Andrew Northern 𓅓

@ex_raritas

4,423
Followers
931
Following
1,726
Media
15,679
Statuses

🔮 Senior Threat Researcher at @proofpoint 🔮 | Knowledge Piñata 🪅 | Attack Chain Connoisseur | Epicurean

Joined April 2009
Pinned Tweet
@ex_raritas
Andrew Northern 𓅓
7 months
Extremely proud to announce that my second 🥇🥇 contribution to the @MITREattack framework has been published in version 14. T1026.012: Obfuscated Files or Information: LNK Icon Smuggling ⚔️ Big shout out to my co-contributors @greglesnewich and
Tweet media one
4
21
84
@ex_raritas
Andrew Northern 𓅓
8 months
Tweet media one
5
30
988
@ex_raritas
Andrew Northern 𓅓
2 years
How did this dude get so many followers 😂 I don’t get it. I still haven’t broken 1k and I find actual malware.
Tweet media one
162
34
961
@ex_raritas
Andrew Northern 𓅓
9 months
What F35 doing?
Tweet media one
16
155
794
@ex_raritas
Andrew Northern 𓅓
6 months
Fun prank visit a coworker in another city and swap their yubikey for a blank one.
Tweet media one
29
36
732
@ex_raritas
Andrew Northern 𓅓
2 years
Thanks for the inspiration :)
Tweet media one
@ankit_anubhav
Ankit Anubhav
2 years
#Malware in 2022
Tweet media one
6
130
532
5
61
276
@ex_raritas
Andrew Northern 𓅓
11 months
What did you just say about me, you little jerk? Allow me to inform you that I graduated with top honors from the SANS Institute. Throughout my career, I have gained expertise in email security and combating viruses. I possess extensive knowledge in defensive strategies and have
29
28
223
@ex_raritas
Andrew Northern 𓅓
2 years
I highly recommend that infosec professionals should work on both red and blue. Ideally blue, red, and then blue again. Defenders need to think like an attacker. Attackers need to not forget what their purpose is.
19
28
211
@ex_raritas
Andrew Northern 𓅓
10 months
What security products or services are you a “fan” of? This isn’t an endorsement or formal thing… I just find myself cheering for a couple of brands over the years that have consistently been doing good work. Just off the top of my head Malwarebytes, Publicwww, and UrlscanIO
62
24
191
@ex_raritas
Andrew Northern 𓅓
2 years
Maybe, just maybe we should consider locking an account after a few mfa pushes. 🤔
13
5
143
@ex_raritas
Andrew Northern 𓅓
1 year
Tweet media one
1
23
136
@ex_raritas
Andrew Northern 𓅓
2 years
I just want to take a moment to thank Cisco and their researcher team for their transparency and for their willingness to address the issues I raised regarding part of their latest write up. This response speaks to the integrity of their team and their commitment to the community
Tweet media one
4
8
134
@ex_raritas
Andrew Northern 𓅓
1 year
📖
Tweet media one
10
9
129
@ex_raritas
Andrew Northern 𓅓
1 year
I'm proud to announce that part 2 of my report on #TA569 is out: A big thank you to co-authors and contributors: @0xkyle and the Threat Research Team. And @selenalarson for her editing prowess. CC: @threatinsight @proofpoint 1/N 🧵 👇👇👇👇
5
51
126
@ex_raritas
Andrew Northern 𓅓
2 years
🧵 1/2 Happy to announce that after many years of sitting on this code for personal use I'm releasing my Rapid Response Reporting corpus. A series of images and "quick win" documentation for helping incident responders based on malware family. eg. Agent Tesla
Tweet media one
2
29
113
@ex_raritas
Andrew Northern 𓅓
2 years
I was trying to stage my record with my distro service but I accidentally submitted it so I guess I have a new record coming out next week. 🤷‍♂️ 😅 Made the artwork today as well. Pretty proud of the whole thing.
Tweet media one
1
3
105
@ex_raritas
Andrew Northern 𓅓
2 years
Tweet media one
5
16
106
@ex_raritas
Andrew Northern 𓅓
2 years
I saw this in the park earlier, does anyone know what it means?
Tweet media one
11
11
105
@ex_raritas
Andrew Northern 𓅓
2 years
Hey gang! Thanks for all the new followers! I primarily deal with tracking #TA569 / #socgholish . I also have a vested interest in Emotet as well as general Conti activity. Below I’ll link to some of my other research with my peers. 👇👇👇
3
12
99
@ex_raritas
Andrew Northern 𓅓
1 year
I can't recommend this enough:
Tweet media one
3
18
101
@ex_raritas
Andrew Northern 𓅓
3 years
You fall in love with a turtle, climb on its back, it goes in the water, you die. - @BenKissel
2
8
93
@ex_raritas
Andrew Northern 𓅓
4 years
@afatassfeminist @angrybIackgirI Respectfully, though you may not be overtly homophobic I’d encourage you to consider this: The potential for homosexual attraction in your mate is what you find repulsive. That is indeed a way that internalized homophobia presents itself. It’s not a preference, it’s a bias.
2
2
74
@ex_raritas
Andrew Northern 𓅓
2 years
Tweet media one
1
0
76
@ex_raritas
Andrew Northern 𓅓
2 years
🧵 My first of two reports covering #ta569 and #socgholish is out this morning. This first report is a primer and overview of the specific #socgholish threat. The second will cover the entire #ta569 ecosystem. This is a great read if you plan on attending my talk today.
2
17
73
@ex_raritas
Andrew Northern 𓅓
6 months
@HackingLZ @ha888t Sorry, is something in this picture?
1
0
69
@ex_raritas
Andrew Northern 𓅓
1 year
I’m proud to announce that this year’s Human Factor report is now available. The 2023 Human Factor report delves deeper into recent advancements in the threat landscape, with a particular focus on the intersection of technology and psychology that enhances the potency of the
Tweet media one
2
34
67
@ex_raritas
Andrew Northern 𓅓
2 years
Hey gang. I know a lot of you follow me because of my research on #SocGholish and #TA569 . Next week I'm doing a deep dive webinar on this topic. You will have an hour of my time where I cover what you need to know as a defender and responder. Link to sign-up in comments:
1
23
65
@ex_raritas
Andrew Northern 𓅓
1 year
Omw to ruin your ransomware campaign.
Tweet media one
5
1
62
@ex_raritas
Andrew Northern 𓅓
2 years
New @proofpoint podcast Discarded just dropped. Join us as we discuss:
• The journey leading to Emotet’s return
• The importance of the Conti group leaks
• What defenders should be thinking about against cyber threats
Tweet media one
3
12
60
@ex_raritas
Andrew Northern 𓅓
4 months
@BushidoToken RIP. MI6 about to drive an Aston Martin through your wall.
2
0
63
@ex_raritas
Andrew Northern 𓅓
4 years
@RealDiscoDonnie you should book @BirthdayyPartyy for ubbi dubbi Zoom Room
5
1
61
@ex_raritas
Andrew Northern 𓅓
4 months
This but the powershell logo
Tweet media one
1
9
61
@ex_raritas
Andrew Northern 𓅓
2 years
@HackingLZ This is the best reply 😂
0
0
58
@ex_raritas
Andrew Northern 𓅓
2 years
MSFT disabling macros.
Tweet media one
1
3
58
@ex_raritas
Andrew Northern 𓅓
1 year
Tweet media one
0
5
57
@ex_raritas
Andrew Northern 𓅓
4 years
I’m a bisexual man and I exist. I’m not confused. I’m not greedy. I’m not testing the water. I'm not 50% gay and 50% straight. I’m 100% bisexual. #BiVisibilityDay
1
5
53
@ex_raritas
Andrew Northern 𓅓
5 years
Imma tell my kids this was @RealDiscoDonnie
Tweet media one
0
9
54
@ex_raritas
Andrew Northern 𓅓
4 months
Which Red Teamer lost their *gestures broadly at everything* @techspence @AugustVansickl2 ?? 😂
Tweet media one
6
5
55
@ex_raritas
Andrew Northern 𓅓
1 month
Wanna join the team? Day to day:
Write intrusion detection rules for the Snort and Suricata platforms
Answer support questions about rule guidance and false positives
Work with the open source community to maintain and optimize the ETOpen ruleset
4
20
56
@ex_raritas
Andrew Northern 𓅓
2 years
🃏 Emotet Update 🤡
Past 24 hours
~6000 Samples analyzed
~90 C2 ips
>13000 unique payload URLS
Volume still increasing
Same regserver -> .ocx
*Interesting* Most are randomized directories on a handful of hosts.
*Interesting* Use of Covid-19 Lures
3
15
54
@ex_raritas
Andrew Northern 𓅓
5 years
@lazo_jenn @nprpolitics Lots of companies pay their interns quite well.
0
0
42
@ex_raritas
Andrew Northern 𓅓
1 year
Tweet media one
@BleepinComputer
BleepingComputer
1 year
Hackers start using Havoc post-exploitation framework in attacks - @serghei
1
38
87
2
6
48
@ex_raritas
Andrew Northern 𓅓
6 months
Yet another wave of “I’m leaving Twitter forever” infosec influencers are back I see.
10
1
49
@ex_raritas
Andrew Northern 𓅓
2 years
Here is a classic
Tweet media one
Tweet media two
1
4
49
@ex_raritas
Andrew Northern 𓅓
2 years
@badtakeblake My previous Twitter handles (a short list): Old Saint Thicc Yungsnakedaddy The Crunchwrap of Notre Dame
3
0
48
@ex_raritas
Andrew Northern 𓅓
2 years
🧵 Today is a big day for me. It’s been a career aspiration of mine since I learned about the @MITREattack framework to become a named contributor. Thanks to my peers ( @selenalarson , @bry_campbell , and @ZackDoesML ) on the @threatinsight team at @proofpoint we have done it!
@MITREattack
ATT&CK
2 years
We're releasing ATT&CK on the perfect date! Put on your light jacket and jump into structured detections, subs for mobile beta, and ICS on our main site. Changelog is up at and @_whatshisface & @JasonAjmo describe what's new in .
5
65
122
4
3
48
@ex_raritas
Andrew Northern 𓅓
4 months
Me looking at a threat actor's commit history where they accidentally add and frantically remove hardcoded credentials.
Tweet media one
0
6
46
@ex_raritas
Andrew Northern 𓅓
3 years
@WeOutcheaAgain @anarchygigi This game is called Super Hot if anyone is interested
0
0
45
@ex_raritas
Andrew Northern 𓅓
2 months
@SwiftOnSecurity Glad you are still here. Read the whole thing. Can relate. I was also a depressed teenager who became a drop out and got my GED. ❤️‍🩹❤️‍🩹❤️‍🩹
0
0
45
@ex_raritas
Andrew Northern 𓅓
6 months
Finally read (listened to) The Cuckoo’s Egg 13 years into my career in infosec. What’s next?
Tweet media one
18
0
45
@ex_raritas
Andrew Northern 𓅓
2 years
Tweet media one
1
6
44
@ex_raritas
Andrew Northern 𓅓
2 years
For anyone playing at home: #ContiLeaks #Conti
Tweet media one
1
11
45
@ex_raritas
Andrew Northern 𓅓
2 years
Really proud to announce my first published report with Proofpoint. @selenalarson @ZackDoesML @bry_campbell
@threatinsight
Threat Insight
2 years
Proofpoint observed new activity impacting French entities in the construction, real estate and government sectors. The attack is highly targeted and dates back to February with activity seen as recently as last week. 🐍 Our latest blog has the details:
Tweet media one
4
46
90
3
8
45
@ex_raritas
Andrew Northern 𓅓
1 year
@vxunderground This is my favorite part:
Tweet media one
0
2
42
@ex_raritas
Andrew Northern 𓅓
4 years
1
0
36
@ex_raritas
Andrew Northern 𓅓
2 years
Just had the biggest two weeks of my professional career back to back. 🧵 Discovered and submitted a new procedure to @MITREattack that is forthcoming.
2
0
43
@ex_raritas
Andrew Northern 𓅓
5 months
This is where my brain goes whenever I see the world's worst obfuscation:
Tweet media one
2
4
43
@ex_raritas
Andrew Northern 𓅓
2 years
Me trying to have a weekend. My brain 🧠: I wonder what my threat actors are doing?
7
4
42
@ex_raritas
Andrew Northern 𓅓
27 days
@Royals Send Melendez down
3
1
42
@ex_raritas
Andrew Northern 𓅓
1 year
Just Threat Research things:
Tweet media one
Tweet media two
Tweet media three
2
1
41
@ex_raritas
Andrew Northern 𓅓
2 years
Some new updates on #TA569 #SocGholish today. Bonus Zoom Background for people who hate #TA569 like me. A thread 🧵👇 H/T : @0xkyle and @DustyMMiller
Tweet media one
1
15
41
@ex_raritas
Andrew Northern 𓅓
29 days
Happy baseball ⚾️
Tweet media one
6
0
41
@ex_raritas
Andrew Northern 𓅓
2 years
"Are we the baddies?" More "red team" bullshit the world didn't ask for or need.
Tweet media one
7
1
39
@ex_raritas
Andrew Northern 𓅓
2 years
Really looking forward to getting after #TA569 tomorrow. I didn’t expect my commentary on Twitter followers to net me so many new friends, but I can assure you that I will continue to focus on fact based research with a healthy dose of memes and infosec commentary. :)
2
0
38
@ex_raritas
Andrew Northern 𓅓
5 months
My wife just surprised me with a vintage floor length original Gianni Versace leather coat from the 1980’s. It is in exceptional condition and I am one step closer to realizing my absolute villain form.
5
2
39
@ex_raritas
Andrew Northern 𓅓
4 years
@SwiftOnSecurity Rapid7 brought 3 medium pizzas to a lunch to 30 people.
4
1
39
@ex_raritas
Andrew Northern 𓅓
3 months
@dieworkwear Such a good topic. I find some luxury sneakers like St. Laurent are fantastic quality but others like Prada are terrible. Versace, Alexander McQueen, Rick Owens are great too. Any opinions on major fashion house “sneaker” offerings? Materials, construction, etc. I find the
5
1
38
@ex_raritas
Andrew Northern 𓅓
2 years
Hey @Namecheap I have 115 domains hosting active SocGholish injects on your infrastructure. DM?
2
3
38
@ex_raritas
Andrew Northern 𓅓
11 months
@AnFam17 Lol nothing this is a modification of an old Copy-Pasta of a “tough guy” rant from a long time ago on the internet.
2
0
36
@ex_raritas
Andrew Northern 𓅓
5 years
@zackwhittaker @TimiHealth This has to be the single worst PR response to an incident that I've ever read.
0
0
38
@ex_raritas
Andrew Northern 𓅓
7 months
I’m presenting at ATT&CKcon in a few days. I’m stoked.
5
1
37
@ex_raritas
Andrew Northern 𓅓
3 years
1
0
34
@ex_raritas
Andrew Northern 𓅓
2 years
I unapologetically love Powershell.
5
6
35
@ex_raritas
Andrew Northern 𓅓
2 years
Malware is attracted to the rich history, warm culture, and abundant food choices of Italy.
3
5
36
@ex_raritas
Andrew Northern 𓅓
23 days
🚨✨ Job Opportunity with Proofpoint Threat Research ✨🚨 Read the whole thread first: 👇👇👇
2
12
37
@ex_raritas
Andrew Northern 𓅓
2 years
🧵🐰🕳️ 1/?: Stumbled down a rabbit hole yesterday and I'm still making sense of it. I don't have all the answers nor do I even have a name for the type of TDS JS nightmare that I ran into but it's a pretty wild ride! 🔜 H/T: @lshirley30 for asking me about this
2
17
37
@ex_raritas
Andrew Northern 𓅓
3 months
Conference Announcement: I'm proud to announce that I'll be speaking at the University of Kansas ( @UnivOfKansas ) at the FBI AND KU CYBERSECURITY CONFERENCE on 04/04. cc @FBIKansasCity @sec_kc
Tweet media one
6
4
37
@ex_raritas
Andrew Northern 𓅓
4 years
Happy @UbbiDubbiFam weekend
Tweet media one
0
15
37
@ex_raritas
Andrew Northern 𓅓
3 years
Today I unfollowed 300 EDM twitter accounts 💕
2
0
36
@ex_raritas
Andrew Northern 𓅓
2 years
What if we kissed while doing crime? j/k unless... #TA569 #socgholish
Tweet media one
1
4
36
@ex_raritas
Andrew Northern 𓅓
1 year
Good morning to everyone except for the person plagiarizing my research and graphics I made without even crediting me in the slightest.
6
2
36
@ex_raritas
Andrew Northern 𓅓
2 years
Today my new report with @da_667, @Myrtus0x0, and Axel F dropped. Read all about Nerbian RAT.
1
10
34
@ex_raritas
Andrew Northern 𓅓
2 years
Virus almost full. What do I do?
Tweet media one
18
3
35
@ex_raritas
Andrew Northern 𓅓
4 months
About 8 years ago I fell ill with fever, body pain, vertigo and neuralgia. After quite a bit of testing it was determined that I had Zoster sine herpete (ZSH) aka shingles with no rash. Unfortunately this isn’t something that just goes away and every so often it raises its ugly
7
0
35
@ex_raritas
Andrew Northern 𓅓
2 years
You might be drunk in Vegas but I’m drunk a few blocks from my own house. Touché
4
0
33
@ex_raritas
Andrew Northern 𓅓
2 years
Tweet media one
2
4
32
@ex_raritas
Andrew Northern 𓅓
1 year
I want to take a moment to highlight some really fantastic work by @k3dg3 , @Myrtus0x0 , and @joewise34 . Proofpoint researchers hypothesize the original operators behind Emotet are using an IcedID variant with different functionality.
0
5
34
@ex_raritas
Andrew Northern 𓅓
11 months
Tweet media one
3
0
34
@ex_raritas
Andrew Northern 𓅓
1 year
uhhh excuse me what?
Tweet media one
2
4
33
@ex_raritas
Andrew Northern 𓅓
2 years
I hit 3k followers today! 🎉 How many of them are TAs lurking? 🤔🤔😂😂
1
0
32
@ex_raritas
Andrew Northern 𓅓
2 years
Bruteratel for sale anyone?
Tweet media one
4
3
32
@ex_raritas
Andrew Northern 𓅓
4 years
@NickHintonn @houseofSWARM is now doing the announcements
1
0
28
@ex_raritas
Andrew Northern 𓅓
2 years
What F1 team should Lockbit sponsor?
9
3
30
@ex_raritas
Andrew Northern 𓅓
2 years
I love my team so much. The only downside of remote work is that I wish I could go grab beers with them on the weekend.
2
0
31
@ex_raritas
Andrew Northern 𓅓
2 years
Despite having absolutely no credibility @aRtAGGI just smashed his presentation at @CYBERWARCON . Proud to be his peer.
Tweet media one
1
1
30
@ex_raritas
Andrew Northern 𓅓
3 years
@Pilnok jesus christ I just started a new job and didn't need this. 😅😅😅😅😅
0
0
30
@ex_raritas
Andrew Northern 𓅓
5 years
I’m never surprised by music. That’s a fact. But what @WHIPPEDCREAM did at 515 is something I’ve never seen. Big respect.
0
0
25
@ex_raritas
Andrew Northern 𓅓
1 year
Good morning.
Tweet media one
6
0
30