Xlab (@xlab_qax)'s Twitter Profile

Xlab
@xlab_qax
Xlab at Qianxin

ID: 1719366317164122113
Joined: 31-10-2023 14:50:57
28 Tweets
559 Followers
6 Following

Xlab (@xlab_qax):

We’ve published a quick overview of the recent DDoS attack that disrupted the Trump-Musk livestream on X. See details here blog.xlab.qianxin.com/behind-the-sce…

Xlab (@xlab_qax):

Our latest blog: Steam was hit by a major DDoS attack during peak playtime for Black Myth: Wukong. The AISURU botnet, claiming up to 2 Tbps attack power, was the main culprit. It seems someone wanted to spoil the fun for Wukong players. blog.xlab.qianxin.com/more_ddos_deta…

Xlab (@xlab_qax):

Our latest blog: Darkcracks, a sophisticated, high-persistence and highly stealthy payload delivery and upgrade framework with 0 VT detections. Some infrastructure, such as Brazil's public transportation system and prison visitor systems, has been exploited. blog.xlab.qianxin.com/darkcracks-an-…

Xlab (@xlab_qax):

Our team has discovered a zero-detection variant of the Melofee backdoor, linked to the Winnti group, targeting RHEL 7.9 systems. blog.xlab.qianxin.com/analysis_of_ne…

Xlab (@xlab_qax):

Our latest blog: Glutton, a zero-detection PHP backdoor. APT group Winnti is using this stealthy malware to infiltrate and exploit mainstream PHP frameworks, targeting cybercriminals themselves. blog.xlab.qianxin.com/glutton_stealt…

Xlab (@xlab_qax):

Our latest blog on the #Gayfemboy botnet, a unique and aggressive variant of Mirai that has been active since February 2024. It leverages 0-day exploits to target IoT devices and has over 15,000 daily active nodes (we registered the C2 domain). blog.xlab.qianxin.com/gayfemboy-en/

Alex. Turing (@turingalex):

🚨 Initially thought to be a new #IOCONTROL sample from Germany on VT, turned out to be a UPX magic tweak: "ABC!" to "GBC!". Despite this minor tweak, the detection plummeted from 32/63 to just 3/63. #C2 points to a new IP: 3.127.232.142. Who's behind this update? @Xlab_qax @Claroty

Xlab (@xlab_qax):

Evolved from AISURU, AIRASHI uses a 0-day cnPilot router vulnerability for spreading, employs advanced encryption for C2 comms, and has stable T-level DDoS attack capabilities. The botnet also mocks XLAB and security researchers with its C2 domain names. blog.xlab.qianxin.com/large-scale-bo…

Xlab (@xlab_qax):

Our latest blog dives into a new variant of the #Vo1d #botnet. C2 sinkhole data reveals it has infected 1.6M Android TVs across 200+ countries. Now leveraging RSA, its network can remain secure even if researchers register DGA C2s. blog.xlab.qianxin.com/long-live-the-…

Alex. Turing (@turingalex):

🚨 #Speculoos #Backdoor 3db8e26f059e8b1fd3bbb96c052cfe4a belongs to #APT41 #WINNTI and has stayed undetected since 2023.04.23. #IOC #C2 is sshc.webtechnovelty[.]com. Comparing with Unit 42 (@Unit42_Intel) samples, function names alone reveal expanded capabilities. Stay vigilant ⏰ @Xlab_qax

Alex. Turing (@turingalex):

#IOC @rubick_ai Your servers are pwned! Attackers are leveraging them to serve up downloads for the #PickAI #backdoor. The #C2's detection rate is practically nonexistent right now. Happy hunting 🍷 & Stay vigilant! 📷 @Xlab_qax

Xlab (@xlab_qax):

Pickai is a lightweight backdoor written in C++, designed to support remote command execution and reverse shell access. It is currently infecting the AI workflow management framework ComfyUI. #XLAB blog.xlab.qianxin.com/pickai-the_bac…

Alex. Turing (@turingalex):

🚨 #IOC #Backdoor Identified low-detection #ELF samples on VT with a VMP-like shell 🤔. Analysis of the dumped config confirms they are #NoodleRAT. #C2 📸{ 107.148.33.2 | 43.246.209.83 }📸. IP 43.246.209.83 is affiliated with #APT #Higaisa. Happy hunting 🍷 & Stay vigilant ⏰ @Xlab_qax

Alex. Turing (@turingalex):

🚨 #APT #Higaisa Another intriguing discovery: the file 91f0ebb41949f14d16f1c70a4086cb45 utilized #AppImage as a "packing mechanism" to evade static detection 🤔. It had only 7/66 on VT, while its extracted payload scored 27/66 😅. Happy hunting 🍷 & Stay vigilant ⏰ @Xlab_qax

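Both the UPX magic tweak reported earlier in this feed ("ABC!" to "GBC!", detections falling from 32/63 to 3/63) and the AppImage trick in the post above defeat signature matching without changing the structure a parser can see. The script below is an added example (not Xlab's or Alex Turing's tooling, and not derived from either sample) that triages an ELF64 file structurally: it reads the 4-byte magic at the UPX l_info position whatever its value, and locates a squashfs image appended to an AppImage runtime so the payload can be carved and scanned on its own. The l_info layout (l_checksum, l_magic, l_lsize, l_version, l_format immediately after the program headers) is taken from the UPX source, and the payload offset from the type-2 AppImage convention; treating both as valid for every stub version is an assumption. The sample files the script builds are constructed skeletons, not malware.

```python
"""Added example: structural triage of UPX-magic-tweaked ELFs and AppImages.
Offsets follow the UPX l_info layout and the type-2 AppImage convention;
those are assumptions of this example, and the samples built below are
constructed skeletons, not real binaries."""
from __future__ import annotations

import struct

ELF_MAGIC = b"\x7fELF"
SQUASHFS_MAGIC = b"hsqs"          # little-endian squashfs superblock magic


def parse_elf64_header(data: bytes) -> dict:
    """Fields of a little-endian ELF64 header needed below; raise otherwise."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (phoff, shoff, _flags, _ehsize, phentsize, phnum,
     shentsize, shnum) = struct.unpack_from("<QQIHHHHH", data, 32)
    return {"phoff": phoff, "shoff": shoff, "phentsize": phentsize,
            "phnum": phnum, "shentsize": shentsize, "shnum": shnum}


def upx_linfo_magic(data: bytes) -> bytes | None:
    """4-byte l_magic at the UPX l_info position: l_info follows the program
    headers and a u32 l_checksum precedes l_magic (assumed layout)."""
    h = parse_elf64_header(data)
    off = h["phoff"] + h["phnum"] * h["phentsize"] + 4
    return data[off:off + 4] if off + 4 <= len(data) else None


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX strips the section table, and the magic is three
    letters plus '!' whether it reads UPX!, ABC! or GBC!."""
    h = parse_elf64_header(data)
    m = upx_linfo_magic(data)
    return h["shnum"] == 0 and m is not None and m[:3].isalpha() and m[3:] == b"!"


def appimage_payload_offset(data: bytes) -> int | None:
    """Offset of an appended squashfs image: end of the section table for a
    type-2 AppImage, else the first 'hsqs' past the ELF header, else None."""
    h = parse_elf64_header(data)
    guess = h["shoff"] + h["shnum"] * h["shentsize"]
    if h["shnum"] and data[guess:guess + 4] == SQUASHFS_MAGIC:
        return guess
    idx = data.find(SQUASHFS_MAGIC, 64)
    return idx if idx != -1 else None


def triage(data: bytes) -> dict:
    """Summary a hunter would log for one sample."""
    upx = looks_upx_packed(data)
    magic = upx_linfo_magic(data)
    return {"upx_like": upx,
            "upx_magic": magic,
            "upx_magic_tweaked": upx and magic != b"UPX!",
            "appimage_payload_offset": appimage_payload_offset(data)}


def build_sample(phnum: int, linfo_magic: bytes | None, shnum: int = 0,
                 appended: bytes = b"") -> bytes:
    """Constructed ELF64 skeleton (not a real binary): header, `phnum` zeroed
    program headers, optional l_info, `shnum` zeroed section headers, blob."""
    phoff = 64
    shoff = phoff + phnum * 56 + (12 if linfo_magic else 0)
    hdr = bytearray(64)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 2, 1, 1                  # ELF64, LE, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", hdr, 16,
                     2, 0x3E, 1, 0, phoff, shoff if shnum else 0, 0,
                     64, 56, phnum, 64, shnum, 0)
    body = bytes(hdr) + bytes(56 * phnum)
    if linfo_magic:
        body += bytes(4) + linfo_magic + bytes(4)     # l_checksum, l_magic, rest
    return body + bytes(64 * shnum) + appended


if __name__ == "__main__":
    samples = {
        "tweaked-upx": build_sample(2, b"GBC!"),
        "appimage": build_sample(2, None, shnum=1, appended=SQUASHFS_MAGIC + bytes(20)),
    }
    for name, sample in samples.items():
        print(name, triage(sample))
```

Once the offset is known, the AppImage payload can be carved with `unsquashfs -o <offset>` on recent squashfs-tools (or `./sample.AppImage --appimage-extract` when running the sample's own runtime is acceptable), and the extracted files scanned separately, which is where the 27/66 in the post came from. For a UPX sample with a non-standard magic, `upx -d` refuses the file; restoring the original "UPX!" bytes before unpacking is the usual workaround.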
Xlab (@xlab_qax):

#XLAB observed over 100 IP addresses attempting to exploit the Microsoft #SharePoint RCE vulnerability (CVE-2025-53770).
