Sam ☁️🪵 (@sam0x90)'s Twitter Profile
Sam ☁️🪵

@sam0x90

SOC/Intel | @SANSInstitute | @PacktAuthors packtpub.com/product/purple…
Love #PurpleTeaming #DE #CTI #DFIR

ID: 106853852

20-01-2010 22:21:30

2.2K Tweets

1.1K Followers

779 Following

Justin Ibarra (@br0k3ns0und)

We are now developing Elastic threat hunting queries, alongside our detection rules, and openly sharing these as well! 🎉🎉

Can visually explore these with rulexplorer.io! 🔥🔥

#ThreatHunting #DetectionEngineering
Sam ☁️🪵 (@sam0x90)

Is that a (sub)technique ATT&CK J⩜⃝mie Williams? "...injects malicious code into...mstsc.exe" "injected code is a shellcode that loads another malicious library... to steal RDP credentials by hooking specific functions of the Windows library “SspiCli.dll”"

Michael Koczwara (@michalkoczwara)

Threat Actor is using Gophish to impersonate/target KPMG (financial department).

/64.227.171.144 (0/94 VT)
/financeekpmg.com (0/VT)

Here, we can see how the Threat Actor stayed under the radar by disabling default Gophish features and avoiding being flagged as malicious by

The DFIR Report (@thedfirreport)

🌟New report out today!🌟 Confluence Exploit Leads to LockBit Ransomware

Analysis & reporting completed by Angelo Violetti, mal forsec, & @teddy_ROxPin

Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/02/24/con…

MalDev Academy (@maldevacademy)

The Offensive Phishing Operations Course has been released. 81 modules are included in the initial launch, with the first update already being worked on.

More information: maldevacademy.com/phishing-course

Syllabus: maldevacademy.com/phishing-cours…

Sam ☁️🪵 (@sam0x90)

If anyone needs to convert the DarkWebInformer json into csv here is a quick script to properly convert it: github.com/Sam0x90/QuickC…

Sam ☁️🪵 (@sam0x90)

With all the fuss around #velociraptor thought I'd give a shout-out to project LOST (LOL Security Tools). We started this together with Ali Hussein some time ago. Yes Velociraptor, osquery, defender, wazuh, and much more that would deserve to be documented: 0xanalyst.github.io/Project-Lost/

Renzon (@r3nzsec)

We're hiring DFIR consultants (Senior & Principal) for Germany and KSA here at Unit 42.

Germany (must be German speaker) - jobs.smartrecruiters.com/PaloAltoNetwor…

KSA (must be Arabic speaker) - jobs.smartrecruiters.com/PaloAltoNetwor…

Let me know if you have questions. Feel free to DM me ✌🏻 #dfir

Sam ☁️🪵 (@sam0x90)

GG Dirk-jan! I wish to see more of this in the future: "After some testing and filtering with some fellow researchers that work on the blue side we came up with the following detection query" 👏

Elastic Security Labs (@elasticseclabs)

#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant. 

Check it out at ela.st/roningloader

MoBustami (@mobustami)

Happy New Year everyone. I wrote something sec0wn.blogspot.com/2026/01/from-n… Do I get an honorary #OSEP for analyzing their payloads? Lol. Maybe Gemini should though. H/T to GeminiPro for the assist

Georgy Kucherin (@kucher1n)

It turned out there are many more payloads used in the Notepad++ attack! To stay undetected, its masterminds were COMPLETELY changing execution chains about every month.

Here are more IPs used in the attack:
45.76.155[.]202
45.32.144[.]255

Read below for many other IoCs! [1/8]