Poppaea (@0xpoppaea) 's Twitter Profile
Poppaea

@0xpoppaea

security research @ stacklok - into detection engineering, data science, physics, lego, cats 👩🏼‍💻👾 ex-Countercept

ID: 1277946327838703616

Link: http://poppysec.github.io
Joined: 30-06-2020 12:45:40

37 Tweets

50 Followers

96 Following

Jack 💤 (@threebluezs) 's Twitter Profile Photo

So #Emotet is back once again with the traditional Email -> XLS -> XLM -> Regsvr -> Dll execution flow. IoCs are readily available checking the hashtag but as a group known to use 'hashbusting', let's complement these IoCs with some hunting #mde 🧵
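The thread above points at behaviour-based hunting because hashbusting makes hash IoCs short-lived. As an added example (not code from the thread or from @threebluezs), here is that idea as Python detection logic run over constructed process-creation events: an Office host (Excel, generalised here to Word and PowerPoint as well) spawning regsvr32.exe, with extra reasons recorded when the registered file sits in a user-writable path or does not carry a .dll extension. The event field names and the sample records are assumptions, not telemetry from the thread.

```python
import re

# Constructed sample process-creation events (not real telemetry); field
# names loosely follow Sysmon / EDR conventions and are an assumption.
EVENTS = [
    {"host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /S "C:\Users\alice\AppData\Local\Temp\oxbn.ocx"'},
    {"host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"host": "ws03",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
    {"host": "ws04",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Common Files\plugin.dll"'},
]

# Office hosts that should not normally be registering COM servers.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Locations a standard user can write to (a maldoc drops its payload here).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# Splits a command line into quoted and unquoted tokens.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_target(cmdline):
    """Return the file regsvr32 was asked to register: the last argument
    that is not a switch such as /s, /n or /i:..."""
    tokens = [q or u for q, u in TOKEN.findall(cmdline)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else ""


def hunt_office_regsvr32(events):
    """Flag Office -> regsvr32 process creations and explain why each one
    was flagged. Returns a list of {host, target, reasons} dicts."""
    hits = []
    for ev in events:
        if basename(ev["parent_image"]) not in OFFICE_PARENTS:
            continue
        if basename(ev["image"]) != "regsvr32.exe":
            continue
        target = regsvr32_target(ev["command_line"])
        reasons = ["office_parent_spawned_regsvr32"]
        if USER_WRITABLE.search(target):
            reasons.append("dll_in_user_writable_path")
        if target and not target.lower().endswith(".dll"):
            # Emotet-style loaders are often renamed (.ocx, .dat, no extension).
            reasons.append("non_dll_extension:" + target.rsplit(".", 1)[-1].lower())
        hits.append({"host": ev["host"], "target": target, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_office_regsvr32(EVENTS):
        print(hit["host"], hit["target"], ", ".join(hit["reasons"]))
```

Against the sample events only ws01 and ws04 are returned; ws01 carries all three reasons, ws04 only the parent/child relationship, which is where an analyst would triage first. The same parent/child plus command-line test is what the MDE hunting query in the thread would express in KQL over DeviceProcessEvents.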

Jack 💤 (@threebluezs) 's Twitter Profile Photo

Are you ever in the midst of reviewing web browser logs only to find yourself desperate to write some SQL? Me neither, so I wrote a python script to do it instead. Convert web browser history DBs into more human-readable .CSVs with BrowserDBParser github.com/CyberGoatherde…

Unit 42 (@unit42_intel) 's Twitter Profile Photo

2023-01-31 (Tuesday) - #Qakbot (#Qbot) returns after one month hiatus, now using OneNote (.one) files as initial lure. Saw #CobaltStrike on 104.237.219[.]36 using ciruvowuto[.]com as the domain. Also saw VNC traffic from this infection. IoCs available at bit.ly/3DqSszS

@mikko (@mikko) 's Twitter Profile Photo

New report from us: ”No Pineapple”. We assess that this attack campaign is coming from the 3rd Bureau of the North Korean People’s Army. We believe North Korea used this attack for technological and commercial espionage. labs.withsecure.com/publications/n…

WithSecure™ (@withsecure) 's Twitter Profile Photo

Worried about malicious OneNote attachments? No need if you follow this advice, courtesy of Riccardo and @goldb3rry>> withsecure.com/en/expertise/b… #cyberattacks #OneNote #Microsoft #cybersecurity

The Diana Initiative (@dianainitiative) 's Twitter Profile Photo

Aug 7, 2023, The Diana Initiative, Westin Las Vegas Hotel and Spa: "The Virtuous Cycle of Hunt-Focused Purple Teaming", presented by Poppaea McDermott & Jojo O'Gorman. Tickets on sale: tdi.mobi/tickets #TDI2023 #LeadTheChange dianainitiative.com

Cyber Threats Xposed (@cybersauna) 's Twitter Profile Photo

How long do you want to give attackers? In #CyberSauna 79, we give the floor to WithSecure’s Jojo O’Gorman and Mehmet Mert Surmeli to discuss why speed - in addition to being proactively reactive - is key to reducing the response gap> withsecure.com/en/expertise/p… #cybersecurity

Sochima (@so_sochima) 's Twitter Profile Photo

Really excited for my first talk at a security conference! I’ll be speaking at Blue Team Con about the journey to security consultancy and how organisations can benefit from hiring from outside the norm! See you on the 26th! 🔊

KT (@j3lly____) 's Twitter Profile Photo

It was my first time attending The Diana Initiative this year! Such a nice vibe and incredibly inclusive. Poppaea and @goldb3rry represented from the WithSecure™ team, and absolutely smashed their talk on Hunt-Focused Purple Teaming 💜

Stacklok (@stacklokhq) 's Twitter Profile Photo

Earlier this week, we discovered that the Roblox Node.js library was hit by the "Destroy Loneliness" npm starjacking attack, deploying QuasarRAT. Execution of this virus would have allowed the attacker to establish command and control over affected Windows endpoints. We've

Stacklok (@stacklokhq) 's Twitter Profile Photo

On July 22nd, our Trusty team flagged a malicious npm package, next-react-notify, shortly after it was published. This package is a modified version of the popular call-bind with an added malicious script. Our detection system identified suspicious metadata signals, revealing a

Luke Hinds (@decodebytes) 's Twitter Profile Photo

trustypkg and Stacklok threat hunter Poppaea discovered a North Korean state actor exploit. Cool post-analysis by Poppy as always: stacklok.com/blog/north-kor…

Stacklok (@stacklokhq) 's Twitter Profile Photo

Attackers continue to abuse open source ecosystems as a vector to deliver malware. In this incident, at least 4 trojanized npm packages silently collected and exfiltrated users' cryptocurrency wallet secrets upon installation. Read Poppaea's analysis of this attack here:

Stacklok (@stacklokhq) 's Twitter Profile Photo

On 8/29, we found malicious code in Python Package Index package "invokehttp." This package raised red flags due to inconsistencies in its metadata and the absence of any verified connection to its claimed GitHub repository. Full analysis here: stacklok.com/blog/cross-pla… #cybersecurity #malware
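The four Stacklok posts above (the "Destroy Loneliness" starjacking attack, next-react-notify as a copy of call-bind with an added script, the trojanized wallet-stealing packages that fire on installation, and invokehttp with no verifiable link to its claimed repository) all turn on metadata signals that can be checked before anything is installed. As an added example, and not Stacklok's Trusty code, here is a metadata-only check in Python over constructed package.json documents: it compares the registry manifest with the package.json found in the repository the manifest claims, and inspects install-time hooks. The package names, repository URLs and the list of suspicious command fragments are assumptions for illustration.

```python
import re

# npm lifecycle hooks that run code on the consumer's machine at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Command fragments that commonly show up in malicious install hooks
# (assumed heuristic list, not an exhaustive signature).
SUSPICIOUS_CMD = re.compile(
    r"(node\s+-e|curl\b|wget\b|powershell|base64|child_process|eval\()", re.I)


def repo_slug(repository):
    """Normalise a package.json 'repository' field (string or {type,url})
    to 'owner/name' for GitHub URLs; None if absent or not GitHub."""
    if not repository:
        return None
    url = repository.get("url", "") if isinstance(repository, dict) else repository
    m = re.search(r"github\.com[/:]([^/]+)/([^/#?]+?)(?:\.git)?/?$", url, re.I)
    return f"{m.group(1)}/{m.group(2)}".lower() if m else None


def assess_package(manifest, repo_manifest):
    """Return (verdict, signals) for a registry manifest.

    repo_manifest is the package.json read from the repository the manifest
    claims, or None when that repository is missing or unreachable.
    """
    signals = []
    slug = repo_slug(manifest.get("repository"))
    if slug is None:
        signals.append("no_repository_link")
    elif repo_manifest is None:
        signals.append("repository_unverifiable")
    else:
        # Starjacking: the claimed repo actually publishes a different package,
        # so its stars and history do not belong to this name.
        if repo_manifest.get("name") != manifest.get("name"):
            signals.append(f"starjacking:repo_publishes_{repo_manifest.get('name')}")
        if repo_slug(repo_manifest.get("repository")) not in (None, slug):
            signals.append("repo_manifest_points_elsewhere")

    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            signals.append(f"install_hook:{hook}")
            if SUSPICIOUS_CMD.search(cmd):
                signals.append(f"suspicious_install_command:{hook}")

    if any(s.startswith(("starjacking", "suspicious_install_command")) for s in signals):
        verdict = "block"
    elif signals:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, signals


# Constructed sample manifests (hypothetical names and URLs).
GOOD = {"name": "tidy-notify", "version": "1.2.0",
        "repository": {"type": "git", "url": "git+https://github.com/example-org/tidy-notify.git"},
        "scripts": {"test": "node test.js"}}
GOOD_REPO = {"name": "tidy-notify", "repository": "https://github.com/example-org/tidy-notify"}

# A copy of a popular package under a new name, claiming the popular repo
# and adding a postinstall hook that runs an extra script.
BAD = {"name": "fast-bind-utils", "version": "1.0.3",
       "repository": {"type": "git", "url": "git+https://github.com/popular-org/well-known-bind.git"},
       "scripts": {"postinstall": "node -e \"require('./setup.js')\""}}
BAD_REPO = {"name": "well-known-bind", "repository": "https://github.com/popular-org/well-known-bind"}

# No repository link at all, nothing to verify against.
ORPHAN = {"name": "quickhttp-shim", "version": "0.0.1"}


if __name__ == "__main__":
    for label, manifest, repo in (("good", GOOD, GOOD_REPO), ("bad", BAD, BAD_REPO), ("orphan", ORPHAN, None)):
        print(label, *assess_package(manifest, repo))
```

The verdict is deliberately coarse: a name mismatch between the registry manifest and the claimed repository, or an install hook that spawns a shell or `node -e`, is enough to block on its own, while a merely unverifiable repository only warrants review, since plenty of legitimate packages have stale or private repository links.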

Poppaea (@0xpoppaea) 's Twitter Profile Photo

My latest blog post for Stacklok! NK APTs exploiting dependencies in the open source supply chain: Fake job coding test -> Clone repo -> Repo depends on malicious NPM pkg -> Deploy BeaverTail stealer -> Execute InvisibleFerret backdoor