Joined June 2011
9-year-old webshell EDR/AV/Yara testing samples; left-side screenshot improved to the right-side screenshot website using AI github.com/0xAnalyst/webshel… 0xanalyst.github.io/webshell… #EDR #Defender #yara #webshell
16 Nov 2025
A new Redline variant C2: 45.95.147.222:8080 185.215.113.117:443 91.215.85.45:80 194.36.191.128:8080 77.91.84.63:443 Exfil domains: update.chrome-service[.]com metrics.google-analytics[.]net Yara rule: yarasearch.net/details/529/ #Redline #Blueteam #Threathunting
12 Nov 2025
31 Aug 2025
Inspired by kqlsearch, my mentee @Qtr_Alhajj has built a Yara database and search engine here yarasearch.net/. Incredible work from a first-year university student. Looking for suggestions to improve the website. #Yara #database #malware
Ali Hussein retweeted
With all the fuss around #velociraptor thought I'd give a shout-out to project LOST (LOL Security Tools). We started this together with @0xanalyst some time ago. Yes, Velociraptor, osquery, defender, wazuh, and much more that would deserve to be documented 0xanalyst.github.io/Project-…
This final execution of the malware seems to be a new way to obfuscate downloadstring dynamically. They load the URL in a variable and then dynamically resolve function names for download and downloadstring #Lumma #infosec #malware #blueteam ChatGPT explanation follows
Ali Hussein retweeted
29 Apr 2025
NEW LAB: Abu Jibal (APT34 / OilRig) 🔍💻 Iranian APT34 targets the oil and gas sector across the Middle East. Test your blue team skills on: 👀 Password Filter DLL Attacks 👀 RunPE In-Memory Execution 👀 Windows Kernel Elevation 👀 Malicious JavaScript Payloads 👀 Custom Keyloggers Lab Contributors: Adversarial Emulation: @q8fawazo Incident Response: @r3nzsec Solve it here 👉 xintra.org @XintraOrg
Ali Hussein retweeted
23 Apr 2025
New FullHunt features coming up! Stay tuned… 🥁🚀
14 Apr 2025
ChatGPT extracted TTPs on the ransomware negotiation chat ransomware.live/nego
10 Apr 2025
Based on the report thedfirreport.com/2025/03/31… I have created 2 new detection rules github.com/0xAnalyst/Defende… - Detects usage of bublup[.]com for exfiltration github.com/0xAnalyst/Defende… - Detects unsigned binaries executing from suspicious locations #KQL #Threathunting #ATP
From Akira Ransomware negotiation chats, this seems to be the generic response they give as to how they compromised victims. #Blueteam #SOC #ransomware
Asked ChatGPT to summarize the TTPs based on the chat log for each threat group. Sample screenshot.
25 Mar 2025
Even the most advanced TAs leave traces. Great analysis by @citizenlab team citizenlab.ca/2025/03/a-firs…
16 Mar 2025
Based on the intel report screenshot below from Microsoft, I have added detection rules to my KQL repo github.com/0xAnalyst/Defende… github.com/0xAnalyst/Defende… github.com/0xAnalyst/Defende… The same queries can be found in kqlsearch.com, see screenshot. #ATP #ThreatHunting #KQL #SOC
Apple threat notifications received this week, likely compromised users in 117 countries. "Today’s notification is being sent to targeted users in 117 countries". amnesty.org/en/latest/news/2…
Notifications were received by victims around the world this week. The mentioned article covers what you need to do when you get one of those.