Costin Raiu
@craiu
Cybersecurity researcher focused on threat intel & APTs. Breaking down attacks, hunting threats, and crafting YARA rules. 🛡️💻 #ThreatIntel #CTI #Crypto #YARA
The malicious JS deployed by Lazarus in the ByBit hack, 0/61 on VT.
Sample is now on VT! 🚩Hash: fbd5e3eb17ef62f2ecf7890108a3af9bcc229aaa51820a6e5ec08a56864d864d 🎯Actor name: Lazarus 🔹Comment: The Safe{Wallet} JavaScript used by Lazarus in the ByBit hack that was deployed Feb 19, 2025 17:29:05 and replaced with the original clean version…
🧵Found what might be a bulletproof hosting operation during threat hunting! Qwins LTD (ASN 213702) is showing some red flags: organized malicious infrastructure across 4 network segments. intelinsights.substack.com/p/bulletproof-… #BulletproofHosting #ThreatIntel
#OffTopicWeekend Sit down and watch this with your kids. Flow is a timeless masterpiece – a magical tale of fate, unlikely friendships, and quiet courage. No dialogue. Just pure emotion, beautifully told. It’s not streaming or AI that’ll kill Hollywood. It’s the inability to…
This week's show is YouTube ready 📺 @craiu @juanandres_gs 🔥Microsoft Sharepoint Security Crisis: Faulty Patches, Zero-day chains youtu.be/3GJuVGmpexA
Every public CTI blog should start like this - by linking it to other companies’ or researchers work on the same threat actor / cluster.

🚨 New blog post 🚨 Hunting Laundry Bear: Infrastructure Analysis Guide and Findings How to enrich previous reporting with Validin to find dozens of indicators not previously reported. #LaundryBear #VoidBlizzard #APT validin.com/blog/laundry_b…
This week's Three Buddy Problem is live on all podcast platforms 🔥 @juanandres_gs @costin 🧨 Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days LISTEN episodes.fm/1414525622
ℹ️ Update: Connectivity has been restored on Starlink (AS14593) after an international outage affecting multiple countries; the operator has not issued an explanation; incident duration ~2h 📈
There are various reports of cybercriminals abusing CrowdStrike RTR, the SentinelOne installer, and the Wazuh SIEM Agent. Seems we could do with a new @MITREattack TTP for this threat. Should be a concern for orgs running any type of EDR/SIEM agent. (Sources linked below)
Along with a group of other researchers, I've been tracking attacks from the DDoSia participatory DDoS botnet operated by NoName057(16). Targets of this botnet have been primarily Ukrainian, NATO and other European targets. Today, we published collected logs from tracking…
Hackers reportedly breached the National Nuclear Security Administration and other parts of the Department of Energy through the Microsoft SharePoint vulnerability. bloomberg.com/news/articles/…
Interestingly, after the malicious package was removed from the extension store, attackers republished it, inflating the number of its downloads to 2M. The descriptions of the two packages in the screenshot look so much alike, and it's very easy to download the wrong one! [5/6]
🏆 Péter Szőr Award 2025 Recognising outstanding technical security research, selected by the VB advisory board from community nominations. Award to be presented at VB2025 in Berlin, 24–26 Sept. Submit your nomination 👉 tinyurl.com/tf9fyz3n
Brief analysis of Chrome vuln #CVE-2025-6554, which was exploited in the wild. ti.qianxin.com/blog/articles/…
Tap in to the stream this week for some YARA fun, highlighting some crazy rules, how I think about learning yara (or anything) as a mid-career professional, and more!
🔥 Ready for this week's live stream with Greg Lesnewich... youtube.com/live/JIxbM82hW…
Write-up on our perspective at #Censys on ToolShell / CVE-2025-53770 exploit in SharePoint: censys.com/advisory/cve-2…
I am honored to be speaking at The Mob Museum in Vegas on August 7th about my two-year undercover operation inside the LockBit ransomware group. This is the last time I plan to tell this story publicly, so if you are in Vegas for #DEFCON, come hear it in person! In this session,…
Nothing too exciting by APT41 🇨🇳 here IMO, using Impacket, CobaltStrike, Mimikatz, Pillager, RawCopy, Neo-reGeorg. Using a compromised SharePoint server for C2 is interesting I guess, especially with this new ToolShell exploit for SharePoint servers. securelist.com/apt41-in-afric…