Alex Delamotte
@spiderspiders_
Followers
724
Following
1,274
Media
135
Statuses
1,053
Threat Researcher @ SentinelLabs. Resident of Las Vegas. Unabashed Futurist. Probably a Shiny Pokémon in human-like form. Opinions are mine. she/they
Mars Vegas
Joined January 2021
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
White Dudes for Harris
• 157344 Tweets
広瀬めぐみ
• 37157 Tweets
#TrainAccident
• 34598 Tweets
Astros
• 33870 Tweets
Kikuchi
• 18375 Tweets
大麻パーティ
• 17819 Tweets
キラーT細胞
• 16904 Tweets
BINI BOYCOTT GENOCIDE FUNDERS
• 15281 Tweets
रेल मंत्री
• 14212 Tweets
東京地検特捜部
• 13320 Tweets
Soler
• 11654 Tweets
Pinned Tweet
@SLEUTHCON
thank you so much for having me yesterday! It’s an honor to speak among such legends & I am so impressed with how the team handled the power outage.
I had a great time presenting and I’m so appreciative for all the support (and amazing swag). A+ con, loved it!
1
1
27
Ransomware lineage is an absolute mess these days, so I created this tracker detailing which ransomware families are based on leaked source code/builders.
(1/2)
1
39
156
You know those persistent, pesky USPS smishing texts?
The ones that say you have a package that needs to be redelivered?
In this post, I dive into SNS Sender, a script that abuses AWS SNS to send smishes, and some of the related phishing kits.
🔍 New from SentinelLabs! Our latest analysis by
@spiderspiders_
reveals a smishing method using AWS SNS, dubbed SNS Sender. Read more:
#CloudSecurity
#Smishing
#CyberThreats
#awscloud
#aws
#SentinelLabs
0
6
21
2
33
92
I am beyond excited to continue my villain arc by speaking at
@SLEUTHCON
2024!
Come watch me speak about the SLOPSEC driving attribution of open-source cloud attack tools.
Stay for the afters to see who wears the Wazawaka wedding suit better:
@BushidoToken
or Yours Truly.
We're excited to share our full speaker lineup for
#SLEUTHCON
2024! 🎉
Visit for more reasons to get your tix!
0
24
59
7
8
43
Me whenever I successfully decompile an APK (please clap)
1
3
39
@LasVegasLocally
Friends always come to visit from far away! Living here, I see certain friends more often than when we lived 30 min apart
0
0
25
I am stoked to be presenting at
@HushCon
on December 8!
Come see me talk about cloud malware, or as I say: “Malware, But on Someone Else’s Computer”
Bring your 🍿 and 🍌—it’s going to get cloudy ☁️
Hopefully using their their own machine,
@spiderspiders_
will be presenting "Malware, But on Someone Else's Computer"
0
0
4
5
6
27
Arid Viper is an interesting group with a rich history of mobile malware development. In this post, I focus on recent activity in this space.
These apps are highly modular and designed to mimic messaging and dating applications. (1/3)
🐍 New by
@LabsSentinel
! Threat actor Arid Viper is delivering SpyC23, an Android spyware family, to Arabic-speaking targets through weaponized apps posing as Telegram or as a dating app called Skipped. By
@spiderspiders_
📄 Read more:
0
3
11
1
8
20
@LasVegasLocally
“Sphere charges a 23% service charge for VIP suites but that goes to the venue itself.”
2
2
23
I try not to romanticize ransomware operators, but this is incredible energy. 🤷♀️
LockBitSupp: "I love the FBI — without the FBI my life wouldn't be as fun, and they're just doing their job."
3
23
66
2
7
22
This is too fun! Looks like you can hunt for more bot fails using the ChatGPT error string.
Russia forgot to pay its chatgpt bill so a bunch of angry Twitter accounts suddenly went haywire
186
9K
59K
3
8
22
Back in 2021, the Babuk source code leaks fascinated me. At the time, it was unprecedented ransomware drama. 🍿 Like any self-respecting malware archivist, I grabbed the zip file and threw away the key for a few years. 1/?
🔐
@LabsSentinel
researcher
@spiderspiders_
unpacks the growing trend of ESXi locker use among ransomware groups. The report exposes how groups like
@Conti
and
@REvil
are exploiting ESXi lockers.
#infosec
#ranosmware
#Sentinellabs
0
2
4
1
7
19
FBot was a joy to research—aside from having to open an AWS account again for testing. 😂
This little Bot keeps popping up, with its most recent appearance on New Year’s Day. (1/x)
💜 New from
@spiderspiders_
Exploring FBot | Python-Based Malware Targeting Cloud and Payment Services 👇
1
4
10
2
7
17
THE NET GALA was incredible and exceeded my wildest expectations. Thank you so much to the old & new friends who joined us from near & far, and to our sponsors for making it possible.
A huge thank you to everyone who attended The Net Gala. We are so grateful for each and every one of you!
This was truly a special event. We will share photos over the next few days!
XOXO,
The Gala Girlies / The AAA Girls
@aaronsdevera
,
@spiderspiders_
,
@endingwithali
1
3
21
2
3
17
@mattjay
Great question! SCARLETEEL is the best recent example that I know of. Actor exploited a vulnerable Kubernetes container and pivoted to the underlying cloud service account.
0
5
16
Don’t let anyone tell you dreams never come true! On this glorious day, my AWS account was finally closed. 🥹
1
0
15
In today’s
@LabsSentinel
blog post , I dug into several versions of a large toolset targeting credentials from multiple cloud service providers. 🧵1/?
1
5
15
Attention, researchers and detection engineers: I’ve found the Yara Bag.
0
3
14
Another important link for sock aficionados: the Lockheed Martin Pride Socks from AliExpress. Best $3 I’ve spent.
2
4
14
So much of cloud threat research is rewriting peoples' tools so they actually work as intended. WTAF.
I did not sign up to be a Python dev.
0
1
13
Thank you to all who attended my talk at
@HushCon
this afternoon! 🙏
Here are the links:
AlienFox:
Predator AI:
TeamTNT:
@permisosecurity
-
Cloud malware GH repo to follow soon :)
I am stoked to be presenting at
@HushCon
on December 8!
Come see me talk about cloud malware, or as I say: “Malware, But on Someone Else’s Computer”
Bring your 🍿 and 🍌—it’s going to get cloudy ☁️
5
6
27
1
6
13
Transparent Tribe is back again. This campaign was quite similar to the CapraTube campaign I reported in September. As is tradition, this actor relies heavily on social engineering pretexts to design apps that appeal to their targets. 🧵 (1/4)
🔥📱 New from
@spiderspiders_
: CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts
0
7
11
1
5
13
A deep dive by my colleague Jim on the activities of the NullBulge group, which allegedly leaked Disney’s Slack data last week. Grab a coffee and check it out! ☕️
New Research Drop 🤖
NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI
0
10
26
0
1
13
Come see me yell about cloud threat intelligence on Saturday afternoon!
This is a very fortuitous time to talk about where cloud threat intel is and where it could be. Grab the popcorn 🍿
📢 Drumroll, please!
@spiderspiders_
will be presenting a talk “Bridging the Gap: Cloud Threat Intelligence for Detection and Offensive Security Practitioners” on August 12th (Day 2) 14:10 PT at
@cloudvillage_dc
@defcon
📝More details on
#defcon31
0
3
8
0
3
12
I’m always proud to be a part of this team, but today was extra special ✨
We 💜
#LABScon23
-- New from our team today:
🟣 by
@milenkowski
(Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit). Related blog from
@juanandres_gs
coming soon ;)
🟣 by
@TomHegel
(Cyber Soft Power | China’s
1
10
17
0
0
12
SLOPSec FTW!
2
1
22
2
1
12
Ayy, researchers. Friendly Monday reminder to constantly SNAPSHOT YOUR VMs!
I was looking for a TA's website & social media acts & found they were taken down since I researched a few months ago. Opened my VM snapshot from when I researched the actor's tool & found everything.
1
0
12
When the night *starts with*
@endingwithali
The
@cabalcx
DoD party was so good we apparently summoned ghosts for this pic 🫡
0
2
11
I have officially written enough blog posts that I have completely forgotten writing some of them. AMA
3
0
11
I spoke with
@LindseyOD123
about my favorite things: cloud threat intel &
@_thenetgala
Thanks for having me, Lindsey &
@DecipherSec
team!
New
@DecipherSec
podcast with Alex Delamotte (
@spiderspiders_
) of
@SentinelOneLabs
Decipher Podcast: Alex Delamotte
#decipher
#deciphersec
0
2
2
0
5
11
The Snowflake debacle is undoubtedly a headache for security teams of companies using it. I chatted with
@LindseyOD123
about the situation and what we can infer from Snowflake’s recommendations. Check it out!
0
4
11
Happy Friday and early Xmas! Here is the promised Cloud Malware & Hacktools collection:
I would love to see this code rolled into Detections & Red Team Ops.
Thanks for having me
@HushCon
! And thanks for all the interest from attendees of my talk! 🙇♀️
Thank you to all who attended my talk at
@HushCon
this afternoon! 🙏
Here are the links:
AlienFox:
Predator AI:
TeamTNT:
@permisosecurity
-
Cloud malware GH repo to follow soon :)
1
6
13
0
1
10
I love Berlin so much that I missed my flight home like everyone warned I would 🥰
1
0
11
This is the first time I’ve woken up with 0 unread messages in Signal
Everyone must have gotten *really* hammered at Shmoocon last night 🤣
1
0
11
@vxunderground
@Ubiquiti
@briankrebs
Every incident responder who had a weekend fire drill thanks to Krebs posting at 5 PM on Friday is entitled to schadenfreude rn.
1
0
9
@RocketPunch1221
@kenklippenstein
Fendi’s prices qualify them as a terrorist organization. Or at a minimum an extortion operation
0
0
10
Wearing my cursed jacket to the F1 practice session tonight in an attempt to induce some disaster tourism.
Good luck, everyone!
0
0
9
Looking for the leaked LockBit source code.
This happened at some point, right?? Pls share, I need 🥺🥺🥺
2
0
9
Quiet quitting, but for interpersonal relationships instead of work
1
0
9
I’m horrified to share that this is the character I’m slowly turning into, minus the problematic tendencies that come with being from a certain generation
0
0
9
For anyone new to knowing or following me, here is what I do for $dayjob: track how actors in developing countries abuse western megacorp services to make a quick buck (or rupiah) 💁♀️
📬 Have you gotten
@USPS
Smishing texts, the ones that say you have a package that needs to be redelivered? In this
@LabsSentinel
post,
@spiderspiders_
dives into SNS Sender, a script that abuses AWS SNS to send smishes and some related phishing kits.
0
2
5
0
2
9
@SynapticRewrite
Vegas local here. Any gripes you have against the Strip are 1000% valid. I hate the Strip!
There are nice parts of town away from the Strip. There is no capacity for the # people coming into town for cons, yet.
If you hate the heat, can’t solve that aside from new con dates.
0
0
9
Girls only want one thing and it’s disgusting (1 click RCE 0days)
0
2
9
*gently pats case of Intel Mac*
"When you're gone in a year, I'm going to miss your ability to run VMs." 🥲
2
0
9
What an honor to be the Defcon Saturday episode of
@thecyberwire
! I enjoyed chatting with Dave about the TeamTnt-like activity now targeting service credentials from each of the big 3 CSPs. Check it out!
It's raining credentials on
#ResearchSaturday
. Dave's joined by Alex Delamotte of
@SentinelOne
's
@LabsSentinel
to discuss their research "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP."
@spiderspiders_
Listen in:
6
3
5
0
3
9
Ok I’ll play. What are five topics you can talk about for 30 minutes with zero prep?
1. Detection Engineering
2. Tech company hiring
3. Dance music (my opinions are fact here)
4. Human rights in the USA
5. Languages
What are five topics you can talk about for 30 minutes with zero prep?
My Infosec ones are:
1. Ransomware
2. Advanced Persistent Threats
3. Cybercrime Forums
4. How Bitcoin Works
5. Basic OPSEC practices
1
0
21
1
0
9
Windows ransomware is like a comfort food for me: familiar & I know what to expect.
Rhysida is an odd newcomer with certain techniques that resemble older ransomware.
It is a dev’s passion project and they are working on some shiny features. ✨ This one is sure to be continued.
🇨🇱 Stay ahead of Rhysida ransomware and its unusual combination of techniques. Our latest blog post offers a high-level overview of its activity, technical details of the malware payloads, hunting rules, and IoCs. By
@spiderspiders_
& Jim Walter
0
2
4
1
4
7
Hey Hackers, remember when, like, every digital billboard was vulnerable to RCE? The Sphere was a 2.3B USD project. How much do we think was allocated to AppSec?
DEFCON is coming soon 🍿
Imagine you're driving down the street trying to get to the Flamingo and you see this
203
1K
15K
2
1
8
I will not be at RSA this week. 🙏
To all who were sentenced to hard labor in SF, good luck & have fun
1
0
8
Check out
@0xFawaz
’s blog posts on AWS persistence & privilege escalation from the red & purple team lens!
I’m excited to see more from this researcher. Props to
@techyteachme
for highlighting their blog in Detection Engineering Weekly.
After privilege escalation in AWS, the next goal of an adversary could be to create backdoors in their target AWS account to maintain access.
In this post, we explore some methods that can allow persistence in any AWS environment.
#aws
#cloudsecurity
1
14
30
1
0
8
Today
@ESETresearch
shared great research on more mobile spyware shenanigans from AridViper.
Thanks for referencing my 2023 report on SpyC23
@TheHackersNews
!
🔒 Arid Viper launches mobile espionage campaign using trojanized
#Android
apps to deliver AridSpy
#spyware
, targeting Middle East users via fake messaging and job apps.
Read details:
#cybersecurity
0
22
47
0
1
8
This was an awesome talk! I highly recommend folks check this out.
@_vventura
& the
@TalosSecurity
team dive into the timeline behind a well-funded mobile spyware ecosystem targeting both Android & iOS
🔥 New LABSCon Replay is up!
Intellexa and Cytrox: From Fixer-Upper to Intel Agency Grade Spyware from
@_vventura
& Michael Gentile.
0
5
12
0
1
8
0
2
8
If you need to hit a cloud service but can’t forge your own auth tokens, a credential stealer may be for you!
Check out the potential comeback of cryptojacking OG, TeamTNT. Featuring a cameo from Silent Bob.
New joint release with our friends at
@permisosecurity
/
@P0Labs
👇
AWS-Targeting Cred Stealer Expands to Azure, GCP
💜
💜
@spiderspiders_
@TekDefense
@danielhbohannon
#ThreatIntel
0
13
17
1
2
8
Annnnnd it’s gone. Evidently MS decided that
@nyxgeek
’s Teams enumeration technique leveraged a bug, not a feature.
This inspired so many data collection ideas, too. 😭
CVEID & CVSS score, please.
Well, that was short-lived.
If you just get a "doh" error when you run the tool, that's because the request now gives a 403.
This might be the fastest fix that I've seen from Microsoft. I did not expect them to fix it, because it would break the Graph Explorer demo.
2
10
67
0
2
8
POV: You log into your computer on a Friday morning and see this. What do you do?
5
3
8
Cloud Village
@cloudvillage_dc
was a lovely & accommodating place to give my first conference talk. I highly recommend anyone with a cloud focus submits to the CFP!
Howdy Folks,
The
#cfp
for Cloud Village
@defcon
32 is open now!
Submit us the cool
#cloudsecurity
research y'all have been doing!
Submission Link -
Visit us for more details -
Cheers!
#dc32
#defcon
1
25
32
0
1
8
Spotted at Luxor last week. Luxor is an MGM property.
Why should I pay for parking if they can’t pay for a Windows license?
2
0
8
For everyone who is already asking: Don’t stay at Fontainebleau for Defcon—service and logistics are a mess.
Go for Wynn or Resorts World first. You’re welcome.
2
1
8
OK the SLEUTHCON design team hit it out of the park with this year’s GTA theme 👩🍳💋 Check out the site!
SLEUTHCON is coming!!! Registration and CFP are now open for this year's SLEUTHCON! This year's keynote will be given by Bryan Vorndran, FBI's Assistant Director Cyber Division. We are virtual and in-person in Arlington, VA on May 24th! 1/x
4
53
109
0
4
7
You ever get an error message that feels wayyyyy too pointed?
I’ve never seen “Catastrophic failure” before 😂
0
0
7
I love this city
Las Vegas - Casino Security on the LV Strip responding on a welfare check - report of a male being walked through the casino on a leash by a tall muscular woman - caller says it “doesn’t look consensual”
51
107
678
0
0
7
This week is amazing.
@LasVegasLocally
retweeting
@vxunderground
is like my skater friends and internet nerd friends are suddenly hanging out after years of being completely unaware the other group exists
No idea if this is how MGM got hacked but it's very possible. Social engineering works well when your employees are overworked.
22
36
371
1
0
7
There are still seats available for my &
@sud0suw
’s Blackhoodie workshop at Recon in Montréal!
We will cover ransomware design fundamentals & how they’re implemented on Linux & Windows RW, as evasion. & the amazing
@0x0bea
is joining to lead a section on writing decryptors!
BlackHoodie is coming back to
@reconmtl
this June 26 & 27 with a training on Reverse Engineering Ransomware brought to you by
@sud0suw
and
@spiderspiders_
, registration is now open
0
11
17
0
2
7
I’m a named author! 😭
Is this where I thank The Academy and give an acceptance speech??
🧊 🔥 New on SentinelLabs! A
#Linux
version of the
#IceFire
#ransomware
has been observed in recent network intrusions of media and entertainment enterprises. By
@spiderspiders_
@LabsSentinel
1
5
12
1
2
7
This person f***s
0
0
7
Instead I manifested the worst disaster: boredom 😭
Wearing my cursed jacket to the F1 practice session tonight in an attempt to induce some disaster tourism.
Good luck, everyone!
0
0
9
1
0
7
Security & Threat Researchers who use a Mac: where do you run IDA or Ghidra?
No, I’m not trying to backdoor you.
On my Mac
31
In a Windows VM
62
7
1
7
ChatGPT is already tripping from that pallet of Zyns
0
0
7
Bob is very silent…but there is an even stealthier C2 domain in this campaign.
Check out our collab detailing what a TeamTNT-like actor has been up to in 2023!
Thanks for working with us,
@danielhbohannon
CLOUD TOOLSET BLOG: If you've ever been interested in re-winding all the incremental code & infrastructure changes an attacker makes to expand their victim targeting in the cloud then you'll enjoy this blog by
@permisosecurity
! (esp the attacker's FQDNs)
2
11
19
0
2
7
Me: It’s so nice to wake up in my own bed on a Sunday and not have massive obligations hanging over my head for the first time in weeks!
Apple Watch:
0
0
7
This is why we can’t have nice things.
The mysterious mountain monolith near Las Vegas has been taken down because people were going to die of heat stroke trying to find it. (📸 LVMPD)
108
119
1K
0
0
7
@sherrod_im
Aside from the redundancy of “all time,” I like the exploit question.
It shows you’re in touch with news & how attacks work. Mostly measures how you respond to open-ended questions—or as tech companies like to say, “navigating ambiguity.”
0
0
7
I ordered these stickers for the OpenAI devs.
Will have some extras by Sleuthcon. Be sure to ask for one if you’re a true Zyncel!
Just saw this getting unloaded in front of OpenAI. We are getting AGI this year.
139
785
18K
1
0
6
@pivot_con
Amazing thread. Feeling good about my submission thanks to all these helpful memes ☺️
0
0
6
I already feel for
@techyteachme
— I’m a tough act to follow.
But I love that the cloud talks are happening B2B! ☁️
1
1
6
Is it just me or did Signal just die? It’s so much more obtrusive than any other social media outage 🤣
2
0
6
Join us next Wednesday for the
@redcanary
Detection Series to talk crypters & loaders! I’ll be discussing where they intersect with the cloud and how detection differs from traditional endpoint threats.
Register here:
We're zagging slightly with the Detection Series and focusing on threats rather than techniques/tactics. Join
@jfslowik
,
@spiderspiders_
, &
@ForensicITGuy
7/24 @ 2 PM ET to talk crypters and loaders, why they matter, and what you can do about them!
0
3
5
0
1
6
Possibly the best high-level vuln analysis I’ve seen thus far on the topic. Back to watching anime now 👋
Rumors are circulating about a Signal 0day.
If a Signal 0day existed it would be worth roughly $33,560,600,000,000 (just enough to pay off the United States national debt).
It would be used by state-sponsored threat actors. It would not be used to spy on anime hoarding nerds
47
244
2K
0
1
6
Before people freak out about the Signal outage being a hack, I’d like to note that it started exactly at 4 PM PST aka 00:00 UTC. Prime for a ‘cron job gone wrong’ kind of outage.
0
0
6
Thanks for the shoutout,
@virusbtn
! 👽🦊
SentinelOne's
@spiderspiders_
writes about a new toolkit dubbed AlienFox. Actors use multiple scripts in this toolset to extract sensitive information such as API keys & exposed configuration files to compromise email & web hosting services.
1
1
4
1
2
6
- writes a tool in cleartext Python
- tells people not to steal it
🤡🤡🤡
0
0
6
KLM gave me a tiny house. idk what to do with all this responsibility
1
0
4
But where are Northrop Grumman’s pride socks? They have nothing on Lockheed Martin.
0
1
6
Thanks
@InformationWeek
for sharing my thoughts on Azure AD misconfigurations!
Astute readers will also see a familiar refrain of mine: Downfall & other speculative execution bugs still live in the theoretical attack space, e.g. no confirmed ITW exploitation. Don’t lose sleep.
🎙
@LabsSentinel
's
@spiderspiders_
in
@InformationWeek
: She comments on two big vulnerabilities discussed at
#BlackHat
2023 to consider: Azure AD misconfigurations and the "Downfall" bug.
"[An Azure AD misconfiguration] can be a massive project depending on the org's
0
0
2
0
3
6