Francis Guibernau

Author
Francis Guibernau is an Adversary Research Engineer and member of the Adversary Research Team (ART) at AttackIQ. Francis conducts in-depth threat research and analysis to design and create highly sophisticated and realistic adversary emulations. He also coordinates the Cyber Threat Intelligence (CTI) project which focuses on the research, analysis, tracking and documentation of adversaries, malware families and cybersecurity incidents. Francis has extensive experience in adversary intelligence, encompassing both Nation-State and eCrime threats, as well as in vulnerability assessment and management, having previously worked at Deloitte and BNP Paribas.
Francis Guibernau

See other articles by Francis Guibernau

Response to CISA Advisory (AA24-290A): Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
Adversary Emulation

Response to CISA Advisory (AA24-290A): Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-290A), published on October 16, 2024. The advisory highlights that since October 2023, Iranian cyber actors have used password spraying and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and gain access to organizations across various critical infrastructure sectors.
Read More
Emulating the Opportunistic and Lightweight Lumma Stealer
Adversary Emulation

Emulating the Opportunistic and Lightweight Lumma Stealer

AttackIQ has released a new assessment template that addresses the numerous post-compromise Tactics, Techniques, and Procedures (TTPs) associated with the subscription-based information stealer known as Lumma Stealer.
Read More
Emulating the Surging Hadooken Malware
Adversary Emulation

Emulating the Surging Hadooken Malware

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the Hadooken malware during intrusions that abused misconfigurations and critical Remote Code Execution (RCE) vulnerabilities on public-facing Oracle Weblogic Servers.
Read More
Emulating the Petrifying Medusa Ransomware
Adversary Emulation

Emulating the Petrifying Medusa Ransomware

AttackIQ has released a new attack graph that emulates the behaviors exhibited by Medusa ransomware since the beginning of its activities in June 2021. Medusa is predominantly propagated through the exploitation of vulnerable services, such as public-facing assets or applications with known unpatched vulnerabilities, and the hijacking of legitimate accounts, often using Initial Access Brokers (IABs) for infiltration.
Read More
Response to CISA Advisory (AA24-249A): Russian Military Cyber Actors Target US and Global Critical Infrastructure
Adversary Emulation

Response to CISA Advisory (AA24-249A): Russian Military Cyber Actors Target US and Global Critical Infrastructure

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-249A) published on September 5, 2024, that assesses cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155), who are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.
Read More
Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware
Adversary Emulation

Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-207A) published on August 29, 2024, that disseminates known RansomHub ransomware IOCs and TTPs that have been identified through FBI threat response activities and third-party reporting as recently as August 2024.
Read More
Emulating the Extortionist Mallox Ransomware
Adversary Emulation

Emulating the Extortionist Mallox Ransomware

AttackIQ has released a new attack graph that emulates the behaviors exhibited by Mallox ransomware since the beginning of its activities in June 2021. Mallox primarily gains access to victim networks through dictionary brute-force attacks against unsecured MS-SQL servers.
Read More
Emulating Sandworm’s Prestige Ransomware
Adversary Emulation

Emulating Sandworm’s Prestige Ransomware

AttackIQ has released a new attack graph that emulates the behaviors exhibited by Prestige ransomware since the beginning of its activities in October 2022. Prestige has been observed targeting organizations in the transportation and related logistics sectors located in Ukraine and Poland. In November 2022, it was assessed that the Russian adversary known as Sandworm was most likely behind these attacks.
Read More
Emulating the Politically Motivated North Korean Adversary Andariel – Part 2
Adversary Emulation

Emulating the Politically Motivated North Korean Adversary Andariel – Part 2

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the North Korean state-sponsored adversary Andariel during Operation Blacksmith which affected manufacturing, agricultural and physical security companies in multiple regions.
Read More
Emulating the Prickly Cactus Ransomware
Adversary Emulation

Emulating the Prickly Cactus Ransomware

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the Cactus ransomware since the beginning of its activities in March 2023. Cactus has targeted a wide variety of organizations since its inception and has breached more than 140 entities as of July 2024.
Read More
Emulating the Long-Term Extortionist Nefilim Ransomware
Adversary Emulation

Emulating the Long-Term Extortionist Nefilim Ransomware

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the extortionist ransomware Nefilim during activities against multiple organizations, primarily based in North or South America, distributed in the financial, manufacturing, or transportation industries since its emergence in March 2020.
Read More
Emulating the Sabotage-Focused Russian Adversary Sandworm<br>– Part 2
Adversary Emulation

Emulating the Sabotage-Focused Russian Adversary Sandworm
– Part 2

AttackIQ has released two new attack graphs that emulate the behaviors exhibited by the highly sophisticated Russian adversary Sandworm during various destructive activities against targets in Ukraine and other countries in the region shortly before the launch of the Russian invasion on February 24, 2022.
Read More