest blog post is up! https://t.co/n6UEOlj46M C2 IP Addresses (for hashes check our post): 39.97.229[.]220 43.247.134[.]215 45.76.155[.]14 45.157.233[.]80 46.36.37[.]85 47.84.113[.]198 192.9.245[.]121 193.34.213[.]150
tlpblack.net
Analysis of React Server Components RCE vulnerability (CVE-2025-55182) exploitation leading to cryptojacking campaigns targeting Next.JS applications
2
24
56
Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series! 1️⃣ @unsigned_sh0rt maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. https://t.co/Ai4TqTtc4O 🧵: 1/2
specterops.io
TL;DR: SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire manage...
1
43
107
Be extra boss - go passwordless ;) Hello for Business and Platform SSO are pretty easy to configure, and even passkeys on mobile aren't too bad. You don't have to move everyone all at one time - start a pilot, migrate in phases, start reducing password use as soon as possible :)
My go-to recommendations for protecting against weak passwords: - Lithnet AD Password Protection - Specops Password Policy. Of course there is also Entra Password Protection. Regardless, following some foundational rules does make a difference. Strong password policies. Enforce
5
10
107
Cracking ValleyRAT(SilverFox): From Builder Secrets to Kernel Rootkits Targeted Deletion of EDR/AV Drivers https://t.co/8hPrQofTa6 winos4.0 source code ref: https://t.co/lZMelJ0b6g
https://t.co/1aOPuNI7S8
1
23
84
So the state rolls out heavy-handed age-gating and erosion of privacy rights… because some parents never figured out Google Family Link or Apple’s Screentime. There are entire ecosystems of parental-control tools that already do the job. Instead we get face or national ID checks
9
9
56
Google’s new Infographic generator is pretty damn good, I asked it to make this diagram based on all DOJ & OFAC public reports on 🇰🇵 DPRK IT worker schemes. I checked its workings and it all checks out as far as I can tell.
3
26
218
🚨 Earlier this year, Rapid7 researchers discovered a stored cross-site scripting (XSS) vuln. in #Ivanti Endpoint Manager (EPM) – affecting versions 2024 SU4 and below. Now patched, CVE-2025-10573 has been assigned a CVSS score of 9.6. More in our blog: https://t.co/FtdADlLLee
2
22
58
We live in weird times where someone pops thousands of systems in hundreds of orgs just to drop a crypto miner that makes maybe $2 a day In a way we should almost thank them. Their stuff is noisy as fuck and makes people aware of exploitable services before something more
12
14
221
I have spent some time this past day investigating the NodeJS source code and what a typical process tree from a React/Next.js app looks like. If you are building detections for React2Shell, give this a read, as it'll help you identify the right strings to use to filter down FPs
3
27
127
Generic detection rules FTW 🙌 The post-exploitation activity @wiz_io showed yesterday makes these scripts light up like a Christmas tree🎄: bash reverse shells, crypto miner indicators, history resets, wget/curl from http to bare IPs, base64 decoding, etc If you keep your
4
46
193
You'll probably hear the term #memshell more often. It is used for shells (web shells) that get implanted into memory. The most common ones used in the exploitation of #React2shell register two API endpoints (/exec and /nodesync) that respond to a cmd=xxx command. Example:
1
15
127
🔴 Watch out, someone is "patching" (?) servers vulnerable to #React2Shell and leaving a warning message about CVE-2025-55182 in English, Chinese, Japanese, and Spanish. According to Censys, 314 servers had/have this condition at this very moment. The vast majority of domains
1
68
459
Here's our new blogpost with a technical deepdive into exploitation we're observing in the wild of CVE-2025-55182 (aka react2shell): https://t.co/jBvMgTqjEO
3
42
99
It’s always bemused me how after years of CTI sharing, we’ve still not standardised intel sharing on IP addresses… Funnily enough, Salesforce actually did the best job here IMO versus two veteran cybersecurity vendors CrowdStrike & ESET
6
22
129
Like others we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised hosts with Next.js attacking our sensors: https://t.co/5HLkkIHMlg
1
19
39