Eight Days a Newsletter: I lo-o-o-ove research!
Subscribe to the Newsletter here
Can you believe August is almost over? Here in the Pacific Northwest, Summer is making its last stand. If the weather professionals are right, we will have another 10 days or so of temperatures in the low 80s (that’s high 20s in Celsius for my international readers), before Fall settles in. As every Seattleite knows, there is that one day in September, when the temperature drops suddenly, and the rain returns, and then it’s another 9 months before the best time of the year comes back. Not that we’re bitter or anything, those 3 months of summer are glorious and make all the rain worth it.
You know where it rarely rains though? Las Vegas! And that’s where the DTI team spent 8 days at the beginning of August for Hacker Summer Camp. Some people will argue that 8 days in Vegas is about 6.5 days too long. And the heat also did not disappoint, every day peaked north
of 105F, or 40+ in Celsius. But luckily, it’s a dry heat they say 🙄
Our brilliant Marketing team had a great solution to keep us out of the heat: We chartered several shuttle buses that drove back and forth between Black Hat and the hotel where the larger DomainTools contingent stayed. Great advertising and we got to ride in style!
My other van is the DNS express!
Even if you didn’t work for DomainTools, you could catch a free ride. All for the price of being a captive audience and having to watch our demo reel 😎:
Come take a ride in my windowless black van!
The team had a packed schedule, and lots of community events to support! The Diana Initiative, BSides Las Vegas, Sober in Cyber, Black Hat, DEF CON, as well as a handful of other community events and cons that I cannot name publicly - IYKYK.
At the end of the week, I had the pleasure to present at DEF CON 33 in the Recon Village. I talked about how to use passive DNS to enumerate subdomains and how to effectively identify deep wildcards:
At the end of the week, I had the pleasure to present at DEF CON 33 in the Recon Village. I talked about how to use passive DNS to enumerate subdomains and how to effectively identify deep wildcards:
Did I mention it was hot? Shorts and T-shirt to the rescue!
My colleagues Ian Campbell and Malachi Walker also presented at DEF CON, together in the Malware Village and Malachi gave a second talk in the BIC Village
While the days were long and hot, and the nights were short and fueled by energy drinks, we loved every minute of it. Hacker Summer Camp is where “our people” meet, and we wouldn't miss it for anything!
If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.
So without further ado, here’s what our incredible team has been up to for the rest of August:
From Laptops to Laundromats: How DPRK IT Workers Infiltrated the Global Remote Economy
In this post we discuss how the Reconnaissance General Bureau (RGB) of the DPRK orchestrated an operation that used stolen or forged identities to secure tech jobs for their operatives for the purpose of gaining access to intellectual property, and to receive salaries in cryptocurrency.
The article covers key actors like Song Kum Hyok, an officer in the Andariel subgroup, to facilitators who run "laptop farms" to create the illusion that the workers are U.S.-based. The money laundering process is also detailed, showing how funds are routed through front companies and crypto brokers in various countries to convert the fraudulently obtained wages into usable capital for North Korea's strategic programs, including weapons development.
Crypto transfers and money laundering
https://dti.domaintools.com/from-laptops-to-laundromats-how-dprk-it-workers-infiltrated-the-global-remote-economy/?utm_source=LinkedIn&utm_medium=Social&utm_campaign=DTI-Newsletter-August
Hunting for Malware Networks
For this investigation, we took a look at recently active malware-as-a-service (MaaS) operations. We analyzed their use of web-hosted PowerShell scripts as an effective initial-stage payload delivery mechanism. This technique serves to compartmentalize the attack chain, reducing the exposure of core command and control (C2) infrastructure and complicating forensic investigations.
One example detailed in this article centers around a script that connects to a commonly used C2 domain, and was observed distributing over 60 different malicious files in the past 2 months. It included multiple stealer malware families such as Amadey, Lumma, Luca, DeerStealer, and RedLine as well as other malware families like Rugmi, BlackBasta and DarkGate.
The investigation into the broader infrastructure revealed a significant concentration of malicious activity originating from a small number of IP addresses, all associated with the same ASN. It seems likely that this ASN is part of a bulletproof hosting operation.
Additionally, threat actors appear to increasingly be leveraging legitimate distributed services like Amazon CloudFront and GitHub to host and deliver malware. This makes proactive network-based blocking more difficult.
Analysis of 200 binaries in VirusTotal over the past 3 months show that there appears to be an overrepresentative share of LummaC2 and Amadey.
SpyNote Malware Part 2
The SpyNote malware campaign has resurfaced, and the threat actors are employing deceptive websites that mimic the Google Play Store to trick users into downloading an Android RAT (Remote Access Trojan).
SpyNote is designed for surveillance, data exfiltration, and remote control of a victim's device. Its capabilities include keylogging, stealing 2FA codes, capturing audio and video, and remotely wiping data. This new campaign incorporates minor changes in the actor's tactics, such as slight IP resolution changes and the addition of anti-analysis techniques in the APK dropper to protect the payload from detection.
The malicious websites use JavaScript to initiate the download of a dropper APK. This dropper conceals its functions using DEX Element Injection and decrypts a second-stage SpyNote payload. The payload then loads the command-and-control (C2) logic from a separate file, using obfuscation to hinder static analysis.
Malware execution flowchart
Cybersecurity Reading List - Week of 2025-08-25
In this latest installment of his reading list, my colleague Ian Campbell highlights a recent influx of new research and publications in the cybersecurity field. As always, he covers several different types of media, something for everybody:
- Podcasts: "Adversary Universe from Crowdstrike" for a perspective on AI, "CyberWire Research Saturday" for a deep dive into the VexTrio cybercriminal group, and "Prompt||GTFO" for demonstrations on how practitioners are using AI.
- Articles: An interview with a Kaseya hacker, and a piece on data exfiltration via DNS.
- Research Papers and Reports: Greynoise Intelligence study on how attack spikes can precede new CVEs, a RecordedFuture report on cloud threat hunting, and a CAIDA paper on early-stage traffic discovery.
- Tools and Resources: Learn about CISA's new open-source malware analysis platform, Thorium
- Entertaining Reading: "The Berners Street Hoax"
Customer Webinar: Exclusive Recap of the DTI Team DEF CON 33 Talks
For those who couldn't make it to Las Vegas, we're bringing these talks directly to you.
Here's what we'll cover:
- Malware in DNS: A look at how attackers hide malicious code in DNS TXT records.
- Pre-Identifying DNS Wildcards: Learn new techniques for subdomain enumeration and attack surface management.
- DNS Scavenger Hunt: An interactive session where you can put your skills to the test.
Webinar Details:
- Date: Tuesday, September 30th
- Time: 10:00 AM PT / 1:00 PM ET
- Duration: 1.5 hours
Where We’ll Be
- Underground Economy, France, 1-4 September
- Back to Las Vegas for private event, September 8-12
- If you find yourself in the area that week, let us know and we’d be happy to meet up over a refreshing beverage
- DC Closed Door Session, National Harbor, MD, 17 September
- TLP:RED research, please note “DFS Newsletter” in the “Referred By” section: https://dti.domaintools.com/request-an-invite/
- Intelligence & National Security Summit, National Harbor, MD, 18-19 September
- LABScon, Scottsdale, AZ, 17-20 September
Final Thoughts
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will keep coming back to read future editions!
We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.
If you missed last month's content, here are some quick links:
- Malware in DNS: A Covert Delivery Mechanism
- Chinese Malware Delivery Domains: Part III - The "SilverFox" Campaign
- Where Everybody Knows Your Name: Observing Malice-Complicit Nameservers
- Iran's Intelligence Group 13: A Profile of a Covert Cyber Strike Unit
Thanks for reading - see you next month!
Daniel
Related Content
Welcome to the New Year, I hope you all had a restful holiday season! Similarly to the November issue, we decided to hold this edition until the post-holiday inbox avalanche has (hopefully) subsided. I wouldn’t want you to miss your favorite newsletter!
It’s hard to believe that DTI turns one year old this coming Friday! In case you haven’t been a subscriber since “Day One”, allow me a brief recap: In September of 2024, at a DomainTools onsite meeting, serendipity brought together two individuals with deep security industry connections, and a passion for community. We hatched an idea, got a few more colleagues excited about this idea, and in late 2024, we pitched it to our bosses. A scrappy program on a shoestring budget, with an agreement to fail fast and pivot as necessary. We signed up for some KPIs (you better measure success if you want to spend other peoples’ money!), and we launched on January 9th, 2025.
As I sit here, drafting this message, I can’t help but look back with pride on everything we did this past year: The countless hours of collective hard work, the travel all over the world to meet with the community, and most importantly, all the great research we published. We positively crushed it, if I do say so myself!
Now it’s late December, and the future looks decidedly less certain. One half of the DTI Leadership team is no longer with the company. She would hate it if I called her out here by name, but IYKYK. Thank you for a crazy year of collaboration, planning, organizing, problem solving, and innovating. Myself and the remaining DTI Team miss you greatly!
I’m not sure yet what 2026 will bring, but I know it will be different. Different isn’t automatically bad of course, so time will tell! Stay tuned for updates!
Back to Business
For those of you keeping score, the weather here in the Pacific Northwest has officially transitioned from damp, dark, and cold to damper and colder but a little less dark. But luckily none of that has slowed down our researchers. Fueled by hot coffee and cold redbull, they’ve been burning the 4pm oil, and we have some fascinating, and frankly brazen, campaigns to share as we kick off the year.
Our featured research for this edition looks at a massive “super-cluster” of over 5,000 Chinese malware delivery domains. What makes this investigation particularly special is how we did it: our team utilized agentic AI systems to accelerate our analysis by 10x. If you’ve been wondering how AI actually changes the game for threat hunters, this is the blueprint.
We also pulled back the curtain on the bureaucratic side of state-sponsored espionage with our second deep dive into the APT35 leaks. It turns out that Iranian intelligence operators deal with the same mundane office headaches we do: Spreadsheets, expense reports, and ticketing systems.
Finally, we took a look at a B2B2C supply chain attack targeting the hospitality industry. By compromising hotel management accounts, attackers are reaching customers directly through official Booking[.]com channels. It’s a stark reminder that if the supply chain isn’t secure, neither is the trusted platform it supports.
Hot off the Presses
B2B2C Supply Chain Attack: Hotel’s Booking Accounts Compromised to Target Customer
DTI’s investigation reveals a sophisticated campaign targeting Booking[.]com customers by compromising hotel management accounts. Since May 2025, threat actors have generated nearly 1,000 spoofed domains to execute a “verify or cancel” phishing scheme. By hijacking official hotel messaging channels, attackers send urgent alerts that direct travelers to fraudulent sites. These pages are dynamically populated with the victim’s actual reservation details which have been stolen from the hotel’s own database to create a high-trust environment for stealing payment information.
Chinese Malware Delivery Domains Part IV
DTI’s latest investigation into massive Chinese malware delivery infrastructure reveals the addition of over 1,900 new malicious domains in the super cluster of over 5,000 domains we have been tracking since early 2025. This activity, which primarily targets Chinese-speaking users, has evolved from a consolidated infrastructure into a fragmented and localized network using domestic Chinese registrars to improve operational security. The attackers employ deceptive lures such as spoofed downloads for Chrome, VPNs, and office software to deliver an array of trojans and credential stealers.
To manage this massive influx of data, our researchers deployed agentic AI systems to analyze the malicious domains, increasing analysis speed by 10x. By utilizing a “task-based AI orchestrator” paired with specialized sub-agents, the team was able to bypass anti-automation hurdles and autonomously interact with and analyze thousands of sites per day.
Agent Orchestration Flow Diagram
The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation
DTI’s latest deep dive into the four-part leak of internal documents from APT35 (Charming Kitten) reveals the financial administration powering Iranian state-sponsored espionage. The leaked files, ranging from payment spreadsheets to internal ticketing systems, show how the group has financed and managed their operations in spite of international sanctions. These documents track everything from server procurement and crypto-payment receipts to operator attendance logs and performance metrics, illustrating a “bureaucratic metabolism” where cyberattacks are treated as standard administrative workflows.
Despite this clerical precision, the investigation highlights a glaring lack of operational hygiene. The group failed to secure their backend infrastructure and cleartext credentials even after the internal documents were leaked, allowing researchers to map the financial and administrative connections between APT35/Charming Kitten and the Iranian “Moses Staff” threat actor. By stripping away the mystery of their technical exploits, this research exposes the administration, including budgeting, invoice reconciliation, and supervisor approvals, that sustains Iran’s strategic information operations across the Middle East and beyond.
Screenshot of moses-staff[.]io homepage
What We’re Reading
In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!
- The top podcast for the month: Cyberwire – Root Access to the Great Firewall
- The top article for the month: Infoblox – Parked Domains Become Weapons with Direct Search Advertising
- The top research for the month: GA Tech et al – From Concealment to Exposure – Understanding the Lifecycle and Infrastructure of APT domains
Checkout the full reading list here
Where We’ll Be
- The DTI Travel Squad is staying local in January, but we will keep you updated on future travel once schedules get finalized!
Final Thoughts
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!
We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.
If you missed last month’s content, here are some quick links:
- Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets
- Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications
- Inside the Great Firewall Part 2: Technical Infrastructure
- Inside the Great Firewall Part 1: The Dump
Thanks for reading – see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity
Dive into DomainTools Investigations' latest threat intel! Read our 3-part series on China's Great Firewall leak and an analysis of APT35 (Charming Kitten) campaigns targeting the Middle East and Korea, focusing on Exchange attacks. Get the intelligence you need!
Subscribe to the Newsletter here
The title of this month’s newsletter is a deep cut taken from the height of my favorite music genre, the admittedly awkwardly titled “Alternative Music.” What can I say, the 1990s in Seattle were wild, man - you had to be there.
Speaking of being there, last week was the Thanksgiving Holiday here in the United States. Normally my newsletter goes out on the last Tuesday of the month, but considering a lot of security professionals in the US got Thursday and likely Friday off, we decided to push publication by a week, so hopefully more of you can enjoy this edition instead of it getting buried under mashed potatoes and gravy!
The weather here in the Pacific NorthWest has firmly settled into “damp mode” (IYKYK), and the temperatures have started to creep below 40 degrees Fahrenheit (below 4 degrees Celsius for my international friends). I refuse to call it “The Big Dark” however - stop trying to make “The Big Dark” happen, Gretchen! Despite the cold, I’m happy to report that the intensity of DomainTools Investigations’ research output is only heating up.
Our flagship research for November, “Inside the Great Firewall,” is a three-part series based on a recent dump of documents and technical details of China’s censorship infrastructure. This massive leak provided us with over 500 gigabytes of internal operational data. I had the pleasure of joining Dave Bittner on the Research Saturday podcast from N2K | CyberWire to discuss our team’s work.
In addition to this deep dive, we also published a threat intelligence report based on leaked internal documents from APT35 (Charming Kitten). This report maps the Iranian state-sponsored actor's organization, tool kit, and campaign strategies. It details their campaigns against Lebanon, Kuwait, Türkiye, Saudi Arabia, Korea, and domestic Iranian targets, with a focus on their use of Microsoft Exchange attack chains. As a former Exchange Admin, I took personal note of that detail and was glad those days were behind me!
Last but not least, my team and I attended CYBERWARCON in Arlington, Virginia a couple of weeks ago. It was great to connect with the community, we had a small sponsorship booth and had many excellent conversations with fellow practitioners. I personally like the timing of this one-day conference, as it’s a nice bookend to its sister conference SLEUTHCON, which we attended earlier this year.
November was packed with research and tasty threat intelligence, so let's dive right in and get you up to speed!
Hot off the Presses
Inside the Great Firewall Part 1: The Dump
In September 2025, a historic breach of China’s censorship infrastructure leaked over 500 gigabytes of internal data detailing the infrastructure, design, and companies involved with the Great Firewall (GFW). DTI researchers analyzed more than 100,000 documents, internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks.
Part 1 covers the human machinery behind the GFW and the consequences of the leak. This data links specific engineers and administrators to their roles across state-run ISPs (China Telecom, China Unicom, China Mobile), academic research institutions, and Ministry of State Security (MSS)-linked vendors.
Inside the Great Firewall Part 2: Technical Infrastructure
In Part 2, DTI analysts offer a forensic reconstruction of the Great Firewall’s technical infrastructure. From spreadsheets detailing app endpoint behavior, user monitoring intervals, and hardware configurations to blueprint files illustrating node relationships and control flows, the data illustrates a highly centralized yet distributed architecture, built on cooperation between state-run ISPs, telecom vendors, university research labs, and policy-design entities. Using this data, our researchers mapped the operational logic, software structure, and institutional alignment driving the digital surveillance regime.
🔍Read the full technical deep dive here
Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications
In the final part of the series, our team analyzes the strategic doctrine behind the Great Firewall. This analysis reveals the GFW as a cornerstone of China’s broader governance model, extending internal social control mechanisms into the digital realm while also projecting power abroad. The regime serves a dual purpose of insulating the domestic population from undesired narratives and foreign influence, while exporting technologies, protocols, and ideological models of digital sovereignty to other authoritarian or aspiring technocratic regimes.
Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets
In October, internal documents from APT35, also referred to as Charming Kitten, were leaked on Github. Our researchers reviewed and analyzed the leaked documents to form a tightly linked forensic trail that maps both technique and organization. In this report, we broke down APT35’s tool kit which covers reconnaissance, initial access, and post-exploitation tooling optimized for large-scale, quota-driven compromise operations. Our team analyzed the actor’s operational profile and campaign strategies, identifying an emphasis on weaponizing exchange attack chains (ProxyShell, Autodiscover, EWS enumeration, and PowerShell driven tasks) to extract mailbox contents and Global Address Lists, maintain mailbox-level persistence, HUMINT extraction, and iterative phishing loops based on harvested address books.
What We’re Reading
In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!
- The top article for the month: GreyNoise Intelligence – When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game
- The top research for the month: arXiv – Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models
📚Checkout the full reading list here📚
Where We’ll Be
- SANS Cyber Threat Summit 2025, London, UK, 3-4 December
Final Thoughts
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!
We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.
If you missed last month's content, here are some quick links:
- DomainTools Investigations BSides NoVa Recap
- Repo the Repo - NPM Phishing
- Inside a Crypto Scam Nexus
- 18+ E-Crime
Thanks for reading - see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity
Cybersecurity deep dive: NPM Phishing, Crypto Scams, & 18+ E-Crime analysis. Get expert research on supply chain attacks, wallet drain schemes, and trojans targeting social media. Plus, BSides NoVa recap & top reading list.
Subscribe to the Newsletter here
For the title of this tenth edition of my newsletter, I decided to go with a hit by “The Boss” (Bruce Springsteen for those of you who aren’t familiar). The obvious choice could have been 10 by Pear Jam, who hail from my adopted home town. But 10 is an album title, and not a song title, and we have patterns to follow! Speaking of Seattle, the days have gotten really short already, temperatures are dropping overnight, and I’ve resigned myself to packing away my summer clothes for another 9 months. On the other hand, the crisp air and the promise of Halloween candy, together with the return of some truly excellent TV shows make the indoor time a little more palatable.
But most importantly, spending more time indoors means more time to dive into research! My team has been absolutely prolific this month, bringing you some must-read research and showing up to engage with the community.
We’ve published a comprehensive analysis of the NPM Phishing attacks, where we analyzed how attackers stole developer credentials and bypassed MFA to compromise high-profile software repositories. We also took you Inside a Crypto Scam Nexus, exposing a web of wallet-drain scams tied to a single threat actor’s infrastructure. Furthermore, we’ve tracked a financially motivated cluster of more than 80 spoofed domains and lure websites in our 18+ E-Crime analysis, which were used to deliver Android and Windows trojans to users of age 18+ social media, online gambling, and government tax sites. Our team also attended and presented at BSides NoVa, where Ian Campbell presented on how Domain and DNS intelligence is a critical tool for investigative journalists and Malachi Walker spoke on the attack surface of Formula 1.
Let’s dive right in and get you up to speed!
Hot off the Presses
DomainTools Investigations BSides NoVa Recap
Our commitment to a thriving cybersecurity ecosystem means we put our time and resources toward contributing to collective knowledge and the common good. That’s why we were proud sponsors of BSides NoVa on October 10th and 11th.
Our team delivered two accepted talks, including Senior Security Ops Engineer Ian Campbell’s presentation on DNS and domain intelligence in investigative journalism, and colleague Malachi Walker’s talk on cyber threats in F1 racing. In his full write-up, Ian reflects on the importance of contributing to the infosec community and answers the question: Where do I learn how to do this kind of work?
Repo the Repo – NPM Phishing
DTI researchers analyzed the series of high profile supply chain compromises caused by malicious code written to NPM repositories managed by stolen developer credentials. While developers of prominent NPM repositories have been targeted for many years,these events prompted CISA to release an alert due to their widespread nature.
Attackers used multi-stage fake NPM login pages to steal passwords and successfully intercept the legitimate email OTP/MFA code in real-time. This allowed attackers to establish their own authenticated sessions on the real npmjs[.]com while victims remained unaware their credentials had been stolen and their accounts compromised.
Inside a Crypto Scam Nexus
Our team of analysts uncovered a web of wallet-drain scams, ranging from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, were all tied to one threat actor’s infrastructure. We exposed how multiple websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users.
This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.
Read the full investigation here
18+ E-Crime
Starting in September 2024, a financially motivated cluster of more than 80 spoofed domain names and lure websites began targeting users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actor used these spoofed domains to deliver Android and Windows trojans likely for the purpose of stealing credentials or more overtly through the use of fake login pages.
What We’re Reading
In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list is sure to get you up to speed!
- The top article for the month: Bloomberg – Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023
- The top podcast for the month: Three Buddy Problem – JAGS LABScon 2025 keynote: Steps to an ecology of cyber
- The top research for the month: Dartmouth ISTS – From Chaos To Capability: Building the US Market for Offensive Cyber
Checkout the full reading list here
Where We’ll Be
- AFCEA Vegas Tech & Cyber Expo, Las Vegas, NV, 4-5 November
- CYBERWARCON, Washington, DC, 19 November
Final Thoughts
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will keep coming back to read future editions!
We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.
If you missed last month’s content, here are some quick links:
- Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat
- Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook
- Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor
- Banker Trojan Targeting Indonesian and Vietnamese Android Users
Thanks for reading – see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity
Heading
