Paul Rascagneres
@r00tbsd.bsky.social
Lord of Loaders at Volexity
Reposted by Paul Rascagneres
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
October 22, 2025 at 9:18 AM
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
Reposted by Paul Rascagneres
APT meets GPT: @volexity.com #threatintel is tracking #threatactor UTA0388's spear phishing campaigns against targets in North America, Europe & Asia, appearing to use LLMs to assist their ops. Letting #AI run your espionage operations? What could go wrong?
APT Meets GPT: Targeted Operations with Untamed LLMs
Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initial observed campaigns were tailor...
www.volexity.com
October 8, 2025 at 12:35 PM
APT meets GPT: @volexity.com #threatintel is tracking #threatactor UTA0388's spear phishing campaigns against targets in North America, Europe & Asia, appearing to use LLMs to assist their ops. Letting #AI run your espionage operations? What could go wrong?
Reposted by Paul Rascagneres
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04... #dfir
www.volexity.com/blog/2025/04... #dfir
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) acco...
www.volexity.com
April 22, 2025 at 4:39 PM
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04... #dfir
www.volexity.com/blog/2025/04... #dfir
Reposted by Paul Rascagneres
Today, @volexity.com released GoResolver, open-source tooling to assist reverse engineers with obfuscated Golang samples. @r00tbsd.bsky.social & Killian Raimbaud presented details at INCYBER Forum earlier today. Learn how GoResolver works+where to download it: www.volexity.com/blog/2025/04...
#dfir
#dfir
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically
In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and...
www.volexity.com
April 1, 2025 at 1:45 PM
Today, @volexity.com released GoResolver, open-source tooling to assist reverse engineers with obfuscated Golang samples. @r00tbsd.bsky.social & Killian Raimbaud presented details at INCYBER Forum earlier today. Learn how GoResolver works+where to download it: www.volexity.com/blog/2025/04...
#dfir
#dfir
Reposted by Paul Rascagneres
📣 Oops!... They did it again!!!
61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.🔥
#PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out➡️ pivotcon.org/agenda-2025/
#CTI #ThreatIntel
Talks and presenters in🧵⬇️ 1/18
61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.🔥
#PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out➡️ pivotcon.org/agenda-2025/
#CTI #ThreatIntel
Talks and presenters in🧵⬇️ 1/18
March 7, 2025 at 2:42 PM
📣 Oops!... They did it again!!!
61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.🔥
#PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out➡️ pivotcon.org/agenda-2025/
#CTI #ThreatIntel
Talks and presenters in🧵⬇️ 1/18
61 Talks submitted and so many too good that, once again, we had to increase a bit the number of accepted talks.🔥
#PIVOTcon25 Agenda is finally here, and the caliber is insane!!! Check it out➡️ pivotcon.org/agenda-2025/
#CTI #ThreatIntel
Talks and presenters in🧵⬇️ 1/18
Reposted by Paul Rascagneres
"Edge Devices Investigation"
Paul Rascagneres, Principal Threat Researcher, Volexity (@r00tbsd , @r00tbsd.bsky.social , @[email protected])
5/18
Paul Rascagneres, Principal Threat Researcher, Volexity (@r00tbsd , @r00tbsd.bsky.social , @[email protected])
5/18
March 7, 2025 at 2:42 PM
"Edge Devices Investigation"
Paul Rascagneres, Principal Threat Researcher, Volexity (@r00tbsd , @r00tbsd.bsky.social , @[email protected])
5/18
Paul Rascagneres, Principal Threat Researcher, Volexity (@r00tbsd , @r00tbsd.bsky.social , @[email protected])
5/18
Reposted by Paul Rascagneres
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
#dfir #threatintel #m365security
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...
www.volexity.com
February 13, 2025 at 10:39 PM
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
#dfir #threatintel #m365security
Reposted by Paul Rascagneres
This talk is a great way to watch/listen to the details behind the work @stevenadair.bsky.social, @5ck.bsky.social, @tlansec.bsky.social + Volexity’s #threatintel & IR teams did to investigate the Nearest Neighbor Attack. The related blog post is here: www.volexity.com/blog/2024/11...
December 13, 2024 at 1:58 PM
This talk is a great way to watch/listen to the details behind the work @stevenadair.bsky.social, @5ck.bsky.social, @tlansec.bsky.social + Volexity’s #threatintel & IR teams did to investigate the Nearest Neighbor Attack. The related blog post is here: www.volexity.com/blog/2024/11...
Reposted by Paul Rascagneres
We were happy to have @volexity.com's @stevenadair.bsky.social & @5ck.bsky.social present “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access” for the #FTSCon Keynote in October. The video of their talk is available here: youtu.be/qSNlDCg-IOM.
#dfir
#dfir
youtu.be
December 13, 2024 at 1:38 PM
We were happy to have @volexity.com's @stevenadair.bsky.social & @5ck.bsky.social present “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access” for the #FTSCon Keynote in October. The video of their talk is available here: youtu.be/qSNlDCg-IOM.
#dfir
#dfir
Reposted by Paul Rascagneres
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
December 5, 2024 at 8:48 AM
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
Reposted by Paul Rascagneres
#PIVOTcon25 #CfP is open and you can submit your proposals till 7 FEB 2025
Remember
- one track,30m
- no recording/streaming/tweeting. U should feel comfy to share more
- No TLP:WHITE
- Original content only
Let us guide u through with a little meme-thread
#CTI #ThreatIntel 1/10
Remember
- one track,30m
- no recording/streaming/tweeting. U should feel comfy to share more
- No TLP:WHITE
- Original content only
Let us guide u through with a little meme-thread
#CTI #ThreatIntel 1/10
November 27, 2024 at 3:11 PM
#PIVOTcon25 #CfP is open and you can submit your proposals till 7 FEB 2025
Remember
- one track,30m
- no recording/streaming/tweeting. U should feel comfy to share more
- No TLP:WHITE
- Original content only
Let us guide u through with a little meme-thread
#CTI #ThreatIntel 1/10
Remember
- one track,30m
- no recording/streaming/tweeting. U should feel comfy to share more
- No TLP:WHITE
- Original content only
Let us guide u through with a little meme-thread
#CTI #ThreatIntel 1/10
Reposted by Paul Rascagneres
@Volexity.com has developed a new open-source tool, “HWP Extract”, a lightweight Python library & CLI for interacting with Hangul Word Processor files. It also supports object extraction from password-protected HWP files. Download here: github.com/volexity/hwp...
GitHub - volexity/hwp-extract: A library and cli tool to extract HWP files.
A library and cli tool to extract HWP files. Contribute to volexity/hwp-extract development by creating an account on GitHub.
github.com
November 27, 2024 at 11:53 AM
@Volexity.com has developed a new open-source tool, “HWP Extract”, a lightweight Python library & CLI for interacting with Hangul Word Processor files. It also supports object extraction from password-protected HWP files. Download here: github.com/volexity/hwp...
Reposted by Paul Rascagneres
#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)
two men are standing next to each other with the words " we open it up " on the screen
ALT: two men are standing next to each other with the words " we open it up " on the screen
media.tenor.com
November 19, 2024 at 2:00 PM
#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)
Let’s try here and see how it goes ;)
November 24, 2024 at 8:29 PM
Let’s try here and see how it goes ;)
Reposted by Paul Rascagneres
Excited that we @volexity.com are able to share a writeup of one of our most interesting incidents! This case involves:
* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.
www.volexity.com/blog/2024/11...
#nearestneighbor #threatintel
* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.
www.volexity.com/blog/2024/11...
#nearestneighbor #threatintel
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 22, 2024 at 3:05 PM
Excited that we @volexity.com are able to share a writeup of one of our most interesting incidents! This case involves:
* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.
www.volexity.com/blog/2024/11...
#nearestneighbor #threatintel
* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.
www.volexity.com/blog/2024/11...
#nearestneighbor #threatintel
Reposted by Paul Rascagneres
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...
Read more here: www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 22, 2024 at 2:58 PM
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...
Read more here: www.volexity.com/blog/2024/11...