#malware-analysis — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #malware-analysis, aggregated by home.social.
-
Threat attribution works at 3 levels: tactical examines the incident, operational characterizes the campaign, and strategic asks who's responsible and why. Disciplined analysts weigh the same 6 signals at every level.
-
A defensive, static deep dive into the Linux malware a honeypot captured after weak logins: fake daemons, persistent backdoors, relay abuse, and detections. https://hackernoon.com/static-analysis-of-linux-malware-captured-by-a-cowrie-honeypot #malwareanalysis
-
Hardware enclaves (AMD SEV, Intel TDX) are just expensive band-aids for a fundamental software failure. If your threat model assumes a malicious hypervisor, your RAM is already compromised.
I got tired of passive defenses. So, I engineered TITAN NEXUS: A Hostile Runtime Environment in Golang that treats the operating system as an active enemy.
Welcome to Schrödinger’s Cryptography. If the host tries to observe the memory, the memory destroys itself.
How the architecture works:
☢️ 1. GC Eradication: Go's Garbage Collector is a forensic liability. TITAN completely bypasses it. Ed25519 keys are pinned in isolated, non-pageable memory arenas. They never float.
☢️ 2. Trap & Poison: The binary actively monitors for snapshot interrupts or unprivileged state freezes.
☢️ 3. Microsecond Suicide: Before a hypervisor can successfully dump the physical RAM, TITAN triggers an aggressive `sys.Memzero` and violently corrupts its own state.
I'm not building walls; I'm building a self-destructing maze.
To the elite Reverse Engineers, Memory Forensics experts, and Red Teamers on this instance:
Can your hypervisor outrace a microsecond memory trap? How do you extract an active payload from a process that intentionally poisons itself the exact millisecond you try to inspect it? 👇 Let's talk offensive architectures. Link to the logic in the replies.
#ReverseEngineering #CloudSecurity #Golang #RedTeam #MalwareAnalysis #Cryptography #ZeroTrust #DFIR #InfoSec
-
We read more threat attribution claims than we make. Six signals separate the ones that hold up from the ones that don't, and analysts weigh them together to build a defensible case.
-
🔍 New analysis: an Italian phishing campaign abusing Chrome Native Messaging to escape browser sandbox restrictions.
Attack chain:
Invoice phishing → obfuscated JS → DLL sideloading → malicious Chrome extension → Native Messaging Host → PowerShell execution.
Legitimate technologies chained together to turn Chrome into a backdoor.
📌 https://www.d3lab.net/breaking-out-of-chromes-sandbox-a-native-messaging-backdoor-observed-in-italy/
#ThreatIntelligence #Chrome #BrowserSecurity #MalwareAnalysis #CTI #CyberSecurity
-
I was tired of digging through endless random cybersecurity lists, so naturally I built another random cybersecurity list - just cleaner, prettier and actually organized.
Hack Hub is a curated directory of useful security resources.
#CyberSecurity #InfoSec #Hacking #EthicalHacking #Pentesting #RedTeam #BlueTeam #DFIR #OSINT #ThreatIntel #MalwareAnalysis #BugBounty #CloudSecurity #MobileSecurity #OpenSource #SecurityTools #SecurityResearch #Linux #Hackers #Tech
-
The REMnux MCP server can now draft malware analysis reports using my new report template:
-
🚀 OhMyPCAP 4.0.0 is HERE!
The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.
New in v4.0:
• Upgraded to YARA Forge Full ruleset — more comprehensive malware & threat detection
• Exiftool + rich file metadata analysis — get more file information even if there are no YARA matches
All the power you love is still here:
Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).
Ideal for malware analysis, incident response, threat hunting, forensics & teaching.
Who’s pulling this version right now? Drop a ❤️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)
#PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis
-
We're excited to announce that the Call for Trainers is now OPEN for DEF CON Training Middle East!
Are you passionate about cybersecurity, hacking, and hands-on learning? Do you have expertise in emerging threats, defensive strategies, or cutting-edge security techniques? We want to hear from you!
Visit training.defcon.org to submit your trainer application for a two-day or three-day course by May 9, 2026.
https://training.defcon.org/pages/2026-middle-east-call-for-trainers
#DEFCON #DEFCONTraining #Cybersecurity #Training #Hacking #InfoSec #SecurityCommunity #DEFCONMiddleEast #AI #RedTeam #BlueTeam #DigitalForensics #CyberTalent #MalwareAnalysis
-
🧠 Agent Tesla Daily Report
⬇️ Trend: declining (28%)
📊 17 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-21
-
🧠 Formbook Daily Report
⬇️ Trend: declining (40%)
📊 8 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-19
-
🧠 Formbook Daily Report
⬇️ Trend: declining (30%)
📊 9 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-18
-
🧠 Vidar Daily Report
⬆️ Trend: rising (47%)
📊 16 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-18
-
🧠 Vidar Daily Report
⬆️ Trend: rising (75%)
📊 16 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-17
-
🧠 Formbook Daily Report
⬆️ Trend: rising (161%)
📊 28 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-16
-
🧠 Formbook Daily Report
⬆️ Trend: rising (229%)
📊 24 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-15
-
🧠 Formbook Daily Report
⬆️ Trend: rising (69%)
📊 13 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-14
-
🧠 QuasarRAT Daily Report
➡️ Trend: stable (4%)
📊 4 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/quasar-rat/reports/2026-04-13
-
🧠 AsyncRAT Daily Report
⬇️ Trend: declining (36%)
📊 4 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-12
-
🧠 AsyncRAT Daily Report
➡️ Trend: stable (2%)
📊 6 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-11
-
🧠 AsyncRAT Daily Report
⬆️ Trend: rising (289%)
📊 15 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-10
-
🧠 Agent Tesla Daily Report
⬇️ Trend: declining (21%)
📊 9 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-08
-
🧠 Formbook Daily Report
➡️ Trend: stable (9%)
📊 8 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-07
-
CW: Full toolkit (3 samples + scripts + YARA): (no download needed)
https://archive.org/details/500ms-supply-chain-verification-toolkit
The name references Andres Freund's 500ms SSH delay that uncovered the XZ backdoor.
The core finding: JsonSchema.Net.dll shipped in Microsoft's DesktopAppInstaller has a SHA256 that doesn't match any official NuGet release. It has a PE timestamp of year 2095. And it's signed by Microsoft's HSM.
You can verify this on your own Windows 11 machine without downloading anything from me:
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\ConfigurationRemotingServer\JsonSchema.Net.dll"
Compare with NuGet official: https://www.nuget.org/packages/JsonSchema.Net/7.2.3
The toolkit also includes anomalies in Google's cloudcode_cli (104K internal refs) and Intel's IGCCTray (GCP data exfil in a graphics driver).
🔍 500ms — Supply chain anomalies in Windows 11 default binaries
JsonSchema.Net.dll in Microsoft DesktopAppInstaller:
→ Hash ≠ any official NuGet release
→ PE timestamp: year 2095
→ Signed by Microsoft HSM post-modification
Verify on YOUR OWN Windows 11 (no download needed):
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\...\JsonSchema.Net.dll"
Compare: nuget.org/packages/JsonSchema.Net/7.2.3
#infosec #supplychainattack #malwareanalysis #microsoft #cybersecurity #threatintel #windows11 #forensics
-
🧠 AsyncRAT Daily Report
⬇️ Trend: declining (62%)
📊 3 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-06
-
🧠 QuasarRAT Daily Report
⬇️ Trend: declining (46%)
📊 5 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/quasar-rat/reports/2026-04-04
-
Tried to book a bar. Ended up reverse engineering a malware campaign instead.
A fake "Cloudflare verify" page copied an obfuscated PowerShell loader to my clipboard. So I broke it down:
XOR-obfuscated script
Payload delivery
RedCap infostealer analysis
REMnux, Ghidra & Hybrid Analysis
Also watched the infrastructure get taken down mid-write-up.
First time doing any RE
https://blog.michaelrbparker.com/post/17
(Still haven't booked that drink.)
-
🚀 Just released smali-lsp!
A Language Server for Smali with:
• Goto definition
• Cross-references
• Symbols & hover
• Works with any IDE (minimal setup)
Also includes an MCP server → plug into AI agents for faster APK analysis 🤖
🔗 https://github.com/Surendrajat/smali-lsp
#AndroidDev #ReverseEngineering #MalwareAnalysis #LSP #InfoSec #RE #security #dalvik
-
#ReverseEngineering with #AI? @martin_fmi explains how #LLMs recognize malware patterns, reconstruct external system calls & make hidden architectures visible. Even with obfuscated code.
Read & prepare for the worst case: https://javapro.io/de/ki-gesteuertes-reverse-engineering-von-java-anwendungen/
-
APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.
Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.
The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.
Are critical infrastructure operators prepared for USB-mediated C2 relays?
Engage below.
Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.
#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture
-
RE: https://infosec.exchange/@washi/116109971111061839
MY MORTAL ENEMY IS THAT ONE zgRAT YARA RULE IT SHOWS UP FREAKING EVERYWHERE AND IS SO WRONG ASDHFJDSHFHASFHSDJAH
thank you for this Washi! I learned some things about .NET from this post as well!
popping on the #ReverseEngineering #MalwareAnalysis tags too