Daniel Stepanic
@DanielStepanic
312 posts

Malwarez at @elasticseclabs | Macrodata Refinement

Joined March 2011
646 Following, 1.3K Followers
Daniel Stepanic retweeted
Elastic Security Labs (@elasticseclabs)
We uncovered a new Brazilian banking trojan campaign: TCLBANKER. What makes TCLBANKER notable isn’t just the malware itself, but how it spreads. The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection. For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit. Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign. Read the full analysis: go.es.io/4ewvCKF
Daniel Stepanic retweeted
Elastic Security Labs (@elasticseclabs)
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy. So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it? We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs. Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses. The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces. The arms race just shifted.
Daniel Stepanic retweeted
SolidSnake (@soolidsnakee)
Here's a fun one from our latest research: PHANTOMPULSE resolves its C2 from blockchain transactions. The malware reads the most recent transaction of a wallet to decrypt the input data, and uses it as the C2 URL. The problem? It doesn't verify the sender. 🧵
SolidSnake (@soolidsnakee):
New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs. We uncovered a campaign abusing Obsidian plugins and the vault feature to deliver multi-platform payloads targeting both #Windows and #macOS. The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions, and its loader #PHANTOMPULL. A deep dive into the RAT internals is coming next. Stay tuned. elastic.co/security-labs/…
Daniel Stepanic retweeted
Elastic Security Labs (@elasticseclabs)
We have identified a novel social engineering campaign abusing Obsidian, the popular note-taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB
Daniel Stepanic retweeted
Joe Desimone (@dez_)
We published a pair of articles on the axios compromise and a deep dive on the malware, alongside detection strategies: elastic.co/security-labs/…
Daniel Stepanic retweeted
Virus Bulletin (@virusbtn)
Elastic Security Labs has been observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The SILENTCONNECT loader delivers ScreenConnect, an RMM tool used to control victim machines, as its final payload. elastic.co/security-labs/…
Daniel Stepanic retweeted
Joe Desimone (@dez_)
Patch Diff to SYSTEM: using LLMs to exploit an LPE vuln on Windows. More importantly, some thoughts on model capabilities and the implications for our security industry. elastic.co/security-labs/…
Daniel Stepanic retweeted
Elastic Security Labs (@elasticseclabs)
Elastic Security Labs uncovered a large-scale SEO poisoning campaign deploying #BADIIS malware on 1,800+ IIS servers worldwide. Compromised systems—spanning government, corporate, and education sectors—are monetized to push gambling and illicit content. Learn more here: ela.st/badiis
Daniel Stepanic retweeted
SolidSnake (@soolidsnakee)
We are tracking a #clickfix campaign hosted and served by two compromised websites: a Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs. www.ndibstersoft[.]com d15mawx0xveem1.cloudfront[.]net xMRi[.]neTwOrk
Daniel Stepanic retweeted
Elastic Security Labs (@elasticseclabs)
New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging. Get the full analysis and defense strategies: ela.st/nanoremote
Daniel Stepanic retweeted
Virus Bulletin (@virusbtn)
Elastic Security Labs publishes nightMARE, a Python library (v0.16) for malware analysis and for building configuration extractors. elastic.co/security-labs/…
Daniel Stepanic retweeted
Devon Kerr (@_devonkerr_)
@elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.
Daniel Stepanic retweeted
Elastic Security Labs (@elasticseclabs)
#ElasticSecurityLabs is observing #ValleyRAT infections using the following #LOLBins for execution:
- DeviceCredentialDeployment.exe (proxy execution)
- Tttracer (proxy execution)
- Renamed curl[.]exe (masquerade)
- Ttdinject (remote injection)
- Pester (proxy execution)