aptwhatnow (@aptwhatnow)

779 posts

Barni

Joined October 2019
595 Following · 1.5K Followers
aptwhatnow reposted
Security Alliance (@_SEAL_Org):
⚠️ Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom calls
DPRK (UNC1069) is expanding beyond the crypto sector - we are publishing 164 IOCs and detailing their currently active social engineering approaches. radar.securityalliance.org/advisory-on-dp…
aptwhatnow (@aptwhatnow):
This comment from @tanuki42_ is really what's catching my eye here: "... recruited facilitators to go and meet specific people who worked for the company irl at major crypto conferences, built relationships over 6 months then dropped malware on them". Multiple in-person meetups.
Quoting Drift (@DriftProtocol): x.com/i/article/2040…

Fox_threatintel (@banthisguy9349):
Stop attributing everything to Lazarus. Instead call it North Korea if you are not sure which actor group is behind the threat cluster.
aptwhatnow (@aptwhatnow):
Minus that ridiculous rainbow keyboard, this piece turned out really well. We were tracking these particular goobers before the crew grew exponentially in mid-2025, but we have a few more name-and-shames left in the tank 👀 @browsercookies youtu.be/kIcw6vpmAHI?si…
Cookie Connoisseur (@browsercookies):
Vendor: "We uhh, found this vulnerability you should patch." Cookie: Wait, you forgot to mention you discovered this due to active nation-state exploitation and <actor> may have had/have full access & pivoted in your network (you're fucked). 🚨 NBD, just a patch! 🚨 @aptwhatnow
aptwhatnow reposted
Arnaud Bertrand (@RnaudBertrand):
This is a huge story in China right now given how big an outcry the installation of this caused back in 2017: Chinese tourism to South Korea was stopped, the Lotte Group was essentially shut down in China (nearly all of Lotte Mart's 112 Chinese stores were closed down due to "fire safety issues"), Hyundai and Kia had to close factories, k-pop disappeared from Chinese media, etc. And now the US is just dismantling it to send it to the Middle East... So, quite literally, to have this, South Korea endured tens of billions in economic damage and did enormous harm to its relationship with its neighbor and largest trading partner... only for the US to take it back whenever it suited them. The lesson writes itself.
Quoting UK Report (@UK_REPT):
NEW — 🇰🇷🇺🇸🇮🇷 Korean media published an image from today, showing the US dismantling its THAAD and Patriot systems from S-Korea, to send to the Middle East.

aptwhatnow reposted
Seongsu Park (@unpacker):
While the use of AI in cyber operations isn't brand new, Microsoft’s latest blog reveals just how deeply threat actors are embedding AI into their daily workflows. Of particular note are DPRK threat actors, who are aggressively adopting AI as a "force multiplier" across the entire attack lifecycle:
▶️ Jasper & Coral Sleet: Using LLMs to create highly convincing fraudulent personas and tailored job lures.
▶️ Emerald Sleet: Leveraging AI to accelerate vulnerability research (e.g., CVE-2022-30190) and identify exploitation paths.
▶️ Moonstone Sleet: Utilizing AI platforms as research assistants for post-compromise environment analysis and monetization strategies.
AI isn't replacing the human attacker yet, but it is drastically reducing technical friction and increasing the scale of their operations. Blog: microsoft.com/en-us/security…
aptwhatnow reposted
Fox_threatintel (@banthisguy9349):
Can someone tell me why the malicious hoster Cloudzy shares the same phone number as another malicious hoster, Ponynet! Search the phone number +1-778-977-8246 on Google!
Quoting Fox_threatintel (@banthisguy9349):
@Hannan_Nozari you need to take some goddamn responsibility for the abuse on your ASN with your company @cloudzyvps / Routerhosting. Enough is enough.

aptwhatnow reposted
Shanaka Anslem Perera ⚡ (@shanaka86):
Look at this image carefully. You are looking at a Chinese commercial satellite photograph of Prince Sultan Air Base in Saudi Arabia. Every red box is an artificial intelligence model identifying a US military aircraft by type. Every label is in Mandarin. And the base you are looking at is the one Iran fired ballistic missiles at on Saturday night. A company called MizarVision, founded five years ago in Hangzhou, published this. Not the Pentagon. Not the CIA. Not a classified intelligence briefing delivered to the Situation Room. A Chinese startup with access to sub-meter resolution Earth observation satellites and an AI object detection model that can distinguish a KC-135 Stratotanker from a KC-46 Pegasus from orbit. Aviation Week confirmed what the image shows. Fifteen KC-135 aerial refueling tankers. Six KC-46 Pegasus tankers. Six E-3 Sentry airborne early warning aircraft, which is significant because only thirty one E-3s remain in the entire US Air Force inventory worldwide, meaning roughly a fifth of America’s operational AWACS fleet is parked on a single ramp in the Saudi desert. Two E-11A Battlefield Airborne Communications Nodes. C-130 Hercules transports. C-5 Galaxy heavy lifters. The backbone of Operation Epic Fury, catalogued from space and published on Weibo. This is the base that Iran targeted. AFP journalists in Riyadh reported explosions in the eastern part of the capital with thick smoke rising. The Saudi Foreign Ministry condemned Iranian attacks targeting Riyadh and the Eastern Province. Saudi air defenses intercepted the projectiles. But the image you are looking at was published days before the strike. Which means Iran had exactly the same intelligence picture that MizarVision gave the entire world for free. This is what the democratization of intelligence looks like. In 1991, only the United States could see individual aircraft on a ramp from space. In 2003, a handful of nations had that capability. 
In 2026, a Chinese startup publishes annotated satellite imagery of American force dispositions on social media, and Aviation Week runs the analysis before the first missile is fired. Defence Security Asia captured what this means: sub-meter resolution imagery distinguishing individual aircraft types fundamentally alters the secrecy calculus of pre-strike deployments. You cannot mass two hundred aircraft across half a dozen bases and keep it secret when commercial satellites photograph every ramp twice a day and AI models label every airframe before an analyst finishes their coffee. The age of hidden buildups is over. Every deployment is now observable, catalogued, and published in near real time by companies with no security clearance and no allegiance to anyone. The next war will not be planned in secret. It will be watched from orbit by everyone, in every language, simultaneously. open.substack.com/pub/shanakaans…
aptwhatnow reposted
Tar ⚡ (@itsTarH):
and that is why daddy built nuclear weapons
aptwhatnow reposted
Shanaka Anslem Perera ⚡ (@shanaka86):
The Pentagon’s own wargames show China can sink the USS Gerald R. Ford. And China just handed Iran the tools to prove it. The leaked 2025 Overmatch Brief, the most classified US naval simulation conducted last year, concluded that in a Taiwan conflict, Chinese hypersonic anti-ship missiles overwhelm carrier strike group defenses and send the Ford to the bottom. The $13.3 billion crown jewel of American naval power, destroyed in a simulation by the same country that is now selling CM-302 supersonic anti-ship missiles to Iran and delivering electronic warfare systems capable of jamming F-35s operating from carrier decks. The Ford departed Souda Bay, Greece yesterday. She is heading directly toward the theater where those weapons are being transferred. China is running the most elegant strategic operation of the 21st century and doing it in plain sight. Step one: prove in your own wargames that you can kill the carrier. Step two: sell the missile technology to the country the carrier is being sent against. Step three: deliver electronic warfare packages that degrade the carrier’s air wing. Step four: photograph every asset in the strike architecture and publish it so the target knows exactly what is coming and from where. Step five: sit back and watch whether America sails its most valuable warship into the kill zone anyway. If the Ford survives, China learns how American carrier defenses actually perform against the weapon systems China designed. If the Ford is hit, China has achieved the single most consequential military intelligence victory since Enigma: real-world combat data on how to sink an American supercarrier without firing a shot themselves. Iran is not the opponent. Iran is the laboratory. MizarVision has photographed the F-22s at Ovda, the empty berths at Bahrain, the tankers at Diego Garcia, and now the Ford’s departure from Greece. Beijing has constructed a real-time intelligence mosaic of the entire American order of battle and distributed it freely. 
Every satellite pass is a page in the targeting manual China is writing through Iranian hands. Pentagon insiders told Politico they have 7 to 10 days of munitions. Trump decides tomorrow at 3 PM. Task Force Scorpion’s kamikaze drones stand ready to extend the campaign with $35,000 Shahed clones when the Tomahawks run dry. Geneva produced “progress” without agreement. The demands remain unbridgeable. And the Ford sails toward missiles that were designed in Chinese laboratories, tested in Chinese simulations, and sold to the country America says it will strike by March. China did not pick a side. China built the chessboard, armed both players, and positioned itself to learn from whoever loses. The Ford is not sailing toward Iran. The Ford is sailing into a Chinese experiment. And the results will determine who controls the Pacific for the next fifty years.
Quoting Shanaka Anslem Perera ⚡ (@shanaka86):
China just published annotated satellite imagery of every F-22 Raptor at Israel’s Ovda Air Base. Each aircraft individually tagged in Chinese characters on Weibo. Eleven stealth fighters that cost $67 billion to develop for the sole purpose of being invisible, cataloged and distributed on social media like a restaurant menu. The same week, China sold Iran CM-302 supersonic anti-ship missiles. The same week, China photographed every warship leaving Bahrain. And today, as Geneva talks began, Politico dropped the real bombshell buried beneath the diplomacy: senior Trump advisers prefer Israel to strike Iran first because “the politics are a lot better.” Read that sentence until it burns. Washington does not want to throw the first punch. Washington wants Israel to throw it, absorb Iran’s retaliation, and then use that retaliation as political justification for the full American response. The 500 aircraft, the two carriers, the F-22s, the C-17s, the munitions, all of it positioned not to lead but to follow. Israel pulls the trigger. Iran retaliates. America enters as the defender, not the aggressor. The politics are a lot better. This is not a military strategy. This is a liability structure. And Israel knows it, which is why JPost reports Israeli officials believe the US should lead, not follow. Both allies want the other to go first. That hesitation is the most dangerous variable in the entire crisis. Meanwhile in Geneva today, Araghchi arrived saying a deal has a “good outlook.” The talks are ongoing. No outcome. No breakthrough. No collapse. Just process, buying hours while the architecture outside the negotiating room grows by the day. Now here is the dimension that explains everything China is doing. Every missile the United States fires at Iran is a missile it cannot fire at China. Fox News reported in December that the US could burn through key munitions in one week of conflict over Taiwan. 
The Pentagon’s own war games show critical shortfalls in long-range anti-ship missiles, precision-guided munitions, and interceptors. An Iran campaign consuming hundreds of Tomahawks and thousands of JDAMs directly degrades the stockpile earmarked for the Taiwan contingency. China is not just arming Iran. China is not just photographing American bases. China is measuring whether the United States will commit irreplaceable munitions to a Middle Eastern conflict while the Taiwan Strait remains unwatched. Every JDAM dropped on Fordow is a JDAM absent from a Taiwan scenario. Every Tomahawk spent on Isfahan is a destroyer magazine that will not be full when it matters most. Beijing is running a strategic stress test in real time. Arm the adversary. Map the force disposition. Publish it to degrade operational security. Then watch whether Washington depletes itself against a regional power while the peer competitor conserves everything. Iran is the bait. Taiwan is the prize. And every satellite image China publishes is a page in the manual they are writing for what comes after. open.substack.com/pub/shanakaans…

aptwhatnow reposted
Seongsu Park (@unpacker):
Excited to share my latest research on APT37 (aka ScarCruft) and their evolving campaign targeting so-called "isolated" networks through a carefully orchestrated multi-stage infection chain. Key findings:
▶️ Ruby-based loader: APT37 is deploying full Ruby runtimes with trojanized script to blend execution within legitimate environments.
▶️ USB dead-drop technique: A refined removable media workflow bridges air-gapped segments, leveraging hidden directories to stage tasking and exfiltrate data.
▶️ Cloud C2 evolution: The group has expanded its cloud abuse playbook, incorporating Zoho WorkDrive as an operational command-and-control channel.
In this research, I detail the full intrusion lifecycle from the initial LNK lure to the deployment of the surveillance backdoors with technical breakdowns. Blog: zscaler.com/blogs/security…
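The USB dead-drop finding above describes hidden directories on removable media being used to stage tasking and hold data for exfiltration. The script below is an added example, not code from the Zscaler write-up or from the actor's tooling: it audits a mounted volume for hidden directories (dot-prefixed, or carrying the Windows hidden attribute) and inventories what each one holds, which is the first triage step on a USB stick suspected of bridging an isolated network. It assumes nothing about the directory names the actor uses; the sample volume it builds, including the `.cache/task.dat` and `out.zip` names, is constructed for the demonstration and is not an indicator.

```python
"""Audit a removable-media mount for hidden directories used as a dead drop.

Added example. Flags every hidden directory on the volume and inventories its
files; the sample layout is constructed, not real APT37 artifacts.
"""
import os
import tempfile
from dataclasses import dataclass, field

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit; only meaningful on Windows


def is_hidden(path: str) -> bool:
    """True if the entry is dot-prefixed or carries the Windows hidden attribute."""
    if os.path.basename(path).startswith("."):
        return True
    try:
        st = os.lstat(path)
    except OSError:
        return False
    # st_file_attributes exists only on Windows; elsewhere the dot rule decides.
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


@dataclass
class Finding:
    directory: str                         # hidden dir, relative to the volume root
    files: list = field(default_factory=list)  # (path relative to the dir, size)
    total_bytes: int = 0


def audit_volume(root: str) -> list:
    """Return one Finding per outermost hidden directory under root.

    A nested hidden directory is folded into its hidden ancestor's finding so
    each entry summarises a whole staging tree rather than fragments of it.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        hidden_here = [d for d in dirnames if is_hidden(os.path.join(dirpath, d))]
        # Stop the outer walk from descending into hidden subtrees; they are
        # inventoried in full right here instead.
        dirnames[:] = [d for d in dirnames if d not in hidden_here]
        for d in sorted(hidden_here):
            top = os.path.join(dirpath, d)
            finding = Finding(directory=os.path.relpath(top, root).replace(os.sep, "/"))
            for sub, _, files in os.walk(top):
                for f in files:
                    full = os.path.join(sub, f)
                    size = os.path.getsize(full)
                    rel = os.path.relpath(full, top).replace(os.sep, "/")
                    finding.files.append((rel, size))
                    finding.total_bytes += size
            findings.append(finding)
    return findings


def build_sample_volume() -> str:
    """Construct a fake USB layout in a temp dir (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "Photos"))
    with open(os.path.join(root, "Photos", "trip.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8" + b"\x00" * 1022)          # benign-looking 1024-byte file
    # Hidden staging tree: a tasking file and an outbound archive (made-up names).
    drop = os.path.join(root, ".cache", "state")
    os.makedirs(drop)
    with open(os.path.join(drop, "task.dat"), "wb") as fh:
        fh.write(b"A" * 256)
    with open(os.path.join(drop, "out.zip"), "wb") as fh:
        fh.write(b"PK" + b"\x00" * 4094)
    return root


def report(root: str) -> str:
    """Human-readable summary of the audit, one hidden directory per block."""
    lines = []
    for f in audit_volume(root):
        lines.append(f"{f.directory}: {len(f.files)} file(s), {f.total_bytes} bytes")
        for name, size in sorted(f.files):
            lines.append(f"  {name} ({size} B)")
    return "\n".join(lines) if lines else "no hidden directories found"


if __name__ == "__main__":
    print(report(build_sample_volume()))
```

Point it at the mount path of the suspect volume instead of the sample tree; on Windows the attribute check catches directories that are hidden without a leading dot, which is the common case there. A hit is a lead, not a verdict: desktop environments and backup tools create hidden directories legitimately, so the inventory (file names, sizes, timestamps) is what separates a staging tree from noise.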
aptwhatnow reposted
Hyun-Seung Lee (@LeeHyunSeung85):
🚨[EXCLUSIVE] North Korea’s Bureau 39 Gets New Chief as Kim Jong-un Reshuffles Key Financial Office North Korea’s powerful Bureau 39/Office 39, which manages Kim’s personal slush fund and hard-currency operations, has quietly gained a new chief following the regime’s 9th Party Congress. Sin Ryong-man, who led the bureau since 2017, has disappeared from newly released Party rosters — a strong sign he’s been dismissed. His likely successor: Han Sang-man, a long-time insider who rose through the bureau’s ranks and is now listed as a Central Committee candidate member. Notably, Choe Ryong-hae, once considered North Korea’s No. 2, has also been dropped from the lists — fueling speculation of a deeper political reshuffle in Pyongyang. #NorthKorea #KimJongUn #Bureau39 #Exclusive #NKPolitics open.substack.com/pub/pyongyange…
Narcass3 (@Narcass3):
Contrary to the quoted tweet, @sexinfochina is in fact the admin of the Chinese darknet market FreeCity. Behind the handle is Xiao He, a Chinese national who is a prolific launderer of DPRK stolen funds, supporter of DPRK IT Worker ops, and pusher of fake viagra.
Quoting AI骆驼 (@sexinfochina):
I am NOT the operator of ‘FreeCity’ or ANY darknet market. That tg account doesn't belong to me. I’m a trader whose 10 BTC is frozen by @near_intents under shady “compliance review.” You’re smearing me to deflect from THEIR theft. This is libel, not journalism. false accusations damaging reputation = criminal offense. Retract or lawyer up. Crypto community: Demand proof before believing smears. You're the real bad guy who started this whole thing. You're helping out the big shots behind the scenes, pretending to uphold blockchain justice all along. So your money also comes from the crypto community? Can you guarantee that all your upstream funds are completely legal?
