June arrives with more heat, everywhere, and not just regarding the weather.
Law enforcement is counting up some recent disruption and arrest operation wins like Operation RapTor, covered below, or the Lumma takedown, or Operation Endgame (covered here in Srsly Risky Biz). And in the humid biomass of Washington D.C., several hundred finding-hungry investigators, hunters, and defenders gathered last week to attend SLEUTHCON.
SLEUTHCON is a popular, limited-capacity conference in Crystal City themed on financially-motivated actors and crime. The venue and setting are not a sales setup, but rather a place for practitioners to talk turkey between single-track presentations targeted enough to be relevant to most or all attendees. I was a first-timer there this year, and it has immediately become a must-attend conference for me. The relaxed nature, shared purpose, and sense of humor hooked me.
I’d be remiss if I didn’t mention that DomainTools CISO and Head of Investigations Daniel Schwalbe co-spoke with Analyst1, hunter Jon DiMaggio on the complex human realities of the Russian-affiliated ransomware ecosystem, and published a parallel post here. The research challenges our typical approach to and typology of ransomware groups, and argues for changes necessary in order to better investigate and disrupt them.
On another conference note, looking forward to this BlackHat briefing by Infoblox Threat Intel folks, as they always bring the best tea.
With all that sorted, let’s get sweaty.
Recommended Cybersecurity Podcasts
Team Cymru - Future of Threat Intelligence - 6mins - Frost & Sullivan cybersecurity principal Martin Naydenov on AI in cybersecurity right now. Contains a really interesting insight: because of the (accurate) trust gap, an AI product may differentiate itself in analyst use by providing a path to validate the AI output as accurate, alongside the GenAI output itself.
Ologies with Alie Ward - Cryptology, with author Simon Singh - Nothing groundbreaking, but thoroughly entertaining. There are few things more fun than listening to someone gush about a topic they’re passionate about, which is more or less the basis of the entire Ologies podcast.
Must-Read Cybersecurity Articles and Blog Posts
Qualys - Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations - Good, brief post from Qualys threat researchers on LockBit insights gleaned from the recent dump. Worth your time.
Proofpoint - The Bitter End: Unraveling Eight Years of Espionage Antics—Part One - Excellent work by Proofpoint and Threatray, and some great passive DNS work in particular, which made digging through the provided IOCs a fun little hyperfocus.
Mandiant - Hello, Operator? A Technical Analysis of Vishing Threats - Good general information, but the point to really note is UNC6040 specifically targeting enterprise Salesforce instances for compromise, exfiltration and extortion.
Intel 471 - Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey - The importance of including geopolitics in CTI, along with how to show the value of CTI programs - important, well-made points.
DomainTools Investigations - Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery - We cracked, fried, and served up recent FIN6 activity leveraging a social-engineering jobseeker approach to execute phishing and malware delivery operations. IOCs, as always, up on GitHub.
Europol - 270 arrested in global dark web crackdown targeting online drug and criminal networks - “The suspects were identified through coordinated investigations based on intelligence from the takedowns of the dark web marketplaces Nemesis, Tor2Door, Bohemia and Kingdom Markets.”
KrebsOnSecurity - Proxy Services Feat on Ukraine’s IP Address Exodus - This is particularly grim. A fifth of their IP space is no longer under their control, either seized by Russian-affiliated organizations or held by opaque proxy service providers. Incredibly important to consider as an element of the cyber domain in conflicts going forward.
KrebsOnSecurity - Pakistan Arrests 21 in ‘Heartsender’ Malware Service - Krebs identified major players in 2021 after they infected themselves with their own malware. The wheels may move slowly, but it’s nice to see them move once in a while.
The Record - Major food wholesaler says cyberattack impacting distribution - Following playbooks unleashed in the UK, looks like retail first, grocery second, in current US compromises. Has me kind of wondering if some cluster is treating the UK as proving ground, the US as validating deployment. As Gossi mentioned on Mastodon, deploying shortly before a company is due for an earnings report is also a unique way to apply pressure to pay a ransom.
Natto Thoughts - Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry - Excellent insights and details here that dovetail with some of our internal research. Always worth knowing better the people behind the keyboards.
SentinelOne - Follow the Smoke | China-nexus Threat Actors Hammer At The Door of Top-Tier Targets - “This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.” - You don’t say…
Domain Name Wire - PayPal wants patent for system that scans newly-registered domains - Specifically scanning for typical elements of a shopping checkout system, and then simulating a checkout process in an automated manner. Clever, and probably effective - this is one of the places where AI shines, in that you can train one model in detection, and one model adversarially, and pit them against each other on staggering timescales. Both systems end up providing insight.
Semafor - The hottest new vibe coding startup may be a sitting duck for hackers - Vibe-coded app platform populated a single critical vulnerability into at least 10% of apps it created, allowing anyone to access app usernames, email addresses, financial information, and secret API keys.
Latest Cybersecurity Research Papers, Reports, and Books
caida - From Scarcity to Opportunity: Examining Abuse of the IPv4 Leasing Market - “We examine leasing market data, leveraging blocklists as an indirect measure of involvement in various forms of network abuse. In February 2025, leased prefixes were 2.89× more likely to be flagged by blocklists compared to non-leased prefixes.” - Spent a little while thinking about this one in the context of the above Krebs article on IPv4 leasing allowing Russia to increasingly isolate and infiltrate Ukrainian IP space.
arXiv - Stop Anthropomorphizing Intermediate Tokens as Reasoning/Thinking Traces! - The dangers of anthropomorphizing generative AI.
Apple Machine Learning Research - The Illusion of Thinking: Understanding the Strengths and Limitations of Reasoning Models via the Lens of Problem Complexity - Included herein, phrases like “complete accuracy collapse beyond certain complexities.”
Domain Name Wire - ICANN study links low-cost, automated registrations to phishing abuse - In other news, water makes things wet. I’d love to think hard data like this might cause registrars to start doing the right thing, but while I was born at night, it wasn’t last night.
