Ever tried to get a good stretch on a long section of fence? When I build a netwire fence I won't stretch much more than a 330' roll and even then it's difficult to get it as tight as I would like. Putting braces where each roll will end allows you to stretch one at a time.
Hibernation Recon has recovered smoking guns in some of the highest-stakes cases involving digital forensics anywhere, ever. Here's a network packet recovered from the third level of a NetWire victim's Windows hibernation slack involving file transfer to an attacker's C2. #DFIR
⚠️ Threat volume increased across nearly every major malware family last week. #XWorm, #Netwire, #Warzone, and #DCRat all saw strong growth, alongside continued #Vidar activity. 📌 Trend to watch: this kind of broad growth usually points to multiple active distribution chains running in parallel. For SOC teams, that means overlapping alerts, noisier triage, and a higher chance of missing escalation paths early. ⚡️ Gain absolute threat visibility inside your SIEM/SOAR. Get an exclusive 10th anniversary deal for your team: app.any.run/plans/?utm_sourc… #Top10Malware
⚠️ Remote access tooling remained active last week. #AsyncRAT, #Remcos, #Warzone, and #Netwire all increased, while #Vidar continued to decline. 📌 Trend to watch: the activity points to attackers prioritizing persistence and operator access over large-scale credential theft. For defenders, that usually means fewer obvious indicators and more time between initial compromise and detection. Expand threat visibility in your SOC: any.run/enterprise/?utm_sour… #Top10Malware
16 Oct 2025
🔥 We uncovered notable shifts in how threat actors stage payload delivery, including emerging combinations of preferred loader, dropper and payload pairings. We think these insights reveal interesting patterns that were previously not shared, and provide a view of the ecosystem’s strategic changes through VMRay's own telemetry.
💡 A few takeaways:
- Amadey seems to take the first point of entry quite often in multi-stage loader scenarios (3 )
- Lumma tends to take an intermediate position between loaders and final dropped families
- StealCv2 and Vidar are almost exclusively dropped as a final payload
- The combination of Netwire and Warzone is the leading contributor to 2-stage delivery chains
- Rhadamanthys solely deploys XMRig and StealCv2 as final payload
🔍 Check out VMRay's Dynamic Analysis report to get insights on behavior and detections others have missed: vmray.com/analyses/most-comm…
19 Sep 2025
@cassiefrey_wx @MaxArcherWX @Chasaru3 Chase rig appreciation.... This is Red Thunder. 134k miles. Temperamental at times on minor things, but it gets me there and back. Brush guard with netwire protection for the headlights. As the slogan says, "When it storms Red Thunder rolls."
Chase rig appreciation post (sort of) Steve. You constantly tell us we’re out of gas. None of your tire sensors work. You love to function correctly until you crave a new extremely expensive part. Despite this, you’re alright. Mostly reliable at 200k miles.
This is a tweet "aggregating" the headline of an article from Yahoo Sports, which actually was posted to NetWire, which aggregated a report from Action Network, which says the following, none of which is actual reporting. Media literacy is just absolutely cooked
Our investigations reveal that from 2014, the NetWire malware was used to infiltrate devices of Indian human rights defenders, leading to fabricated evidence in the Bhima Koregaon case of 2018. #Humanrights #Cybercrime thepolisproject.com/read/mal…
The Masters of Espionage: Inside APT33 (Elfin)

APT33, also known as Elfin, is a sophisticated Iranian state-sponsored cyber threat group that has been active since at least 2013. The group primarily targets organizations in the aerospace and energy sectors, with a focus on the United States, Saudi Arabia, and South Korea. APT33 is known for its advanced tactics, techniques, and procedures (TTPs) in cyber espionage and destructive operations.

Key Figures in APT33

1. Nader Saedi: A senior operative who has played a crucial role in orchestrating attacks on aerospace and energy sectors. Saedi is known for his expertise in network infiltration and data exfiltration techniques. He has been instrumental in developing the group's strategies for targeting critical infrastructure. Saedi's strategic oversight and technical prowess make him a key player in APT33’s operational success. His deep understanding of network vulnerabilities and penetration testing allows the group to execute precise and effective cyber-attacks, ensuring high-value data exfiltration and minimal detection.

2. Ali Zadeh: A highly skilled malware developer responsible for creating and maintaining the custom tools used by APT33. Zadeh has been particularly active in developing malware targeting industrial control systems (ICS) in Western critical infrastructure. His work has significantly enhanced the group's capabilities in compromising and potentially disrupting energy facilities. Zadeh's technical innovations ensure that APT33’s malware remains sophisticated and effective against robust security measures. His continuous improvement of malware like DROPSHOT and TURNEDUP demonstrates his commitment to advancing the group's technical arsenal.

3. Hossein Yazd: A key strategist within APT33, Yazd is involved in planning and executing complex cyber-espionage campaigns. He has been credited with developing innovative social engineering tactics that have allowed the group to successfully penetrate high-value targets. Yazd's expertise lies in crafting convincing spear-phishing emails and creating fake online personas to gain trust and access. His strategic planning and social engineering skills have enabled APT33 to achieve significant operational successes. Yazd’s ability to adapt and refine social engineering techniques ensures that APT33 can continue to deceive and infiltrate targets effectively.

4. Mehdi Shah: A talented software engineer who serves as one of APT33's primary malware developers. Shah has been responsible for creating and refining the group's custom malware, including the DROPSHOT (also known as Stonedrill) wiper malware. His work has been crucial in enabling APT33 to maintain persistence in compromised networks and evade detection by security software. Shah’s continuous refinement of malware tools ensures that APT33’s operations remain effective and stealthy. His ability to integrate advanced obfuscation and persistence mechanisms into malware like TURNEDUP highlights his technical acumen and importance to the group.

5. Reza Hashemi: A senior figure within APT33, Reza Hashemi plays a significant role in coordinating the group’s operations and managing its technical infrastructure. His oversight ensures that APT33’s campaigns are well-coordinated and aligned with Iran's strategic objectives. Hashemi’s role in ensuring operational cohesion and efficiency is critical to the group’s sustained success in cyber espionage.

6. Kaveh Mostofi: An expert in cyber reconnaissance and initial access operations, Kaveh Mostofi is responsible for identifying high-value targets and vulnerabilities. His work enables APT33 to strategically plan their campaigns and exploit weaknesses effectively. Mostofi’s expertise in reconnaissance ensures that APT33’s operations are meticulously planned and executed, increasing the likelihood of successful infiltration.

Operations and Tactics

APT33 has been involved in a wide range of cyber espionage activities, employing various tactics and techniques to achieve its objectives. The group’s operations are characterized by their sophistication and persistence, targeting sectors such as aerospace, telecommunications, healthcare, biotechnology, and government.

Spear-Phishing Campaigns: APT33 heavily relies on spear-phishing emails with malicious attachments, often masquerading as job postings or industry-specific content. These emails typically contain malicious attachments or links that, when opened, execute malware on the victim's system. APT33’s spear-phishing campaigns are meticulously crafted to target specific individuals, increasing the likelihood of successful infiltration. Their use of convincing job-related lures has proven effective in deceiving targets into executing malicious payloads. The group's ability to create highly tailored and deceptive spear-phishing emails demonstrates their understanding of social engineering and human psychology.

Malware and Tools

APT33 employs a variety of malware and tools in its operations, including:
- DROPSHOT: Also known as Stonedrill, DROPSHOT is a sophisticated wiper malware designed to destroy data on infected systems. It has been used in destructive attacks targeting critical infrastructure and is notable for its ability to evade detection and persist within compromised networks. DROPSHOT's destructive capabilities highlight APT33's potential to cause significant operational disruptions.
- TURNEDUP: A custom backdoor used for maintaining persistence and executing commands on compromised machines. TURNEDUP’s capabilities include remote control and data exfiltration, making it a versatile tool in APT33’s arsenal. TURNEDUP’s adaptability and stealth features make it a critical component of the group’s long-term infiltration strategy.
- NANOCORE, NETWIRE, and ALFA Shell: These commercial remote access tools (RATs) have been modified by APT33 to suit their specific needs. These tools enable the group to maintain control over infected systems and exfiltrate valuable data. The modification and utilization of commercial RATs demonstrate APT33's resourcefulness and technical proficiency.
- SHAPESHIFT: Custom malware developed by APT33 for versatile attacks, including data theft and system manipulation. SHAPESHIFT's multifunctional capabilities allow APT33 to adapt their attacks to various scenarios and objectives.
- PupyRAT: An open-source remote administration tool used by APT33 for remote control and data exfiltration. PupyRAT’s flexibility and open-source nature make it a valuable tool for APT33’s diverse operational needs.
- PowerSploit and Mimikatz: Used for credential harvesting and privilege escalation within compromised networks. These tools enable APT33 to gain elevated access within target networks, facilitating deeper penetration and data exfiltration.

Notable Attacks and Operations

Campaigns Against Saudi Aviation Firms and Energy Companies (2017): APT33 launched targeted attacks against Saudi aviation firms and energy companies in 2017. These campaigns involved spear-phishing emails and the deployment of custom malware to infiltrate and gather intelligence from targeted organizations. The group's focus on Saudi Arabia reflects Iran’s strategic interest in monitoring and potentially disrupting its regional rival’s critical infrastructure. The successful penetration of these high-value targets underscores APT33’s technical capabilities and operational effectiveness.

Attacks on U.S. Aerospace Companies and Saudi Petrochemical Firms (2018): In 2018, APT33 targeted U.S. aerospace companies and Saudi petrochemical firms, demonstrating the group’s capability to conduct cross-sector cyber espionage. These operations aimed to steal sensitive information related to aerospace technologies and petrochemical production processes, which are critical to both military and economic interests. The targeting of these sectors highlights APT33’s focus on gathering intelligence that supports Iran's strategic objectives in both defense and economic domains.

Ongoing Espionage Operations Against Military and Civilian Aviation Entities: APT33 continues to conduct espionage operations against military and civilian aviation entities worldwide. Their focus on aviation targets suggests an interest in gathering intelligence on both commercial and defense-related aviation technologies. These ongoing campaigns involve advanced malware and sophisticated tactics designed to remain undetected within targeted networks. The group's persistent targeting of aviation entities indicates a long-term strategic goal of enhancing Iran's aviation capabilities and gaining competitive intelligence.

Techniques and Procedures

Exploitation of Vulnerabilities: APT33 is known for exploiting vulnerabilities in popular software, including Microsoft Office and web browsers. By leveraging both known and zero-day vulnerabilities, the group can gain initial access to target systems and deploy their custom malware. APT33’s ability to exploit vulnerabilities effectively demonstrates their technical expertise and access to advanced resources. Their proactive approach to identifying and exploiting software vulnerabilities ensures that they can infiltrate even well-protected networks.

Domain Masquerading and Typosquatting: APT33 employs domain name typosquatting to create convincing fake websites for credential harvesting. These fake domains closely mimic legitimate websites, deceiving users into entering their credentials. This technique allows APT33 to gain unauthorized access to sensitive systems and gather valuable information. The use of domain masquerading and typosquatting demonstrates APT33’s ingenuity in creating deceptive attack vectors that exploit human error.

Long-Term Persistence and Data Exfiltration: Once inside a target network, APT33 uses a combination of custom and modified commercial malware to maintain long-term persistence and exfiltrate data. Their tools are designed to evade detection by security software and ensure continuous access to compromised systems. The group’s emphasis on maintaining persistence highlights their strategic approach to cyber espionage, aiming for prolonged access and comprehensive data collection. APT33’s ability to remain undetected within target networks for extended periods allows them to gather extensive intelligence and conduct detailed reconnaissance.

Conclusion

APT33, also known as Elfin, is a highly sophisticated and persistent cyber espionage group with strong ties to the Iranian government. The group's ability to conduct extensive and prolonged cyber espionage campaigns has made it a significant threat to organizations worldwide. By understanding the key figures, operations, and tactics of APT33, organizations can better prepare and defend against this formidable adversary. The comprehensive analysis of APT33's members and operations underscores the importance of robust cybersecurity measures to protect against state-sponsored cyber threats. #cybersecurity #infosec #cti #apt
23 Apr 2024
Sometimes I feel like an annoying wife who came to clean her husband’s room🧹 ⚠️But still, tell me, is it necessary to put the #trojan tag if there is already a tag for the family? (#netwire #loki #rat etc)
40% trojan for everyone!
60% if there is a family, no
20 votes • Final results
10 Feb 2024
Was wondering if this was up for the chop soon ever since the Netwire takedown
@timb_machine the trial version of Netwire in this archive is the one with the Solaris and Linux implants. Just waiting for a Windows ISO to download so I can see about generating some binaries for the collection :)
Using NwStacks this morning, identifying extremely valuable remnants of an attacker’s use of the NetWire RAT found within a victim’s Windows 10 swap file. If you have ever dealt with a NetWire victim, check out NwStacks on our GitHub at github.com/ArsenalRecon/NetW…. #DFIR
31 Oct 2023
The Supreme Court has an opportunity to ringfence surveillance: not just mass surveillance with CMS, Natgrid and Aadhaar linked data collection, but also illegal usage of cyberweapons against citizens with tools like Pegasus, Netwire and Predator. That is national interest, & 12/n
Honored to have won the High Technology Crime Investigation Association's (@HTCIA) Case of the Year award based on our work in the Bhima Koregaon case. @JoakimSchicht's NetWire reversing which led to new analysis techniques & open source tools was truly awesome. #HTCIA2023 #DFIR
"Trust" Lol. What a joke. Does the jio notebook come preloaded with - Pegasus - used on opposition leaders, ministers, journalists, ECI head, even a number linked to an SC judge. Netwire - used to plant evidence in the Bhima Koregaon case.
➡️ India is becoming one of the world's fastest growing markets for Digital products including Laptops, Servers etc.
➡️ India and DigitalNagriks will consume millions of Digital products in the coming Techade.
➡️ Rapid digitalization / cloudification of our economy AND rapid growth of our digital economy is fueling demand growth.
➡️ It is the government's objective to ensure trusted hardware and systems, reduce import dependence and increase domestic manufacturing of this category of products.
➡️ This is not at all about license raj - It is about regulating imports to ensure trusted and verifiable systems AND ensuring India's tech eco-system uses only trusted and verified systems that are imported and/or domestically manufactured trusted systems / products. #IndiaTechade #NewIndia @PMOIndia @DPIITGoI @PiyushGoyal
"bash", NetWire macOS sample: c4314879495da2117def21687e74cd903f7baf620f7ff57f85d4997ed3280c47
Replying to @KingJayZim
Let's just say there is no 'netwire' there