Sekoia.io
@sekoia.io
A #SOCplatform boosted by #AI and #threatintelligence, combining #SIEM, #SOAR, #Automation in a single solution. Used by End-users, MSSP and APIs
In the third part of our series “Advent of Configuration Extraction”, we dissect #SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on #Linux systems.

buff.ly/Crz8rDh
December 15, 2025 at 1:54 PM
In the second part, we unwrap #QuasarRAT, a popular .NET remote access trojan, and show how to extract its encrypted configuration out of the binary.

buff.ly/agWWCnp
December 15, 2025 at 1:54 PM
The first part introduces #Assemblyline, the analysis pipeline used by #TDR and more specifically, the configextractor service.

buff.ly/mpEzALh
December 15, 2025 at 1:54 PM
The series outlines the methodology we employ at Sekoia’s Threat Detection & Research (#TDR) team to automate the extraction of #malware configuration data, from initial analysis to the production of usable intelligence.
December 15, 2025 at 1:54 PM
🌐 Infrastructure patterns: Redirectors hosted on compromised websites, domains registered via Namecheap/Regway, and access routed through Big Mama Proxy.
December 4, 2025 at 8:26 AM
🕸️ AiTM phishing kit: A homemade ProtonMail kit enabled credential theft and 2FA relay through injected JavaScript and attacker-controlled APIs.
December 4, 2025 at 8:26 AM
📄 Fake PDFs & redirectors: Decoy PDFs (sometimes disguised ZIP files) redirected victims through compromised websites to Calisto’s phishing kit.
December 4, 2025 at 8:26 AM
Key takeaways:
🎯 Trusted-contact impersonation: Calisto used ProtonMail accounts to send missing or faulty attachments, prompting victims to request a resend containing the malicious link.
December 4, 2025 at 8:26 AM
Our blog post provides an overview of the services facilitating this modus operandi and the market for infostealer logs tied to booking platforms, including underground activities around Booking[.]com data on Russian-speaking cybercrime forums.
November 6, 2025 at 10:27 AM
In this report, we analysed a widespread, persistent campaign distributing the PureRAT malware via the #ClickFix social engineering tactic and emails impersonating Booking[.]com.

We also detailed the fraud scheme targeting hotel customers.
November 6, 2025 at 10:27 AM
Attackers target hotel establishments to harvest credentials that grant access to booking platforms.

Those credentials are used to launch personalised fraud campaigns against hotel guests, impersonating billing services and tricking them into paying twice for their reservation.
November 6, 2025 at 10:27 AM
By correlating #Office365 events with Entra ID sign-in logs, we’ve mapped each bit in the UserAuthenticationMethod field to its corresponding authentication factor—Password Hash Sync, Windows Hello for Business, Passkeys, SMS sign-in, and more.
October 21, 2025 at 9:14 AM
🐻❄️ These exploitations led to the deployment of an undocumented TLS backdoor we dubbed the “PolarEdge Backdoor.”
🔬 This follow-up provides a detailed analysis of the backdoor, including the anti-analysis techniques it employs.
October 14, 2025 at 1:35 PM
🔙 In early 2025, we discovered the PolarEdge botnet through our honeypots.
🎯 This botnet has been active since at least November 2023 and exploits multiple vulnerabilities across a wide range of edge devices, notably Asus, QNAP, and Synology.
October 14, 2025 at 1:35 PM
🇪🇺 Target profiles: campaigns hit Belgian numbers (+32) heavily and also France, Sweden, Italy and beyond
🕸️ Infrastructure insights: tracking domains and IP clusters reveals a persistent, multi-regional smishing operation
October 2, 2025 at 1:56 PM
Key takeaways:

✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication
🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable
October 2, 2025 at 1:56 PM