Manuel Urueña

US charges and extradites 33-year-old Ukrainian woman for her alleged role in pro-Russia hacking group that caused spillage at a Texas water plant and an ammonia leak at a meat processing plant in LA. cnn.com/2025/12/10/pol…

DOJ confirms our earlier assessment of ties between hacktivist front Cyber Army of Russia Reborn (CARR) and Russia’s military intelligence service, the GRU. CARR carried out cyberattacks on US and European critical infrastructure but hid behind this false persona. justice.gov/opa/pr/justice…

A new wiper attack has been identified by ClearSky Cyber Security affecting Ukraine. We named this wiper "GamaWiper" (VBS-based wiper). The intrusion chain begins with the exploitation of a vulnerable WinRAR version (CVE-2025-80880). We assess with moderate confidence that this activity is linked to the Gamaredon APT group. This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities. Related IoCs: 95262c4094a9a5e589a218e354ef54b3800aa0abc3b6a343bbcfdcbf021fc04f – initial ZIP with vulnerability CVE-2025-80880 68e21d7599d20444232415a7e74214ce50d7b4643215d83b8320e74c95a9dfd3 – downloaded VBA aafa4c206495163a5e408aa5c296139fe9f330a9f819a226c6934921493de9c6 – downloaded (padded+base64) wiper d4ce4776bdad9b741a1e8345b41737245b80f4cf8d361ebb1ae5415c7a4fe1eb – base64 encrypted wiper 9a39423ec90dc06a3058279cd744c08d83252d1c7096633b9853e435cc205755 – deobfuscated wiper Network: dears[.]serveirc[.]com whitesalad[.]zzrak08526[.]workers[.]dev

This is simply an amazing talk. Except the subject itself and the REALLY GOOD explanations, Some really interesting research and detection methods hide in this post. BTW, I used the same methods in some of my researches lately, and found similar insights. knowing I'm in the "right" research mindset makes me so proud. It was worth the wait! @WEareTROOPERS @fabian_bader @_dirkjan youtube.com/watch?v=yYQBeD…

At @NCSC we have just released guidance on using Privileged Access Workstations (PAWs) in Operational Technology (OT) environments.. ncsc.gov.uk/collection/ope…

GRU's Spy Airbnb: check out our latest video investigation into Unit 29155, and the "Czech" spy couple they used to help them plant explosives in weapons depots. youtu.be/tRqcJV0Z55c?si…

Let me explain where this incredible vulnerability in Notepad++ comes from... my blog post from 3w ago. The problem is there's no vuln. I described this as sneaky init access. You might as well do binary patching of any PE file in the world. #infosec print3m.github.io/blog/dll-sidel…

*turns on loudspeaker at 5,000 person venue* "Hey Meta, text my ex and say I miss her"

The vast majority of hacking is just credentials. There are four basic ways to get creds: STAB Steal: using malware, etc. Try: brute force, guessing, etc. Ask: social engineering, etc. Buy: infostealer logs, etc. Steal. Try. Ask. Buy. A collab with @UK_Daniel_Card

Right now, the media is hyping up a story that a SECRET HACKER FIRMWARE FOR FLIPPER ZERO HAS APPEARED ON THE DARKNET THAT CAN HACK ANY CAR!!!11 WE’RE ALL IN DANGER. Let’s break it down and see if that’s actually true (spoiler: it’s not): blog.flipper.net/can-flipper-ze…

Microsoft isn’t disclosing this so: M365 Copilot allowed users to access files without producing an audit log. All you had to do was ask Copilot to not link to the file. You don’t even have to ask; it sometimes just happens. If your org uses Copilot your audit log is likely wrong

Two yrs ago when researchers found backdoor in encryption algo used to secure radio comms for police/military/intel agencies, the org behind algo told users to deploy end-to-end encryption on top of it. Now researchers found security prob with the E2E too wired.com/story/encrypti…

Mandiant has observed an increasing number of attacks targeting VMware vSphere in recent years, notably for deploying ransomware. Dive deep into what specifically is fueling this trend and get actionable guidance to defend your VMware vSphere estate in our latest blog posts. 👇

Russia’s military intelligence agency (GRU) is targeting Western logistics and technology companies, the US Department of Defense warned in May. cepa.org/article/russia… @cepa

Dudes... please enable Detailed File Share auditing in your environment. All these attackers who switched over to the Impacket suite still run the default configs and it takes like 2 seconds to find them.

New @TheDFIRReport Hide Your RDP: Password Spray Leads to RansomHub Deployment thedfirreport.com/2025/06/30/hid…

🚨NEW REPORT: exposing a new hacking tactic. 🇷🇺Russian state-backed hackers used an App-Specific Password attack against prominent Russia expert @KeirGiles & others. It's like they know what we all expect from them...and then did the opposite 1/ By us @citizenlab & @google's GTIG

MeteorExpress (aka Predatory Sparrow, @GonjeshkeDarand, Adelat Ali, Indra, CodeBreakers, etc) represents the most significant effort at cyber signaling and force projection in nearly a decade. #NoRegerts sentinelone.com/labs/meteorexp…

1.CodeBreakers emerges, hacking Sepah bank. 2.They demand $42M for ransom, 3. Release the most valuable chunks of records for free, while hardly pushing sponsored PR! 4.They disappear and the tg. group is gone 5.Predatory Sparrows drops in and nuke the Sepah bank. 2+2=3.14?

Predatory Sparrow’s past cyber attacks on Iranian steel plants and gas stations have demonstrated tangible effects in Iran. Disrupting the availability of this bank’s funds, or triggering a broader collapse of trust in Iranian banks, could have major impacts there.