Sean Koessel
5ck.bsky.social
VP and founding member @Volexity. Incident Response/DFIR/Targeted threat analysis.
Reposted by Sean Koessel
@stevenadair.bsky.social is back again!

Founder + President of Volexity leading a team of experts that deal w/ complex cyber intrusions from nation-state level intruders. His talk will cover a Chinese APT actor that Volexity tracks as UTA0388.

Check out the official agenda:
cyberwarcon.com
October 15, 2025 at 3:11 PM
Reposted by Sean Koessel
APT meets GPT: @volexity.com #threatintel is tracking #threatactor UTA0388's spear phishing campaigns against targets in North America, Europe & Asia, appearing to use LLMs to assist their ops. Letting #AI run your espionage operations? What could go wrong?
APT Meets GPT: Targeted Operations with Untamed LLMs
Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initial observed campaigns were tailor...
www.volexity.com
October 8, 2025 at 12:35 PM
Reposted by Sean Koessel
#FTSCon Speaker Spotlight: Juan Andrés Guerrero-Saade is presenting “From Threat Hunting to Threat Gathering” in the HUNTER track.

See the full list of speakers + event info, including how to register, here: volatilityfoundation.org/from-the-sou...
September 18, 2025 at 1:15 PM
Reposted by Sean Koessel
We are excited to announce that we are hosting a second training course for #FTSCon week! Join @joegrand.bsky.social as he leads his popular 2-day Hardware Hacking Basics course on Oct. 21-22 in Arlington VA! Registration is now OPEN!
Joe Grand's Hardware Hacking Basics [FTSCon 2025]
This two-day comprehensive course teaches fundamental hardware hacking concepts and techniques used to explore, manipulate, and exploit electronic devices.
events.humanitix.com
August 1, 2025 at 3:09 PM
Reposted by Sean Koessel
The Call For Speakers for #FTSCon closes tomorrow! Make sure to submit your talks before the deadline! This is a great opportunity to share your DFIR open source tools and investigation tales with leading experts in the field.
The Call for Presentations for From the Source 2025 is open! Our Makers Track is aimed at developers of open source DFIR tools and the Hunters track covers the best Threat Intel research of the past year.

See the full details in our blog post: volatilityfoundation.org/announcing-f...
July 22, 2025 at 2:58 PM
Reposted by Sean Koessel
@Volexity.com Volcano Server & Volcano One v25.06.12 adds ~600 new YARA rules, new IOCs for fake registered antivirus & hooked Linux kernel functions, as well as support for custom post-processing bash scripts, segmented directory watching & database optimization. [1/2]
June 18, 2025 at 4:43 PM
Reposted by Sean Koessel
The Call for Presentations for From the Source 2025 is open! Our Makers Track is aimed at developers of open source DFIR tools and the Hunters track covers the best Threat Intel research of the past year.

See the full details in our blog post: volatilityfoundation.org/announcing-f...
June 5, 2025 at 4:03 PM
Reposted by Sean Koessel
I will be showing off Volatility 3 during my talk on Wednesday afternoon at RVASec. Be sure to attend and come say hello if you will be around!

rvasec.com/rvasec-14-sp...
RVAsec 14 Speaker Feature: Andrew Case - RVAsec
Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. Case is a core developer of Volatility, the m...
rvasec.com
May 19, 2025 at 5:06 PM
Reposted by Sean Koessel
We are excited to announce FTSCon 2025 on October 20, 2025, in Arlington VA! Registration is now OPEN + we have a Call for Speakers.

Following FTSCon will be a 4-day Malware & Memory Forensics Training course with Volatility 3.

See the full details here: volatilityfoundation.org/announcing-f...
Announcing FTSCon 2025 & In-person Malware and Memory Forensics Training!
Mark your calendars for Monday, October 20, 2025! We will again be hosting FTSCon in Arlington, Virginia. You can read more event details here. Registration is now open!
volatilityfoundation.org
May 23, 2025 at 6:00 PM
New research from the team: Involves clever m365 OAuth tricks + phishing via Signal and WhatsApp to compromise accounts. #dfir #threatintel
April 22, 2025 at 4:52 PM
Reposted by Sean Koessel
I will be speaking at @kernelcon.bsky.social on Fri, Apr 3rd. The talk will cover previously-unreported features of the sedexp Linux malware found in the wild - including loading of a memory-only rootkit! Talk will cover how the rootkit was discovered & how to analyze with @volatilityfoundation.org
kernelcon.org
March 7, 2025 at 6:47 PM
Reposted by Sean Koessel
@volexity.com regularly assists customers in combatting advanced threat actors, and we enjoy being able to assist our partners as well, including LE & federal agencies like US DOJ, as we work together to combat these advanced cyber threats.

www.justice.gov/opa/pr/justi...

#dfir #threatintel
Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activiti...
www.justice.gov
March 5, 2025 at 5:57 PM
Reposted by Sean Koessel
@volexity.com Volcano Server & Volcano One v25.02.21 adds 300 new YARA rules; consistent Bash/ZSH history & sessions from Linux/macOS memory and files; and parses Linux systemd journals, macOS unified logs, and Windows USNs (search + timeline for all).
[1/2]

#dfir #memoryforensics #memoryanalysis
February 26, 2025 at 3:00 PM
Check out the new blog: Russian APT adopts a well-known technique of m365 device code phishing. When combined with clever lures this technique proved to be extremely successful. 1/2
February 14, 2025 at 2:50 PM
Reposted by Sean Koessel
As seen in this guidance from NCSC published today, memory forensics continues to play a critical role in modern digital investigations! After almost 20 years, it's encouraging to still see the need for the amazing work by the #Volatility contributors!
It’s great to see NCSC drawing attention to the ongoing issues with network devices & appliances. Hopefully vendors heed the volatile data collection guidance “Volatile data logging should support collection of… memory both at a kernel and individual process level.”
www.ncsc.gov.uk/news/cyber-a...
Cyber agencies unveil new guidelines to secure edge devices from increasing threat
New guidelines encourage device manufacturers to include and enable standard logging and forensic features that are robust and secure by default.
www.ncsc.gov.uk
February 4, 2025 at 4:36 PM
Reposted by Sean Koessel
It’s great to see NCSC drawing attention to the ongoing issues with network devices & appliances. Hopefully vendors heed the volatile data collection guidance “Volatile data logging should support collection of… memory both at a kernel and individual process level.”
www.ncsc.gov.uk/news/cyber-a...
Cyber agencies unveil new guidelines to secure edge devices from increasing threat
New guidelines encourage device manufacturers to include and enable standard logging and forensic features that are robust and secure by default.
www.ncsc.gov.uk
February 4, 2025 at 3:57 PM
Reposted by Sean Koessel
If you will be at @wildwesthackinfest.bsky.social next week then be sure to attend my talk!
On Thursday, Feb 6, @attrc.bsky.social will be at @wildwesthackinfest.bsky.social to present "Effectively Detecting Modern Code Injection Techniques with Volatility 3".

Conference agenda:
wildwesthackinfest.com/wild-west-ha....

#dfir #memoryforensics #Volatility3 @volatilityfoundation.org
February 1, 2025 at 3:44 PM
Reposted by Sean Koessel
White House officials share intel with telecom executives on alleged Chinese cyber espionage operation #SaltTyphoon www.cnn.com/2024/11/23/p...
National security officials meet with US telecom execs to share intel on Chinese cyber espionage campaign, White House says | CNN Politics
Top telecom executives met with US national security officials Friday as concerns mount over a long-running Chinese cyber-espionage campaign that has targeted some of the most senior US political figu...
www.cnn.com
November 23, 2024 at 4:55 PM
We presented on this last month at #FTSCon (IYKYK). Steven is also presenting today @CYBERWARCON. Really excited to finally share this research publicly! It's probably one of the more crazy/interesting IR engagements we've ever worked 🤯 #DFIR #ThreatIntel
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.

Read more here: www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 22, 2024 at 5:27 PM
Reposted by Sean Koessel
Russian spies—likely Russia's GRU intelligence agency—used a new trick to hack a victim in Washington, DC: They remotely infected another network in a building across the street, hijacked a laptop there, then breached the target organization via its Wifi. www.wired.com/story/russia...
Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack
In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.
www.wired.com
November 22, 2024 at 12:06 PM
Reposted by Sean Koessel
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.

Read more here: www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 22, 2024 at 2:58 PM