Félix AIME

Principal Threat Researcher

Articles by
Félix AIME

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Threat Research & Intelligence

TDR

September 2, 2025

Predators for Hire: A Global Overview of Commercial Surveillance Vendors

This report provides an overview of the commercial surveillance vendors ecosystem between 2010 and 2025, analysing their spyware offerings, business models, client base, target profiles, and infection chains.

Threat Detection & Research Team

Maxime ARQUILLIERE

Coline CHAVANE

Félix AIME

Threat Research & Intelligence

TDR

May 22, 2025

ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.

This blog post analyzes the Vicious Trap, a honeypot network deployed on compromised edge devices.

Félix AIME

Jérémy SCION

Threat Detection & Research Team

Threat Research & Intelligence

TDR

March 31, 2025

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.

Amaury-Jacques GARCON

Coline CHAVANE

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

February 25, 2025

PolarEdge: Unveiling an uncovered ORB network

This blog post analyzes the PolarEdge backdoor and its associated botnet, offering insights into the adversary’s infrastructure.

Jérémy SCION

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

January 13, 2025

Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

Uncover the details of UAC-0063 cyberespionage campaign in Kazakhstan and its potential connection to APT28

Amaury-Jacques GARCON

Maxime ARQUILLIERE

Erwan CHEVALIER

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

October 2, 2024

Bulbature, beneath the waves of GobRAT

Since mid 2023, Sekoia Threat Detection & Research team (TDR) investigated an infrastructure which controls compromised edge devices transformed into Operational Relay Boxes used to launch offensive cyber attack.

Threat Detection & Research Team

Amaury-Jacques GARCON

Félix AIME

Threat Research & Intelligence

TDR

September 25, 2024

SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites

Our investigation uncovered 25 kurdish websites compromised by four different variants of a malicious script, ranging from the simplest, which obtains the device's location, to the most complex, which prompts selected users to install a malicious And

Threat Detection & Research Team

Félix AIME

Maxime ARQUILLIERE

Threat Research & Intelligence

TDR

September 9, 2024

A glimpse into the Quad7 operators' next moves and associated botnets

Uncover the secrets of the Quad7 botnet and its ever-evolving toolset. Learn about the new backdoors and protocols used by these operators.

Threat Detection & Research Team

Félix AIME

Pierre-Antoine DUCHANGE

Charles MESLAY

Threat Research & Intelligence

TDR

July 23, 2024

Solving the 7777 Botnet enigma: A cybersecurity quest

Discover 7777 botnet (aka Quad7) and its activity, targets, and use of TP-Link routers in Microsoft 365 attacks in our latest investigation.

Threat Detection & Research Team

Félix AIME

Pierre-Antoine DUCHANGE

Charles MESLAY

Grégoire CLERMONT

Threat Research & Intelligence

TDR

April 25, 2024

Unplugging PlugX: Sinkholing the PlugX USB worm botnet

Learn about our process for collecting telemetry data from PlugX worm-infected workstations, as well as how to disinfect them.

Threat Detection & Research Team

Félix AIME

Charles MESLAY

Threat Research & Intelligence

TDR

February 28, 2024

The Predator spyware ecosystem is not dead

Discover our TDR team's revelations about Predator spyware: its C2 infrastructure and list of countries still using its cyber espionage tool.

Threat Detection & Research Team

Félix AIME

Maxime ARQUILLIERE

Threat Research & Intelligence

TDR

October 2, 2023

Active Lycantrox infrastructure illumination

Sekoia.io is actively monitoring hundreds of malicious infrastructure clusters to protect its customers. In light of the recent Citizenlab blogspot and in solidarity with the efforts against cyber mercenaries, we have chosen to shed light on one of t

Félix AIME

Maxime ARQUILLIERE

Threat Detection & Research Team

Threat Research & Intelligence

TDR

May 17, 2023

APT28 leverages multiple phishing techniques to target Ukrainian civil society

The APT28 intrusion set (aka. Sofacy, PawnStorm, Fancy Bear), associated to the Russian GRU was observed using multiple phishing techniques to target the Ukrainian civil society.

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

March 30, 2023

SEKOIA.IO analysis of the #VulkanFiles leak

In January 2023, French newspaper Le Monde offered SEKOIA.IO to cooperate on investigating exfiltrated Russian-written documents related to the Moscow-based private company Vulkan.

Félix AIME

Maxime ARQUILLIERE

Threat Detection & Research Team

Threat Research & Intelligence

TDR

March 16, 2023

Peeking at Reaper’s surveillance operations

In this blogpost you will find the results of a survey conducted by our analysts on two Command and Control servers (C2s) of the North Korea-nexus intrusion set Reaper (aka APT37). This investigation led to the uncovering of several phishing webpages

Charles MESLAY

Félix AIME

Threat Research & Intelligence

TDR

January 10, 2023

Raspberry Robin's botnet second life

As many botnets and worms, Sekoia analysts demonstrate through this article that Raspberry Robin can be repurposed by other threat actors to deploy their own implants.

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

December 5, 2022

Calisto show interests into entities involved in Ukraine war support

Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimolog

Félix AIME

Maxime ARQUILLIERE

Threat Detection & Research Team

Threat Research & Intelligence

TDR

August 12, 2022

LuckyMouse uses a backdoored Electron app to target MacOS

LuckyMouse uses a backdoored Electron app to target MacOS. This is the first time that Sekoia observed LuckyMouse targeting MacOS.

Félix AIME

Charles MESLAY

Threat Detection & Research Team

Threat Research & Intelligence

TDR

June 22, 2022

CALISTO continues its credential harvesting campaign

March 30, 2022, Google TAG published several IOCs related to CALISTO - a Russia-nexus threat actor. Discover our analysis.

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

June 1, 2022

MSDT abused to achieve RCE on Microsoft Office

Discover through our article, how attackers hijack the Microsoft Support Diagnostic Tool to remotely execute arbitrary code under Windows

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

November 10, 2021

Walking on APT31 infrastructure footprints

APT31 is an Advanced Persistent Threat group whose mission is likely to gather intelligence on behalf of the Chinese government.

Félix AIME

Threat Research & Intelligence

TDR

December 13, 2021

Log4Shell: the defender’s worst nightmare ?

In this blogpost, our Threat & Detection Research team answers your interrogations on Log4Shell.

Félix AIME

Threat Detection & Research Team

Threat Research & Intelligence

TDR

January 6, 2022

NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies

NOBELIUM is another name for the APT29 intrusion set, operated by a threat actor allegedly linked to the SVR

Félix AIME

Threat Detection & Research Team

Félix AIME

Articles byFélix AIME

Predators for Hire: A Global Overview of Commercial Surveillance Vendors

ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

PolarEdge: Unveiling an uncovered ORB network

Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

Bulbature, beneath the waves of GobRAT

SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites

A glimpse into the Quad7 operators' next moves and associated botnets

Solving the 7777 Botnet enigma: A cybersecurity quest

Unplugging PlugX: Sinkholing the PlugX USB worm botnet

The Predator spyware ecosystem is not dead

Active Lycantrox infrastructure illumination

APT28 leverages multiple phishing techniques to target Ukrainian civil society

SEKOIA.IO analysis of the #VulkanFiles leak

Peeking at Reaper’s surveillance operations

Raspberry Robin's botnet second life

Calisto show interests into entities involved in Ukraine war support

LuckyMouse uses a backdoored Electron app to target MacOS

CALISTO continues its credential harvesting campaign

MSDT abused to achieve RCE on Microsoft Office

Walking on APT31 infrastructure footprints

Log4Shell: the defender’s worst nightmare ?

NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies

Articles by
Félix AIME