CyberRaiju
@jaiminton.com
An Aussie who does cyber things | Manager @Huntress.com | Former Principal @CrowdStrike.com and HuntressLabs | https://jaiminton.com | https://www.youtube.com/@cyberraiju/featured
Pinned
How do you submit a pull request to a malware author?🤔

Celestial Stealer is checking for my name or online handle and it won't execute if it's found, but my RE machine is using the name Barry so this check will fail.

Who do I reach out to about this? 😅

www.trellix.com/blogs/resear...
Our new research is now live, and it's full of juicy insights. From a log poisoning vulnerability, to an RMM you've likely never heard of, and a list of victim locations that span the globe! 👀 👇
1⃣ The Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.

www.huntress.com/blog/nezha-c...
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors | Huntress
Beginning in mid-2025, Huntress discovered a new tool being used to facilitate webserver intrusions known as Nezha, which up until now hasn’t been publicly reported on. This was used in tandem with ot...
www.huntress.com
October 10, 2025 at 2:31 AM
As of Thurs Aug 14th, we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6), which were presented at DEFCON.

Indicators on Xitter/LinkedIn

www.linkedin.com/posts/activi...

x.com/CyberRaiju/s...
August 16, 2025 at 6:45 AM
New Octowave Loader sample is leading to Amatera Stealer deployment over the past week.

0 VT detections on any component of the malware loader.
Proofpoint rules detect the outbound C2 traffic.
My Yara rule detects the installer.
June 24, 2025 at 3:11 AM
I've been thinking a lot about recent layoffs, AI advancements, and what it means for this industry as a whole. Hopefully at least some of this resonates with others and hits the mark.

www.jaiminton.com/internal-blo...
Job Security in Cyber Security is Changing
At what point is your “secure” job at risk?
www.jaiminton.com
May 16, 2025 at 8:10 AM
HijackLibs.net details hundreds of publicly disclosed DLL Hijacking opportunities. With over 700 stars on GitHub and a growing list, @wietzebeukema.nl does an amazing job maintaining it.

Despite this, contributing can be time-consuming. That's why I've created HijackLibs Helper!👇
May 9, 2025 at 8:18 AM
I've confirmed Samsung's MagicINFO 21.1050 is VULNERABLE to the publicly reported POC in the blog below.

ssd-disclosure.com/ssd-advisory...

The media is reporting this as CVE-2024-7399, but if it is then the patch is incomplete. There is currently NO PATCH AVAILABLE!
May 7, 2025 at 7:08 AM
It keeps going, new sample: www.virustotal.com/gui/file/d70...
At the time of scanning 1 vendor detected it, still only 3 at the moment. Deploying LummaC2 unsurprisingly.
This time a binary signed by 'ONE UP LTD' from the Nuclear Coffee VideoGet application is used to load it into memory.👇
April 22, 2025 at 10:56 PM
Another notable Octowave Loader sample with installer MSI showing low VT hits, and malicious DLLs being completely undetected. Sideloads into the legitimate Audacity.

Installs itself as 'Directory Converter' in the user LocalAppData 'Programs' directory.

👇
April 22, 2025 at 9:21 PM
New video released 🎉: Once again looking at malware sent over Discord, but this time we can analyse it statically after performing AES decryption. You may also see reference in the video to some stealers which have since shut down or rebranded 😎 Enjoy!
www.youtube.com/watch?v=knu0...
DISCORD "try my game" MALWARE | Reverse Engineering Leet Stealer, Electron Malware Used By HACKERS
YouTube video by Jai Minton - CyberRaiju
www.youtube.com
April 3, 2025 at 11:34 AM
Are you interested in Generative AI and 💉 Prompt Injection techniques? I've just released a short video exploring the Main Gandalf challenge by Lakera AI and how you can convince 🧙‍♂️ to give you his secrets through specifically crafted prompts.

Enjoy!

www.youtube.com/watch?v=pQ5K...
Hacking Gandalf AI (LLM) to reveal SECRETS | Basic PROMPT INJECTION techniques
YouTube video by Jai Minton - CyberRaiju
www.youtube.com
March 23, 2025 at 1:39 AM
Just released 🎉 In classic copycat form, now we have real CAPTCHAs protecting fake installers that use the ClickFix 'WIN + R technique'🤦‍♂️. New video released where I fail a legitimate CAPTCHA multiple times while searching for malware 😂

youtu.be/LrOJBiWOHbE
Forget FAKE CAPTCHAs, I got MALWARE via a REAL CAPTCHA! | I2Parcae Malware Analysis
YouTube video by Jai Minton - CyberRaiju
youtu.be
March 15, 2025 at 9:16 PM
I took a look at a new malware loader which uses steganography within WAV 🌊 files to deliver its payload on an endpoint. Enjoy!

www.youtube.com/watch?v=NiNI...
I found MALWARE inside of MUSIC! (Octowave Steganography Malware Analysis)
YouTube video by Jai Minton - CyberRaiju
www.youtube.com
March 4, 2025 at 10:26 AM
Termite had access to Genea for 2 weeks through their Citrix environment before exfiltrating 900GB+ of patient records to Digital Ocean.

This is an org that helps couples have a family.

🤬😡

www.genea.com.au/pages/import...

www.genea.com.au/sfsites/c/cm...
February 27, 2025 at 4:08 AM
I frequently get asked "what skills do I need to excel as an analyst?", so I figure this is a good opportunity to shed some light on what analysis is, and why certifications alone won't make you a good analyst.

www.jaiminton.com/high-impact-...
HISAC - High Impact Security Analysis and Communication
How to be a well rounded SOC/MDR/Cyber/Information Security Analyst.
www.jaiminton.com
February 2, 2025 at 9:28 AM
This is really big at the moment and you should absolutely be looking at your M365 logs to identify this activity.

www.speartip.com/fasthttp-use...

We're observing a large number of IPs involved after successful authentication, but a common IP is 113.23.43[.]76
fasthttp Used in New Bruteforce Campaign
SpearTip Security Operations Center, together with the SaaS Alerts team, identified an emerging threat involving the fastHTTP library
www.speartip.com
January 21, 2025 at 4:19 AM
Reposted by CyberRaiju
I made a Windows #DFIR artifacts collection MindMap; it's tough to fit everything into a readable overview (might change later).
January 4, 2025 at 11:50 PM
This threat actor has started using @github.com to host the PowerShell downloaders making it fairly trivial to find accounts hosting a copy of Vidar Stealer. Some have low, and some have high VT hits.

www.virustotal.com/gui/file/f9d...

www.virustotal.com/gui/file/847...
December 30, 2024 at 4:48 AM
This. Multiple criticals on our end also. If you think ransomware actors weren't sitting on access waiting until Christmas Eve to strike then you're mistaken. Holidays are prime time for ransomware gangs who would love to give you a ransom message for Christmas in the hope 2025 lands them some $$$
December 24, 2024 at 9:03 AM
Sure sex is good, but have you ever stopped an environment from being ransomed on Christmas Eve?
December 24, 2024 at 8:49 AM
👀 The domain saaadnesss[.]shop, registered a month ago and used to track infected victims in a Fake Captcha/ClickFix/ClearFake campaign, is now already being seen as one of the top 1 million domains as a result of being served from compromised websites.

urlscan.io/search/#saaa...
December 23, 2024 at 2:07 AM
It's Dec 2024 and there's a new Telerik deserialisation vulnerability.

www.cve.org/CVERecord?id...

Meanwhile we're still seeing people exploit CVE-2019-18935 from 5 years ago...
December 20, 2024 at 3:29 AM
Had some fun with Alden, @laughingmantis.bsky.social, and Tanner digging into the Java implant that was being deployed by the Cleo 0-day. Our analysis is now live!

www.huntress.com/blog/cleo-so...

TL;DR: Custom malware specifically targeting Cleo software we called Malichus.

Enjoy!
Team Huntress has analyzed Cleo's software vulnerability. Take a look at the technical breakdown of a new family of malware we’ve named Malichus.
www.huntress.com
December 12, 2024 at 4:17 AM
Reposted by CyberRaiju
We’ve identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers.

#dfir #vulnerability

www.huntress.com/blog/threat-...
Cleo Software Actively Being Exploited in the Wild | Huntress
Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. Read more about this emerging threat on the Huntress Blog.
www.huntress.com
December 10, 2024 at 3:48 AM