Azi Vaziri

Spyware is used against high-risk users: journalists, human rights defenders, dissidents and political opponents. I'm particularly proud of our latest work, shedding light on Commercial Surveillance Vendors who make $$$ exploiting vulnerable systems and users. 🧵

🎙️ You may have heard of the Glupteba botnet, but did you know @Google didn't just disrupt it—they sued the operators? In a wild twist, the Russian operators didn't stay in the shadows. They hired a US attorney and showed up in a New York court to fight back. In the latest episode of Behind the Binary, @pmbureau discusses the wild tale of the technical and legal takedown! 🎧 Listen here: open.spotify.com/episode/0TgHyh…

⚠️ Update: It has now been 24 hours since #Iran implemented a nationwide internet shutdown, with connectivity flatlining at 1% of ordinary levels. The ongoing digital blackout violates the fundamental rights and liberties of Iranians while masking regime violence ⏱

@itsme_urstruly Lumbergh

What would you name him? 😂

Earlier last year, we (Threat Analysis Group) published a comprehensive paper on the rise of CSVs + entire industry that threatens free speech/press/open internet: blog.google/threat-analysi… We must continue to focus on new international norms/frameworks to limit this misuse.

Also see this great research published by our friends at Amnesty: securitylab.amnesty.org/latest/2025/12…

Still Spying: even after getting hit with U.S. sanctions, spyware vendor Intellexa (Predator) is still dodging restrictions, exploiting 0days and selling digital weapons to the highest bidder. @google 🧵 #zerodayexploit #spyware cloud.google.com/blog/topics/th…

Toujours un grand plaisir d'échanger tech & cybersécurité avec @Guglielminetti à ~29:17min sur l'émergence d'outils qui modifient leur propre comportement en temps réel pour éviter la détection: moncarnet.com/2025/11/27/mon… 📄 Rapport complet: lnkd.in/e8jPAr5M

For years, public opinion research has required trade-offs: depth or breadth; stories or statistics. ⚖️ Today, we’re sharing how Jigsaw and the Napolitan Institute bridged those gaps during our We the People pilot. 🇺🇸

Of course, multiple @google teams work actively on disruption, disabling accounts/assets, and insights gained are used to strengthen safety guardrails and classifiers of our models for better resilience.

🔁Augmentation of full attack lifecycle: PRC, IR, NK continue to leverage AI to enhance all stages of operations (i.e. recon, creation of phishing lures, C2 dev, data exfiltration, etc.)

In Jan'25, we published analysis of APTs attempting to use gen AI, specifically Gemini: no novel capabilities, just common usage, largely ineffective. Check out today's update on advances in threat actor usage of #AI tools: cloud.google.com/blog/topics/th… 🧵

It's @realJGoldblum 's birthday y'all 🎉

6/ Some offensive providers quietly lobby for a world where they grow fast & unfettered, paid with your tax dollars. Nimble & filling gaps. But if you play out the scenario from past evidence? Expect a massive transfer of taxpayer-funded tech & talent to foreign governments.

Constantly iterating delivery mechanisms to evade detection, alternating between simple/complex methods (ex splitting crypto keys) as a persistent effort to maintain its core mission: intel collection against high-value targets like NGOs & policy advisors.

New infection chain uses a "ClickFix" lure (disguised as CAPTCHA) to trick users into running a downloader called NOROBOT, which 1st deploys a Python backdoor (YESROBOT) before settling on a more flexible/extensible PowerShell backdoor (MAYBEROBOT).

New Malware Attributed to RU State-Sponsored COLDRIVER (🧵) cloud.google.com/blog/topics/th… ✍️ @wxs