Nextron Research ⚡️ (@nextronresearch) 's Twitter Profile
Nextron Research ⚡️

@nextronresearch

Nextron Systems Threat Research Team
research (att) nextron-systems.com

ID: 1851638802520969216

Link: https://discord.gg/HZMH7FcE
Joined: 30-10-2024 15:09:54

52 Tweets

1,1K Followers

19 Following

MalwareHunterTeam (@malwrhunterteam):

"Fixer.bat": ee4960b8b58b91c85ee01ebc6f40752dd0dcb04c2695428da507484670f1091a
Some boring as fuck shit... sharing only in case Florian Roth ⚡️ wants to add a rule to have THOR APT Scanner comments for this kind of samples...
🤷‍♂️

MalwareHunterTeam (@malwrhunterteam):

"invoice.bat": ebc3a6999612cc73ab2162c2e461018967748245cd150798c268c5821f8af10b
Another case when the file is FUD on VT for the vendors, but there are THOR APT Scanner comments...
🤷‍♂️
bestsaleshoppingday[.]com
166.0.184[.]127
162.218.115[.]218

MalwareHunterTeam (@malwrhunterteam):

Florian Roth ⚡️ THOR APT Scanner The THOR APT Scanner comments arrived, so it looks like it was only a delay/quota/etc. problem.
But the AV detection ratio on VT is still a joke... of course, not surprising at all...
🤷‍♂️

Florian Roth ⚡️ (@cyb3rops):

“The largest supply chain compromise in npm, Inc. history just happened, packages with a total of 2 billion weekly downloads just got turned malicious”

LinkedIn Post
linkedin.com/posts/advocate…

More info on Hacker News
news.ycombinator.com/item?id=451696…

Florian Roth ⚡️ (@cyb3rops):

We tested one of the compromised samples.

- 0 detections on VirusTotal
- Detected by THOR with three different YARA rules

Sample:
virustotal.com/gui/file/16f6c…

Florian Roth ⚡️ (@cyb3rops):

At this year’s team event we finally managed to take a group photo.
Here’s Nextron’s research team ⚡️ – malware analysts, detection engineers, and developers.
Two couldn’t join us, but this is the crew.

Really appreciated meeting everyone again in the southernmost village of

Nextron Research ⚡️ (@nextronresearch):

A newly discovered Plague backdoor has been detected. It still contains the infamous line: ‘Uh, Mr. The Plague, sir? I think we have a hacker.’

This variant adds several new features:
- Advanced string encryption using a custom S-BOX algorithm
- Credential logger writing to an

Florian Roth ⚡️ (@cyb3rops):

The first samples of #EDRFreeze that landed on VirusTotal were already detected by our existing rules – even though we hadn’t written anything specific for it. The reason is that the authors reused previously documented techniques we had already covered in our generic YARA rules

Aziz Farghly (@farghlymal):

A malicious MSI uploaded to VirusTotal on August 21 had 0 detections. It drops the Latrodectus Loader, capable of downloading payloads and executing arbitrary commands.

✅ THOR detected it from day one
🔍 Detection rule:
valhalla.nextron-systems.com/info/rule/MAL_…
🧪 Sample: virustotal.com/gui/file/dc25d…

Jonathan Peters (@cod3nym):

Detect this activity right now using our public Sigma rules:
github.com/SigmaHQ/sigma/…
github.com/SigmaHQ/sigma/…
github.com/SigmaHQ/sigma/…

You want to monitor your system in real time? Try our Aurora Lite scanner, which includes all rules mentioned here:
nextron-systems.com/aurora/

Florian Roth ⚡️ (@cyb3rops):

Heads-up: the generic rule SUSP_ELF_Go_OBFUSC_Binary_Dec22_1 flagged BRICKSTORM samples on VT 3 weeks ago ⚡️

- 2/3 BRICKSTORM binaries were garbled -> caught
- 1 clean build went past AV but fits the actor set (AV coverage is still very low -> better use the YARA rules)
- Rule

Jonathan Peters (@cod3nym):

A few months back I wrote a #YARA rule to detect a common batch-file obfuscation technique. Since then it has continued to turn up malicious payloads frequently missed by commercial AV engines, a great reminder that focused detection rules still matter.

Check out recent matches here:

BlueEye (@blueeye46572843):

Our rule detected this UAC-0245 second-stage malicious (XLL) used in targeted attacks against #Ukraine SOU.
sha256:af79b600ad113df92a76bc51c61a9d775b11a146bc8dac326ae22107331443d5
CERT-UA
#malware
#threat
#APT

Florian Roth ⚡️ (@cyb3rops):

Here’s a slide from our upcoming THOR v11 roadmap - a 75% rewrite with major architectural changes and new features.
Beta with customers & partners starts soon, TechPreview in December.
Since THOR Lite is based on the same code, free users will benefit too.

Nextron Research ⚡️

Jonathan Peters (@cod3nym):

Found a bunch of related low-detection samples. They are live on abuse.ch MalwareBazaar

bazaar.abuse.ch/browse/tag/Myt…

Hashes:
d6a02f9ac2e9e675b88b28b9abda97e7
a29fedaa6fb77d626ae6690081002e15
5a749cb47bc62ae8adb00997b7c1875d
e180bd5b6524313c0c1f4ecc9a925e02

Aziz Farghly (@farghlymal):

🚨 #PolarEdge Botnet detected from Day One by ⚡Thor Scanner
Big thanks to Sekoia TDR 🧠 for the valuable intel!

Rule > valhalla.nextron-systems.com/info/rule/MAL_…

Sample: virustotal.com/gui/file/a3e28…

Nextron Research ⚡️ (@nextronresearch):

Beyond availability - toward verified recovery

Backups should do more than bring systems back online - they should bring them back clean.

Together with Veeam® Software, we’ve built an integration that adds forensic assurance to backup workflows.
THOR extends Veeam’s trusted recovery