YungBinary (@YungBinary)
Followers: 618 · Following: 954 · Media: 53 · Statuses: 138
Malware Research @eSentire
Joined October 2016
@YungBinary · 2 days
New blog on #Sinobi ransomware! They used an MSP's compromised SonicWall SSL VPN creds for initial access. Decryption is impossible w/o the attacker's private key, unless of course you hooked CryptGenRandom😜.
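The CryptGenRandom remark, worked through as an added example (not Sinobi's code and not from the tweet): a hybrid ransomware key flow in which the per-file key and nonce come from the RNG and leave the host only wrapped under the attacker's public key, next to the defender's recovery path that works solely because the RNG outputs were logged. Textbook RSA and an HMAC-SHA256 counter keystream are stand-ins for the real primitives, the RecordingRng class stands in for a hook on CryptGenRandom, and the sample document is constructed.

```python
import hashlib
import hmac
import os
import random

# Stand-ins, assumed for illustration only: textbook RSA for the attacker's
# keypair and an HMAC-SHA256 counter keystream for the per-file cipher.
# Neither is Sinobi's implementation; the key-handling shape is the point.

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)); the attacker keeps (d, n), the victim host only sees (e, n)."""
    e = 65537
    def prime(k):
        while True:
            c = random.getrandbits(k) | (1 << (k - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher, not a recommended design."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class RecordingRng:
    """Stand-in for a CryptGenRandom hook: returns real randomness but logs
    every buffer handed to the caller."""
    def __init__(self):
        self.log = []
    def __call__(self, n):
        buf = os.urandom(n)
        self.log.append(buf)
        return buf

def ransom_encrypt(plaintext, attacker_pub, rng):
    """Hybrid scheme: fresh file key and nonce from the RNG, key wrapped under the
    attacker's public key, data encrypted with the file key. The raw file key is
    never written anywhere; only the wrapped form travels with the ciphertext."""
    e, n = attacker_pub
    file_key, nonce = rng(32), rng(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return {"nonce": nonce, "wrapped_key": wrapped,
            "ct": xor(plaintext, keystream(file_key, nonce, len(plaintext)))}

def attacker_decrypt(blob, attacker_priv):
    """Only the private-key holder can unwrap the file key."""
    d, n = attacker_priv
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(32, "big")
    return xor(blob["ct"], keystream(file_key, blob["nonce"], len(blob["ct"])))

def recover_from_rng_log(blob, rng_log, known_prefix):
    """Defender path: every 32-byte buffer the hooked RNG handed out is a candidate
    file key; the one that reproduces a known plaintext prefix (a file magic) is it.
    No private key involved. Returns None when the log does not hold the key."""
    for cand in rng_log:
        if len(cand) != 32:
            continue
        pt = xor(blob["ct"], keystream(cand, blob["nonce"], len(blob["ct"])))
        if pt.startswith(known_prefix):
            return pt
    return None

def demo():
    pub, priv = rsa_keygen()
    rng = RecordingRng()
    document = b"%PDF-1.7 constructed sample document body"  # constructed input
    blob = ransom_encrypt(document, pub, rng)
    return document, attacker_decrypt(blob, priv), recover_from_rng_log(blob, rng.log, b"%PDF")

if __name__ == "__main__":
    doc, via_attacker, via_hook = demo()
    print("attacker private-key path:", via_attacker == doc)
    print("hooked RNG log path:      ", via_hook == doc)
```

The hook has to be in place before the sample runs, and it has to capture every call, since nonces and per-file keys are drawn from the same RNG; after the fact there is nothing to log, which is why recovery otherwise rests entirely on the attacker's private key.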
@YungBinary · 7 days
Seeing a (potential new?) python-based backdoor we're tracking as #PyNightshade for the second time delivered via #ClickFix that uses sockets for C2. Supports several commands from C2, including: remote shell, uploading files from the victim host, and self-deletion. It uses RC4
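As an added example (not PyNightshade's code; only "RC4 over sockets" and the command kinds come from the tweet), a pure-Python RC4 next to a length-prefixed frame parser for a reassembled TCP stream. The framing, the key and the three commands are constructed assumptions; the parser stops cleanly at a truncated trailing frame, which is what a partial capture looks like.

```python
import json
import struct

def rc4(key, data):
    """RC4: key-scheduling (KSA) then PRGA keystream XORed over data.
    Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Hypothetical framing for a TCP C2 channel: 4-byte big-endian length, then
# RC4(key, JSON command). The framing is an assumption for this example.
def build_frame(key, command):
    body = rc4(key, json.dumps(command, separators=(",", ":")).encode())
    return struct.pack(">I", len(body)) + body

def parse_frames(key, stream):
    """Split a reassembled TCP stream into frames and decrypt each.
    Returns (decoded commands, leftover bytes of any truncated final frame)."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        if pos + 4 + length > len(stream):
            break
        frames.append(json.loads(rc4(key, stream[pos + 4:pos + 4 + length])))
        pos += 4 + length
    return frames, stream[pos:]

# Constructed traffic (not a capture): the command kinds the tweet names.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_COMMANDS = [
    {"cmd": "shell", "arg": "whoami"},
    {"cmd": "upload", "arg": "C:\\Users\\victim\\Documents\\notes.txt"},
    {"cmd": "selfdelete"},
]
SAMPLE_STREAM = b"".join(build_frame(SAMPLE_KEY, c) for c in SAMPLE_COMMANDS)

if __name__ == "__main__":
    decoded, rest = parse_frames(SAMPLE_KEY, SAMPLE_STREAM + b"\x00\x00\x00\x10partial")
    for c in decoded:
        print(c)
    print("leftover bytes:", rest)
```

With the key recovered from the sample, the same parser runs over the client-to-server direction of a pcap to list what the host actually sent back; the known RC4 test vectors (Key/Plaintext, Wiki/pedia) are the quickest check that an implementation lifted from a script matches the textbook cipher rather than a modified variant.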
@YungBinary · 12 days
Dropping a new malware config parser for #Amadey! Update your CAPEv2 parsers:

sudo -u cape bash -c 'cd /opt/CAPEv2 && poetry add CAPE-parsers@latest && systemctl restart cape cape-web cape-processor'

Check it out here:
@YungBinary · 18 days
Fun tip, if you find you're unable to retrieve a "fileless" stage in a malware chain, e.g. invoked .NET DLL stage, you can download memory dumps from VirusTotal, search through them for known strings or bytes that should be in the payload, open in hex editor, and find the
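The carving step described above, as an added example (not the author's tooling): find PE candidates in a memory dump by checking MZ, e_lfanew and the PE signature, read the headers needed to size the image, flag .NET images through the CLR data directory, and map a hit for a known string back to the PE that contains it. The dump and the minimal .NET DLL inside it are constructed here, and the marker string is an assumption.

```python
import re
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def find_pe_candidates(blob):
    """Offsets where 'MZ' leads (via e_lfanew at +0x3C) to a 'PE\\0\\0' signature.
    The e_lfanew bound is a plausibility heuristic that drops stray 'MZ' bytes."""
    hits = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            continue
        (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
        pe = off + e_lfanew
        if not (0x40 <= e_lfanew <= 0x1000) or pe + 24 > len(blob):
            continue
        if blob[pe:pe + 4] == b"PE\0\0":
            hits.append(off)
    return hits

def parse_pe(blob, off):
    """Pull what carving needs out of the COFF, optional and section headers."""
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    (magic,) = struct.unpack_from("<H", blob, opt)
    (size_of_image,) = struct.unpack_from("<I", blob, opt + 56)
    # Data directories start at +96 (PE32) or +112 (PE32+); the CLR header is index 14.
    dd_base = opt + (112 if magic == 0x20B else 96)
    (n_dirs,) = struct.unpack_from("<I", blob, dd_base - 4)
    clr_rva = struct.unpack_from("<I", blob, dd_base + 14 * 8)[0] if n_dirs > 14 else 0
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_FMT, blob, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize})
    raw_size = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {"machine": machine, "is_pe32plus": magic == 0x20B, "is_dotnet": clr_rva != 0,
            "size_of_image": size_of_image, "raw_size": raw_size, "sections": sections}

def carve(blob, off, mapped=False):
    """Raw layout (file bytes copied into memory): end at the last section's raw end.
    Mapped layout (image laid out by the loader): end at SizeOfImage instead."""
    info = parse_pe(blob, off)
    end = off + (info["size_of_image"] if mapped else info["raw_size"])
    return blob[off:end]

def locate_marker(blob, marker):
    """For each hit of a known payload string, report the PE candidate containing it:
    the search-then-carve step the tip describes."""
    cands = find_pe_candidates(blob)
    result = []
    for m in re.finditer(re.escape(marker), blob):
        owner = None
        for off in cands:
            if off <= m.start() < off + parse_pe(blob, off)["raw_size"]:
                owner = off
        result.append((m.start(), owner))
    return result

def build_sample_dump():
    """Constructed memory dump: filler, a decoy 'MZ', then a minimal PE32 .NET DLL
    in raw layout whose .text holds a recognisable string. Not a real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)  # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 56, 0x3000)                   # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header => .NET
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, len(opt), 0x2102)
    secs = struct.pack(SECTION_FMT, b".text\0\0\0", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rsrc\0\0\0", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + coff + opt + secs).ljust(0x200, b"\0")
    text = b"Stage2Loader.Beacon.Run".ljust(0x400, b"\0")   # assumed marker string
    pe = headers + text + b"\0" * 0x200                        # 0x800 bytes total
    return b"\xCC" * 0x300 + b"MZ decoy text" + b"\xCC" * 0x2F3 + pe + b"\xCC" * 0x100

if __name__ == "__main__":
    dump = build_sample_dump()
    for off in find_pe_candidates(dump):
        info = parse_pe(dump, off)
        print(f"PE at 0x{off:x}: machine=0x{info['machine']:x} dotnet={info['is_dotnet']} "
              f"raw=0x{info['raw_size']:x} image=0x{info['size_of_image']:x} "
              f"sections={[s['name'] for s in info['sections']]}")
    print(locate_marker(dump, b"Stage2Loader"))
```

On a real dump decide raw versus mapped before carving: if the section data sits at the VirtualAddress offsets rather than PointerToRawData, carve SizeOfImage and rebase the section headers (or feed the mapped image to a tool that does) before handing it to a .NET decompiler.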
@YungBinary · 23 days
Literally me after stepping outside for 5 minutes in this Vegas heat 🥵
@YungBinary · 24 days
Dropping a new tool to extract malware configurations from #MonsterV2 samples, enjoy! 🙂
@YungBinary · 28 days
New blog is out on #InterlockGroup and has a wealth of TTPs for detection engineers, tools for security researchers, deobfuscated scripts, and a C2 simulation script for #InterlockRAT! Screenshots below show the deobfuscated PHP-based backdoor and annotated communications of
@YungBinary · 28 days
New blog is out on a python-based stealer we discovered being used by ShadowCoil (ex-RansomHub affiliate)! Included in the blog is a tool to unpack scripts automatically; the screenshot below shows what one of these packed scripts looks like.
@YungBinary · 1 month
Indicators of Compromise can be found here ->
github.com: eSentire/iocs (Contribute to eSentire/iocs development by creating an account on GitHub.)
@YungBinary · 1 month
Here are some hashes for those interested!
e5ce3951f82531943d68b4eb1a8e13c2
cfeffd65de53fcc69a7b98dec9e83d93
9c24b44d27161ad72a0931fa5057faf3
015338c3eaf42c0da81867df798173bd
1d490b4312d5624b98fc3bd76e444e1a
223e6354ed974886e4ea8ae7ae3da0db
8cfed2d9889352d1a14a4a17d8c3b753
@YungBinary · 1 month
#CyberStealer malware targets everything from crypto wallets to password managers. New malware analysis blog out now!
@YungBinary · 1 month
RT @p3bt3b: Just dropped a blog uncovering #GhostCrypt👻, a novel crypter powering the #PureRAT (successor of #PureHVNC). It uses #Process…
@YungBinary · 1 month
Looks like #Interlock #Ransomware group has logic in their backend to detect sandboxes and virtual machines by sending data retrieved via the systeminfo command and matching strings, then they return a benign PowerShell command that downloads/executes a .NET SDK installer rather
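The server-side check described above, reconstructed as an added example (not Interlock's code): parse systeminfo output and match the fields a VM or sandbox typically gives away, then pick which response the described backend would serve. The marker table and both systeminfo transcripts are constructed; the response function returns labels only.

```python
import re

# Field values systeminfo shows on common hypervisors. Reconstructed for this
# example, not Interlock's actual match list. Hyper-V guests report
# "Microsoft Corporation" as manufacturer, which Surface hardware also does, so
# only the model string is used for that case.
VM_MARKERS = {
    "System Manufacturer": ["VMware, Inc.", "QEMU", "innotek GmbH", "Xen"],
    "System Model": ["VMware Virtual Platform", "VirtualBox", "Standard PC",
                     "Virtual Machine", "HVM domU", "KVM"],
    "BIOS Version": ["VMware", "VirtualBox", "SeaBIOS", "Bochs", "Hyper-V UEFI"],
}
HYPERVISOR_DETECTED = re.compile(r"Hyper-V Requirements:\s*A hypervisor has been detected", re.I)

def parse_systeminfo(text):
    """Top-level 'Key:   value' lines only; indented continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def classify_host(text):
    """Return (is_virtual, reasons) from raw systeminfo output."""
    fields = parse_systeminfo(text)
    reasons = [f"{key} contains {needle!r}"
               for key, needles in VM_MARKERS.items()
               for needle in needles if needle.lower() in fields.get(key, "").lower()]
    if HYPERVISOR_DETECTED.search(text):
        reasons.append("Hyper-V Requirements reports a running hypervisor")
    return bool(reasons), reasons

def backend_response(text):
    """What the described backend hands back: a benign decoy command for suspected
    sandboxes/VMs, the real next stage otherwise. Labels only, no payloads here."""
    is_virtual, _ = classify_host(text)
    return "decoy" if is_virtual else "stage"

# Constructed transcripts, not captures from real hosts.
SAMPLE_VM = """\
Host Name:                 DESKTOP-SANDBOX
OS Name:                   Microsoft Windows 10 Pro
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Total Physical Memory:     4,095 MB
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
"""
SAMPLE_BARE = """\
Host Name:                 WS-FIN-014
OS Name:                   Microsoft Windows 11 Pro
System Manufacturer:       Dell Inc.
System Model:              Latitude 5540
BIOS Version:              Dell Inc. 1.12.0, 3/14/2024
Total Physical Memory:     32,451 MB
Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
"""

if __name__ == "__main__":
    for label, text in (("vm", SAMPLE_VM), ("bare-metal", SAMPLE_BARE)):
        print(label, backend_response(text), classify_host(text)[1])
```

For sandbox operators the practical consequence is the inverse of this check: a detonation that only fetches a .NET SDK installer is a sign the backend classified the box as a VM, not evidence that the sample is benign, so the systeminfo surface (manufacturer, model, BIOS strings, the Hyper-V line) is what to mask before re-running it.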
@YungBinary · 2 months
Introducing ThreadSlayer: a tool I created to securely prepare hacking forum thread content for internal sharing. It does this by parsing a PDF dump of the thread and sanitizing embedded URLs/redacting specified usernames, userIDs, etc.
@YungBinary · 2 months
Threat actors decompiled and recompiled SonicWall's .NET based NetExtender client to include a backdoor that harvests VPN credentials ->
@YungBinary · 2 months
Updated #Lumma stealer C2 extractor! See