Human-led, AI-accelerated security.

Joined August 2016
🧐 Gentlemen Ransomware group apparently liked our blog. Reposting it so that others can check it out for themselves: expel.com/blog/code-signing-…
"The Gentlemen" ran a tight RaaS operation. Then they got breached. CPR analyzed the full leak: org structure, access brokers, active CVEs, victim comms, and financials. Real operators, real tradecraft, fully exposed. research.checkpoint.com/2026…
Need a high-level overview of the latest Mini Shai Hulud? Aaron Walton breaks down how the latest supply chain attack happened, what defenders should do now, and how to prepare for the next one. expel.com/blog/mini-shai-hul…[…]pl/?utm_medium=social&utm_source=twitter&utm_campaign=blog-promo
Expel retweeted
Come join our own @DennisF and our friends from @ExpelSecurity on June 1 in National Harbor for a candid, off-the-record conversation about the new era of AI-assisted vulnerability research, patching pain, and what's coming next. info.expel.com/event-mythos-…

By now you've probably seen the Mini Shai Hulud supply chain story. TeamPCP compromised 170 npm and PyPI packages—TanStack, Mistral AI, OpenSearch, and more. Here's what you need to know if you're responding right now. (1/7)
If you suspect compromise: containment before rotation. Disable unauthorized services first, then rotate GitHub PATs, npm publish tokens, AWS access keys, and HashiCorp Vault tokens. Pin your dependencies to verified hashes going forward. (6/7)
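One way to enforce the "pin your dependencies to verified hashes" step from the post above, as an added example that is not Expel's code or part of the original thread: a small checker that parses pip-style hash-pinned requirement lines (`pkg==1.2.3 --hash=sha256:<hex>`, the real format pip's `--require-hashes` mode consumes) and refuses any artifact whose name, version or digest does not match the lockfile. The lockfile text and artifact bytes are constructed for the example.

```python
"""Verify package artifacts against a hash-pinned lockfile before install.

Added example, not from the Expel post. Accepts pip-style requirement
lines with one or more --hash=<algo>:<hex> options and checks a candidate
artifact against them. All sample data below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field

# "name==version" at the start of a logical line; the version stops at
# whitespace or a trailing backslash continuation marker.
LINE_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    # algorithm -> set of acceptable hex digests (several wheels may be pinned)
    hashes: dict[str, set[str]] = field(default_factory=dict)


def normalize(name: str) -> str:
    """Package names compare case-insensitively with '_' and '-' equivalent."""
    return name.lower().replace("_", "-")


def parse_lockfile(text: str) -> dict[str, Pin]:
    """Parse hash-pinned requirements; reject anything unpinned or unhashed."""
    pins: dict[str, Pin] = {}
    # pip lets a requirement span lines via a trailing backslash; join them.
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        pin = Pin(normalize(m.group(1)), m.group(2))
        for algo, hexdigest in HASH_RE.findall(line):
            pin.hashes.setdefault(algo, set()).add(hexdigest.lower())
        if not pin.hashes:
            raise ValueError(f"requirement without --hash: {pin.name}")
        pins[pin.name] = pin
    return pins


def verify_artifact(pins: dict[str, Pin], name: str, version: str,
                    data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Only a matching name, version and digest passes."""
    pin = pins.get(normalize(name))
    if pin is None:
        return False, f"{name}: not in lockfile, refusing unexpected dependency"
    if pin.version != version:
        return False, f"{name}: version {version} does not match pinned {pin.version}"
    for algo, allowed in pin.hashes.items():
        if hashlib.new(algo, data).hexdigest() in allowed:
            return True, f"{name}=={version}: {algo} digest verified"
    return False, f"{name}=={version}: digest mismatch, artifact may have been replaced"


# Constructed sample data: a "good" sdist and a tampered copy of it.
GOOD_ARTIFACT = b"constructed sdist bytes for example-pkg 1.0.0\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"# injected install-time payload\n"
SAMPLE_LOCKFILE = (
    "# constructed lockfile for the example\n"
    "example-pkg==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
)

if __name__ == "__main__":
    pins = parse_lockfile(SAMPLE_LOCKFILE)
    for label, blob in (("good", GOOD_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        ok, reason = verify_artifact(pins, "example-pkg", "1.0.0", blob)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Three failure modes are handled separately so the log line tells a responder which one fired: a dependency the lockfile never listed (the shape a newly injected package takes), a version bump the lockfile did not authorize, and a same-version artifact whose bytes changed (a republished release). `pip install --require-hashes -r requirements.txt` performs the same check natively; the point of the standalone version is to run it over cached artifacts during an investigation.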
Full breakdown—IOCs, attack chain, and step-by-step remediation—on the Expel blog: expel.com/blog/mini-shai-hul… (7/7)

Expel retweeted
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware. The intrusion featured EtherRAT, Ethereum-based EtherHiding C2 configuration, TryCloudflare tunnels, GoTo Resolve, Rclone exfiltration to Wasabi, and a newer malware framework named TukTuk. TukTuk stood out for its resilient C2 design, using SaaS and cloud platforms such as ClickHouse and Supabase, with support for Ably, Dropbox, GitHub Issues, direct HTTP, Slack, and Arweave-based dead-drop configuration retrieval. Detection opportunities included! ➡️ Full report is linked in the replies. #ThreatIntel #ThreatHunting #DigitalForensics
Expel retweeted
Apr 22
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months. wired.com/story/ai-tools-are…
Marcus Hutchins, principal threat researcher at Expel, has been tracking the group we call HexagonalRodent, a subgroup likely affiliated with DPRK's Famous Chollima, since late 2025. 1/6
The full research is on our blog. expel.com/blog/inside-lazaru… 5/6

Beware of what you copy and paste. In March 2026, a new watering hole attack called "InstallFix" accounted for 13% of all malware incidents we observed. The lure? Fake install pages for Claude Code. Here is how it works and how to defend your environment. 1/7
Defense strategy 2, lock down LoLBins: On Windows, use WDAC policies to restrict unexpected living-off-the-land binaries like mshta and PowerShell. On macOS, lean on EDR and MDM systems to monitor and control the execution of curl and osascript. 6/7
Developers are prime targets for cybercriminals, and blindly pasting terminal commands is a massive security risk. Always verify the domain before copying installation instructions, and implement strict execution controls. Read our full breakdown: expel.com/blog/installfix-no…
