
Kelsey (@k3dg3)
Followers: 3K | Following: 2K | Media: 165 | Statuses: 691
Friendly NEIGHborhood Threat Researcher | Reverse Engineer
United States
Joined November 2018
We're hiring on our Threat Research team at @proofpoint! If you enjoy making threat actors' lives more difficult (and you want to work with me and lots of other smart people) apply below! 🤓 https://t.co/hUgwJCYdzv
#Latrodectus, pls come back to email. I'm bored. Feels like a "my views do not reflect the views of my employer" moment
I vote we normalize providing at least an associated month and year for IOCs shared in blogs / published research - researcher who has been catching up on too many blogs this week
#NetSupport #Rat from @SquiblydooBlog submission Samples https://t.co/mW6CuZgVHv Client32.ini MD5 17c5e53b00782ded1b35e7caae4db226 First Submission 2025-07-09 cc @skocherhan @500mk500 @k3dg3
#netsupport #rat GatewayAddress=summer25hot.]org:443 88.218.93[.]71 Main Sample from @abuse_ch 👇👇👇 https://t.co/P4QKUn4ibO Client32.ini dabe4273412d4d8ae67e8bc1786b3eac ⚠️First Sub 2025-07-07 LIC 7215675bdba98bd30c8e89aafba519de ⚠️First Sub 2025-06-19 cc @500mk500 @k3dg3
Related Pdf👇 "Comprovante-Mercado-Pago-26-05-2025-.pdf" ❇️Related #XWorm V5.2 ⛔️C2 158.69.41.]120:8000 Samples https://t.co/Ywoh4gelYj ✅AnyRun https://t.co/d8eVYuNu67 1/2 cc @dodo_sec @1ZRR4H @skocherhan @500mk500 @k3dg3
@Jane_0sint #StegoCampain Related Samples + extra 👇 https://t.co/qOLR2Wl6Vm 😎Better AnyRun https://t.co/CuxXGs4BIf ❇️Urls+extra https://t.co/0z2t9tyKDI
@Namecheap 👇 ⛔️javascriptplugin].com ⚠️javascriptplugin.lovestoblog].com ❇️ https://t.co/aTYIVBABD5 ❇️ https://t.co/pL6YGYmMKC
#booking #clickfix #fakecaptcha 👇 1nspiricity.]com pather-cancels.]com room-id039054.]com 👇 ggetsvverif.]com 👇 80.64.18.]173/nhf7/555.exe Sample https://t.co/18KuTsbSk6 AnyRun https://t.co/A3Z6rT1mvw cc @500mk500 @skocherhan @k3dg3
#booking #clickfix #fakecaptcha 👇 booking.partner-id897123.]com/sign-in?op_token=zXj81EgVvYXV0aCKyAQoUNlo 👇 ⛔️80.64.18.]173/nhf7/knfl.exe Sample https://t.co/18KuTsbSk6 AnyRun https://t.co/WIkfrHS5mL https://t.co/qnQ356AMMa cc @500mk500 @skocherhan @k3dg3
Update #booking #clickfix #asyncrat from https://grupo-positivo.]com/GUP.zip https://pastebin.]com/raw/XuBRH7G6 Samples https://t.co/QhBPkXtoBP Ip Related https://t.co/dn8QNGpfiU AnyRun https://t.co/Y1CdlEs9RS cc @500mk500 @skocherhan @k3dg3
#booking #clickfix #asyncrat 👇 ⛔️booking-visitorviewdetails-64464043.]com 👇 ⛔️penawarhippotherapy.]com/ 👇 rayidverifications.txt (PS1) 👇 ys32careservicedrive .zip C2👇 ⛔️micromissingservicx86checksup].com Samples https://t.co/dn8QNGpfiU AnyRun https://t.co/6Hy2uMVQGh
Catching up on reading external blogs this week. Question: When you read external research and they get something dead wrong, like there is no wiggle room or potential to be even a little correct, what do you do?
Forget the bird flu, anyone looking for #More_Eggs? #TA4557
https://t.co/f00QwvqrXy
https://t.co/LqhjEQN9sk
bazaar.abuse.ch
Threat intel on contactme (MD5 9b3954d8e3f79ea24ba838352b0d500d)
🌟New report out today!🌟 The Curious Case of an Egg-Cellent Resume Analysis & reporting completed by @_pete_0, @svch0st and guest contributor @k3dg3 from @proofpoint! Audio: Available on Spotify, Apple, YouTube and more! 👇 Click the link below to read the report!
Too excited it's back in email not to share: incoming: doc_inv_09-12\#[0-9]{1,4}\.pdf CampaignID: "Alpha" hxxps://isomicrotich.com/test/ hxxps://rilomenifis.com/test/ tldr high level: Email > PDF > URL > JS > MSI > #Latrodectus Samples in comments, IOCs on bazaar
I don’t repost much, but @greglesnewich is kind of awesome!
Tis the season for understanding #TA422’s latest activity AND for singing podcast guests! 🎤 In this episode, Greg Lesnewich, sr. threat researcher at Proofpoint, shares his insight on the tactics, techniques, and procedures employed by the APT. Stream: https://t.co/CPGVfs9R5M.
#Pikabot with updates Attack chain 1/x delivered via html attachments. MSI: https://t.co/5g4rKMwP6p html: https://t.co/FGKp8DATaz DLL: https://t.co/riyrqgBnrO
#Bumblebee lg1010 rolled in today via Cookie Reloaded (prometheus tds) URLs RC4Key: NEW_BLACK C2: 192.168.0.101:444 C2: 186.85.54.111:149 https://t.co/0G5l5PqyyX
https://t.co/fJtnLW8oPf
tria.ge
Check this bumblebee report malware sample 15b7cb2818530bbf0b55ea608d85df1bd97004a8556a358c11f84dbb93b893f7, with a score of 10 out of 10.
#Bumblebee "rar28" rolling in via DocuSign-themed emails with compressed exes rc4:"new_black" 192\.168.0.101:444 134\.156.166.37:332 https://t.co/uCG2fvaQdU
https://t.co/qg3KMtlP5y
@Myrtus0x0
tria.ge
Check this bumblebee report malware sample d0e01dcc6c4cb19e8848d18c1a7e6f6aac8ba48ce6a9052576e60e36cbb7596f, with a score of 10 out of 10.