Malwarez at @elasticseclabs | Macrodata Refinement

Joined March 2011
Pinned Tweet
Our team revisited #BLISTER, a stealthy loader recently tied to #LockBit and #SocGholish. We go through its different capabilities, and released a config extractor. Blog🔗: elastic.github.io/security-r… Config extractor 🧰: elastic.github.io/security-r…
Daniel Stepanic retweeted
#ESETresearch has discovered a supply-chain attack targeting stock investors in 🇻🇳Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform. welivesecurity.com/en/eset-r… 1/4
Daniel Stepanic retweeted
PHANTOMPULSE routes C2 through Ethereum/Base/Optimism transaction inputs. The blockchain resolver has zero sender verification. That means one transaction from a defender overrides the C2 URL for every active implant simultaneously. @soolidsnakee reverse-engineered the full implant: three injection techniques, a shared HWBP primitive that kills AMSI/WLDP/ETW in a single handler, and a 580c XOR signature you can use to hunt sibling wallets right now. go.es.io/43Puuep
Daniel Stepanic retweeted
#VirusBulletin round 2! 🥊(last one was 2 years ago for me) Me and @k33b0i will be there for #VB2026 presenting how #REF3927 managed to hijack 571 IIS servers for an SEO fraud network. Swing by and catch up with the Elastic Security Labs team if you're around. virusbulletin.com/conference… #vbconference #conference #research
Daniel Stepanic retweeted
We uncovered a new Brazilian banking trojan campaign: TCLBANKER. What makes TCLBANKER notable isn’t just the malware itself, but how it spreads. The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection. For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit. Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign. Read the full analysis: go.es.io/4ewvCKF
Daniel Stepanic retweeted
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy. So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it? We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs. Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses. The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces. The arms race just shifted.
Daniel Stepanic retweeted
Here's a fun one from our latest research: PHANTOMPULSE resolves its C2 from blockchain transactions. The malware reads the most recent transaction of a wallet to decrypt the input data, and uses it as the C2 URL. The problem? It doesn't verify the sender. 🧵
New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs. We uncovered a campaign abusing Obsidian plugins and vault feature to deliver multi-platform payloads targeting both #Windows and #macOS. The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions, and its loader #PHANTOMPULL. A deep dive into the RAT internals is coming next. Stay tuned. elastic.co/security-labs/pha…
Daniel Stepanic retweeted
We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB
Daniel Stepanic retweeted
Replying to @soolidsnakee
@soolidsnakee another banger, man
Elastic Security Labs exposes BRUSHWORM backdoor and BRUSHLOGGER keylogger targeting South Asian financial institution. Custom malware pair features USB worm spreading, broad file theft, and system-wide keystroke capture via DLL side-loading. Key technical details:
• BRUSHWORM (paint.exe): Modular backdoor with AES-CBC encrypted config, scheduled task persistence (MSGraphics), anti-analysis checks (screen resolution, hypervisor detection), and C2 communication to resources.dawnnewsisl[.]com/updtdll
• Creates hidden directories: C:\ProgramData\Photoes\Pics\, C:\Users\Public\Libraries\, stages stolen files in C:\Users\Public\Systeminfo\
• USB spreading uses social engineering filenames (Salary Slips.exe, Documents.exe) and exfiltrates 40 file extensions including .doc, .pdf, .pst, .py
• BRUSHLOGGER (libcurl.dll): DLL side-loading keylogger with WH_KEYBOARD_LL hook, XOR encryption (key 0x43), logs to C:\programdata\Photoes\<username>_<MD5(username)>.trn
Attack methodology employs T1053.005 (scheduled tasks), T1574.002 (DLL side-loading), T1056.001 (keylogging), T1091 (removable media replication), and maintains persistence across reboots. Hunt for scheduled tasks named MSGraphics/MSRecorder, monitor file creation in ProgramData\Photoes\ directory, and detect abnormal rundll32.exe execution patterns. #DFIR_Radar
Daniel Stepanic retweeted
Elastic Security Labs has been observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The SILENTCONNECT loader delivers ScreenConnect - a RMM tool used to control victim machines - as its final payload. elastic.co/security-labs/sil…
Daniel Stepanic retweeted
Patch Diff to SYSTEM - using LLMs to exploit a LPE vuln on Windows. More importantly, some thoughts on model capabilities and the implications for our security industry. elastic.co/security-labs/pat…
Daniel Stepanic retweeted
Elastic Security Labs uncovered a large-scale SEO poisoning campaign deploying #BADIIS malware on 1,800 IIS servers worldwide. Compromised systems—spanning government, corporate, and education sectors—are monetized to push gambling and illicit content. Learn more here: ela.st/badiis
Daniel Stepanic retweeted
We are tracking #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs. www.ndibstersoft[.]com d15mawx0xveem1.cloudfront[.]net xMRi[.]neTwOrk
Daniel Stepanic retweeted
New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging. Get the full analysis and defense strategies: ela.st/nanoremote
Daniel Stepanic retweeted
9 Dec 2025
Nice post by @sysdig! x.com/virusbtn/status/199835… We’re seeing this implant as well. Looks like there is a worm module too.

Sysdig TRT details EtherRAT, a sophisticated backdoor dropped through recent React2Shell exploitation. The implant uses Ethereum smart contracts for C2 resolution and multiple Linux persistence mechanisms, going well beyond typical cryptomining payloads. sysdig.com/blog/etherrat-dpr…
Really awesome new research from @k33b0i @soolidsnakee
#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant. Check it out at ela.st/roningloader
Daniel Stepanic retweeted
Elastic Security Labs publishes nightMARE, a Python library (v0.16) for malware analysis and for building configuration extractors. elastic.co/security-labs/nig…
Daniel Stepanic retweeted
Replying to @elasticseclabs
@elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.