Daniel Stepanic

317 posts

Daniel Stepanic

Daniel Stepanic

@DanielStepanic

Malwarez at @elasticseclabs | Macrodata Refinement

Katılım Mart 2011
642 Takip Edilen1.3K Takipçiler
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
We tracked a new activity cluster targeting Mexican banking customers. Elastic Security Labs discovered REF6045, an operator-assisted banking fraud campaign targeting customers of Mexican banks, fintechs, and cryptocurrency platforms through ClickFix fake-CAPTCHA lures. The operation exhibits a reliance on AI-generated code and suffers from significant operational security (OPSEC) failures that exposed their infrastructure and their toolkit. The toolkit gives operators a full fraud workflow from: •Vishing overlay: lock the screen behind a fake bank warning •Browser redirect: paste a phishing URL via automated keystrokes •Clipboard swap: replace CLABE or card numbers mid-transfer •Remote access: install Remote Utilities for hands-on takeover Research by @k33b0i and @soolidsnakee. Full analysis from Elastic Security Labs: go.es.io/4eP6VZF
Elastic Security Labs tweet media
English
3
25
70
5.9K
Daniel Stepanic retweetledi
cr3ghost
cr3ghost@cr3ghost·
LLMs can now reverse engineer obfuscated malware. But what happens when malware authors use LLMs to iteratively obfuscate back? Elastic Security Labs explored the arms race between LLM-driven reverse engineering and LLM-driven obfuscation. Who wins when both sides have the same tools? This is the question every malware analyst, detection engineer, and red or blue teamer needs to be thinking about right now. elastic.co/security-labs/… Author: @elasticseclabs #MalwareAnalysis #ReverseEngineering #InfoSec
cr3ghost tweet mediacr3ghost tweet mediacr3ghost tweet mediacr3ghost tweet media
English
8
64
304
18.7K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
OXLOADER is staging shellcode in the PE .reloc section. Detection rates are low. New research from Elastic Security Labs. Legitimate toolchains don't emit code into .reloc. It's a static-analysis red flag, but most engines aren't catching it in practice. Before dropping the payload, OXLOADER runs 5 checks: - Emulation: malformed WNetAddConnection2W call, expects ERROR_BAD_NAME (0x43) - CPU count: 3+ CPUs required - RAM: 3 GB minimum via GlobalMemoryStatusEx - Display refresh rate: 20 Hz floor via WMI Win32_VideoController - Geography: CIS GEOIDs and Russian LANGID excluded Pass all five, and a copied system DLL gets a new .xtext section injected with the shellcode. DonutLoader wraps the final payload: CASTLESTEALER. Distributed via Google Ads impersonating Node.js. The ad campaign targeted US-based victims. The advertiser account has since been removed. Elastic Defend catches the full chain behaviourally. Static engines largely miss it. Full technical breakdown, YARA rules, and IOCs visit go.es.io/4w1aq4V from @DanielStepanic and @k33b0i:
Elastic Security Labs tweet media
English
2
25
99
13.9K
Daniel Stepanic retweetledi
ESET Research
ESET Research@ESETresearch·
#ESETresearch has discovered a supply-chain attack targeting stock investors in 🇻🇳Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform. welivesecurity.com/en/eset-resear… 1/4
ESET Research tweet media
English
2
31
110
8.9K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
PHANTOMPULSE routes C2 through Ethereum/Base/Optimism transaction inputs. The blockchain resolver has zero sender verification. That means one transaction from a defender overrides the C2 URL for every active implant simultaneously. @soolidsnakee reverse-engineered the full implant: three injection techniques, a shared HWBP primitive that kills AMSI/WLDP/ETW in a single handler, and a 580c XOR signature you can use to hunt sibling wallets right now. go.es.io/43Puuep
Elastic Security Labs tweet media
English
0
14
25
2.1K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
We uncovered a new Brazilian banking trojan campaign: TCLBANKER. What makes TCLBANKER notable isn’t just the malware itself, but how it spreads. The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection. For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit. Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign. Read the full analysis: go.es.io/4ewvCKF
Elastic Security Labs tweet media
English
1
32
86
14K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy. So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it? We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs. Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses. The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces. The arms race just shifted.
Elastic Security Labs tweet media
English
5
88
319
30.6K
Daniel Stepanic retweetledi
SolidSnake
SolidSnake@soolidsnakee·
Here's a fun one from our latest research: PHANTOMPULSE resolves its C2 from blockchain transactions. The malware reads the most recent transaction of a wallet to decrypt the input data, and uses it as the C2 URL. The problem? It doesn't verify the sender. 🧵
SolidSnake@soolidsnakee

New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs. We uncovered a campaign abusing Obsidian plugins and vault feature to deliver multi-platform payloads targeting both #Windows and #macOS. The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions and its loader #PHANTOMPULL A deep dive into the RAT internals is coming next. Stay tuned. elastic.co/security-labs/…

English
1
3
8
1K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and it’s loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB
English
3
42
116
14.6K
Daniel Stepanic retweetledi
Joe Desimone
Joe Desimone@dez_·
We published a pair of articles on the axios compromise and deep dive on the malware, alongside detection strategies elastic.co/security-labs/…
English
6
27
138
16.3K
Daniel Stepanic retweetledi
Daniel Stepanic retweetledi
Virus Bulletin
Virus Bulletin@virusbtn·
Elastic Security Labs has been observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The SILENTCONNECT loader delivers ScreenConnect - a RMM tool used to control victim machines - as its final payload. elastic.co/security-labs/…
Virus Bulletin tweet media
English
0
12
39
8.8K
Daniel Stepanic retweetledi
Joe Desimone
Joe Desimone@dez_·
Patch Diff to SYSTEM - using LLMs to exploit a LPE vuln on Windows. More importantly, some thoughts on model capabilities the implications on our security industry elastic.co/security-labs/…
Joe Desimone tweet media
English
3
75
261
22.8K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
Elastic Security Labs uncovered a large-scale SEO poisoning campaign deploying #BADIIS malware on 1,800+ IIS servers worldwide. Compromised systems—spanning government, corporate, and education sectors—are monetized to push gambling and illicit content. Learn more here: ela.st/badiis
English
0
22
99
16.3K
Daniel Stepanic retweetledi
SolidSnake
SolidSnake@soolidsnakee·
We are tracking #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs. www.ndibstersoft[.]com d15mawx0xveem1.cloudfront[.]net xMRi[.]neTwOrk
English
2
7
24
2K
Daniel Stepanic retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging. Get the full analysis and defense strategies: ela.st/nanoremote
English
0
27
55
14.9K
Daniel Stepanic retweetledi