alden
@re.wtf
650 followers 410 following 13 posts
sr detection engineer @ huntress • malware enjoyer • macOS security https://alden.io
Reposted by alden
kennethkinion.bsky.social
Hot on the heels of the research published by @huntress.com, hunting for Zoom-themed lures from DPRK's #BlueNoroff

💥Learn hunting techniques
💥Leverage new Validin features and data
💥Full, unredacted indicator list (domains, IPs, hashes)

www.validin.com/blog/zooming...
Zooming through BlueNoroff Indicators with Validin | Validin
Pivoting through recently-reported indicators to find BlueNoroff-associated domains
www.validin.com
re.wtf
alden @re.wtf · Jun 18
LMFAO woah woah it's good by comparison! 😭 we take what we can get in macOS land
re.wtf
alden @re.wtf · Jun 18
excited bc today @huntress.com is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠

we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)!

www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
www.huntress.com
re.wtf
alden @re.wtf · Apr 15
finally got around to rewriting the copy as yara binja plugin! 🥰

has a few quality of life improvements (new formats) and address wildcarding is fixed for ARM! (sorry bout that mac homies) ❤️

it's also now available in the plugin repository! 🔥

github.com/ald3ns/copy-...
re.wtf
alden @re.wtf · Apr 4
pwning my FTP server is a weird way to say you have a Crush on me but okay 🥰

anyways check out our analysis of some CrushFTP CVE-2025-31161 post exploitation activity!

www.huntress.com/blog/crushft...
https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
Reposted by alden
jacoblatonis.me
nightmare blunt rotation
a screenshot of the "Languages" section of a GitHub repo, showing 58.8% C, 28.6% JavaScript, and 12.6% Python
re.wtf
alden @re.wtf · Feb 14
BREAKING: DOGE has uncovered that the CIA spent $10,000,000 on zyns and has been feeding them to analysts to increase productivity! 😱
Cool mint zyn containers that are CIA branded
Reposted by alden
cabal.cx
cabal @cabal.cx · Jan 14
our network has raised hundreds of dollars to give firefighters the zyn they need to keep protecting LA from the fires. Thank you!!
Reposted by alden
greg-l.bsky.social
#100DaysofYARA day 1 - the Amos stealer is regularly evolving and updating its obfuscation techniques

You know what isn't changing?

the dylibs it depends on and the entitlements it requests from the OS. Combined, they give us excellent signal

github.com/100DaysofYAR...
Reposted by alden
whatthefuzzvr.bsky.social
Binary diff'ing is hard. But it's super powerful to apply markup from previous reverse engineering efforts to a new binary.

Binary Ninja is switching up how they match function signatures with WARP.

www.seandeaton.com/binary-ninja...

#binaryninja #reverseengineering #ghidra #ida #decompiler
Trying Out Binary Ninja's new WARP Signatures with IPSW Diff'ing
Binary diff'ing is pretty complex, but being able to apply markup from one binary to another is quite powerful. Binary Ninja's new WARP extends previous efforts, using SigKit, to quickly identify libr...
www.seandeaton.com
re.wtf
alden @re.wtf · Dec 21
i gotta step up my whitepaper game smh, my dad is doin numbers
craigschmidt.com
I really enjoyed #EMNLP2024. It was an honor to present our tokenization paper aclanthology.org/2024.emnlp-m.... I'm planning to post about some of my favorite papers soon, but here is a nice write-up.
Reposted by alden
greg-l.bsky.social
since I'm cold and missing #OBTS I wanted to reflect on what
@jacoblatonis.me and Tomas have gifted us with the YARA-X Macho module

the OG YARA macho parsing left a lot to be desired, and the new YARA-X ver has all sorts of goodies
Reposted by alden
aaron.cat.gf
aaron @aaron.cat.gf · Dec 13
this holiday season
re.wtf
alden @re.wtf · Dec 12
following the recent cleo ITW exploitation, @huntress.com has released our analysis of the full post exploitation chain 🚀

the final java based implant framework is really neat and includes a custom C2 protocol 🔥

huntress.com/blog/cleo-soft…
https://huntress.com/blog/cleo-soft…
Reposted by alden
aaron.cat.gf
aaron @aaron.cat.gf · Dec 9
hotties only want one thing and it's the operation triangulation exploit chain
aaron.cat.gf
aaron @aaron.cat.gf · Dec 9
blunt versus beauty
A simple black and white cartoon illustration showing a stylized representation of "ALL MODERN DIGITAL INFRASTRUCTURE" as a tower-like structure made of various rectangular blocks and components. Each component and layer of the structure is labeled with the word "backdoor" multiple times, suggesting widespread security vulnerabilities in digital systems. The illustration uses a minimalist style with basic geometric shapes and text annotations connected by lines pointing to different parts of the structure.
A diagram from Kaspersky showing the Operation Triangulation attack chain with neon green icons and text connected by dotted arrows. The chain begins with an "Attackers iMessage account" and progresses through multiple stages including PDF file, TrueType font exploit, ROP/JOP, NSExpression, bplist, and other technical components. Various CVE numbers are listed, including CVE-2023-41990, CVE-2023-32434, and CVE-2023-38606. The chain culminates in malware deployment through multiple exploitation steps involving Safari, kernel exploits, and validators.
Reposted by alden
stuartjash.bsky.social
Yesterday I got to present with the 🐐 @re.wtf. Such a blast talking thru infostealers and the telenovela that they’ve become. #OBTS really is the best, chillest conference out there. Excited for a second day of talks 🤓🍎
re.wtf
alden @re.wtf · Nov 27
we cookin' for #100DaysofYARA 🤝🔥
Reposted by alden
naehrdine.bsky.social
How does the new iOS inactivity reboot work? What does it protect from?

I reverse engineered the kernel extension and the secure enclave processor, where this feature is implemented.

naehrdine.blogspot.com/2024/11/reve...
Reverse Engineering iOS 18 Inactivity Reboot
Wireless and firmware hacking, PhD life, Technology
naehrdine.blogspot.com
Reposted by alden
gleeda.bsky.social
🧵Today’s blogpost focuses on a newer ransomware variant named SafePay. Needless to say, ransomware sucks. When this new variant appeared, it gained our attention. 👀

Let’s dig into what happened and what makes it tick ⬇️:
A redacted view of the SafePay onion website hosting information about compromised machines
Directory listing from the attacker's onion site
Apache Server info page