Really awesome new research from @k33b0i @soolidsnakee

#RONINGLOADER -> PPL abuse, the new hotness.

#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant. Check it out at https://t.co/Df8JLO6w4d

It's not too often we get to work shoulder-to-shoulder with the practitioners and researchers on the front lines. #REF3927 is an intrusion set that deploys SEO cloaking capabilities, RATs, webshells, and RMMs - largely using a novel IIS module we named #TOLLBOOTH

Fantastic work by the @harfanglab team describing and documenting indicators and detection logic for "RudePanda," described with complementary analysis by the @elasticseclabs team as "TOLLBOOTH." https://t.co/DS83PaxYi0

#ElasticSecurityLabs releases nightMARE, a Python-based library for malware analysts that we use to build tools for acquiring intelligence. Read more about it here:

@bluish_red_ @ValidinLLC Really great research from @bluish_red_ and the team at @elasticseclabs! Worth a read and if you're running IIS, should definitely check if you're impacted.

Amazing experience to work the great folks @elasticseclabs on this write up to showcase some interesting activity we discovered together! Excited to keep our collaboration going to give back what we can to the security community!

@Cthulhu_Sec @elasticseclabs Your team and the customer squashing it from the get go was great! Love talking about good folks doin' the good work!

This was a cool project for a few reasons. First, some of us have been working with Texas A&M since Endgame and it’s a partnership with a ton of history! Also it is a blast for us to work with other experts to achieve successes!

Thanks for being generous with your time and expertise on this @SreekarMad! Good stuff! @ValidinLLC

#ElasticSecurityLabs joins forces with @tamusystem and discloses TOLLBOOTH, an IIS module used for SEO abuse that relies on publicly exposed ASP. NET machine keys:

@M_haggis @elasticseclabs Thank y'all for reading it, Michael!

@elasticseclabs Love some IIS modules on a Tuesday. Thank you all for sharing

In September, #ElasticSecurityLabs published 78 new rules! Take a look at the overview and learn how we manage these rulesets.

Heading to my 3rd #OBTS 🌴☀️🌊today! Best conference out there. Honored to be speaking again this year alongside so many other incredible #Apple 🍎 security researchers. It’s gonna be a blast, can’t wait to see everyone! Pumped to get to share my research into using and abusing

@elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.

i'm gonna keep on dancing at the WARMCOOKIE string_bank

Predictive indicator for WARMCOOKIE 🍪🍪🍪 infrastructure. @ValidinLLC @500mk500

#ElasticSecurityLabs has kept tabs on #WARMCOOKIE, a backdoor we disclosed in June 2024 that used employment-related phishing lures to infect victims. Learn how this threat’s evolving: