Daniel Gordon
@validhorizon.bsky.social
Thought Trailer, Cyber Threat Intel, DFIR. He/Him. Bucketing, sharing, and bacon-saving as a service. https://validhorizon.medium.com/
Over the course of my career I’ve found and accomplished some pretty wild stuff. Next week I will be talking, for the first time, about one of the wildest things I ever found. The talk will be geared to analysts and practitioners but pretty sure this will be fascinating for everyone.
Comrades, Only 5 days left until #BSidesPyongyang2025. Join us on 18 November for talks on #CryptoConfiscation #Memecoins #Missiles #Juche #ITWorkers #Cyber.
Don't miss out! Register today!
https://www.eventbrite.com/e/bsides-pyongyang-tickets-1859223941859
#BSPY25
Don't miss out! Register today!
https://www.eventbrite.com/e/bsides-pyongyang-tickets-1859223941859
#BSPY25
November 14, 2025 at 2:57 AM
Over the course of my career I’ve found and accomplished some pretty wild stuff. Next week I will be talking, for the first time, about one of the wildest things I ever found. The talk will be geared to analysts and practitioners but pretty sure this will be fascinating for everyone.
Something is broken in YARA for VirusTotal right now, signatures matching on things for no apparent reason.🫡 to any folks who have to clean up
November 11, 2025 at 4:14 PM
Something is broken in YARA for VirusTotal right now, signatures matching on things for no apparent reason.🫡 to any folks who have to clean up
I know dunking on this is fun and all but if you watch the clip Christo is laughing and mocking this conspiracy theory he heard from Russian intel. I’ve heard stories about the terrible quality of Russian intel but this is bad.
"Famed spy hunter"
November 8, 2025 at 1:43 PM
I know dunking on this is fun and all but if you watch the clip Christo is laughing and mocking this conspiracy theory he heard from Russian intel. I’ve heard stories about the terrible quality of Russian intel but this is bad.
Reposted by Daniel Gordon
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Reposted by Daniel Gordon
You need a very special personality type to be a great ft reverser and most people can’t. It’s why they can write their own ticket.
November 1, 2025 at 5:58 AM
You need a very special personality type to be a great ft reverser and most people can’t. It’s why they can write their own ticket.
This will be my third time speaking at Bsides but it’s already the most hilarious
No longer limited by geographical constraints, virtual conferences have opened up new possibilities for reeducation! Join us at #BSidesPyongyang on Nov 18th and discover the thrill of online learning! #BSPY25 #NewFrontiers
October 31, 2025 at 11:37 AM
This will be my third time speaking at Bsides but it’s already the most hilarious
I was recently talking to someone who worked on tracking Chinese botnets. We talked about ways to impact them and settled on “fixing the IoT ecosystem”. Then we had a good laugh and changed the subject because obviously that’s never going to happen.
When you hear “Internet of Things” or “connected”, think:
①useless & works badly at best,
②requires constant updates and Internet access for no reason,
③ceases to work because company decides to stop maintaining,
④gets hacked and serves to attack you/others,
⑤keeps you under constant surveillance.
①useless & works badly at best,
②requires constant updates and Internet access for no reason,
③ceases to work because company decides to stop maintaining,
④gets hacked and serves to attack you/others,
⑤keeps you under constant surveillance.
October 30, 2025 at 11:34 AM
I was recently talking to someone who worked on tracking Chinese botnets. We talked about ways to impact them and settled on “fixing the IoT ecosystem”. Then we had a good laugh and changed the subject because obviously that’s never going to happen.
Get tickets before they run out! (This is a free online event that will not run out)
www.eventbrite.com/e/bsides-pyo...
www.eventbrite.com/e/bsides-pyo...
BSides Pyongyang
온라인으로 열리는 보안 컨퍼런스, 함께 즐기면서 최신 보안 트렌드에 대해 배워보자! | #BSidesPyongyang2025 :A free community cyber conference on Nov 18 2025
www.eventbrite.com
October 25, 2025 at 12:12 PM
Get tickets before they run out! (This is a free online event that will not run out)
www.eventbrite.com/e/bsides-pyo...
www.eventbrite.com/e/bsides-pyo...
Reposted by Daniel Gordon
a useful correction on the timescale and process in that story here! (it does not, however, make the meme any better.)
It did not. The reporter took the date on my original email about the planned malware release and assumed that the graphic was begun at the same time.
I sketched out a rough version of that with the PAO in like 15 minutes of brainstorming on a whiteboard. She then sent it to the graphic contractor.
I sketched out a rough version of that with the PAO in like 15 minutes of brainstorming on a whiteboard. She then sent it to the graphic contractor.
In 2020, U.S. Cyber Command wanted to create a 'meme' to mock Russian hacking attempts. Now, bear in mind that information warfare is part of their brief, and this is well within their skill set.
It took them 22 days to come up with *this*
It took them 22 days to come up with *this*
October 24, 2025 at 4:18 PM
a useful correction on the timescale and process in that story here! (it does not, however, make the meme any better.)
Reposted by Daniel Gordon
If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.
October 23, 2025 at 1:27 PM
If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.
Reposted by Daniel Gordon
Sep 25: "North Korea is expanding its military drone program"
www.38north.org/2025/09/curr...
Mid-October:
www.38north.org/2025/09/curr...
Mid-October:
#ESETresearch discovered a new wave of the well-known North Korea-aligned Lazarus campaign Operation DreamJob, now targeting the drone industry.
welivesecurity.com/en/eset-rese... 1/9
welivesecurity.com/en/eset-rese... 1/9
October 23, 2025 at 10:16 AM
Sep 25: "North Korea is expanding its military drone program"
www.38north.org/2025/09/curr...
Mid-October:
www.38north.org/2025/09/curr...
Mid-October:
Hell yeah check out that lineup
Our new website has launched. We will continue to update the site with information as it becomes available.
https://bsidespyongyang.com/
https://bsidespyongyang.com/
October 23, 2025 at 9:51 AM
Hell yeah check out that lineup
Reposted by Daniel Gordon
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
October 22, 2025 at 9:18 AM
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
Reposted by Daniel Gordon
Thanks to @xorhex for an interesting discussion that is worth sharing here. I knew I read this somewhere but here's a fun thing you can do in YARA-X:
2 of ($a*, $b*, 3 of ($c*))
This is documented but not widely known: virustotal.github.io/yara-x/docs/...
2 of ($a*, $b*, 3 of ($c*))
This is documented but not widely known: virustotal.github.io/yara-x/docs/...
Differences with YARA
Documents the differences between YARA-X and YARA.
virustotal.github.io
October 16, 2025 at 5:48 PM
Thanks to @xorhex for an interesting discussion that is worth sharing here. I knew I read this somewhere but here's a fun thing you can do in YARA-X:
2 of ($a*, $b*, 3 of ($c*))
This is documented but not widely known: virustotal.github.io/yara-x/docs/...
2 of ($a*, $b*, 3 of ($c*))
This is documented but not widely known: virustotal.github.io/yara-x/docs/...
Reposted by Daniel Gordon
TI / IR / Threat Hunting / Forensics / Vuln Mgmt staff since BRICKSTORM, and especially since yesterday:
a cartoon dog is sitting at a table with a cup of coffee in front of a fire with the words this is fine .
ALT: a cartoon dog is sitting at a table with a cup of coffee in front of a fire with the words this is fine .
media.tenor.com
October 16, 2025 at 4:37 PM
TI / IR / Threat Hunting / Forensics / Vuln Mgmt staff since BRICKSTORM, and especially since yesterday:
On the one hand, it is very tempting to join in with everyone dunking on F5 for this but on the other hand I forget what I was going to say here
Leading ADN vendor F5 says nation-state actor had long-term access to its production environment and engineering resources. CISA is ordering agencies to update F5 products and isolate them from the internet. Passwords, API keys, data at risk.
www.cisa.gov/news-events/...
my.f5.com/manage/s/art...
www.cisa.gov/news-events/...
my.f5.com/manage/s/art...
October 15, 2025 at 4:40 PM
On the one hand, it is very tempting to join in with everyone dunking on F5 for this but on the other hand I forget what I was going to say here
Reposted by Daniel Gordon
October 9, 2025 at 6:06 PM
October 9, 2025 at 9:09 AM
Reposted by Daniel Gordon
Announcing this year's CYBERWARCON speaker lineup and agenda! We've got some fantastic talks this year, and more will be announced soon.
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
October 8, 2025 at 4:08 PM
Announcing this year's CYBERWARCON speaker lineup and agenda! We've got some fantastic talks this year, and more will be announced soon.
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Reposted by Daniel Gordon
So, next week I'm presenting this concept on expanding Bluesky's limited form of certificate authority verification into a multi-root, multi-platform system. Still revising a final draft.
I'd love it if everyone took a look and gave me comments.
I'd love it if everyone took a look and gave me comments.
(PDF) From root to Sky: Bluesky's certification authority verification as basis for sustainable multiplatform verification system
PDF | Bluesky's recent announcement of a certi icate authority/chain of trust veri ication system for high-impact accounts is, potentially, a cheap and... | Find, read and cite all the research you ne...
www.researchgate.net
October 7, 2025 at 6:00 PM
So, next week I'm presenting this concept on expanding Bluesky's limited form of certificate authority verification into a multi-root, multi-platform system. Still revising a final draft.
I'd love it if everyone took a look and gave me comments.
I'd love it if everyone took a look and gave me comments.
Reposted by Daniel Gordon
Great piece from
@strikereadylabs.com
on a continuation of Operation Roundpress - both a great finding and walkthrough how to find, and analyze, these types of XSS phishes
strikeready.com/blog/0day-ic...
@strikereadylabs.com
on a continuation of Operation Roundpress - both a great finding and walkthrough how to find, and analyze, these types of XSS phishes
strikeready.com/blog/0day-ic...
0day .ICS attack in the wild
Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s m...
strikeready.com
October 2, 2025 at 5:35 PM
Great piece from
@strikereadylabs.com
on a continuation of Operation Roundpress - both a great finding and walkthrough how to find, and analyze, these types of XSS phishes
strikeready.com/blog/0day-ic...
@strikereadylabs.com
on a continuation of Operation Roundpress - both a great finding and walkthrough how to find, and analyze, these types of XSS phishes
strikeready.com/blog/0day-ic...
Reposted by Daniel Gordon
A thread of great questions from @greg-l.bsky.social and fantastic answers (and nuance) by @invisig0th.bsky.social, about the legendary APT1 report and way more.
HI @invisig0th.bsky.social been enjoying your recent media appearances with KZ and TBP!
Was wondering two things
1. You’re obviously the lead singer of the APT1 report “band” - Without burning names, can you talk about the make up of the team (skills, backgrounds, etc) +
& what made it special?
Was wondering two things
1. You’re obviously the lead singer of the APT1 report “band” - Without burning names, can you talk about the make up of the team (skills, backgrounds, etc) +
& what made it special?
October 2, 2025 at 11:03 AM
A thread of great questions from @greg-l.bsky.social and fantastic answers (and nuance) by @invisig0th.bsky.social, about the legendary APT1 report and way more.
Reposted by Daniel Gordon
#ESETresearch has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating #Signal and #ToTok via deceptive websites. www.welivesecurity.com/en/eset-rese... 1/6
New spyware campaigns target privacy-conscious Android users in the UAE
ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates.
www.welivesecurity.com
October 2, 2025 at 9:24 AM
#ESETresearch has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating #Signal and #ToTok via deceptive websites. www.welivesecurity.com/en/eset-rese... 1/6
Reposted by Daniel Gordon
