CyberRaiju
@jaiminton.com
An Aussie who does cyber things | Manager @Huntress.com | Former Principal @CrowdStrike.com and HuntressLabs | https://jaiminton.com | https://www.youtube.com/@cyberraiju/featured
Masquerading as `IO Broker Installer` on disk from the compiled MSI that seems to have artifacts from a SyslogCenter executable previously used by Octowave Loader that was still left in the MSI.

PR made to #hijacklibs github.com/wietze/Hijac...
Create tbb.yml by JPMinty · Pull Request #128 · wietze/HijackLibs
New Octowave variant using this to deliver ACR/Amatera Stealer
github.com
June 24, 2025 at 3:11 AM
Adobe printer driver sideloads tbb.dll; tbb.dll loads app-2.3.dll, which gets stego from blood.wav and uses zxing.presentation.dll and Xceed.Wpf.AvalonDock.Themes.Aero.dll.

MSI:
www.virustotal.com/gui/file/f5c...

Components all with 0 VT detections. DLLs are legitimate ones that were modified.
June 24, 2025 at 3:11 AM
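Added example (not code from the post or from the HijackLibs project): one way to surface the sideload chain described above from Sysmon-style image-load events (Event ID 7). It watches for the DLL names named in the post being loaded from outside the Windows system directories with a signature that no longer validates, which is what "legitimate DLLs that were modified" look like on a host, and reports whether each was loaded from the executable's own directory. The process image name, paths and event values are constructed for the example.

```python
"""Sideload triage over constructed Sysmon Event ID 7 (ImageLoad) records.

Added example; not from the original post. Field names follow Sysmon's
ImageLoad schema (Image, ImageLoaded, Signed, SignatureStatus, ProcessId);
the sample values are constructed.
"""
import ntpath

# DLL names called out in the post as part of the chain.
WATCHED_DLLS = {
    "tbb.dll",
    "app-2.3.dll",
    "zxing.presentation.dll",
    "xceed.wpf.avalondock.themes.aero.dll",
}

# Loads from the system directories are left to other rules.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are stable."""
    return path.replace("/", "\\").lower()


def classify_load(event: dict):
    """Return a (dll_name, reasons) tuple for a suspicious load, else None.

    A load is suspicious when the DLL is on the watch list, is not in a
    system directory, and its Authenticode signature does not validate
    (modifying a signed DLL invalidates the signature). Loading from the
    executable's own directory is added as a second reason when present.
    """
    if event.get("EventID") != 7:
        return None
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    name = ntpath.basename(loaded)
    if name not in WATCHED_DLLS or loaded.startswith(TRUSTED_DIRS):
        return None
    signed_ok = (
        event.get("Signed", "false").lower() == "true"
        and event.get("SignatureStatus", "").lower() == "valid"
    )
    if signed_ok:
        return None
    reasons = ["signature_not_valid"]
    if ntpath.dirname(loaded) == ntpath.dirname(image):
        reasons.append("loaded_from_process_directory")
    return name, reasons


def find_sideloads(events):
    """Group suspicious loads by ProcessId so a chain reads as one finding."""
    findings = {}
    for ev in events:
        hit = classify_load(ev)
        if hit:
            findings.setdefault(ev["ProcessId"], []).append(hit)
    return findings


# Constructed sample events (process name and paths are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4321,
     "Image": r"C:\Users\victim\Downloads\IOBrokerInstaller\printer.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\IOBrokerInstaller\tbb.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessId": 4321,
     "Image": r"C:\Users\victim\Downloads\IOBrokerInstaller\printer.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\IOBrokerInstaller\app-2.3.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessId": 4321,
     "Image": r"C:\Users\victim\Downloads\IOBrokerInstaller\printer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A legitimately shipped, validly signed tbb.dll next to another app.
    {"EventID": 7, "ProcessId": 777,
     "Image": r"C:\Program Files\SomeApp\someapp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\tbb.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for pid, hits in find_sideloads(SAMPLE_EVENTS).items():
        for name, reasons in hits:
            print(f"pid {pid}: {name} ({', '.join(reasons)})")
```

The signature check is the load-bearing part: a validly signed copy of tbb.dll sitting next to a legitimate application is normal, so directory co-location alone is only recorded as a supporting reason, not as the trigger.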
Their latest version 52 fixes the issue, but you need to have 50 installed to install 52; this is not a standalone installer, just an update, and the old versions are still the default download on their website.

eu.community.samsung.com/t5/samsung-s...
May 10, 2025 at 3:05 AM
Now in open beta: simply upload an executable and the DLL it insecurely loads, fill in some extra fields, and generate a rule.

With a code editor and validation, this should make submitting to the project much easier!

Link: www.jaiminton.com/tools/hijack...
Direct: hijacklibs-assistant.streamlit.app
May 9, 2025 at 8:18 AM
We have reached out to Samsung. There is active exploitation in the wild.

Be sure to look for new files created in the server directory of your MagicInfo install, and child processes spawning from the Apache Tomcat process.
May 7, 2025 at 7:08 AM
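Added example (not from the post): the two checks the post recommends, run over constructed Sysmon-style events. Processes spawned by the Tomcat service that are not Tomcat/Java themselves are flagged (Event ID 1), as are files created under the MagicInfo server directory other than routine log output (Event ID 11). The server directory path and the Tomcat image name are assumptions for the example; adjust them to the install being checked.

```python
"""MagicInfo exploitation indicators over constructed Sysmon-style events.

Added example; not from the original post. Field names follow Sysmon's
ProcessCreate (EID 1) and FileCreate (EID 11) schemas; values are constructed.
"""
import ntpath
import re

# Assumed for the example: where the MagicInfo server lives on this host and
# what the Tomcat service process is named. Neither comes from the post.
MAGICINFO_SERVER_DIR = r"C:\MagicInfo\server"
TOMCAT_IMAGE_RE = re.compile(r"\\(tomcat\d*|java)\.exe$", re.IGNORECASE)

# Extensions the web server writes routinely; everything else gets reported.
ROUTINE_EXTENSIONS = {".log", ".tmp"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_tomcat_child(event: dict) -> bool:
    """EID 1 where the parent is Tomcat/Java and the child is something else.

    Tomcat launching java.exe is normal service behaviour, so both names are
    treated as the server and a java child is not reported.
    """
    if event.get("EventID") != 1:
        return False
    parent_is_server = bool(TOMCAT_IMAGE_RE.search(_norm(event["ParentImage"])))
    child_is_server = bool(TOMCAT_IMAGE_RE.search(_norm(event["Image"])))
    return parent_is_server and not child_is_server


def is_new_server_file(event: dict) -> bool:
    """EID 11 where a non-routine file appears under the server directory."""
    if event.get("EventID") != 11:
        return False
    target = _norm(event["TargetFilename"])
    if not target.startswith(_norm(MAGICINFO_SERVER_DIR) + "\\"):
        return False
    return ntpath.splitext(target)[1] not in ROUTINE_EXTENSIONS


def triage(events):
    """Return (indicator, subject, detail) tuples in event order."""
    findings = []
    for ev in events:
        if is_tomcat_child(ev):
            findings.append(("tomcat_child_process", ev["Image"],
                             ev.get("CommandLine", "")))
        elif is_new_server_file(ev):
            findings.append(("new_server_file", ev["TargetFilename"],
                             ev["Image"]))
    return findings


# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\MagicInfo\tomcat\bin\tomcat8.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "ParentImage": r"C:\MagicInfo\tomcat\bin\tomcat8.exe",
     "Image": r"C:\Program Files\Java\bin\java.exe",
     "CommandLine": "java.exe -jar bootstrap.jar"},
    {"EventID": 11, "Image": r"C:\Program Files\Java\bin\java.exe",
     "TargetFilename": r"C:\MagicInfo\server\logs\catalina.log"},
    {"EventID": 11, "Image": r"C:\Program Files\Java\bin\java.exe",
     "TargetFilename": r"C:\MagicInfo\server\dropped.jsp"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for indicator, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{indicator}: {subject} [{detail}]")
```

Both checks are deliberately narrow: a file written by the Java process into the server tree, or a shell spawned beneath Tomcat, is rare enough in normal operation that each hit can be reviewed by hand alongside the Tomcat access logs.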
The version offered on their website via the download button is currently not even the latest, so even if it were patched (it isn't; the vulnerable class has not changed at all), anyone downloading the software is getting an outdated version! No updates here:

security.samsungtv.com/securityUpda...
May 7, 2025 at 7:08 AM
The DLLs and everything, currently undetected once again:
DLL1: www.virustotal.com/gui/file/888...
DLL2: www.virustotal.com/gui/file/ea3...
DLL3: www.virustotal.com/gui/file/0c6...
Malicious WAV Stego: www.virustotal.com/gui/file/93c...
April 22, 2025 at 10:56 PM
Likely from a fake Cloudflare challenge. Has 4 malicious DLLs, a Progress.pak supporting file, and shellcode inside of Presentations\Application.wav

Deploys LummaC2 into memory which is now using both Telegram channel and Steam Community names for C2 fallback.

👇
April 22, 2025 at 9:21 PM