
Daniel Gordon

@validhorizon

Thought Trailer, Cyber Threat Intel, DFIR. He/Him. Bucketing, sharing, and bacon-saving as a service. https://validhorizon.medium.com/

3,278 Followers
205 Following
715 Posts
Joined 24.07.2023

Latest posts by Daniel Gordon @validhorizon

Every single word. Except when you post about video games, I tune right out lol

01.03.2026 18:57 👍 0 🔁 0 💬 1 📌 0
Preview
ScarCruft continues to evolve, introduces Bluetooth harvester After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usu...

Just @ me next time lol. Definitely a USB propagation mechanism in 2022. securelist.com/updated-mata...

Maybe this Bluetooth harvester in 2019.

securelist.com/scarcruft-co...

01.03.2026 16:11 👍 2 🔁 0 💬 1 📌 0
Post image
01.03.2026 11:19 👍 1 🔁 0 💬 0 📌 0

Just a reminder that in the absence of reliable information, you can just wait for more information before reacting. You can even touch grass while you’re waiting.

01.03.2026 11:13 👍 2 🔁 0 💬 0 📌 0
Preview
Statement from Dario Amodei on our discussions with the Department of War A statement from our CEO on national security uses of AI

This kinda sounds like Anthropic actually standing up for itself, I’m guessing for long term reasons.

www.anthropic.com/news/stateme...

26.02.2026 23:15 👍 5 🔁 0 💬 0 📌 0

The future is bright... I will never be unemployed as a cybersecurity reporter

25.02.2026 22:53 👍 77 🔁 12 💬 0 📌 0
Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, r...

New Cisco zero-day, this one discovered by the ASD

sec.cloudapps.cisco.com/security/cen...

25.02.2026 21:13 👍 7 🔁 1 💬 1 📌 0
Post image

Google Threat Intelligence Group took down a massive, long-term intrusion campaign into global telcos and government. This PRC-nexus actor built a vast surveillance tool across 42 confirmed countries and another 20 suspected countries. 1/x

25.02.2026 15:06 👍 77 🔁 25 💬 3 📌 1

For offense, I used to think AI would be mostly abused for social engineering and that AI companies would put in effective guardrails in response to wider abuse. I no longer think that. Anthropic was used in a wide ranging compromise of the Mexican government. archive.md/Qlgtr

25.02.2026 14:50 👍 0 🔁 0 💬 0 📌 0
Preview
Google disrupts Chinese-linked hackers that attacked 53 groups globally Google disrupted a Chinese-linked hacking group that breached at least 53 organizations across 42 countries, the company said Wednesday.

Google disrupts Chinese-linked hackers that attacked 53 groups globally - www.reuters.com/sustainabili...

25.02.2026 11:51 👍 12 🔁 7 💬 0 📌 0

This is Contagious Interview and I’m not sure why Microsoft didn’t attribute in the blog. I have a couple guesses but that’s all they would be: guesses.

25.02.2026 04:08 👍 5 🔁 2 💬 1 📌 0

Microsoft’s naming convention is the worst, other than all the other ones lol. Moonstone is memorable for being a ransomware crew that makes ridiculous NFT-based tank video games though lol

24.02.2026 15:01 👍 2 🔁 0 💬 0 📌 0

I've been seeing Vshell in #opendirs for a few years. With the recent attention, it was time to do a proper write-up on it:
https://censys.com/blog/vshell/

24.02.2026 14:50 👍 3 🔁 2 💬 0 📌 0
Preview
North Korean Lazarus Group Now Working With Medusa Ransomware North Korean attackers continuing to mount extortion attacks against the U.S. healthcare sector despite indictment.

Moonstone Sleet using Medusa ransomware www.security.com/threat-intel...

24.02.2026 12:41 👍 2 🔁 3 💬 1 📌 0

Eating crackers (joking mostly)

23.02.2026 19:33 👍 0 🔁 0 💬 0 📌 0
Post image
23.02.2026 10:29 👍 0 🔁 0 💬 0 📌 0
Post image

#100DaysOfYARA - Day 15 (a little behind)

I used @REMnux's MCP to extract a payload from an (unknown to me) malware, which I'm now tracking as AxolotlLoader. I used the MCP to build a YARA rule based off of the XOR decryption function.

Rule at end
1/5

22.02.2026 20:46 👍 7 🔁 2 💬 1 📌 0
Preview
GitLab Threat Intelligence Team reveals North Korean tradecraft Gain threat intelligence about North Korea’s Contagious Interview and fake IT worker campaigns and learn how GitLab disrupted their operations.

Without exaggeration, one of the most epic DPRK reports ever about.gitlab.com/blog/gitlab-...

20.02.2026 00:15 👍 31 🔁 13 💬 2 📌 2

About half of it is the world’s largest list of IOCs, which makes sense given how high volume this adversary is and how much GitLab could see. Definitely not a quick read though 😂

20.02.2026 11:46 👍 1 🔁 1 💬 0 📌 0
Post image

Oh I forgot HERE ARE THEIR PERFORMANCE REVIEWS LOL

20.02.2026 00:53 👍 4 🔁 0 💬 0 📌 0

Contagious Interview is famously bad at opsec but holy smokes I have never seen a threat actor so comprehensively put on blast since APT1.

20.02.2026 00:40 👍 5 🔁 1 💬 1 📌 0

We found a process for scraping images and creating synthetic images at scale. We found OPERATORS IN BEIJING AND MOSCOW and THIS IS THEIR ADDRESS LOL. res.cloudinary.com/about-gitlab...

20.02.2026 00:38 👍 5 🔁 0 💬 1 📌 0
Post image

Oh we noticed a COVERT COMM CHANNEL IN HTML CODE COMMENTS. res.cloudinary.com/about-gitlab...

20.02.2026 00:27 👍 6 🔁 0 💬 1 📌 0
Post image

Oh check out THIS SPREADSHEET OF THEIR FINANCES res.cloudinary.com/about-gitlab...

20.02.2026 00:25 👍 3 🔁 0 💬 1 📌 0
Post image

Here is THEIR ORG CHART res.cloudinary.com/about-gitlab...

20.02.2026 00:21 👍 4 🔁 0 💬 1 📌 0
Post image

They found a TARGET LIST.

20.02.2026 00:21 👍 3 🔁 0 💬 1 📌 0
Post image

SOS returns to Brussels on October 22, 2026!

As the geopolitical landscape rifts, hybrid threats continue to adapt & evolve. We provide a forum for observers of state-aligned sabotage, espionage, and more to share research with an action-oriented community.

Stay tuned for more announcements!

19.02.2026 21:37 👍 6 🔁 5 💬 0 📌 0
Preview
Password managers' promise that they can't see your vaults isn't always true Contrary to what password managers say, a server compromise can mean game over.

The makers of password managers like Bitwarden, 1Password, Dashlane and LastPass promise they can't see your password vault. But that's not always true. A server compromise can mean game over for you, say researchers who examined some of the top password managers on the market.

18.02.2026 18:24 👍 18 🔁 11 💬 2 📌 2
Preview
UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Google Cloud Blog UNC6201 utilizes a newly discovered zero-day in Dell RecoverPoint for Virtual Machines to deliver BRICKSTORM and subsequently backdoors.

0day -> webshell -> Brickstorm malware ☹️

cloud.google.com/blog/topics/...

18.02.2026 16:49 👍 0 🔁 0 💬 0 📌 0