It is really one battle after another!
Posts by Alireza Gharib
Yep.
New places for attackers to hide.
It's One Battle After Another.
Which is why I just dropped a Subtitles module.
github.com/StartAutomat...
#CyberSecurity #PowerShell #Accessibility
5/5 Monitor for powershell.exe with a command line containing select -Skip targeting .srt files. That’s a 100% indicator of this campaign.
#CyberSecurity #AgentTesla #BlueTeam #Malware #Torrent #SOC #Infosec2025
4/5 The effect
We’re seeing possibly thousands of active infections. This "old" Trojan is stealing:
VPN/Email logins
Browser session tokens
Live screenshots
3/5 Persistence & Stealth
It creates a scheduled task for a fake "Realtek" diagnostic tool. Before it runs, it checks for Windows Defender. If it's clear, Agent Tesla is loaded straight into memory. No file on disk = no easy footprint for AV.
2/5 It is deep!
It extracts encrypted blocks from the video file and images, moving them to:
%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache
By splitting the payload, it bypasses traditional static file scanners.
1/5 The "Subtitle" Trap
The attack starts with a shortcut launcher. It triggers a PowerShell command buried in a .srt file using math to evade detection.
$s=500*5 skips the subtitles.
$e=15*2 grabs the payload.
It literally "hides" the malware in the text you'd read on screen.
Your movie subtitle from torrent could be a password stealer!
A massive Agent Tesla campaign hiding in plain sight within a viral Leo DiCaprio film subtitle torrent. 🧵👇
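Added example (not part of the thread above, and not the campaign's own code): a small Python detector for the indicator given in 5/5 (powershell.exe whose command line uses select -Skip against a .srt file), with the "math" trick from 1/5 handled by folding literal integer expressions such as 500*5 back into their values before matching. The event records, field names and paths are constructed samples in a simplified Sysmon process-creation shape; the rule name is an assumption.

```python
"""Detect PowerShell 'select -Skip' against .srt files, folding literal math.

Added example with constructed events; not code from the thread or the campaign.
"""
from __future__ import annotations

import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed
# to the two fields the rule needs). The first mirrors the pattern the thread
# describes; the other two are benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "$s=500*5;$e=15*2;'
                    r'gc C:\Users\u\Downloads\movie.srt | select -Skip $s -First $e"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-Content .\build.log | Select-Object -Skip 3"'},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "CommandLine": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --sub-file movie.srt movie.mkv'},
]

# Literal integer expression: 500*5 or 12+3, not part of a longer token like v1.0.
_ARITH = re.compile(r"(?<![\w.])(\d+)\s*([*+])\s*(\d+)(?![\w.])")
# $name=<int> assignments after folding, so $s can be resolved to a line count.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(\d+)\b")
# 'select -Skip <n|$var>' in either the alias or the full cmdlet spelling.
_SKIP = re.compile(r"\bselect(?:-object)?\s+-skip\s+(\$\w+|\d+)", re.IGNORECASE)


def fold_arithmetic(cmd: str) -> str:
    """Evaluate literal products/sums (500*5 -> 2500); repeats until stable so
    chained forms such as 2*3*4 also collapse."""
    def _ev(m: re.Match) -> str:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str(a * b if op == "*" else a + b)

    prev = None
    while prev != cmd:
        prev, cmd = cmd, _ARITH.sub(_ev, cmd)
    return cmd


def detect_srt_skip(event: dict) -> dict | None:
    """Apply the indicator to one event; return an alert dict or None."""
    if not event["Image"].lower().endswith("powershell.exe"):
        return None
    cmd = fold_arithmetic(event["CommandLine"])
    m = _SKIP.search(cmd)
    if m is None or ".srt" not in cmd.lower():
        return None
    assigns = {k: int(v) for k, v in _ASSIGN.findall(cmd)}
    ref = m.group(1)
    skip = assigns.get(ref[1:]) if ref.startswith("$") else int(ref)
    return {"rule": "powershell_select_skip_srt",   # assumed rule name
            "skip_lines": skip,
            "normalized_cmdline": cmd}


def scan_events(events: list[dict]) -> list[dict]:
    """Run the rule over a batch of events and collect the alerts."""
    return [a for a in (detect_srt_skip(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Folding the arithmetic before matching is what makes the rule robust to changing the literals: the skip offset comes out as a plain number (2500 lines here) that can be compared across sightings, while the benign Select-Object on a .log file and the media player opening a subtitle file stay quiet.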
Check out the full release notes here:
www.qubes-os.org/news/2025/12...
#CyberSecurity #InfoSec #QubesOS #ZeroTrust #OpenSource #Virtualization #Privacy
5/5 Upgraded Templates: Fresh support for Whonix18, Debian13, and Fedora42 means our isolated environments are running the latest security patches and toolsets.
For handling high-risk workloads, sensitive infrastructure access, or malware analysis, Qubes OS remains the gold standard for endpoint security.
4/5 New Device API: The "self-identity oriented" device assignment makes managing untrusted hardware (USB, PCI) more intuitive and granular. In an era of BadUSB and firmware attacks, this is a non-negotiable feature.
3/5 GUI Domain Evolution: The continued progress on the GUIVM (GUI/Admin domain splitting) is a massive win. By moving the graphical stack out of Dom0, the Trusted Computing Base (TCB) is further reduced, minimizing the impact of potential GPU or display driver exploits.
2/5 Xen 4.19 & Hardened Dom0: Upgrading to Xen 4.19 and Fedora 41 for Dom0 ensures the hypervisor—the heart of the system—stays ahead of the vulnerability curve with better performance and hardware support.
1/5 With the official release of version 4.3.0, the Qubes team has pushed the boundaries of compartmentalization even further. From a specialist perspective, here is why this update matters:
Moving Toward a Zero-Trust Desktop: Qubes OS 4.3.0 is Here 🛡️
The "Last Bastion" of digital security just got stronger. As cybersecurity professionals, we often talk about defense-in-depth, but Qubes OS 4.3.0 actually delivers it at the hardware and kernel level.👇🧵
4/4 Analyst Take: 🛠️
If your "Product" is your "Data," your DRM needs to be monitored as closely as your Firewall. If you can't see the 300TB walking out the door, you're not looking at the right logs. 🕵️♂️🔒
#Spotify #CyberSecurity #DRM #Piracy #TechNews2025
3/4 Human Impact: For us, it’s a "security incident." For the artist, it’s the loss of control over their work. Piracy 2.0 isn't just about "free music"—it's about the total bypass of the technical barriers that keep the industry afloat.
2/4 Why 85 Million? That number represents roughly 99.6% of all music actually listened to on the platform. This wasn't a random grab; it was a surgical "archiving" of the world's active music library.
1/4 The SOC Angle: As analysts, we track "Exfiltration." But when a scraper mimics a human listener across millions of accounts, the traffic blends in. This is why Behavioral Fingerprinting is more important than simple rate limiting.
The Spotify "85 Million" isn't a data leak—it's an Asset Heist. 🧵👇
A massive DRM bypass has reportedly allowed the scraping of 85M songs (approx. 300TB). This isn't about leaked passwords; it's about the keys to the kingdom being copied.
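Added example (not part of the thread, and not based on any real platform's telemetry): a Python sketch of the contrast drawn in 1/4 between a simple per-minute rate limiter and behavioural fingerprinting of a playback stream. The playback events, thresholds and feature names are all constructed; the "scraper" account stays far below the rate limit yet walks the catalogue in ID order, plays every track to the end and starts the next one on a fixed clock.

```python
"""Rate limiting vs behavioural fingerprinting on constructed playback events.

Added example; events and thresholds are made up for illustration.
"""
from statistics import mean, pstdev

RATE_LIMIT_PER_MIN = 30   # constructed threshold for the naive limiter

# Constructed events: (account, track_id, start_ts_sec, seconds_played, track_len_sec)
HUMAN = [
    ("acct-a", 4821, 0, 215, 215),     # full play
    ("acct-a", 77, 230, 40, 190),      # skipped after 40 s
    ("acct-a", 4821, 280, 215, 215),   # replayed the first track
    ("acct-a", 9130, 520, 180, 180),
    ("acct-a", 12, 900, 12, 240),      # bailed almost immediately
    ("acct-a", 3301, 930, 200, 200),
]
# One play every 200 s: well under the limit, but perfectly regular and in ID order.
SCRAPER = [("acct-b", 1000 + i, i * 200, 200, 200) for i in range(10)]


def rate_limited(events, limit=RATE_LIMIT_PER_MIN) -> bool:
    """Sliding 60-second window; True if any window holds more than limit starts."""
    starts = sorted(e[2] for e in events)
    lo = 0
    for hi, t in enumerate(starts):
        while starts[lo] < t - 60:
            lo += 1
        if hi - lo + 1 > limit:
            return True
    return False


def fingerprint(events) -> dict:
    """Behavioural features of one account's playback stream."""
    ev = sorted(events, key=lambda e: e[2])
    ids = [e[1] for e in ev]
    starts = [e[2] for e in ev]
    seq = [b - a == 1 for a, b in zip(ids, ids[1:])]      # catalogue walked in order?
    gaps = [b - a for a, b in zip(starts, starts[1:])]    # spacing between starts
    return {
        "sequential_id_ratio": sum(seq) / max(len(seq), 1),
        "full_play_ratio": sum(e[3] >= 0.99 * e[4] for e in ev) / len(ev),
        # coefficient of variation of the gaps: ~0 means a machine clock
        "interval_cv": (pstdev(gaps) / mean(gaps)) if gaps and mean(gaps) else 0.0,
        "repeat_ratio": 1 - len(set(ids)) / len(ids),
    }


def classify(events) -> str:
    """Constructed decision rule: three or more machine-like traits => scraper."""
    f = fingerprint(events)
    indicators = [
        f["sequential_id_ratio"] > 0.8,
        f["full_play_ratio"] > 0.95,
        f["interval_cv"] < 0.1,
        f["repeat_ratio"] == 0.0,
    ]
    return "scraper" if sum(indicators) >= 3 else "human"


if __name__ == "__main__":
    for label, ev in (("human", HUMAN), ("scraper", SCRAPER)):
        print(label, "rate_limited:", rate_limited(ev), "verdict:", classify(ev))
```

The point of the toy is the pairing of outcomes: both accounts pass the rate limiter, and only the behavioural features separate them. In production the features would be learned per cohort rather than hand-set, and a scraper spread across many accounts would be fingerprinted on shared traits (client, timing clock, catalogue order) rather than per account.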
The "AI Pivot" is exhausting, but it’s the new baseline. If you’re a SOC Analyst in 2025, you’re also an AI Security Engineer.
Stay vigilant. The payload is in the weights. 🛡️
#CyberSecurity #SOCLife #BlueTeam #AISecurity #PickleScan #InfoSec2025 #MachineLearning
Humanizing the Blue Team: ☕
Let’s be real—I signed up to analyze network packets, and now I’m having to learn the inner workings of Neural Networks just to keep the lights on.
My current hunting stack:
✅ Semgrep to scan internal repos for unsafe deserialization.
✅ EDR custom rules for Python processes spawning /bin/bash.
The SOC Analyst Reality Check: 🛠️
We’ve had to pivot our detection logic overnight.
If you aren't monitoring sys_audit logs for unexpected pickle.load calls from unverified workstations, you have a massive blind spot.
Why is this different? 🔍
Standard EDR treats AI models as static data. But when a model is loaded via torch.load(), it’s actually executing code.
I see China-linked clusters (UAT-9686) using these Poisoned Weights to establish persistence without a single suspicious binary ever hitting the disk.
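Added example (not part of the posts, and not picklescan's or PyTorch's code): the static check that the thread's concern about torch.load() and pickle.load rests on. A pickle is a small bytecode; walking it with pickletools.genops lists every import (GLOBAL / STACK_GLOBAL) and every opcode that could call one (REDUCE and friends) without unpickling anything, so nothing executes. The allowlist and the three sample pickles are constructed; the os.getenv stream is harmless but sits outside the policy, which is exactly what such a scanner should say.

```python
"""Static opcode scan of a pickle stream (picklescan-style), with constructed samples.

Added example; the allowlist is illustrative, not a vetted policy.
"""
import collections
import os
import pickle
import pickletools

# Constructed allowlist: globals a plain state_dict-style checkpoint may reference.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
_CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcodes; report imports outside the allowlist and call-capable ops."""
    memo = {}        # memo slot -> string value (only strings matter for imports)
    strings = []     # string values pushed, in order; STACK_GLOBAL uses the last two
    last = None      # most recent pushed value, if it was a string
    findings, call_ops = [], 0
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in _STRING_OPS:
            strings.append(arg)
            last = arg
        elif name in _GET_OPS:                   # re-use of a memoized string
            last = memo.get(arg)
            if last is not None:
                strings.append(last)
        elif name == "MEMOIZE":                  # unpickler stores top at slot len(memo)
            memo[len(memo)] = last
        elif name in _PUT_OPS:
            memo[arg] = last
        else:
            if name == "GLOBAL":                 # pickletools renders "module name"
                module, attr = arg.split(" ", 1)
                if (module, attr) not in ALLOWED_GLOBALS:
                    findings.append((module, attr))
            elif name == "STACK_GLOBAL":         # module and name come from the stack
                module, attr = strings[-2], strings[-1]
                if (module, attr) not in ALLOWED_GLOBALS:
                    findings.append((module, attr))
            elif name in _CALL_OPS:
                call_ops += 1
            last = None                          # anything else pushes a non-string
    return {"findings": findings, "call_ops": call_ops, "safe": not findings}


def build_samples() -> dict:
    """Constructed pickles: bare weights, a checkpoint-like OrderedDict, and a
    stream that imports os.getenv (harmless, but outside the policy)."""
    return {
        "weights": pickle.dumps({"fc.weight": [0.1, -0.2], "fc.bias": [0.0]}),
        "ordered": pickle.dumps(collections.OrderedDict(w=1.0)),
        "imports_os": pickle.dumps(os.getenv),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, scan_pickle(blob))
```

The scanner takes raw pickle bytes; for a zip-format PyTorch checkpoint the stream to hand it is the data.pkl member. It complements, rather than replaces, loading with torch.load(path, weights_only=True), which restricts the unpickler to an allowlist at load time; the static pass is what lets a repo or artifact store reject a file before any workstation ever opens it, which is the blind spot the thread describes.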