There's a new ClickFix variation called FileFix
This one works by tricking users into copying a file path in Windows Explorer.
Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path
mrd0x.com/filefix-clic...
NEW @citizenlab.ca report confirms the targeting of two more journalist with #Paragon spyware in the context of ๐ฎ๐น
Details here: citizenlab.ca/2025/06/firs...
@billmarczak.org @jsrailton.bsky.social
The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. www.welivesecurity.com/en/eset-rese... 1/6
First page of the paper
Wrote a paper, with Daniel Nakov, on comparing the #quality & the speed of #malware analysis assisted by #r2ai, or without.
Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.
arxiv.org/pdf/2504.07574
cc: @radareorg.bsky.social #arxiv #radare2
Malicious VSCode extensions infect Windows with cryptominers #cybersecurity #hacking #news #infosec #security #technology #privacy www.bleepingcomputer...
#ESETresearch has discovered a zero day exploit abusing #CVE-2025-24983 vulnerability in Windows Kernel to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through #PipeMagic backdoor on the compromised machines. 1/4
There's a new Hindsight release!
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
๐ Blog: dfir.blog/hindsight-pa...
๐ ๏ธ Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
Chrome 134 is out and there's a new system that automatically blocks unpacked Chrome extensions from running if Developer Mode is not enabled first.
No more platform-hopping! ๐ต๏ธโโ๏ธ Hunt across all abuse.ch platforms with just 1๏ธโฃ simple query. ๐ Search for any IPv4, domain, URL, or file hash, and instantly see if itโs been identified on any abuse.ch platform!
Start your hunt now ๐ hunting.abuse.ch
Comparing Decai decompilation using @anthropic.com 's Claude 3.5 vs 3.7 with a simple strcoll wrapper function #r2ai #radare2
You receive a laptop (powered off) in a high-stakes case. You are told the owner is extremely technical but given no useful technical details. The laptop is modern, with chassis intrusion features, and you must assume Secure Boot & BitLocker are in use. How do you proceed? #DFIR
If you live in the West, it's not often you read about CIA/NSA cyber operations against China. But here's one: "How the NSA Allegedly Hacked Chinaโs Northwestern Polytechnical," a leading Chinese university specializing in aerospace & defence. www.inversecos.com/2025/02/an-i...
Screenshot showing the execution of the proof-of-concept named PowerChell in comparison to a typical PowerShell prompt. In particular, it shows that PowerChell is able to bypass the Constrained Language Mode (CLM).
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. ๐ช
๐ blog.scrt.ch/2025/02/18/r...
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
YARA-X 0.13.0 is out: github.com/VirusTotal/y...
As always, Victor and the contributors are cranking out quality improvements!
In particular, check out the docs on how to use the formatter and linter and open issues (or tell me somehow) if you hit bugs or have things you want to see.
The threat landscape in H2 2024 was quite tumultuous when it comes to some of the most prominent infostealer threats. One of them, the notorious #RedLine Stealer, finally met its demise after being taken down by law enforcement in #OperationMagnus. #ESETresearch ๐งต 1/5
A "code family" is a basic concept in @vertexproject.bsky.social's approach to tool analysis. Check out the next installment in Mary Beth Lee's malware manifesto as she defines "code family", how it differs from "malware family", and how this aids your #CTI analysis!
vertex.link/blogs/catego...
#100daysofyara todays rule is detecting patched clr.dll in memory AmsiScanBuffer bypass. My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.
Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
Here's a video overview of Venture, the cross-platform Windows Event Viewer. Version 0.2.0 now has the ability to join multiple .evtx files into a single view!
www.youtube.com/watc...
Grab Venture here: github.com/mttaggart...
Check out this new blog post from @andyrobbins.bsky.social discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ghst.ly/3Cd5cwH
live #dprk fake interview site up and running if you're looking to experiment ... digitptalent[.]com ... both windows and mac malware
Even on Friday evenings? ๐
I know the feeling! ๐คฃ
*non-cyber people ๐
Just put out this research on MiTM PaaS kits labeled Rockstar and Flowerstorm over the past few months. While my name is on this I partnered with two researchers, Josh Rawles and Jordon Olness who did a bulk of the work alongside @thepacketrat.net, and Colin Cowie who are all individually brilliant!
Did you know that you can conduct an easy local dictionary attack on Linux without lockout times? Wrote a small tool for that, feel free to check it out:
github.com/yo-yo-yo-jbo...
Dropping some new research on TA397/Bitter ๐จ
Hidden in Plain Sight | TA397โs New Attack Chain Delivers Espionage RATs
Report:
www.proofpoint.com/us/blog/thre...
๐ง Itโs finally here! ๐
The Linux EDR Telemetry Project results are live! After months of testing and collaboration, weโre excited to share how well EDR solutions handle Linux visibility.
Read the full blog here: ๐๐
kostas-ts.medium.com...
1/2
