Roland Emmanuel Salunga @RESalunga
Security Engineer | Former SWE w/ 10 YoE | Tweets are my own | Interested in: #DevSecOps #CloudSec #DFIR #InfoSec rolandsalunga.com Manila, PH Joined December 2019-
Tweets876
-
Followers88
-
Following181
-
Likes3K
Proton is now publicly calling Windows spyware over the Global Device ID that Microsoft uses for every Windows installation. They say users never consent to the GDID, can't remove it, and that reinstalling Windows only partially helps since Microsoft keeps the old records. The company found exactly one mention of the identifier in all of Microsoft's public documentation. Every Windows installation carries a Global Device ID that Microsoft can hand to law enforcement, and a federal complaint against an alleged Scattered Spider hacker just showed it defeating a VPN. Per the FBI affidavit, Microsoft records tied one GDID to the creation of an ngrok account used in a May 2025 jewelry retailer breach, then gave investigators the device's full IP history. Cross-referenced against the suspect's Apple, Snapchat, and Facebook logins, the VPN didn't matter.
A 19-year-old hacker used VPNs, tunneling tools, and rotated IPs across 3 countries. The FBI still caught him. Here's the Windows feature that made it possible and why it should concern everyone. Peter Stokes, an alleged member of Scattered Spider (the group behind $100M+ in ransomware extortion), was arrested at Helsinki Airport this April. Court documents revealed a key piece of evidence: Microsoft's GDID. What is a GDID? GDID = Global Device Identifier. It's a unique code baked into every Windows installation. Microsoft uses it for telemetry, crash reports, feature usage, and license verification (it's why swapping your CPU can break your Windows activation). What Microsoft gave the FBI: → Web activity with timestamps → Gaming history → IP addresses used over time → Tool usage (including Ngrok, a tunneling app) → Azure account activity All tied to one persistent device fingerprint. Even though the VPN masked his IP, it didn't affect the GDID. How they connected the dots: Every time Stokes logged in to Snapchat, Apple, or Facebook from a new IP address, the GDID was there too. Investigators matched timestamps across platforms and countries: Tallinn, New York, Thailand, Germany. Different IPs. Same machine. Same person. Microsoft had already identified him in October 2024 and filed a criminal referral. He was still 17. So they waited till He turned 18. Then they moved. Yes, Stokes is accused of serious crimes. But the GDID data exists on every Windows machine, including yours. The infrastructure that handed his entire digital life to the FBI is the same infrastructure running on your laptop right now. The unanswered questions: - There's no public policy on when Microsoft shares GDID data - No known opt-out mechanism - No transparency report specifically covering GDID disclosures - What other criminal referrals has Microsoft quietly filed?
A 19 year old kid used a VPN and change his IP across 3 countries but the FBI was still able to catch him and that’s because windows was tracking a number he didn’t even know existed….
Open directory, full toolkit, world-readable. 165.154.254[.]203 via @etugenio.
The structure tells the story before you open a single file.
Nuclei binaries and temp directories alongside a ProxyShell exploit chain, Cobalt Strike beacon artifacts, a Sliver fallback, LOLBin deployment wrappers, and a FOFA API integration for target acquisition. This isn't someone testing a PoC. The workflow is documented in the directory itself.
The recon layer: FOFA API (fofa_api.py) and Nuclei (nuclei.zip, 29.8MB) handle target discovery. exchange_scan.sh and exchange_scan.log show active scanning against Exchange Autodiscover endpoints. exchange_targets.txt has 230+ URLs, raw IPs and domains, all formatted for ProxyShell exploitation. exchange_results.txt is the confirmed-hit list.
The exploit chain is ProxyShell, three CVEs chained:
CVE-2021-34473: Path confusion to SSRF against backend
CVE-2021-34523: Privilege elevation via Exchange PowerShell
CVE-2021-31207: Arbitrary file write to webshell drop
Two exploit scripts present: a custom proxyshell_exploit.py and a full-featured exchange_proxyshell.py (Horizon3 variant). Both automate LegacyDN enumeration, SID extraction, token forgery, and PowerShell execution. Webshell drops to aspnet_client/ via EWS draft export abuse (ews_draft.py).
Post-access payload delivery goes through Certutil LOLBin:
deploy_beacon.py
drop_and_run_cs.py
deploy_min_cs.py
loader.ps1 downloads sc.bin via WebClient.DownloadFile, allocates RWX memory via VirtualAlloc, and threads execution directly. No dropper. Straight shellcode injection into process memory.
C2 architecture is dual-track. Cobalt Strike is primary: beacon.gz (11.9MB), nx_beacon.gz (9.1MB), three identical sc.bin/raw_win_x64.bin/raw_bot_relay_x64.bin at 270.5KB each, plus a full set of .cna Aggressor scripts for listener management, payload generation, and beacon tasking. Sliver is the backup: sliver_check.sh, sliver_fix.exp, sliver_commands open directory. Two C2 frameworks for resilience; both configs exposed.
Tor is active on the server ([email protected] running). openssl.cnf suggests custom cert generation for C2 listener HTTPS. xray-client-test.json and associated logs point to additional tunneling tooling, likely xray-core for traffic obfuscation.
Target profile is heavily Philippines-focused. Government infrastructure in the confirmed target list:
dpwh.gov.ph (Dept of Public Works and Highways)
gsis.gov.ph (Gov't Service Insurance System)
pagibigfund.gov.ph
ched.gov.ph (Commission on Higher Education)
pmo.gov.ph (Presidential Management Office)
philrice.gov.ph
Media and private sector alongside: gmanetwork.com, tv5.com.ph, rfm.com.ph, yakult.com.ph, ucpbsavings.com.ph.
Actor language indicators point to a Chinese-speaking operator. Inline comment in proxyshell_exploit.py: # Via 肉鸡 (zombie/bot machine, Chinese threat actor argot). Filename niaozun_key (鸟尊). FOFA API as primary recon tool, dominant in the Chinese-language security ecosystem. Multilingual README set in CN, ES, ID, JP, KR, PT-BR; an organized, maintained toolkit.
Two credential files left in the open directory:
niaozun_key (399B)
vultr_key (411B)
The Vultr key is significant. API access means the infrastructure footprint is queryable for attribution.
IOCs:
Stage server: 165.154.254[.]203:8888
Payload server: 149.28.138[.]225:8080
Payload: sc.bin (CS shellcode, ~270KB)
Webshell path: /aspnet_client/
Recent research reveals that #ScatteredSpider is not a singular organized group but a decentralized #cybercrime collective comprised of multiple, independent subclusters. This loose affiliation of operators, connected primarily through shared TTPs and social engineering techniques, poses a unique challenge for attribution. Our latest analysis explains how this structure, akin to a hacking movement, provides inherent resilience against #lawenforcement actions. It's not a single group to track, but a persistent culture of cybercrime that evolves continuously.
AWS CIRT warns of active scanning for dangling Route 53 CNAME records pointing to deleted S3, CloudFront, and Elastic Beanstalk resources (T1584.001). Hunt with AWS Config custom rules checking CNAMEs against account inventory, not DNS resolution. #DFIR_Radar
Using SSH to drop files on target machine, using military movement as a filename IOC: 45[.]77[.]242[.]76 Usernames: t0, t1 Targeting: Philippines 🇵🇵🇭 Timeline: April - June 2026 @malwrhunterteam @500mk500 @smica83
🚨 SHOCKING: LISA SU’S $1,499 LUNCHBOX ANNIHILATES NVIDIA’S $4K AI BEAST! AMD CEO Lisa Su walked on stage, held a lunchbox sized PC in one hand, and ran a 235 billion parameter model live. No data center. No cloud. No rented GPU. The chip inside is the AMD Ryzen AI Max+ 395. It is the first x86 chip where the CPU and GPU share the same pool of memory. Up to 128GB of unified memory. That one design choice is what changes everything. An RTX 5090 gives you 32GB of video memory. A 4090 gives you 24. This box gives you more than three times either of them in a chassis you can carry in a backpack. On DeepSeek R1 inference, AMD's chip beat an Nvidia RTX 5080 by more than 3x. A desktop the size of a thick paperback outrunning a dedicated graphics card that costs over a thousand dollars on a real AI workload. Now do the math on your subscriptions. Claude Code Max is $200 a month. ChatGPT Pro is another $200. Cursor is $20. Gemini is $20. That is $5,280 leaving your account every year before you build a single thing. The 128GB version of this machine starts at around $2,399. At that run rate it pays for itself in under a year and then runs free. Install Ollama. Pull Qwen3 235B. Point Claude Code at localhost. Same interface you already use. Nothing leaves your machine. Nothing costs per request. No throttling at 3am when you finally have time to build. Lawyers stop worrying about what OpenAI does with their files. Developers stop watching the token counter. Founders stop killing prototypes because the cloud bill scared them off. Private AI just became something a normal person can own.
@AnthropicAI That's why: opensourceaimustwin.com/?share=v2
The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: anthropic.com/news/fable-myt…
Compromised npm packages ([email protected], [email protected]) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials. Indicators of compromise
This is what we've been seeing with every company we work with. Try justifying spending 100k on token spend when only 18k even makes it to a stable prod feature. In the rush to maximize AI token spend, companies are wasting over 44% on bug fixes
Uber’s COO has said that it’s getting “harder to justify” its AI costs because there was no way to show a link between AI spend and any meaningful increase in useful features. This is the first time I’ve seen a company say this directly. businessinsider.com/uber-coo-andre…
I think AI coding hype follows roughly four stages: 1. Amazement You try it and can’t believe how much code it generates from a few prompts. 2. Expansion You start more and more projects because shipping suddenly feels cheap and fast. This is also the phase where people start convincing everyone around them: - coworkers - management - friends in other companies because nobody wants to “fall behind” in 6–12 months. That creates a massive snowball/FOMO effect. 3. The grind phase You realize the generated code has architectural issues, sloppy mistakes, weird abstractions, duplicated logic, broken edge cases, etc. So you start: - re-prompting - switching models - increasing reasoning effort - reviewing fixes - generating fixes for previous fixes And suddenly you spend your days reviewing AI-generated pull requests instead of building software. 4. Realization You realize AI coding increases output much faster than it increases certainty. The code still needs: - review - testing - ownership - architectural understanding - long-term maintenance Usually by expensive senior engineers. And the interesting thing is: this whole cycle can take many months or even more than a year because people become socially and professionally invested in the narrative themselves. Once teams, managers, and entire companies have been convinced that this is the future, it becomes psychologically and politically very hard to later say: “Actually, the ROI is much lower than we expected.”
This is what we've been seeing with every company we work with. Try justifying spending 100k on token spend when only 18k even makes it to a stable prod feature. In the rush to maximize AI token spend, companies are wasting over 44% on bug fixes
Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point. This Eclipse guy has really rocked the boat for Microsoft.
⚠️ WARNING - A malicious npm package was caught stealing files from Claude AI users’ /mnt/user-data directories and uploading them to attacker-controlled GitHub repositories. Check your installed packages: thehackernews.com/2026/05/malici… The package, “mouse5212-super-formatter,” used npm postinstall scripts, hard-coded GitHub tokens, and fake network logs to hide the theft. Downloaded 676 times so far.
Follow every Mythos discovery through our coordinated vulnerability disclosure dashboard. red.anthropic.com/2026/cvd/
@ThruntingLabs Nice. This makes me wanna sign up 👀
We are working on our first cloud intrusion investigation for Threat Hunting Labs. The lab is not live yet, but we wanted to start sharing some of the intrusion details because this case represents an important direction for THL. The intrusion began with a compromised developer macOS workstation. The workstation was infected by an infostealer. The developer had long-lived AWS access keys stored locally for a service integration and loaded them as environment variables during development. Those credentials were collected by the stealer and later used from external infrastructure to access the AWS environment. From there, the activity unfolded across 3 days and included: - enumeration - discovery - privilege escalation - lateral movement - data exfiltration This is exactly the kind of cloud intrusion we want analysts to investigate inside Threat Hunting Labs. It connects endpoint compromise, developer credential exposure, AWS access, identity activity, cloud control-plane behavior, and attacker progression across time. We are still building the lab, but we are excited about where this takes THL next. Cloud intrusions are becoming a major focus for us, and this case will be the first full cloud investigation we bring to the platform. To our knowledge, it will also be the first real cloud intrusion investigation of its kind available anywhere for hands-on analyst training.
2026-05-26 (Tuesday): Another page impersonating Claude was used to push #SHubStealer when viewed on a macOS host. Details at bit.ly/4fcekmj
PSA: Beyond The Dark (APPID: 3393800) on Steam is malware. Hidden in the unitydll is a dropper which then downloads more malware from a C2 based on what programs and chrome extensions you have (targeting crypto / defi wallets).
Can Peser @12345hsshhshh
9 Followers 46 Following
🄲🅈🄱🄴🅁 ... @Cyber_Asia_
4K Followers 547 Following Follow us for the latest #cybersecurity news in Asia.
Amirul Hafiz @amirulemrys
45 Followers 463 Following
Ayush @r00t_ak
89 Followers 2K Following Nothing, just a noob and trying to learn new things🙂 Beg Bounty Security Researcher | CTF player
Vietal @Vietal508
0 Followers 133 Following
Mooqu @Mooqu510
9 Followers 210 Following
Jeffrey @DASTraderkaren1
355 Followers 4K Following 📉Crypto trader & Youtuber. ⛔️I won't DM you first. Beware of Scammers.
Charly Wargnier @DataChaz
177K Followers 49K Following Ex @Streamlit @Snowflake Maestro • I write about AI agents, LLMs and automation • My ❤️ is open source • DM for collabs 📩
Gamiel Manbiotan @oscuridad1010
149 Followers 528 Following Offensive Security | Red Team Operations | H.O.F NASA, United Nations, U.S DoD | CRTP | CNPEN | CAPENX | CAPEN | CRTA https://t.co/hPhjiFw6N6
Scrum2success @scrum2success
0 Followers 115 Following Turbo boost your transition into your first Scrum Master Role!
AD @ADShr3k
0 Followers 48 Following
Refactor Security @refactorsec
483 Followers 1K Following We help teams build safer software through practical, engineering-driven security.
CHARToons @GandyDancer123
1K Followers 3K Following CHARToons: Your daily dose of Technical Fun-alysis, memes,satire Fin-tertainment Pioneer CHARToons-Baryanaryo-Ticker Tunes
KAsh Security @KAshSecurity
397 Followers 625 Following Cybersecurity | Bug Hunter | CompTIA Security+ | OSCP Loading... | Searching for interesting tools | DM if you know any cool projects, NO sponsorships
Learn Python For Free @LearnPython3_
35 Followers 29 Following Want to learn #Python with ease? Then follow this account for some great tips
Zzzzzz @CaffeintdCovert
17 Followers 189 Following
iam_NiiBortey @BorteyJoel
123 Followers 664 Following
123 @nepmontanez
36 Followers 892 Following
Dominic Ligot @docligot
5K Followers 2K Following Technologist, Social Impact, Data Ethics, AI Founder @ethicsPH, @cirrolytix, @aedes_ai Board @PCIJdotOrg, PAIBA
Daniele Fontani @zeppaman
3K Followers 4K Following Building better tomorrow. Trekker inside. CTO. Interested in #CloudComputing, #AgileDevelopment and #Opensource.
Fullbrain @fullbrain_org
153 Followers 250 Following Fullbrain is a social learning platform where students share and map their knowledge.
Craig Schubert @OzSchuby
62 Followers 359 Following Jack of all trades - dancers, teacher, massage therapist, DJ and curious about iOS develpment.
Creative Technologies @ctech_india
259 Followers 374 Following Creative Technologies provides consulting, IT services to clients all over the world which includes Web Designing and development, mobile applications...
:// @thepetitedev
3 Followers 93 Following
Crazy Web Developers @CrazyDevelope15
507 Followers 414 Following Web Designer , Web Developer , Android App , iOS App , SEO , Complete web solution #php #codeigniter #laravel #ecommerce #android #ios
Likith Raja Singh @likithrajasingh
147 Followers 911 Following Mechanical Engineer, Software Engineer, charvak. we need better government, better laws and better law enforcement, PHP rocks
zach Elliot @zachElliot5
0 Followers 56 Following
Egor Pavlikhin @EgorPavlikhin
327 Followers 242 Following Software dev engineer & manager. Enterprise, automation, web dev. C# | .Net | Angular | TypeScript #programming #IoT #fintech https://t.co/kJBsoG0zOB
HONEY MASSEY @honeymassey2018
573 Followers 3K Following Aspiring #FrontEndDeveloper .#html #css #Bootstrap #android studio😇😇 I Love #JESUS 💝💝 https://t.co/1i1mlvV7uw
Jeroen Desloovere @desloovere_j
676 Followers 3K Following Integration Architect at Agristo. Loves to solve the unsolvable.
Amazon Web Services @awscloud
2.2M Followers 433 Following AWS is the world's most comprehensive cloud, enabling organizations to accelerate innovation, reduce costs, and scale more efficiently.
Invictus Incident Res... @InvictusIR
2K Followers 32 Following Helping organizations respond to cyber incidents in the cloud | 🆘 24/7 support https://t.co/zfF62gimvm | 📚 Academy https://t.co/GH0u8tmjXJ
Blue Team News @blueteamsec1
56K Followers 9K Following The cybersecurity home for the latest #BlueTeam, #DFIR, and #ThreatHunting news and tools.
Threat Hunting Labs @ThruntingLabs
2K Followers 1 Following Train on raw telemetry from actual breaches. Investigate malware and reconstruct the kill chain from process creation to exfiltration and beyond.
IntelOps @IntelOpsV3
6K Followers 57 Following The internet holds vast secrets for those who know how to look A darkweb forum for security researchers
International Cyber D... @IntCyberDigest
188K Followers 255 Following Independent reporting on cybersecurity, tech, AI & digital policy.
Nagli @galnagli
48K Followers 509 Following Hacker; Red Agent & Offensive AI at @wiz_io / @Google; $3,000,000 Bug Bounty Hunter and Live Hacking Events Winner.
Craig Rowland - Agent... @CraigHRowland
11K Followers 319 Following Agentless Linux security. No endpoint agents and no drama. Linux malware, forensics, intrusion detection, and hacking. Founder @SandflySecurity.
Joe Security @joe4security
8K Followers 136 Following Deep Malware and Phishing Analysis for Windows, Android, macOS and Linux.
The DFIR Report @TheDFIRReport
68K Followers 0 Following Real Intrusions by Real Attackers, the Truth Behind the Intrusion
Marco Lancini @lancinimarco
7K Followers 384 Following 💼 Director of Security 📬 @CloudSecList 📚 https://t.co/TrQKzxfnYg 💬 I write about security strategy, technical leadership, and cloud security.
PHIVOLCS-DOST @phivolcs_dost
848K Followers 61 Following PHIVOLCS is the service institute of the DOST for monitoring and mitigation of volcanic eruptions, earthquakes and tsunami.
Ken Gannon (伊藤 �... @Yogehi
3K Followers 311 Following 95% random tweets, 5% security related tweets. Pwn2Own '23/'24/'25. YayTweetsAreMyOwnYay
Virus Bulletin @virusbtn
61K Followers 1K Following Security information portal, testing and certification body. Organisers of the annual Virus Bulletin conference. @[email protected]
Kaspersky @kaspersky
313K Followers 86 Following Kaspersky is the world’s largest privately held vendor of Internet security solutions for businesses and consumers. For support https://t.co/enRPRUIwcm
ThreatMon @MonThreat
17K Followers 2 Following ThreatMon End-to-End Threat Intelligence Platform | for IOC and C2 data: https://t.co/2ADZRdutwN
Dr. Anton Chuvakin @anton_chuvakin
42K Followers 9K Following Information security - #SIEM, #DFIR, #EDR formerly at Gartner! Now @GoogleCloud Office of the #CISO; host of @CloudSecPodcast https://t.co/VpKtfz8nXG
Nir Ohfeld @nirohfeld
5K Followers 953 Following Head of Vulnerability Research @wiz_io | @Microsoft MVR (2021-2025) | Pwn2Own 2025 | @Forbes 30 Under 30 | Ask me anything about https://t.co/QfzcO03PpS
Microsoft Threat Inte... @MsftSecIntel
196K Followers 995 Following We are Microsoft's global network of security experts. Follow for security research and threat intelligence.
MyDFIR @MyDFIR
4K Followers 162 Following I run a community showing you how to build practical hands-on skills to become a Cybersecurity SOC analyst. 👇
Watcher.Guru @WatcherGuru
4.5M Followers 3 Following Watcher Guru gives you unparalleled, unbiased coverage of all-things crypto & finance in real-time | Posts Are Not Financial Advice | @BTCPrice
Group-IB Threat Intel... @GroupIB_TI
17K Followers 182 Following Official account of the @GroupIB Threat Intelligence Unit. Latest research, analytics, IOCs and threat alerts.
IAMTrail (Previously ... @IAMTrail_
3K Followers 8 Following Archived - AWS silently updates Managed IAM policies all the time
Huntress @HuntressLabs
41K Followers 533 Following Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.
Vulnlab @vulnlab_eu
6K Followers 1K Following Labs & Training by @xct_de | You are welcome to join the community @ https://t.co/p5R9zGJYHw Vulnlab is now part of Hack The Box.
CloudSecList @CloudSecList
2K Followers 1 Following The best way to stay on top of the cloud security landscape without having to be overwhelmed by all the noise | Curated by @lancinimarco
Scott Piper @0xdabbad00
20K Followers 253 Following Cloud security historian Developed https://t.co/ZXFwkuyseC, CloudMapper, and Parliament Organizer for @fwdcloudsec Researcher at @wiz_io
AWS Security @AWSSecurityInfo
61K Followers 153 Following This account is no longer active. Follow @awscloud for the latest updates from AWS.
Anshuman Bhartiya @anshuman_bh
5K Followers 3K Following I love Security, Automation, Innovation, Challenges and Changes. My opinions here, not my employers. https://t.co/MrnjVztqTu
U.S. Cyber Command @US_CYBERCOM
143K Followers 258 Following Official Twitter page of U.S. Cyber Command (Following, retweets and links do not equal endorsement)
NSA Cyber @NSACyber
157K Followers 12 Following We protect our nation’s most sensitive systems against cyber threats. Likes, retweets, and follows ≠ endorsement.
The Hacker News @TheHackersNews
1.8M Followers 2K Following The #1 trusted source for cybersecurity news, insights, and analysis — built for defenders and trusted by decision-makers.
ali @endingwithali
30K Followers 451 Following software engineer - content creator @ https://t.co/4vI4dOxzmn - threatwire host @hak5 - nyc - MIT
Cybersecurity @ NIST @NISTcyber
99K Followers 522 Following Official handle covering all things cybersecurity at NIST
Dark Web Intelligence @DailyDarkWeb
195K Followers 0 Following We work in the dark to bring clarity to the light.
Cybersecurity and Inf... @CISAgov
324K Followers 106 Following America's Cyber Defense Agency and National Coordinator for Critical Infrastructure Security & Resilience. Likes, reshares, follows ≠ endorsements.
Charly Wargnier @DataChaz
177K Followers 49K Following Ex @Streamlit @Snowflake Maestro • I write about AI agents, LLMs and automation • My ❤️ is open source • DM for collabs 📩
LetsDefend @LetsDefendIO
141K Followers 1 Following LetsDefend, now part of Hack The Box. Read more: https://t.co/jxMnGZ4Yne
Hacking Articles @hackinarticles
300K Followers 481 Following House of Pentesters Join us: https://t.co/Y6XOlSOA92
mRr3b00t @UK_Daniel_Card
124K Followers 8K Following Department of Cyber WAR. Member of the Counter Spider Collective. Wielder of AI to defend in Cyber Space. Ralph Vibe Specialist. VibeOps Operator!
ESET Research @ESETresearch
36K Followers 32 Following Security research and breaking news straight from ESET Research Labs.
Merkado Barkada @MerkadoBarkada
14K Followers 359 Following Casual market analysis | memes | commentary









































