Happy to help with this. This is exactly the kind of defender-focused technical analysis that belongs in a graduate network defense course. Modern EDR Evasion Techniques: A Defender's Technical Analysis 1. How EDR Hooking Works (The Foundation) Before analyzing evasion, you need to understand what's being evaded. EDR products (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) primarily operate by injecting a DLL into every user-mode process at launch. That DLL hooks Windows Native API functions in ntdll.dll by overwriting the first few bytes of sensitive functions with a jump instruction redirecting execution to the EDR's inspection engine. When your process calls NtCreateThread, the EDR sees it first, inspects arguments, and decides whether to allow, alert, or block. The hook sits at the boundary between user-mode and the kernel. The kernel itself is protected by Kernel Patch Protection (KPP/PatchGuard) on 64-bit Windows, so EDRs cannot hook there — this boundary is precisely where attackers focus. 2. Technique 1 — Direct Syscalls MITRE ATT&CK: T1106 (Native API), T1562.001 (Impair Defenses: Disable or Modify Tools) Concept: Every Windows Native API function in ntdll.dll is a thin wrapper. Its entire job is to load a syscall number (SSN) into a register and execute the syscall instruction, transitioning to kernel mode. The EDR hook sits before that syscall instruction in user space. If an attacker invokes the syscall instruction directly — bypassing the ntdll wrapper entirely — the EDR's hook is never reached. Normal call path: Process → NtCreateThread (hooked by EDR) → EDR inspection → syscall → kernel Direct syscall path: Process → attacker's stub (syscall instruction) → kernel [EDR never sees it] High-level pseudocode (illustrative only): # Conceptual — not functional exploit code function get_syscall_number(function_name): # Parse ntdll.dll's export table from disk (unhooked copy) # The on-disk version has not been modified by the EDR ntdll_on_disk = read_file("C:\\Windows\\System32\\ntdll.dll") export = find_export(ntdll_on_disk, function_name) # Syscall number is in the MOV EAX instruction at offset 4 ssn = read_bytes(export.offset 4, length=1) return ssn function invoke_direct_syscall(ssn, arguments): # Place SSN in EAX, execute syscall instruction # This is the entire hook bypass — no ntdll wrapper involved asm_stub = build_stub(ssn) return execute_stub(asm_stub, arguments) Variants covered in public research: •Hell's Gate (2020, am0nsec/smelly__vx): Reads SSN dynamically from in-memory ntdll at runtime •Halo's Gate: Handles the case where ntdll itself is hooked by scanning neighboring functions for the SSN •Tartarus' Gate: Handles additional hook variants by scanning upward and downward •SysWhispers2/3 (jthuraisamy): Compile-time syscall stub generation, widely analyzed in academic and vendor research Detection methods: The syscall instruction is supposed to originate only from within ntdll.dll. A syscall originating from any other memory region is anomalous. •Stack origin analysis: At the moment of a syscall, the return address on the stack should point into ntdll. If it points to an anonymous memory region or a different module, that is a strong signal. •ETW (Event Tracing for Windows): Microsoft-Windows-Threat-Intelligence ETW provider fires on kernel callbacks regardless of user-mode hooks. This is why modern EDRs increasingly rely on kernel ETW rather than only user-mode hooks. •Hardware breakpoints / Intel PT: Processor Trace can reconstruct execution flow and detect syscall instructions outside ntdll. 3. Technique 2 — Unhooking MITRE ATT&CK: T1562.001, T1055 Concept: Rather than bypassing hooks, an attacker restores the original (unhooked) ntdll bytes, removing the EDR's visibility entirely. The clean copy comes from disk, a known-good process, or the KnownDlls section. Unhooking steps (conceptual): 1. Identify hooked function: - Read first bytes of NtCreateThread in memory - If bytes are E9 xx xx xx xx (JMP), function is hooked 2. Obtain clean bytes: Option A: Read ntdll.dll from disk Option B: Map a fresh copy from \KnownDlls\ntdll.dll Option C: Read from a trusted process (e.g., explorer.exe) 3. Restore: - Change memory protection on hooked region (VirtualProtect) - Overwrite hooked bytes with clean bytes - Restore original memory protection Detection methods: •Module stomping detection: EDRs can hash their own hook bytes periodically and alert if they change. Some EDRs re-hook on a timer precisely because of this attack. •Handle-based detection: Opening a handle to ntdll.dll on disk is observable. Mapping a PE file that matches ntdll's characteristics is a behavioral signal. •KnownDlls access auditing: Access to \KnownDlls\ntdll.dll via NtOpenSection is logged and monitored by advanced EDRs. •Self-integrity monitoring: EDRs that store their hook bytes in a protected (guard page) region will trigger an exception if overwritten. 4. Technique 3 — Process Injection Variants MITRE ATT&CK: T1055 and subtechniques (T1055.001 through T1055.015) Process injection moves malicious code into a trusted, allowlisted process to inherit its reputation. Several variants are documented in public research and vendor reports. 4a. Classic Remote Thread Injection Conceptual steps: 1. OpenProcess(target_pid) → handle to victim process 2. VirtualAllocEx(handle, size) → allocate memory in victim 3. WriteProcessMemory(handle, code) → write payload to allocation 4. CreateRemoteThread(handle, addr) → execute payload in victim context Every step above involves an NT API call the EDR can hook. This is well-detected by modern EDRs. 4b. Process Hollowing Conceptual steps: 1. CreateProcess(legitimate_binary, SUSPENDED) 2. NtUnmapViewOfSection → remove legitimate image from memory 3. VirtualAllocEx → allocate space at preferred base 4. WriteProcessMemory → write malicious PE 5. SetThreadContext → redirect entry point 6. ResumeThread → execute The PE header in memory no longer matches what is on disk — a detectable anomaly. 4c. Module Stomping / Overloading A refinement: instead of writing to anonymous memory (which is suspicious), the attacker writes into a legitimately loaded DLL's backing memory. The code now appears to originate from a signed module. 4d. Process Ghosting / Doppelgänging These techniques (documented at Black Hat 2017, DEF CON 2021) abuse Windows transactional NTFS or file delete-pending state to execute a file that antivirus cannot scan because it does not exist on disk in a readable state when execution begins. Detection methods: •Image load anomalies: PE header in memory not matching the on-disk file (hash mismatch) is flagged by tools like Process Hacker and EDR memory scanning. •Thread start address analysis: Threads starting in non-image-backed memory (MEM_PRIVATE rather than MEM_IMAGE) are suspicious. Microsoft's PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY can enforce this. •Cross-process handle auditing: OpenProcess with PROCESS_VM_WRITE access from an unusual parent process is a high-fidelity signal. •ETW-TI (Threat Intelligence): Kernel callbacks (PsSetCreateThreadNotifyRoutine, etc.) fire on thread creation regardless of user-mode hook state. 5. Communication Channel Evasion MITRE ATT&CK: T1071 (Application Layer Protocol), T1573 (Encrypted Channel), T1008 (Fallback Channels) Modern C2 frameworks (Cobalt Strike, Brute Ratel, Sliver — all publicly documented and available for research) use several techniques to blend traffic: Domain fronting: C2 traffic appears destined for a legitimate CDN (Cloudflare, Azure CDN) at the TLS SNI layer, while the HTTP Host header routes to the attacker's server. CDN providers have largely closed this, but the concept persists. Protocol blending: Traffic structured to match legitimate application protocols — HTTPS with realistic headers, DNS TXT record polling, Microsoft Graph API abuse. Detection requires protocol-aware inspection, not just port-based filtering. Jitter and sleep: Beacon intervals with randomized sleep times to avoid periodic callback detection via NetFlow analysis. Detection methods: •JA3/JA3S fingerprinting: TLS client hello parameters create a fingerprint. Known C2 frameworks have documented JA3 hashes. •Beaconing detection: Statistical analysis of connection timing (low variance in interval = beaconing). Tools: Zeek RITA (Real Intelligence Threat Analytics), open source. •Certificate transparency monitoring: Attacker infrastructure registered shortly before use, with certificates from free CAs, is a risk signal. •DNS analytics: High-entropy subdomains, consistent TTLs, low query volume to new domains — all detectable with baseline analytics. 6. MITRE ATT&CK Summary Table TechniqueATT&CK IDDetection Data Source Direct SyscallsT1106, T1562.001ETW-TI, stack tracing UnhookingT1562.001Module integrity monitoring Remote thread injectionT1055.001API call monitoring, handle auditing Process hollowingT1055.012Memory image scanning Module stompingT1055.008PE header anomaly detection Encrypted C2T1573JA3, certificate analysis Protocol blendingT1071DPI, behavioral baselines BeaconingT1071NetFlow, RITA 7. Recommended Sources for Your Paper All of the above is derived from public, citable research: •"Hell's Gate" — am0nsec, smelly__vx (2020) — VX Underground •SysWhispers2 — jthuraisamy, GitHub (peer-reviewed at multiple security conferences) •"Evading EDR" — Matt Hand, No Starch Press (2023) — the canonical academic text on this subject •MITRE ATT&CK — attack.mitre.org — citable, maintained •"The Art of Memory Forensics" — Ligh et al., Wiley (2014) •Microsoft Security Blog — detailed write-ups on many of these techniques from the defender side •Black Hat / DEF CON proceedings — Process Doppelgänging (2017), Process Ghosting (2021) •RITA — activecountermeasures.com/fr… — open source beaconing detection These give you primary sources for every claim above and keep your paper grounded in published, peer-reviewed or conference-reviewed work rather than unpublished exploit code.

#threatreport #MediumCompleteness From Phishing Email to Process Injection: Inside a Multi-Stage Agent Tesla Infection Chain | 09-06-2026 Source: pointwild.com/threat-intelli… Key details below ↓ 💀Threats: Process_injection_technique, Agent_tesla, Process_hollowing_technique, Native_loader, Credential_harvesting_technique, Credential_dumping_technique, Spear-phishing_technique, Amsi_bypass_technique, Lolbin_technique, 🎯Victims: Windows users 🏭Industry: Financial 📚TTPs: ⚔️Tactics: 11 🛠️Technics: 26 🧨IOCs: - File: 23 - Hash: 1 - Email: 2 💽Software: Chromium, Internet Explorer, Microsoft Edge, Chrome, Opera, Vivaldi, Firefox, Pale Moon, SeaMonkey, Waterfox, ... 🔢Algorithms: xor, md5, base64 🔠Functions: FromBase64String, GetWindowText, Grab, BXX 🗂️Win API: CreateRemoteThread, VirtualAlloc, NET, GetForegroundWindow, GetKeyboardState, OpenProcess, VirtualAllocEx, WriteProcessMemory 📜Programming Languages: powershell, autoit, python, javascript #threatreport: The article delves into a sophisticated malware infection chain tied to the Agent Tesla infostealer, initiated through a seemingly innocuous phishing email containing a heavily obfuscated Batch script. The infection process is multi-staged, progressing from initial access via the malicious attachment to full system compromise while employing a range of evasion techniques to remain undetected. Upon opening the attachment, a Batch script executes a PowerShell command that serves as a cradle for downloading further malicious payloads directly into memory, minimizing the risk of detection by not leaving traditional disk artifacts. This includes the execution of an in-memory shellcode loader that decodes and runs more malicious code, employing techniques such as Base64 encoding and XOR decryption to obscure its true intent. The malware establishes persistence on the victim's system by leaving residual components in the temporary directory and creating a startup script, ensuring continued execution even after a reboot. A significant aspect of the attack includes the use of an AutoIt-based script as an injection loader. This loader injects the Agent Tesla payload into a legitimate Windows process, specifically charmap.exe, utilizing remote memory allocation and process creation techniques often associated with process hollowing. Once operational, the malware engages in extensive data theft activities, including capturing browser credentials, keystrokes, and screenshots, which are then exfiltrated via SMTP communication disguised as regular email traffic. The analysis reveals the malware's sophisticated structure, designed to act stealthily and persistently. It performs system fingerprinting to gather detailed information about the compromised machine. Specific functionalities target various web browsers for credential extraction, including both Chromium and Mozilla-based browsers, and it gathers sensitive data from the Windows Credential Vault. The keylogger component further emphasizes its capability for detailed user activity monitoring. Significantly, the malware incorporates anti-analysis measures such as checks for debugging, sandbox environments, and virtual machines, enhancing its ability to evade detection during analysis. The implementation of multiple layers of obfuscation and its reliance on fileless execution signify modern infostealer tactics that blend covert operations into legitimate system activities. Detection strategies discussed in the article emphasize the necessity for proactive monitoring of PowerShell execution patterns, AutoIt usage, email attachment security, and recognizing child process anomalies. The case underscores the evolution of infostealer attacks into comprehensive execution frameworks designed to maximize stealth, persistence, and efficacy in credential theft and data exfiltration, highlighting the growing sophistication of cyber threats.

#threatreport #MediumCompleteness A living fossil, or how the ProxyCB botnet survived | 11-06-2026 Source: rt-solar.ru/solar-4rays/blog… Key details below ↓ 💀Threats: Proxycb, Virut, Teamspy, Ponystealer, Nssm_tool, Teamviewer_tool, 🎯Victims: Russian online services, Email platforms, Marketplaces, Social networks, Telecom services, Gaming services, Russian federation 🏭Industry: Financial, E-commerce, Entertainment, Telco 🌐Geo: Russian federation, Russian 🤖LLM extracted TTPs:` T1027, T1036, T1036.004, T1036.005, T1055, T1059.007, T1090, T1105, T1204.002, T1218.011, ... 🧨IOCs: - IP: 1 - Domain: 20 - File: 11 - Hash: 75 💽Software: Telegram, VKontakte, Node.js, winlogon, uTorrent 🔢Algorithms: zip, sha1, sha256, md5 🔠Functions: GetConfig, SetConfig 🗂️Win API: CreateRemoteThread 📜Programming Languages: jscript 💻Platforms: x86 #threatreport: The ProxyCB botnet represents a sophisticated cyber threat leveraging a complex architecture designed to utilize infected hosts as proxies for various nefarious activities. Its infrastructure includes a client bot, control and data channels, a web panel, and operates on a server kernel known as PCBServer 7. A significant characteristic of this botnet is its ability to communicate through established TCP ports (1001 for control and 1002 for operational tasks), and it features an authorization panel accessible via ports 80 and 443. The bot's operation is marked by its ability to generate unique identifiers for infected nodes, maintain persistence through mechanisms that prevent restarts, and facilitate command and control (C2) communications through dedicated threads for control and operational logic. The web interface mainly serves as a shell, concealing the primary control mechanisms which are embedded within the server kernel and employ a proprietary binary protocol. Evidence suggests that the ProxyCB botnet has evolved over time not necessarily in the core technology, but through the methods of packaging and delivery. Initial samples utilized server domains such as gogogobaby12.com, while more recent iterations have transitioned to domains like kilo-torrent.org. Alongside its primary functioning as a proxy bot, the malware has frequently appeared in conjunction with other threats, such as the Virut botnet, wherein Virut employs a sophisticated injection technique targeting system processes to further its payload delivery. Notably, the ProxyCB framework allows for diverse operational modes such as SOCKS4, SOCKS5, and HTTP tunneling, facilitating a robust protocol for data exfiltration and interception. The communication between the proxy nodes and the server is structured around fixed-length messages, indicating a systematic approach to command processing and data handling. This rigid structure allows various commands—including connection authorization and task execution—to be processed efficiently and securely. The malware has also adapted its delivery methods, particularly through the use of installers masquerading as legitimate software like uTorrent, using the Inno Setup tool to obfuscate its installation process. This tactic not only enhances user acceptance but effectively distracts from the actual malicious payload being introduced into the system. Recent incidents indicate a continuous operational presence of ProxyCB, with activities persisting into late January 2025, reflecting a substantial degree of automation and refined mannerism in executing commands that mimic real user behavior, particularly across Russian online services. Analysis of the botnet reveals historical ties with the TeamSpy cyber espionage group, indicating shared infrastructure and possibly overlapping operational objectives. The coordination between ProxyCB and TeamSpy suggests a long-term strategy aimed at developing a robust distribution network, thereby positioning the ProxyCB bot as a tool well suited for exploitation during active cyber campaigns. The structure and functionality of ProxyCB emphasize its maturity as a sophisticated cyber threat, capable of evolving its tactics and evasion techniques in response to security countermeasures.

Process injection techniques: DLL injection, process hollowing, reflective DLL loading, thread hijacking. Blue teamers: monitor for CreateRemoteThread, WriteProcessMemory, and VirtualAllocEx API calls. #ProcessInjection #Detection

Yes, kernel32.dll is loaded at the same address in each process. Might change after reboot. This is by design, so some "tricks" work. Such as calling CreateRemoteThread with startup pointer to LoadLibrary (LoadLibrary is at the same addr in your process as in the target process).

I built a working DLL injector in C from scratch. Same technique used by Emotet, Cobalt Strike, and custom C2 implants to hijack trusted processes like explorer.exe and svchost.exe. Here's the full injection chain explained 👇 OpenProcess → VirtualAllocEx → WriteProcessMemory → GetProcAddress → CreateRemoteThread Understanding how to build the tool is how you learn to detect it. #DLLInjection #MalwareDev #WindowsInternals #RedTeam #ProcessInjection #OffensiveSecurity youtu.be/OlMkj1jMyDI

#threatreport #MediumCompleteness Diamotrix | 03-06-2026 Source: rexorvc0.com/2026/06/03/Diam… Key details below ↓ 💀Threats: Diamotrix, Svcstealer, Lumma_stealer, Rhadamanthys, Stealc, Tiny_loader, Amadey, Redline_stealer, Reflective_dll_injection_technique, Dll_injection_technique, Reflectiveloader, 🎯Victims: Cryptocurrency users, Software users 🏭Industry: Financial 📚TTPs: ⚔️Tactics: 3 🛠️Technics: 0 🤖LLM extracted TTPs:` T1005, T1027.002, T1027.007, T1036, T1041, T1055.001, T1057, T1071.001, T1074.001, T1082, ... 🧨IOCs: - File: 12 💽Software: Telegram 🔢Algorithms: zip 🗂️Win API: SeDebugPrivilege, CopyFileW, CreateToolhelp32Snapshot, Process32First, Process32Next, IsWow64Process, CreateRemoteThread, WriteProcessMemory, LoadLibrary, LoadLibraryA, ... 📜Programming Languages: php 💻Platforms: x64 #threatreport: Diamotrix is a cryptocurrency-focused malware first observed in mid-2024, classified primarily as a Crypto Clipper. Unlike traditional clipper malware, Diamotrix directly replaces cryptocurrency wallet addresses copied to a user’s clipboard with addresses predetermined by the malware. Its deployment often occurs alongside other malware, including stealers like SVCStealer and loaders such as Lumma and Rhadamanthys, sharing infrastructure and execution chains with these programs. This integration categorizes Diamotrix within broader Malware-as-a-Service (MaaS) operations targeting financial fraud and information theft. Typically, the malware is spread through phishing attacks, fake software installers, or cracked applications and usually operates in conjunction with droppers or loaders. Most notably, it often acts as a payload in multi-stage infection chains, initiated by other malware families. The infection process commonly starts with cracks or compromised software, establishing a clear connection between Diamotrix and its initial access vectors, which may include emails, files masquerading as legitimate programs, or links to suspicious websites. Technical analysis indicates that Diamotrix injects itself into the explorer.exe process, initiating an infinite loop that monitors the clipboard for cryptocurrency addresses. If an address is detected, it checks against a predefined database of known cryptocurrencies and replaces it with a malicious address stored in memory. The mechanism for this operation involves reflective DLL injection and includes checks for running processes to ensure it targets the appropriate 64-bit version of explorer.exe. In addition to operational patterns, many samples of Diamotrix exhibit routines for persistence, often by creating registry entries, typically in common Windows locations. There’s a significant focus on privilege escalation, allowing the malware to inject itself and execute its routine undetected, further obscured by mutex creation that prevents reinfection. Interestingly, many of Diamotrix's samples were found to be tailored around two primary functions: wallet address validation and clipboard replacement. The malware employs regular expressions to match and validate cryptocurrency addresses, allowing it to dynamically modify clipboard content before users can paste legitimate wallet addresses in transactions. Diamotrix’s relationship with SVCStealer reflects shared infrastructure and exfiltration methods, often employing the same PHP components for data transmission. Their operational structures are notably intertwined, suggesting that they may be different components of a singular broader attack strategy, wherein shared criminal frameworks are utilized to enhance their respective functionalities. The technical details observed indicate a growing pattern in malware deployment where various malicious entities share infrastructure, making it increasingly challenging for security professionals to identify individualized malware signatures. This modeling exemplifies the collaborative nature of cyber threats today, where threat actors leverage shared access to established systems to maximize exploitation possibilities. Overall, the investigation into Diamotrix reveals an evolving landscape of cyber threats closely monitored by various malware families operating under intersecting frameworks.

merhaba, saat 2:18. themidayı komple kırıp oyunun splash ekranına ulaştım. themidayı nasıl kırdığımı soran arkadaşlar için kapsamlı bir tut yazarım ilerleyen süreçlerde kısaca bahsetmek gerekirse; 1- CREATE_SUSPENDED ile Goley_.exe spawn 2- CreateRemoteThread LoadLibraryA -> goley_patcher.dll (kıran kingo bu) inject 3- VEH installer (vectored exception handler. daha kapsamlı writeup: unknowncheats.me/forum/c-and…) 4- HW BP refresh loop (DR0 register, tüm thread'lere 50ms'de bir refresh. Themida DRx clearing'i counter eder) 5- VEH hit'inde: [esp 0x13] = 1 (input flag rigging) cmp/jne doğal şekilde "taken" olur, validation success path'e tüm side-effect'leriyle gider. 6- Self-disarm: DR0/DR7 clear -> Themida anti-debug GetThreadContext probe'u temiz görür. 7- 68 thread'in DRx'ini sıfırla. bu arada, alttaki korece hata mesajı da oyunun anti cheatinden onun için de stub bypass yapıp oyunun arayüzünü görmeyi planlıyorum artık.

EDRがなぜカーネルドライバを使うのか、その歴史的背景からWindowsドライバの開発、カスタムEDRの実装までを一気通貫で解説したチュートリアル記事です。静的解析の限界からカーネル空間へのアクセスが必要になった経緯、SSDTフックからPatchGuard導入を経てカーネルコールバック機構に移行した流れ、そして実際にカスタムEDR「MyDumbEDR」を組み上げる過程を通じて、EDRの動作原理が一通り学べる構成になっています。 【記事で扱われている内容の整理】 ・WinAPIからNTDLL経由でsyscallに至るまでの呼び出しフローと、SSDT（システムサービスディスパッチテーブル）がsyscall番号とカーネル関数アドレスを対応付ける仕組みの図解付き解説 ・PatchGuard導入以前はSSDTのアドレスを書き換えて自社ドライバへリダイレクトする手法がセキュリティ製品の常套手段だったが、PatchGuardが重要構造の改変を検知しBSoDを発生させるようになり、セキュリティ製品がMicrosoftの提供するカーネルコールバック機構を活用する方向へ移行した経緯の整理 ・カーネルコールバック（PsSetCreateProcessNotifyRoutine、PsSetLoadImageNotifyRoutine、ObRegisterCallbacks等）と、通知ルーチンのポインタを格納するカーネル配列（PspCreateProcessNotifyRoutine等）の構造を解説。攻撃者視点でこの配列を上書きしEDRを無効化する手法にも言及 ・Visual StudioとWDK（Windows Driver Kit）を使ったカーネルドライバの開発環境構築から、DriverEntry関数の実装、デバイスオブジェクト作成、シンボリックリンク登録、アンロードルーチンまでをコード付きで網羅 ・PsSetCreateProcessNotifyRoutineExでプロセス生成通知を受け取り、コマンドライン文字列を照合してCreationStatusにSTATUS_ACCESS_DENIEDを返すことでプロセス起動を拒否する実装例を掲載 ・EDRのユーザー空間コンポーネントとして2種類のエージェントを実装。静的解析エージェントは署名の有無、IAT上のOpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThreadの存在、SeDebugPrivilege文字列の有無を検査。DLLインジェクションエージェントはMinHookライブラリでNtAllocateVirtualMemoryをフッキングし、RWX（読み書き実行）メモリの確保を検知して即座にプロセスを終了させる ・ドライバとエージェント間は名前付きパイプで通信する構成。フッキング後のNtAllocateVirtualMemory先頭命令がjmpに書き換わる様子をディスアセンブリで提示 コードはGitHubで全て公開されており、このEDRをバイパスするCTF形式の演習も用意されています。防御側の検知ロジックとその限界を同時に理解できる構成です。 詳細は以下を参照： blog.whiteflag.io/blog/from-…

Learning key Sysmon Event IDs ✨ • 1 → process creation • 3 → network connection • 7 → image loaded • 8 → CreateRemoteThread • 10 → process access • 11 → file creation • 12 → registry create/delete • 22 → DNS query #CyberSecurity #SOC #BlueTeam

yeah it's a stealer. c2 is aleria-ggs[.]live very extensive capabilities: - browsers: passwords, cookies, history, bookmarks, autofills, credit cards, form history - crypto wallets: Exodus, Electrum, Atomic, Jaxx, Coinomi, Armory, Guarda, Bitcoin-QT, Monero, Trezor Suite, Ledger Live, wallet.dat files, MetaMask, Phantom, TronLink, Binance, Coinbase, Trust, XDEFI, Ronin, ImToken, TokenPocket, Brave Wallet, and ~400 more - messengers: Telegram (tdata directory), Discord tokens, Signal, Elements - gaming: steam (config.vdf, loginusers.vdf, local.vdf — including decrypting stored SSFN tokens),battle•net, Epic Games, GOG Galaxy, Ubisoft (user.dat settings.yml), Origin - ftp/vpn: FileZilla, Total Commander, NordVPN, ProtonVPN, OpenVPN, WinSCP - 2fa: Authy, GAuth, TOTP, AdsPower, Authentiq, Nithra, EOS Authenticator 30 other 2fa apps - system: screenshot capture, process enumeration, registry enumeration, file locking bypass, CreateRemoteThread for injection, and a ton of fingerprinting the stealer is really smart. it manages to bypass Chrome App-Bound Encryption, AMSI, ETW, and WLDP. also has anti-sandbox and anti-vm obviously.

Same actor as our Nutten Tunnel report. 10 days later, completely upgraded arsenal. crest-ind-snake-dublin[.]trycloudflare[.]com → 8 compartmentalized tunnels (was 1) What changed in 10 days: - 1 tunnel → 8 (lure → dropper → stager → payload) - 1 shellcode → 5 Python RATs custom x64 DLL - CreateRemoteThread → Early Bird APC injection (QueueUserAPC) - Python 3.11 downloaded → Python 3.12 bundled - German-only → German UK daily campaigns (UKMar26, UKMar27, UKA01, UKA02) Custom "Kramer" obfuscator on all 5 RATs. XOR key extracted from the DLL: vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4 Same Windows SID in both campaigns — S-1-5-21-3343087317-1842942590-547433828-500 22 samples 6 YARA 10 Suricata on GitHub. Full writeup: intel.breakglass.tech/post/o… h/t @smica83 for both tips

2. The Hijack: Process Injection Malware doesn't like to run as malware.exe because that’s easy to kill. Instead, it finds a process you trust like explorer.exe It uses VirtualAllocEx to carve out a small piece of memory inside that trusted process, then uses WriteProcessMemory to drop its malicious code into that space. Finally, CreateRemoteThread tells the trusted process: "Hey, run this new bit of code for me." Now, your computer thinks your file explorer is just doing its job, while it’s actually running a backdoor in the background.

Stop just analyzing malware. Start understanding how it’s built. At RTV Overflow, Royce Yaezenko delivers a beginner-friendly walkthrough of creating a Windows 11 process-injection loader in C. From VirtualAllocEx and WriteProcessMemory to CreateRemoteThread and basic obfuscation, this session breaks down the fundamentals step by step. Build it. Test it. Understand it. 🗓 Feb 21, 2026 ⏰ 3:00 PM Watch live: youtube.com/live/r6rZ1QggZSo

По проханням, продовжую опис того як працює драйвер @ASUS, мені стало цікаво, чи такий вже сильний «захист», та виправлення помилок. Як людина яка займається розробкою драйверів, відразу скажу – робити так як вони не можна! Передавати у режим користувача керування над системними процесами (залізом) це найгірше, що може статись. У чому тут помилка: додаток режиму Ring3 може впасти, може змінитись, його можна пошкодити, система не гарантує його безпеку. Зазвичай роблять в драйвері Ring0 реалізацію «вимкни світлодіод», а у режим Ring3 надають інтерфейс – увімкнути/вимкнути. Драйвер має змогу перевірити, що наданий буфер безпечний та резидентний у пам’яті, додаток Ring3 такої можливості не має. Продивившись API я не помітив жодних перевірок коректності даних, які приходять у драйвер, отже, можна записати будь яку маячню, чим зруйнувати стабільність системи, або вкрасти данні. Що робить @ASUS? Ну звісно, вони хотіли вирішити питання малою кров’ю, щоб ніхто ніхто злий !!! не спілкувався з їх драйвером. І як це вони роблять: ну по-перше, у драйвер забита константа хешу SHA256 якою хешують .exe файл AsusCertService, під час відкриття драйверу, йде перевірка цього хешу на основі чого приймають рішення про допуск до відкриття. Друге - цих сервісів може бути декілька, вони записуються у табличку і за ними слідкує системна нотифікація руйнування процесу. Напевно мали проблеми з декількома сессіями, чи падіннями цих сервісів. Тепер дивимось потенційні вразливості такого підходу: 1. Підміна в AsusCertService – пишемо DLL яку використовує цей сервіс, підкладаємо поспіль, він її підтягує – тепер ми можемо відкрити драйвер. 2. Інжект коду, ну це старе і зрозуміле – CreateRemoteThread. Але не забуваємо що це сервіс з системними повноваженнями, потрібен повний адмін. 3. PID спуфінг – що заважає нам сидіти і вгадувати цей PID який вже є у таблиці зареєстрованих? 4. Підробка SHA256. Це можна зробити і в принципі не складно, він брутфорситься. Отже, можна створити EXE файл з таким самим хешом. Увага! Це не є повноцінним підписом файлу, бо підписи бінарних файлів працюють дещо складніше: якщо коротко, то оцей хеш зверху вкритий асинхронним ключем RSA, тобто він не зберігається у відкритому вигляді, так само його важко змінити без пошкодження, бо ми не знаємо приватний ключ підписанта. Ну і те що пореверсив. Перший скрін, це обробник IRP_MJ_CREATE (відкриття драйверу), другий – сама перевірка хешу та порівняння з константним (внутрощі функції AsusCertServiceCheck).

#threatreport #HighCompleteness Weaponized WinRAR Exploitation and Stealth Deployment of Fileless .NET RAT | 23-01-2026 Source: cyfirma.com/research/weaponi… Key details below ↓ 💀Threats: Motw_bypass_technique, Process_injection_technique, Donut, Quasar_rat, Lolbin_technique, 🎯Victims: Windows users 🏭Industry: Healthcare 🔓CVEs: CVE-2025-8088 \[[Vulners](vulners.com/cve/CVE-2025-808…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: True Soft: - rarlab winrar (<7.13) 📚TTPs: ⚔️Tactics: 9 🛠️Technics: 17 🧨IOCs: - File: 8 - IP: 2 - Path: 2 - Command: 1 - Hash: 4 💽Software: Windows security 🔢Algorithms: base64, xor, sha256 🗂️Win API: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread 📜Programming Languages: powershell 💻Platforms: x86, amd64 YARA: Found #threatreport: The report from CYFIRMA details a sophisticated malware campaign that leverages the WinRAR path validation vulnerability (CVE-2025-8088) to achieve stealthy, persistent remote access on Windows systems without the need for elevated privileges or exploit kits. The attackers create a weaponized RAR archive disguised as a legitimate OSINT tool package, which when extracted, allows for the placement of malicious scripts into auto-execution directories. Exploitation of CVE-2025-8088 enables the malicious archive to write files outside the intended extraction directory, effectively bypassing security measures. The primary technique involves embedding encoded relative path traversal sequences within the archive that ultimately target the Windows Startup directory. Once extracted, a malicious Batch script is activated, which establishes persistence through multiple mechanisms, including registry modifications and hidden directories intended to evade detection. Following initial access and script execution, the batch file triggers a PowerShell loader. This loader employs ExecutionPolicy Bypass to execute an obfuscated PowerShell script that decrypts Donut-generated shellcode, subsequently injecting it into trusted Windows processes, such as explorer.exe. This allows the payload to run entirely in memory, minimizing the attack's footprint and facilitating evasion of traditional file-based defenses. The final payload, identified as Quasar RAT, enables full remote access capabilities, including command execution, file manipulation, keylogging, and system monitoring. The campaign illustrates a trend among threat actors to exploit trusted software vulnerabilities and common user practices for initial access and persistence, thereby avoiding conventional detection barriers associated with malicious software.

Non è una vulnerabilità: sono tecniche vecchie e iper‑monitorate, spesso bloccate da Defender ed EDR moderni. Patchare ntdll in memoria non è persistente, AMSI/ETW non sono un interruttore e NtSetSystemInformation non eleva privilegi. RWX, WriteProcessMemory e CreateRemoteThread sono red flag evidenti, non stealth. E soprattutto: SYSTEM non arriva per magia. Senza un exploit reale o una configurazione errata, non lo ottieni.

2-hour deep dive reverse engineering a multi-stage malware infection chain 🔥 PowerShell → Process Injection → Donut Shellcode → Quasar RAT Covered: - Multi-stage payload decoding and deobfuscation - AES-256 CBC decryption with HMAC integrity validation - PBKDF2 key derivation implementation - Process injection technique identification (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) - Donut shellcode extraction and unpacking - .NET malware analysis using dnSpy - Debugger breakpoints and watch windows - RAT configuration extraction from Quasar RAT - Entropy analysis for detecting encryption/packing Full hands-on walkthrough: youtube.com/watch?v=mlpJOiqL…

That person needs to provide actual technical details as to what they’re doing to be able to convey their point. They mention syscalls, but what are they actually doing? If it’s just generic WriteProcessMemory/CreateRemoteThread calls, that’s far too generic to alert on alone.