Will T
🇬🇧 | Senior Threat Intelligence Advisor at Team Cymru | Co-author SANS FOR589 | Co-founder Curated Intel
- My latest article for Feedly is about how CTI and Threat Hunting can actually fuse into a single, intelligence-driven workflow instead of operating in silos. If you’re trying to build a more proactive security program, I think you’ll find it useful. 👉 Read it here: feedly.com/ti-essential...
- Reposted by Will T: PODCAST 🎧 How 2025 Shaped the Future of Cybersecurity. We sat down with Rebecca Taylor from Sophos and @bushidotoken.net from @teamcymrus2.bsky.social to discuss 2025’s highs and lows in cyber and make educated guesses on what to look for in 2026. feeds.soundcloud.com/users/soundc...
- New Blog 👀 This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️ 🔗 www.sans.org/blog/for589-...
- Spotted a rather Team Cymru looking fountain here in the Netherlands 🇳🇱 this week! 📸
- New Blog! Lessons from the BlackBasta Ransomware Attack on Capita When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. 📝 blog.bushidotoken.net/2025/10/less...
- New Blog! 👀 In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub. 🔗 www.sans.org/blog/evoluti...
- New Blog! 👀 After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake, have been extorted by adversaries from the English-speaking #cybercrime communities. 🔗 www.sans.org/blog/hunting...
- Pleased to share I’ll be speaking at Adversary Village in DEFCON33!
- Pleased to share my first official Team Cymru blog that follows on from my webinar last month 🙌 “Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry” 🇰🇵 🔍 www.team-cymru.com/post/uncover...
- ⚠️ IntelBroker was arrested in France 🇫🇷 in February 2025, and the US 🇺🇸 is seeking his extradition. How did Law Enforcement Deanonymize IntelBroker? 🔍 TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰 www.justice.gov/usao-sdny/me...
- #opendir 🇨🇳 1.94.184[.]17:8000 Huawei Cloud AS55990 .jsp Godzilla Web Shell 6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b /poc.xml contents wqtzskzmtp[.]zaza[.]eu[.]org 101.33.34[.]170 Tencent AS132203
- The Godzilla hash has also been mentioned in this old PAN blog from 2022 on VMware Workspace ONE Access and Identity Manager exploitation (CVE-2022-22954): unit42.paloaltonetworks.com/cve-2022-229...
- Reposted by Will T: @bushidotoken.net explored a Meta-themed credential phishing campaign (not "Reality"). From those indicators, I pulled the "Threads" & this is far from an isolated campaign. Found great pivots in registration "Meta"data. (I'll see myself out.) All 762 indicators 💥⤵️ www.validin.com/blog/not_rea...
- New Blog! Tracking Adversaries: EvilCorp, the RansomHub affiliate blog.bushidotoken.net/2025/04/trac...
- UNC3886 is a very interesting China-nexus APT that I encourage more CTI analysts to investigate. They are one of the more skilled ones, like Salt or Volt. To help make life easier for some, I’ve manually mapped their TTPs to ATT&CK: github.com/BushidoUK/MI...
- Interesting phishing TTP observed in the wild last year:
  1. Send phish to an <org_name>@service-now[.]com inbox
  2. A ticket is then auto-created in the platform using servicenow_notification@<org_domain>
  3. A link is put in the body of the SNOW ticket that can lead to malware or a fake login page
- It also reminded me of this TTP by EXOTIC LILY blog.google/threat-analy...
- Reposted by Will T: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware. Link: x.com/BushidoToken...
- Podcast: risky.biz/RBNEWS398/ Newsletter: risky.biz/risky-bullet...
  - FBI warns of online file converters that distribute malware
  - China backdoors Juniper routers
  - Ransomware wave hits Taiwan
  - North Korean spyware slips onto the Play Store
  - Senators call for US cyber offensive against China
- New Blog! BlackBasta Leaks: Lessons from the Ascension Health attack 🏥🔒 — This is a step-by-step extraction and translation of the leaked conversation between the BlackBasta members during the Ascension Health attack 🔗 blog.bushidotoken.net/2025/02/blac...
- New Blog! Investigating Anonymous VPS services used by Ransomware Gangs h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡 🔗 blog.bushidotoken.net/2025/02/inve... Podcast version: www.youtube.com/watch?v=xX25...
- Glad to see LE and Gov keeping up the pressure on ransomware gangs in early 2025 ZSERVERS BPH sanctioned by the UK for enabling LockBit attacks www.gov.uk/government/n... Phobos & 8BASE arrests by international partners www.europol.europa.eu/media-press/...
- New Blog! Tracking Adversaries: Ghostwriter APT Infrastructure 🇧🇾 blog.bushidotoken.net/2025/01/trac...
- New Blog! Analysis of Counter-Ransomware Activities in 2024 blog.bushidotoken.net/2025/01/anal...
- Bournemouth2600 Challenge Coins arrived 😎
- Ransomware Zero Days 2024
- Very interesting screenshot in the latest FBI arrest of the main LockBit developer “Rostislav Panev” Source code for LockBit builders for #Proxmox and #Nutanix, which have not been observed in the wild AFAIK 🧐 www.justice.gov/opa/media/13...
- Signal is just another area of operations for cybercrime and organised crime like any other. And CTI vendors would not be doing their job if they were not infiltrating these communities and group chats. It’s not Signal’s fault. It’s just a fact of the internet. TL;DR — No lol, Signal wasn’t hacked
- Reposted by Will T: Oh my gosh, @bushidotoken.net just walked on stage for his #CyberThreat24 presentation on cyber criminal OPSEC fails to John Cena's entrance music. 😁🫡
- New Blog! Top 10 Cyber Threats of 2024 Overall, this year was full of mega breaches, government hacking campaigns, massive ransomware attacks, disruptive ICS attacks, and global technology failures blog.bushidotoken.net/2024/12/top-... #cybercrime #infosec #malware #cybersecurity
- Usually I take a notebook to conferences and use it to write notes instead of using my phone so the speaker doesn’t think I am bored and playing on my phone instead lol 📝
- From seeing the Spotify Wrapped of my friends, if you were to create a Venn diagram of drum and bass fans & infosec workers, it would be a circle
- Created a new repo to publish my MITRE ATT&CK mappings for when reports don't have a section on TTPs, hopefully useful for other defenders working on detection engineering & threat hunting. github.com/BushidoUK/MI...
- Created a YARA rule and a Sigma rule recently for a USB malware I’ve been researching called UniversalMiner, first reported on by CERT-AZ. Hope defenders elsewhere find them helpful :) YARA github.com/BushidoUK/YA... Sigma github.com/BushidoUK/Si...
- I also ran a VT retro hunt with the YARA, which uncovered around 600 samples of this malware, the first sample was submitted to VT in June 2024.