John Connor

384 posts

@ConnorSecurity

Cybersecurity from the future

Joined December 2019
1.2K Following, 453 Followers
John Connor retweeted
Mandiant (part of Google Cloud)
Our latest GTIG AI Threat Tracker report reveals how adversaries are integrating AI into operations. We detail state-sponsored LLM phishing, AI-enabled malware like HONESTCUE, and rising model extraction attacks. Read the report: bit.ly/4adaUNk
John Connor retweeted
Gi7w0rm @Gi7w0rm
Popular Text Editor Notepad++ was compromised by a nation state attacker presumably from June through December 2, 2025. The state actor used the access to reroute software update traffic to attacker controlled servers making this a supply chain attack. notepad-plus-plus.org/news/hijacked-…
John Connor @ConnorSecurity
@ImposeCost There's a lesson there, as the girl on the left was losing at the start, then figured out a new strategy and not only caught up but dominated the competition.
Andrew Thompson @ImposeCost
Your next team building exercise will be...
John Connor @ConnorSecurity
Knowing how and when to apply different approaches to leadership is critical. A common mistake I've both seen and made is looking for consensus when there should have been policy.
John Connor retweeted
Marques Brownlee @MKBHD
If you’re cringing at your old work, it means you’re getting better
John Connor @ConnorSecurity
Axios had a great pitch for journalism in the age of AI which applies to threat intel. AI is gonna dominate making sense of a feed of intelligence, but it won't have unique visibility. TI in the age of AI is gonna be all about the visibility and context you can push to a model.
John Connor retweeted
Florian Roth ⚡️ @cyb3rops
We're seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth token and full access to whatever's in the victim's Microsoft 365, Google Workspace, or AWS console.

It's a complete inversion of how things used to be. The endpoint, once the weakest link, is now usually the most monitored, most policy-enforced part of the infrastructure. You've got EDRs, SIEM integration, automation, threat hunting - the full stack. But attackers don't need to touch it anymore.

Instead, they go after the new soft spots:
- Cloud platforms, where logging is limited, expensive, or off by default
- Network devices and appliances, which are practically blind spots - obscure OSes, no EDRs, hard to monitor, hard to forensicate.
- Embedded systems and IoT junk that no one really knows how to secure, but that sit in critical network paths.

Cloud especially is a mess:
- Logging tiers cost extra and the good stuff is behind paywalls.
- Detection content is lacking, both from vendors and the community.
- You don't get memory dumps or full control like you do on endpoints.
- You're at the mercy of the provider when it comes to visibility and response.

And that's the shift: attackers aren't hacking computers anymore. They're hacking trust relationships, identities, and APIs. The whole idea of detection and response needs to evolve with that. Otherwise, we're securing the hell out of endpoints while attackers happily fish through mailboxes and cloud shares from halfway across the planet.
Quoting Volexity @Volexity:
.@Volexity #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets. volexity.com/blog/2025/04/2… #dfir
John Connor retweeted
Kris McConkey @smoothimpact
This is a great summary. We (and by we I mean mostly @willoram) have been using variants of this diagram to describe the inversion of attack paths to identity-based intrusions - a major trend in our incident response cases over the past year.
Quoting Florian Roth ⚡️ @cyb3rops:
In the past, you had to: phish a user, drop malware, escalate privileges, pivot to servers, evade EDR, dump creds, move laterally, exfiltrate quietly, clean up, leave a backdoor. Today, you just: phish a user, steal an OAuth token, access everything from anywhere. Cloud breaches aren't hacks. They're logins.
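The "logins, not hacks" pattern in Florian Roth's post and in Kris McConkey's quote of it (a user consents to an attacker's OAuth app, then the token is used from anywhere with no endpoint touched) still leaves traces in identity logs. The detection below is an added example, not code from either author or from Volexity. It runs two checks over constructed, Entra-style JSON audit and sign-in events; the field names (`activity`, `scopes`, `adminConsent`, `interactive`, `country`) are assumptions made for this example and not the vendor's schema. The first check flags user-granted consents that request mailbox-wide, file-wide or long-lived (`offline_access`) scopes; the second flags non-interactive token use for an app from a country the user never signed into interactively.

```python
"""Detections over constructed Entra-style identity events for the
OAuth-consent -> token-only-access pattern. Field names are assumptions
for this example, not the vendor's log schema."""
import json
from collections import defaultdict

# Scopes that give an app mailbox-wide/file-wide reach or long-lived tokens.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Directory.Read.All", "offline_access",
}

# Constructed sample events, one JSON object per line (not real tenant data).
SAMPLE_LOG = """\
{"type":"audit","activity":"Consent to application","user":"alice@example.org","app":"Contoso Calendar Sync","appId":"11111111-1111-1111-1111-111111111111","scopes":["Calendars.Read"],"adminConsent":false,"time":"2025-04-22T08:01:00Z"}
{"type":"audit","activity":"Consent to application","user":"bob@example.org","app":"EU-Summit-Docs","appId":"22222222-2222-2222-2222-222222222222","scopes":["Mail.ReadWrite","Files.Read.All","offline_access"],"adminConsent":false,"time":"2025-04-22T09:14:00Z"}
{"type":"signin","user":"bob@example.org","appId":"22222222-2222-2222-2222-222222222222","ip":"203.0.113.7","country":"NL","interactive":true,"time":"2025-04-22T09:13:00Z"}
{"type":"signin","user":"bob@example.org","appId":"22222222-2222-2222-2222-222222222222","ip":"198.51.100.44","country":"RU","interactive":false,"time":"2025-04-22T09:40:00Z"}
{"type":"signin","user":"carol@example.org","appId":"33333333-3333-3333-3333-333333333333","ip":"192.0.2.10","country":"DE","interactive":true,"time":"2025-04-22T10:00:00Z"}
{"type":"signin","user":"carol@example.org","appId":"33333333-3333-3333-3333-333333333333","ip":"192.0.2.10","country":"DE","interactive":false,"time":"2025-04-22T12:00:00Z"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def risky_consents(events):
    """User-granted (not admin-granted) consent to an app asking for scopes
    that reach the whole mailbox/drive or keep working via refresh tokens."""
    hits = []
    for e in events:
        if e.get("type") != "audit" or e.get("activity") != "Consent to application":
            continue
        risky = sorted(set(e["scopes"]) & RISKY_SCOPES)
        if risky and not e.get("adminConsent", False):
            hits.append({"user": e["user"], "app": e["app"],
                         "appId": e["appId"], "risky_scopes": risky})
    return hits


def token_replay_from_new_country(events):
    """Non-interactive (token) sign-ins for a (user, app) pair from a country
    in which that pair never had an interactive sign-in: the attacker holds
    the token, the victim held the session."""
    interactive_countries = defaultdict(set)
    for e in events:
        if e.get("type") == "signin" and e.get("interactive"):
            interactive_countries[(e["user"], e["appId"])].add(e["country"])
    hits = []
    for e in events:
        if e.get("type") == "signin" and not e.get("interactive"):
            key = (e["user"], e["appId"])
            if e["country"] not in interactive_countries[key]:
                hits.append({"user": e["user"], "appId": e["appId"], "ip": e["ip"],
                             "country": e["country"], "time": e["time"]})
    return hits


def analyze(text):
    events = parse_events(text)
    return {"risky_consents": risky_consents(events),
            "token_replay": token_replay_from_new_country(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The country check is keyed on (user, app) rather than on the user alone, so a first-party app someone only ever used while travelling does not trip it; the scope list is the knob to align with the tenant's admin-consent policy, and both alerts become much stronger when the flagged appId in one also appears in the other, as it does for bob in the sample.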
John Connor retweeted
Lakshya Jain @lxeagle17
Parts of it may well be deemed "outdated". But the reason college curriculum is structured as it is instead of being a grand industry tour on the Hot Topic Of The Day is that by teaching fundamentals, you teach students *how* to think, learn, and work. AI just bypasses that.
John Connor retweeted
Lakshya Jain @lxeagle17
Now, you can ask: "what if my tasks at work are simple enough to where GPT does solve it all, easily? Can't I just use it for that?" Congratulations. You may have discovered the path to being unemployed. If the AI does everything you can do, *why would they keep you around*?
John Connor @ConnorSecurity
@ImposeCost youtu.be/QEJpZjg8GuA?si… This guy coined "algorithmic complacency", where people actually prefer to let a computer program decide what they will see when they log on, even when they know they have alternatives. You get a lot of bang for buck the more you curate your feeds.
John Connor retweeted
Nick Carr @ItsReallyNick
I have a hard time recognizing or appreciating Chinese innovation when I have spent my career responding to intrusions, particularly 🇨🇳 hacks of tech & data companies while at Mandiant. For so many in infosec, it's impossible to differentiate breakthroughs from decades of cheating & theft.

Here are some memorable quotes from my time at Mandiant (2014-2020):

🗣️ "We probably have somewhere in the order of 2,000 active investigations that are just related to the Chinese government's effort to steal information." - Christopher Wray, FBI Director, at the U.S.-China Economic and Security Review Commission, 2020

🗣️ "The Chinese government is known for using their military's cyber capabilities to hack into private U.S. tech firms. They steal I.P. and then transfer the technology to state-run companies for profit off of its development." - Rep. Matt Gaetz, at a hearing on Chinese IP theft, 2017

🗣️ "The greatest transfer of wealth in history is from the U.S. to China through cyber theft, and it's happening every single day." - Mike Rogers, NSA Director, 2015

🗣️ "There are only two types of companies in the United States: those who have been hacked by the Chinese, and those who don't know they've been hacked by the Chinese." - Robert Mueller, FBI Director, 2014
John Connor @ConnorSecurity
@vxunderground Spot on. The one difference I'd add is that with malware there's an adversarial component. Take the infostealer example: sure, it's just enumerating a directory and reading files, but if you do it wrong then Defender doesn't let your program run.
vx-underground @vxunderground
One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses.

Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things.

When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream.

In its most simple form, all malware techniques are things legitimate software may do.

Ransomware?
- Step 1. Enumerate files in a directory
- Step 2. Lock and encrypt files

Information Stealers?
- Step 1. Enumerate files in a directory
- Step 2. Upload files somewhere

RATs?
- Step 1. Make program run at start
- Step 2. Execute commands (cmd, powershell, other programs)
- Step 3. Upload files somewhere

Loaders?
- Step 1. Download file from somewhere
- Step 2. Run file

Everything the malware does is just an expansion of what is explained above. Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, find new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc.

How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in Ida or Ghidra, just open stuff and look around. Look at other people's work and see if you can expand on it and find something new.

tl;dr learn to code, then learn weird stuff
John Connor retweeted
Greg Lesnewich @greglesnewich
#100DaysofYARA 2025 edition begins tomorrow! Any #CTI or #detectionengineering folks looking for a self-paced challenge to start the year with a laid back & fun community? Look no further! The challenge is simple - write a YARA rule every day for 100 days
John Connor retweeted
Anshuman Bhartiya @anshuman_bh
🚀 How to build an offensive AI security agent: 🤖

I've been wanting to play with ReAct agents to see what complex workflows I can automate when it comes to offensive security testing. I finally got around to it yesterday and I was able to build a functional security testing workflow after spending a few hours on it.

💡 Highlights:
- 🔍 Automated Endpoint Discovery: Analyzed a JavaScript file to identify API endpoints.
- 🔐 Adaptive Requirements Analysis: Used GPT-4 to parse the JS code, identify custom headers, and uncover hardcoded secrets that might be required to send a successful request to the API endpoints.
- 🛡️ Offensive Security Testing: Dynamically crafted curl requests to poke at each discovered endpoint, based on the requirements derived from the previous step. This step automates a major chunk of the reconnaissance and exploitation workflow.
- ⚠️ Automated Response Analysis: An AI-driven module scanned HTTP response data for sensitive information and other disclosures.

Check out the link below to learn more, including some learnings and observations from using ReAct agents!
👉 Blog - [anshumanbhartiya.com/posts/hackagent]

If you're curious about applying LLMs to security workflows or want to explore further collaboration, I'd love to connect and chat. Drop your thoughts in the comments below!

#cybersecurity #ai #agenticai #llm #BugBounty
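A deterministic version of the four steps in the post above (endpoint discovery, header and secret extraction, curl crafting, response analysis), as an added example that is not the author's agent and not code from the linked blog: regular expressions stand in for the GPT-4 step, the JavaScript bundle fragment and the HTTP response body are constructed samples, and the assumption that the bundle stores its base URL in a constant named `BASE` is specific to this example.

```python
"""Static stand-in for the agent's recon loop: pull API endpoints, custom
headers and hardcoded secrets out of a JS bundle, build curl commands from
them, and scan a response body for disclosures. Regexes replace the LLM."""
import re
import shlex

# Constructed sample bundle fragment; not taken from the author's post.
SAMPLE_JS = r'''
const BASE = "https://api.example.test";
const API_KEY = "sk_live_0123456789abcdef0123456789abcdef";
function getHeaders() {
  return { "X-Api-Key": API_KEY, "X-Client-Version": "4.2.0", "Content-Type": "application/json" };
}
export async function listUsers() {
  return fetch(`${BASE}/v1/users`, { headers: getHeaders() });
}
export async function exportReport(id) {
  return fetch(BASE + "/v1/reports/" + id + "/export", { method: "POST", headers: getHeaders() });
}
export async function getConfig() {
  return axios.get("/v1/admin/config", { headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" } });
}
'''

# Constructed sample HTTP response body for the analysis step.
SAMPLE_RESPONSE = ('{"users":[{"email":"admin@example.test","ssn":"123-45-6789"}],'
                   '"debug":"Traceback (most recent call last): File app.py, line 12"}')

# String constants with SCREAMING_CASE names, so header values given as
# identifiers (e.g. API_KEY) can be resolved to their literal.
CONST_RE = re.compile(r'\b(?:const|let|var)\s+([A-Z_][A-Z0-9_]*)\s*=\s*["\']([^"\']*)["\']')
# Versioned or /api paths; the lookbehind keeps "//api.example.test" out.
ENDPOINT_RE = re.compile(r'(?<![/A-Za-z0-9])/(?:v\d+|api)(?:/[A-Za-z0-9_\-.]+)*')
# Custom X-* headers and Authorization, valued by a literal or an identifier.
HEADER_RE = re.compile(r'["\']?(X-[A-Za-z0-9-]+|Authorization)["\']?\s*:\s*'
                       r'(?:["\']([^"\']*)["\']|([A-Za-z_][A-Za-z0-9_]*))')
# A few well-known credential shapes: Stripe-style live keys, AWS access key
# IDs, and JWT-looking three-part tokens.
SECRET_RE = re.compile(r'\b(sk_live_[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16}|'
                       r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\b')
RESPONSE_PATTERNS = {
    "email": re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'),
    "us_ssn": re.compile(r'\b\d{3}-\d{2}-\d{4}\b'),
    "stack_trace": re.compile(r'Traceback \(most recent call last\)|at [A-Za-z_.$]+\([^)]*:\d+:\d+\)'),
}


def analyze_bundle(js):
    """Steps 1 and 2: endpoints, required headers (resolved), hardcoded secrets."""
    consts = dict(CONST_RE.findall(js))
    endpoints = sorted(set(ENDPOINT_RE.findall(js)))
    headers = {}
    for name, literal, ident in HEADER_RE.findall(js):
        headers[name] = literal if literal else consts.get(ident, f"<{ident}>")
    secrets = sorted(set(SECRET_RE.findall(js)))
    base = consts.get("BASE")  # assumption: bundle names its base URL BASE
    return {"base": base, "endpoints": endpoints, "headers": headers, "secrets": secrets}


def build_curl(findings):
    """Step 3: one shell-safe curl command per endpoint carrying every
    required header; run these only against targets you are authorised to test."""
    cmds = []
    for ep in findings["endpoints"]:
        parts = ["curl", "-sS", "-i"]
        for name, value in findings["headers"].items():
            parts += ["-H", f"{name}: {value}"]
        parts.append((findings["base"] or "") + ep)
        cmds.append(shlex.join(parts))
    return cmds


def scan_response(body):
    """Step 4: disclosures in a response body, keyed by pattern name."""
    return {kind: pat.findall(body) for kind, pat in RESPONSE_PATTERNS.items() if pat.findall(body)}


if __name__ == "__main__":
    found = analyze_bundle(SAMPLE_JS)
    print(found)
    print("\n".join(build_curl(found)))
    print(scan_response(SAMPLE_RESPONSE))
```

The point of keeping step 3 as a list of commands rather than executing them is that this is where a human check belongs in any agent loop: the script will just as happily assemble a request for /v1/admin/config with a key it found in the bundle as for a public listing, and the agent has no notion of which of those is in scope.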
John Connor retweeted
Graham Helton (too much for zblock)
The best formula I've found for my career so far. Find something to hack. Research it. Hack it better. Build tooling. Tell people about it. -> repeat.