Tracking Crimson Kingsnake
ID: 9df2d49b-c5b2-599f-a65c-7f059d13a21e
STIX ID: report--9df2d49b-c5b2-599f-a65c-7f059d13a21e
Feed Name: KMsec blog
Threat Score
This report documents the Crimson Kingsnake invoice‑fraud campaign: targeted spearphishing lures and follow-up thread hijacks using compromised Office365 accounts and typo‑squatted domains to deliver PDF invoices. The author used VirusTotal pivots to identify victim organizations, recurring metadata fingerprints (PDF author 'hpins'), domain lists, file hashes, and a LiveHunt YARA rule to track the campaign and surface IOCs.
