Jonathan Peters retweeted
Update: We identified two new UNC1549 / Nimbus Manticore phishing domains hosting the same fake Ebix recruitment portal from our previous reporting:
hxxps://ebix[.]portal-career[.]com
hxxps://ebix-exam[.]com
IOCs and rules are available in THOR Lite and THOR Cloud Lite. Sign-up and scan your systems for free right now: thorcloud-lite.nextron-syste…

Detecting Nimbus Manticore (UNC1549)
While previous reporting documented the threat actor’s operations, our analysis focuses on defender value:
◾ Multiple public YARA rules
◾ Campaign-specific detections
◾ Generic hunting logic
◾ IOC enrichment
◾ Detection opportunities across the full infection chain
From LinkedIn lures and fake hiring portals to AppDomain hijacking, Azure infrastructure, and custom implants.
Read the full research by @cod3nym: eu1.hubs.ly/H0vPgF80
#ThreatResearch #YARA #ThreatIntel
Jonathan Peters retweeted
🚨 Our artifact scanner detected a malicious PyPI package: "cache-compat-utils@0.1.0" (publisher: "electracrimson").
The package uses "_patch.py" as a dropper to fetch the Bun runtime from GitHub and execute "_runtime.bin".
Deobfuscated, the payload is a CI/CD secret stealer self-propagator with Shai-Hulud-style worm behavior:
🔑 Steals AWS, GitHub & npm credentials
☁️ Targets AWS IMDS, ECS, Vault & k8s tokens
🐙 Uses GitHub GraphQL npm recon to spread
virustotal.com/gui/file/95d4…
Jonathan Peters retweeted
Replying to @npmjs
@npmjs author "t-in-one" published multiple credential-harvesting infostealer packages.
C2: oob[.]moika[.]tech
MacOS second stage payload detected by THOR Sigma rule "NodeJS Execution of JavaScript File" created by @_swachchhanda_: virustotal.com/gui/file/de1a…
Jonathan Peters retweeted
Following the initial report from @wiz_io on compromised MistralAI packages, our artifact‑scanning pipeline has identified additional Shai Hulud–infected NPM artifacts:
mistralai/mistralai-gcp v1.7.3
mistraliai/mistralai-azure v1.7.3
These packages are used for direct cloud deployments, and should be considered compromised as part of the ongoing Mini Shai-Hulud supply-chain campaign.
Until the situation is resolved, we recommend treating all recent mistralai releases with caution and reviewing any CI/CD systems where these versions may have been installed.
THOR APT Scanner already provides coverage for the currently known Shai Hulud–infected Mistral AI NPM and PyPI artifacts.
related:
wiz.io/blog/mini-shai-hulud-…
github.com/mistralai/client-…
Jonathan Peters retweeted
One more heads-up on the DAEMON Tools supply chain incident: Besides the YARA rules and IoCs, my teammate Swachchhanda also contributed Sigma rules covering several useful detection points - including DNS lookups to the typosquatted C2 domain, execution of compromised DAEMON Tools binaries by known bad file versions, and stage-drop activity such as envchk.exe download and mcrypto payload execution. A nice addition for defenders who want to hunt for traces in telemetry, not just by matching file hashes. github.com/SigmaHQ/sigma/pul…
Most of you have probably already seen the reports about the DAEMON Tools supply chain compromise
According to Kaspersky, the campaign has been active since April 8 and affected victims in more than 100 countries
On our side, we took the published indicators and turned them into practical detection content
The Nextron Research Team shared YARA rules to detect the trojanized packages, added coverage for free scanners like LOKI, Loki RS and THOR Lite, and already made the coverage available in THOR Cloud Lite so users can scan their systems for traces related to this incident
The signature-base PR is merged, and the rules should also show up in YARA Forge soon
YARA Rules by @MalGamy12 & @cod3nym
github.com/Neo23x0/signature…
YARA Forge
yarahq.github.io/
THOR Cloud (Lite = Free)
nextron-systems.com/thor-clo…
Jonathan Peters retweeted
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100 countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
Jonathan Peters retweeted
We released first detection rules for Copy Fail / CVE-2026-31431.
YARA rules by me: github.com/Neo23x0/signature…
It covers public PoC artifacts, including known payloads, exploit code fragments and URLs seen in shared material. More generic rules for customer environments are still in testing.
Sigma rules by @_swachchhanda_: github.com/SigmaHQ/sigma/pul…
They cover suspicious Copy Fail-related exploitation patterns, including setuid binary execution behavior and NULL argv shell execution.
More updates soon.
You probably already heard about Copy Fail - the Linux LPE that affects basically every current distro and shared-kernel/container environment
I’ll post a few updates here soon
copy.fail/
Jonathan Peters retweeted
Low-detection macOS malware used in job / interview-themed phishing.
We recently observed a submitted DMG with only 3 / 62 detections on VirusTotal at the time of analysis:
WebEx.dmg
SHA256: 5fc61384dd6f15e6bb510e0421000c1301a40d7acf05cedbeb6bc789c0a99d00
THOR APT Scanner detected it with: MAL_MACOS_Phishing_Dropper_Feb26
The sample fits a pattern that has become very common in the last months:
- fake job or interview flows
- fake Zoom / WebEx meeting links
- “audio problem” or “meeting component required” lures
- macOS DMGs or scripts pushed as required fixes
- user-level execution instead of exploits
- follow-up payloads focused on credentials, tokens, browser sessions and developer data
This tradecraft has been described in recent public reporting around North Korea-linked activity, including fake Zoom meeting flows and macOS backdoors. A separate public incident write-up also described a fake WebEx interview flow that ended with a malicious macOS DMG.
We are not making an attribution claim for this specific sample based on a filename and lure alone.
But the detection point is the same: these attacks do not need a 0-day or kernel exploit. A plausible meeting flow, a convincing DMG and one bad Terminal step can be enough.
That is why detection needs to cover the boring parts too:
- suspicious DMG contents
- phishing-style dropper behavior
- LaunchAgent persistence
- osascript / JXA abuse
- staged payload retrieval
- fake meeting-tool infrastructure patterns
References:
thehackernews.com/2025/06/bl…
linkedin.com/pulse/real-maco…
Jonathan Peters retweeted
Interesting PAM backdoor pattern worth dissecting
The sample was found inside a ZIP archive that contained multiple older variants, patch files and build scripts
The ZIP parent was first submitted to VirusTotal on 2020-11-29 (!)
Bundled ELF variants:
23315bfc9baf3f732c5801ae229cf9da86f35c22d4e23ed01a6e8f6d36aa6960 - d00mer-1.1.8.so
3d763ccbeafcd7154529b82214dfd7800b12dfff36930078ff36cce0c7034573 - d00mer-1.2.0.so
90e2643e5174feb3030c88cfa1200e2623ad5c4f564a148d878c7be1f270b15b - d00mer-1.2.1.so
6ee22f4d81ab1b7f90c2caacfdd709132abc8ea06bcb54f40c7b26f4254da6ea - d00mer-1.3.0.so
68af3e8a70cbb84ea4632df5675e52a193db88a2f6eee5a69dc49ad30c742f46 - d00mer-1.3.1.so
8d1e5cbf207a812711933e99b7b8e13c596e1e35813b8ed689196982faff71b9 - d00mer-1.3.1.so
We also got the patch source code, which makes this one more useful to understand.
The backdoor does not use a static hardcoded password. Instead, it accepts a time-based value.
The patch calls ctime() and then compares only the first 10 characters:
strncmp(p, cts, 10)
So the “password” effectively becomes the current day string, for example:
Mon Apr 27
If the supplied password does not match that value, normal PAM password verification continues. If it does match, the module returns PAM_SUCCESS.
Because PAM sits directly on the authentication boundary, the impact is system-wide: SSH, sudo, login and anything else using PAM.
The actual patch is only a few lines added to pam_unix_auth.c. Enough to bypass authentication through the patched PAM module.
This ZIP has been around since 2020. The bundled ELF variants still have no AV detections today.
Detected by our rule: MAL_LNX_PAM_Backdoor_Aug25
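As an added illustration (not the sample's patch and not Nextron's rule), the C harness below reproduces the comparison the post describes, so a defender building a test case can see exactly which strings the patched module would accept at a given time, including the space-padded single-digit day that ctime() produces. The function names and the two epoch timestamps are constructed for this example; gmtime() stands in for the localtime() inside ctime() so the output is reproducible.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* ctime() returns "Www Mmm dd hh:mm:ss yyyy\n", so the first 10 bytes are
 * weekday, month and a SPACE-padded day of month ("Mon Apr 27", "Tue Apr  7").
 * gmtime() replaces the localtime() inside ctime() so results are reproducible;
 * the real module's accepted value follows the host's local time zone. */
void day_prefix(time_t t, char out[11])
{
    const char *s = asctime(gmtime(&t)); /* same text as ctime(), fixed English names */
    memcpy(out, s, 10);
    out[10] = '\0';
}

/* Mirror of the described strncmp(p, cts, 10) check, isolated so it can be
 * tested: returns 1 when `candidate` would have been accepted at time t.
 * Only the first 10 bytes are compared, so any longer string that starts
 * with the day string passes as well. */
int prefix_check(const char *candidate, time_t t)
{
    char cts[11];
    day_prefix(t, cts);
    return strncmp(candidate, cts, 10) == 0;
}

/* Helper for tests: 1 if the prefix at time t equals `expect`. */
int day_prefix_equals(time_t t, const char *expect)
{
    char buf[11];
    day_prefix(t, buf);
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed timestamps: 2026-04-27 and 2026-04-07, both 00:00 UTC. */
    time_t apr27 = (time_t)1777248000, apr7 = (time_t)1775520000;
    char buf[11];
    day_prefix(apr27, buf);
    printf("accepted value on 2026-04-27: \"%s\"\n", buf);
    day_prefix(apr7, buf);
    printf("accepted value on 2026-04-07: \"%s\" (note the padding)\n", buf);
    printf("\"Tue Apr 7\" -> %d, \"Tue Apr  7\" -> %d, \"Tue Apr  7 extra\" -> %d\n",
           prefix_check("Tue Apr 7", apr7), prefix_check("Tue Apr  7", apr7),
           prefix_check("Tue Apr  7 extra", apr7));
    return 0;
}
```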
I wrote some of the rules that caught this #PhantomCLR campaign. They are not campaign-specific, they focus on common techniques used by a wide range of threat actors. If you are interested in how defenders can take advantage of code reuse to build better detections, and just how much code is shared across actors, I will be speaking at #Area41 in Zürich this June. I will be looking into code reuse across the .NET malware ecosystem and show some practical detection approaches. This will be my first public talk :) You can check out the conference here: area41.io/
#PhantomCLR shows again why generic detections matter in modern attacks. By targeting commonly reused functionality across different threat actors, we can detect and cover new variants from day one. In this case, the sample was already covered by multiple of our generic rules targeting: encryption routines, dynamic function resolving, shellcode allocation, and typical obfuscation indicators. Two of these rules are more than three years old and still provided coverage for this and similar variants before they were even observed publicly.
Jonathan Peters retweeted
After Microsoft fixed BlueHammer, another Windows Defender privesc showed up: RedSun.
What makes this one interesting is that it’s not a classic memory corruption or logic bug. It looks more like Defender doing something… unexpected.
When Defender flags a file as malicious and it has a cloud verdict attached, it can end up writing that file back to its original location instead of removing it. If you can control that file and trigger the right behavior, you basically get Defender to write data for you with its elevated privileges.
The RedSun PoC shows that this can be abused to overwrite system files and escalate privileges to SYSTEM.
We took a closer look at the exploit and built detections.
We’re publishing:
- Sigma rules covering different stages of the chain
- a YARA rule for the PoC
All rules are free on GitHub and also included in the free THOR Lite and THOR Lite Cloud scanner.
Sigma rules: github.com/SigmaHQ/sigma/pul… by @swachchhanda
YARA rule: github.com/Neo23x0/signature… by @cod3nym
Jonathan Peters retweeted
The CertGraveyard was created in 2025, but never received a proper introduction. We track abused code-signing certificates. When I created the site, we had 600 entries and now we have 2,250. See the blogpost below for a full overview. 1/3
Jonathan Peters retweeted
We saw NovaViewer being signed with a new EV certificate "Xiamen Duohanbeiwei Network Co., Ltd". This certificate was reported and revoked before the certificate was used in a BumbleBee campaign. 6d6a861c133ff3e1aa09c8744de52413 Special thanks to @luke92881 and @g0njxa 1/4
Jonathan Peters retweeted
AIX is still running critical workloads - but it often sits outside the default endpoint coverage model
- THOR runs natively on IBM AIX
- actively built and tested on AIX 7.2 / 7.3
- scans for signs of compromise
- works as a gap-closer next to AV/EDR
nextron-systems.com/2026/03/…
Jonathan Peters retweeted
RegPhantom, a signed Windows kernel rootkit that turns the registry into a covert execution channel.
Gives unprivileged usermode the ability to reflectively load an arbitrary PE into kernel memory, invisible to PsLoadedModuleList and standard driver enumeration tools.
The implant includes several stealth techniques:
- Post-execution memory wipe
- XOR-encoded hook pointers in-memory obfuscation
- Valid code-signing certificates
- CFG obfuscation with opaque predicates
- 28 samples tracked (June–August 2025), signed with certificates from two Chinese companies.
We're releasing:
- Full technical writeup
- Extensive deobfuscation scripts
- YARA detection rule
Full analysis: nextron-systems.com/2026/03/…
#MalwareAnalysis #Rootkit #ThreatIntel #DFIR #Windows #KernelDriver
Jonathan Peters retweeted
If you haven't already, check out @washi_dev's recent writeup on .NET misconceptions, he absolutely knows his stuff.
And my honest advice? Please stop publishing YARA rules that don't work. You are not helping, you are teaching people to write BAD detections.
blog.washi.dev/posts/misconc…
Jonathan Peters retweeted
Over the past couple of years, I have come to know the #dotnet platform pretty well, from a developer's and a #reversing standpoint. I can’t always say the same about the #infosec community.
Today, I decided to rant a little (or maybe a lot 🙃) 👉 blog.washi.dev/posts/misconc…
Jonathan Peters retweeted
#NPM package author a_awerin started last Friday with simple, grounded JavaScript functions like capitalize(str). But after the weekend, things changed - the package now includes malicious code.
For example: hxxps://x-ya[.]ru/FvXnR/msinit
npmjs.com/package/ambar-src
Jonathan Peters retweeted
de33c45b2621ae5e6a86ef405932a9f5 1 detection @nextronresearch www[.]licc[.]ca/58js/ www[.]54820268[.]xyz/k5v5/ www[.]xiyusourcing[.]com/t4ya/ www[.]itgenius[.]site/mzaf/ www[.]taxattorneyreno[.]com/zqvd/ #Formbook @ShadowOpCode @cod3nym
An LLM generated malware loader, with basic obfuscation and some well known LOLBIN execution technique. Still sits at only 1 detection on VT. We got it covered with multiple generic and technique specific rules. virustotal.com/gui/file/b3d9…
Our artifact scanner flagged what appears to be an LLM generated malware loader hosted on Gist.
The PowerShell script targets MSBuild.exe, using crafted project files to load additional .NET payloads. It includes extensive debug messages and comments, typical indicators of LLM generated code.
☝️ While not highly sophisticated, this highlights how threat actors are leveraging LLMs for malware development.
Sample: virustotal.com/gui/file/b3d9…
Original source: hxxps[://]gist[.]githubusercontent[.]com/kaporaliven/157347814587c26ae241385ea0d1302a/raw/72287b1c62e6b794622df9927fc19b5ddb658ff0/Poid_loader01[.]ps1