Simon (@techevo_) 's Twitter Profile
Simon

@techevo_

Principal Threat Hunter @ WithSecure

bsky.app/profile/techev…

ID: 235278328

Website: https://blog.techevo.uk | Joined: 07-01-2011 20:03:48

175 Tweets

81 Followers

701 Following

irfan_eternal (@irfan_eternal) 's Twitter Profile Photo

I wrote a blog about Understanding Internals of SmokeLoader. The sample consists of 3 stages. We will look at each stage in detail in the blog. Please share your feedback: irfan-eternal.github.io/understanding-…

Virus Bulletin (@virusbtn) 's Twitter Profile Photo

ESET researchers have discovered NSPX30, a sophisticated implant used by a new China-aligned APT group they've named Blackwood. The NSPX30 implant is deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office & Sogou Pinyin. welivesecurity.com/en/eset-resear…

Stairwell (@insidestairwell) 's Twitter Profile Photo

🕵️‍♂️ The silent torrent of VileRAT Get an in-depth, technical look at #VileRAT, a sophisticated Python-based malware believed to be the work of the #Evilnum threat group. Read our latest #threatresearch report here: stairwell.com/resources/tech…

Kyle Cucci (@d4rksystem) 's Twitter Profile Photo

Not sure who needs to hear this, but I was today years old when I realized how effective conditional breakpoints in x64dbg are. I had a need to break conditionally on all VirtualAlloc calls with a size parameter > 0x3000000. Here is how to do this. 😎

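The setup Kyle Cucci describes, written out as an added example of x64dbg breakpoint commands (this is not the commands or screenshot from his post). It assumes a 64-bit target, so at function entry the VirtualAlloc arguments are in rcx (lpAddress), rdx (dwSize), r8 (flAllocationType) and r9 (flProtect); the log format string and the kernel32 symbol name are the author's own choices for illustration.

```x64dbg
// Added example (not from the original tweet): x64dbg command-line / script
// snippet that pauses on VirtualAlloc only when dwSize exceeds 0x3000000.
// Assumes a 64-bit debuggee: at function entry the arguments are in
// rcx (lpAddress), rdx (dwSize), r8 (flAllocationType), r9 (flProtect).
// x64dbg parses bare numbers as hexadecimal; the 0x prefix is accepted too.

// 1. Ordinary software breakpoint on the export.
bp kernel32.VirtualAlloc

// 2. Attach a break condition: the debugger only stops when it is non-zero.
bpcond kernel32.VirtualAlloc, "rdx > 0x3000000"

// 3. Optional: log every hit (the log is independent of the break condition),
//    so the smaller allocations are still visible in the log window.
bplog kernel32.VirtualAlloc, "VirtualAlloc(dwSize={rdx}) called from {[rsp]}"

// 32-bit debuggee instead: dwSize is the second stack argument at entry.
//   bp kernel32.VirtualAlloc
//   bpcond kernel32.VirtualAlloc, "[esp+8] > 0x3000000"
```

Two caveats when hunting unpacking stubs this way. Code that calls VirtualAllocEx, resolves VirtualAlloc from kernelbase directly, or goes straight to the syscall stub never passes through kernel32.VirtualAlloc; to cover those cases, put the same kind of breakpoint on ntdll.NtAllocateVirtualMemory, where RegionSize is the fourth argument and is a pointer, so the condition becomes `[r9] > 0x3000000`. And the register-based conditions only hold at the function's first instruction, so keep the breakpoint on the export itself rather than somewhere inside the function body.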
Jonny Johnson (@jsecurity101) 's Twitter Profile Photo

Happy Friday! I have gotten a lot of questions around ETW Patching as of late. I decided to write a blog on understanding ETW Patching, check it out! jsecurity101.medium.com/understanding-…

Daniel Jary (@janieldary) 's Twitter Profile Photo

Here is a little Linux detection telemetry tool I released as part of my Black Hat Arsenal presentation 'ELFieScanner: Advanced process memory threat detection on Linux' #BlackHat: github.com/JanielDary/ELF…

Rachel Tobac (@racheltobac) 's Twitter Profile Photo

Exec at Ferrari gets a call from "CEO" asking about acquisitions. Exec realizes that this could be a voice clone & asks the "CEO" which book they just talked about, catching the attacker! Thanks FORTUNE for talking with me about AI voice clones. fortune.com/2024/07/27/fer…

Volexity (@volexity) 's Twitter Profile Photo

Volexity shares #threatintel on how #StormBamboo compromised an ISP to conduct DNS poisoning attacks on targeted organizations & abuse insecure HTTP software updates, delivering custom malware on both macOS + Windows. Read the full analysis: volexity.com/blog/2024/08/0… #dfir

Greg Linares (Laughing Mantis) (@laughing_mantis) 's Twitter Profile Photo

The Return of OceanLotus? During routine threat hunting here at Huntress analysts Jai Minton & Craig identified a sophisticated campaign with hallmark TTPs of APT32 aka BISMUTH, Ocean Buffalo, & Canvas Cyclone targeting human rights activists huntress.com/blog/advanced-…

Simon (@techevo_) 's Twitter Profile Photo

I took a look at a #warmcookie infection, and wrote an investigation walk-through using a #PCAP from malware_traffic, check it out: blog.techevo.uk/analysis/netwo…

Daniel Stepanic (@danielstepanic) 's Twitter Profile Photo

Had fun presenting #WARMCOOKIE research at #VB2024. The malware was recently updated with new handlers. Our team wrote some tooling to simulate the C2 server to help organizations build better detections. Tooling: github.com/elastic/labs-r…

Hunt.io (@huntio) 's Twitter Profile Photo

Read our latest blog post and get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. 📡 We reveal insights into newly identified servers that can assist defenders in identifying related servers hunt.io/blog/from-warm…

Unit 42 (@unit42_intel) 's Twitter Profile Photo

A threat actor testing an AV/EDR bypass tool on rogue virtual machines inadvertently exposed their methods. This allowed us a deep dive into their operational strategies and multiple toolkits, including tracing their steps to cybercrime forums. Read now: bit.ly/4eb8nlh

RemcoS (@rsprooten) 's Twitter Profile Photo

Check out my new blog post on declawing PUMAKIT, a sneaky #LKM #rootkit targeting Linux systems. Find out how it hides, escalates privileges, and stays under the radar. Don’t miss the deep-dive! elastic.co/security-labs/… #cybersecurity #malwareanalysis #linux

flux (@0xfluxsec) 's Twitter Profile Photo

Ok I think this is REALLY cool, I've now got Event Tracing for Windows: Threat Intelligence working with my EDR (not implemented yet into the main EDR) BUT you can see it catching remote memory allocations github.com/0xflux/Sanctum… #malware #blueteam #redteam #infosec #cyber #rust

𝙁 𝙀 𝙇 𝙄 𝙓 𝙈 (@felixm_pw) 's Twitter Profile Photo

With some guidance from DebugPrivilege I've found a way to easily dump clear text implants even while they sleep. Bad day for sleep obfuscation 💤 blog.felixm.pw/rude_awakening…