RT @muha2xmad: As-salamu Alaykum.I wrote 3 #yara rules about #RedLine stealer , #ArrowRAT, and #MilleniumRat. RedLine:.

Just wrote a deep-dive APT profiling report on Mustang Panda, the Chinese state-aligned cyberespionage group. The report covers adversary focus areas, tactics and tradecraft, abuse of Visual Studio Code tunneling, kernel-level EDR evasion, custom malware and toolsets, exploited

PureLogs is live. A new challenge created by me. good luck.

RT @mSult4n: Just published a new blog post on how Microsoft’s “Mouse Without Borders” can be abused for data exfiltration & lateral moveme….

Open directory spotted: 20.243.255[.]185.Hosting multiple suspicious files, including:. shell_le: Metasploit ELF payload - recently submitted to VirusTotal. true.png: PNG file with embedded VBScript (1/61 on VT) - recently submitted to VirusTotal. main_mips: ELF binary flagged

#DiscoQueen stealer panel spotted . https://41.216.188[.]41/. It uses the same domain discoqueen[.]lol, which previously resolved to 41[.]216.183.17. @500mk500 @ViriBack

#clickfix #booking #fakecaptcha.bokparthub[.]click → (Under Construction). apartmenr-di16[.]click → PowerShell ( → → LightYellow4.pfx Hex-based ZIP reconstructed → payload cleaned → executed via regsvr32.exe abuse (LOLBins)

This is my first time in tracking APTs, so I'm open for any advices and corrections.

Low Confidence Infrastructure – APT43 (Kimsuky).222[.]73[.]105[.]195 --> 0/94.This IP refers to 2 malicious files imperosnate Yunda Express . 91[.]210[.]106[.]42 --> 0/94. 146[.]70[.]81[.]61 --> 0/94 resolves --> health15hde[.]xyz. 124[.]40[.]247[.]67 --> 0/94.

38[.]54[.]50[.]57 --> 1/94.156[.]244[.]19[.]218 --> 1/94

95[.]196[.]78[.]150 --> 0/94.206[.]72[.]192[.]71 --> 0/94.91[.]195[.]240[.]123 --> 9/94

just hunted down fresh undetected & low detected APT43 (kimsuky) infra by pivoting using HTTP header analysis and SSL JARM fingerprinting. 162[.]220[.]11[.]84 --> 0/94.194[.]63[.]129[.]86 --> 0/94.3[.]89[.]115[.]251 --> 0/94.110[.]142[.]212[.]109 --> 1/94.More IOCs in replies

RT @MalGamy12: We’re excited to announce the launch of , a platform built by analysts, for analysts and it’s compl….

Lately, I've been working on analyzing several stealers and a PE injector. Take a look 😃. Fileless pe injector uses reflective loading : Purelogger: Salat Stealer: Flesh Stealer:

RT @vxunderground:

FExcited to share that now supports Android OS inside its interactive sandbox! You can analyze APK behavior in real time, right in the cloud. 🔥 Available for ALL plans (yes, even free!). 📷 Let’s check it out together!

RT @dexpose_io: A .NET PE injector hid on flagged clean & raising no alarms. Our Threat Intel team analyzed it, e….

Fake job interviews are a growing attack vector One example here is InvisibleFerret, a malware from North Korea, that targets tech professionals.See detailed analysis of its code and collect IOCs to avoid infection . by @MauroEldritch .@anyrun_app.

Check out my latest report on s blog🤠.