ExecuteMalware (@executemalware)'s Twitter Profile
ExecuteMalware

@executemalware

#malware hunter & analyst.
Opinions are my own.

ID: 743883460587167744

Joined: 17-06-2016 19:10:12

16.16K Tweets

26.26K Followers

191 Following

JAMESWT (@jameswt_wt)

Related Pdf👇
"Comprovante-Mercado-Pago-26-05-2025-.pdf"

❇️Related #XWorm V5.2
⛔️C2 158.69.41.]120:8000 Samples
bazaar.abuse.ch/browse/tag/158…

✅AnyRun
app.any.run/tasks/29f57a2f…
1/2
cc Dodo on Security 🇵🇸 🇺🇦 (@dodo_sec), Germán Fernández (@1ZRR4H), ܛܔܔܔܛܔܛܔܛ (@skocherhan), Mikhail Kasimov (@500mk500), Kelsey (@k3dg3)
Jammy (@jcarndt)

Anybody know if there is a name for this specific type of batch file obfuscation? Here is what it looks like before and after deobfuscation.
Germán Fernández (@1zrr4h)

#Bumblebee from nir-soft[.]org (x.com/1ZRR4H/status/…).
Botnet: grp0005
C2: 188.40.187.152 (although not flagged by any AV, the IP has been linked to Bumblebee campaigns since approximately April 2024).

Bumblebee has been used in ransomware attacks.

MalwareHunterTeam (@malwrhunterteam)
Jammy (@jcarndt)

Introducing: BatVision, a tool to help deobfuscate batch files affected by BatCloak. Enjoy! github.com/jcarndt/BatVis…

Konstantin Nikolenko (@k_n1kolenko)

#AsyncRAT #ioc 45.80.158.24:4449 45.141.233.114:2006 98.84.132.102:4000 103.20.102.151:8848 185.49.126.59:5552 193.124.205.63:4449

Karsten Hahn (@struppigel)

Virut part II: process infection and NTDLL hooking 🦔📹
➡️x64dbg scripting
➡️conditional breakpoints
➡️more import table resolving
➡️fixing control flow
➡️marking up hook code
#MalwareAnalysisForHedgehogs #Virut youtube.com/watch?v=nuxnvj…

Duncan Ogilvie 🍍 (@mrexodia)

🔥 TitanHide has been updated to support the latest VMProtect 3.9.4 changes!

The service name is now used as the device name as well, so the check for \\.\TitanHide will fail if you name the service differently 🧠
Nicolas Krassas (@dinosn)

ghidraMCP is a Model Context Protocol server for allowing LLMs to autonomously reverse engineer applications. It exposes numerous tools from core Ghidra functionality to MCP clients. github.com/LaurieWired/Gh…

ANY.RUN (@anyrun_app)

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 328 (730)
⬇️ #Asyncrat 309 (490)
⬇️ #Snake 225 (425)
⬆️ #Maze 225 (4)
⬆️ #Neconyd 224 (111)
⬇️ #Xworm 169 (430)
⬇️ #Agenttesla 165 (219)
⬇️ #Remcos 151 (488)
⬆️ #Zombie 133 (131)
⬇️ #Dcrat 129 (215)
Track them all:
Gi7w0rm (@gi7w0rm)

New Blogpost: #HuluCaptcha - An example of a FakeCaptcha framework.
Started investigating this after a friend was compromised by it. Some interesting/unique techniques shown, plus analysis of the compromised server. Hope you enjoy the read! :)
medium.com/@gi7w0rm/huluc…
ANY.RUN (@anyrun_app)

👾 #SVCStealer is an #infostealer written in C++ that emerged this January.

It targets victims' credentials, credit card details, and crypto wallet data.

👨‍💻 Collect #IOCs & see analysis sessions: any.run/malware-trends…
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 (@netresec)

CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
netresec.com/?b=256dbbc

Josh Stroschein | The Cyber Yeti (@jstrosch)

🔔 Just a reminder that the next live stream is this Thursday at 5pm CDT! Thomas Roccia will be joining to talk about two of his projects - NOVA and YARA Toolkit! youtube.com/live/UWsHJAWWD…

Malwarebytes (@malwarebytes)

Fake websites posing as the popular travel site are giving visitors something worse than a bad deal on a hotel stay. malwarebytes.com/blog/news/2025…