Simon Kenin
@k3yp0d.bsky.social
Threat Hunter at SentinelOne | curatedintel.org Member | k3yp0d.blogspot.com | Opinions are of my own voices inside my own head | memes and music are welcome
If you are hiring full remote, you must read this.
DPRK IT workers are a much bigger problem than you think; those are today's spies that infiltrate multiple organizations simultaneously without the risk of being caught.

any.run/cybersecurit...
How We Caught Lazarus's IT Workers Scheme Live on Camera
See how Lazarus Group's IT workers scheme was exposed on a live camera using real-time monitoring inside ANY.RUN’s sandbox.
any.run
December 9, 2025 at 10:28 AM
ShadyPanda extension samples:
December 9, 2025 at 10:04 AM
Reposted by Simon Kenin
#ESETresearch discovered a new #MuddyWater campaign targeting critical infrastructure in 🇮🇱 Israel and 🇪🇬 Egypt, using a new backdoor – MuddyViper – and a variety of post-compromise tools www.welivesecurity.com/en/eset-rese... 1/7
MuddyWater: Snakes by the riverbank
MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook.
www.welivesecurity.com
December 2, 2025 at 11:42 AM
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df

PDF in Hebrew contains a link to a password-protected RAR archive hosted on @dropbox.com
November 16, 2025 at 3:36 PM
November 5, 2025 at 7:31 PM
Hacktivism demystified.
Leak:
github.com/KittenBuster...
October 28, 2025 at 5:23 PM
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT

Email 55ffcf6f4df8ab3f11a405794aa5f4d8
October 25, 2025 at 9:19 AM
www.youtube.com/watch?v=mSJr...

In the labyrinth of circuits and wires
An electronic maze where the signal fires
Neon pathways gleam with cold and light
In the realm of data, we take our flight
Catch One
YouTube video by Juche - Topic
www.youtube.com
October 16, 2025 at 9:02 PM
PDQ which downloads ScreenConnect, the "one weird" RMM trick combo move threat actors don't want you to find out...
October 5, 2025 at 12:44 PM
github.com/KittenBuster...

It's a Kitten, but it doesn't look charming to me, completely different TTPs
GitHub - KittenBusters/CharmingKitten: Exposing CharmingKitten's malicious activity for IRGC-IO devision Counterintelligence devision (1500)
Exposing CharmingKitten's malicious activity for IRGC-IO devision Counterintelligence devision (1500) - KittenBusters/CharmingKitten
github.com
October 2, 2025 at 1:32 AM
web14[.]info
#OilRig #APT34
October 1, 2025 at 12:19 AM
UNC4444 Watering Hole
vanzen.co[.]il compromised to display an overlay pop-up for 60% discount when registering to the site.
September 28, 2025 at 12:33 PM
Sales Contract.pdf
9af100c85c1a58702dfb016c4cb95840
867d16c7150ea010ecbea787bd9939ea4fe93769
688a2ccc09e30bad2d235ce3895afecbbf9b5c5950c8ef2cf3eaba57f6445bb2
September 28, 2025 at 9:25 AM
Skeler - H a r d W a v e 夜勤 PART I + II
YouTube video by skeler.
www.youtube.com
September 25, 2025 at 8:13 PM
Baby, your eyes are reflecting the years of many blows
I'm the game they play every day
But you already know
Bruises fade, but scars will form
In this world, there is no shelter from the storm www.youtube.com/watch?v=bAR5...
Saint Mars - Ocean Blues (feat. Tryzdin ) [Juche Remix]
YouTube video by FOMH
www.youtube.com
September 21, 2025 at 11:17 AM
Mood
September 18, 2025 at 12:02 PM
www.group-ib.com
September 17, 2025 at 8:30 AM
Reposted by Simon Kenin
Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀
September 4, 2025 at 1:58 PM