Targeted threat analysis, Incident Response, Malware Analysis and Forensics (memory/disk/network). Co-Founder @Volexity

Joined July 2008
5ck retweeted
Quick update. I am now with @Volexity :) super excited! Last few months were not the easiest but thankfully I have great friends in the field and was able to stay afloat and find the right place. I got lucky in this current job market. Back to reversing malware and drifting :)
5ck retweeted
4 Dec 2025
.@Volexity #threatintel tracks a wide variety of threat actors abusing Device Code & OAuth authentication workflows to phish credentials. And these techniques continue to see success due to creative social engineering. [1/2]
5ck retweeted
18 Oct 2025
Detecting and Preventing Obfuscated Script Execution with Tree-sitter, presented by David McDonald, Software Engineer at Volexity. This talk shows how tree-sitter can detect and block obfuscated scripts, strengthening defenses against AMSI bypasses and malware attacks. #BSidesNYC
5ck retweeted
8 Oct 2025
APT meets GPT: @Volexity #threatintel is tracking #UTA0388's spear phishing campaigns against targets in North America, Europe & Asia, that appear to use LLMs to assist the #threatactor’s ops. Letting #AI run your espionage operations? What could go wrong? [1/2]
5ck retweeted
18 Sep 2025
#FTSCon Speaker Spotlight: Andrew Case (@attrc) is presenting “Detection and Analysis of Memory-Only Linux Rootkits” in the MAKER track. See the full list of speakers and event info, including how to register, here: volatilityfoundation.org/fro…
18 Sep 2025
#FTSCon 2025 is just a little over a month away. There are some really amazing talks lined up this year. Don't miss out on one of the best events focused on #DFIR. Hear from researchers that build tools and analysts that work on some of the most advanced IR investigations!
18 Sep 2025
We are counting down to #FTSCon 2025! We have a slate of great speakers — you don't want to miss this event! If you haven't registered yet, register here: events.humanitix.com/from-th…. See the event page for details: volatilityfoundation.org/fro… Stay tuned for speaker spotlights!
5ck retweeted
Replying to @joegrand
This training is hosted by @Volatility in conjunction with From The Source (#FTSCon). Course registration includes a complimentary ticket to FTSCon on Monday, Oct 20, 2025. For more details about FTSCon, visit the event page: volatilityfoundation.org/fro….
5ck retweeted
21 Jul 2025
Replying to @Volexity
@Volexity is looking to grow our Threat Intelligence team. New job posting for Senior Analyst role is up here: volexity.com/company/care... If you have any questions, don't hesitate to ask.

27 Jun 2025
Nice work, lots of good info in this blog by @_xDeJesus!
Did a write-up on OAuth phishing (offense and defense). It's based on phishing campaigns reported by @Volexity earlier this year.
- What OAuth phishing links are; what the workflows behind them are
- How to emulate (examples) and use ROADtools for further compromise
- Approaches to writing detections and key telemetry
I do believe we are likely to see more of these campaigns over time. I hope this blog serves y'all well. Happy hunting folks! #azure #cloudsecurity #phishing elastic.co/security-labs/ent…
5ck retweeted
23 May 2025
We are excited to announce FTSCon 2025 on October 20, 2025, in Arlington VA! Registration is now OPEN and we have a Call for Speakers. Following FTSCon will be a 4-day Malware & Memory Forensics Training course with Volatility 3. See the full details here: volatilityfoundation.org/ann…
22 Apr 2025
New research from the team: Involves clever m365 OAuth tricks phishing via Signal and WhatsApp to compromise accounts. #dfir #threatintel
22 Apr 2025
.@Volexity #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps OAuth to compromise targets. volexity.com/blog/2025/04/22… #dfir
5ck retweeted
1 Apr 2025
Today, @Volexity released GoResolver, open-source tooling to assist reverse engineers with obfuscated Golang samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today. Learn how GoResolver works and where to download it: volexity.com/blog/2025/04/01… #dfir
5ck retweeted
5 Mar 2025
.@Volexity regularly assists customers in combatting advanced threat actors & we enjoy being able to assist our partners as well, including LE & federal agencies like US DOJ, as we work together to combat these advanced cyber threats. justice.gov/opa/pr/justice-d… #dfir #threatintel
14 Feb 2025
Check out the new blog: Russian APT adopts a well-known technique of m365 device code phishing. When combined with clever lures, this technique proved to be extremely successful. 1/2
13 Feb 2025
.@Volexity recently identified multiple Russian threat actors targeting users via #socialengineering #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: volexity.com/blog/2025/02/13… #dfir #threatintel #m365security
14 Feb 2025
One of the main takeaways -- block device code authentication flow via conditional access 2/2 #Microsoft365 #DFIR #ThreatIntel
5ck retweeted
4 Feb 2025
It’s great to see @NCSC drawing attention to the ongoing issues with network devices & appliances. Hopefully, vendors will heed the volatile data collection guidance: “Volatile data logging should support collection of… memory both at a kernel and individual process level.” 1/2
4 Feb 2025
🚨The UK and international allies have today issued new guidelines to help manufacturers of edge devices – like routers, smart appliances, and IoT devices – make their products more secure and easier to investigate after a cyber attack⬇️ ncsc.gov.uk/guidance/guidanc…
5ck retweeted
28 Jan 2025
On Thursday, Feb 6, @attrc will be at @WWHackinFest to present "Effectively Detecting Modern Code Injection Techniques with Volatility 3". See the full conference agenda here: wildwesthackinfest.com/wild-…. #dfir #memoryforensics #Volatility3 @volatility
5ck retweeted
Catch the #ThreeBuddyProblem segment on Bootkitty being a Korean university project, LogoFAIL firmware exploits, inspectability below the OS... (with @juanandres_gs @craiu @stevenadair)
26 Nov 2024
🧵Some follow-up thoughts regarding our “Nearest Neighbor” blog that we published last week: #DFIR #ThreatIntel volexity.com/blog/2024/11/22…

26 Nov 2024
Key takeaways: ✅ The threat actor has the capability to identify WiFi networks that are near the target ✅ Then they map identified 🛜 networks ➡️ external IP space
26 Nov 2024
Key takeaways (cont.) ✅ Next, they enumerate internet-facing attack surface associated with those 🛜 networks and compromise them (exploiting edge devices etc...) ✅ This is all done remotely, no physical access is required, which eliminates the risk of being spotted/caught.