Adrien B (@int2e_)'s Twitter Profile
Adrien B

@int2e_

Malware research and threat intel
ex #DFIR responder at @Mandiant

ID: 2575245528

Joined 18-06-2014 18:05:56

497 Tweets

2.2K Followers

95 Following

Microsoft Threat Intelligence (@msftsecintel)

We’re sharing more details from our investigation of the Storm-0558 campaign that targeted customer email, including our analysis of the threat actor’s techniques, tools, and infrastructure, and the steps we took to harden systems involved: msft.it/6017g26HL

CERT-UA (@_cert_ua)

CERT-UA in collab w/ Microsoft Threat Intelligence investigated UAC-0024 (susp. #Turla) using CAPIBAR & KAZUAR to target UA GOV entities. Details: cert.gov.ua/article/5213167 (UA only)

Microsoft Threat Intelligence (@msftsecintel)

Microsoft has identified targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard (KRYPTON, UAC-0003) leveraging DeliveryCheck, a novel .NET backdoor used to deliver a variety of second stage payloads. msft.it/6019gfoYU

LABScon (@labscon_io)

Check this Microsoft x PwC research collab, coming to #LABScon23 labscon.io/speakers/adrie… labscon.io/speakers/bendi…

Adrien B (@int2e_)

A few weeks ago I was honored to speak at LABScon. Great people, great talks, great venue. I honestly could not suggest any improvements except something closer to CET timezone!

Florian Roth ⚡️ (@cyb3rops)

Teaser: we're working on a new #YARA module to enhance in-memory matching, allowing detection engineers to craft more precise rules. Stay tuned

Microsoft Threat Intelligence (@msftsecintel)

Microsoft has uncovered a supply chain attack by North Korean threat actor Diamond Sleet (ZINC) involving the modification of an installer file from software maker CyberLink. The payload calls back to attacker infrastructure for instructions. Learn more: msft.it/6013iHoQF

Thomas Roccia 🤘 (@fr0gger_)

#100DaysOfYara Day 6: Yara can be used to access specific data at a given position. 👇

This feature is often used to identify Magic Numbers (used to determine the file format) to match your rule against a specific file type, such as a PE (0x4D5A), for example.

Today, no

Greg Lesnewich (@greglesnewich)

#100DaysofYARA Day 6 

Sometimes our pals in TA404/Zinc/Temp.HERMIT/Diamond Sleet reuse export names and add a dubya ("W") to the end of the second name.

Let's create a loose rule looking for duplicates like that!

Examples in the second pic thanks to Ronnie Coleman

Greg Lesnewich (@greglesnewich)

#100DaysofYARA Day 07 - another condition-only rule, this time looking for the HTTPSnoop and PipeSnoop families found by Talos

A little avant-garde, but both store config info in the .data section, XOR'd with a 1-byte key following the same structure

github.com/100DaysofYARA/…

Virus Bulletin (@virusbtn)

Trend Micro's Christopher So looks into two techniques used by Earth Freybug (a subset of APT41) in the UNAPIMON malware: dynamic-link library hijacking & application programming interface (API) unhooking to prevent child processes from being monitored. trendmicro.com/en_us/research…

George Kurtz (@george_kurtz)

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We

__mat__ (@matthieu_faou)

We are looking for a strategic threat intel analyst to join ESET Research. Interested in cyber-espionage and geopolitics? Apply! ca.linkedin.com/jobs/view/anal…

Microsoft Threat Intelligence (@msftsecintel)

Microsoft identified multiple vulnerabilities in the open-source platform OpenVPN, integrated into millions of devices worldwide, which could be exploited to create an attack chain allowing remote code execution (RCE) and local privilege escalation (LPE). msft.it/6014llDIQ

Microsoft Threat Intelligence (@msftsecintel)

Based on our findings and those reported by governments and other security vendors, Microsoft Threat Intelligence assesses the Russian nation-state actor we track as Secret Blizzard has used the tools and infrastructure of at least 6 other threat actors during the past 7 years.

Ramin Nafisi (@malwarere)

The Microsoft Threat Intelligence Center (MSTIC) is looking for malware reverse engineers and security researchers to join our team! Come join our brilliant, world-class team of malware REs and intelligence researchers: Principal Security Researcher (United States):

Lukasz Olejnik (@lukolejnik)

Meta and Russian Yandex engaged in unprecedented internet tracking practices, likely illegal with EU data protection law. Companies designed tracking systems that exploited Android's localhost socket permissions to create covert communication channels between websites and native
