Konstantin Klinger (@kk_onstantin)'s Twitter Profile
Konstantin Klinger

@kk_onstantin

Detection Engineering | he/him | 🌱⚽️🏃‍♂️🚴‍♂️🏊‍♂️ | tweets are my own

ID: 1064197721857409025

Link: https://www.linkedin.com/in/konstantin-klinger-943a14168/ | Joined: 18-11-2018 16:44:43

884 Tweets

697 Followers

749 Following

threatray (@threatray)

Staring at your #IDAPro disassembler window and wondering if you’ve seen this code before? Get a walkthrough of our CTO and Co-founder Jonas Wagner on how Threatray brings #BinaryIntelligence into your #ReverseEngineering workflows in Part 3 of our series. youtu.be/y4oP2LGRT7g

threatray (@threatray)

Want to be faster at creating solid #YARA rules from a set of samples? Tune in to our CTO and Co-founder Jonas Wagner taking you through YARA rule crafting with Threatray in Part 4 of our new series. youtu.be/Pcmm8GK71K4

𝕸𝓎𝖐𝖎𝖑𝖑 ☠️ (@mykill)

I'm hiring a malware reverse engineer in Munich to join Malware Operations in the FLARE team at Mandiant / Google Cloud! Could this be you? Take a look! 👇 google.com/about/careers/…

Konstantin Klinger (@kk_onstantin)

I’m looking forward to speaking at #ProofpointProtect 2024, happening October 29-30 in Chicago. Register today and join @selenalarson and me. ow.ly/HM1V50TR98G

Sublime Security (@sublime_sec)

We've observed a rise in Living off the Land email attacks where attackers abuse legitimate service infrastructure.

Our newest Attack Spotlight details one of these attack variants abusing Docusign to deliver malware via callback phishing: sublime.security/blog/living-of…

Threat Insight (@threatinsight)

Proofpoint is a platinum sponsor of @oisfoundation, the host of this week's #SuriCon2024.

Tomorrow, join our researchers for two valuable presentations:

🎤 Jumping Over Geofences: Konstantin Klinger & Matthew Bing
🎤 Catching Moonbeams - Lua in Suricata 8.0: Christopher Wakelin

Threat Insight (@threatinsight)

So, if we want to detect these concatenated zips, we should focus on the last EOCD, and make sure that the bytes at the PKCD offset are not the PKCD header. Yara: github.com/EmergingThreat….
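The check described in the tweet above, written out as an added example (this is not the Emerging Threats YARA rule linked there, and the function and variable names are my own): it builds two small archives with the standard library, concatenates them, locates the last EOCD record and tests whether the central directory offset it carries really points at a central directory header. It also goes one step beyond the byte-at-offset test by checking that the central directory ends exactly where that EOCD begins; that second check is what catches two concatenated archives with identical layouts, where the offset happens to land on the first archive's own central directory header.

```python
"""Detect concatenated ZIP archives by validating the last EOCD record.

Added example, not code from the tweet or from the Emerging Threats
repository. The sample archives are constructed in memory with the
standard library so the script runs offline.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"        # end of central directory record
CD_SIG = b"PK\x01\x02"          # central directory file header
EOCD_FIXED_LEN = 22
MAX_COMMENT_LEN = 0xFFFF        # the EOCD comment length is a 16-bit field


def find_last_eocd(data: bytes) -> int:
    """Offset of the last EOCD signature, searched only in the trailing
    window a ZIP comment could occupy (the window most extractors honour)."""
    window_start = max(0, len(data) - EOCD_FIXED_LEN - MAX_COMMENT_LEN)
    pos = data.rfind(EOCD_SIG, window_start)
    if pos < 0:
        raise ValueError("no EOCD record found")
    return pos


def check_concatenation(data: bytes) -> dict:
    """Parse the last EOCD and compare its central directory pointer with
    what is actually in the file at that offset.

    Two independent checks:
      * cd_sig_at_offset: the bytes at cd_offset are a CD header (the
        tweet's test)
      * cd_adjacent_to_eocd: cd_offset + cd_size lands exactly on this EOCD
        (stricter; Python's zipfile computes the same difference and
        silently treats it as the length of prepended data)
    """
    eocd = find_last_eocd(data)
    # EOCD layout after the 4-byte signature: disk(2) cd_disk(2)
    # entries_disk(2) entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
    entries, cd_size, cd_offset, comment_len = struct.unpack_from(
        "<HIIH", data, eocd + 10
    )
    sig_ok = data[cd_offset:cd_offset + 4] == CD_SIG
    layout_ok = cd_offset + cd_size == eocd
    trailing_ok = eocd + EOCD_FIXED_LEN + comment_len == len(data)
    return {
        "eocd_offset": eocd,
        "entries": entries,
        "cd_offset": cd_offset,
        "cd_sig_at_offset": sig_ok,
        "cd_adjacent_to_eocd": layout_ok,
        "no_trailing_data": trailing_ok,
        # bytes sitting in front of the archive this EOCD actually describes
        "prepended_bytes": eocd - cd_size - cd_offset,
        "suspicious": not (sig_ok and layout_ok),
    }


def make_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a one-entry stored ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_zip("readme.txt", b"hello")
    # the second archive is a different size, so its cd_offset points into
    # the middle of the first archive and the signature check fires
    concat = clean + make_zip("payload.bin", b"X" * 40)
    # same-size twin: cd_offset lands exactly on the first archive's CD
    # header, so only the adjacency check catches it
    twin = clean + make_zip("readme.txt", b"world")
    for label, blob in (("clean", clean), ("concat", concat), ("twin", twin)):
        print(label, check_concatenation(blob))
```

`prepended_bytes` is the same quantity the Python `zipfile` module derives and then quietly compensates for when it opens such a file, which is why an extractor and a signature that only looks at the first local file header can disagree about what the archive contains; `no_trailing_data` is reported separately because bytes appended after the last EOCD are a different evasion from the concatenation the tweet describes.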

Leonid Bezvershenko (@bzvr_)

🚨 We discovered two malicious Python packages in #PyPI repository that remained undetected for over a year. These packages mimicked tools for working with popular AI language models (#ChatGPT and #Claude), silently exfiltrating data and compromising developer environments.

Threat Insight (@threatinsight)

Proofpoint has tracked this technique since August 2024, and call it “brooxml”. Our researchers do not consider this a zero-day or vulnerability in general. We’ve released Emerging Threats and YARA signatures at the end of this thread.

William Metcalf (@node5)

Enjoy punching phish? Experience writing detections for phish, using regex, Yara, etc., and looking to grow as a researcher within an experienced team? Join me and the rest of the Splunk Attack Analyzer Misfits of Detection Science. US only, fully remote splunk.com/en_us/careers/…

Threat Insight (@threatinsight)

Between December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

All of the observed

Simplicio Sam L. (@marsomx_)

[1/n] In the hope that it might be useful to someone, I am happy to share with the community my basic (and cheap) implementation of a CAPE Sandbox in physical machine config, integrating Elastic Stack and Elastic agents, Suricata, Aurora-Lite agent and Sysmon. #malwareanalysis

Konstantin Klinger (@kk_onstantin)

I have been able to help Nick with this research. It describes a technique, previously unknown to me, for hiding ADS inside archives and bypassing detections. Description and YARA in the blog post.

Itay Cohen 🌱 (@megabeets_)

We are growing and looking for a researcher to lead our Cybercrime Research team🚀 — The position is completely remote! Feel free to DM me with any questions or send/retweet this to your friends 😊

threatray (@threatray)

Threatray's Abdallah Elshinbary and Jonas Wagner in collaboration with Proofpoint Threat Research Team have undertaken a deep dive into the India-aligned #Bitter (TA397) cyber espionage group.

Read part one over at Proofpoint, where they cover campaigns, infection chains, hands-on-keyboard

Threat Insight (@threatinsight)

Just published: A 2-part blog series in collab w/ @Threatray, which aims to substantiate the claim that #TA397 (Bitter) is an espionage-focused, state-backed threat actor w/ interests aligned to the Indian state. Part 1: brnw.ch/21wT9A5 Part 2: brnw.ch/21wT9Ad.