Enjoiying talk about #DynamoRIO at #bSidesLjubljana, a dynamic instrumenation tool that can be used for #MalwareAnalysis and is very good at passing anti-analysis checks.
This is because it does not virtualize, but works like a just-in-time compiler.
Good thing I took dynamic compilers class at #TUvienna.

🌟 Welcome to Another #BSidesLuxembourg2026 Highlight!

Training announcement:

Full-Day Malware Training on May 6th our workshop/training day: 𝗠𝗔𝗟𝗪𝗔𝗥𝗘 𝗗𝗘𝗩𝗘𝗟𝗢𝗣𝗠𝗘𝗡𝗧 𝗙𝗢𝗥 𝗘𝗧𝗛𝗜𝗖𝗔𝗟 𝗛𝗔𝗖𝗞𝗘𝗥𝗦 (𝗪𝗜𝗡𝗗𝗢𝗪𝗦, 𝗟𝗜𝗡𝗨𝗫, 𝗔𝗡𝗗𝗥𝗢𝗜𝗗) with Zhassulan Zhussupov aka cocomelonc @cocomelonckz

Price: Included in your BSides 3-days ticket.

Whether you’re on the Red Team or Blue Team, this 8-hour, hands-on training reveals how real-world malware is built and evades defenses across Windows, Linux, and Android. Master injection techniques, persistence, privilege escalation (LSASS dump, UAC bypass), AV/EDR evasion (Anti‑VM, crypto tricks), Linux kernel injection, and Android malware abusing legit APIs – all via labs and homework exercises.

Led by cocomelonc: Author of Malware Development for Ethical Hackers (Packt), MALWILD, MD MZ, and AIYA Mobile Malware. Malpedia contributor, HVCK writer, cybersecurity lab co-founder, and speaker at Black Hat, DEFCON, Hack.lu, Security BSides, and more.

Requires Python, Kotlin, C/C++; assembly optional.

📅Conference: 6–8 May 2026 | 09:00–17:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/

Seats limited – turn malware reports into real skills! 🔥

#BSides #Community #ReverseEngineering #DFIR #MalwareAnalysis

Last day before prices go up for Deconstructing Rust Binaries at @ringzer0, March 23-26! If you've been thinking about this fully remote, 16-hour Rust reverse engineering training: now is the time to book!

https://ringzer0.training/countermeasure-spring-2026-deconstructing-rust-binaries/

#infosec #ReverseEngineering #rustlang #MalwareAnalysis #malware #reversing

A comprehensive article from #CheckPoint Research

"Beating XLoader at Speed: Generative AI as a Force Multiplier for Reverse Engineering"

https://research.checkpoint.com/2025/generative-ai-for-reverse-engineering/

From the article:
"The use of AI doesn’t eliminate the need for human expertise. XLoader’s most sophisticated protections, such as scattered key derivation logic and multi-layer function encryption, still require manual analysis and targeted adjustments. But the heavy lifting of triage, #deobfuscation, and scripting can now be accelerated dramatically. What once took days can now be compressed into hours."

#ai #aislop #hype #reverse #reverseengineering #reversing #malware #malwareanalysis #mcp

#ReverseEngineering mit #KI? @martin_fmi erklärt, wie #LLMs Malware-Muster erkennen, externe Systemaufrufe rekonstruieren & versteckte Architekturen sichtbar machen. Selbst bei obfuskiertem Code.

Lesen & auf den Ernstfall vorbereiten: https://javapro.io/de/ki-gesteuertes-reverse-engineering-von-java-anwendungen/

#MalwareAnalysis

APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.

Are critical infrastructure operators prepared for USB-mediated C2 relays?

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

Engage below.

Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.

#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture

Just a few weeks left until our training, Deconstructing Rust Binaries, at Ringzer0 COUNTERMEASURE Spring 2026!

For any reverse engineer who wants to learn practical Rust reversing tips and real Rust malware analysis techniques: this is the course you've been looking for.

4 hours each day across 4 days of fully remote training, March 23-26. Prices go up March 8, so reserve your spot now!

https://ringzer0.training/countermeasure-spring-2026-deconstructing-rust-binaries/

#MalwareAnalysis #Rust #RustLang #ReverseEngineering #Reversing #Infosec

RE: https://infosec.exchange/@washi/116109971111061839

MY MORTAL ENEMY IS THAT ONE zgRAT YARA RULE IT SHOWS UP FREAKING EVERYWHERE AND IS SO WRONG ASDHFJDSHFHASFHSDJAH

thank you for this Washi! I learned some things about .NET from this post as well!

popping on the #ReverseEngineering #MalwareAnalysis tags too

A Nigerian national sentenced to 8 years for compromising CPA firms using Warzone RAT.
Attack methodology:
• Targeted spear-phishing (CEO impersonation)
• Domain/email spoofing
• Malicious executable disguised via crypter
• Dropbox-hosted payload delivery
• RAT deployment for lateral movement + data exfil
• Harvesting SSNs + historical tax data
• Filing 1,000+ fraudulent returns
The indictment describes AV evasion and silent RAT installation once the executable was triggered.

Detection questions:
Would EDR behavioral analysis have flagged unusual outbound traffic?
Were macro restrictions or executable policies enforced?
Was there email authentication enforcement (DMARC, SPF, DKIM)?
Was MFA enforced across admin endpoints?

Source: https://www.bleepingcomputer.com/news/security/nigerian-man-gets-eight-years-in-prison-for-hacking-tax-firms/

Financial services remain high-value PII targets.
Drop your technical perspective below.

Follow @technadu for advanced threat intelligence reporting.

#Infosec #ThreatModeling #RAT #EDR #BlueTeam #RedTeam #MalwareAnalysis #PhishingDefense #CyberForensics #DigitalEvidence #DataExfiltration #SOC

DNS-based staging via ClickFix represents tactical evolution.

Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)

Campaign telemetry also discussed by Bitdefender and Kaspersky.

DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signaling

Detection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspection

Is your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.

#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis

REMnux 8 è la nuova versione della distribuzione Linux dedicata all’analisi di malware, con strumenti aggiornati, container ottimizzati e un ambiente più stabile per ricercatori e analisti. #REMnux #MalwareAnalysis #Forensics #CyberSecurity #Linux

https://www.linuxeasy.org/remnux-8-la-nuova-versione-della-distro-per-lanalisi-di-malware-e-la-sicurezza-digitale/?utm_source=mastodon&utm_medium=jetpack_social

REMnux 8 Linux Toolkit for Malware Analysis Is Out to Celebrate 15th Anniversary

https://fed.brid.gy/r/https://9to5linux.com/remnux-8-linux-toolkit-for-malware-analysis-is-out-to-celebrate-15th-anniversary

The CANFAIL campaign demonstrates structured, LLM-assisted phishing operations attributed to a suspected Russian-linked actor.

Per Google Threat Intelligence Group:
• Sectoral targeting: defense, military, energy, aerospace
• Regionally tailored email list generation
• Google Drive-hosted RAR payload delivery
• Double-extension obfuscation (*.pdf.js)
• JavaScript loader → PowerShell execution
• Memory-only dropper
• Fake error decoy
• Links to PhantomCaptcha activity (via SentinelOne)

LLMs were used for reconnaissance, lure generation, and post-compromise operational guidance.

This signals operational AI integration into state-aligned cyber campaigns.

Are detection models prepared for LLM-generated phishing artifacts?

Engage below.
Follow TechNadu for deep technical analysis.

#ThreatIntel #CANFAIL #APTActivity #PhishingDetection #LLMThreats #PowerShellAbuse #UkraineCyber #C2Infrastructure #SOC #BlueTeam #CyberOperations #MalwareAnalysis #Infosec

ClickFix campaigns are now leveraging LLM-generated public artifacts for malware distribution.

Per Moonlock Lab and AdGuard:
• Abuse of Claude artifact pages
• Google Ads search poisoning
• Obfuscated shell execution (base64 decode → zsh)
• Second-stage loader for MacSync infostealer
• Hardcoded API key + token-protected C2
• AppleScript (osascript) handling data theft
• Archive staging at /tmp/osalogging.zip
• Multi-attempt POST exfiltration

Previous campaigns exploited ChatGPT and Grok sharing features.
LLM trust is now an operational risk vector.
Should EDR flag suspicious AI-guided shell patterns?

Source: https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/

Engage below.
Follow @technadu for deep technical threat analysis.

#ThreatIntel #MacOSSecurity #Infostealer #C2Traffic #ClickFix #LLMSecurity #MalwareAnalysis #AppSec #BlueTeam #EDR #ThreatHunting #CyberThreats #ZeroTrust

The “Graphalgo” campaign represents a modular software supply-chain intrusion targeting developers directly.

Per ReversingLabs findings:
• 192 malicious npm/PyPI packages
• Delayed payload activation (post-version change)
• GitHub repos clean — malicious logic introduced via dependency chain
• RAT variants in JS, Python, VBS
• MetaMask wallet targeting
• Token-protected C2 channels
• GMT+9 commit indicators

Attribution aligns with historical tradecraft associated with Lazarus Group:
Crypto-focused targeting
Recruitment vector infection
Patience-based staged activation

This is a direct developer-layer attack bypassing enterprise perimeter defenses.

Source: https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

Are dependency registries the new primary attack surface?
Engage below.

Follow @technadu for advanced threat analysis.

#ThreatIntel #SupplyChainSecurity #MalwareAnalysis #RAT #OpenSourceSecurity #DevSecOps #LazarusGroup #PackageSecurity #AppSec #BlueTeam #CyberThreats #IoC #Infosec

REMnux v8 represents a structural modernization of a long-standing malware analysis distribution.

Technical highlights:
• Migration to Ubuntu 24.04 (modern kernel + LTS support)
• Cast-based installer replacing legacy CLI deployment
• AI-assisted workflows via MCP server
• Integration support for Ghidra with AI plugins

Tooling refresh includes:
YARA-X (Rust rewrite for performance improvements)
GoReSym (symbol recovery for Go binaries)
APKiD (Android packer detection)
Manalyze (PE/ELF/MachO static parsing)
This release signals an industry shift toward AI-augmented reverse engineering pipelines.
Is AI-assisted RE the new baseline for threat labs?

Source: https://cyberpress.org/remnux-v8-released/

Engage below.
Follow @technadu for deep technical cybersecurity updates.

#ThreatResearch #MalwareAnalysis #ReverseEngineering #YARAX #GoBinary #DFIR #Infosec #AIinSecurity #BlueTeam #StaticAnalysis #OpenSourceSecurity #SOC #ThreatHunting

Google Threat Intelligence Group assesses the Defense Industrial Base as being under sustained, multi-vector intrusion attempts.

Key clusters:
• APT44 – Signal data exfiltration tooling
• APT45 – SmallTiger malware
• Volt Typhoon – Portal reconnaissance & obfuscation
• Lazarus Group – Dream Job social engineering

TTP trends:
- EDR evasion via single-endpoint targeting
- Android malware targeting battlefield apps
- Recruitment workflow compromise
- ORB network reconnaissance
- Manufacturing supply chain exploitation

The DIB threat surface spans personnel, infrastructure, battlefield software, and manufacturing.

Source:
https://thehackernews.com/2026/02/google-links-china-iran-russia-north.html

How are you segmenting defense-critical assets against advanced persistent threats?
Engage below.

Follow @technadu for deep-dive threat analysis.

#APT #ThreatHunting #EDR #DefenseSecurity #CyberEspionage #BlueTeam #ThreatModeling #ZeroTrust #NationalSecurity #InfoSec #MalwareAnalysis #SupplyChainSecurity

🏋️ 𝗡𝗼𝗿𝘁𝗵𝗦𝗲𝗰 𝟮𝟬𝟮𝟲 𝗙𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻𝘀/𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴𝘀 (5/12): "Deconstructing Rust Binaries" 𝗽𝗮𝗿/𝗯𝘆 Cindy Xiao

📅 Dates: May 11, 12 and 13, 2026 (3 days)
📊 Difficulty: Medium
🖥️ Mode: Hybrid (on-site & remote)

Description:
"𝘙𝘶𝘴𝘵-𝘣𝘢𝘴𝘦𝘥 𝘮𝘢𝘭𝘸𝘢𝘳𝘦 𝘪𝘴 𝘢 𝘨𝘳𝘰𝘸𝘪𝘯𝘨 𝘵𝘩𝘳𝘦𝘢𝘵. 𝘋𝘦𝘤𝘰𝘯𝘴𝘵𝘳𝘶𝘤𝘵𝘪𝘯𝘨 𝘙𝘶𝘴𝘵 𝘉𝘪𝘯𝘢𝘳𝘪𝘦𝘴 𝘦𝘲𝘶𝘪𝘱𝘴 𝘳𝘦𝘷𝘦𝘳𝘴𝘦 𝘦𝘯𝘨𝘪𝘯𝘦𝘦𝘳𝘴 𝘢𝘯𝘥 𝘮𝘢𝘭𝘸𝘢𝘳𝘦 𝘢𝘯𝘢𝘭𝘺𝘴𝘵𝘴 𝘸𝘪𝘵𝘩 𝘦𝘴𝘴𝘦𝘯𝘵𝘪𝘢𝘭 𝘴𝘬𝘪𝘭𝘭𝘴 𝘧𝘰𝘳 𝘵𝘢𝘤𝘬𝘭𝘪𝘯𝘨 𝘢 𝘯𝘦𝘸 𝘤𝘩𝘢𝘭𝘭𝘦𝘯𝘨𝘦. 𝘋𝘺𝘯𝘢𝘮𝘪𝘤 𝘣𝘪𝘯𝘢𝘳𝘪𝘦𝘴 𝘢𝘳𝘦 𝘪𝘯𝘤𝘳𝘦𝘢𝘴𝘪𝘯𝘨𝘭𝘺 𝘮𝘰𝘷𝘪𝘯𝘨 𝘵𝘰𝘸𝘢𝘳𝘥𝘴 𝘙𝘶𝘴𝘵, 𝘺𝘦𝘵 𝘳𝘦𝘷𝘦𝘳𝘴𝘦 𝘦𝘯𝘨𝘪𝘯𝘦𝘦𝘳𝘴 𝘭𝘢𝘤𝘬 𝘵𝘩𝘦 𝘴𝘱𝘦𝘤𝘪𝘢𝘭𝘪𝘻𝘦𝘥 𝘬𝘯𝘰𝘸𝘭𝘦𝘥𝘨𝘦 𝘵𝘰 𝘥𝘦𝘤𝘰𝘥𝘦 𝘵𝘩𝘦𝘮. 𝘛𝘩𝘪𝘴 𝘧𝘪𝘳𝘴𝘵-𝘰𝘧-𝘪𝘵𝘴-𝘬𝘪𝘯𝘥 𝘤𝘰𝘶𝘳𝘴𝘦 𝘣𝘳𝘪𝘥𝘨𝘦𝘴 𝘵𝘩𝘢𝘵 𝘤𝘳𝘪𝘵𝘪𝘤𝘢𝘭 𝘨𝘢𝘱. 𝘛𝘩𝘳𝘰𝘶𝘨𝘩 𝘢 𝘭𝘢𝘯𝘨𝘶𝘢𝘨𝘦-𝘤𝘦𝘯𝘵𝘳𝘪𝘤 𝘢𝘱𝘱𝘳𝘰𝘢𝘤𝘩, 𝘺𝘰𝘶'𝘭𝘭 𝘭𝘦𝘢𝘳𝘯 𝘙𝘶𝘴𝘵 𝘧𝘶𝘯𝘥𝘢𝘮𝘦𝘯𝘵𝘢𝘭𝘴, 𝘶𝘯𝘥𝘦𝘳𝘴𝘵𝘢𝘯𝘥 𝘩𝘰𝘸 𝘙𝘶𝘴𝘵 𝘤𝘰𝘯𝘴𝘵𝘳𝘶𝘤𝘵𝘴 𝘵𝘳𝘢𝘯𝘴𝘭𝘢𝘵𝘦 𝘵𝘰 𝘢𝘴𝘴𝘦𝘮𝘣𝘭𝘺, 𝘢𝘯𝘥 𝘮𝘢𝘴𝘵𝘦𝘳 𝘱𝘳𝘢𝘤𝘵𝘪𝘤𝘢𝘭 𝘵𝘳𝘪𝘢𝘨𝘦 𝘵𝘦𝘤𝘩𝘯𝘪𝘲𝘶𝘦𝘴. 𝘠𝘰𝘶'𝘭𝘭 𝘵𝘳𝘢𝘤𝘦 𝘥𝘢𝘵𝘢 𝘧𝘭𝘰𝘸𝘴, 𝘪𝘥𝘦𝘯𝘵𝘪𝘧𝘺 𝘧𝘶𝘯𝘤𝘵𝘪𝘰𝘯𝘢𝘭𝘪𝘵𝘺, 𝘢𝘯𝘥 𝘥𝘦𝘤𝘰𝘯𝘴𝘵𝘳𝘶𝘤𝘵 𝘳𝘦𝘢𝘭 𝘙𝘶𝘴𝘵 𝘮𝘢𝘭𝘸𝘢𝘳𝘦 𝘴𝘢𝘮𝘱𝘭𝘦𝘴 𝘪𝘯 𝘢 𝘴𝘵𝘳𝘶𝘤𝘵𝘶𝘳𝘦𝘥, 𝘦𝘧𝘧𝘪𝘤𝘪𝘦𝘯𝘵 𝘸𝘢𝘺. 𝘞𝘩𝘦𝘵𝘩𝘦𝘳 𝘺𝘰𝘶'𝘳𝘦 𝘢𝘯𝘢𝘭𝘺𝘻𝘪𝘯𝘨 𝘳𝘢𝘯𝘴𝘰𝘮𝘸𝘢𝘳𝘦 𝘰𝘳 𝘢𝘯𝘢𝘭𝘺𝘻𝘪𝘯𝘨 𝘭𝘦𝘨𝘪𝘵𝘪𝘮𝘢𝘵𝘦 𝘙𝘶𝘴𝘵-𝘣𝘢𝘴𝘦𝘥 𝘴𝘺𝘴𝘵𝘦𝘮𝘴, 𝘺𝘰𝘶'𝘭𝘭 𝘥𝘦𝘷𝘦𝘭𝘰𝘱 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘦𝘤𝘳𝘢𝘧𝘵 𝘯𝘦𝘦𝘥𝘦𝘥 𝘵𝘰 𝘲𝘶𝘪𝘤𝘬𝘭𝘺 𝘶𝘯𝘥𝘦𝘳𝘴𝘵𝘢𝘯𝘥 𝘢𝘯𝘥 𝘣𝘳𝘦𝘢𝘬 𝘥𝘰𝘸𝘯 𝘙𝘶𝘴𝘵 𝘣𝘪𝘯𝘢𝘳𝘪𝘦𝘴 𝘸𝘪𝘵𝘩 𝘤𝘰𝘯𝘧𝘪𝘥𝘦𝘯𝘤𝘦."

About the trainer:
Cindy Xiao is an experienced malware reverse engineer with specialized expertise in analyzing Rust binaries. She brings real-world knowledge of emerging Rust-based threats and combines technical depth with practical, hands-on instruction to help security professionals rapidly upskill in this critical domain.

🔗 Training details: https://nsec.io/training/2026-deconstructing-rust-binaries/

#NorthSec #cybersecurity #infosec #malwareanalysis #reverseengineering

The new REMnux MCP server connects AI agents to 200+ malware analysis tools. I was surprised at the depth of investigation it can deliver: https://zeltser.com/ai-malware-analysis-remnux

Most of my time on this project went into capturing how I approach malware analysis and making sure the server provides the right guidance at the right time, so that AI can think and adapt as it creates the workflow. The post includes interactive replays of real analysis sessions.

#malware #malwareanalysis #infosec #cybersecurity #tools #artificialintelligence #AI

A supply chain incident affecting the Open VSX Registry demonstrates how compromised developer credentials can be used to distribute malware through trusted tooling.

Researchers observed malicious updates embedding the GlassWorm loader, using encrypted runtime execution and EtherHiding techniques for C2 retrieval. The incident differs from earlier GlassWorm activity by relying on a legitimate developer account rather than typosquatting.

What defensive signals matter most when static indicators lose value?

Source: https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html

Follow TechNadu for measured security analysis.

#InfoSec #SupplyChainSecurity #DeveloperEcosystem #MalwareAnalysis #ThreatIntel #TechNadu