Nam Le Phuong

Senior Digital Forensics & Incident Response Specialist | Group-IB

Nam Le has over 13 years of experience in cybersecurity. He currently serves as a Senior Digital Forensics and Incident Response (DFIR) Specialist at Group-IB, where he focuses on investigating sophisticated cyber threats and helping organizations respond to and recover from complex security incidents.

Throughout his career, Nam has led numerous investigations into advanced threat actors, ransomware campaigns, and post-compromise activity targeting critical infrastructure and enterprise environments. His technical research has been published in several in-depth blogs, including analyses of the RansomHub ransomware group, TeamTNT’s operations in cloud-native environments, abuse of Linux Pluggable Authentication Modules (PAM), and stealth techniques involving Linux /proc manipulation.

Nam is a recognized contributor to the MITRE ATT&CK® framework, specifically for Technique T1564.013 (https://attack.mitre.org/techniques/T1564/013/), where he provided insight into evasion tactics involving hidden or obfuscated files and directories. He also holds the GIAC Network Forensic Analyst (GNFA) certification and actively participates in DFIR conferences, sharing field experience and advanced investigation techniques with the broader security community.

In addition to his technical work, Nam has helped build and strengthen customer and partner ecosystems by developing hands-on training and enablement programs. His expertise spans a wide range of areas including digital forensics, virtualization, computer investigations, privileged activity monitoring, anti-fraud, and secure infrastructure design.

Blog posts by Nam Le Phuong

Technologies
November 5, 2025
Ghosts in /proc: Manipulation and Timeline Corruption
Discover how attackers could manipulate the Linux /proc filesystem to hide malicious processes and distort forensic timelines. This technical deep dive highlights examples of command-line substitution and start time corruption, and offers detection and defense strategies for incident responders and security analysts.
Digital Forensics & Incident Response
July 30, 2025
UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion
Deep dive into UNC2891’s multi‑stage bank intrusion: Raspberry Pi ATM implant, bind mount evasion, Dynamic DNS C2, and a CAKETAP move toward HSM manipulation.
Digital Forensics & Incident Response
May 8, 2025
Understanding Credential Harvesting via PAM: A Real-World Threat
Learn how attackers exploit Pluggable Authentication Modules (PAM) for credential harvesting—and discover defenses to harden Linux authentication.
Ransomware
February 12, 2025
RansomHub Never Sleeps Episode 1: The evolution of modern ransomware
Discover how ransomware has evolved into a sophisticated cyber threat, with groups like RansomHub leading the charge. Learn more about their adaptability, TTPs, and the rise of Ransomware-as-a-service in this first-of-three-part trilogy.
Cyber Investigations
September 18, 2024
Storm clouds on the horizon: Resurgence of TeamTNT?
Investigations into recent campaigns suggest that TeamTNT, which went quiet in 2022, may have reemerged in 2023 and remained active to the present day.
Digital Forensics & Incident Response
September 6, 2024
The Duality of the Pluggable Authentication Module (PAM)
The Group-IB DFIR Team has identified a new technique, not yet included in the MITRE ATT&CK framework, in which the pam_exec module is abused to obtain a privileged shell on a host and give a threat actor full persistence.
Digital Forensics & Incident Response
August 26, 2024
Hiding in plain sight: Techniques and defenses against `/proc` filesystem manipulation in Linux
Group-IB explores methods of process visibility evasion through /proc filesystem manipulation in Linux, along with effective defenses to counteract these tactics.