Julian-Ferdinand Vögele

Threat Research @ Recorded Future. Previously @ Security Research Labs. He/Him. 🏳️‍🌈🐘

Twitter: @JulianVoeg
Blog: http://fishingtheinternet.blogspot.com
Bluesky: @julianferdinand.bsky.social

NEW RESEARCH - I'm pretty proud we were able to pound out and ship a piece on this within 3 days. But its importance may get lost in the news cycle.

While we continue to struggle with things like keeping private keys secret, we're also busy introducing autonomous, nondeterministic agents into every place possible that are subject both to all the problems we still struggle with *AND* largely interminable new problems that can't be easily guardrailed-away.

Sure, this is a Chinese company so it's difficult for many folks to envision the same thing happening in the US, but we are 100% setting ourselves up for it, and companies and professionals not gleefully joining in the regressions are being continually punished.

This is a warning sign, and unfortunately, we will fail to heed it.

https://dti.domaintools.com/research/exposure-of-tls-private-key-for-myclaw-360-in-qihoo-360-security-claw-ai-platform

DomainTools Investigations | Exposure of TLS Private Key for Myclaw 360 in Qihoo 360 “Security Claw” AI Platform

DTI analysis of a leaked TLS private key from Qihoo 360's AI security platform, covering cryptographic validation, threat scenarios, and incident response.

Recorded Future's Insikt Group has identified 5 distinct activity clusters linked to TAG-144 (Blind Eagle). These clusters have operated at various times throughout 2024 & 2025, targeting a significant number of victims, primarily within the Colombian government. https://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations
Yesterday, we released a first-of-its-kind analysis of a set of #Lumma affiliates within a vast info-stealing ecosystem, showing their interconnectedness and resilience even after major law enforcement takedown attempts: https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate
Behind the Curtain: How Lumma Affiliates Operate

Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.

Today we’re publishing a new report on Intellexa’s #Predator #spyware, which is still active despite global sanctions, now with a new client and ties to a Czech entity. Check out the full report here: https://www.recordedfuture.com/research/predator-still-active-new-links-identified
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure

Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil society and political targets.

We're currently tracking crypto, recruitment, and task scams that all share the same site structure, keeping their template designers busy 24/7, and appearing on thousands of fresh domains daily.

While you may be familiar with their modus operandi, please take a moment to inform your less security-savvy friends and family with the warning signs:

- Distributed via unsolicited job offers (more on this topic soon) and 'make money online' social media groups—sometimes even shared by other victims, including people you know, in the hope of increasing their earnings via referral bonuses.
- Promise high returns with seemingly little to no effort or risk, almost certainly too good to be true.
- Often abuse well-known brands to appear legitimate, with recent campaigns mimicking Adidas, Lidl and Macy's, among others.
- Start with requests for small payments that increase as the perceived earnings grow, with most transactions using the cryptocurrency Tether (USDT), a stablecoin linked to the US dollar.
- Scam domains are sometimes lookalikes, mimicking the legitimate brand, combined with numbers or generic terms like 'invest' or 'vip'.

Scammers typically create a sense of urgency and pressure victims into acting quickly without thinking. Many will fall into the sunk cost fallacy, being made to feel that investing one more time will allow them to get their promised reward.

The outcome can be devastating, with victims often reported as losing their life savings, racking up debts, and even unwittingly convincing other family members to participate in the scam.

Recently observed examples of these shared structure investment scams have used lookalike domains registered through Alibaba and protected by Cloudflare:

- `adidaso[.]top`
- `macys[.]name`
- `lidl02-vip[.]com`

#scam #investment #dns #threatintel #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel
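The lookalike pattern called out in this post (brand name plus appended digits, a single extra character, a generic term such as 'vip' or 'invest', or the bare brand on an unexpected TLD) can be turned into a simple triage check for domain feeds. This is an added example and not part of the original post; the brand watch list, the "official" TLDs and the generic-term set are assumptions, and the three defanged domains from the post are reused as sample input.

```python
# Assumed watch list: brand -> TLDs the brand is known to use (constructed for this example).
WATCHED_BRANDS = {
    "adidas": {"com"},
    "macys": {"com"},
    "lidl": {"com", "de"},
}
# Assumed generic add-on terms: the two named in the post plus a couple of common ones.
GENERIC_TERMS = {"vip", "invest", "official", "shop"}


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'lidl02-vip[.]com' back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def lookalike_reasons(domain: str) -> list[str]:
    """Return the heuristics a domain trips, or [] if nothing resembles a watched brand.

    Only the first label is inspected (brand.tld or brand-suffix.tld); deeper
    subdomain layouts are out of scope for this illustration.
    """
    host = refang(domain)
    label, _, tld = host.partition(".")
    reasons = []
    for brand, official_tlds in WATCHED_BRANDS.items():
        if brand not in label:
            continue
        if label == brand:
            # Bare brand name: suspicious only when it sits on a TLD the brand does not use.
            if tld not in official_tlds:
                reasons.append(f"{brand}: brand name on unexpected TLD .{tld}")
            continue
        leftover = label.replace(brand, "", 1)
        for token in filter(None, leftover.split("-")):
            if token.isdigit():
                reasons.append(f"{brand}: digits '{token}' appended")
            elif token in GENERIC_TERMS:
                reasons.append(f"{brand}: generic term '{token}' appended")
            elif len(token) == 1:
                reasons.append(f"{brand}: single extra character '{token}'")
    return reasons


def triage(domains: list[str]) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; clean domains are left out."""
    return {d: r for d in domains if (r := lookalike_reasons(d))}


if __name__ == "__main__":
    # Constructed sample: the three domains from the post plus two benign controls.
    sample = ["adidaso[.]top", "macys[.]name", "lidl02-vip[.]com", "lidl.de", "example.com"]
    for domain, reasons in triage(sample).items():
        print(domain, "->", "; ".join(reasons))
```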

CTO at NCSC Summary: week ending November 24th

More AI vulnerability discovery successes, and a busy week of alleged state activity including close-proximity attacks via Wi-Fi.

CTO at NCSC - Cyber Defence Analysis
It makes sense APT28 would do this, given members of the group were arrested carrying out close-access Wi-Fi hacking in the Netherlands in 2018 with an antenna hidden in a car. This is a logical evolution: all the advantages of Wi-Fi-based hacking without ever leaving Russia. /fin https://www.wired.com/story/russian-spies-indictment-hotel-wi-fi-hacking/
How Russian Spies Infiltrated Hotel Wi-Fi to Hack Their Victims Up Close

A new indictment details how Russian agents camped outside hotels when remote hacking efforts weren't enough.

@volexity’s latest #threatintel blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target, while the attacker was halfway around the world.

Read more here: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/

#dfir
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (“Organization A”) indicated a threat actor had compromised a server on the customer’s network. While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity had not previously encountered.

China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors.

10/ This campaign is a clear sign of China’s continued cyber espionage against Tibetan and other ethnic/religious minority groups, as part of a broader strategy to monitor and control perceived threats to the Chinese Communist Party’s power.