Arda Büyükkaya
@whichbufferarda.bsky.social
Cyber Threat Intelligence Analyst
@EclecticIQ | Threat Hunter | Malware Analyst. (All opinions expressed here are mine only.) 🇹🇷🇳🇱
#cybersecurity
Reposted by Arda Büyükkaya
This has been confirmed today: operation-endgame.com

Europol took down servers for the Rhadamanthys infostealer, the VenomRAT, and the Elysium botnet
There are reports that Europol seized the Rhadamanthys Stealer infrastructure

x.com/club31337/st...
November 13, 2025 at 12:23 PM
Reposted by Arda Büyükkaya
Cue "The Final Countdown" by Europe 🎶 and lock in 💻 -- it's time for final submissions for #FIRSTCTI26 #lastcall #timesup 🔗 go.first.org/EHUnv
FIRST — Forum of Incident Response and Security Teams
go.first.org
November 12, 2025 at 6:43 PM
🚨 New research: ShinyHunters teamed up with Scattered Spider for vishing attacks on cloud application users, bribed employees for insider access, and targeted engineering users to compromise CI/CD tools. blog.eclecticiq.com/shinyhunters...

@likethecoins.bsky.social @campuscodi.risky.biz
#CTI
ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications
EclecticIQ analysts assess with high confidence that ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders.
blog.eclecticiq.com
September 17, 2025 at 8:41 PM
Reposted by Arda Büyükkaya
Yep, I've been pwned. 2FA reset email, looked very legitimate.

Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.

Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
September 8, 2025 at 3:15 PM
Reposted by Arda Büyükkaya
New, by me: The hackers who breached Allianz Life earlier this month and stole the personal information belonging to the "majority" of its 1.4 million customers, also took Social Security numbers during the breach, per new filings with U.S. states.
Hackers stole Social Security numbers during Allianz Life cyberattack | TechCrunch
The U.S. insurance giant tells state regulators that Social Security numbers were among the personal information stolen in its mid-July cyberattack.
techcrunch.com
July 30, 2025 at 6:02 PM
Reposted by Arda Büyükkaya
LOL... someone scraped celebrity Spotify accounts/playlists and leaked their music preferences

The *chef's kiss* here is the name of the site: Panama Playlists 😆

panamaplaylists.com
July 31, 2025 at 3:03 PM
Reposted by Arda Büyükkaya
This is by far the coolest part in the UK's proposed ransomware ban and mandatory reporting proposal

www.gov.uk/government/n...
July 22, 2025 at 1:22 PM
Reposted by Arda Büyükkaya
"This report presents the first detailed study of China’s cyber militia system since 2015. It draws from an analysis of 136 individual militia units, as well as authoritative Chinese-language military writings and mobilization documents."

margin.re/mobilizing-c...
July 9, 2025 at 7:59 PM
Reposted by Arda Büyükkaya
GreyNoise observed a major spike in scanning against Ivanti products weeks before two zero-days were disclosed in Ivanti EPMM. Full update: www.greynoise.io/blog/surge-i...
#Ivanti #GreyNoise #Cybersecurity #ZeroDays
May 20, 2025 at 7:54 PM
Reposted by Arda Büyükkaya
Microsoft has discovered a cluster of worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. https://msft.it/63324S9Jkp
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | Microsoft Security Blog
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
msft.it
May 27, 2025 at 9:55 AM
Reposted by Arda Büyükkaya
Dutch intelligence discover a new Russian APT—LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
May 27, 2025 at 12:11 PM
Reposted by Arda Büyükkaya
Never a dull day in cybersecurity. Check out today's Metacurity for the critical infosec developments you need to know.
www.metacurity.com/russias-apt2...
Russia's APT28 accused of infiltrating Western logistics, technology firms
Int'l partners destroy Lumma Stealer infrastructure, IT contractor breach led to M&S attack, Interlock stole data from West Lothian, 70K Coinbase customers exposed, EU sanctions GRU for disinformation...
www.metacurity.com
May 22, 2025 at 12:57 PM
Reposted by Arda Büyükkaya
"A global law enforcement operation coordinated by Europol has struck a major blow to the criminal underground, with 270 arrests of dark web vendors and buyers across ten countries"

www.europol.europa.eu/media-press/...
May 22, 2025 at 3:50 PM
Reposted by Arda Büyükkaya
A Chinese APT (UNC5221) is behind recent attacks exploiting an Ivanti zero-day (CVE-2025-4427)

This is a known Chinese APT group that seems to be specialized in Ivanti and other Western enterprise products... they have a long list of past zero-days in their name

blog.eclecticiq.com/china-nexus-...
China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier.
blog.eclecticiq.com
May 22, 2025 at 11:32 AM
🇨🇳 UNC5221 China-Nexus Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428). Targets critical networks like US airports and telecommunications companies in the EU. Exfiltrating sensitive data from managed mobile devices. #cyber

Here is the full report:

blog.eclecticiq.com/china-nexus-...
May 22, 2025 at 11:34 AM
Reposted by Arda Büyükkaya
-Ransomware IAB spreads trojanized KeePass installer
-APT28 targets email servers with XSS attacks
-Good report on DPRK cyber and IT worker schemes
-Russia uses USAID shutdown in info-op targeting Moldova
-RU disinfo group Storm-1516 is behind the Macron coke memes
May 16, 2025 at 8:29 AM
Storm-1516, a pro-Kremlin 🇷🇺 disinformation group, launched an AI-driven influence operation to discredit European leaders. 🇪🇺 blog.eclecticiq.com/storm-1516-d...
@hatr.bsky.social
Storm-1516 Deploys AI-Generated Media to Spread Disinformation: Targets European Leaders and Influences Istanbul Peace Talks
EclecticIQ analysts assess with high confidence that on May 11, 2025, pro-Kremlin disinformation group Storm-1516 amplified a fabricated story on X, falsely claiming European leaders used drugs while ...
blog.eclecticiq.com
May 16, 2025 at 3:55 PM
🎉 Happy to share that my talk has been accepted at Virus Bulletin! I’ll be presenting in 🇩🇪 Berlin on Friday, September 26 at VB2025:

Details: www.virusbulletin.com/conference/v...

See you there! #vbconference #VB2025
May 2, 2025 at 2:27 PM
Reposted by Arda Büyükkaya
The FBI is awaiting signals from telecom victims that Salt Typhoon is fully excised from their systems. My Q&A with Deputy Assistant Director for Cyber Operations Brett Leatherman about Salt Typhoon and other topics at #RSAC2025 below:
www.nextgov.com/cybersecurit...
FBI awaits signal that Salt Typhoon is fully excised from telecom firms, official says
FBI Deputy Director for Cyber Operations Brett Leatherman said that "there’s a lot of work focused on containment" when it comes to the Salt Typhoon hacks.
www.nextgov.com
May 1, 2025 at 7:19 PM
Microsoft Teams appears to have been used as part of the cyber kill chain in the Co-Op hack. I've recently seen similar tactics, where threat actors employed voice phishing via Teams calls. It’s a threat worth watching.
May 1, 2025 at 7:43 PM
Reposted by Arda Büyükkaya
Podcast: risky.biz/RBNEWS418/
Newsletter: news.risky.biz/risky-bullet...

-French government grows a spine and calls out Russia's hacks
-Marks & Spencer sends staff home after ransomware attack
-China accuses US of hacking cryptography provider
-AirBorne vulnerabilities impact Apple's AirPlay
April 30, 2025 at 9:30 AM
Reposted by Arda Büyükkaya
As RSA 2025 gets into full swing, stay ahead of the curve by checking out today's Metacurity for the most critical infosec developments you should know.
www.metacurity.com/france-accus...
France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
Kristi Noem urges "back-to-basics" for CISA, WhatsApp to roll out private processing for new AI features, Indian court blocks Proton Mail, Nova Scotia Power copes with a cyber breach, Israeli hacker-f...
www.metacurity.com
April 30, 2025 at 1:51 PM