Florian Roth ⚡️
@cyb3rops
37.1K posts

Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim

Frankfurt, Germany. Joined June 2013
2.6K Following, 219.1K Followers

Pinned Tweet
Florian Roth ⚡️ @cyb3rops
I've decided to put a screenshot showing the hex editor view of a Turla Kazuar sample behind acrylic glass on my desk to always remind me, why I am doing all this ... because I 💛 to be a pain in the neck of the bad guys twitter.com/cyb3rops/statu…
Florian Roth ⚡️@cyb3rops

It seems that I have some fans over in Russia 🐻 #TurlaLicksAss thx to the FireEye analyst who brought this to my attention virustotal.com/gui/file/4417c…
Florian Roth ⚡️ @cyb3rops
Checking a Linux system for CopyFail exploitation traces with THOR Cloud Lite

The video is 1 min long. It shows:
- creating a THOR Cloud Lite campaign
- copying the one-liner
- running it on a Linux system
- reviewing the first findings in the report

Actual scan time: ~3 minutes

The scan shows traces in:
- SSH session memory
- Bash history
- command execution artifacts

So with less than a minute of manual work, you can check a Linux system for CopyFail exploitation traces using a free tool. No agent rollout, no complex setup, no “please install this platform first” ritual. thorcloud-lite.nextron-systems.com/ui/campaign
Michi @j3gm0194
@JulianAdrat Want to bet that this massive property damage won't be prosecuted? The incompetence of the police shows in the fact that there was no surveillance of this location beforehand. Property damage is apparently in the left-green interest of this filthy moloch.
Julian Adrat @JulianAdrat
“Blowjobs” from the sky: on May 1, Berlin's saturated “cultural scene” celebrates its decadent self-reflection, while outside an entire country is starting to slide. Decay as a lifestyle. Berlin isn't simply broken; Berlin is sick. How much more proof is needed?
Florian Roth ⚡️ @cyb3rops
Built a fun little project this weekend: surface-watch

It’s a lightweight external attack surface monitoring framework that builds scope from known FQDNs and IPs plus automatic root-domain discovery using passive providers like DNSDumpster, Chaos, and OTX, resolves candidate hosts, scans externally reachable ports with nmap, stores history in SQLite, detects meaningful changes between scans, and sends grouped alerts to Slack, Teams, or Discord

I also added an AGENTS.md setup guide so you can just point your agent at the repo, answer a few setup questions, and get going pretty quickly github.com/Nextron-Labs/s…
Florian Roth ⚡️ @cyb3rops
Florian Roth ⚡️@cyb3rops

Anyone else seeing Microsoft #Defender flagging #DigiCert root certificate registry keys as malware?

We’ve seen reports that the Defender signature update from April 30 added a detection called: Trojan:Win32/Cerdigent.A!dha

In some environments, Defender apparently detected DigiCert Root CA certificate registry entries and removed them from the trust store.

The affected cert hashes mentioned so far:
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

Example path:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

There’s also a Reddit comment suggesting Microsoft has started restoring the certs and that admins can check this via Advanced Hunting in Defender:

DeviceRegistryEvents
| where RegistryKey contains "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43" or RegistryKey contains "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4"
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc

On an affected device, this can also be checked with:
certutil -store AuthRoot | findstr -i "digicert"

Could become an annoying day for admins if this spreads reddit.com/r/cybersecurit…
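A per-host check that complements the Advanced Hunting query and the certutil one-liner in the tweet above: it tests, for each of the two thumbprints quoted there, whether the AuthRoot registry key still exists and whether the certificate is visible in the LocalMachine\AuthRoot store, then lists any Defender detection on the host whose threat name starts with Trojan:Win32/Cerdigent. This is an added example, not code from the tweet, the Reddit thread or Microsoft; the only page-specific values it uses are the two thumbprints and the detection name.

```powershell
# Added example (not from the tweet): verify the DigiCert AuthRoot entries
# named in the thread on the local Windows host. Run in an elevated shell.
$thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$regBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

$results = foreach ($tp in $thumbprints) {
    # Registry view: the key that Defender was reported to remove
    $keyPresent = Test-Path -Path (Join-Path -Path $regBase -ChildPath $tp)

    # Certificate store view through the Cert: PSDrive (same store, API view)
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot' |
        Where-Object { $_.Thumbprint -eq $tp }

    $subject = if ($cert) { $cert.Subject } else { '<not present>' }
    $status  = if ($keyPresent -and $cert) { 'present' } else { 'MISSING' }

    [pscustomobject]@{
        Thumbprint  = $tp
        RegistryKey = $keyPresent
        InStore     = [bool]$cert
        Subject     = $subject
        Status      = $status
    }
}
$results | Format-Table -AutoSize

# Defender's own detection history on this host: any hit on the Cerdigent
# name tells you the removal came from the signature, not from something else.
Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' } |
    Select-Object ThreatName, IsActive, Resources |
    Format-List
```

AuthRoot is populated on demand by Windows' automatic root update, so a missing entry alone is not proof that Defender removed it; treat the registry/store result together with the Defender detection output.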
Squiblydoo @SquiblydooBlog
@cyb3rops @itquartz Maybe you’ve seen this, but the bugzilla issue seems unrelated. That issue had not impacted DigiCert’s certificate. The Defender issue seems like an unfortunate mistake.
Florian Roth ⚡️ @cyb3rops
Small correction / clarification: The DigiCert Bugzilla incident around misissued code signing certificates may be unrelated to this Defender issue. That incident affected a limited set of code signing certificates. It did not mean DigiCert root certificates themselves were compromised. So Defender flagging/removing DigiCert AuthRoot registry entries currently looks more like an unfortunate detection mistake than an intentional trust-store response. Still waiting for Microsoft confirmation, but that distinction matters
Florian Roth ⚡️@cyb3rops

Okay, wow bugzilla.mozilla.org/show_bug.cgi?i…
Florian Roth ⚡️ retweeted
Dark Web Informer @DarkWebInformer
🚨 The cPanel Situation Is Spiraling Fast

On April 29, CVE-2026-41940 was disclosed: a critical pre-authentication bypass in cPanel/WHM that lets remote attackers skip the login flow entirely and gain elevated access. Within 24 hours, it was already being weaponized.

Censys watched the fallout in real time.

The 6-day timeline (cPanel hosts flagged malicious):
Apr 26: 117
Apr 27: 47
Apr 28: 106
Apr 29: 70
Apr 30: 146
May 1: 15,448

On May 1 alone, total malicious hosts jumped by +19,131, and 15,302 of those (roughly 80%) were cPanel/WHM systems. Compare that to the prior days where cPanel made up well under 1.2% of daily changes. This was not background noise. It was a coordinated spike.

Top affected providers:
DigitalOcean: 1,043
Contabo: 716
OVH: 501
Vultr: 391
Oracle: 321
Unified Layer: 280
Hetzner: 277
Akamai/Linode: 275
GoDaddy: 209
Microsoft: 169

With 1,052,657 cPanel/WHM hosts exposed on the public internet and only 9,595 currently flagged as malicious, the attack surface is enormous and growing.

At least two campaigns are running in parallel: a Mirai botnet variant (nuclear.x86) deployed post-compromise, and a ransomware campaign tied to the Sorry/Hidden-Tear family.

Ransomware footprint: ~7,000 cPanel servers with ".sorry" encrypted files
6,465 hosts: index.html.sorry
1,637 hosts: index.php.sorry
795 hosts: wp-config.php.sorry
Victims directed to attackers via qTox

If you run cPanel/WHM, patch immediately.

Source: censys.com/blog/the-cpane…
Florian Roth ⚡️ retweeted
Iceman @herrmann1001
Mind blown 🤯 Some smartphones sold in mainland China (like certain OPPO models) can read MIFARE Classic cards, crack the keys in seconds, store them, and then fully emulate the card directly on the phone. No extra hardware. Just the phone. Access control, transit cards, hotel keys… game over. Huge thanks to Ian for showing me this in person. Really eye-opening how far NFC capabilities have gone in some regions. Who else has seen this in the wild? #NFC #MIFARE #TechSecurity #oppo
Florian Roth ⚡️ @cyb3rops
Interesting detail: the last revoked #DigiCert code signing cert in that incident was on Apr 17

The Defender signature update that apparently started flagging/removing DigiCert AuthRoot entries came more than 10 days later

So I’m wondering what the intended mechanism was here. Maybe Microsoft tried to force Windows to rebuild or refresh some certificate trust state??

Still weird to see this implemented by removing root cert registry keys from the trust store, given the possible side effects

Pretty brutal way to do it
Florian Roth ⚡️ retweeted
Mike Benz @MikeBenzCyber
Incredible. The public pressure on the EU over its Digital Censorship Act has led EU censors to move to closed-doors meetings and auto-delete messages in coordinating their censorship ops.
James Holland@James7Holland

In Politico today: Senior 🇪🇺 official admits greater public scrutiny of DSA has led to meetings becoming secret and his staff using Signal to communicate—thereby making it virtually impossible for voters/journalists to probe work of this EU department. Something to hide?
Florian Roth ⚡️ retweeted
H4x0r.DZ 🇰🇵 @h4x0r_dz
HackerOne just got a company breached. ClickUp's April 27th data leak? Directly caused by HackerOne's triage failure. They closed a critical report (893 exposed emails + a live API token) as a "duplicate" twice. Their AI or analysts auto-close valid findings as "informative" while real vulnerabilities fester. This wasn't a one-off. HackerOne did it to ClickUp at least three times. If you run a bug bounty on HackerOne, your security is in the hands of broken triage. Don't wait for a public shaming to find out they buried your next breach. Ditch HackerOne. clickup.com/blog/april-27t…
Florian Roth ⚡️ retweeted
Konstantine Buhler @Konstantine
Narrative violation and great insight from the latest Citadel Securities banger by Frank Flight: "We illustrated back in February that demand for software engineers, the most AI exposed occupation was accelerating higher, which we argued violates the displacement narrative. Indeed the acceleration in software job postings has continued, now up 18% from the inflection point in May last year."
Florian Roth ⚡️ retweeted
luthira @luthiraabeykoon
We implemented @karpathy 's MicroGPT fully on FPGA fabric. No GPU. No PyTorch. No CPU inference loop. Just a transformer burned into hardware, generating 50,000+ tokens/sec. The model is small, but the idea is not: inference does not have to live only in software 👇
Stjepan @sosojni
@Schuldensuehner All Germany needs is battery systems like South Australia and some US states. No more negative prices + cheaper electricity in times when usage spikes.
Holger Zschaepitz @Schuldensuehner
Good Morning from Germany, where electricity prices are now regularly falling below zero around midday. On May 1, they even dropped to the floor at -49.999 cents per kilowatt hour. The reason is simple: we are generating more solar power than we can use or store. As a result, Germany has to cover the gap between these negative market prices and the guaranteed feed-in tariffs paid to producers—an expensive outcome. These prices are a clear indication of the utterly disastrous energy transition.