home.social

#malware-analysis — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #malware-analysis, aggregated by home.social.

  1. Threat attribution works at 3 levels: Tactical examines the incident, operational characterizes the campaign, and strategic asks who's responsible and why. Disciplined analysts weigh the same 6 signals at every level.

    zeltser.com/six-signals-for-th

    #malwareanalysis #incidentresponse

  3. A defensive, static deep dive into the Linux malware a honeypot captured after weak logins: fake daemons, persistent backdoors, relay abuse, and detections. hackernoon.com/static-analysis #malwareanalysis

  5. Hardware enclaves (AMD SEV, Intel TDX) are just expensive band-aids for a fundamental software failure. If your threat model assumes a malicious hypervisor, your RAM is already compromised.

    I got tired of passive defenses. So, I engineered TITAN NEXUS: A Hostile Runtime Environment in Golang that treats the operating system as an active enemy.

    Welcome to Schrödinger’s Cryptography. If the host tries to observe the memory, the memory destroys itself.

    How the architecture works:
    ☢️ 1. GC Eradication: Go's Garbage Collector is a forensic liability. TITAN completely bypasses it. Ed25519 keys are pinned in isolated, non-pageable memory arenas. They never float.
    ☢️ 2. Trap & Poison: The binary actively monitors for snapshot interrupts or unprivileged state freezes.
    ☢️ 3. Microsecond Suicide: Before a hypervisor can successfully dump the physical RAM, TITAN triggers an aggressive `sys.Memzero` and violently corrupts its own state.

    I’m not building walls; I’m building a self-destructing maze.

    To the elite Reverse Engineers, Memory Forensics experts, and Red Teamers on this instance:
    Can your hypervisor outrace a microsecond memory trap? How do you extract an active payload from a process that intentionally poisons itself the exact millisecond you try to inspect it? 👇

    Let's talk offensive architectures. Link to the logic in the replies.

    #ReverseEngineering #CloudSecurity #Golang #RedTeam #MalwareAnalysis #Cryptography #ZeroTrust #DFIR #InfoSec

  6. We read more threat attribution claims than we make. Six signals separate the ones that hold up from the ones that don't, and analysts weigh them together to build a defensible case.

    zeltser.com/six-signals-for-th

    #malwareanalysis #incidentresponse

  8. 🔍 New analysis: an Italian phishing campaign abusing Chrome Native Messaging to escape browser sandbox restrictions.

    Attack chain:

    Invoice phishing → obfuscated JS → DLL sideloading → malicious Chrome extension → Native Messaging Host → PowerShell execution.

    Legitimate technologies chained together to turn Chrome into a backdoor.

    📌 d3lab.net/breaking-out-of-chro

    #ThreatIntelligence #Chrome #BrowserSecurity #MalwareAnalysis #CTI #CyberSecurity

  10. I was tired of digging through endless random cybersecurity lists, so naturally I built another random cybersecurity list - just cleaner, prettier and actually organized.

    Hack Hub is a curated directory of useful security resources.

    hackhub.fyi

    #CyberSecurity #InfoSec #Hacking #EthicalHacking #Pentesting #RedTeam #BlueTeam #DFIR #OSINT #ThreatIntel #MalwareAnalysis #BugBounty #CloudSecurity #MobileSecurity #OpenSource #SecurityTools #SecurityResearch #Linux #Hackers #Tech

  12. The REMnux MCP server can now draft malware analysis reports using my new report template:

    zeltser.com/ai-malware-analysi

    #malwareanalysis #remnux

  14. 🚀 OhMyPCAP 4.0.0 is HERE!

    The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.

    New in v4.0:
    • Upgraded to YARA Forge Full ruleset — more comprehensive malware & threat detection
    • Exiftool + rich file metadata analysis — get more file information even if there are no YARA matches

    All the power you love is still here:
    Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).

    Ideal for malware analysis, incident response, threat hunting, forensics & teaching.

    Who’s pulling this version right now? Drop a ❤️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)

    #PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis

    @chrissanders88 @lennyzeltser

  15. We're excited to announce that the Call for Trainers is now OPEN for DEF CON Training Middle East!

    Are you passionate about cybersecurity, hacking, and hands-on learning? Do you have expertise in emerging threats, defensive strategies, or cutting-edge security techniques? We want to hear from you!

    Visit training.defcon.org to submit your trainer application for a two-day or three-day course by May 9, 2026.
    training.defcon.org/pages/2026

    #DEFCON #DEFCONTraining #Cybersecurity #Training #Hacking #InfoSec #SecurityCommunity #DEFCONMiddleEast #AI #RedTeam #BlueTeam #DigitalForensics #CyberTalent #MalwareAnalysis

  17. 🧠 Agent Tesla Daily Report

    ⬇️ Trend: declining (28%)
    📊 17 new samples
    🌐 0 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/agent-tesla

    #CyberSecurity #MalwareAnalysis #SOC

  18. 🧠 Formbook Daily Report

    ⬇️ Trend: declining (40%)
    📊 8 new samples
    🌐 55 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/formbook/re

    #CyberSecurity #MalwareAnalysis #SOC

  19. 🧠 Formbook Daily Report

    ⬇️ Trend: declining (30%)
    📊 9 new samples
    🌐 55 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/formbook/re

    #CyberSecurity #MalwareAnalysis #SOC

  20. 🧠 Vidar Daily Report

    ⬆️ Trend: rising (47%)
    📊 16 new samples
    🌐 100 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/vidar/repor

    #CyberSecurity #MalwareAnalysis #SOC

  21. 🧠 Vidar Daily Report

    ⬆️ Trend: rising (75%)
    📊 16 new samples
    🌐 100 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/vidar/repor

    #CyberSecurity #MalwareAnalysis #SOC

  22. 🧠 Formbook Daily Report

    ⬆️ Trend: rising (161%)
    📊 28 new samples
    🌐 55 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/formbook/re

    #CyberSecurity #MalwareAnalysis #SOC

  23. 🧠 Formbook Daily Report

    ⬆️ Trend: rising (229%)
    📊 24 new samples
    🌐 55 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/formbook/re

    #CyberSecurity #MalwareAnalysis #SOC

  24. 🧠 Formbook Daily Report

    ⬆️ Trend: rising (69%)
    📊 13 new samples
    🌐 55 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/formbook/re

    #CyberSecurity #MalwareAnalysis #SOC

  25. 🧠 AsyncRAT Daily Report

    ⬇️ Trend: declining (36%)
    📊 4 new samples
    🌐 100 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/async-rat/r

    #CyberSecurity #MalwareAnalysis #SOC

  26. 🧠 AsyncRAT Daily Report

    ⬆️ Trend: rising (289%)
    📊 15 new samples
    🌐 100 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/async-rat/r

    #CyberSecurity #MalwareAnalysis #SOC

  27. 🧠 Agent Tesla Daily Report

    ⬇️ Trend: declining (21%)
    📊 9 new samples
    🌐 0 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/agent-tesla

    #CyberSecurity #MalwareAnalysis #SOC

  28. CW: Full toolkit (3 samples + scripts + YARA): (no download needed)

    archive.org/details/500ms-supp

    The name references Andres Freund's 500ms SSH delay that uncovered the XZ backdoor.

    The core finding: JsonSchema.Net.dll shipped in Microsoft's DesktopAppInstaller has a SHA256 that doesn't match any official NuGet release. It has a PE timestamp of year 2095. And it's signed by Microsoft's HSM.

    You can verify this on your own Windows 11 machine without downloading anything from me:

    Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\ConfigurationRemotingServer\JsonSchema.Net.dll"

    Compare with NuGet official: nuget.org/packages/JsonSchema.

    The toolkit also includes anomalies in Google's cloudcode_cli (104K internal refs) and Intel's IGCCTray (GCP data exfil in a graphics driver).

    🔍 500ms — Supply chain anomalies in Windows 11 default binaries

    JsonSchema.Net.dll in Microsoft DesktopAppInstaller:
    → Hash ≠ any official NuGet release
    → PE timestamp: year 2095
    → Signed by Microsoft HSM post-modification

    Verify on YOUR OWN Windows 11 (no download needed):
    Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\...\JsonSchema.Net.dll"
    Compare: nuget.org/packages/JsonSchema.Net/7.2.3

    #infosec #supplychainattack #malwareanalysis #microsoft #cybersecurity #threatintel #windows11 #forensics

  30. 🧠 AsyncRAT Daily Report

    ⬇️ Trend: declining (62%)
    📊 3 new samples
    🌐 100 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/async-rat/r

    #CyberSecurity #MalwareAnalysis #SOC

  31. 🧠 QuasarRAT Daily Report

    ⬇️ Trend: declining (46%)
    📊 5 new samples
    🌐 0 C2 servers

    Full analysis, IOCs, and hashes:
    yazoul.net/malware/quasar-rat/

    #CyberSecurity #MalwareAnalysis #SOC

  32. Tried to book a bar. Ended up reverse engineering a malware campaign instead.

    A fake "Cloudflare verify" page copied an obfuscated PowerShell loader to my clipboard. So I broke it down:

    XOR-obfuscated script
    Payload delivery
    RedCap infostealer analysis
    REMnux, Ghidra & Hybrid Analysis

    Also watched the infrastructure get taken down mid-write-up.

    First time doing any RE

    blog.michaelrbparker.com/post/

    (Still haven't booked that drink.)

    #CyberSecurity #MalwareAnalysis #ThreatAnalysis

  33. 🚀 Just released smali-lsp!

    A Language Server for Smali with:
    • Goto definition
    • Cross-references
    • Symbols & hover
    • Works with any IDE (minimal setup)

    Also includes an MCP server → plug into AI agents for faster APK analysis 🤖

    🔗 github.com/Surendrajat/smali-l

  34. #ReverseEngineering with #KI? @martin_fmi explains how #LLMs recognize malware patterns, reconstruct external system calls & make hidden architectures visible. Even with obfuscated code.

    Read & prepare for the real thing: javapro.io/de/ki-gesteuertes-r

    #MalwareAnalysis

  35. APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

    Observed tradecraft includes:
    • LNK-based initial execution
    • Embedded PowerShell payload extraction
    • Ruby interpreter abuse (v3.3.0)
    • Scheduled task persistence (5-minute interval)
    • USB-based covert bidirectional C2
    • Multi-stage backdoor deployment
    Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

    The removable media relay model enables:
    – Command staging offline
    – Data exfiltration without internet access
    – Lateral spread across isolated systems
    – Surveillance via Windows spyware
    This reinforces a critical point:
    Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.

    Are critical infrastructure operators prepared for USB-mediated C2 relays?

    Source: bleepingcomputer.com/news/secu

    Engage below.

    Follow TechNadu for high-signal threat intelligence insights.
    Repost to elevate awareness.

    #Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture

  36. RE: infosec.exchange/@washi/116109

    MY MORTAL ENEMY IS THAT ONE zgRAT YARA RULE IT SHOWS UP FREAKING EVERYWHERE AND IS SO WRONG ASDHFJDSHFHASFHSDJAH

    thank you for this Washi! I learned some things about .NET from this post as well!

    popping on the #ReverseEngineering #MalwareAnalysis tags too