#malwareresearch — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #malwareresearch, aggregated by home.social.
-
🧠 Formbook Daily Report
⬇️ Trend: declining (21%)
📊 11 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-21
-
🧠 AsyncRAT Daily Report
⬇️ Trend: declining (18%)
📊 7 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-18
-
🧠 Vidar Daily Report
⬇️ Trend: declining (28%)
📊 9 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-19
-
🧠 Vidar Daily Report
⬆️ Trend: rising (35%)
📊 11 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-16
-
🧠 AsyncRAT Daily Report
⬆️ Trend: rising (50%)
📊 15 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-16
-
Proton Reports Malicious Proton VPN Impersonators in Chrome Web Store
Impact reportedly included:
• Credential harvesting
• Personal data collection
• Potential traffic relay
• Abuse of brand trust
Repeated reporting allegedly led to delayed removal.
Security takeaways:
• Extension ecosystems remain high-risk
• Search-based brand targeting is effective for attackers
• Store review latency increases exposure window
Community question:
Should browser vendors implement stricter publisher verification or cryptographic signing tied to corporate identity?
Source: https://cyberinsider.com/proton-warns-of-malicious-chrome-extensions-impersonating-its-vpn-service/
Engage below and follow @technadu for threat ecosystem analysis and digital trust reporting.
#ThreatIntel #BrowserSecurity #ExtensionSecurity #ProtonVPN #CyberRisk #AppStoreSecurity #Infosec #MalwareResearch
-
TrustConnect = RAT disguised as RMM.
Discovered by Proofpoint.
Technical observations:
• Centralized multi-customer C2
• API-driven agent registration (/api/agents/register)
• WebSocket RDP streaming
• EV certificate abuse (revoked Feb 6, 2026)
• Branded payload generation per org token
• Rapid infra pivot → “DocConnect” (SignalR integration)
Subscription model: $300/month via BTC/USDT.
Operators tracked victims across tenants.
This is MaaS evolving toward operational maturity — automation, AI-assisted site generation, and SaaS-style lifecycle management.
How should defenders adjust detection logic when malware is digitally signed and infrastructure rotates quickly?
Source: https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat
Engage below.
Follow TechNadu for technical threat intelligence coverage.
#ThreatIntelligence #ReverseEngineering #MalwareResearch #RAT #MaaS #SOC #DFIR #CyberOperations #DetectionEngineering
-
CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification
This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring
How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.
Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer
Follow @technadu for ongoing threat intelligence coverage.
#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse
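The "950MB padded executable (null-byte inflation)" item in the post above is a triage problem for defenders: a file inflated far past scanner size limits is often skipped, and its full-file hash differs from every other variant padded to a different length. The following is an added example, not code from CTM360 or the post's author. It reads a sample's tail backwards in chunks (so a multi-hundred-megabyte file is never loaded whole), measures the run of trailing 0x00 bytes, flags the file as inflated when the padding exceeds a threshold, and hashes the un-padded core so analysts can correlate variants. The thresholds (1 MiB of padding and at least half the file) and the sample bytes are assumptions constructed for the example.

```python
"""Flag executables inflated with trailing null bytes and hash the un-padded core.

Added example for the CTM360 post above; not code from CTM360 or TechNadu.
The thresholds (1 MiB of padding, at least half the file) are assumptions.
"""
import hashlib
import os
from io import BytesIO


def tail_null_run(fh, chunk_size=1 << 20):
    """Count the run of 0x00 bytes at the end of a seekable binary stream.

    Reads backwards one chunk at a time, so a very large sample is never
    held in memory at once; stops at the first non-zero byte seen.
    """
    fh.seek(0, os.SEEK_END)
    pos = fh.tell()
    run = 0
    while pos > 0:
        step = min(chunk_size, pos)
        pos -= step
        fh.seek(pos)
        chunk = fh.read(step)
        zeros = len(chunk) - len(chunk.rstrip(b"\x00"))
        run += zeros
        if zeros < len(chunk):
            break  # a non-zero byte sits inside this chunk; the null run ends here
    return run


def tail_null_run_bytes(data, chunk_size=1 << 20):
    """Convenience wrapper for in-memory data (same backward-chunk logic)."""
    return tail_null_run(BytesIO(data), chunk_size)


def padding_profile(data, min_padding_bytes=1 << 20, min_padding_fraction=0.5):
    """Return size, trailing-null statistics, an 'inflated' verdict and two hashes.

    sha256_full is the hash of the file as delivered; sha256_core is the hash of
    the file with trailing nulls removed, which is stable across padding lengths.
    """
    total = len(data)
    trailing = tail_null_run_bytes(data)
    fraction = trailing / total if total else 0.0
    core = data[: total - trailing]
    return {
        "size": total,
        "trailing_nulls": trailing,
        "padding_fraction": round(fraction, 4),
        "inflated": trailing >= min_padding_bytes and fraction >= min_padding_fraction,
        "sha256_full": hashlib.sha256(data).hexdigest(),
        "sha256_core": hashlib.sha256(core).hexdigest(),
    }


# Constructed samples (not real malware): a small fake PE-like core, and the
# same core with 4 KiB of null padding appended.
FAKE_CORE = b"MZ" + b"\x90" * 64 + b"constructed-core"
FAKE_PADDED = FAKE_CORE + b"\x00" * 4096

if __name__ == "__main__":
    # A lower threshold than the default so the tiny constructed sample trips it.
    for name, blob in (("core", FAKE_CORE), ("padded", FAKE_PADDED)):
        p = padding_profile(blob, min_padding_bytes=1024)
        print(name, p["size"], p["trailing_nulls"], p["padding_fraction"],
              p["inflated"], p["sha256_core"][:16])
```

Only trailing null padding is covered; a sample padded in the middle or with non-zero filler would need a different measure (entropy per region, for instance). The core hash is a correlation aid, not a replacement for the full-file hash that appears in published IoC lists.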
-
Observed campaign summary:
Initial Access:
• Phishing emails with Excel (.XLAM) attachments
Execution:
• CVE-2018-0802 (EQNEDT32.EXE)
• HTA → mshta.exe
• PowerShell in-memory decoding
Deployment:
• Fileless .NET loader disguised as Microsoft.Win32.TaskScheduler
• Process hollowing into Msbuild.exe
• AES-encrypted C2 packets
• Delimited command protocol
• Plugin-based architecture (50+ modules)
Capabilities include credential theft, ransomware, DDoS, system control, registry persistence, and remote command execution.
This campaign demonstrates mature modular RAT engineering combined with social engineering entry points.
Blue teamers - which telemetry source provides the strongest signal here?
Follow @technadu for ongoing malware analysis and threat intelligence coverage.
#Infosec #MalwareResearch #ThreatIntel #XWorm #RAT #ProcessInjection #EDR #DFIR #CyberDefense #BlueTeam #TechNadu
-
Proofpoint reports TA584 activity using Tsundere Bot, a Node.js-based MaaS platform, to establish access that could enable ransomware deployment.
The malware supports system profiling, remote JavaScript execution, SOCKS proxying, and C2 resolution via Ethereum-based EtherHiding techniques. Campaign volume and geographic scope have increased notably.
What detection or control points matter most here?
Follow @technadu for objective infosec coverage.
#ThreatIntelligence #MalwareResearch #InitialAccess #EmailThreats #C2Infrastructure #Ransomware
-
This multi-stage Windows attack chain highlights how modern campaigns increasingly avoid exploits in favor of social engineering, cloud-hosted payloads, OS trust assumptions, and layered persistence.
The abuse of Defender configuration, Security Center trust models, and legitimate services underscores the importance of behavioral monitoring over signature-based detection.
Early-stage visibility appears critical - once recovery and security controls are disabled, response options narrow quickly.
Thoughts welcome. Follow @technadu for neutral, practitioner-focused cybersecurity reporting.
#ThreatHunting #EDR #WindowsDefense #MalwareResearch #CyberOperations #SecurityEngineering
-
Amazon refunded my plant hangers so now I have the four android phones they sent to me instead. They are of questionable origin up for grabs for any researchers. Sent to me by a random Chinese Amazon seller. Who wants some questionable android phones? #malware #android #malwareresearch
-
Hey there! I stumbled upon a fresh sample of the Formbook info-stealer malware. During analysis I found that this malware hides its payload in a vulnerable WordPress website.
Read the article to learn more.
#FormBook #Stealer #MalwareAnalysis #MalwareResearch #CTI #ThreatIntel #InfoSec https://ashishranax.github.io/posts/FormBook-Malware-The-Uninvited-Guest-of-WordPress/ -
MalwareDB v0.0.9 released! Mostly minor internal and VT improvements. https://github.com/malwaredb/malwaredb-rs/releases/tag/v0.0.9 #MalwareResearch #MalwareMachineLearning
-
Join me for an Elastic Security Community virtual event. I will be giving a tech talk on my Journey Into Malware Research and Reverse Engineering.
Hope to see you there! 🤩🙌
Date: Thursday, October 19
Time: 8am PST/11am EST
#Elastic #ElasticSecurity #reverseengineering #malwareresearch #securityresearch
#womenincyber #womenincybersecurity
Meetup link:
https://www.meetup.com/elastic-united-states-and-canada-virtual/events/296510147/
Session will be recorded and shared on the YouTube Elastic Community page for those who are unable to attend.
-
Exciting news! 📣 Join me at ATT&CK CON 4.0 on October 24-25, 2023, in McLean, VA or online. I'll be presenting alongside my colleague Michael Raggi from Mandiant/Google Cloud. We're unveiling a groundbreaking technique, never seen before, exploiting the .lnk shortcut format. Don't miss out! Register here: [Registration Link](https://na.eventscloud.com/website/58627/) #ATTACKCON #malwareresearch