Tony Lambert
@ForensicITGuy
3.9K posts

Recovering sysadmin that now chases adversaries instead of uptime. Sr Malware Analyst @redcanary

Tennessee · Joined November 2011
1.2K Following · 6.1K Followers

Tony Lambert reposted
Ferdous Saljooki @malwarezoo
In macOS Tahoe 26.4 Apple added a new security feature to Terminal that warns users of potentially malicious pastes with a "Possible malware, Paste blocked" prompt. Here's how it actually works 🧵

Tony Lambert @ForensicITGuy
Sometimes adversaries bring in their own tools, and if they leave behind a VM disk, analysis is fair game. In this post we look at some tools an adversary brought during a social engineering campaign. sprou.tt/1tw5BYzWIb1

Tony Lambert reposted
Threat Insight @threatinsight
In a revealing blog, we detail the #digitaltransformation of cargo theft: a criminal enterprise that leads to $34 billion in annual losses. Threat actors are combining #socialengineering w/ transportation industry knowledge to steal real physical goods. brnw.ch/21wX9UA

Tony Lambert reposted
Microsoft Threat Intelligence @MsftSecIntel
In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware. We identified this Vanilla Tempest campaign in late September 2025, following several months of the threat actor using fraudulently signed binaries in attacks. In addition to revoking certificates, Microsoft Defender Antivirus detects the fake setup files, Oyster backdoor, and Rhysida ransomware, and Microsoft Defender for Endpoint detects Vanilla Tempest TTPs.

Vanilla Tempest, tracked by other security vendors as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The threat actor has used various ransomware payloads, including BlackCat, Quantum Locker, and Zeppelin, but more recently has been primarily deploying Rhysida ransomware.

In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top. Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning. Running the fake Microsoft Teams setups delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor. Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025. To fraudulently sign the fake installers and post-compromise tools, Vanilla Tempest was observed using Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.

Fully enabled Microsoft Defender Antivirus blocks this threat. In addition to detections, Microsoft Defender for Endpoint has additional guidance for mitigating and investigating this attack. While these protections help secure our customers, we're sharing this intelligence broadly to help strengthen defenses and improve resilience across the entire cybersecurity community.

Tony Lambert @ForensicITGuy
It's not just you, most of the macOS stealers look the same nowadays, but there are subtle differences between stealer families to tell them apart. If you're a stickler for detail like us, you might enjoy this post showing differences between the malware. sprou.tt/1cb631gju8p

Tony Lambert reposted
Squiblydoo @SquiblydooBlog
"FUD" from VirusTotal. Signed, 112 MB file. Let's analyze. File is SingleFile .NET; I see this with Malcat: Debug and Exports indicate it is SingleFile (green arrows in image). Also, Malcat carved 270 PEs out of the overlay (blue arrow), indicative of SingleFile .NET. 1/8
Quoting MalwareHunterTeam @malwrhunterteam:
"Armstrong Systems & Consulting Inc." (Microsoft given cert) signed "OrderConfirmation_[PROTECTED].exe" sample: a0e687868361593a50b09f28cb8be4c61d00aa6335d321188399adf38b4e1b28

Tony Lambert reposted
Squiblydoo @SquiblydooBlog
"FUD" Hijackloader signed "MRDUFORT VENTES/SERVICE INC." 38c60fd0e51b21b580552430f1ef55b7a41a1c6894ee61edc0707644d6c0b977. Binary is inflated to 600MB (image 2; Malcat shows a 630MB overlay). Clicking into it shows repeated bytes (image 3), which Debloat can process (image 4). 1/2

Tony Lambert reposted
Applied Network Defense @NetworkDefense
In our latest Analyst Skills Vault Lesson, Michael Fischler steps through analysis of the LummaC2 MaaS Infostealer. He'll demonstrate several tools and strategies for breaking down the malware's intent.

Tony Lambert reposted
Red Canary, a Zscaler company
Just 2 days until the next session in our Detection Series! This time, we’re covering all things initial access — and how to better defend against these evolving tactics. 🎯 This session is a must-attend for blue teams and threat analysts. ➡️ Register now before the last-minute spots fill up: bit.ly/4df8VYx

Tony Lambert reposted
Red Canary, a Zscaler company
✨ Red Canary ➕ @zscaler Today we are announcing Zscaler’s agreement to acquire Red Canary. It’s a major milestone in our journey. This is a significant step forward in our mission to improve security operations, not just for our customers, but for the entire cybersecurity community. 🧵⬇️

Tony Lambert reposted
Applied Network Defense @NetworkDefense
In our latest Analyst Skills Vault lesson, @ForensicITGuy walks through a dynamic analysis of the Meduza Stealer Malware, focusing on host-based artifacts.

Tony Lambert reposted
Red Canary, a Zscaler company
JUST IN: Red Canary Intel has observed activity exploiting a newly-documented unrestricted file upload vulnerability in SAP NetWeaver Visual Composer, software used to develop enterprise applications for business analysts. 🔗 Read our blog for detection opportunities and indicators of compromise: bit.ly/3RF2STl

Tony Lambert reposted
VMRay @vmray
Threat Detection Highlights Webinar series – April Edition: This month's session is extra special. zoom.us/webinar/regist…

We're excited to welcome Tony Lambert @ForensicITGuy, Senior Malware Analyst at @redcanary, known for his sharp research and impactful community contributions. Joining him is Patrick Staubmann from @vmray Labs, who will bring his researcher's lens to the latest detection techniques and platform updates.

On the agenda:
🧠 Detecting CPU property queries via registry (new VTI)
🕵️‍♂️ Anti-sandbox YARA rules: Latrodectus, Hijackloader & "Paste & Run"
💥 Ransomware-focused YARA detection
🐀 RAT config extraction + DNS tunneling
⚡ Quick sandbox demo

🎯 Save your seat now — you won't want to miss this deep dive into the latest threat detection techniques: zoom.us/webinar/regist…

Tony Lambert reposted
Chrome for Developers @ChromiumDev
Chrome 136 now has enhanced cookie security 🍪 → goo.gle/3DMf5SS Changes to remote debugging switches protect your data. Find out how the --remote-debugging-port and --remote-debugging-pipe switches are now being handled.

Tony Lambert reposted
Tanner @wbmmfq
PSA: if you use an MDR/MSSP, name your servers, or at the very least your DCs, descriptively. Cutesy names aren't gonna be helpful when we're in the middle of a hands-on intrusion and we have to decide whether or not to lock down your whole network.