hi! I'm looking for new work opportunities strongest areas are data analysis & threat hunting. I love SQL, regex, anomaly detection, data wrangling experienced designing & using honeypot systems. have created novel techniques I use python a lot, but adaptable as needed tysm💓

the backdoor builds & maintains a dynamic in-memory doubly linked list of payload modules ...and calls out to 𝚊𝚊𝚊𝚊𝚊𝚋𝚋𝚋𝚋𝚋𝚋𝚋.𝚎𝚊𝚜𝚝𝚞𝚜.𝚌𝚕օ𝚞𝚍𝚊𝚙𝚙.𝚊𝚣𝚞𝚛𝚎[.]𝚌օ𝚖:44𝟹

New hit for Odyssey Stealer teamsonsoft[.com Osscript at http[://185.93.89.62/d/vipx27099 Mikhail Kasimov L0Psec

'layer.ps1' abuse.ch bazaar.abuse.ch/sample/96cc727… ITW URL: hxxp://31.57.35(.)90/layer.ps1 ܛܔܔܔܛܔܛܔܛ

#FakeCaptcha #clickfix https[://upfilenew[.cc/ https[://speedtestcheck[.org/ Mikhail Kasimov WatchingRac Squiblydoo MalwareHunterTeam ܛܔܔܔܛܔܛܔܛ Demon Szabolcs Schmidt #CTI

Some Related Samples #RomCom 👇 bazaar.abuse.ch/browse/tag/Rom…

#WAPstealer #Pycoon HTTP Network Traffic Example tria.ge/250819-h3rc9s1…

ajax-jquery\.com bf-core\.com cloud-ajax\.com paysafe\.global sale5shop\.com sale7shop\.com wrist-sale\.com partywirks\.club www-static\.com ads.cdn-f\.net asd1.lazyno1\.net hostmaster.c-ads\.net mail.partywirks\.club

#Rat #ITALY I done some extra relation search IoCs pastebin.com/QB55Eiys Samples (updating) bazaar.abuse.ch/browse/tag/001…

Threat actor misused Acrobat Adobe Link to host malware in the phishing email attack. 📩 acrobat.adobe.com/id/urn:aaid:sc… 👇 RAR -> EXE (NSIS) -> Remcos C2 mauasas35safael1.duckdns[.]org Malware Sample bazaar.abuse.ch/browse/tag/acr… cc Adobe JAMESWT

Months ago, Ali Hadi | B!n@ry asked me to audit the Cyber 5W 's Malware Analysis course. They haven't asked me to, but I felt compelled to comment on the course: It's excellent. Highly recommend...step by step, all with open source tools. Great work!!

Excited to share our latest research on APT37(a.k.a ScarCruft, Ruby Sleet, and Velvet Chollima)’s new infection chain and C2 operation: 1⃣ Initial Access: Leveraging LNK and CHM files to deliver Rust-based and PowerShell-based malware. 2⃣ Post-Recon: Deployment of FadeStealer

'1.msi' from Hong Kong abuse.ch bazaar.abuse.ch/sample/5de5d09… URL's(http): dmoneii(.)com/1.bin cailai(.)org/1.bin ܛܔܔܔܛܔܛܔܛ

#oyster app.any.run/tasks/e2f683bf… app.any.run/tasks/39996a51… app.any.run/tasks/e92880db… cc Jane Kseniia \n

#netsupport #rat client32.ini MD5 15d827801ccc1c544cbcd6ddf737d19f stenslie.]com:3085 itnblog.]com:3085 MD5 daa0f1d6b1856657445c4d0261db38fd 45.88.104.]5:443 MD5 a7ac424709447b46683d018ba7dac685 95.179.154.]161:443 1/2 cc Mikhail Kasimov

"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain. The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."

Raytheon’s Collins Aerospace was hit with a variant of HardBit Ransomware. Kevin Beaumont was kind to confirm the intel but he actually posted it yesterday. Mimic is the only other false flag other researchers and I can quantify now since HardBit affiliates did use Mimic as

COLDRIVER Group's ClickFix zscaler.com/blogs/security…

#oyster malware: github.com/stamparm/maltr… Related #fakeapp distribution domains: github.com/stamparm/maltr…