Curtis
@cybershtuff.bsky.social
Cloud, Incident Response, Threat Intelligence | ثريت انتل | @Invictus-ir.com | Previously U42 and PwC GTI
Reposted by Curtis
🎉BEHOLD! THE AGENDA! 🎉
The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.
Get registered quick!!!
stateofstatecraft.com/agenda
The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.
Get registered quick!!!
stateofstatecraft.com/agenda
September 18, 2025 at 4:39 PM
🎉BEHOLD! THE AGENDA! 🎉
The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.
Get registered quick!!!
stateofstatecraft.com/agenda
The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.
Get registered quick!!!
stateofstatecraft.com/agenda
Cloud Labs is live!
🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.
Register for Cloud Labs: cloudlabs.invictus-ir.com
🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.
Register for Cloud Labs: cloudlabs.invictus-ir.com
Cloud Labs - Choose the plan that fits your needs
cloudlabs.invictus-ir.com
August 29, 2025 at 12:38 PM
Cloud Labs is live!
🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.
Register for Cloud Labs: cloudlabs.invictus-ir.com
🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.
Register for Cloud Labs: cloudlabs.invictus-ir.com
💙Microsoft Extractor Suite v4 is here
𝘜𝘱𝘥𝘢𝘵𝘦-𝘔𝘰𝘥𝘶𝘭𝘦 -𝘕𝘢𝘮𝘦 𝘔𝘪𝘤𝘳𝘰𝘴𝘰𝘧𝘵-𝘌𝘹𝘵𝘳𝘢𝘤𝘵𝘰𝘳-𝘚𝘶𝘪𝘵𝘦
Learn more about the new features in the blog and thanks everyone that contributed!
invictus-ir.com/news/black-h...
#stayInvictus #CloudIncidentResponse #DFIR
𝘜𝘱𝘥𝘢𝘵𝘦-𝘔𝘰𝘥𝘶𝘭𝘦 -𝘕𝘢𝘮𝘦 𝘔𝘪𝘤𝘳𝘰𝘴𝘰𝘧𝘵-𝘌𝘹𝘵𝘳𝘢𝘤𝘵𝘰𝘳-𝘚𝘶𝘪𝘵𝘦
Learn more about the new features in the blog and thanks everyone that contributed!
invictus-ir.com/news/black-h...
#stayInvictus #CloudIncidentResponse #DFIR
Black Hat First Look: Meet the New Microsoft Extractor Suite v4
invictus-ir.com
July 28, 2025 at 9:48 AM
💙Microsoft Extractor Suite v4 is here
𝘜𝘱𝘥𝘢𝘵𝘦-𝘔𝘰𝘥𝘶𝘭𝘦 -𝘕𝘢𝘮𝘦 𝘔𝘪𝘤𝘳𝘰𝘴𝘰𝘧𝘵-𝘌𝘹𝘵𝘳𝘢𝘤𝘵𝘰𝘳-𝘚𝘶𝘪𝘵𝘦
Learn more about the new features in the blog and thanks everyone that contributed!
invictus-ir.com/news/black-h...
#stayInvictus #CloudIncidentResponse #DFIR
𝘜𝘱𝘥𝘢𝘵𝘦-𝘔𝘰𝘥𝘶𝘭𝘦 -𝘕𝘢𝘮𝘦 𝘔𝘪𝘤𝘳𝘰𝘴𝘰𝘧𝘵-𝘌𝘹𝘵𝘳𝘢𝘤𝘵𝘰𝘳-𝘚𝘶𝘪𝘵𝘦
Learn more about the new features in the blog and thanks everyone that contributed!
invictus-ir.com/news/black-h...
#stayInvictus #CloudIncidentResponse #DFIR
Reposted by Curtis
Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nuclear materials and production infrastructure. RISING LION and MIDNIGHT HAMMER are tactically brilliant, but may turn out to be strategic failures. 🧵 1/17
June 23, 2025 at 1:27 AM
Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nuclear materials and production infrastructure. RISING LION and MIDNIGHT HAMMER are tactically brilliant, but may turn out to be strategic failures. 🧵 1/17
Reposted by Curtis
So @gabagool.ing (who will henceforth be referred to as "gabbot") and I wrote some stuff on some ASP phishing campaigns: cloud.google.com/blog/topics/...
Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | Google Cloud Blog
A Russia-sponsored threat actor is impersonating the U.S. Department of State, and using phishing to gain access to email accounts.
cloud.google.com
June 18, 2025 at 5:05 PM
So @gabagool.ing (who will henceforth be referred to as "gabbot") and I wrote some stuff on some ASP phishing campaigns: cloud.google.com/blog/topics/...
Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
#CharmingKitten #APT42 #TA453
Hash:
87144d0aa002a87376b673f7d0c0eb88
C2:
Telegram Bot used for error messages and auto-start messaging to the operator
computerlearning.ddns./net
Pivots:
bookstoragestore./com
lastfilterfile/.info
78.159.117./177
78.159.117./175
185.132.176./241
154.44.186./106
Hash:
87144d0aa002a87376b673f7d0c0eb88
C2:
Telegram Bot used for error messages and auto-start messaging to the operator
computerlearning.ddns./net
Pivots:
bookstoragestore./com
lastfilterfile/.info
78.159.117./177
78.159.117./175
185.132.176./241
154.44.186./106
June 10, 2025 at 11:47 AM
#CharmingKitten #APT42 #TA453
Hash:
87144d0aa002a87376b673f7d0c0eb88
C2:
Telegram Bot used for error messages and auto-start messaging to the operator
computerlearning.ddns./net
Pivots:
bookstoragestore./com
lastfilterfile/.info
78.159.117./177
78.159.117./175
185.132.176./241
154.44.186./106
Hash:
87144d0aa002a87376b673f7d0c0eb88
C2:
Telegram Bot used for error messages and auto-start messaging to the operator
computerlearning.ddns./net
Pivots:
bookstoragestore./com
lastfilterfile/.info
78.159.117./177
78.159.117./175
185.132.176./241
154.44.186./106
Reposted by Curtis
Dutch intelligence discover a new Russian APT—LAUNDRY BEAR
www.aivd.nl/documenten/p...
Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
www.aivd.nl/documenten/p...
Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
May 27, 2025 at 12:11 PM
Dutch intelligence discover a new Russian APT—LAUNDRY BEAR
www.aivd.nl/documenten/p...
Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
www.aivd.nl/documenten/p...
Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
The limited IOCs on this pointed toward an ORB network...nice to see some reporting that supports attribution.
Commvault said it was hacked by an APT and was ridiculed by some.
That APT turned out to be Silk Typhoon, which accessed Commvault's Azure cloud system back in February
That APT turned out to be Silk Typhoon, which accessed Commvault's Azure cloud system back in February
SCOOP: Commvault was accessed by Silk Typhoon, the same Chinese cyberespionage group that infiltrated the Treasury Department late last year, I’m told.⬇️
May 24, 2025 at 9:49 PM
The limited IOCs on this pointed toward an ORB network...nice to see some reporting that supports attribution.
This isn’t recycled noise on JavaGhost. It surfaces the often-overlooked details responders and CTI analysts actually need.
Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy
invictus-ir.com/news/profili...
#CTI #CloudSecurity #AWS #DFIR #JavaGhost
Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy
invictus-ir.com/news/profili...
#CTI #CloudSecurity #AWS #DFIR #JavaGhost
May 22, 2025 at 11:52 AM
This isn’t recycled noise on JavaGhost. It surfaces the often-overlooked details responders and CTI analysts actually need.
Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy
invictus-ir.com/news/profili...
#CTI #CloudSecurity #AWS #DFIR #JavaGhost
Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy
invictus-ir.com/news/profili...
#CTI #CloudSecurity #AWS #DFIR #JavaGhost
🚨 New blog from @securitylabs.datadoghq.com on fresh AWS TTPs! I pivoted & enriched their infra data to uncover the actor #JavaGhost is likely abusing callback proxy networks and leveraging Mass SMTP Tester.
🔗 securitylabs.datadoghq.com/articles/tal...
#CloudSecurity #ThreatIntel #CTI
🔗 securitylabs.datadoghq.com/articles/tal...
#CloudSecurity #ThreatIntel #CTI
Tales from the cloud trenches: The Attacker doth persist too much, methinks | Datadog Security Labs
A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM
securitylabs.datadoghq.com
May 14, 2025 at 12:46 PM
🚨 New blog from @securitylabs.datadoghq.com on fresh AWS TTPs! I pivoted & enriched their infra data to uncover the actor #JavaGhost is likely abusing callback proxy networks and leveraging Mass SMTP Tester.
🔗 securitylabs.datadoghq.com/articles/tal...
#CloudSecurity #ThreatIntel #CTI
🔗 securitylabs.datadoghq.com/articles/tal...
#CloudSecurity #ThreatIntel #CTI
Reposted by Curtis
ATT&CK v17 is now live! This release includes the first version of the ESXi platform, a pile of defensive upgrades, and fresh content across Enterprise, Mobile, and ICS.
Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....
Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....
ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures
By: Amy Robertson and Adam Pennington
medium.com
April 22, 2025 at 3:22 PM
ATT&CK v17 is now live! This release includes the first version of the ESXi platform, a pile of defensive upgrades, and fresh content across Enterprise, Mobile, and ICS.
Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....
Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....
Reposted by Curtis
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04... #dfir
www.volexity.com/blog/2025/04... #dfir
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) acco...
www.volexity.com
April 22, 2025 at 4:39 PM
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04... #dfir
www.volexity.com/blog/2025/04... #dfir
🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud.
Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.
👉 invictus-ir.com/news/cloud-h...
#DFIR #CloudSecurity #CTI
Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.
👉 invictus-ir.com/news/cloud-h...
#DFIR #CloudSecurity #CTI
Cloud Heavy, Hybrid Ready: Lessons from BlackBasta and Scattered Spider
invictus-ir.com
April 2, 2025 at 12:57 PM
🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud.
Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.
👉 invictus-ir.com/news/cloud-h...
#DFIR #CloudSecurity #CTI
Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.
👉 invictus-ir.com/news/cloud-h...
#DFIR #CloudSecurity #CTI
🔍 New Blog: Essential Cloud Logs for Incident Response
🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.
🔗 www.invictus-ir.com/news/cloud-i...
#dfir #aws #microsoft #google
🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.
🔗 www.invictus-ir.com/news/cloud-i...
#dfir #aws #microsoft #google
Cloud Incident Readiness: Key logs for cloud incidents
www.invictus-ir.com
March 19, 2025 at 12:53 PM
🔍 New Blog: Essential Cloud Logs for Incident Response
🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.
🔗 www.invictus-ir.com/news/cloud-i...
#dfir #aws #microsoft #google
🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.
🔗 www.invictus-ir.com/news/cloud-i...
#dfir #aws #microsoft #google
🚨 New Blog: Forensic Analysis of eM Client 🚨
If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.
🔍 Read now: www.invictus-ir.com/news/forensi...
#CyberSecurity #DFIR #BEC #ThreatIntel #CTI
If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.
🔍 Read now: www.invictus-ir.com/news/forensi...
#CyberSecurity #DFIR #BEC #ThreatIntel #CTI
Deep Dive: Forensic Analysis of eM ClientPermissions Table
www.invictus-ir.com
March 3, 2025 at 5:40 PM
🚨 New Blog: Forensic Analysis of eM Client 🚨
If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.
🔍 Read now: www.invictus-ir.com/news/forensi...
#CyberSecurity #DFIR #BEC #ThreatIntel #CTI
If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.
🔍 Read now: www.invictus-ir.com/news/forensi...
#CyberSecurity #DFIR #BEC #ThreatIntel #CTI
🚨 New Blog Alert: “Locked Out, Dropboxed In: When BEC Threats Innovate” 🚨
Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.
👉 www.invictus-ir.com/news/locked-...
Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.
👉 www.invictus-ir.com/news/locked-...
www.invictus-ir.com
February 19, 2025 at 2:52 PM
🚨 New Blog Alert: “Locked Out, Dropboxed In: When BEC Threats Innovate” 🚨
Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.
👉 www.invictus-ir.com/news/locked-...
Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.
👉 www.invictus-ir.com/news/locked-...