home.social

#edr — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #edr, aggregated by home.social.

  1. RemotePE: The Lazarus RAT that lives in memory

    A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.

    Pulse ID: 6a1447f25db6bc082d5093cb
    Pulse Link: otx.alienvault.com/pulse/6a144
    Pulse Author: AlienVault
    Created: 2026-05-25 13:00:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

  2. RemotePE: The Lazarus RAT that lives in memory

    A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.

    Pulse ID: 6a1447f25db6bc082d5093cb
    Pulse Link: otx.alienvault.com/pulse/6a144
    Pulse Author: AlienVault
    Created: 2026-05-25 13:00:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

  3. RemotePE: The Lazarus RAT that lives in memory

    A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.

    Pulse ID: 6a1447f25db6bc082d5093cb
    Pulse Link: otx.alienvault.com/pulse/6a144
    Pulse Author: AlienVault
    Created: 2026-05-25 13:00:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

  4. RemotePE: The Lazarus RAT that lives in memory

    A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.

    Pulse ID: 6a1447f25db6bc082d5093cb
    Pulse Link: otx.alienvault.com/pulse/6a144
    Pulse Author: AlienVault
    Created: 2026-05-25 13:00:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

  5. RemotePE: The Lazarus RAT that lives in memory

    A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.

    Pulse ID: 6a1447f25db6bc082d5093cb
    Pulse Link: otx.alienvault.com/pulse/6a144
    Pulse Author: AlienVault
    Created: 2026-05-25 13:00:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

  6. GhostTree : une technique qui force les outils EDR à se bloquer sur certains fichiers, les laissant non analysés. Ce n'est pas un exploit classique — c'est une attaque sur le mécanisme de détection lui-même. Quand le bouclier devient la cible, la surface d'attaque change de forme. #infosec #EDR #evasion
    gbhackers.com/new-ghosttree-at

  7. If you're focused on "defending against #Mythos", you're worried about the wrong problem.

    If you're focused on "protecting against #AI hackers", you're worried about the wrong problem.

    As described recently by #infosec expert and IANS Faculty member Davi Ottenheimer:

    "Your patching SLA, #EDR coverage, network segmentation, #MFA enforcement, and asset inventory are still the things that determine your exposure. In particular, using AI to scan code for flaws internally is a leveling move, and using AI to remediate code by rearchitecting it away from flaws is an uplift. An AI-assisted offensive tool does not change that calculus because it moves the attacker marginally closer to the ceiling of what a competent human red team already does against targets that have no defenses anyway."

    And I absolutely love this quote:

    "[The Mythos paper] is the worst form of FUD: anchor to something true, then extend the credibility to something unproven. The emergency is built on the myth, and some of the most credentialed people in the industry just co-signed it without checking the facts."

    How about, let's work on getting the basics right.

    References:

  8. New Stealthy Vidar Stealer Campaign Bypass EDR and Steal Credentials

    Pulse ID: 6a0952a57e16da067219eda8
    Pulse Link: otx.alienvault.com/pulse/6a095
    Pulse Author: cryptocti
    Created: 2026-05-17 05:31:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #Vidar #bot #cryptocti

  9. @da_667 youtube is so great - what a good buy, a bargain buy for them #edr sales enjoyer #fd youtube consumer bias

  10. OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

    A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

    Pulse ID: 6a008382641183db3b20fef5
    Pulse Link: otx.alienvault.com/pulse/6a008
    Pulse Author: AlienVault
    Created: 2026-05-10 13:09:22

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

  11. OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

    A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

    Pulse ID: 6a008382641183db3b20fef5
    Pulse Link: otx.alienvault.com/pulse/6a008
    Pulse Author: AlienVault
    Created: 2026-05-10 13:09:22

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

  12. OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

    A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

    Pulse ID: 6a008382641183db3b20fef5
    Pulse Link: otx.alienvault.com/pulse/6a008
    Pulse Author: AlienVault
    Created: 2026-05-10 13:09:22

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

  13. OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

    A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

    Pulse ID: 6a008382641183db3b20fef5
    Pulse Link: otx.alienvault.com/pulse/6a008
    Pulse Author: AlienVault
    Created: 2026-05-10 13:09:22

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

  14. OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

    A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

    Pulse ID: 6a008382641183db3b20fef5
    Pulse Link: otx.alienvault.com/pulse/6a008
    Pulse Author: AlienVault
    Created: 2026-05-10 13:09:22

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

  15. ----------------

    🛠️ Tool
    ===================

    Opening: This repository documents a practicable method for extracting Windows account hashes by combining built-in registry export, a local reduction step, BootKey extraction and secretsdump. The author provides source artifacts including RegReduction.ps1, BootKey.c and a compiled BootKey.exe, plus guidance on exporting the three core hives (SAM, SYSTEM, SECURITY) from a target machine.

    Key Features:
    • Exposes a flow that leverages the system binary reg.exe to export registry hives at scale.
    • Supplies a PowerShell-based reduction tool (RegReduction.ps1) to reconstruct binary hive files from exported .reg artifacts.
    • Includes BootKey.c and BootKey.exe to extract the system BootKey without requiring administrative privileges in the tested environments.
    • Demonstrates final credential extraction using secretsdump against the reconstructed hives.

    Technical Implementation:
    • The workflow relies on exporting HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY via the system registry export facility, then reconstructing the binary hive representation locally with RegReduction.ps1.
    • BootKey extraction is implemented in a C utility (BootKey.c) provided in the repo; the binary derived BootKey is consumed by offline tools capable of decrypting LSA secrets and NT hashes.
    • The final extraction step uses secretsdump-style logic to parse the SAM/SECURITY blobs with the BootKey to recover account NTLM credentials.

    Use Cases:
    • Red team operations seeking post-exploitation credential harvesting where standard EDR detection blocks direct memory dumping.
    • Forensic practitioners needing an offline method to reconstruct registry hive artifacts from exported textual dumps for analysis.
    • Research into living-off-the-land (LotL) techniques that abuse trusted system utilities to evade behavioral detections.

    Limitations:
    • The method depends on the ability to export registry hives from the target; test notes indicate reg.exe export may require SYSTEM privileges on some Windows versions (notably Win10/Win11 and Windows Server 2025), while older servers may allow export with administrator rights.
    • The BootKey extraction utility was observed by the author to run without elevated rights in tests; detection coverage by endpoint products varied and a VirusTotal snapshot was referenced by the author as part of testing.
    • The repo author later acknowledged similar prior public research touching on LSA/Task decorrelation techniques.

    Final note: The release is presented as a GitHub tool with source artifacts and practical testing notes; the repo documents concrete filenames and steps for reconstruction and extraction rather than providing high-level theory. #tool #EDR #DumpHash #SAM #secretsdump

    🔗 Source: github.com/AabyssZG/HashDump-B

  16. UAT-8302 and its box full of malware

    UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.

    Pulse ID: 69f9f99c0dc1060430bf089e
    Pulse Link: otx.alienvault.com/pulse/69f9f
    Pulse Author: AlienVault
    Created: 2026-05-05 14:07:24

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #China #Chinese #Cloud #CyberSecurity #DRat #EDR #EasternEurope #Europe #Government #InfoSec #Malware #NET #OTX #OpenThreatExchange #Proxy #RAT #RCE #SouthAmerica #bot #AlienVault

  17. ----------------

    🎯 Threat Intelligence
    ===================

    Executive summary: DSCourier describes a technique that invokes WinGet's configuration engine directly through its COM API to apply Desired State Configuration (DSC) YAML payloads, resulting in arbitrary PowerShell execution inside a Microsoft‑signed process (ConfigurationRemotingServer.exe) without winget.exe, powershell.exe or cmd.exe in the observable process tree.

    Technical details:
    • The technique targets the WinGet configure capability that consumes YAML-based DSC resources.
    • Payloads use PSDscResources/Script to run arbitrary PowerShell logic; execution occurs via the configuration host process rather than a traditional PowerShell executable.
    • The COM API interop layer is used to invoke the configuration engine directly, removing the winget.exe CLI process from the initial execution chain.
    • The author documents YAML construction, an interop wrapper that calls the COM interfaces, and the resulting process tree where the top-level trusted binary is ConfigurationRemotingServer.exe.

    Analysis:
    • Running DSC Script resources inside a Microsoft-signed binary creates a living‑off‑the‑land (LOTL) execution vector that may bypass telemetry focused on common hosts like powershell.exe.
    • Visibility loss occurs at the initiation point: no winget.exe command line is logged when using the COM API approach, reducing forensic artifacts visible in standard process creation logs.
    • The approach preserves signed‑binary provenance while enabling arbitrary code execution, increasing difficulty for EDR heuristic rules that rely on suspicious parent/child relationships or command lines.

    Detection:
    • The original winget configure method is detectable via process command line searches such as:
    process.name: "winget.exe" and process.command_line: (configure or configuration or dsc)
    • For the COM API technique, detection requires monitoring of DSC-related host processes and behavioral indicators inside ConfigurationRemotingServer.exe, such as unexpected DSC resource usage, abnormal network retrieval of YAML content, or scripted activity originating from that process.

    Mitigations / Defensive notes (as presented):
    • Instrumentation should expand visibility beyond common hosts to include signed configuration hosts and inspect invoked DSC resources and YAML content sources.
    • Correlate file retrievals of YAML payloads with subsequent activity in configuration host processes and flag atypical PSDscResources/Script usage in enterprise environments.

    References:
    • The post details YAML payload construction, the COM interop layer, and EDR bypass testing against CrowdStrike Falcon, Microsoft Defender for Endpoint, and Elastic Security. #winget #DSC #EDR

    🔗 Source: dylansec.com/DSCourier/

  18. LofyStealer: Malware targeting Minecraft players.

    A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.

    Pulse ID: 69f1f50b6a5e5d1ca31204bb
    Pulse Link: otx.alienvault.com/pulse/69f1f
    Pulse Author: AlienVault
    Created: 2026-04-29 12:09:47

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Brave #Brazil #Browser #Chrome #Cookies #CreditCard #CreditCards #CyberCrime #CyberSecurity #EDR #Edge #FireFox #GitHub #InfoSec #InfoStealer #Malware #MalwareAsAService #Minecraft #Nodejs #OTX #OpenThreatExchange #Opera #Password #Passwords #PowerShell #RAT #SocialEngineering #Word #bot #AlienVault

  19. LofyStealer: Malware targeting Minecraft players.

    A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.

    Pulse ID: 69f1f50b6a5e5d1ca31204bb
    Pulse Link: otx.alienvault.com/pulse/69f1f
    Pulse Author: AlienVault
    Created: 2026-04-29 12:09:47

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Brave #Brazil #Browser #Chrome #Cookies #CreditCard #CreditCards #CyberCrime #CyberSecurity #EDR #Edge #FireFox #GitHub #InfoSec #InfoStealer #Malware #MalwareAsAService #Minecraft #Nodejs #OTX #OpenThreatExchange #Opera #Password #Passwords #PowerShell #RAT #SocialEngineering #Word #bot #AlienVault

  20. LofyStealer: Malware targeting Minecraft players.

    A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.

    Pulse ID: 69f1f50b6a5e5d1ca31204bb
    Pulse Link: otx.alienvault.com/pulse/69f1f
    Pulse Author: AlienVault
    Created: 2026-04-29 12:09:47

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Brave #Brazil #Browser #Chrome #Cookies #CreditCard #CreditCards #CyberCrime #CyberSecurity #EDR #Edge #FireFox #GitHub #InfoSec #InfoStealer #Malware #MalwareAsAService #Minecraft #Nodejs #OTX #OpenThreatExchange #Opera #Password #Passwords #PowerShell #RAT #SocialEngineering #Word #bot #AlienVault

  21. LofyStealer: Malware targeting Minecraft players.

    A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.

    Pulse ID: 69f1f50b6a5e5d1ca31204bb
    Pulse Link: otx.alienvault.com/pulse/69f1f
    Pulse Author: AlienVault
    Created: 2026-04-29 12:09:47

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Brave #Brazil #Browser #Chrome #Cookies #CreditCard #CreditCards #CyberCrime #CyberSecurity #EDR #Edge #FireFox #GitHub #InfoSec #InfoStealer #Malware #MalwareAsAService #Minecraft #Nodejs #OTX #OpenThreatExchange #Opera #Password #Passwords #PowerShell #RAT #SocialEngineering #Word #bot #AlienVault

  22. ИИ против ИИ: кто победит в кибербезопасности

    Привет! Меня зовут Денис, я руковожу группой мониторинга и анализа инцидентов информационной безопасности. Мы отслеживаем события в инфраструктуре, ищем подозрительную активность, расследуем инциденты, взаимодействуем с внешним SOC и помогаем сотрудникам разбираться с вопросами киберграмотности. За последние пару лет стало особенно заметно: атаки меняются быстрее, чем процессы защиты успевают адаптироваться. Они становятся дешевле, масштабнее и доступнее — во многом за счет ИИ. В этой статье разбираю, какие именно изменения привнес ИИ в атаки, почему классическая модель защиты начинает давать сбои и где ИИ в защите действительно приносит практическую пользу.

    habr.com/ru/companies/naumen/a

    #кибербезопасность #искусственный_интеллект #soc #дипфейки #уязвимости #siem #edr #поведенческий_анализ

  23. ИИ против ИИ: кто победит в кибербезопасности

    Привет! Меня зовут Денис, я руковожу группой мониторинга и анализа инцидентов информационной безопасности. Мы отслеживаем события в инфраструктуре, ищем подозрительную активность, расследуем инциденты, взаимодействуем с внешним SOC и помогаем сотрудникам разбираться с вопросами киберграмотности. За последние пару лет стало особенно заметно: атаки меняются быстрее, чем процессы защиты успевают адаптироваться. Они становятся дешевле, масштабнее и доступнее — во многом за счет ИИ. В этой статье разбираю, какие именно изменения привнес ИИ в атаки, почему классическая модель защиты начинает давать сбои и где ИИ в защите действительно приносит практическую пользу.

    habr.com/ru/companies/naumen/a

    #кибербезопасность #искусственный_интеллект #soc #дипфейки #уязвимости #siem #edr #поведенческий_анализ

  24. ИИ против ИИ: кто победит в кибербезопасности

    Привет! Меня зовут Денис, я руковожу группой мониторинга и анализа инцидентов информационной безопасности. Мы отслеживаем события в инфраструктуре, ищем подозрительную активность, расследуем инциденты, взаимодействуем с внешним SOC и помогаем сотрудникам разбираться с вопросами киберграмотности. За последние пару лет стало особенно заметно: атаки меняются быстрее, чем процессы защиты успевают адаптироваться. Они становятся дешевле, масштабнее и доступнее — во многом за счет ИИ. В этой статье разбираю, какие именно изменения привнес ИИ в атаки, почему классическая модель защиты начинает давать сбои и где ИИ в защите действительно приносит практическую пользу.

    habr.com/ru/companies/naumen/a

    #кибербезопасность #искусственный_интеллект #soc #дипфейки #уязвимости #siem #edr #поведенческий_анализ

  25. ИИ против ИИ: кто победит в кибербезопасности

    Привет! Меня зовут Денис, я руковожу группой мониторинга и анализа инцидентов информационной безопасности. Мы отслеживаем события в инфраструктуре, ищем подозрительную активность, расследуем инциденты, взаимодействуем с внешним SOC и помогаем сотрудникам разбираться с вопросами киберграмотности. За последние пару лет стало особенно заметно: атаки меняются быстрее, чем процессы защиты успевают адаптироваться. Они становятся дешевле, масштабнее и доступнее — во многом за счет ИИ. В этой статье разбираю, какие именно изменения привнес ИИ в атаки, почему классическая модель защиты начинает давать сбои и где ИИ в защите действительно приносит практическую пользу.

    habr.com/ru/companies/naumen/a

    #кибербезопасность #искусственный_интеллект #soc #дипфейки #уязвимости #siem #edr #поведенческий_анализ

  26. One of the things that pentesters are always concerned about is EDR and XDR. In this article, we covered how endpoints are monitored and how detection works

    We also showed how to install Wazuh. You need to have your own lab to test techniques and understand how detection mechanisms work so you can bypass them

    hackers-arise.com/edr-xdr-for-

    #edr #cybersecurity

  27. Untangling a Linux Incident With an OpenAI Twist (Part 2)

    A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining, residential proxy services, and bandwidth-selling components with eight different persistence mechanisms. Actor C, potentially affiliated with Actor B, executed mass data exfiltration of 15 categories including SSH keys, cloud credentials, and API tokens. The threat actors exploited CVE-2025-55182 (React2Shell) affecting Next.js and React applications. While Codex identified some threats, it lacked contextual awareness and privileged access needed for comprehensive incident response, creating additional noise that complicated SOC investigation. The endpoint was ultimately secured through managed EDR telemetry and expert SOC analysis.

    Pulse ID: 69e95245cf3877ded3870cff
    Pulse Link: otx.alienvault.com/pulse/69e95
    Pulse Author: AlienVault
    Created: 2026-04-22 22:57:09

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #OTX #OpenThreatExchange #Proxy #RAT #SMS #SSH #bot #botnet #AlienVault

  28. Mach-O Man Malware: What CISOs Need to Know

    Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.

    Pulse ID: 69e82714e5cf2d1fb9fe1b0a
    Pulse Link: otx.alienvault.com/pulse/69e82
    Pulse Author: AlienVault
    Created: 2026-04-22 01:40:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CyberSecurity #EDR #Google #GoogleMeet #InfoSec #Lazarus #Mac #MacOS #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Telegram #Zoom #bot #AlienVault

  29. Mach-O Man Malware: What CISOs Need to Know

    Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.

    Pulse ID: 69e82714e5cf2d1fb9fe1b0a
    Pulse Link: otx.alienvault.com/pulse/69e82
    Pulse Author: AlienVault
    Created: 2026-04-22 01:40:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CyberSecurity #EDR #Google #GoogleMeet #InfoSec #Lazarus #Mac #MacOS #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Telegram #Zoom #bot #AlienVault

  30. Mach-O Man Malware: What CISOs Need to Know

    Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.

    Pulse ID: 69e82714e5cf2d1fb9fe1b0a
    Pulse Link: otx.alienvault.com/pulse/69e82
    Pulse Author: AlienVault
    Created: 2026-04-22 01:40:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CyberSecurity #EDR #Google #GoogleMeet #InfoSec #Lazarus #Mac #MacOS #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Telegram #Zoom #bot #AlienVault

  31. Mach-O Man Malware: What CISOs Need to Know

    Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.

    Pulse ID: 69e82714e5cf2d1fb9fe1b0a
    Pulse Link: otx.alienvault.com/pulse/69e82
    Pulse Author: AlienVault
    Created: 2026-04-22 01:40:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CyberSecurity #EDR #Google #GoogleMeet #InfoSec #Lazarus #Mac #MacOS #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Telegram #Zoom #bot #AlienVault

  32. Mach-O Man Malware: What CISOs Need to Know

    Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.

    Pulse ID: 69e82714e5cf2d1fb9fe1b0a
    Pulse Link: otx.alienvault.com/pulse/69e82
    Pulse Author: AlienVault
    Created: 2026-04-22 01:40:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CyberSecurity #EDR #Google #GoogleMeet #InfoSec #Lazarus #Mac #MacOS #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Telegram #Zoom #bot #AlienVault

  33. 📰 Qilin Ransomware Blinds Defenses with Advanced EDR Killer, Abusing Vulnerable Drivers

    🔥 Qilin ransomware deploys a sophisticated EDR killer, using a vulnerable signed driver (BYOVD) to disable over 300 security products at the kernel level. A major escalation in defense evasion tactics. #Ransomware #Qilin #EDR #CyberSecurity #BYOVD

    🔗 cyber.netsecops.io/articles/qi

  34. 📰 Qilin Ransomware Blinds Defenses with Advanced EDR Killer, Abusing Vulnerable Drivers

    🔥 Qilin ransomware deploys a sophisticated EDR killer, using a vulnerable signed driver (BYOVD) to disable over 300 security products at the kernel level. A major escalation in defense evasion tactics. #Ransomware #Qilin #EDR #CyberSecurity #BYOVD

    🔗 cyber.netsecops.io/articles/qi

  35. ¿Qué es el EDR moderno? La evolución hacia una protección endpoint de nivel empresarial

    El EDR moderno tiende un puente entre el antivirus y las herramientas complejas, utilizando IA y automatización para ofrecer una detección sólida, una respuesta rápida y una seguridad escalable para pymes y MSP (Fuente WatchGuard Technologies, Inc).

    Durante años, las organizaciones se han enfrentado a una elección difícil en materia de seguridad endpoint.
    Por un lado, existen soluciones asequibles como el antivirus (AV) o las plataformas de protección de endpoints (EPP), diseñadas principalmente para prevenir amenazas conocidas. Por otro, están las complejas plataformas de detección y respuesta en endpoints (EDR) de nivel empresarial, pensadas para organizaciones con equipos de seguridad dedicados.

    Para muchas pequeñas y medianas empresas (pymes) y los proveedores de servicios gestionados (MSP) que las respaldan, ninguna de estas opciones responde por completo a sus necesidades.

    El panorama actual de amenazas exige una capacidad de detección más sólida y una respuesta más rápida. Pero también requiere simplicidad, automatización y eficiencia operativa. Las organizaciones necesitan una seguridad endpoint que ofrezca protección avanzada sin introducir costes elevados ni una complejidad excesiva.

    Aquí es donde entra en juego el EDR moderno.

    ¿Por qué el antivirus tradicional y la protección básica de endpoints ya no son suficientes?

    El antivirus tradicional y las herramientas EPP de primera generación se diseñaron para detener amenazas conocidas mediante firmas y métodos de detección estáticos. Los ataques modernos están concebidos para eludirlos.

    Hoy en día, los ciberdelincuentes recurren a:

    malware sin archivos (fileless malware) y técnicas living-off-the-land
    herramientas administrativas legítimas utilizadas con fines maliciosos
    movimiento lateral automatizado
    modelos de ransomware-as-a-service

    Estas amenazas están diseñadas específicamente para sortear los controles basados únicamente en la prevención.

    Aunque la prevención sigue siendo fundamental, las organizaciones necesitan ahora monitorización continua, detección basada en el comportamiento y capacidades de respuesta automatizada para identificar y contener amenazas avanzadas.

    Por eso, las herramientas EDR se han convertido en un elemento esencial, no opcional, de la seguridad moderna.

    ¿Por qué es tan crítico el EDR para las pymes y los MSP?

    El EDR proporciona una visibilidad más profunda de la actividad en los endpoints, lo que permite a las organizaciones detectar comportamientos sospechosos, investigar incidentes y contener amenazas con rapidez.

    Para las pymes, el EDR moderno ofrece visibilidad y capacidades de nivel empresarial sin necesidad de contar con un equipo de seguridad.

    Para los MSP, un EDR moderno aporta eficiencia operativa al reducir el ruido, proporcionar alertas con contexto enriquecido y proteger de forma coherente múltiples entornos de clientes.

    Las organizaciones de cualquier tamaño pueden ser víctimas de ransomware u otros ataques similares. Por eso, una solución EDR moderna es un componente fundamental de una ciberseguridad eficaz.

    ¿Cuál es el reto de la mayoría de las soluciones EDR?

    Aunque el EDR es fundamental, muchas de las soluciones disponibles en el mercado fueron diseñadas para grandes empresas con operaciones de seguridad maduras.

    Para sacarles el máximo partido, se necesita:

    analistas de seguridad dedicados
    equipos de centro de operaciones de seguridad (SOC) disponibles 24/7
    conocimientos avanzados de threat hunting
    presupuestos operativos significativos

    Sin estos recursos, las organizaciones tienen dificultades para gestionar grandes volúmenes de alertas, investigaciones complejas y necesidades continuas de ajuste.

    Para los equipos de TI más pequeños y los MSP, esto supone un reto importante. Necesitan una solución EDR que entienda sus desafíos y esté pensada para equipos reducidos y ágiles, no para grandes SOC empresariales. Por eso, la siguiente evolución del EDR está impulsada por la automatización y la inteligencia artificial (IA).

    ¿Cómo mejoran la automatización y la IA la detección y respuesta moderna en endpoints?

    Las soluciones EDR modernas impulsadas por IA ayudan a los equipos de seguridad a pasar de la sobrecarga de alertas a información útil y accionable.

    En lugar de presentar telemetría en bruto y alertas desconectadas entre sí, estas plataformas conectan los eventos y aportan un contexto significativo.

    Sus capacidades incluyen:

    Detecciones basadas en el contexto y el comportamiento para reducir los falsos positivos
    Correlación automatizada de incidentes que vincula actividades relacionadas en una única historia de amenaza
    Cronologías visuales enriquecidas de los incidentes que muestran con claridad cómo se desarrolló un ataque
    Contención y remediación automatizadas para detener las amenazas con mayor rapidez y sin intervención humana

    En lugar de abrumar a los equipos con datos en bruto, estas capacidades transforman esa información en incidentes priorizados y contextualizados.

    ¿Cómo pueden los MSP ofrecer seguridad de endpoints de nivel empresarial a escala?

    Para los proveedores de servicios gestionados, la escalabilidad es fundamental. Cada alerta investigada manualmente, cada escalado innecesario y cada falso positivo afectan directamente a los márgenes y a la calidad del servicio.

    El EDR moderno aprovecha la automatización y las correlaciones impulsadas por IA para reducir el tiempo de investigación, disminuir los costes operativos y acelerar los tiempos de respuesta, al tiempo que refuerza la protección.

    Esto permite a los MSP optimizar sus operaciones de seguridad mediante:

    Estandarización de los flujos de respuesta entre clientes
    Reducción del tiempo de investigación por incidente
    Protección de más endpoints sin aumentar la plantilla
    Prestación de capacidades avanzadas de EDR a un mayor número de clientes pyme

    Al reducir la complejidad y la carga operativa, las soluciones EDR modernas ayudan a los MSP a mejorar tanto los resultados de ciberseguridad como el rendimiento del negocio.

    El futuro de la seguridad endpoint

    Durante demasiado tiempo, el mercado de la ciberseguridad ha obligado a las organizaciones a elegir entre una protección básica o una complejidad propia de entornos empresariales avanzados.

    Pero el panorama actual de amenazas ya no admite ese modelo.

    El endpoint sigue siendo uno de los puntos de entrada más atacados en los ciberataques. Por eso, el futuro de la seguridad endpoint se centra en la automatización inteligente, una mayor visibilidad y modelos de protección escalables que funcionen para empresas de todos los tamaños.

    Al combinar una sólida capacidad de prevención con funciones avanzadas de detección y respuesta en endpoints, las plataformas modernas de seguridad endpoinnt están ayudando a cerrar la brecha entre el antivirus básico y la protección de nivel empresarial, haciendo que unas capacidades de ciberseguridad potentes sean más accesibles que nunca. Para las organizaciones que desean una capa adicional de supervisión humana, la integración de un servicio de detección y respuesta gestionadas (MDR) refuerza sus defensas con monitorización experta 24/7, threat hunting y una respuesta rápida.

    En el panorama actual de amenazas, una seguridad de endpoints eficaz no consiste solo en detener ataques. Se trata de detectar amenazas de forma temprana, responder con rapidez y garantizar que todas las organizaciones tengan acceso a la protección que necesitan.-

    #ciberseguridad #edr #epp #PORTADA #watchguard
  36. Nightmare-Eclipse Tooling Seen in Real-World Intrusion | Huntress

    Managed EDR, Managed Security Awareness Training, and Secure Security Professional (SPC) are all available on the Huntress product website, here is a full guide to all the products.

    Pulse ID: 69e774f76e3a38500a84beec
    Pulse Link: otx.alienvault.com/pulse/69e77
    Pulse Author: CyberHunter_NL
    Created: 2026-04-21 13:00:39

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #bot #CyberHunter_NL

  37. Using KATA and KEDR to detect the AdaptixC2 agent

    Pulse ID: 69e6fbbf75365c73146dab55
    Pulse Link: otx.alienvault.com/pulse/69e6f
    Pulse Author: Tr1sa111
    Created: 2026-04-21 04:23:27

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

  38. Untangling a Linux Incident With an OpenAI Twist

    A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent while threat actors remained active on the system. The EDR agent was installed mid-compromise, limiting historical visibility. Codex-generated commands created investigative challenges as they mimicked attacker techniques, triggering security detections and complicating the distinction between legitimate troubleshooting and malicious activity. While Codex helped terminate some malicious processes, it failed to provide complete remediation, allowing threat actors to continue exfiltrating credentials, tokens, and cloud metadata through multiple persistence mechanisms.

    Pulse ID: 69e2417e5e4fdd5f16c75dbe
    Pulse Link: otx.alienvault.com/pulse/69e24
    Pulse Author: AlienVault
    Created: 2026-04-17 14:19:42

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CredentialHarvesting #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #Mimic #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault

  39. Using KATA and KEDR to detect the AdaptixC2 agent

    AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

    Pulse ID: 69e2824daddc65cc4bab207d
    Pulse Link: otx.alienvault.com/pulse/69e28
    Pulse Author: AlienVault
    Created: 2026-04-17 18:56:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

  40. Using KATA and KEDR to detect the AdaptixC2 agent

    AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

    Pulse ID: 69e2824daddc65cc4bab207d
    Pulse Link: otx.alienvault.com/pulse/69e28
    Pulse Author: AlienVault
    Created: 2026-04-17 18:56:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

  41. Using KATA and KEDR to detect the AdaptixC2 agent

    AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

    Pulse ID: 69e2824daddc65cc4bab207d
    Pulse Link: otx.alienvault.com/pulse/69e28
    Pulse Author: AlienVault
    Created: 2026-04-17 18:56:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

  42. Using KATA and KEDR to detect the AdaptixC2 agent

    AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

    Pulse ID: 69e2824daddc65cc4bab207d
    Pulse Link: otx.alienvault.com/pulse/69e28
    Pulse Author: AlienVault
    Created: 2026-04-17 18:56:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

  43. Using KATA and KEDR to detect the AdaptixC2 agent

    AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

    Pulse ID: 69e2824daddc65cc4bab207d
    Pulse Link: otx.alienvault.com/pulse/69e28
    Pulse Author: AlienVault
    Created: 2026-04-17 18:56:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

  44. Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse

    A highly sophisticated multi-stage post-exploitation framework targeting organizations in the Middle East and EMEA financial sectors exploits legitimate digitally signed Intel utilities through .NET AppDomainManager mechanism abuse. The attack leverages trusted binary proxy execution, bypassing EDR and antivirus solutions through JIT-based memory execution and sandbox evasion using computational delays and cryptographic key derivation loops. Initial access occurs via spear-phishing with Arabic-language decoys impersonating Saudi government documents. Once executed, the framework establishes command-and-control communication through Amazon CloudFront CDN domain fronting, employing reflective DLL loading, direct syscall usage, and anti-forensic memory cleanup techniques. The modular plugin-based architecture demonstrates capabilities consistent with advanced persistent threat actors, featuring sophisticated evasion mechanisms including PEB-based API resolution, custom PE export walking, and heap-walking cont...

    Pulse ID: 69e389bd5760ef67b7f37472
    Pulse Link: otx.alienvault.com/pulse/69e38
    Pulse Author: AlienVault
    Created: 2026-04-18 13:40:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Amazon #Arabic #CDN #Cloud #CyberSecurity #EDR #Government #InfoSec #MiddleEast #NET #OTX #OpenThreatExchange #Phishing #Proxy #RAT #Rust #SMS #SpearPhishing #bot #AlienVault

  45. Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse

    A highly sophisticated multi-stage post-exploitation framework targeting organizations in the Middle East and EMEA financial sectors exploits legitimate digitally signed Intel utilities through .NET AppDomainManager mechanism abuse. The attack leverages trusted binary proxy execution, bypassing EDR and antivirus solutions through JIT-based memory execution and sandbox evasion using computational delays and cryptographic key derivation loops. Initial access occurs via spear-phishing with Arabic-language decoys impersonating Saudi government documents. Once executed, the framework establishes command-and-control communication through Amazon CloudFront CDN domain fronting, employing reflective DLL loading, direct syscall usage, and anti-forensic memory cleanup techniques. The modular plugin-based architecture demonstrates capabilities consistent with advanced persistent threat actors, featuring sophisticated evasion mechanisms including PEB-based API resolution, custom PE export walking, and heap-walking cont...

    Pulse ID: 69e389bd5760ef67b7f37472
    Pulse Link: otx.alienvault.com/pulse/69e38
    Pulse Author: AlienVault
    Created: 2026-04-18 13:40:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Amazon #Arabic #CDN #Cloud #CyberSecurity #EDR #Government #InfoSec #MiddleEast #NET #OTX #OpenThreatExchange #Phishing #Proxy #RAT #Rust #SMS #SpearPhishing #bot #AlienVault