Interesting hands-on-keyboard case today @HuntressLabs . -> Suspected VPN initial access.-> TA used this to RDP to DC & RDS.-> TA created a hidden accounts for persistence.-> TA attempted to clear logs for defence evasion.-> Huntress evicted TA 😎.

RT @gleeda: We’ve started seeing Crux ransomware, which seems to be related to / affiliated with BlackByte ransomware (maybe?). Since we ha….

RT @EncapsulateJ: If your organisation uses a third-party managed IT provider, and said IT provider says you have a shiny VPN with logging….

RT @HuntressLabs: Congratulations to @RussianPanda9xx & @polygonben for having talks accepted at #defcon33! . Follow these folks and if you….

RT @virusbtn: Researchers from The DFIR Report, in partnership with Proofpoint, have identified a PHP variant of Interlock RAT (aka NodeSna….

RT @BSidesChelt: It's the week of BSides Cheltenham, and we're looking for some final prize donations for our Charity Raffle. We're suppo….

RT @sudo_Rem: I've started the rather tedious project of labeling every Cloudflared account ID that is observed on multiple, unrelated orga….

RT @0xBurgers: Always learned about these but never seen ITW myself until yesterday. WebDAV abuse in phishing kits isn’t dead. file:// UNC….

'обытия_очистить.cmd' (translates to Event_clear.cmd) is a script that clears every event log on the host.

'Genry.bat' is used to enumerate the Administrator's group before creating a new hidden account 'Administratar' with the password 'SL?yl2025' for persistence. Registry entry for 'Administratar' in 'HKLM\Software\Microsoft\Windows

After landing on the DC, the threat actor dropped two scripts:. C:\Users\<username>\Desktop\Genry.bat.C:\Users\<useranme>\Pictures\События_очистить.cmd.

RT @ajpc500: Turns out the same ClickFix mitigation of ‘disabling’ the Win+R shortcut (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Polic….

RT @MalwareVillage: The Call for Sponsors for #MalwareVillage at @DEFCON 33 is open until July 7, 2025!. 📄 Sponsor Package: .

RT @BSidesChelt: Announcing our Opening Keynote 🎉. @NCSC CTO @ollieatnowhere will give us an overview of what a nation scale set of challen….

RT @Antonlovesdnb: Coming up on my 1 year anniversary with @HuntressLabs ! . Taking this opportunity to go over some things myself and the….

RT @Level_Effect: Workshops, or dare we say "micro courses"? We’re talking full malware labs, not just slides and talking for 20 minutes. T….

The above TAs BTC address has recieved currently $106,198. $7k to the Litecoin address . Couldn’t track the USDT, will try later!.

1 year - Phantom Stealer basic - $750. 3 months $189. 1 month - $70

1 year - Phantom Stealer advanced - $1080. 3 month = $270. 1 month = $100