0x6e6572 (@0x6e6572)'s Twitter Profile

0x6e6572
@0x6e6572
ID: 1594419556142940162
Joined: 20-11-2022 19:58:37
53 Tweets, 6 Followers, 178 Following

vx-underground (@vxunderground):

We've updated the vx-underground Linux malware paper collection

2019-08-08 - Zombie Ant Farm - Playing Hide and Seek with Linux EDRs
2021-02-26 - Linux Restricted Shell Bypass
2021-07-01 - Evasive Techniques Used By Malicious Linux Shell Scripts

vx-underground.org/linux.html

vx-underground (@vxunderground):

GoDaddy has stated an unknown Threat Actor has maintained persistent access to their network since at least 2019. The Threat Actor unveiled themselves 4 times, without losing access, in 2019, 2020, 2021, and 2022 Intel via Gi7w0rm More information: bleepingcomputer.com/news/security/…

Patrick Wardle (@patrickwardle):

RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) 🍎🐛☠️ One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized" ...let's dive in! 1/n 🧵

Red Canary (@redcanary):

The free-to-use software is intended to help researchers monitor and analyze macOS system events, much like ProcMon for Windows systems. Join Brandon Dalton and Matt Graeber for a webinar on how to use a new, free tool, RedRoc. redcanary.com/resources/webi…

Kostas (@kostastsale):

Today, me and Alex Teixeira are releasing the EDR Telemetry project. This project aims to compare and evaluate the telemetry of various EDR products. ✅Introductory blog post: t.ly/9Ia3 ✅GitHub Repo: github.com/tsale/EDR-Tele… ✅Comparison Table: t.ly/HMht

5pider (@c5pider):

The Havoc Framework now has its own website. All information, documentation, and tutorials are there. It's still under heavy work but I wanted to make it public so people can learn, help and contribute to the project. havocframework.com

f1zm0 (@f1zm0):

I've just released acheron, a package that you can use to add indirect syscalls capabilities to your Go tradecraft. github.com/f1zm0/acheron

Max_Malyutin (@max_mal_):

#Qakbot Infection #TTPs Fake "Microsoft Azure"🚨

#DFIR Exec Flow: one > msi > [MSI] > exe > wsf > ps1 > [WMI] > dll

[+] User Execution T1204: one
[+] Msiexe T1218.007: msi
[+] JScript T1059.007: wsf
[+] WMI T1047: Win32_Process
[+] Rundll32 T1218.011: Export func "Motd"

0xor0ne (@0xor0ne):

Friendly reminder on the existence of this interactive map of the Linux kernel.
High level overview of how the Linux kernel is structured.

Map: makelinux.github.io/kernel/map/ 
Source repo: github.com/makelinux/linu…

#Linux

vx-underground (@vxunderground):

National Hazard Agency, the sub-clique of Lockbit ransomware group responsible for the TSMC (Taiwan Semiconductor Manufacturing Company) ransomware attack has shared more photos of the compromise.

Their demand for $70,000,000 makes this one of the largest ransoms of all time.

vx-underground (@vxunderground):

ALPHV ransomware claims to have exfiltrated 7TB of patient information from a healthcare facility in the UK.

Yes, this is a profoundly large set of data. But, the question we pose: who the hell is going to download 7TB of data over TOR?

Jean (@jean_maes_1994):

I was today years old when I learned about multiple ways to load a driver into the system that do not need SCM interaction... kernelmode.info/forum/viewtopi…

Unit 42 (@unit42_intel):

2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL

Jack 💤 (@threebluezs):

Quick hunts for #Qakbot 's return 🦆

🔍MsiExec.exe running with Args "/HideWindow rundll32"

🔍Rundll32.exe launching SearchIndexer.exe

🔍SearchIndexer.exe running NOT as SYSTEM

🔍SearchIndexer.exe loading wininet.dll / winhttp.dll

🔍POSTs to QueryPath /teorema505