🎯 We're kicking off #ThreatrayTuesday — a weekly drop of new malware families we spot in the wild. This week, 8 new malware families spotted, including a stealer abusing Gofile for exfiltration. #WoolexaStealer — custom domain C2 #KeshXrdStealer — Discord webhook exfil #BaggerBauenStealer — exfils via Gofile #CorebotStealer — Discord webhook exfil #XYZStealer #VileRansomware #Windows12Ransomware #BallerWareRansomware 🧬 Find the #IOCs here: github.com/threatray/threat-…

New blog post: how AI code intelligence can help analysts rapidly identify trojanized DLLs and accelerate malware investigations. We preview our upcoming AI analysis feature, combining LLMs with Threatray’s code similarity engine to surface suspicious functionality, separate benign code from attacker logic, and speed up triage. Read it here: threatray.com/blog/leveragin…

New tutorial: From Binary Code to #YARA Rule — A Threatray Walkthrough with #Eddiestealer We just published a hands-on walkthrough showing how to build a reliable YARA rule for Eddiestealer, the Rust-based info-stealer, using Threatray’s unique binary analysis and intelligence capabilities. Since Eddiestealer encrypts and obfuscates its strings, string-based detection doesn’t work — we need a code-based YARA rule. The core challenge with code-based rules is finding pieces of code that guarantee a high true-positive and low false-positive rate. Rust binaries make this especially hard: they’re packed with statically linked runtime and library code, making it extremely difficult to separate malware logic from benign noise and to select the right code to base a YARA rule on. In this tutorial, we show how Threatray’s unique code analysis and intelligence capabilities can simplify and speed up the process of writing code-based YARA rules. Starting from 1,300 functions in an Eddiestealer binary, we narrow them down to just 2 strong candidate functions through a largely automated process — and use those as the foundation for the final rule. Read it here: docs.threatray.com/docs/buil… A big thank you to @craiu (@wearetlpblack) and @X__Junior (@nextronsystems) for reviewing early drafts and providing valuable feedback.

🚨 We’ve identified a new, previously unreported variant of #SantaStealer (first reported by @Rapid7 last December). Using our code-similarity engine, we uncovered overlaps between the original and the new samples, which triggered a deeper investigation. 💡 The new variant maintains similar behavior and core functionality, but introduces several notable changes: - Uses Mastodon as its C2 infrastructure - Encrypts many strings with AES-256-CBC - Protects the C2 address and URL path with three layers of AES-256-CBC Through retrohunting, we traced the earliest sample back to early January. Early builds contained fewer encrypted strings, while more recent samples show progressively heavier string encryption. 🧬 #IOCs: 756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45 ace0a0d6615f233f3c71781e59d6438bf3ca35ead4123cf4e02b97effd45a75c d3fb6919ce5b708d7e4f50e49050d5c497f658f89951418c4f590d9476764271 055d777c3d38269f07d454f07abc985dfa52493b669cd3cc687304a0a6425122 885b57ac755eb84c505fd41c55bc451746b29fb8101a8e1cff74d46e85a80bee b4d1b2f81992764178c6fbee4b91118f0350d4fa3a70abc9a9abfaf7b7b77b37 5621c4c3f8fd7a9b62894a79c44d29dfb35143dd833e7ac47bd06b3f0c8d9102 14e2358e66c2dfd1aa283cc030a49110b06fd057cdebb9e96ff10e44ef0c012b b54cc77250a22c94b7acbd1bbdab6bba650d4d3a6bf6b37c6128fab13c2c0813 763f815d2fca9acd9266fa0129954a6d219baaf34e447f333d880f5a51521a67 cc1de746b577bf949aeeab2db18c07f6be0346e9f519a39c8bb1b7effca0458d 391158e325043bfd5b6bc0d66dc0fda3455bfe76e519deaf1ee46c966e0f2fc4 99f4a1e2d828e2c4e32084c51b26bd0ba22a8e982776537204e119653e2e2db1 3545ae95ec6e180adb41914e1c22fa726d5f769195d539a774fe8f9daba1d8ee 6ba6373af16ae34d3f0322e6f54087bc33e620a0a369323bc76a1addc8175ace

🚀 We are proud to announce the availability of Threatray Release v2.2, bringing a powerful set of enhancements and new capabilities to the platform. 🔍 Function-level retro-hunting and pivoting is now available directly in the UI. Point and click on any unknown function to hunt for similar functions across our database of over 1 billion malware and goodware functions - uncovering relationships in seconds and accelerating analysis, pivoting, and detection workflows. 🧠 We’ve significantly improved our Go and Rust library identification engine, yielding up to 40 % more goodware function identifications, while reducing false matches. Library attribution is now more specific, enabling clearer distinction between known good code and potential threats. 👁️ YARA matches are now better visible throughout the UI, making detection results more accessible and intuitive. YARA classification works alongside our core code similarity engine, helping analysts quickly see all relevant classification and detection signals in one place. Explore all the new features and improvements: threatray.com/blog/threatray…

Head on over to our research account for content like this 👇

Check out the latest research, insights, and fresh IOCs from our threat intelligence team - now live at @ThreatrayLabs.

🚀 We are proud to announce the availability of Threatray Release v2.1, bringing an exciting set of additions and improvements to the platform. 🤝 We’ve partnered with @nextronsystems, a pioneer in YARA and Sigma rule detection, to bring their industry-leading detection capabilities directly into Threatray. THOR Thunderstorm YARA detection and classification is now fully integrated into the Threatray platform. 🔍 We made Hunting and Pivoting effortless – find a unified YARA search and family name autocomplete, making it easier to connect the dots between millions of analyses and hunt for threats. See details and screenshots here: threatray.com/blog/threatray…

⚡ Exciting Update ⚡ We're thrilled to announce our new partnership with @nextronsystems to take YARA rule development and malware classification to a whole new level. 🚀 This collaboration brings Nextron's high-quality YARA rules from THOR Thunderstorm directly into Threatray's Binary Intelligence Platform for even more accurate malware classification. Nextron will in turn leverage Threatray’s unique code reuse technology to accelerate their malware analysis and YARA rule development. Stay tuned for more updates as our collaboration progresses! 👉 threatray.com/blog/threatray… #cybersecurity #malwareanalysis #yara #threatintel

Threatray's @_n1ghtw0lf and @_jwagner in collaboration with @proofpoint Threat Research Team have undertaken a deep dive into the India-aligned #Bitter (TA397) cyber espionage group. Read part one over at Proofpoint, where they cover campaigns, infection chains, hand-on-keyboard activity and attribution: proofpoint.com/us/blog/threa… Then read part two, where we cover their vast payload arsenal, shared TTPs, IoCs and YARA rules: threatray.com/blog/the-bitte… We will also be presenting this research at #VB2025 later this year.

🚀 We are proud to announce the availability of Threatray Release v2.0, bringing a huge set of additions and improvements to the platform. ✅ The introduction of Goodware Identification enhances analysis by identifying benign code from runtime, third-party libraries and legitimate executables at the function level, streamlining processes such as detecting backdoors, creating YARA rules, and focusing on relevant code. 📊 We bring Code Intelligence to a new level, providing a detailed breakdown of malicious and benign code within binaries, along with capability analysis. These features accelerate investigation and triage of unknown binary code. ⚙️The IDA Pro plugin enhances reverse engineering with features such as cluster analysis to identify code overlaps and function-level retro-hunt to search through our vast code repository. We bring YARA rule development, malware tracking, and code reuse research to the next level. 🌐 Our new Chrome Extension allows for fast threat report analysis by summarizing reports, annotating hashes with malware family classifications, and enabling direct pivoting to detailed analysis in the Threatray platform. See details and screenshots here: threatray.com/blog/threatray…

⚡ Exciting Update ⚡ @TeamT5_Official and Threatray are teaming up in a joint research collaboration to level up threat actor tracking and malware analysis. 🔍 TeamT5’s threat intelligence analysis experts Threatray’s cutting-edge malware detection and binary intelligence capabilities = stronger insights. This partnership will bring sharper threat landscape reporting and enhanced research capabilities for both teams. Continued insights ahead! threatray.com/blog/uniting-f… #Cybersecurity #ThreatIntelligence

⚡ Exciting Update ⚡ TeamT5 and @Threatray are teaming up in a joint research #collaboration to level up threat actor tracking and malware analysis. 🔍 TeamT5’s threat #intelligence analysis experts Threatray’s cutting-edge #malware detection and binary intelligence capabilities = stronger insights. This partnership will bring sharper threat landscape reporting and enhanced research capabilities for both teams. Continued insights ahead! 👉pse.is/7gfdk7 #CyberSecurity

Our code analysis engine has found that the malware sample 5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96 is a variant of Beast ransomware. This sample was recently reported as Boramae ransomware by @CyfirmaR cyfirma.com/research/boramae…. We compared this sample with the Beast ransomware sample 4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf discovered by @cybereason in October 2024 cybereason.com/blog/threat-a… Our findings show that: 1. Both samples share nearly identical code, however Boramae is statically linked with OpenSSL 1.1.0. 2. Boramae features enhanced string obfuscation techniques, including a more sophisticated XOR decryption routine and subtractive decryption. 3. It maintains Beast's GUI (accessible via Ctrl Alt 666) but includes changes to the ransom note, file extension (.boramae), and mutex handling. For more details, check our report: threatray.com/blog/threat-up… This discovery demonstrates how older ransomware threats continue to evolve, not only through rebranding but also by incorporating enhanced functionality to avoid detection. #cybersecurity #malware #ransomware

📢Thank you @threatray for being #PIVOTcon25 Bronze Sponsor‼️ Read more about Threatray: threatray.com Threatray provides malware detection and intelligence products Our sponsors: pivotcon.org/sponsors #ThreatIntel #CTI #ThreatResearch

🚨 Following up on @SentinelOne recent ransomware analysis: Our code search engine has discovered AidLocker/Frag, variants of HellCat/Morpheus. Our findings show that: (1) Like HellCat/Morpheus, AidLocker/Frag are code-wise identical but use different branding in their ransom messages. (2) AidLocker/Frag share substantial code with HellCat/Morpheus, confirming they belong to the same family. For more details, check our report: threatray.com/blog/threat-up… Special thanks to our friends @InfoGuardAG for sharing a recent in-the-wild sample of AidLocker. #Ransomware #Malware #ThreatIntel