Will T
@bushidotoken.net
🇬🇧 | Senior Threat Intelligence Advisor at Team Cymru | Co-author SANS FOR589 | Co-founder Curated Intel
New Blog 👀

This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️

🔗 www.sans.org/blog/for589-...
October 30, 2025 at 10:42 PM
Spotted a rather Team Cymru looking fountain here in the Netherlands 🇳🇱 this week! 📸
October 22, 2025 at 5:18 AM
New Blog! Lessons from the BlackBasta Ransomware Attack on Capita

When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. 📝

blog.bushidotoken.net/2025/10/less...
October 18, 2025 at 1:30 PM
New Blog! 👀

In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.

🔗 www.sans.org/blog/evoluti...
October 6, 2025 at 6:04 PM
New Blog! 👀

After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake have been extorted by adversaries from the English-speaking #cybercrime communities.

🔗 www.sans.org/blog/hunting...
October 1, 2025 at 5:56 PM
September 24, 2025 at 7:05 AM
Pleased to share I’ll be speaking at Adversary Village in DEFCON33!
July 22, 2025 at 4:26 PM
Pleased to share my first official Team Cymru blog that follows on from my webinar last month 🙌

“Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry” 🇰🇵 🔍

www.team-cymru.com/post/uncover...
This blog unpacks key insights and explains how internet telemetry can be used to detect these threats in the real world.
July 3, 2025 at 10:53 AM
⚠️ IntelBroker was arrested in France 🇫🇷 in February 2025, and the US 🇺🇸 is seeking his extradition.

How did Law Enforcement Deanonymize IntelBroker? 🔍

TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰

www.justice.gov/usao-sdny/me...
June 27, 2025 at 9:11 AM
#opendir 🇨🇳
1.94.184[.]17:8000
Huawei Cloud AS55990

.jsp Godzilla Web Shell
6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b

/poc.xml contents
wqtzskzmtp[.]zaza[.]eu[.]org
101.33.34[.]170
Tencent AS132203
June 9, 2025 at 8:34 AM
Reposted by Will T
@bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.)

All 762 indicators 💥⤵️

www.validin.com/blog/not_rea...
Not Reality: Exploring Meta-themed Phishing with Validin | Validin
April 7, 2025 at 2:49 PM
New Blog! Tracking Adversaries: EvilCorp, the RansomHub affiliate

blog.bushidotoken.net/2025/04/trac...
April 2, 2025 at 4:08 PM
UNC3886 is a very interesting China-nexus APT that I encourage more CTI analysts to investigate. They are one of the more skilled ones, like Salt or Volt.

To help make life easier for some, I’ve manually mapped their TTPs to ATT&CK: github.com/BushidoUK/MI...
March 20, 2025 at 11:08 AM
Interesting phishing TTP observed in the wild last year:

1. Send phish to an <org_name>@service-now[.]com inbox

2. A ticket is then auto-created in the platform using servicenow_notification@<org_domain>

3. A link is put in the body of the SNOW ticket that can lead to malware or a fake login page
March 16, 2025 at 10:39 AM
Reposted by Will T
@bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware

Link: x.com/BushidoToken...
Podcast: risky.biz/RBNEWS398/
Newsletter: risky.biz/risky-bullet...

-FBI warns of online file converters that distribute malware
-China backdoors Juniper routers
-Ransomware wave hits Taiwan
-North Korean spyware slips onto the Play Store
-Senators call for US cyber offensive against China
March 15, 2025 at 8:35 PM
New Blog! BlackBasta Leaks: Lessons from the Ascension Health attack 🏥🔒

— This is a step-by-step extraction and translation of the leaked conversation between the BlackBasta members during the Ascension Health attack

🔗 blog.bushidotoken.net/2025/02/blac...
February 28, 2025 at 8:43 AM
New Blog! Investigating Anonymous VPS services used by Ransomware Gangs

h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡

🔗 blog.bushidotoken.net/2025/02/inve...

Podcast version: www.youtube.com/watch?v=xX25...
February 15, 2025 at 5:39 PM
Glad to see LE and Gov keeping up the pressure on ransomware gangs in early 2025

ZSERVERS BPH sanctioned by the UK for enabling LockBit attacks
www.gov.uk/government/n...

Phobos & 8BASE arrests by international partners
www.europol.europa.eu/media-press/...
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown | Europol
A coordinated international law enforcement action has led to the arrest of four individuals leading the 8Base ransomware group. These individuals, all Russian nationals, are suspected of deploying a ...
February 11, 2025 at 3:56 PM
New Blog! Tracking Adversaries: Ghostwriter APT Infrastructure 🇧🇾

blog.bushidotoken.net/2025/01/trac...
January 20, 2025 at 10:35 AM
New Blog! Analysis of Counter-Ransomware Activities in 2024

blog.bushidotoken.net/2025/01/anal...
January 12, 2025 at 1:21 PM
Bournemouth2600 Challenge Coins arrived 😎
January 8, 2025 at 5:32 PM
Ransomware Zero Days 2024
January 4, 2025 at 10:11 AM
Very interesting screenshot in the latest FBI arrest of the main LockBit developer “Rostislav Panev”

Source code for LockBit builders for #Proxmox and #Nutanix, which have not been observed in the wild AFAIK 🧐

www.justice.gov/opa/media/13...
December 22, 2024 at 11:58 PM