Maxime Thiebaut (@0xthiebaut)'s Twitter Profile

308 Permanent Redirect Location: infosec.exchange/@0xThiebaut 🇧🇪🕊🇺🇦

ID: 1084878647943675904

https://thiebaut.dev

14-01-2019 18:23:20

92 Tweet

694 Followers

147 Following

Maxime Thiebaut (@0xthiebaut)

A few weeks ago Microsoft released #CVE_2022_41120, a “Microsoft Windows #Sysmon Elevation of Privilege Vulnerability” reported by Filip Dragovic. With the #vulnerability and original #PoC released, I can now share the first time I #diff'ed a patch. thiebaut.dev/articles/diffi…

NVISO Labs (@nviso_labs)

🔎 IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole A summary of #VNC #backdoor capabilities Maxime Thiebaut reconstructed from network traffic. 👀 Screenshots, videos and clipboard data at blog.nviso.eu/2023/03/20/ice… #Malware #PCAP #Reversing

The DFIR Report (@thedfirreport)

A new report will be out June 12th by Kostas, Zach & Maxime Thiebaut! This report will have a few things we haven't covered before, you won't want to miss it! Want to receive an email when we publish the report? Subscribe below thedfirreport.com/subscribe/

The DFIR Report (@thedfirreport)

A Truly Graceful Wipe Out ➡️Initial Access: Email > TDS > Truebot download ➡️Credentials: LSASS & Registry Dump ➡️Persistence: Scheduled Task ➡️C2: Truebot, FlawedGrace, Cobalt Strike ➡️Exfiltration: FlawedGrace ➡️Impact: MBR Killer thedfirreport.com/2023/06/12/a-t… 1/X

MalwareHunterTeam (@malwrhunterteam)

Got the account locked because of DMCA. 🤦‍♂️ Forgot to screenshot the step after the first screenshot, but anyway, it did not include which tweet got reported and by who, should check emails it said. So going to check now...

Kostas (@kostastsale)

JAMESWT_MHT Awesome article, and here is the tool that came with it put together by Maxime Thiebaut: github.com/0xThiebaut/PCA… Works like a charm; I used it more than once 🙂

The DFIR Report (@thedfirreport)

From ScreenConnect to Hive Ransomware in 61 hours ➡️Initial Access: ScreenConnect ➡️Defense Evasion: BITS Jobs, Embedded Payloads ➡️Lateral Movement: Impacket, RDP, SMB ➡️C2: ScreenConnect, Atera, Splashtop, Cobalt Strike, Metasploit ➡️Exfil: Rclone thedfirreport.com/2023/09/25/fro… 1/X

NVISO Labs (@nviso_labs)

New blog post! Title: Covert TLS n-day backdoors: SparkCockpit & SparkTar | by NVISO Incident Response Link: wp.me/p84lDr-4w7 #Forensics #ReverseEngineering #CVE #Ivanti #PulseSecure

SANS DFIR (@sansforensics)

At #RansomwareSummit, Pete & Maxime Thiebaut will explore the evolving landscape of #Ransomware tactics and strategies, providing actionable insights for bolstering #Cybersecurity defenses. Register for Free Live Online: sans.org/u/1soB

SANS DFIR (@sansforensics)

We're closing out today's #RansomwareSummit w/ Pete & Maxime Thiebaut exploring the evolving landscape of #ransomware tactics and strategies, providing actionable insights for bolstering #cybersecurity defenses. Register Free to Join / Access Recordings: sans.org/u/1soB

BC Security (@bcsecurity)

ScriptBlock Smuggling is a new technique, developed by Hubbl3 & Cx01N, that allows for the spoofing of PowerShell security logs & bypasses AMSI without the need for reflection or memory patching. Learn all about it in our new blog post! bc-security.org/scriptblock-sm…

Meredith Whittaker (@mer__edith)

Respectfully, your proposal does break encryption. I am happy to spend as much time as you need reviewing in as much detail as you are comfortable with exactly how it breaks encryption, and why this is so dangerous.

NVISO Labs (@nviso_labs)

New blog post! Title: MEGAsync Forensics and Intrusion Attribution | By Maxime Thiebaut Link: wp.me/p84lDr-4FS #Forensics #MEGAsync #LockBit #Python #Statecache

NVISO Labs (@nviso_labs)

New blog post! Title: Hunting Chromium Notifications | By Maxime Thiebaut Link: wp.me/p84lDr-4sj #ThreatHunting #Phishing #Chromium #Chrome #Edge #Forensics

NVISO Labs (@nviso_labs)

On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in the wild beginning mid-October 2024. All details - blog.nviso.eu/2025/09/29/you…