This "JWT_SESSION" cookie sure looks funky, with base64 encoded data between "metaPrefix" and "metaSuffix"!
66.234.147.10:8080
Posts by NETRESEC
DFRWS EU 2026 Workshops
Led by Erik Hjelmvik (Netresec, Sweden), the session is designed for practitioners and researchers working with network and memory forensics in real-world investigations.
Workshop Dates: 23–24 March 2026
Details here: buff.ly/oT8OtbE
#MemoryForensics #PCAP #TOR
DFRWS EU 2026 Workshops
All DFRWS #Workshops and Social Events are included in Registration.
Workshop Dates: 23–24 March 2026
Hybrid • Linköping, Sweden
Explore workshop details: buff.ly/Q45nyji
Register: buff.ly/lsQrqiZ
#NetworkTrafficAnalysis #MemoryForensics #DFIR #TorAnalysis
A major phishing-as-a-service platform disrupted.
Tycoon2FA enabled large-scale account compromise by bypassing MFA protections.
Through Europol's Cyber Intelligence Extension Programme, industry intelligence was turned into operational results.
Read more here: https://ow.ly/GECE50YoZIO
I'm interested in getting in touch with anyone who was involved in the WANK/OILZ worm outbreak at NASA/CERN/DoE in 1989.
I've talked to a few folks, but there are still blanks in this story - if you were part of that please ping me.
GRU unit 26165 domains: accesscan[.]org glize[.]com You've verified them, right?
21 of the world's best intelligence and security agencies cannot be wrong... right?
netresec.com?b=26233f4
DFRWS EU 2026 Workshops: Hands-on Analysis of Network Packets Carved from Memory & PCAP Analysis of Unencrypted Tor Traffic
Led by Erik Hjelmvik (Netresec, Sweden), the session is designed for practitioners and researchers working with network and memory forensics in real-world investigations.
Workshop Dates: 23–24 March 2026
Details here: buff.ly/oT8OtbE
Erik Hjelmvik will run a hands-on network forensic workshop at the upcoming Digital Forensics Research Conference in Sweden. Participants will get the chance to analyze:
- Packets carved from memory dumps
- Unencrypted Tor traffic
dfrws.org/dfrws-eu-202...
Decoding #njRAT C2 traffic to extract screenshots, commands and transferred files
netresec.com?b=262adb9
Some initial thoughts on recent disclosures concerning the December 2025 incident targeting the Polish electric sector - with a focus on #CTI elements such as attribution implications and methodology:
pylos.co/2026/01/31/a...
NetworkMiner has been around for a long time, and it shows – in a good way. It feels opinionated. It feels calm. It feels like a tool made by people who've already had a few bad days in incident response. No hype. No buzzwords. Just packets telling you what happened.
Thank you for those kind words!
www.linkedin.com/pulse/issue-...
The early bird discount, for our live online network forensics class, expires by the end of this week. Sign up if you'd like to analyze PCAP files together with Erik Hjelmvik (creator of NetworkMiner and PolarProxy).
netresec.com?b=25A2e4f
DFRWS EU 2026 is seeking posters showcasing interesting digital forensics research for presentation in Linköping, Sweden, 24–27th March 2026. Submit via EasyChair (PDF) - Rolling notification until the program is full! #DFRWSEU2026 #DFRWS #DigitalForensics
Video: Decoding malware C2 with #CyberChef
netresec.com?b=261f535
Big thank you to @thedfirreport.bsky.social for capturing this intrusion traffic!
Keylog extracted from BackConnect VNC network traffic by NetworkMiner
Keylog of attacker's hands-on keyboard actions from BackConnect VNC session
Attacker fails to inspect ad_users.txt
Here's one of the screenshots from the BackConnect VNC sessions in the blog post
Extracting VNC screenshots and keylog data from #Latrodectus BackConnect
netresec.com?b=25Cfd08
NetworkMiner 3.1 Released!
- More usernames, passwords and hostnames from #PCAP
- Improved user interface
- Better details from malware C2 traffic
netresec.com?b=25C4039
CN #APT targeting attendees of a diabetes conference in Singapore in December
attd.z23.web.core[.]windows[.]net/ATTD-ASIA-2025.zip (live link, careful!)
ATTD-ASIA-2025.lnk a12357ff6c0f7b021f32b0c9cd3d01c4
ATTD-ASIA-2025.zip a8082a80cef9ccee9d7a35f5366e3afb
gzv.msi 32e7dcbd26b6455974d5b2c52c3ca421
C2 runs on:
- portabalbufe[.]com
- 172.67.212.147:443
Other C2 indicators:
- JA3 a0e9f5d64349fb13191bc781f81f42e1
- JA4 t12d190800_d83cc789557e_7af1ed941c26
- Cert hash 25aa00e75ca12bc66ff475ebe9c6bfbd466e91ed
That's great! Long lived IOCs like that are golden.
The boring answer is of course "it depends". But most incident responders would probably agree that a C2 IP address can be considered "old" when a couple of weeks have passed since it was last seen active.
Agreed, real-world IOC decay/score varies depending on TA choices as well as the actions we take as defenders.
Fantastic that you like our ASCII Pyramid of Pain
Here's a CC0 licensed copy-paste friendly version:
infosec.exchange/@netresec/11...
I love the idea of calculating the decay rate of an IOC. It's not always strictly mathematical, because it also relies on threat actors' choices about how they use the IOCs, but as an estimate and for decision making, this seems promising.
Also, I really like @netresec.com's ASCII art Pyramid.
Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.
- Include "last seen" date when publishing IOCs
- Prune old IOCs
- Prioritize long lived IOCs over short lived ones
netresec.com?b=25Be9dd
The #DFRWSEU 2026 paper submission deadline has been extended to 10th October 2025
Submit your paper showcasing cutting-edge digital forensics research.
Submit here: buff.ly/BN8Jlnb
Conference details: buff.ly/KOw9Xpr
#DFRWS #DigitalForensics #CFP