Peter Girnus
@gothburz
Cyber Populist | Hacker @theZDI | CVEs in AI, ML & Enterprise Software | Inventor | Fighting PTSD & burnout with LOLs | Up & to the right
Austin, Texas
Joined December 2017
Last quarter I rolled out Microsoft Copilot to 4,000 employees. $30 per seat per month. $1.4 million annually. I called it "digital transformation." The board loved that phrase. They approved it in eleven minutes. No one asked what it would actually do. Including me. I
Credit to the Genians Security Center threat intel team for the original research. https://t.co/lrbyaqCOFr
The lesson for 2026? If you're still relying on signatures and known IOCs, you're already compromised. Behavioral detection at the endpoint or nothing. Korean-language environments and NK policy orgs - this is your threat model now.
This connects directly to their March 2025 Operation ToyBox Story. Same TTPs. Same infrastructure patterns. Same cloud accounts. APT37 iterates. They don't reinvent.
They hide payloads in JPEG images using steganography. Your DLP isn't flagging an image file. Multi-stage XOR decryption chains unpack once it lands. Runs entirely in memory. No file drops. No signatures to match.
Their C2? Yandex Cloud. pCloud. Dropbox. All legitimate services. All encrypted traffic. Blends with normal business activity perfectly. Try explaining to your SOC why blocking Dropbox is the move.
The clever part? DLL side-loading using Microsoft Sysinternals tools. ShellRunas.exe. AccessEnum.exe. VolumeId.exe. Your EDR sees signed Microsoft binaries doing their thing. Nothing triggers. Meanwhile RoKRAT payload drops in memory.
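A defender-side check for the side-loading pattern described in this post, added here as an example (it is not the thread author's or Genians' code). It assumes Sysmon Event ID 7 ImageLoad fields (Image, ImageLoaded, Signed, Signature) and runs over constructed sample events, flagging the named Sysinternals binaries whenever they load a DLL that is not a Microsoft-signed DLL from the Windows system directory.

```python
# Added detection example: flag the signed Sysinternals binaries named in the
# thread when they load a DLL that is not Microsoft-signed and in System32,
# which is the shape a DLL side-load produces in ImageLoad telemetry.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Signed Microsoft binaries the thread names as side-loading hosts.
SIDELOAD_HOSTS = {"shellrunas.exe", "accessenum.exe", "volumeid.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (ImageLoad) record (assumed field set)."""
    image: str         # process that loaded the DLL
    image_loaded: str  # full path of the DLL
    signed: bool
    signature: str     # signer as Sysmon reports it ("" if unsigned)

def is_trusted_dll(ev: ImageLoad) -> bool:
    """Trusted = lives in a Windows system dir AND carries a Microsoft signature."""
    parent = str(PureWindowsPath(ev.image_loaded).parent).lower()
    ms_signed = ev.signed and ev.signature.lower().startswith("microsoft")
    return parent in SYSTEM_DIRS and ms_signed

def find_sideloads(events):
    """Return (host exe, dll path) pairs where a watched host loaded an untrusted DLL."""
    hits = []
    for ev in events:
        host = PureWindowsPath(ev.image).name.lower()
        if host in SIDELOAD_HOSTS and not is_trusted_dll(ev):
            hits.append((host, ev.image_loaded))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\kim\Downloads\ShellRunas.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\kim\Downloads\ShellRunas.exe",
              r"C:\Users\kim\Downloads\sample.dll", False, ""),        # unsigned, user dir
    ImageLoad(r"C:\Tools\AccessEnum.exe",
              r"C:\Tools\shell32.dll", True, "Example Corp"),           # signed, wrong signer
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\kim\AppData\Local\Temp\plugin.dll", False, ""),  # not a watched host
]

if __name__ == "__main__":
    for host, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {host} loaded {dll}")
```

The signer check matters as much as the path check: a DLL can be validly signed by someone other than Microsoft and still be the side-loaded payload.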
APT37 weaponized HWP files. That's Korean Word Processor - daily software for their targets. They embedded OLE objects in docs about North Korean affairs. Recipients opened them because the content was relevant to their actual work.
What APT37's (North Korea Hackers) Operation Artemis Teaches Us About Cyber Espionage in 2026. A thread on why your signature-based detection is worthless against modern nation-state ops.
I've been reading about our activation strategy and I have some thoughts. The board was impressed when I explained how we "sunset" phone activation. That's a word I learned at Davos. It means remove a 25-year-old feature without telling anyone. My gut says: if users need to
I am the Director of User Experience at Microsoft. We designed Settings. To be intuitive. Very intuitive. The search bar is there. It searches. For everything. Except what you want. You type "make cursor bigger." It suggests "change mouse pointer." You click. It loops.
Someone sent me a message recently that I feel compelled to address, not to call them out, but because the idea itself is dangerous enough that others are probably thinking the same thing. The pitch: Deploy AI as "psychological support" through an avatar with a human-sounding
UPDATE: I asked Copilot to summarize my blog post about AI slop. It summarized a different blog post. From 2019. By someone named Steve. The cognitive amplification is amplifying.
I am the CEO of a $3 trillion company. Last week I started a blog. I called it "sn scratchpad." The "sn" stands for my initials. The "scratchpad" means I'm just thinking out loud. Like a regular person. Who happens to control the future of computing. In my first post, I
I can't comment on this. Legal reasons. But my course drops next week. Code: CARACAS. Alpha Doesn't Sleep.
@Rothbard1776 Someone also placed a large bet on Polymarket on Friday that Maduro would be captured on Saturday.
He turned $30K into $408K betting on Maduro's capture. The night before special forces hit Caracas. From his couch. In pajamas. "Some call it luck. I call it conviction." His course "Regime Change Alpha: Profiting From Global Instability" drops next week. Code: CARACAS. This
"How I Turned $30,000 Into $408,000 While You Were Sleeping" I woke up 1,260% richer this morning. Let me tell you how. Six days ago, I created a Polymarket account. Five days ago, I started researching emerging markets. Venezuela, specifically. The prediction market had
Putin watching the Maduro situation unfold. Maduro: seized. Putin: [emoji]. Navy SEALs: [emoji].
I pasted your GitHub into ChatGPT and it said the string "rustfs rpc" is a CRITICAL 9.8 hardcoded credential that violates PCI-DSS, OWASP, NIST, SOC 2, GDPR, and CCPA
CVE-2025-68926 - CVSS 9.8 (Critical) The BIG question. How did this get a CVE? The finding? A distributed storage system uses a static token for internal node-to-node gRPC communication. That's it. That's the whole vulnerability. Internal cluster traffic has a service
wtf am I seeing here? CVE-2025-68926 gRPC Hardcoded Token Authentication Bypass https://t.co/n4L0e4JWuk