#lolbins — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #lolbins, aggregated by home.social.
-
CrashFix marks a notable escalation in ClickFix tradecraft.
The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.
This is a strong case for:
• Behavior-based detection
• EDR in block mode
• Restricting legacy utilities
• User-focused threat modeling💬 Which detection layer would catch this earliest in your environment?
🔔 Follow @technadu for deep technical threat analysis
#InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu
-
CrashFix marks a notable escalation in ClickFix tradecraft.
The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.
This is a strong case for:
• Behavior-based detection
• EDR in block mode
• Restricting legacy utilities
• User-focused threat modeling💬 Which detection layer would catch this earliest in your environment?
🔔 Follow @technadu for deep technical threat analysis
#InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu
-
CrashFix marks a notable escalation in ClickFix tradecraft.
The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.
This is a strong case for:
• Behavior-based detection
• EDR in block mode
• Restricting legacy utilities
• User-focused threat modeling💬 Which detection layer would catch this earliest in your environment?
🔔 Follow @technadu for deep technical threat analysis
#InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu
-
CrashFix marks a notable escalation in ClickFix tradecraft.
The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.
This is a strong case for:
• Behavior-based detection
• EDR in block mode
• Restricting legacy utilities
• User-focused threat modeling💬 Which detection layer would catch this earliest in your environment?
🔔 Follow @technadu for deep technical threat analysis
#InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu
-
🦠 Malware Analysis
===================🦠 Malware Analysis
Executive summary: A recently observed campaign leverages malicious
Windows shortcut files (.LNK) distributed via Discord to deliver a
multi‑functional Remote Access Trojan (RAT). The LNK triggers a hidden
PowerShell that extracts a ZIP (Moq.zip) containing a malicious DLL
and executes it through the legitimate binary odbcconf.exe, a
Living‑off‑the‑Land Binary (LOLBin), to evade detection.Technical details:
• The shortcut named Cyber security.lnk opens an embedded decoy PDF
Cyber security.pdf while running a PowerShell payload in hidden mode
(via a headless conhost.exe).
• The PowerShell creates a working path (Temp and a Nuget folder under
Public), extracts an embedded PDF and the ZIP archive, then drops
Moq.zip and a malicious DLL.
• Execution is handed to odbcconf.exe to load the DLL, enabling
process execution without spawning visible consoles.
• The RAT collects system/antivirus information, attempts AMSI
bypasses, and patches EtwEventWrite to impair Windows Event Tracing
(ETW).🔹 Attack Chain Analysis
1. Initial Access (LNK): User opens Cyber security.lnk from Discord —
triggers hidden PowerShell (MITRE: T1204.002).
2. Download/Stage: PowerShell extracts embedded PDF and Moq.zip into
Temp/Public\Nuget.
3. Execution via LOLBin: odbcconf.exe is used to load the dropped DLL
(MITRE: T1218 — System Binary Proxy Execution).
4. Persistence/Control: Malicious DLL implements RAT behaviors,
including remote commands and reconnaissance.
5. Defense Evasion: AMSI bypass and EtwEventWrite patching (Impair
Defenses) reduce telemetry and impede detection.Detection guidance:
• Monitor process trees where odbcconf.exe is launched from atypical
parents (PowerShell/conhost).
• Alert on hidden PowerShell instances extracting embedded files and
writing PDFs from LNK streams.
• Watch for API patching attempts around EtwEventWrite and AMSI
initialization failures.Mitigation:
• Restrict execution of unsigned Office/shortcut attachments from
untrusted channels.
• Apply application control to prevent odbcconf.exe from loading untrusted DLLs.
• Enable telemetry and harden AMSI where possible; monitor ETW integrity.References/Notes: Preliminary detections were reported from Israel;
campaign observed distribution via Discord and use of decoy PDFs. #LNK
#RAT #AMSI #ETW #LOLBins -
Microsoft elimanará WMIC en la actualización Windows 11 25H2 https://blog.elhacker.net/2025/09/microsoft-elimanara-wmic-lolbin-windows11.html #powershell #ransomware #LOLBins #Windows #wmi
-
Microsoft elimanará WMIC en la actualización Windows 11 25H2 https://blog.elhacker.net/2025/09/microsoft-elimanara-wmic-lolbin-windows11.html #powershell #ransomware #LOLBins #Windows #wmi
-
Microsoft elimanará WMIC en la actualización Windows 11 25H2 https://blog.elhacker.net/2025/09/microsoft-elimanara-wmic-lolbin-windows11.html #powershell #ransomware #LOLBins #Windows #wmi
-
Microsoft elimanará WMIC en la actualización Windows 11 25H2 https://blog.elhacker.net/2025/09/microsoft-elimanara-wmic-lolbin-windows11.html #powershell #ransomware #LOLBins #Windows #wmi
-
No PE header? No problem.
@FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.
You ever load a binary in IDA and think, “Am I being punk’d?”
Yeah, it’s one of those samples.This sample:
Reconstructs its own PE structure at runtime
Hides config data in obfuscated blobs
Uses anti-sandbox tricks to avoid analysis
Drops yet another info-stealer, because originality is dead
It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-headerTL;DR for blue teamers:
Static AV signatures won’t help here
Watch for suspicious memory allocations + hollowing patterns
Endpoint heuristics > file-based detection
Log your PowerShell and LOLBins — this thing probably brings friends
If your EDR cries when it sees raw shellcode, maybe give it a hug
#ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam
-
No PE header? No problem.
@FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.
You ever load a binary in IDA and think, “Am I being punk’d?”
Yeah, it’s one of those samples.This sample:
Reconstructs its own PE structure at runtime
Hides config data in obfuscated blobs
Uses anti-sandbox tricks to avoid analysis
Drops yet another info-stealer, because originality is dead
It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-headerTL;DR for blue teamers:
Static AV signatures won’t help here
Watch for suspicious memory allocations + hollowing patterns
Endpoint heuristics > file-based detection
Log your PowerShell and LOLBins — this thing probably brings friends
If your EDR cries when it sees raw shellcode, maybe give it a hug
#ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam
-
No PE header? No problem.
@FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.
You ever load a binary in IDA and think, “Am I being punk’d?”
Yeah, it’s one of those samples.This sample:
Reconstructs its own PE structure at runtime
Hides config data in obfuscated blobs
Uses anti-sandbox tricks to avoid analysis
Drops yet another info-stealer, because originality is dead
It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-headerTL;DR for blue teamers:
Static AV signatures won’t help here
Watch for suspicious memory allocations + hollowing patterns
Endpoint heuristics > file-based detection
Log your PowerShell and LOLBins — this thing probably brings friends
If your EDR cries when it sees raw shellcode, maybe give it a hug
#ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam
-
No PE header? No problem.
@FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.
You ever load a binary in IDA and think, “Am I being punk’d?”
Yeah, it’s one of those samples.This sample:
Reconstructs its own PE structure at runtime
Hides config data in obfuscated blobs
Uses anti-sandbox tricks to avoid analysis
Drops yet another info-stealer, because originality is dead
It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-headerTL;DR for blue teamers:
Static AV signatures won’t help here
Watch for suspicious memory allocations + hollowing patterns
Endpoint heuristics > file-based detection
Log your PowerShell and LOLBins — this thing probably brings friends
If your EDR cries when it sees raw shellcode, maybe give it a hug
#ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam
-
No PE header? No problem.
@FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.
You ever load a binary in IDA and think, “Am I being punk’d?”
Yeah, it’s one of those samples.This sample:
Reconstructs its own PE structure at runtime
Hides config data in obfuscated blobs
Uses anti-sandbox tricks to avoid analysis
Drops yet another info-stealer, because originality is dead
It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-headerTL;DR for blue teamers:
Static AV signatures won’t help here
Watch for suspicious memory allocations + hollowing patterns
Endpoint heuristics > file-based detection
Log your PowerShell and LOLBins — this thing probably brings friends
If your EDR cries when it sees raw shellcode, maybe give it a hug
#ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam
-
They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.
#LOLBins #infosec #cybersecurity #redteam #ethicalhacking #windowssecurity #postexploitation #DeadSwitchhttp://tomsitcafe.com/2025/05/06/living-off-the-land-how-hackers-use-your-tools-against-you/
-
They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.
#LOLBins #infosec #cybersecurity #redteam #ethicalhacking #windowssecurity #postexploitation #DeadSwitchhttp://tomsitcafe.com/2025/05/06/living-off-the-land-how-hackers-use-your-tools-against-you/
-
They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.
#LOLBins #infosec #cybersecurity #redteam #ethicalhacking #windowssecurity #postexploitation #DeadSwitchhttp://tomsitcafe.com/2025/05/06/living-off-the-land-how-hackers-use-your-tools-against-you/
-
Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.
So... I made one: https://github.com/danzek/awesome-lol-commonly-abused
Contributions welcome, whether by replying to this post or sending a PR on GitHub.
-
Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.
So... I made one: https://github.com/danzek/awesome-lol-commonly-abused
Contributions welcome, whether by replying to this post or sending a PR on GitHub.
-
Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.
So... I made one: https://github.com/danzek/awesome-lol-commonly-abused
Contributions welcome, whether by replying to this post or sending a PR on GitHub.
-
#Hackers are abusing #Microsoft tools more than ever before
Abuse of #LOLbins in #cyberattacks is skyrocketing, Sophos says
https://www.techradar.com/pro/security/hackers-are-abusing-microsoft-tools-more-than-ever-before
-
#Hackers are abusing #Microsoft tools more than ever before
Abuse of #LOLbins in #cyberattacks is skyrocketing, Sophos says
https://www.techradar.com/pro/security/hackers-are-abusing-microsoft-tools-more-than-ever-before
-
#Hackers are abusing #Microsoft tools more than ever before
Abuse of #LOLbins in #cyberattacks is skyrocketing, Sophos says
https://www.techradar.com/pro/security/hackers-are-abusing-microsoft-tools-more-than-ever-before
-
#Hackers are abusing #Microsoft tools more than ever before
Abuse of #LOLbins in #cyberattacks is skyrocketing, Sophos says
https://www.techradar.com/pro/security/hackers-are-abusing-microsoft-tools-more-than-ever-before
-
#Hackers are abusing #Microsoft tools more than ever before
Abuse of #LOLbins in #cyberattacks is skyrocketing, Sophos says
https://www.techradar.com/pro/security/hackers-are-abusing-microsoft-tools-more-than-ever-before
-
The Bite from Inside: The Sophos Active Adversary Report – Source: news.sophos.com https://ciso2ciso.com/the-bite-from-inside-the-sophos-active-adversary-report-source-news-sophos-com/ #ActiveAdversaryReport #SecurityOperations #incidentresponse #activeadversary #ThreatResearch #nakedsecurity #0CISO2CISO #featured #LoLBINs #MDR #RDP #IR
-
The Bite from Inside: The Sophos Active Adversary Report – Source: news.sophos.com https://ciso2ciso.com/the-bite-from-inside-the-sophos-active-adversary-report-source-news-sophos-com/ #ActiveAdversaryReport #SecurityOperations #incidentresponse #activeadversary #ThreatResearch #nakedsecurity #0CISO2CISO #featured #LoLBINs #MDR #RDP #IR
-
The Bite from Inside: The Sophos Active Adversary Report – Source: news.sophos.com https://ciso2ciso.com/the-bite-from-inside-the-sophos-active-adversary-report-source-news-sophos-com/ #ActiveAdversaryReport #SecurityOperations #incidentresponse #activeadversary #ThreatResearch #nakedsecurity #0CISO2CISO #featured #LoLBINs #MDR #RDP #IR
-
an awesome overview of all the LOL and GTFO stuff. Even some are well known it's a good overview.
https://github.com/sheimo/awesome-lolbins-and-beyond
#redteam #lolbin #gtfo #securityressource #lolbins #blueteam #detectionengineering
-
an awesome overview of all the LOL and GTFO stuff. Even some are well known it's a good overview.
https://github.com/sheimo/awesome-lolbins-and-beyond
#redteam #lolbin #gtfo #securityressource #lolbins #blueteam #detectionengineering
-
an awesome overview of all the LOL and GTFO stuff. Even some are well known it's a good overview.
https://github.com/sheimo/awesome-lolbins-and-beyond
#redteam #lolbin #gtfo #securityressource #lolbins #blueteam #detectionengineering
-
an awesome overview of all the LOL and GTFO stuff. Even some are well known it's a good overview.
https://github.com/sheimo/awesome-lolbins-and-beyond
#redteam #lolbin #gtfo #securityressource #lolbins #blueteam #detectionengineering
-
Detecting Malicious Use of LOLBins: https://www.huntress.com/blog/detecting-malicious-use-of-lolbins
-
Detecting Malicious Use of LOLBins: https://www.huntress.com/blog/detecting-malicious-use-of-lolbins
-
Detecting Malicious Use of LOLBins: https://www.huntress.com/blog/detecting-malicious-use-of-lolbins
-
Detecting Malicious Use of LOLBins: https://www.huntress.com/blog/detecting-malicious-use-of-lolbins
-
Detecting Malicious Use of LOLBins: https://www.huntress.com/blog/detecting-malicious-use-of-lolbins
-
Anatomía de un ataque del ransomware Akira https://blog.elhacker.net/2024/07/anatomia-de-un-ataque-del-ransomware-akira.html #ransomware #LOLBins #akira #ioc #ttp
-
Anatomía de un ataque del ransomware Akira https://blog.elhacker.net/2024/07/anatomia-de-un-ataque-del-ransomware-akira.html #ransomware #LOLBins #akira #ioc #ttp
-
Anatomía de un ataque del ransomware Akira https://blog.elhacker.net/2024/07/anatomia-de-un-ataque-del-ransomware-akira.html #ransomware #LOLBins #akira #ioc #ttp
-
Anatomía de un ataque del ransomware Akira https://blog.elhacker.net/2024/07/anatomia-de-un-ataque-del-ransomware-akira.html #ransomware #LOLBins #akira #ioc #ttp
-
Bloquear LOLbins con el firewall de Windows https://blog.elhacker.net/2023/12/bloquear-lolbins-con-el-firewall-de-windows.html #LOLBins
-
Bloquear LOLbins con el firewall de Windows https://blog.elhacker.net/2023/12/bloquear-lolbins-con-el-firewall-de-windows.html #LOLBins
-
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
The Song Remains the Same: The 2023 Active Adversary Report for Security Practitioners – Source: news.sophos.com https://ciso2ciso.com/the-song-remains-the-same-the-2023-active-adversary-report-for-security-practitioners-source-news-sophos-com/ #rssfeedpostgeneratorecho #ActiveAdversaryReport #CyberSecurityNews #IncidentResponse #incidentresponse #ThreatResearch #nakedsecurity #practitioners #nakedsecurity #dwelltime #FEATURED #featured #LOLbins #LoLBINs #tools #mdr #MDR
-
The Song Remains the Same: The 2023 Active Adversary Report for Security Practitioners – Source: news.sophos.com https://ciso2ciso.com/the-song-remains-the-same-the-2023-active-adversary-report-for-security-practitioners-source-news-sophos-com/ #rssfeedpostgeneratorecho #ActiveAdversaryReport #CyberSecurityNews #IncidentResponse #incidentresponse #ThreatResearch #nakedsecurity #practitioners #nakedsecurity #dwelltime #FEATURED #featured #LOLbins #LoLBINs #tools #mdr #MDR