Andreas Klopsch
2025-05-27

🔍 New Threat Actor Alert: Void Blizzard

Microsoft Threat Intelligence has identified Void Blizzard—a newly observed Russia-affiliated threat actor engaged in cyberespionage across critical sectors including government, defense, healthcare, transportation, media, and NGOs, especially in Europe and North America.

🛡️ Stay vigilant. Read the full analysis from Microsoft:

microsoft.com/en-us/security/b

#Cybersecurity #ThreatIntelligence #VoidBlizzard #Phishing #CyberEspionage #MicrosoftSecurity

2025-04-28

Presenting "Unveiling RIFT: Advanced Pattern Matching for Rust Libraries" at RECON Montreal 2025!
Sharing research on discovering Rust dependencies in compiled binaries.
See you there! 🚀
#RECON2025 #RustLang #ReverseEngineering

2025-04-19

A common way for malware to disguise its C2 communication and stay under the radar is to mimic widely accepted protocols such as TLS and blend into the existing traffic.

The deep dive below into PebbleDash’s FakeTLS C2 protocol shows how North Korean APTs fake TLS handshakes and use hardcoded RC4 encryption to blend in with legit HTTPS traffic. Sneaky stuff — and a must-read for threat hunters. 🔍💻

malwareandstuff.com/reversing-

#malware #infosec #reverseengineering #pebbledash #cybersecurity #windows
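A constructed illustration of the FakeTLS pattern described above (added here; it is not code from the linked article or from the PebbleDash sample): C2 messages are RC4-encrypted with a key baked into the implant and wrapped in genuine-looking TLS record headers behind a static, handshake-shaped blob. The key, the static ClientHello bytes, the per-record RC4 restart and the record layout are assumptions made for the example. The analyst-side functions show what a threat hunter gets for free once the key is pulled from the sample, and one wire-level signal that real TLS never produces.

```python
"""Constructed illustration of the FakeTLS pattern: RC4 with a hardcoded key,
wrapped in TLS record headers. Not PebbleDash's real format."""
import struct
from collections import Counter

# Assumption: a fixed key compiled into the implant (constructed value).
HARDCODED_KEY = b"constructed-example-key"

TLS_HANDSHAKE, TLS_APPDATA = 0x16, 0x17   # real TLS content types
TLS12 = 0x0303                            # TLS 1.2 record-layer version


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def tls_record(content_type: int, body: bytes) -> bytes:
    """Genuine 5-byte record header (type, version, length) in front of any body."""
    return struct.pack(">BHH", content_type, TLS12, len(body)) + body


def fake_client_hello() -> bytes:
    """A static, minimal ClientHello-shaped blob the implant replays every session
    (constructed: all-zero 'random', one cipher suite, no extensions)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return tls_record(TLS_HANDSHAKE, handshake)


def fake_tls_session(messages) -> bytes:
    """Implant side: fake handshake, then one application-data record per C2
    message. Assumption: the RC4 state restarts for every record."""
    return fake_client_hello() + b"".join(
        tls_record(TLS_APPDATA, rc4(HARDCODED_KEY, m)) for m in messages)


def split_records(stream: bytes):
    """Analyst side: walk the record layer exactly as a TLS parser would."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, version, length = struct.unpack(">BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        records.append((ctype, version, body))
        pos += 5 + length
    return records


def decrypt_appdata(stream: bytes, key: bytes):
    """Recover C2 plaintext from a capture once the key is known from the sample."""
    return [rc4(key, body) for ctype, _, body in split_records(stream)
            if ctype == TLS_APPDATA]


def repeated_ciphertext(sessions):
    """Hunting signal: a fixed key and no per-session nonce mean identical
    plaintext yields identical ciphertext across sessions; real TLS never does."""
    seen = Counter()
    for stream in sessions:
        for ctype, _, body in split_records(stream):
            if ctype == TLS_APPDATA:
                seen[body] += 1
    return {body for body, n in seen.items() if n > 1}
```

The same weakness shows up in the handshake: a real ClientHello carries 32 fresh random bytes per connection, so an implant that replays a byte-identical "handshake" record to the same server is already distinguishable in a capture before any decryption.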

Andreas Klopsch boosted:
2025-04-15

Recon CFP ends in less than 2 weeks on April 28. Prices for the training and conference increase on May 1st. Register now to save with early bird price. We have already announced a few talks and workshops, and more videos from last year have been released. recon.cx #reverseengineering #cybersecurity #offensivesecurity #hardwarehacking @hackingump1 @mr_phrazer @nicolodev @SinSinology @hunterbr72 @clearbluejar @phLaul @oryair1999 @hookgab @TheQueenofELF @So11Deo6loria @i0n1c @pedrib1337 @MalachiJonesPhD @Pat_Ventuzelo @KB_Intel @pinkflawd @Reverse_Tactics @OnlyTheDuck @t0nvi @drch40s @BrunoPujos @mhoste1 @andreyknvl @texplained_RE @jsmnsr @pulsoid @SpecterDev @richinseattle @yarden_shafir @aionescu @hackerschoice @SinSinology @sergeybratus @SpecterOps @oryair1999 @phLaul @trailofbits @HexRaysSA @nostarch

2025-04-01

🔍 Exploring Domain Generation Algorithms (DGAs) in Malware 🔍

Domain Generation Algorithms (DGAs) enable malware to change its domain dynamically. Below is an article I wrote years ago, which explains the difference between seed-based and dictionary-based algorithms.

malwareandstuff.com/dgas-gener

#malware #infosec #cybersecurity #dga #dns
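A constructed side-by-side of the two DGA families the post refers to (added here; this is not code from the linked article or from any real malware family). The seed derivation, the PRNG constants, the wordlist and the vowel-ratio threshold are all assumptions for illustration. It also shows the defender's side of the same algorithm, pre-computing a window of domains for blocking, and why a cheap character-statistics heuristic catches the seed-based output but not the dictionary-based one.

```python
"""Constructed illustration of seed-based vs. dictionary-based DGAs. The seed
derivation, the LCG, the wordlist and the heuristic threshold are assumptions."""
from datetime import date, timedelta

# Constructed wordlist; a real dictionary DGA carries hundreds of words.
WORDLIST = ["silver", "river", "cloud", "stone", "market", "garden",
            "window", "paper", "light", "forest", "summer", "bridge"]
VOWELS = set("aeiou")


def seed_from_date(day: date) -> int:
    """Malware and defenders derive the seed from something public; here the
    date only (assumption), so defenders can regenerate the same list."""
    return day.year * 10000 + day.month * 100 + day.day


def lcg(seed: int):
    """Tiny deterministic PRNG (constructed constants), as malware often embeds."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        yield state


def seed_based_dga(day: date, count=5, length=12, tld="com"):
    """Seed-based: labels are raw PRNG output mapped onto letters."""
    rng = lcg(seed_from_date(day))
    return [
        "".join(chr(ord("a") + next(rng) % 26) for _ in range(length)) + "." + tld
        for _ in range(count)
    ]


def dictionary_dga(day: date, count=5, tld="net"):
    """Dictionary-based: the same PRNG only picks indexes into a wordlist,
    so every label is built from real words and reads as human-chosen."""
    rng = lcg(seed_from_date(day))
    return [
        WORDLIST[next(rng) % len(WORDLIST)] + WORDLIST[next(rng) % len(WORDLIST)]
        + "." + tld
        for _ in range(count)
    ]


def vowel_ratio(domain: str) -> float:
    label = domain.split(".")[0]
    return sum(ch in VOWELS for ch in label) / len(label)


def looks_generated(domain: str, threshold=0.25) -> bool:
    """Cheap heuristic: uniformly random letters are ~19% vowels, English text
    roughly twice that. Flags seed-based labels, misses dictionary-based ones."""
    return vowel_ratio(domain) < threshold


def blocklist(start: date, days: int, generator=seed_based_dga):
    """Defender side: pre-compute the domains for a window of days from the
    recovered algorithm, for sinkholing or blocking."""
    out = []
    for offset in range(days):
        out.extend(generator(start + timedelta(days=offset)))
    return out
```

Running both generators for the same date and passing the results through `looks_generated` makes the point of the post concrete: the dictionary variant is invisible to character statistics, and the only reliable defence against it is recovering the algorithm, the seed source and the wordlist from the sample and regenerating the list yourself.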

2025-02-22

Symbolic Execution is a powerful technique that explores all possible execution paths without actual inputs. An interesting display of this technique is below:

doar-e.github.io/blog/2014/10/

#malware #reverseengineering #cybersecurity #infosec #symbolicexecution

2025-02-20

Russia-Linked “BadPilot” Cyber Campaign Exposed 🚨

Microsoft has uncovered a multiyear global access operation executed by a subgroup of Seashell Blizzard, a Russian nation-state actor.

The operators conducted diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations.

Read the full blog article here: microsoft.com/en-us/security/b

#threatintel #cybersecurity #infosec #microsoft #mstic

2025-01-30

🚀 MSTIC Uncovers STAR Blizzard Spear-Phishing Campaign Targeting WhatsApp Users

Microsoft has identified STAR Blizzard, a phishing campaign targeting WhatsApp accounts through social engineering.

microsoft.com/en-us/security/b

#threatintel #infosec #starblizzard #mstic

2025-01-26

🚨 Then vs. Now: The Evolution of DDoS Attacks 🚨

In 2016, Mirai's botnet caused chaos with a 1.2 Tbps DDoS attack (theguardian.com/technology/201).

Fast forward to 2025, and we’re now witnessing 5.6 Tbps attacks—nearly 5x the scale!
thehackernews.com/2025/01/mira

Mirai botnet was first discovered in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks.

#malware #cybersecurity #infosec #reverseengineering #iot

2025-01-20

Ever heard about "nanomites"? 🐞🖥️

This advanced software protection technique uses the parent-child process relationship and the ptrace system call to fend off unauthorized debugging and reverse engineering.

By allowing a parent process to control its child, the technique can hinder reverse engineers from debugging a binary.

malwareandstuff.com/nanomites-

#malware #cybersecurity #infosec #reverseengineering #nanomites

2025-01-03

The Process Environment Block (PEB) – A Hacker’s Playground?

More about PEB and how Lazarus/Diamond Sleet abused it in the past here:

malwareandstuff.com/peb-where-

#cybersecurity #malware #infosec #reverseengineering #peb #windows

2025-01-01

UPnP.. convenience at a cost?

Universal Plug and Play (UPnP) was designed to make our tech lives easier by allowing devices to seamlessly communicate on a network. But did you know this protocol has been a major security risk for years?

From exposing devices to external threats to enabling cyberattacks, UPnP has a long history of being exploited.

A well-known malware family that exploited UPnP to deploy proxy C2 servers is QakBot. I have written about UPnP in the past.

malwareandstuff.com/upnp-messi

#malware #itsecurity #networksecurity #cybersecurity #iotsecurity

2024-12-14
2024-12-09

Aqua Blizzard, a group likely acting on orders of Russia's Federal Security Service (FSB), abuses Cloudflare services to spy on Ukrainian targets.

therecord.media/russian-state-

#malware #apt #threatintel #aquablizzard #gamaredon

2024-12-05

The Russian nation-state actor Secret Blizzard infiltrates other threat actors to use their infrastructure and tools for its own purposes.

In part 1 of this blog series, Microsoft Threat Intelligence discusses how Secret Blizzard has used the infrastructure of the Pakistan-based threat activity cluster we call Storm-0156.

microsoft.com/en-us/security/b

#malware #secretblizzard #infosec #cybersecurity #threatintelligence #microsoft

2024-11-25

Amazing article by Volexity researchers on how APT28 hackers used a "Nearest Neighbor Attack" to breach a U.S. firm's Wi-Fi via compromised devices in nearby buildings.

volexity.com/blog/2024/11/22/t

#malware #threatintel #infosec #apt28 #reverseengineering #cybersecurity

2024-11-15

There is a job opening for a Security Researcher to join the TI malware analysis and research team at MSTIC. An incredible opportunity to do impactful work!

jobs.careers.microsoft.com/glo

More opportunities here:

jobs.careers.microsoft.com/glo

2024-11-11

In 2021, I wrote about section hashing, a popular anti-debugging technique to detect software breakpoints.
malwareandstuff.com/catching-d

#malware #reverseengineering #cybersecurity #infosec #antidebug

2024-11-03

Interesting article by Unit42 of Palo Alto Networks on an actor's toolkit and its EDR evasion testing

unit42.paloaltonetworks.com/ed

#malware #reverseengineering #infosec #threatintel #cybersecurity
