Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to remote HTA execution and deployment of an obfuscated PowerShell loader that decrypts and runs Cobalt Strike shellcode in memory. The campaign targets finance and legal departments of B2B enterprises in logistics, industrial production, construction, and technical supply. It employs phishing emails with Russian-language lures related to contracts, payments, and legal matters. The infrastructure uses multiple Russian-controlled domains as command-and-control servers.

Pulse ID: 693709f10b18abd6b3644445
Pulse Link: https://otx.alienvault.com/pulse/693709f10b18abd6b3644445
Pulse Author: AlienVault
Created: 2025-12-08 17:25:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CyberSecurity #Email #ICS #InfoSec #LNK #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Russia #ShellCode #Troll #bot #AlienVault

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant dubbed DUPERUNNER, which then loads the AdaptixC2 Beacon to connect to the threat actor's infrastructure. The infection chain begins with a spear-phishing ZIP archive containing PDF-themed LNK files. The DUPERUNNER implant, programmed in C++, performs various functions including downloading and opening decoy PDFs, process enumeration, and shellcode injection. The final stage involves the AdaptixC2 Beacon, which communicates with the command-and-control server. The campaign, tracked as UNG0902, uses multiple malicious infrastructures and is believed to be targeting employees of various organizations.

Pulse ID: 69304959476d2ade5f1c7ff2
Pulse Link: https://otx.alienvault.com/pulse/69304959476d2ade5f1c7ff2
Pulse Author: AlienVault
Created: 2025-12-03 14:29:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CodeInjection #CyberSecurity #InfoSec #LNK #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Russia #ShellCode #SpearPhishing #ZIP #bot #AlienVault

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.

Pulse ID: 6924c9a94b1c7374cf444b82
Pulse Link: https://otx.alienvault.com/pulse/6924c9a94b1c7374cf444b82
Pulse Author: AlienVault
Created: 2025-11-24 21:10:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LummaC2 #Mac #Malware #NET #OTX #OpenThreatExchange #PowerShell #Rhadamanthys #ShellCode #Steganography #Windows #bot #AlienVault

How would you prefer to name macros that generate syscalls in assembly?

#namingthings #syscalls #assembly #asm #shellcode

Прячем shellcode в приложениях

В этой статье мы рассмотрим одну из наиболее эффективных техник обхода традиционных систем защиты — сокрытие шеллкода. Уязвимости в программном обеспечении могут стать отличной возможностью для злоумышленников, а шеллкод, благодаря своей компактности и скрытности, становится идеальным инструментом для эксплуатации таких уязвимостей. Мы не только объясним, как скрывают вредоносный код, но и подробно рассмотрим методы преобразования стандартных исполняемых файлов в шеллкод, а также покажем, как этот процесс может быть использован для обхода современных средств защиты.

https://habr.com/ru/companies/otus/articles/910474/

#reverseengineering #exploit #shellcode #payload #windows_internals #reverse #reverse_engineering

→ #Speedrunners are #vulnerability researchers, they just don't know it yet
https://zetier.com/speedrunners-are-vulnerability-researchers/

“Super Mario World runners will place items in extremely precise locations so that the X,Y coordinates form #shellcode they can jump to with a dangling reference. Legend of #Zelda: Ocarina of Time players will do heap grooming and write a #function pointer […] so the game “wrong warps” directly to the #end #credit sequence… with nothing more than a #game #controller and a steady #hand”

#Mario

Decai decompiling a malicious shellcode.
The instructions are not so readable, if you're not used to syscalls int 0x80. AI does it for you.

https://asciinema.org/a/4PY8wn2TPg2oBdDQ0Q5bgMYjk

#r2ai #decai #r2 #malware #shellcode #syscall #linux

What are people using as a syscall database?

#reverseengineering #assembly #asm #shellcode

The nineth article (38 pages) of the Malware Analysis Series (MAS) is available on:

https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/

I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which have helped me write these articles.

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

Have a great day.

#shellcode #malware #reverseengineering

The nineth article (38 pages) of the Malware Analysis Series (MAS) is available on:

https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/

I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which have helped me write these articles.

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

Have a great day.

#windows #shellcode #malware #reverseengineering #reversing #idapro #malwareanalysis

Is there an example of shellcode or other malware needing to use Floating Point assembly instructions?

#shellcode #asm #malware

World’s First MIDI #RCE #Shellcode https://psi3.ru/blog/swl01u/

Basics of Windows shellcode writing

Dive into crafting Windows shellcode, from assembly basics to execution techniques. Essential for exploit development and system understanding.

https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html

#shellcode #windows

[Перевод] Создание Powershell Shellcode Downloader для обхода Defender (Без обхода Amsi)

Сегодня я покажу, как модифицировать powershell shellcode runner для загрузки и выполнения нагрузки в обход Windows Defender. Я буду использовать shellcode runner, который применял ранее: https://github.com/dievus/PowerShellRunner/blob/main/runner.ps1 Для демонстрации я использую виртуальную машину Windows с временно отключённым Defender. Я скопирую код и создам на его основе новый файл, используя PowerShell ISE.

https://habr.com/ru/articles/868622/

#paylaoad #shellcode #av #bypass #информационная_безопасность #хакинг

From C to shellcode (simple way)

This post explains the journey of turning C code into shellcode, including techniques to create compact and executable shellcode suitable for exploitation.

https://print3m.github.io/blog/from-c-to-shellcode

#shellcode #c

Thread execution hijacking. Исполнение шелл-кода в удаленном процессе

В статье разберем технику T1055.003 Подменим контекст потока удаленного процесса и рассмотрим способ доставки шелл-кода в процесс с помощью удаленного маппинга. В ОС Windows существует возможность получения контекста потока и последующего управления значениями регистров. Это дает возможность изменения потока выполнения, например, с помощью модификации регистра rip. Этим и будем пользоваться.

https://habr.com/ru/articles/855710/

#hijacking #shellcode #mapping #thread

Ready to navigate the treacherous waters of buffer overflows?

Check my latest blog post: "Wherein We Study A Buffer Overflow And Ready Our Aim: testing the waters"

We'll now be ready to actually exploit the return address and use it for our own means.

Consider this the first step before shellcoding gallore.

🦶 Dip your toe here: https://dreaming-of-dragons.blogspot.com/2024/10/wherein-we-study-buffer-overflow.html

#Shellcode #CyberSecurity #ReverseEngineering #LowLevelProgramming #TechBlog #ExploitDevelopment

Ready for the troubled waters of shellcode? I'm not. Not just yet, at least. But I'm by the shore and telling you about it in my latest blog post: "Wherein We Wade Through A Shellcode Shore: before the dive

"

Spoiler alert: shellcode remains relevant (and fun).

👉 Check out: https://dreaming-of-dragons.blogspot.com/2024/10/wherein-we-wade-through-shellcode-shore.html

#Shellcode #CyberSecurity #ReverseEngineering #LowLevelProgramming #TechBlog #ExploitDevelopment

See Sharem in action, emulating a Windows shellcode: https://www.youtube.com/watch?v=S1PI9O-q6eM

I don't think it supports Linux shellcodes, does it? Also, I wonder what disassembler it uses.

NB. AI for Sharem was presented @VirusBulletin

#vb2024 #shellcode #emulation #disassembly

En el número #ROOR07 iniciamos una nueva sección llamada #AprendeHacking escribiendo tus propias herramientas. En este primer artículo escribimos una herramienta para volcar shellcodes

#Hacking #Shellcode #Capstone #desensamblador #programming #C #programacion

https://ibolcode.net/roor/2024-08-volcando-shellcodes--desensamblador-basico