Threat Intelligence Analyst @esthreat 🚀🚀 | Blue Teamer

Joined August 2014
Pinned Tweet
31 May 2021
Today marks my first day to work as a SOC analyst. Perhaps one thing I have learned over the years is to be persistent, never stop grinding, and chase down your dream. Here is my timeline for me to achieve my dream.
Bohan Zhang retweeted
🚨 ALERT - A critical Splunk Enterprise flaw can go from “no login required” to remote code execution. Tracked as CVE-2026-20253, the bug carries a 9.8 CVSS score and affects vulnerable Splunk Enterprise servers through exposed PostgreSQL sidecar endpoints. The exploit chain is now public. Read the full story: thehackernews.com/2026/06/cr…
Bohan Zhang retweeted
โ€ผ๏ธ๐Ÿšจ Unauthenticated attackers are gaining SYSTEM on domain controllers with crafted packets. The vulnerability being exploited is CVE-2026-41089, a CVSS 9.8 hole in Windows Netlogon, and exploitation in the wild has been confirmed. A patch has existed since May 12. Every DC still behind is not just vulnerable, but according to the Centre for Cybersecurity Belgium are also actively being pwnd.
Bohan Zhang retweeted
Jun 11
New NightmareEclipse Bitlocker Bypass 0-Day github.com/MSNightmare/Great…
Bohan Zhang retweeted
🆕 NightmareEclipse Bitlocker Bypass 0-Day Detection GreatXML is a Windows zero-day that bypasses BitLocker by abusing the Windows Recovery Environment (WinRE) and Defender Offline Scan workflow, allowing an attacker to gain an unrestricted shell and access encrypted drives without credentials. Here's a GreatKQL to complement the detection 🤭 github.com/SlimKQL/Detection… #Cybersecurity #NightmareEclipse #GreatXML #GreatKQL
Bohan Zhang retweeted
Two zerodays this month, hope I can do more next month
Bohan Zhang retweeted
More AI-generated code doesn't make your team faster. It might actually slow you down.
Bohan Zhang retweeted
We detected a supply-chain compromise in onering 1.4.1, a Rust crate on crates.io with 18,000 downloads. The latest version uses a malicious build.rs script to quietly exfiltrate git data and source code from your latest commit on every build, disguised as Sentry traffic. The GitHub repository is also compromised, so pulling directly from git is not a safe workaround.
Bohan Zhang retweeted
Final comment on the ServiceNow incident. I've had the opportunity to review the code that was live during the incident. There are appropriate guardrails in place to prevent arbitrary table write (e.g user creation, script execution).
Bohan Zhang retweeted
Nightmare Eclipse guy has returned (as is tradition) and has released another Microsoft Windows zero day (as is tradition). > releases zero day > spells rogue wrong in file > "rogeplanet" smh github.com/MSNightmare/Rogue…
Bohan Zhang retweeted
🚨 Hackers are already exploiting a flaw in LiteLLM, a widely used open-source AI gateway. One bug (CVE-2026-42271) lets any logged-in user run commands on the server. Chain it with a second bug, and attackers get in with no login at all. 🔗 Details: thehackernews.com/2026/06/li…
Bohan Zhang retweeted
Please stop this madness.
Replying to @SocketSecurity
We are now tracking 471 affected artifacts across npm and PyPI in the Mini Shai-Hulud/Miasma/Hades campaign. The newer PyPI artifacts from this wave have been added to the dedicated campaign tracker. Full breakdown: socket.dev/blog/mini-shai-hu…
Bohan Zhang retweeted
🚨 Check Point confirmed an actively exploited authentication bypass in Remote Access VPN and Mobile Access using the deprecated IKEv1 protocol. Attackers can open a VPN session with no valid authentication. One case is already linked to a Qilin ransomware affiliate. (CVE-2026-50751 / CVSS 9.3)
Bohan Zhang retweeted
We are releasing our first cloud intrusion case. One thing I liked about working on this cloud intrusion case was discovering a gap in my own experience. I’ve worked on many endpoint intrusions, but handling an AWS account compromise is a completely different beast. Instead of just searching for suspicious processes or odd command lines, you need to connect identity movement, API activity, role assumptions, object access, service behaviour, and more. I needed to put in real effort to learn how to investigate this properly. I ended up doing a lot of research while building and investigating this case, so we turned that work into a field guide for investigating AWS intrusions. We originally wrote it for THL users, but we’re sharing it publicly because more analysts should have a practical reference for AWS intrusion investigations. Blog: threathuntinglabs.com/blog/a…
🎉 We are releasing our first cloud intrusion case in Threat Hunting Labs. It includes x3 labs across three disciplines! This is our first AWS cloud intrusion release, and it asks analysts to work through a different kind of evidence than endpoint-heavy cases. You will investigate AWS identity activity, IAM enumeration and discovery, role assumptions, trace API calls, and more. We also published an AWS Cloud Intrusion Investigation Field Guide alongside the case. We wrote it to help THL users reason through the investigation without giving away the answers, but the reference is useful for anyone trying to get more comfortable with AWS account-compromise investigations. The guide covers:
- CloudTrail management and data events
- S3 access evidence
- VPC Flow Logs
- GuardDuty findings
- high-signal AWS events
- common investigation mistakes
- AWS log gaps
Blog: threathuntinglabs.com/blog/a… Case: threathuntinglabs.com/threat…
Bohan Zhang retweeted
New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
Bohan Zhang retweeted
Careful! DPRK folks are being pretty wild ATM and recruiting nearly anyone they can find in order to make a deal with the victim. The deal consists of the DPRK IT worker leveraging the victim's Upwork account and identity in return for cash.
Bohan Zhang retweeted
โ€ผ๏ธ๐Ÿšจ A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar. The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at `.claude`, `.cursor`, `.gemini`, and `.vscode` paths, a separate persistence and repo-poisoning angle.
Bohan Zhang retweeted
🚨 A one-click flaw in GitHub.dev can let attackers steal #GitHub OAuth tokens with read/write access to repositories, including private ones. Microsoft is working on a fix. The attack abuses VS Code webviews and local workspace extensions to extract tokens. VS Code Desktop is not affected. Read: thehackernews.com/2026/06/on…
Bohan Zhang retweeted
โš ๏ธ New "IronWorm" supply-chain attack: 30 npm packages from @ asteroiddao shipped a malicious Rust binary firing on preinstall. It sweeps 86 env vars 20 credential files (AWS, GCP, Vault, npm, plus AI keys like Anthropic & OpenAI), hits Exodus wallets, hides behind an eBPF rootkit, and beacons over Tor. Self-propagates via npm Trusted Publishing OIDC, with backdated commits faked as claude/dependabot/renovate.
Bohan Zhang retweeted
Compromised npm packages (utils-terminal@3.2.1, logger-active@3.2.1) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials. Indicators of compromise (IOCs):
- npm user: hexalpha10 / author: toskypi
- 195.201.194[.]107:8010 (WebSocket C2)
- c2-toskypi.onrender[.]com (HTTP C2)
- huggingface[.]co/api (exfiltration endpoint)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 (persistence)
- MicrosoftSystem64.service (Linux systemd persistence)
- \MicrosoftSystem64 (Windows scheduled task)
- MicrosoftSystem64/payload.js (payload directory)
Defenders: treat unexpected huggingface[.]co/api calls from non-ML workloads as suspicious.
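To turn the indicators in the post above into something that runs against telemetry, here is an added example (not from the post or from the researchers who published it): a small Python matcher that refangs the listed IOCs, checks proxy-style log lines for the two C2 endpoints and for huggingface.co/api calls from workloads that have no ML role, and recognises the MicrosoftSystem64 persistence artifacts. The log line format, the workload-tag convention (an `ml-` or `jupyter-` prefix marks an ML workload) and the sample log lines are constructed assumptions, not anything from the post.

```python
"""IOC matcher for the utils-terminal / logger-active npm campaign.

Added example, not code from the original post. The log format, the workload
tags and the sample lines are constructed for illustration; the indicators are
the ones listed in the post, kept defanged as published and refanged on load.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Network indicators from the post (defanged as published).
DEFANGED_NETWORK_IOCS = {
    "195.201.194[.]107:8010": "WebSocket C2",
    "c2-toskypi.onrender[.]com": "HTTP C2",
}
DEFANGED_EXFIL_HOST = "huggingface[.]co"  # legitimate service abused for exfiltration

# Persistence artifacts from the post; all share the MicrosoftSystem64 name.
PERSISTENCE_ARTIFACTS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64": "Windows Run key",
    "MicrosoftSystem64.service": "Linux systemd unit",
    r"\MicrosoftSystem64": "Windows scheduled task",
    "MicrosoftSystem64/payload.js": "payload directory",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into its real form for matching."""
    return indicator.replace("[.]", ".")


NETWORK_IOCS = {refang(k): v for k, v in DEFANGED_NETWORK_IOCS.items()}
EXFIL_HOST = refang(DEFANGED_EXFIL_HOST)

# Assumption: workload tags that legitimately talk to Hugging Face carry these prefixes.
ML_WORKLOAD_PREFIXES = ("ml-", "jupyter-")

# Constructed proxy log format: "<timestamp> <workload-tag> <host[:port]><path>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<workload>\S+)\s+(?P<dst>[^/\s]+)(?P<path>\S*)$")


def is_ml_workload(workload: str) -> bool:
    return workload.startswith(ML_WORKLOAD_PREFIXES)


def check_network_event(workload: str, dst: str, path: str) -> Optional[str]:
    """Return a finding label for one outbound connection, or None if nothing matched."""
    host = dst.split(":")[0]
    # The IP indicator is published with its port, the hostname without; try both forms.
    if dst in NETWORK_IOCS:
        return f"{NETWORK_IOCS[dst]} ({dst})"
    if host in NETWORK_IOCS:
        return f"{NETWORK_IOCS[host]} ({host})"
    # Hugging Face API traffic is only flagged when the workload has no ML role.
    if host == EXFIL_HOST and path.startswith("/api") and not is_ml_workload(workload):
        return f"possible exfiltration: {host}/api from non-ML workload {workload}"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run the network checks over log lines; return (line_number, finding) pairs."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped rather than silently treated as a hit
        finding = check_network_event(m["workload"], m["dst"], m["path"])
        if finding:
            findings.append((n, finding))
    return findings


def check_persistence_artifact(value: str) -> Optional[str]:
    """Match a registry path, service name, task name or file path against the list."""
    for artifact, kind in PERSISTENCE_ARTIFACTS.items():
        if value.lower().endswith(artifact.lower()):
            return f"persistence: {kind} ({artifact})"
    return None


# Constructed sample: a CI runner contacting both C2s and the exfil endpoint,
# an ML training host using Hugging Face legitimately, and a benign npm fetch.
SAMPLE_LOG = [
    "2026-06-12T10:01:02Z ci-runner-07 195.201.194.107:8010/ws",
    "2026-06-12T10:01:05Z ci-runner-07 c2-toskypi.onrender.com/beacon",
    "2026-06-12T10:02:00Z ci-runner-07 huggingface.co/api/models/upload",
    "2026-06-12T10:02:30Z ml-training-01 huggingface.co/api/models/bert-base-uncased",
    "2026-06-12T10:03:00Z ci-runner-07 registry.npmjs.org/utils-terminal",
]

if __name__ == "__main__":
    for n, finding in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
    print(check_persistence_artifact(
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64"))
```

Only the first three sample lines produce findings; the ML training host's Hugging Face call and the npm registry fetch are left alone. The host/port split matters: the IP indicator is published with its port, so it is matched as `host:port`, while the onrender hostname is matched on the host alone so a different port does not slip past the check.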