ExecuteMalware retweeted
Happy to announce my latest piece of research just dropped with #CENSYS_ARC @censysio ! censys.com/blog/following-a-… 🧵 👇👇👇
ExecuteMalware retweeted
#XWorm #AdaptixC2 #ScreenConnect I have been working with @malbeacon and the deception.pro platform. Here's a write up of a recent deception operation👇 blog.deception.pro/blog/xwor…
ExecuteMalware retweeted
June 19, 3pm at @reconmtl: VMProtect, anti-cheats, DRM — how much of today's obfuscation survives agentic reverse engineering? Find out in our talk with @nicolodev: "Deobfuscation in the Age of Agentic Reverse Engineering" cfp.recon.cx/recon-2026/talk…
ExecuteMalware retweeted
🚀 Introducing SO-CRATES 1.0 — Security Onion Containerized Rapid Analysis of Threats, Evil, and Sus! SO-CRATES is a single container image for analyzing pcap files, log files, and binary files. It was formerly known as OhMyPCAP.
Here's what you can do with SO-CRATES:
✅ analyze pcap files and then review Suricata alerts, metadata, and extracted files
✅ import log files and then review Sigma alerts and the original log entries
✅ import binary files and then review YARA matches and file metadata
All of this runs in a single Docker/Podman container — perfect for air-gapped environments, malware analysis, incident response, threat hunting, forensics & teaching.
Who's trying it out? Drop a ❤️ and reply with your main use case!
#DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma @Suricata_IDS @lennyzeltser @chrissanders88 @sansforensics @TomLawrenceTech
ExecuteMalware retweeted
Phishing activity in the past 7 days 🐟 Track latest #phishing threats in TI Lookup: intelligence.any.run/analysi… #TopPhishingThreats
ExecuteMalware retweeted
⚠️ Remote access malware remained resilient despite broader declines. #AsyncRAT continued to grow and #Remcos rebounded, while most other major families trended downward. 📌 Trend to watch: when fewer families account for a larger share of activity, defenders can miss the signal by focusing on overall volume alone. Concentrated campaigns often create repeated exposure to the same attack paths, increasing the likelihood of successful compromise. Expand threat visibility in your SOC: any.run/enterprise/?utm_sour… #Top10Malware
ExecuteMalware retweeted
I’m hiring a sr principal threat researcher. When big things happen on the internet, you’ll lead the threat research to hunt across our vast telemetry & write the threat briefs. Senior role w/ strong comms & collab experience. jobs.paloaltonetworks.com/en…
ExecuteMalware retweeted
From #clickfix to #stealc app.any.run/tasks/9cd9a0f0-b… c2: https://pas.canamrent\.com/ cc @k3dg3
ExecuteMalware retweeted
The whole chain barely touches disk. HTML → JScript → PowerShell → .NET loader → RAT, nearly all in memory. Full writeup and IOCs from @RussianPanda9xx and Adam Mooney. okt.to/R5z6Zx
ExecuteMalware retweeted
.@_hwangstice did a detailed writeup on how the equation editor exploit CVE-2017-11882 works. hwangstice.github.io/blog/rt…
ExecuteMalware retweeted
Lookalike Ghidra, dnSpy, and other download sites turned trusted clicks into TDS redirects. CPR found click hijacking, gated routing, and multiple malware families downstream — including an evasive, previously undocumented framework we call SessionGate. research.checkpoint.com/2026…
ExecuteMalware retweeted
10FX #Backdoor
Infection Chain: Rust dropper → signed Apple binary (DLL sideloading) → BYOVD kernel callback wipe → reflective C2 agent
Capabilities: shell / keylogger / HVNC / screenshot / SOCKS5 / Telegram tdata theft / crypto-clipper / 57 plugin commands
4 persistence methods:
• Run Key (NetPerformanceLog)
• COM hijack (ShellIconOverlayIdentifiers InprocServer32)
• WMI subscription (Win32_LogonSession trigger)
• Scheduled Task (AppTask\SyncHost)
Self-repair module restores all four if removed.
IOCs: 121.127.254[.]78:8080 (CTG Server Ltd, HK, AS152194)
TCP marker: "10FX" (0x58463031) at offset 0
SBX links: tria.ge/260502-hlmzhsat21/ app.any.run/tasks/901d99b9-2…
#MalwareAnalysis #DFIR #ThreatIntel #Backdoor #Rust
ExecuteMalware retweeted
If you've ever wanted to understand how debuggers work under the hood with a deep dive, this blog series is for you. "Writing a Debugger From Scratch" by @timmisiak - 8 parts covering everything from attaching to a process all the way to source and symbols.
How C debuggers work? by Sy Brand youtu.be/UiW24hzLy1M
ExecuteMalware retweeted
#Vidar config extractor by @GenThreatLabs integrated into CAPE 🦾🙏 V1.9 fresh from Malware Bazaar by @abuse_ch bazaar.abuse.ch/sample/a3d34… capesandbox.com/analysis/688…
As we're observing active development of #Vidar, we're releasing a config extractor for the newest Vidar builds, together with an #IDA string decryption script. Vidar has been actively developed in recent months, changing its versioning from 18.7 back to 1.0, with the latest builds now at 1.8. But the versioning was not the only thing that changed. Starting from version 1.5, Vidar was reworked, including a new string encryption mechanism, config protection, and additional anti-sandbox checks. The released config extractor and string decryption script support versions 1.5 and later, as this is where a major rework was done. Previously, each string had its own single-byte XOR key. In versions 1.5 and later, each string is encrypted with a custom ChaCha-based stream cipher, using a per-string 44-byte key blob and a final single-byte XOR. As for config protection, earlier versions used a custom polyalphabetic substitution over a permuted alphabet with a position-dependent offset, whereas the new versions use a plain 16-byte repeating-key XOR, with the key stored right next to the encrypted blob. Apart from the XOR-encrypted config, Vidar also features a fallback config, which is resolved separately within the encrypted strings.
Vidar configuration extractor ↓ github.com/gendigitalinc/ioc…
Vidar IDA string decryption script ↓ github.com/gendigitalinc/ioc…
#malware #infostealer #extractor
ExecuteMalware retweeted
Join us at 2PM EST today for a live stream with Xusheng Li from @vector35 to go over new Time Travel Debugging functionality in Binary Ninja! twitch.tv/InvokeReversing