Mattysploit

@mattysploit@infosec.exchange

Cyber guy. Used to be a lurker but I guess now I can be the occasional poster.

Site: https://mattysplo.it
Pronouns: He/Him

Each fake app in the dashboard points to a static HTML trap hosted on Azure Static Web Apps or Cloudflare Pages. Want a fake SharePoint? Clone the UI in 15 mins, add some fake docs. Fake VPN? No need to hang some open SSH bait out on the open, you just put the whole thing behind a tile.

No more junk telemetry from mass scans. Instead, you get signal-rich interactions from actors who made it through your fake login, picked a fake app, and thought they’d reached the crown jewels. All of this lives outside your real infra and adds that layer of initial access telemetry. Super handy.

If I threw up a free Cloudflare page with some CanaryTokens on it, nobody would take it seriously out on the internet. But behind a tile? Clearly it must be pRoDuCtIoN /s. I'm curious if an attacker even checks the URL bar after popping through a dashboard like this.

This lets you simulate real identity flows—credential stuffing, MFA fatigue, password sprays—without touching production. You can even add basic login automation for realism, like scheduled logins or profile updates.

An IdP allows you to impersonate your real login screen and then the user dashboard enables some pretty sweet modular design. As big/expensive or small/cheap as you like. Mix in throwaway "real" services with static HTML clones. Deploy a T-Pot and call it your VPN. The attacker just sees tiles.

Since Okta doesn't require domain verification, the big advantage here is... just make up some fake employees... and build an SSO dashboard full of fake internal apps. To an attacker, there's functionally no way to tell the difference between the two, and once inside - it looks totally legit by design.

New from me: I've been lookin into ways to stand up a cloud-based honeynet that 1) didn't look like some random nub hangin out there on open internet, 2) was as cheap/fast as possible, 3) actually looked "real" and not such an obvious trap. I found that answer in using an external IdP like Okta.

Seems like honeynet in cloud has 3 options, none of which I like: Put it in your tenant and segregate it, put it in another tenant named somethin different, or hang it out there on its own w/ no real identifiers at all. None are great, as you're either increasing risk or making it look less legit.🧵

https://mattysplo.it/2025/06/22/deceptiontech.html

Easy, Fast, Cheap Deception in the Cloud

Why a Cloud Honeypot?

Dr. Matt Ryan, PhD
U.S. Seizes $7.74M in Crypto Tied to North Korea’s Global Fake IT Worker Network

U.S. DoJ seizes $7.74M in crypto linked to North Korean IT worker scheme exploiting AI, fake IDs, and BYOD loopholes.

The Hacker News

Ever since the 'great infosec splintering' of 2022, I've been lamenting the lack of sharing/content both here and Bluesky.

I've also been a longtime lurker, contributing nothing. So I guess I should put my money where my mouth is. Here's my super long start:

https://mattysplo.it/2025/06/13/laptopfarms.html

This is intended to be a "all the ways you could detect a laptop farm that I could feverishly think of" but I wanted to do a small thread on one particularly novel (or at least I think so) thing I had stumbled across.

Catching North Koreans & Laptop Farms

Since it is the flavor of the last few months and many are talking about it, I thought I would try to throw together all the detection techniques I could for catching DPRK worker schemes. I’ve also noticed that most are talking about techniques for catching them before they get hired – not many are talking about catching the ones that may already be working for them. So as a result…. have a long blog post! This is an attempt to gather every iteration of how this scheme works, at least as is currently known today.

Dr. Matt Ryan, PhD
But frankly, why stop there? With the C2 on the farm's ISP connection and as lightweight as an ARP rebroadcast is - you could feasibly just have a bunch of these all meshed together. I'm betting this is what is happening. It scales. It's cheap. There's redundancy.
You could ship a big box of Pi Zeros and MicroSDs for a couple hundred bucks, with instructions to put a preconfigured OS with these scripts on each. The laptop farmer simply plugs them in, none the wiser - at a time where DPRK will want to start further obfuscating where they're from.
#infosec