Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. 🧵

The cloud threat research team at Proofpoint has discovered an account takeover campaign targeting around 40,000 users.

Malicious activity has been recorded as early as Feb. 2nd, with a surge on Feb. 10th and a peak on Feb. 12th.

There's a new ClickFix variation called FileFix

This one works by tricking users into copying a file path in Windows Explorer.

Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path

mrd0x.com/filefix-clic...

Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab We conducted a forensic analysis of devices belonging to two journalists who were notified by Apple that they were targeted with advanced spyware.

NEW @citizenlab.ca report confirms the targeting of two more journalist with #Paragon spyware in the context of 🇮🇹

Details here: citizenlab.ca/2025/06/firs...

@billmarczak.org @jsrailton.bsky.social

The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. www.welivesecurity.com/en/eset-rese... 1/6

First page of the paper

Wrote a paper, with Daniel Nakov, on comparing the #quality & the speed of #malware analysis assisted by #r2ai, or without.

Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.

arxiv.org/pdf/2504.07574

cc: @radareorg.bsky.social #arxiv #radare2

Malicious VSCode extensions infect Windows with cryptominers Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.

Malicious VSCode extensions infect Windows with cryptominers #cybersecurity #hacking #news #infosec #security #technology #privacy www.bleepingcomputer...

#ESETresearch has discovered a zero day exploit abusing #CVE-2025-24983 vulnerability in Windows Kernel to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through #PipeMagic backdoor on the compromised machines. 1/4

Hindsight v2025.03 Released! Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.

There's a new Hindsight release!

Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.

🌐 Blog: dfir.blog/hindsight-pa...
🛠️ Tool download: hindsig.ht/release

#DFIR #Chrome #Extensions

Chrome 134 is out and there's a new system that automatically blocks unpacked Chrome extensions from running if Developer Mode is not enabled first.

No more platform-hopping! 🕵️‍♂️ Hunt across all abuse.ch platforms with just 1️⃣ simple query. 🔎 Search for any IPv4, domain, URL, or file hash, and instantly see if it’s been identified on any abuse.ch platform!

Start your hunt now 👉 hunting.abuse.ch

Comparing Decai decompilation using @anthropic.com 's Claude 3.5 vs 3.7 with a simple strcoll wrapper function #r2ai #radare2

You receive a laptop (powered off) in a high-stakes case. You are told the owner is extremely technical but given no useful technical details. The laptop is modern, with chassis intrusion features, and you must assume Secure Boot & BitLocker are in use. How do you proceed? #DFIR

An inside look at NSA (Equation Group) TTPs from China’s lense

If you live in the West, it's not often you read about CIA/NSA cyber operations against China. But here's one: "How the NSA Allegedly Hacked China’s Northwestern Polytechnical," a leading Chinese university specializing in aerospace & defence. www.inversecos.com/2025/02/an-i...

Screenshot showing the execution of the proof-of-concept named PowerChell in comparison to a typical PowerShell prompt. In particular, it shows that PowerChell is able to bypass the Constrained Language Mode (CLM).

In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪

👉 blog.scrt.ch/2025/02/18/r...

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...

@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...

#dfir #threatintel #m365security

Release v0.13.0 · VirusTotal/yara-x Implemented basic linting via the check command. Refactor the format of JSON output (#281). Parse Mach-O certificates (#276). Allow using previously defined variables in with statements (#287). BUG...

YARA-X 0.13.0 is out: github.com/VirusTotal/y...

As always, Victor and the contributors are cranking out quality improvements!

In particular, check out the docs on how to use the formatter and linter and open issues (or tell me somehow) if you hit bugs or have things you want to see.

The threat landscape in H2 2024 was quite tumultuous when it comes to some of the most prominent infostealer threats. One of them, the notorious #RedLine Stealer, finally met its demise after being taken down by law enforcement in #OperationMagnus. #ESETresearch 🧵 1/5

by savage | 2025-01-22

A "code family" is a basic concept in @vertexproject.bsky.social's approach to tool analysis. Check out the next installment in Mary Beth Lee's malware manifesto as she defines "code family", how it differs from "malware family", and how this aids your #CTI analysis!

vertex.link/blogs/catego...

#100daysofyara todays rule is detecting patched clr.dll in memory AmsiScanBuffer bypass. My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.

Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...

Venture Windows Log Viewer: Early Alpha Overview Introducing Venture, a cross-platform viewer for Windows Event Logs! This is an overview of the early alpha at v0.2.0. Grab Venture at https://github.com/mttaggart/venture/releases/latest!

Here's a video overview of Venture, the cross-platform Windows Event Viewer. Version 0.2.0 now has the ability to join multiple .evtx files into a single view!

www.youtube.com/watc...

Grab Venture here: github.com/mttaggart...

Intune Attack Paths — Part 1 Intune is an attractive system for adversaries to target…

Check out this new blog post from @andyrobbins.bsky.social discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ghst.ly/3Cd5cwH

live #dprk fake interview site up and running if you're looking to experiment ... digitptalent[.]com ... both windows and mac malware

Even on Friday evenings? 😈

I know the feeling! 🤣

GitHub - Santandersecurityresearch/DrHeader: drHEADer helps with the audit of security headers received in response to a single request or a list of requests. drHEADer helps with the audit of security headers received in response to a single request or a list of requests. - Santandersecurityresearch/DrHeader

You might find this helpful
github.com/Santandersec...

*non-cyber people 😄

Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar

Just put out this research on MiTM PaaS kits labeled Rockstar and Flowerstorm over the past few months. While my name is on this I partnered with two researchers, Josh Rawles and Jordon Olness who did a bulk of the work alongside @thepacketrat.net, and Colin Cowie who are all individually brilliant!

GitHub - yo-yo-yo-jbo/dictiopwn: Unix-based dictionary attack utility Unix-based dictionary attack utility. Contribute to yo-yo-yo-jbo/dictiopwn development by creating an account on GitHub.

Did you know that you can conduct an easy local dictionary attack on Linux without lockout times? Wrote a small tool for that, feel free to check it out:
github.com/yo-yo-yo-jbo...