home.social

#malwareresearch — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #malwareresearch, aggregated by home.social.

  1. Proton Reports Malicious Proton VPN Impersonators in Chrome Web Store

    Impact reportedly included:
    • Credential harvesting
    • Personal data collection
    • Potential traffic relay
    • Abuse of brand trust
    Repeated reporting allegedly led to delayed removal.

    Security takeaways:
    • Extension ecosystems remain high-risk
    • Search-based brand targeting is effective for attackers
    • Store review latency increases exposure window

    Community question:
    Should browser vendors implement stricter publisher verification or cryptographic signing tied to corporate identity?

    Source: cyberinsider.com/proton-warns-

    Engage below and follow @technadu for threat ecosystem analysis and digital trust reporting.

    #ThreatIntel #BrowserSecurity #ExtensionSecurity #ProtonVPN #CyberRisk #AppStoreSecurity #Infosec #MalwareResearch

  2. TrustConnect = RAT disguised as RMM.
    Discovered by Proofpoint.
    Technical observations:
    • Centralized multi-customer C2
    • API-driven agent registration (/api/agents/register)
    • WebSocket RDP streaming
    • EV certificate abuse (revoked Feb 6, 2026)
    • Branded payload generation per org token
    • Rapid infra pivot → “DocConnect” (SignalR integration)
    Subscription model: $300/month via BTC/USDT.
    Operators tracked victims across tenants.
    This is MaaS evolving toward operational maturity — automation, AI-assisted site generation, and SaaS-style lifecycle management.

    How should defenders adjust detection logic when malware is digitally signed and infrastructure rotates quickly?

    Source: proofpoint.com/us/blog/threat-

    Engage below.
    Follow TechNadu for technical threat intelligence coverage.

    #ThreatIntelligence #ReverseEngineering #MalwareResearch #RAT #MaaS #SOC #DFIR #CyberOperations #DetectionEngineering

  3. CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
    Technical highlights:
    • 950MB padded executable (null-byte inflation)
    • AutoIt loader reconstruction
    • Memory-resident payload execution
    • Multipart/form-data POST exfiltration
    • Malicious extension “NinjaBrowserMonetisation”
    • XOR + Base56-like JS obfuscation
    • Scheduled task persistence
    • Russian search engine default modification

    This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
    Defensive priorities:
    – IoC blocking at firewall + EDR
    – Redirect chain inspection
    – Extension audit controls
    – Endpoint scheduled task monitoring

    How are you adjusting detection engineering for SaaS-based malware distribution?
    Engage below.

    Source: ctm360.com/reports/ninja-brows

    Follow @technadu for ongoing threat intelligence coverage.

    #ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse

  4. Observed campaign summary:

    Initial Access:
    • Phishing emails with Excel (.XLAM) attachments
    Execution:
    • CVE-2018-0802 (EQNEDT32.EXE)
    • HTA → mshta.exe
    • PowerShell in-memory decoding
    Deployment:
    • Fileless .NET loader disguised as Microsoft.Win32.TaskScheduler
    • Process hollowing into Msbuild.exe
    • AES-encrypted C2 packets
    • Delimited command protocol
    • Plugin-based architecture (50+ modules)

    Capabilities include credential theft, ransomware, DDoS, system control, registry persistence, and remote command execution.

    This campaign demonstrates mature modular RAT engineering combined with social engineering entry points.

    Blue teamers - which telemetry source provides the strongest signal here?

    Source: fortinet.com/blog/threat-resea

    Follow @technadu for ongoing malware analysis and threat intelligence coverage.

    #Infosec #MalwareResearch #ThreatIntel #XWorm #RAT #ProcessInjection #EDR #DFIR #CyberDefense #BlueTeam #TechNadu
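The execution chain in this post, as an added detection example (not code from the post or the Fortinet write-up): walk process-creation ancestry and alert when several of the listed parent-to-child transitions appear in one lineage, which answers the telemetry question with process-creation events. The events are constructed; the PowerShell to Msbuild.exe pair is an assumption about where the in-memory .NET loader runs.

```python
# Added example (not from the post or the Fortinet write-up): flag the
# EQNEDT32.EXE -> mshta.exe -> powershell.exe -> Msbuild.exe lineage in
# constructed, Sysmon-style process-creation records.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Parent -> child transitions from the post's execution chain. The first two
# are stated there; the third assumes the fileless .NET loader runs inside the
# PowerShell host before it hollows Msbuild.exe.
SUSPICIOUS_PAIRS: Dict[Tuple[str, str], str] = {
    ("eqnedt32.exe", "mshta.exe"): "Equation Editor (CVE-2018-0802) launching the HTA host",
    ("mshta.exe", "powershell.exe"): "HTA handing off to PowerShell",
    ("powershell.exe", "msbuild.exe"): "PowerShell spawning Msbuild.exe (hollowing target)",
}

def basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links from pid towards the root, child first; stop on unknown or cyclic pids."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain

def chain_reasons(chain: List[ProcEvent]) -> List[str]:
    """Suspicious transitions present along one ancestry list (child first)."""
    keys = [(basename(p.image), basename(c.image)) for c, p in zip(chain, chain[1:])]
    return [SUSPICIOUS_PAIRS[k] for k in keys if k in SUSPICIOUS_PAIRS]

def detect(events: List[ProcEvent], min_pairs: int = 2) -> List[Tuple[int, str, List[str]]]:
    """Alert on processes whose ancestry shows at least min_pairs chain transitions.

    A single pair is weak evidence (a developer running MSBuild from a PowerShell
    prompt produces one); linked transitions are what make this lineage distinctive.
    """
    alerts = []
    for e in events:
        reasons = chain_reasons(ancestry(events, e.pid))
        if len(reasons) >= min_pairs:
            alerts.append((e.pid, basename(e.image), reasons))
    return alerts

# Constructed sample: one infected lineage plus a benign developer session.
# EQNEDT32.EXE is started by DCOM (svchost.exe parent), not by Excel, which is
# why Excel -> EQNEDT32 is deliberately not one of the pairs above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", 'EXCEL.EXE "invoice.xlam"'),
    ProcEvent(250, 0, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(300, 250, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe", "mshta.exe <hta-url-placeholder>"),
    ProcEvent(500, 400, PS, "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    ProcEvent(600, 500, MSBUILD, "MSBuild.exe"),
    ProcEvent(700, 100, PS, "powershell.exe"),
    ProcEvent(800, 700, MSBUILD, "MSBuild.exe app.csproj"),
]

if __name__ == "__main__":
    for pid, image, reasons in detect(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): " + "; ".join(reasons))
```

With the default threshold only the infected PowerShell and Msbuild.exe processes alert; the developer's Msbuild.exe run shares one transition but has no mshta.exe ancestor.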

  5. Proofpoint reports TA584 activity using Tsundere Bot, a Node.js-based MaaS platform, to establish access that could enable ransomware deployment.

    The malware supports system profiling, remote JavaScript execution, SOCKS proxying, and C2 resolution via Ethereum-based EtherHiding techniques. Campaign volume and geographic scope have increased notably.

    What detection or control points matter most here?

    Follow @technadu for objective infosec coverage.

    #ThreatIntelligence #MalwareResearch #InitialAccess #EmailThreats #C2Infrastructure #Ransomware

  6. This multi-stage Windows attack chain highlights how modern campaigns increasingly avoid exploits in favor of social engineering, cloud-hosted payloads, OS trust assumptions, and layered persistence.

    The abuse of Defender configuration, Security Center trust models, and legitimate services underscores the importance of behavioral monitoring over signature-based detection.

    Early-stage visibility appears critical - once recovery and security controls are disabled, response options narrow quickly.

    Source: fortinet.com/blog/threat-resea

    Thoughts welcome. Follow @technadu for neutral, practitioner-focused cybersecurity reporting.

    #ThreatHunting #EDR #WindowsDefense #MalwareResearch #CyberOperations #SecurityEngineering

  7. Amazon refunded my plant hangers so now I have the four android phones they sent to me instead. They are of questionable origin, up for grabs for any researchers. Sent to me by a random Chinese Amazon seller. Who wants some questionable android phones? #malware #android #malwareresearch

  8. Hey there! I stumbled upon a fresh sample of Formbook info-stealer malware. During analysis I found this malware hides its payload in a vulnerable WordPress website.
    Read the article to know more.
    #FormBook #Stealer #MalwareAnalysis #MalwareResearch #CTI #ThreatIntel #InfoSec ashishranax.github.io/posts/Fo

  9. Join me for an Elastic Security Community virtual event. I will be giving a tech talk on my Journey Into Malware Research and Reverse Engineering.

    Hope to see you there! 🤩🙌

    Date: Thursday, October 19
    Time: 8am PST/11am EST

    #Elastic #ElasticSecurity #reverseengineering #malwareresearch #securityresearch
    #womenincyber #womenincybersecurity

    Meetup link:
    meetup.com/elastic-united-stat

    The session will be recorded and shared on the Elastic Community YouTube page for those who are unable to attend.

  10. Exciting news! 📣 Join me at ATT&CK CON 4.0 on October 24-25, 2023, in McLean, VA or online. I'll be presenting alongside my colleague Michael Raggi from Mandiant/Google Cloud. We're unveiling a groundbreaking technique, never seen before, exploiting the .lnk shortcut format. Don't miss out! Register here: na.eventscloud.com/website/586 #ATTACKCON #malwareresearch
    Meetup link:
    meetup.com/elastic-united-stat

    Session will be recorded and shared on the YouTube Elastic Community page for those who are unable to attend.

  29. Exciting news! 📣 Join me at ATT&CK CON 4.0 on October 24-25, 2023, in McLean, VA or online. I'll be presenting alongside my colleague Michael Raggi from Mandiant/Google Cloud. We're unveiling a groundbreaking technique, never seen before, exploiting the .lnk shortcut format. Don't miss out! Register here: [Registration Link](na.eventscloud.com/website/586) #ATTACKCON #malwareresearch