Hi everyone. @threatresearch taking over the X-Ops feed today with a cool story.
Beginning in November 2024, we began to see an uptick in the number of spam emails that had an unusual attachment – an .svg file. This is a graphics format, and one might think that a picture can’t be unsafe, but in this case, one would be wrong.
https://news.sophos.com/en-us/2025/02/05/svg-phishing/
1/9
🎉 And we’re on Mastodon!
If you’re new to The Spamhaus Project, check out our bio above 🔝
Ultimately, we’re here to build a community. A community of like-minded individuals, who want to make the internet a safer place. On Mastodon, we’ll be sharing latest threat intelligence from our researchers and threat hunters, and we’d like to invite you to do the same….
Earlier this month, we launched our Threat Intel Community, giving anyone the ability to submit malicious domains, IPs, email source codes, or URLs to Spamhaus through our user-friendly portal.
If you’re curious to know more, read this blog:
https://www.spamhaus.org/news/article/821/want-to-submit-data-be-our-guest
Or visit the Threat Intel Community here:
https://submit.spamhaus.org
#ThreatHunter #ThreatIntelligence #SecurityResearch #Phishing #Malware #Botnets #CyberThreats
So far I have published 13 articles (862 pages) to help other professionals in the cybersecurity community:
ERS 03: https://exploitreversing.com/2025/01/22/exploiting-reversing-er-series-article-03/
ERS 02: https://exploitreversing.com/2024/01/03/exploiting-reversing-er-series-article-02/
ERS 01: https://exploitreversing.com/2023/04/11/exploiting-reversing-er-series/
MAS 10: https://exploitreversing.com/2025/01/15/malware-analysis-series-mas-article-10/
MAS 09: https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/
MAS 09: https://exploitreversing.com/2024/08/07/malware-analysis-series-mas-article-08/
MAS 07: https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
MAS 06: https://exploitreversing.com/2022/11/24/malware-analysis-series-mas-article-6/
MAS 05: https://exploitreversing.com/2022/09/14/malware-analysis-series-mas-article-5/
MAS 04: https://exploitreversing.com/2022/05/12/malware-analysis-series-mas-article-4/
MAS 03: https://exploitreversing.com/2022/05/05/malware-analysis-series-mas-article-3/
MAS 02: https://exploitreversing.com/2022/02/03/malware-analysis-series-mas-article-2/
MAS 01: https://exploitreversing.com/2021/12/03/malware-analysis-series-mas-article-1/
Even though I have very limited time to write, I hope to be able to share new articles soon.
Have a great day.
#reverseengineering #vulnerability #research #windows #chrome #informationsecurity #infosec #kernel #drivers #malware #windows #macOS #linux
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #03/2025 is out!
It includes the following and much more:
➝ Data of 15K of #FortiGate Devices Dumped
➝ Biden's New Cyber Executive Order
➝ PlugX #Malware Deleted from over 4,200 Infected Systems
➝ Governments Call For #Spyware Regulations
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-032025?r=299go8
This makes me extremely happy.
https://therecord.media/judge-rules-nso-group-liable-for-hack-of-1400-whatsapp-users
For the first time a malware written in GDScript has been spotted in the wild. The attack vector are spam-repos on Github with infected cracked game executables targeting Windows devices. The code uses a bunch of OS.execute statements to run malicious shell code. More interesting are the employed anti-emulation techniques. One of them uses Godot’s rendering capability detection to check for 3D Video Acceleration.
#GodotEngine #OpenSource #GameDev #Malware #InfoSec #Security #Godot4
Low-polygon style hacker design, made in 2016 for a printed sticker series.
#hacker #malware #LowPoly #CharacterDesign #design #artwork #sculpture #3DModeling #illustration #illustrator #digital #DigitalArt #art #arts #arte #artist #artists #GraphicDesign #3D #blender #Blender3D #B3D #CreativeToots #FediArt #MastoArt #ArtistsOnMastodon #laptop
As a way of #introduction:
Hello, I'm Lenny Zeltser. In the past two decades, took on several types of cybersecurity roles.
I'm presently a CISO at Axonius. Earlier I worked as a Product Manager building #security products and services. I also spent some time in consulting, which provided me with experience in penetration testing and incident response.
I'm also a Faculty Fellow at SANS Institute, where I create and deliver training on #malware analysis and #cybersecurity writing.
I'm good at giving shape to an idea and turning the initial thought into something that thrives in the real world. This has been a common thread throughout my professional activities.
I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps companies achieve their goals.
I have a blog with lots of content I've written over the years: https://zeltser.com/blog.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2024 is out!
It includes the following and much more:
➝ Amazon Confirms Employee Data Stolen
➝ Security Flaws in Popular #MachineLearning Toolkits
➝ US DoJ Sentencing Various Cybercriminals
➝ Government Abuse Using Pegasus #Spyware
➝ Android #Malware via Letter in #Switzerland
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-462024?r=299go8
I wrote a report on a recent #Python #malware package uploaded to #PyPI over here: https://blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis/
From the ar(t)chive…
"The anti-virus lab," an illustration to accompany an article about virus research in the Dutch PC-Active magazine, in the first half of the 2000s.
#CharacterDesign #virus #malware #InfoSec #security #safety #character #design #artwork #sculpture #3DModeling #illustration #illustrator #digital #DigitalArt #art #arts #arte #artist #artists #GraphicDesign #3D #blender #Blender3D #B3D #CreativeToots #FediArt #MastoArt #ArtistsOnMastodon
Reposting from Twitter this as it gives context for the sorts of things I work on:
I wrote a blog summarizing the results of our PIPEDREAM (7th #ICS #malware) analysis so far. It’s basically a condensed version of my #DEFCON30 talk in August. Links to that talk and our original release/whitepaper are included. Enjoy!
https://www.dragos.com/blog/analyzing-pipedream-results-from-runtime-testing/
#introduction: I used to write a lot of C++, some for embedded systems. Now I look at fun and interesting malware all day! (ie cry in front of IDA)
I’ve recently become interested in #macos security and its malware ecosystem, so definitely would like to chat about that if that’s what you’re into 
I’ve learned a lot from lurking infosec twitter, and hope to learn more here.
Moar hashtags: #infosec #malware #introductions
Starting a small thread of malware analysis tools for those times when you NEED INDICATORS YESTERDAY, ie tools I have used that are easy to use and give good leads for further analysis with minimal effort.
First: GarbageMan for .NET binaries, from WithSecure Labs: https://labs.withsecure.com/tools/garbageman
This tool displays the values of objects and relationships between objects inside the .NET runtime’s managed heap memory. It can either work off a memory dump file, or snapshot a running process at regular intervals. It also capture stack traces, and a list of loaded assemblies.
I have done all of the following with it:
Look at all System.Byte[] objects and grab those with values that have the PE headers at the beginning. There’s actually a built in menu option for this (along with tons of other useful searches, such as just grabbing everything that looks remotely like an URL)
Look for “interesting” object types like HttpWebRequest or anything under System.Security.Cryptography, and look at the parents or children of those objects to either find plain text indicators, or to get an idea of how indicators are obfuscated / encrypted
Snapshot a process every 20ms, and look at the list of loaded assemblies in each snapshot to see if / when the binary starts delivering another payload assembly.
Use as a very rough tracing tool by snapshotting at regular intervals, and seeing how the stack trace changes for each snapshot.
Also it persists all of the values of parsed objects to a plain SQLite database 
So you can just do arbitrary SQL queries on the results as well. I haven’t even begun exploring this yet.
While I may publish a more complete blog post about this later
I also sent this on twitter to make #Github aware of it quicker
However I felt that I should also publish it here.
I recently came upon this post on reddit: https://www.reddit.com/r/cybersecurity_help/comments/196qhup/how_do_i_remove_this_malware/
Which awakened my curiosity about this user who has quite a few repo's with multiple stars: github[.]com/AppsForDesktop
looking at their profile I noticed various repo's claiming to be desktop app for various popular websites and apps.
When I investigated these repo's in my sandboxes I discovered they installed the file: cnertucbrcaj[.]exe and performed various persistence techniques,
Adding several exclusions to defender
and uninstalling various windows security components such as MRT.
After which it of course connected to various Monero mining pools.
#malware #cybersecurity #cryptominers #cybersec #securityresearch
From the ar(t)chive…
Isometric 3D cover illustration about anti-spyware software, for a 2005 special issue of the Dutch Webwereld computer magazine.
#spyware #malware #virus #antivirus #security #safety #crime #InfoSec #design #artwork #sculpture #3DModeling #illustration #illustrator #art #arts #arte #artist #artists #DigitalArt #ArtMatters #GraphicDesign #3D #B3D #CreativeToots #FediArt #MastoArt #ArtistsOnMastodon
I love it when cybersecurity shills block me because I'm willing to call bullshit to their face.
Let's be clear: If you are arguing in favor of CrowdStrike today, you are a fucking failboat as a professional and the sooner you are excommunicated from the industry the better.
From the ar(t)chive…
3D illustration for an early-2000s article in the Dutch PC-Active magazine. The article was titled "A virus like a pocket knife."
#virus #malware #security #safety #InfoSec #tech #technology #design #artwork #sculpture #3DModeling #illustration #illustrator #art #arte #artist #DigitalArt #ArtMatters #GraphicDesign #3D #B3D #CreativeToots #FediArt #MastoArt #ArtistsOnMastodon
A new threat actor known as #LilacSquid is using several different pieces of #malware to silently infiltrate networks and steal sensitive data. Read more about this group and the TTPs they share with some North Korean state-sponsored actors https://blog.talosintelligence.com/lilacsquid/
WTF? Is #Tenacity on the #Flatpak store #MALWARE? Apparently it was running in the bg AS IF it was an invincible #Gnome extension so SystemMonitor/htop would NOT see it as a process. But #MissionCenter (also from flatpak store) saw it as it is: an app running on startup! Killing it killed Gnome session! It was also spiking wifi, and was leaking the Gnome gjs service from 4MB RAM to 120MB. Uninstalling fixed the prob
Third party flatpak/snaps should be vetted.
xz-Backdoor – eine Aufarbeitung
Von Kollegen aus dem Maschinenraum der @hisolutions 👌❤️
#Backdoor #SupplyChain #Malware #0day
https://research.hisolutions.com/2024/04/xz-backdoor-eine-aufarbeitung/
PyPI now has an improved way to report #malware, via #PyPI itself! Available on web and preview beta API. Learn more and sign up to help test:
https://blog.pypi.org/posts/2024-03-06-malware-reporting-evolved/
Should I be concerned that Trend is flagging the official Mastodon app on Android as suspect? Or is it just Trend being a goofball again? #mastodon #android #malware #trendmicro #security
Fuck me🫠
#ArsTechnica used in #malware campaign with never-before-seen obfuscation, 20240130,
by Dan G,
https://arstechnica.com/security/2024/01/ars-technica-used-in-malware-campaign-with-never-before-seen-obfuscation/
『A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload [...] Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage
...
Mandiant researchers said there were no consequences for people who may have viewed the image, either as displayed on the Ars page or on the website that hosted it. It’s also not clear that any Ars users visited the about page.』
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #02/2024 is out! It includes the following and much more:
➝ 🔓 🎽 Halara probes breach after hacker leaks data for 950,000 people
➝ 🔓 💥 #Mandiant's X Account Was Hacked Using Brute-Force Attack
➝ 🔓 🇵🇾 #Paraguay warns of Black Hunt #ransomware attacks after Tigo Business #breach
➝ 🇺🇸 💸 US SEC’s X account hacked to announce fake #Bitcoin ETF approval
➝ 🔓 🇨🇦 Toronto Zoo: Ransomware attack had no impact on animal #wellbeing
➝ 🔓 Mortgage firm loanDepot #cyberattack impacts IT systems, payment portal
➝ 🇫🇮 💸 #Finland warns of Akira ransomware wiping NAS and tape #backup devices
➝ 🇩🇰 🇷🇺 #Sandworm probably wasn’t behind Danish critical infrastructure cyberattack, report says
➝ 🇺🇦 🇷🇺 Pro-Ukraine hackers breach Russian ISP in revenge for #KyivStar attack
➝ 🇫🇷 🇺🇸 French Computer Hacker Jailed in US
➝ 🇳🇬 ⚖️ Nigerian gets 10 years for laundering millions stolen from elderly
➝ 🇹🇷 Turkish Hackers Exploiting Poorly Secured #MSSQL Servers Across the Globe
➝ 🇹🇷 🇳🇱 Turkish #Cyberspies Targeting Netherlands
➝ ☁️ 🇪🇺 #Microsoft Lets Cloud Users Keep Personal Data Within #Europe to Ease #Privacy Fears
➝ 🇺🇸 🇨🇳 #AI is helping US spies catch stealthy Chinese hacking ops, #NSA official says
➝ 🇱🇧 ✈️ Beirut Airport Screens Hacked with Anti-Hezbollah Message
➝ 🇸🇦 Saudi Ministry exposed sensitive data for 15 months
➝ 🇬🇷 #Greece to Establish New Authority to Counter Cyber-Attacks
➝ 🩹 #Siemens, #SchneiderElectric Release First #ICS Patch Tuesday Advisories of 2024
➝ 🐍 ☁️ New #Python-based FBot Hacking Toolkit Aims at #Cloud and #SaaS Platforms
➝ 🦠 📺 #YouTube Videos Promoting Cracked Software Distribute Lumma Stealer
➝ 🦠 🐧 #Linux devices are under attack by a never-before-seen worm
➝ 🦠 🇳🇱 Dutch Engineer Used Water Pump to Get Billion-Dollar #Stuxnet #Malware Into Iranian Nuclear Facility
➝ 🐡 🔐 DSA removal from #OpenSSH
➝ 🩹 #PatchTuesday
➝ 🐛 🔓 Actively exploited 0-days in #Ivanti VPN are letting hackers #backdoor networks
➝ 🔓 🔧 Hackers can infect network-connected wrenches to install ransomware
➝ 🇨🇳 🔓 #AirDrop cracked by #China, revealing phone number and email address of sender
➝ 🩹 #QNAP Patches High-Severity Flaws in QTS, Video Station, QuMagie, Netatalk Products
➝ 🐛 🔓 KyberSlash attacks put #quantum #encryption projects at risk
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-022024
