Tom Hegel
Distinguished Threat Researcher, Research Lead @SentinelOne.
Advisor with @ValidinLLC.
tomhegel.com/blog.html
- 🔥 The lineup this year is incredible, thanks to everyone who submitted! Attendees are in for something special… and for everyone else, expect some major FOMO. events.sentinelone.com/event/LABSco...
- New research from @milenkowski.bsky.social (S1) and @kennethkinion.bsky.social (Validin): 🇰🇵 Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms Research: www.sentinelone.com/labs/contagi... Reuters story: www.reuters.com/world/asia-p...
- Reposted by Tom Hegel: The US, AU, and NZ have tested a prototype for a new cyber defense kit designed to connect and help secure any network. The kits are operated by a nine-person team and are intended to be portable and moved to any location in the world. www.defence.gov.au/news-events/...
- Reposted by Tom Hegel: 🔥 The hunt is on for the world’s ultimate threat hunter? 🔍 🛡️Introducing Sentinels League: The Threat Hunting World Championships 🛡️ 3 Rounds. 3 Regions. 3 Finalists. Only One World Champion.
- Hefty new drop w/ @milenkowski.bsky.social China-nexus Threat Actors Hammer At the Doors of Top Tier Targets www.sentinelone.com/labs/follow-...
- Reposted by Tom Hegel: Dutch intelligence discover a new Russian APT—LAUNDRY BEAR www.aivd.nl/documenten/p... Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
- Reposted by Tom Hegel: Is the era of the “named actor” done? As the OG adversary sets diverge, get promoted, or move on, actors dispersing across the kill chain based on specialized skills increases (ORBs, criminal underground) AND the CTI models maturing… APTs ⬇️⬇️ UNCs ⬆️⬆️
- NEW 👉 FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network Months-long research project with Validin we just dropped @pivotcon.bsky.social 🖤~40k IOCs: github.com/Validin/indi... 💜 SentinelLabs: s1.ai/freedrain 💙 Validin: www.validin.com/blog/freedra... Enjoy!
- Reposted by Tom Hegel: An absolutely stunning look inside @sentinelone.com 's use of #synapse to provide intelligence context to inter-disciplinary intelligence stakeholders in defense of their own org. Truly on the leading edge of the intel driven fusion, collaboration, and impact. 🤩 www.sentinelone.com/labs/top-tie...
- Reposted by Tom Hegel: At @pivotcon.bsky.social, I'm presenting with @hegel.bsky.social and Sreekar Madabushi on the first public look at the full scope of a stealthy, long-running phishing network.
- Reposted by Tom Hegel: NEW: Iranian gov hackers targeted #EU Parliament's #Iran delegation chair @hneumannmep.bsky.social Elaborate operation impersonated former #FBI official to seed spyware. Good to see a MEP speaking out & sharing this insidious threat to EU institutions 1/ www.politico.eu/article/euro...
- Reposted by Tom Hegel: #apt #sidewinder "54th CISM World Military Naval Pentathlon Championship 2025.docx" 40712a087a8280425f1b317e34e265c0329ffb0057be298d519fc5e0af6cb58f -> dirsports.milqq[.]info blank doc decoy
- Reposted by Tom Hegel: @bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.) All 762 indicators 💥⤵️ www.validin.com/blog/not_rea...
- Reposted by Tom Hegel: Here's the Lab Dookhtegan segment www.youtube.com/watch?v=g-zj...
- Really great episode this week. The Signal ID management mess, and the Lab Dookhtegan topics... simply delicious 🤌
- This week's problem is ready on YouTube www.youtube.com/watch?v=IDc_...
- Atomic indicators have value beyond just the day they’re observed - Age alone doesn’t always diminish their usefulness. Attribution challenges aside, this is a common occurrence in both cybercrime and APT campaigns. Looking at you, South Asia!
- Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware www.sentinelone.com/labs/labscon...
- Incredibly excited to drop some new research alongside @kennethkinion.bsky.social and Sreekar Madabushi at this year's @pivotcon.bsky.social
- Great refresher / inside-scoop on the Lamberts -- #WhereAreTheyNow
- NEW POD ALERT: Revisiting the US/Russia cyber stand down order and the diplomatic optics. Plus, a dissection of ‘The Lamberts’ and connections to US intelligence agencies, attribution around ‘Operation Triangulation’, VMware 0days and i-Soon indictments securityconversations.com/episode/revi...
- Reposted by Tom Hegel: Look man, I'm not saying anything but I'm also not NOT saying anything
- 🚨 New analysis of Ghostwriter activity targeting Ukrainian government & Belarusian opposition s1.ai/ghost-xl
- Spicy new drop from the team. H/T to @milenkowski.bsky.social, @dakotaindc.bsky.social, Alex Delamotte s1.ai/topsec
- Reposted by Tom Hegel: Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts. cloud.google.com/blog/topics/...
- Reposted by Tom Hegel: If I had a dollar for every single time something is attributed vaguely to “Mustang Panda” I could buy a flat in London
- Reposted by Tom Hegel: We have been tracking multiple Russian APT groups aggressively targeting organizations with Microsoft Device Code authentication phishing. The attackers got creative with tricking users into granting them access to their accounts. Have a look at our blog for all the details!
- Reposted by Tom Hegel: Sharing the project I've been working on for the last month. Here's GTIG's paper on the severe threat to national security posed by cyber crime.
- The American woman arrested last year for assisting DPRK IT Workers pled guilty. But... Did you know the original search warrant for her home mentioned a TikTok that happened to show her laptop farm? lol oops www.justice.gov/usao-dc/pr/a...
- Reposted by Tom Hegel: Crap crap crap. www.washingtonpost.com/technology/2...
- Reposted by Tom Hegel: Sneaky! 🫣😶🌫️ #DPRK FERRET #macOS #malware has been tricking users into installing backdoors and trying to hide out behind fake Zoom, Chrome and Apple logd files. @philofishal.bsky.social @hegel.bsky.social s1.ai/Ferret
- X Phishing | Campaign Targeting High Profile Accounts Returns, Promoting Crypto Scams Blog --> s1.ai/XCrypto
- 🔥 Validin did some killer work detailing various creative pivoting techniques --> more indicators worth exploring! www.validin.com/blog/x-phish...
- Reposted by Tom Hegel: Timely research on high-value targeting from @hegel.bsky.social and the @sentinelone.com team. ITS ALWAYS ABOUT ILLICIT VALID ACCESS FOLKS!!!!!
- X Phishing | Campaign Targeting High Profile Accounts Returns, Promoting Crypto Scams Blog --> s1.ai/XCrypto
- Great research here! "PlushDaemon" 👀
- #ESETresearch discovered + named 🇨🇳 China-aligned #APT group #PlushDaemon who did a supply-chain compromise of a 🇰🇷 South Korean #VPN provider, trojanizing its legitimate software installer with a Windows backdoor we named #SlowStepper www.welivesecurity.com/en/eset-rese... 🧵1/6
- Reposted by Tom Hegel: New pod is up on YouTube! www.youtube.com/watch?v=sczd...
- I’m biased, but wow—it’s so refreshing to get updates that genuinely help me better track threat actors. 🔥 www.validin.com/blog/threat_...
- Reposted by Tom Hegel: 🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337. cloud.google.com/blog/topics/...
- Reposted by Tom Hegel: The talented reporting crew of @raphae.li @razhael & @ajvicens.bsky.social point to a recent posting by #BeyondTrust about an incident involving remote support, which sounds a lot like what Treasury has announced. #cybersecurity #infosec www.beyondtrust.com/remote-suppo...
- Jaime flagging popular extensions here. My findings/thoughts: 🔹 15ish fresh (this week) domains, each w/ their own extension tie-in. 🔹 Links back to early 2024 extensions, similar abuse, but focused on ad-blocking, AI, YouTube extensions. 🔹 VIBESINT = opportunistic scam. 🧵...
- Infra breakdown: Newest activity is sitting on 149.28.124.84 (🇺🇸 AS 20473 CHOOPA). One of the first related domains on this is ext.linewizeconnect[.]com, which has its root domain sitting on 136.244.115.219 (🇺🇸 AS 20473 CHOOPA). 🔹 Timeline from Validin (h/t @kennethkinion.bsky.social)
- 136.244.115.219 is very similar, with lots of other domains, extension themed, going back to early 2024. I fully expect more pivots can be found with minimal effort. 🔹 IOC List (both): pastebin.com/8vKED1NC 🔹 Heavy Namecheap use for registering
- It's pretty easy to look into the email, telegrams, and stolen headshots used in this set of activity. I suspect it's centered around illicit bulk data collection/selling, but the opportunity for greater impact is obviously high here. 🔹 Nuke these extensions from your networks.
- NEW: Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels www.sentinelone.com/labs/operati... Collab from @milenkowski.bsky.social and Luigi Martire (Tinexta Cyber)
- Love the recent RU reporting! GruesomeLarch and now Turla... 🖤
- Second time we've seen Turla sit on top of someone else's operation. blog.lumen.com/snowblind-th...
- Reposted by Tom Hegel: Look mom, the problem is on TV youtu.be/Pq866OmE-u0
- Incredible research from the @volexity.com crew here -- a must read!
- @volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world. Read more here: www.volexity.com/blog/2024/11...
- Reposted by Tom Hegel: The DPRK IT Worker apparatus is a well oiled machine. Few grasp the depth of how many pieces enable these operations.
- 🚨 New Research Drop: 🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China Summary: ⚪ Newly Disrupted Front Companies by USG ⚪ Impersonating US based software and tech orgs ⚪ Links to still-active front orgs, CN association Report: www.sentinelone.com/labs/dprk-it...
- Reposted by Tom Hegel: FBI seizes websites that North Koreans allegedly used to impersonate American companies www.cnn.com/2024/11/21/p...
- 🚨 New Research Drop: 🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China Summary: ⚪ Newly Disrupted Front Companies by USG ⚪ Impersonating US based software and tech orgs ⚪ Links to still-active front orgs, CN association Report: www.sentinelone.com/labs/dprk-it...
- 2/4: For the ambitious out there, here are some bonus pivots and additional findings worth exploring! h/t @kennethkinion.bsky.social In Validin, take one of our domains (inditechlab[.]com in this case), pivot on the second the registration was changed by the actor. Check out 2024-04-10T17:14:08Z
- 3/4: Look at matching registration results tab, and filter by NameCheap (commonly used as noted in the blog). Results show two interesting domains, one of which certainly fits our profile of tech orgs -- sunlotustech[.]com
- 4/4: Sunlotustech resolving to 103.103.128[.]165. Live but struggling to function, however the content lines up with Softiba IT Solutions, a legitimate organization based in Istanbul. So, some additional work required here, but sunlotustech overall fits the profile. Happy hunting!
- Reposted by Tom Hegel: Great research on the front companies used by North Korean IT workers. These guys are showing up EVERYWHERE. www.sentinelone.com/labs/dprk-it...
- Outstanding threat intelligence conference -- be there!
- #PIVOTcon25 registration is now OPEN 🤟📥📥📥 pivotcon.org #CTI #ThreatResearch #ThreatIntel Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)

- Reposted by Tom Hegel: I made a Detection Engineering starter pack, will be adding more as more folks jump over to bluesky! go.bsky.app/HenXJUR at://did:plc:pddw53nuvq4linelhyg5uvj4/app.bsky.graph.starterpack/3lbaaehq44n2q
- The Iran report is indeed a great bit of work that was pretty widely missed it seems. Much to explore, read it here: www.ic3.gov/CSA/2024/241...
- The Three Buddies Problem podcast episode 21 is now live! Together with @ryanaraine.bsky.social and @jags.bsky.social we talk geography, cyber magic walls, Aria Sepehr Ayandehsazan aka Emennet Pasargad, Predatory Sparrow and of course, magic money #bitcoin: securityconversations.com/episode/what...
- Nice starter pack -- thanks @oxley.io !
- Specific to cyber threat intel…(and you’re on it) 😅 go.bsky.app/TxQYHap at://did:plc:dv44yhm2prt4m5ahnt3ieb47/app.bsky.graph.starterpack/3lakfo2u4gq26
- Anyone have a starter pack for starter packs?
- Reposted by Tom Hegel: I wrote a post on the realities of cloud & webserver ransomware. Check it out to see some of the toolsets & frameworks that can be used for these attacks.
- 🇨🇳👉 👈🇮🇳 me:🍿
- Wait... did a Chinese security vendor just publish research on a suspected Chinese APT backdoor? 🙃 I need your thoughts here @jags.bsky.social blog.xlab.qianxin.com/analysis_of_...
- Deny and deflect baby, love it.
- ICYMI, from @dakotaindc.bsky.social 👇 China’s Influence Ops | Twisting Tales of Volt Typhoon at Home and Abroad www.sentinelone.com/labs/chinas-...
- Reposted by Tom Hegel: My colleagues from ESET Threat Research released their findings into the backend modules of RedLine infostealer following its takedown in Operation Magnus. www.welivesecurity.com/en/eset-rese...
- Reposted by Tom Hegel: An intriguing new detail in the Mossad pagers story: Taiwanese prosecutors name a previously unreported firm, Frontier Group Entity, as being behind the manufacturing, trading, and shipping of the weaponised pagers: www.reuters.com/world/middle...
- Killer new report from TrendMicro -- Earth Estries (aka Salt Typhoon). www.trendmicro.com/en_us/resear...
- Reposted by Tom Hegel: This is what our CI/CD pipelines are missing.
- 🔥 New from Phil Stokes, Raffaele Sabato and Me: 🇰🇵 BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence www.sentinelone.com/labs/bluenor...
- 👀👉 We uploaded Stage 2 to VT: virustotal.com/gui/file/bd2... Enjoy!
- Reposted by Tom Hegel: Bellingcat recently relaunched its investigative toolkit, containing a wide variety of tools and an AI-powered search engine to help you find the right tool for the job. www.bellingcat.com/resources/20...
- Big thank you to the #FTSCon / @volexity.bsky.social team for the invite to come and share my research. Outstanding event with such quality talks. Highly recommend adding it to your CTI conference list. 💜
- Back here for the first time in a while. Just hoping it becomes more than a feed about why twitter sucks.
- Does it count as 'imposing cost' if the APT pays to sic their legal goons on ya? #AchievementUnlocked?
- Reposted by Tom Hegel: Make sure you also read @hegel.bsky.social's related analysis www.sentinelone.com/labs/elephan...
- 💜 New research released today: Elephant Hunting | Inside an Indian Hack-For-Hire Group: www.sentinelone.com/labs/elephan... ➡ The related, must-read, story from Reuters (@chrisbing.bsky.social, @zebawrites.bsky.social, @razhael.bsky.social): www.reuters.com/investigates...
- Reposted by Tom Hegel: New: The aggressive extortion group “Scattered Spider” has been on the warpath; some responders fear they’ve been enabled by a stumbling FBI response. (w/ @chrisbing.bsky.social & @zebawrites.bsky.social) www.reuters.com/technology/c...
- Pre-war Gaza Cybergang activity. Nice blog from Proofpoint: www.proofpoint.com/us/blog/thre...
- Lots of movement in Middle East threat landscape: - Agrius targeting IL Edu/Tech (unit42.paloaltonetworks.com/agonizing-se... ) - Onyx Sleet targeting defense firm - Arid Viper Mobile (www.sentinelone.com/labs/arid-vi... )
- The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest👇 www.sentinelone.com/labs/the-isr...
- Updated - new findings on Arid Viper / ShroudedSnooper #ThreatIntel
- Reposted by Tom Hegel: What happens when you fight disinformation with more disinformation? Two Israelis in the "disinformation-for-hire" business found out when they uncovered Russian plots to overthrow governments in Africa while using fake social media profiles of their own. From @washingtonpost.com's Lizza Dwoskin:
- Reposted by Tom Hegel: crazy episode of Hot Ones
- Great additional findings from ESET's Operation Jacana research. --> China targeting Guyana Gov. Unsurprisingly denied by all involved 👀 Stairwell: stairwell.com/resources/st... ESET: www.welivesecurity.com/en/eset-rese...