Michael Koczwara (@MichalKoczwara)'s Twitter Profile
Michael Koczwara

@MichalKoczwara

Threat Researcher 🎯

ID:133224082

Link: https://www.linkedin.com/in/michaelkoczwara/
Joined: 15-04-2010 09:32:35

6,9K Tweets

16,4K Followers

1,8K Following

Chris Duggan (@TLP_R3D):

🚨 New Potential 🇨🇳 #Moonbounce C2 45.77.65.219 📡

💻 The SSL is Linked to APT41 (Winnti), a Chinese-speaking hacker group.

🕵️‍♂️ First sighting since May 2023.

🌑Possible foothold for cyber-espionage & data exfiltration to the C2 server.

🔍 APT41's tactics: network…

Germán Fernández (@1ZRR4H):

Hunting #Mirai botnet C2 servers 👋

Shodan: beta.shodan.io/search?query=h…
Censys: search.censys.io/search?q=servi…

Combining the results (12 C&C):

Matthew (@embee_research):

New blog looking at dealing with Encrypted strings in Ghidra.

Leveraging debuggers to semi-automate string decryption and fix up an obfuscated Ghidra file 🤓

embee-research.ghost.io/ghidra-basics-…

The Haag™ (@M_haggis):

🚀 Introducing sigZap! 🌟

Tackling network-based attacks lately got me tired of grep'ing through massive files. So, I developed sigZap! It ingests ET community & Snort community rules and offers a seamless search experience by category or string. Hope it helps you too!

I…

Matthew (@embee_research):

🖥️Query techniques to identify potential malware Infrastructure 🖥️

A quick demo showing ways to use Censys (@censysio) and ThreatFox to build simple queries and find suspicious servers for further investigation.

[1/14] 🧵

Matthew (@embee_research):

Ghidra Basics - Identifying, Decrypting and Fixing Encrypted Strings

Using Ghidra Cross Referencing and x32dbg to identify and fix obfuscated strings.

One of 4 new (paid) and in-depth posts covering common workflows.

[1/10] 🧵

embee-research.ghost.io/ghidra-basics-…

Germán Fernández (@1ZRR4H):

94.198.53.143:8000 ✌️

🚩 Atera RMM, Ngrok, NetSupport RAT (twitter.com/1ZRR4H/status/…), PoshC2 (bazaar.abuse.ch/sample/63229da…), SystemBC (bazaar.abuse.ch/sample/63229da…) and Sliver (bazaar.abuse.ch/sample/1aecadf…) among other tools. I'm sure you remember some of these Michael Koczwara (@MichalKoczwara).

AzAl Security (@azalsecurity):

'After a quick check of these IPs in VirusTotal, 3 interesting IPs standout. These IPs are all associated with Avaddon Ransomware and have similar files all communicating in February 2023. These IPs contain the same RDP configurations as the TeamViewer IP address for our LockBit…

Germán Fernández (@1ZRR4H):

Active ransomware affiliate using and in a potential connection ↓

SectopRAT
Package: hxxps://slimankoomer[.]com/1711[.]zip
DDR: hxxps://pastebin[.]com/raw/fmKmDx8F
C2: 80.66.66.40:15647

MalwareHunterTeam twitter.com/malwrhuntertea…

Mostafa Farghaly (@M4lcode):

Hi folks, This is my first technical analysis report.👾
It's about Vidar stealer with IOCs
I hope you find it enjoyable, and I'm eager to hear your thoughts on it.❤️
m4lcode.github.io/malware%20anal…

Alexander Leslie (@aejleslie):

🚨 👀 💰- New Recorded Future report! This report examines the role of 🇰🇵 North Korean 🇰🇵 cybercriminal operations targeting cryptocurrency.

“The regime views cryptocurrency theft as a major revenue source…for funding military and weapons programs.” recordedfuture.com/crypto-country…

Matthew (@embee_research):

Advanced Threat Intel Queries - Catching 83 Qakbot Servers With Regex, Censys and TLS Certificates

This (Free) writeup includes a detailed walkthrough, IOC's and links to all queries used.

embee-research.ghost.io/advanced-threa…

BertJanCyber (@BertJanCyber):

[🛡 NEW BLOG 🛡]
From Threat Report to (KQL) Hunting Query

Writing valuable hunting queries based on TI reports can be challenging. This blog explores the steps involved in going from a TI report to a query, based on two reports.

🔗kqlquery.com/posts/from-thr…

Joshua Penny (@josh_penny):

#Cactus #Ransomware exploiting vulnerable 'Qlik Sense' servers for Initial Access

Timely Intel from Arctic Wolf 🐺: arcticwolf.com/resources/blog…

Exploited CVEs: CVE-2023-41266, CVE-2023-41265 or potentially CVE-2023-48365 (as reported by John Hilliard, @praetorian)

Matthew (@embee_research):

Manual Shellcode Analysis - Locating and Resolving Function Calls With Ghidra and x32dbg

Experimenting with a new style of (paid) post where I go in-depth on manual analysis. Showing approachable and repeatable workflows for analyzing malware.

embee-research.ghost.io/ghidra-basics-…

Kostas (@Kostastsale):

🔍Behind the Scenes: The Daily Grind of Threat Hunter
I turned a Twitter thread into a blog post on the topic of threat hunting.

This is a real-world example of how I approach threat hunting step-by-step 🕵️‍♂️

👉 Blogpost here: kostas-ts.medium.com/behind-the-sce…
