Security researcher. Antivirus pioneer ● formerly w/ @ESET & @McAfee ● MS-MVP recipient ● mod: Lenovo, Neowin, ScotsNewsletter forums ● Intel Insider's Council

Joined July 2008
Aryeh Goretsky {@infosec.exchange} retweeted
#ESETresearch has discovered a supply-chain attack targeting stock investors in 🇻🇳Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform. welivesecurity.com/en/eset-r… 1/4
Aryeh Goretsky {@infosec.exchange} retweeted
‼️🚨 BREAKING: ServiceNow has been breached. Customers are reporting unauthorised access to their instances. One customer states their security team reported this vulnerability to them, and they closed the case twice, saying they had already known since the 7th of April.
Some interesting research out of @UTAustin.
Tests suggest Russian satellites can jam GPS on a continental scale arstechnica.com/space/2026/0…
Aryeh Goretsky {@infosec.exchange} retweeted
Google researchers identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (Luna Moth/Chatty Spider/Silent Ransom Group) targeting dozens of organizations across professional, legal & financial services in the US cloud.google.com/blog/topics…
Aryeh Goretsky {@infosec.exchange} retweeted
A malspam campaign abusing Google's DoubleClick delivers DesckVB RAT through a five-stage chain that evades detection and blinds Windows telemetry before persisting. Here's how they pull it off:
Aryeh Goretsky {@infosec.exchange} retweeted
A new campaign sends fake invoices impersonating PayPal, Amazon, Geek Squad, and others to trick victims into calling a scam number. We discovered this campaign before the scammers were finished building it. Here is what we discovered. 🔎 malwarebytes.com/blog/threat…
Aryeh Goretsky {@infosec.exchange} retweeted
Scam ads on social media can look like normal posts, but many are built to send people through hidden redirects to fake sites, phishing pages, or unsafe downloads. See what Bitdefender Labs uncovered across APAC and how to spot the patterns:
Happy 35th Anniversary, PGP!
Aryeh Goretsky {@infosec.exchange} retweeted
Mythos AI is being used by the National Security Agency in offensive cyber operations / cyberattacks. Anthropic has even embedded engineers inside the NSA to help deploy the model. Are frontier AI labs becoming active contractors in state cyber conflict? The live-ops role is still unclear. ft.com/content/d02d91b3-2636…
Aryeh Goretsky {@infosec.exchange} retweeted
Volexity analyses a VerdantBamboo intrusion where a compromised Egnyte Storage Sync appliance was used to run BRICKSTORM, proxy traffic, and access Microsoft 365 while blending in with legitimate network activity. volexity.com/blog/2026/06/04…
Aryeh Goretsky {@infosec.exchange} retweeted
INTEL DROP We've been tracking suspicious open directories in our detection pipeline. 14 total IPs in the 149.50.98.0/24 (MEVSPACE) range are showing a likely single operator deploying shared tools. Possibly targeting SonicWall devices based on some of the names of directory files:
brute[.]py
hidden_payload.zip
server_obonz.jar
SonicDropper.exe
Sonic/
sonic_logs/
sonic_panel.py
sonic_panel_v3.py
sonic_panel_v5.py
IP List:
149.50.98.24
149.50.98.36
149.50.98.28
149.50.98.34
149.50.98.26
149.50.98.29
149.50.98.25
149.50.98.30
149.50.98.35
149.50.98.23
149.50.98.33
149.50.98.32
149.50.98.27
149.50.98.31
#threatintel #totalinsights
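A way to operationalise the open-directory indicators in the post above, as an added example (not code from the original post or its author): a small hunting script that pulls file names out of an Apache-style autoindex page, flags exact matches against the published file names plus loose "sonic" name matches, and confirms that a list of IPs actually falls inside the reported 149.50.98.0/24 block. The HTML listing embedded below is constructed sample input, not a capture from any of the listed hosts; the file names and IPs are the ones in the post.

```python
import ipaddress
import re
from html.parser import HTMLParser

# File names reported in the post (the defanged "brute[.]py" is written as brute.py here).
INDICATOR_NAMES = {
    "brute.py", "hidden_payload.zip", "server_obonz.jar", "SonicDropper.exe",
    "Sonic/", "sonic_logs/", "sonic_panel.py", "sonic_panel_v3.py", "sonic_panel_v5.py",
}

# IPs reported in the post, in the order given there.
REPORTED_IPS = [
    "149.50.98.24", "149.50.98.36", "149.50.98.28", "149.50.98.34", "149.50.98.26",
    "149.50.98.29", "149.50.98.25", "149.50.98.30", "149.50.98.35", "149.50.98.23",
    "149.50.98.33", "149.50.98.32", "149.50.98.27", "149.50.98.31",
]

# Constructed sample of an Apache autoindex page; NOT a real capture from any listed host.
SAMPLE_INDEX = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="../">Parent Directory</a>
<a href="Sonic/">Sonic/</a>                         2026-05-30 11:02    -
<a href="sonic_logs/">sonic_logs/</a>               2026-05-30 11:05    -
<a href="brute.py">brute.py</a>                     2026-05-29 21:14  4.1K
<a href="SonicDropper.exe">SonicDropper.exe</a>     2026-05-29 21:15  512K
<a href="sonic_panel_v7.py">sonic_panel_v7.py</a>   2026-05-30 09:40   12K
<a href="readme.txt">readme.txt</a>                 2026-05-29 21:10    80
<hr></pre></body></html>"""


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags, skipping autoindex sort links and parent/absolute paths."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if href.startswith(("?", "../", "/")):
            return
        self.names.append(href)


def extract_listing_names(html: str) -> list[str]:
    """Return the file and directory names shown on an autoindex page, in page order."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.names


def flag_indicators(names: list[str]) -> dict[str, list[str]]:
    """Split names into exact indicator hits and looser 'sonic*' name matches worth a look."""
    exact = [n for n in names if n in INDICATOR_NAMES]
    loose = [n for n in names if n not in INDICATOR_NAMES and re.search(r"sonic", n, re.I)]
    return {"exact": exact, "loose": loose}


def ips_in_range(ips: list[str], cidr: str = "149.50.98.0/24") -> tuple[list[str], list[str]]:
    """Return (inside, outside): deduplicated, numerically sorted IPs inside the block, and any outside it."""
    net = ipaddress.ip_network(cidr)
    inside = sorted({ip for ip in ips if ipaddress.ip_address(ip) in net}, key=ipaddress.ip_address)
    outside = sorted({ip for ip in ips if ipaddress.ip_address(ip) not in net}, key=ipaddress.ip_address)
    return inside, outside


if __name__ == "__main__":
    hits = flag_indicators(extract_listing_names(SAMPLE_INDEX))
    print("exact:", hits["exact"], "loose:", hits["loose"])
    inside, outside = ips_in_range(REPORTED_IPS)
    print(f"{len(inside)} IPs inside the block, {len(outside)} outside")
```

Feed `extract_listing_names` the body of an HTTP GET against a host's root to apply it to live data; the loose matcher exists because the post lists versioned panel scripts (v3, v5), so other version numbers are plausible on sibling hosts.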
Aryeh Goretsky {@infosec.exchange} retweeted
GPS navigation includes a publicly broadcast 176-bit special-message field that has carried high-entropy payloads for years. It looks like a one-way encrypted control or key-distribution channel. Effectively a GPS-transmitted, world-reachable number station. The publicly receivable GPS navigation signal appears to leak operational metadata about military cryptographic logistics? @sjmurdoch lsc-pagepro.mydigitalpublica…
Aryeh Goretsky {@infosec.exchange} retweeted
Jose Martin at LevelBlue SpiderLabs details a Brazilian lure campaign. A fake NF-e invoice ZIP drops an installer that imitates Microsoft Defender DLP, then uses a stager DLL to fetch the Havoc demon shellcode at runtime. levelblue.com/blogs/spiderla…
Aryeh Goretsky {@infosec.exchange} retweeted
About a month ago, my team spotted recent activity tied to this Iranian threat actor and started collecting details. Then Mandiant and Check Point Research published on the same actor, so we dropped our own cluster name and decided to add what we had seen in the latest activity. The targeting is the part that matters here: aerospace, aviation, defense, telecom and software/IT services - across Europe, the Middle East and North America. Given the current geopolitical situation, that’s not just another random malware case. We published the write-up, IOCs and public YARA rules. Nice work by @cod3nym and the team
Detecting Nimbus Manticore (UNC1549) While previous reporting documented the threat actor’s operations, our analysis focuses on defender value: ◾ Multiple public YARA rules ◾ Campaign-specific detections ◾ Generic hunting logic ◾ IOC enrichment ◾ Detection opportunities across the full infection chain From LinkedIn lures and fake hiring portals to AppDomain hijacking, Azure infrastructure, and custom implants. Read the full research by @cod3nym: eu1.hubs.ly/H0vPgF80 #ThreatResearch #YARA #ThreatIntel
They cancelled the Stargate reboot, though.
Everything coming to your watchlist this June.
Aryeh Goretsky {@infosec.exchange} retweeted
Microsoft has published an analysis of the npm supply chain compromise affecting 32 maliciously modified packages across >90 versions under the redhat-cloud-services npm scope and leading to credential theft and compromise of addt'l maintainer packages: msft.it/6014vjutQ
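A practical follow-up to the npm compromise above, as an added example (not code from the original post, Microsoft, or the affected project): a lockfile audit that walks a `package-lock.json`, lists everything installed under a given scope, including copies nested under other packages' `node_modules`, and reports any (name, version) pair that appears in a list of known-bad versions. The scope `@example-scope`, the package names and the "bad" version in the embedded lockfile are constructed placeholders; to use this for the real incident, replace them with the package and version list from Microsoft's write-up.

```python
import json
from collections.abc import Iterator

# Constructed lockfile (lockfileVersion 3 layout). Names and versions are placeholders, not real IOCs.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@example-scope/widget-core": {"version": "2.4.1"},
        "node_modules/@example-scope/ui-kit": {"version": "5.0.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # A second, older copy nested under another dependency: flat scans of the top level miss these.
        "node_modules/left-pad/node_modules/@example-scope/widget-core": {"version": "2.3.9"},
    },
}

# Constructed placeholder for a published list of compromised versions: {package name: {versions}}.
SAMPLE_BAD_VERSIONS = {"@example-scope/widget-core": {"2.4.1"}}


def load_lock(path: str) -> dict:
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_lock_packages(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for every installed package, handling lockfile v1 and v2/v3 layouts."""
    if "packages" in lock:
        # v2/v3: keys are install paths; the package name is the part after the last "node_modules/".
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if meta.get("version"):
                yield name, meta["version"]
        return
    # v1: a nested "dependencies" tree; walk it iteratively.
    stack = [lock.get("dependencies", {})]
    while stack:
        deps = stack.pop()
        for name, meta in deps.items():
            if meta.get("version"):
                yield name, meta["version"]
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def packages_in_scope(lock: dict, scope: str) -> list[tuple[str, str]]:
    """All (name, version) pairs under an npm scope such as '@example-scope', deduplicated and sorted."""
    prefix = scope.rstrip("/") + "/"
    return sorted({(n, v) for n, v in iter_lock_packages(lock) if n.startswith(prefix)})


def find_compromised(lock: dict, bad_versions: dict[str, set[str]]) -> list[tuple[str, str]]:
    """(name, version) pairs present in the lockfile that match the known-bad list."""
    return sorted({(n, v) for n, v in iter_lock_packages(lock) if v in bad_versions.get(n, set())})


if __name__ == "__main__":
    for name, ver in packages_in_scope(SAMPLE_LOCK, "@example-scope"):
        print(f"in scope: {name}@{ver}")
    for name, ver in find_compromised(SAMPLE_LOCK, SAMPLE_BAD_VERSIONS):
        print(f"COMPROMISED: {name}@{ver}")
```

Because the post describes the payload stealing credentials, a hit should trigger rotation of any npm, cloud and CI tokens that were present on machines where the package was installed or built, not just removal of the package.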
Aryeh Goretsky {@infosec.exchange} retweeted
Unit 42 analyses Operation FlutterBridge, a macOS malvertising campaign that seems to be the next stage of JSCoreRunner. The attackers now deliver adware with full backdoor capabilities through a payload dubbed FlutterShell. unit42.paloaltonetworks.com/…