Malware Researcher, Internet Protector, Cyber researcher

Joined August 2013
Part 2 with some hashes, domains and IoCs for good measure, and an ask to help identify this raw shellcode sec0wn.blogspot.com/2026/01/… @James_inthe_box @tlansec @malwrhunterteam

Happy New Year everyone. I wrote something sec0wn.blogspot.com/2026/01/… Do I get an honorary #OSEP for analyzing their payloads? Lol. Maybe Gemini should though. H/T to GeminiPro for the assist

22 Feb 2024
I highly recommend watching Kris's talk from 2022. I specifically love the methodology used for their analysis and it is just a work of art.
In September 2022, attendees at the inaugural @labscon_io heard about an actor I described then as "one of the most prolific, most deeply connected, and most technically advanced actors around". Events this week were a reminder that the video never went out, so here it is 👇
19 Jan 2024
- Legacy could indicate lack of MFA
- Spray and pray attacks continue to show valuable outcomes for attackers and you don't always need 0days
- IAM and account logging and monitoring is essential
- more firms were probably targeted
- finally, Kudos to MS for the transparency
APT29/Cozy Bear/Midnight Blizzard is the Russian SVR crew that pulled off SolarWinds. msrc.microsoft.com/blog/2024…
17 Nov 2023
More like the chollima in the room, am I right? 🥁🥁🤣
16 Nov 2023
Just stumbled upon the results of this year's Flare challenge, and I can't ignore the elephant in the room. 😏🐘 mandiant.com/resources/blog/…
MoBustami retweeted
💜Adversary Simulation and Purple friends💜 I'm happy to share this simulation plan which regroups a TOP 35 @MITREattack TTPs from 22-23. Based on open source intel, it's meant to ease the onboarding of more into Purple! Have a look at the readme #CTI #TTP github.com/Sam0x90/CTI/tree/…
MoBustami retweeted
Today we are highlighting an actor we are tracking as Volt Typhoon. This activity is targeting US and Guam critical infrastructure. Volt Typhoon has been observed mostly living off the land during our investigations.
Volt Typhoon, a Chinese state-sponsored actor, uses living-off-the-land (LotL) and hands-on-keyboard TTPs to evade detection and persist in an espionage campaign targeting critical infrastructure organizations in Guam and the rest of the United States. msft.it/6019gj8eH
16 May 2023
Low key one of the best blogs I have read in a while... Hot daaaamn!!! Well done
I'm very excited to share our latest research which uncovers a malicious firmware implant for TP-Link routers, linked to Chinese state-sponsored APT group #CamaroDragon. Read our blog @ research.checkpoint.com/2023… >>
15 May 2023
Waiting for @TomHegel translation of the screenshots 👀👀
We hope you used yesterday's day off wisely to digest our findings so far. We are back with article 4 - suspicious goings on at Wuhan Xiaoruizhi intrusiontruth.wordpress.com…
12 Apr 2023
Thank you @ImposeCost for this... I could not have said it any better
MoBustami retweeted
28 Mar 2023
Today, we've released #APT43 🇰🇵. As part of this release, I wanted to highlight some of the background research that went into this. No blue checkmark, so I have to do a normal thread 😅 mandiant.com/resources/blog/…
10 Mar 2023
Well, what do you know, dusted the old keyboard and wrote a quick blog @James_inthe_box @Arkbird_SOLG @tylabs @juanandres_gs @h2jazi 🥚🥚🥚 sec0wn.blogspot.com/2023/03/…

MoBustami retweeted
My 2c on the #BlackLotus UEFI bootkit (thanks, @ESETresearch):
- "Exploitation Less Likely" is proven wrong, hope for a new DBX revocation list.
- not trusting UEFI CA saves the day yet again.
- having a single NV BS variable as a gateway to booting whatever is a bad idea.
27 Feb 2023
I highly recommend folks go and read the latest blog from LastPass on their recent incident. Thank you for the transparency so far. I think one question I have would be who/what is the ultimate target/s of this support.lastpass.com/help/in…
MoBustami retweeted
- Malvertising: notepadplusplus[.]site
- #Vidar stealer: download-notepad-plus-plus.duckdns[.]org
- Gets C2 location from Telegram and Steam
- C2s: 95.217.16[.]127 157.90.148[.]112 116.203.6[.]107
More indicators in this blog post I wrote: darktrace.com/blog/vidar-inf…

27 Jan 2023
Retweeting for reach
SickKids is responding to a cybersecurity incident affecting several network systems and has called a Code Grey – system failure. The code is ongoing. Patient care is unaffected at this time. Read more: bit.ly/3VaeUDm
8 Dec 2022
Anybody got a good place/website for Ugly Christmas sweater APT style? Think of crowdstrike APT logos but on a Christmas sweater, any idea @tylabs @ChicagoCyber @juanandres_gs @likethecoins