Senior Threat Intel Advisor, Team Cymru
Will currently works as a Senior Threat Intel Advisor at Team Cymru. Previously he was a CTI Researcher and Threat Hunter at the Equinix Threat Analysis Center (ETAC), and before that he worked for Cyjax, a UK-based CTI vendor. His other main commitment is as co-author of the SANS FOR589: Cybercrime Intelligence course. He has also volunteered his spare time as co-founder and main organiser of the Curated Intelligence trust group and Bournemouth 2600.
Sunday | Aug 10th 2025
DEF CON Creator Stage 3 (Room 231) | Las Vegas Convention Center
APT
State sponsored
threat-actors
Offensive security is meant to improve defenses, but what happens when hostile nation-states start learning from us too? This talk explores how Russian intelligence services and advanced persistent threat (APT) groups have adopted and adapted techniques developed by red teamers, sometimes within weeks of public disclosure. These campaigns take newly disclosed exploits, tools, and tricks and turn them against modern enterprise systems: Microsoft 365 services, Windows features, software development systems, authentication systems, and cloud infrastructure.
Throughout the talk, detection engineering and threat hunting tips will be provided to give attendees practical techniques for detecting and preventing these types of attacks.
For Red Teamers, it’s a wake-up call: the same tools and tradecraft used to test enterprise security are increasingly turning up in real-world espionage campaigns, sometimes targeting the very governments and services we rely on. For Blue Teamers, this talk is a reminder to pay close attention to the cutting edge of offensive tooling.
This talk will dive deep into the Russian APT landscape, analyse years' worth of campaigns, and highlight trends and key takeaways for researchers to leverage for detection engineering, threat hunting, and adversary emulation.
Some of the Russian APT campaign case studies that will be highlighted include:
- M365 Device Code Phishing
- RDP Config Phishing
- M365 Azure Password Spraying
- Microsoft Teams Phishing
- HTML Smuggling Phishing
- Browser-in-the-Browser Phishing
- TeamCity Server Exploitation
- MFA Fatigue Attacks
- Cobalt Strike cs2modrewrite obfuscated C2 traffic
- Hak5 WiFi hacking and Keylogging Devices
- Vulnerability Scanning Services
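As an added example (not part of the talk abstract or the speaker's material), the Python below shows the kind of threat-hunting logic the abstract promises for three of the listed techniques: device code phishing, M365 password spraying, and MFA fatigue. It runs over a small, constructed set of Entra ID sign-in events rather than real telemetry. The field names are a simplified version of the Entra sign-in log schema, the error codes 50126 (invalid password) and 500121 (failed strong authentication) are the AADSTS values as the author of this example understands them, and the thresholds and time windows are illustrative assumptions that should be tuned to your own tenant's baseline.

```python
"""Hunting device-code sign-ins, password sprays and MFA fatigue over
constructed Entra ID sign-in events (added example, not the talk's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, user, ip, protocol, code):
    # Simplified sign-in record; field names approximate the Entra schema.
    return {"time": time, "user": user, "ip": ip, "protocol": protocol, "errorCode": code}


# Constructed sample events (not real telemetry).
SIGNINS = [
    # Alice's normal interactive sign-in, then a completed device code flow
    # from a different IP: the hallmark of a device code phishing campaign.
    ev("2025-08-01T08:00:00", "alice@corp.example", "198.51.100.4", "authorizationCode", 0),
    ev("2025-08-01T09:12:00", "alice@corp.example", "203.0.113.7", "deviceCode", 0),
    # Low-and-slow spray: one IP tries a bad password against six accounts
    # over 25 minutes using ROPC, one attempt per account.
    *[ev(f"2025-08-01T10:{5 * i:02d}:00", f"user{i}@corp.example", "203.0.113.9", "ropc", 50126)
      for i in range(6)],
    # MFA fatigue: Bob's password is known, so the attacker pushes prompts
    # every two minutes until one is approved.
    *[ev(f"2025-08-01T11:{2 * i:02d}:00", "bob@corp.example", "203.0.113.7", "authorizationCode", 500121)
      for i in range(5)],
    ev("2025-08-01T11:09:00", "bob@corp.example", "203.0.113.7", "authorizationCode", 0),
    # Two fat-fingered passwords from the office egress IP: below threshold.
    ev("2025-08-01T12:00:00", "carol@corp.example", "198.51.100.4", "authorizationCode", 50126),
    ev("2025-08-01T12:01:00", "dave@corp.example", "198.51.100.4", "authorizationCode", 50126),
]

INVALID_PASSWORD = 50126      # AADSTS50126 (assumed value)
STRONG_AUTH_FAILED = 500121   # AADSTS500121 (assumed value)


def parse(t):
    return datetime.fromisoformat(t)


def device_code_signins(events):
    """Successful sign-ins that completed the OAuth device code flow.
    Interactive users rarely use it, so each hit deserves a look."""
    return [(e["user"], e["ip"]) for e in events
            if e["protocol"] == "deviceCode" and e["errorCode"] == 0]


def peak_in_window(events, group_by, count, window):
    """For each group, the largest number of distinct `count` values seen
    inside any sliding time `window`. Returns {group: peak}."""
    groups = defaultdict(list)
    for e in events:
        groups[group_by(e)].append(e)
    peaks = {}
    for g, evs in groups.items():
        evs.sort(key=lambda e: e["time"])  # uniform ISO strings sort chronologically
        start = 0
        for end, e in enumerate(evs):
            while parse(e["time"]) - parse(evs[start]["time"]) > window:
                start += 1
            distinct = {count(x) for x in evs[start:end + 1]}
            peaks[g] = max(peaks.get(g, 0), len(distinct))
    return peaks


def password_spray_sources(events, min_users=5, window=timedelta(hours=1)):
    """IPs whose failed-password attempts hit >= min_users distinct accounts
    within `window`. Counting distinct users, not attempts, is what separates
    a spray from one user mistyping a password."""
    failures = [e for e in events if e["errorCode"] == INVALID_PASSWORD]
    peaks = peak_in_window(failures, lambda e: e["ip"], lambda e: e["user"], window)
    return {ip: n for ip, n in peaks.items() if n >= min_users}


def mfa_fatigue_victims(events, min_prompts=4, window=timedelta(minutes=15)):
    """Users who failed strong authentication >= min_prompts times within
    `window`: repeated pushes the user keeps declining or ignoring."""
    denied = [e for e in events if e["errorCode"] == STRONG_AUTH_FAILED]
    peaks = peak_in_window(denied, lambda e: e["user"], lambda e: e["time"], window)
    return {u: n for u, n in peaks.items() if n >= min_prompts}


if __name__ == "__main__":
    print("device code sign-ins:", device_code_signins(SIGNINS))
    print("spray sources:", password_spray_sources(SIGNINS))
    print("MFA fatigue:", mfa_fatigue_victims(SIGNINS))
```

The three hunts share one sliding-window helper because the spray and fatigue cases are the same shape (a burst of a specific failure code, grouped by source IP or by target user); only the grouping key and what is counted differ. Note that a spray shows up as many users with one failure each from a single IP, so a rule keyed on failures per user will never fire on it, while MFA fatigue is the reverse, many failures for one user, often from an IP that has just succeeded with the password. In production the same logic maps directly onto a KQL summarize over SigninLogs with bin() on TimeGenerated.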
Join Adversary Village official Discord server to connect with our amazing community of adversary simulation experts and offensive security researchers!