Itay Cohen 🌱
@megabeets_
1.4K posts

Animal liberation activist 🌟 Forbes 30 Under 30 • Sr. Principal Researcher @ Unit 42 • Maintainer of Cutter and Rizin I don't eat animals.

Joined September 2016
538 Following · 5.6K Followers
Pinned Tweet
Itay Cohen 🌱@megabeets_·
I am incredibly honored and grateful to have been selected to the Forbes 30 Under 30 list for 2023! 🎉 This recognition is deeply important to me. I’ll continue pursuing my biggest goal — making the world a safer and more just place for all of us, humans & animals.❤️ #30under30
Devon Kerr@_devonkerr_·
After 8+ years between @EndgameInc and @elastic, my tenure is coming to an end. I couldn’t be more proud of what we achieved with @elasticseclabs, enabling more than 50 researchers to share their knowledge and experiences; many for the first time. Thanks, team. More soon.
Itay Cohen 🌱@megabeets_·
The loader spoofs the original app's signing cert at runtime via IPackageManager hook and redirects DEX loading to an embedded payload in `assets/umgdn`. Every string in the APK is XOR+Base64 obfuscated with unique per-string keys, which is why the code is so bloated.
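The obfuscation pattern described in the tweet (every string Base64-encoded after XOR with a per-string key) is a common target for a bulk string decoder. The example below is added here and is not the tweet author's code nor anything recovered from the sample: it assumes a decoder that is a static method taking the blob and its key from adjacent `const-string` operands at each call site, and the class/method name `Lcom/example/obf/Str;->dec`, the smali layout and the keys are all constructed for illustration. The two plaintexts are the path and C2 URL quoted in the thread; their encoded forms are generated here. It also goes one step beyond the tweet with a known-plaintext key recovery for strings whose prefix you can guess (such as `https://`), which helps when the key is not sitting next to the call.

```python
"""Added example: bulk decoder for per-string XOR+Base64 obfuscation in an APK.

Nothing here is from the real sample. The smali call-site shape, the decoder
class/method name and the keys are assumptions constructed for this example.
"""
import base64
import re
import string
from itertools import cycle

# Assumed call-site shape in decompiled smali: the obfuscated blob and its
# key are pushed as string constants right before the static decoder call.
SMALI_CALL_RE = re.compile(
    r'const-string v\d+, "(?P<blob>[A-Za-z0-9+/=]+)"\s+'
    r'const-string v\d+, "(?P<key>[^"]+)"\s+'
    r'invoke-static \{v\d+, v\d+\}, '
    r'Lcom/example/obf/Str;->dec\(Ljava/lang/String;Ljava/lang/String;\)Ljava/lang/String;'
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key is cycled if shorter than data)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: str, key: bytes) -> str:
    """Build a test vector the way the assumed packer would: XOR, then Base64."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Reverse the scheme: Base64-decode, then XOR with the per-string key."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def looks_like_text(s: str) -> bool:
    """Cheap plausibility check so wrong keys are flagged instead of trusted."""
    return bool(s) and all(ch in string.printable for ch in s)


def recover_key(blob: str, known_prefix: str) -> bytes:
    """Known-plaintext attack: XOR ciphertext with a guessed prefix to expose the
    key stream, then return its shortest period. Only complete if the key is no
    longer than the known prefix; otherwise the partial key stream is returned."""
    ct = base64.b64decode(blob)
    kp = known_prefix.encode("utf-8")
    stream = bytes(c ^ p for c, p in zip(ct, kp))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def decode_call_sites(smali: str) -> list[dict]:
    """Find every decoder call site in a smali listing and decode its string."""
    results = []
    for m in SMALI_CALL_RE.finditer(smali):
        plain = deobfuscate(m["blob"], m["key"].encode("utf-8"))
        results.append({"blob": m["blob"], "key": m["key"],
                        "plain": plain, "printable": looks_like_text(plain)})
    return results


# Constructed sample: plaintexts from the thread, keys and encodings made up here.
SAMPLE_STRINGS = {
    "assets/umgdn": "k9",
    "https://api[.]ra-backup[.]com/analytics/submit.php": "Zq7",
}


def _smali_call_site(blob: str, key: str, reg: int = 0) -> str:
    return (f'    const-string v{reg}, "{blob}"\n'
            f'    const-string v{reg + 1}, "{key}"\n'
            f'    invoke-static {{v{reg}, v{reg + 1}}}, '
            f'Lcom/example/obf/Str;->dec(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;\n'
            f'    move-result-object v{reg}\n')


SAMPLE_SMALI = "\n".join(
    _smali_call_site(obfuscate(p, k.encode("utf-8")), k) for p, k in SAMPLE_STRINGS.items()
)

if __name__ == "__main__":
    for r in decode_call_sites(SAMPLE_SMALI):
        print(f'{r["key"]!r:8} {"ok " if r["printable"] else "?? "} {r["plain"]}')
    blob = obfuscate("https://api[.]ra-backup[.]com/analytics/submit.php", b"Zq7")
    print("recovered key:", recover_key(blob, "https://api"))
```

In practice you would first locate the real decoder routine in the decompiled code and adjust `SMALI_CALL_RE` to its actual class, method and operand order; the plausibility flag is there because a wrong key often still yields valid Base64 and a UTF-8 string that is simply garbage.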
Itay Cohen 🌱@megabeets_·
Trojanized Red Alert rocket-alert app being pushed via SMS pretending to be from the Israeli Home Front Command ("Oref") asking to update the app to the latest version ASAP. Sample: virustotal.com/gui/file/0cba6… C2: https://api[.]ra-backup[.]com/analytics/submit.php >>
Itay Cohen 🌱 retweeted
Seongsu Park@unpacker·
Excited to share my latest research on APT37 (aka ScarCruft) and their evolving campaign targeting so-called "isolated" networks through a carefully orchestrated multi-stage infection chain. Key findings:
▶️ Ruby-based loader: APT37 is deploying full Ruby runtimes with trojanized script to blend execution within legitimate environments.
▶️ USB dead-drop technique: A refined removable media workflow bridges air-gapped segments, leveraging hidden directories to stage tasking and exfiltrate data.
▶️ Cloud C2 evolution: The group has expanded its cloud abuse playbook, incorporating Zoho WorkDrive as an operational command-and-control channel.
In this research, I detail the full intrusion lifecycle from the initial LNK lure to the deployment of the surveillance backdoors with technical breakdowns. Blog: zscaler.com/blogs/security…
Itay Cohen 🌱 retweeted
Check Point Research@_CPResearch_·
In 2025, Amaranth-Dragon APT weaponized the popular WinRAR CVE-2025-8088 for targeted espionage across Southeast Asia. Custom loader, Telegram RAT, geofenced C2, and event-themed lures. research.checkpoint.com/2026/amaranth-…
Itay Cohen 🌱 retweeted
ESET Research@ESETresearch·
#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the 🇵🇱 Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5
Itay Cohen 🌱 retweeted
Willi Ballenthin@williballenthin·
IDA has a plugin manager now! I hope this makes it so much easier for you to try new extensions, like after the Plugin Contest. hex-rays.com/blog/introduci…
Itay Cohen 🌱@megabeets_·
DNG vulnerabilities are everywhere recently. From itw 0-days in iOS and Android (as exploited by LANDFALL) to the many proactively found by Google Project Zero. This excellent talk by @DarkNavyOrg dissects DNG vulns and a recent WhatsApp 0-click chain. media.ccc.de/v/39c3-dngerou…
Itay Cohen 🌱@megabeets_·
This is great reporting and collaboration! Across all four publications, it is clear that Intellexa remains active post-sanctions, maintains access to high-end 0-days, and continues supplying Predator to governments across Africa, the Middle East, and Central Asia.
Itay Cohen 🌱@megabeets_·
RF updates Predator’s infrastructure state, including active communications attributed to customers in Saudi Arabia, Kazakhstan, Angola, Mongolia, and activity connected to Pakistan. They also link certain ad-tech fronts directly to the Aladdin delivery vector. 9/