NtAlertThread

New Research! seqrite.com/blog/operation… We have found an interesting campaign targeting an entity of Chinese telecom with VELETRIX implant. The implant uses anti-sandbox, shellcode obfuscation technique via IPV4 and execution via EnumCalendarInfo leading to Vshell implant.

begin-re is back 🎉 Lost the domain, kept the course, improved the looks. You can find it now at ophirharpaz.com/begin.re

CrystalKit x Gargoyle lospino.so/blog/gargoyle-…

k3yp0d.blogspot.com/2026/05/the-wa… MuddyWater, salty water, doesn't matter, it's not natural water, something is going on and here's my take.

ac6f79a9986bead7133a4747891c44996b1619d85f7fc46e1c14364abc05ac9a Suspected SilverFox // GoldenEyeDog targeting India🇮🇳 @malwrhunterteam @smica83 @G60930953

Reeeeeversing....

"The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only reach under the shock compression of an implosion device." Symantec advances the fast16 research security.com/threat-intelli…

Dude...

I just published a NEW blog post -> reverse engineering the multi stage file format steganography chain from TeamPCP's telnyx SDK (4.87.1 and 4.87.2) husseinmuhaisen.com/blog/reverse-e…

Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/whe…

@ZackKorman it's fuckin friday man

When practicing on a VM crackme recently, I created a devirtualizer which lifts the virtual machine to LLVM to defeat the protection. LLVM-based devirtualisation is a lot of fun and I wrote down my experience and lessons learned on my blog: eversinc33.com/2026/05/07/llv…

"‘In 72 hours, India had air superiority, Pakistan was unable to operate’: US military expert on Op Sindoor," @firstpost firstpost.com/world/operatio…

NEW THREAT INTEL: OceanLotus APT32 PyPI Supply Chain Attack - 3 malicious wheels drop ZiChatBot cross-platform malware via Zulip API C2. 9 detections, 42 IOCs. #TL-2026-0467" target="_blank" rel="nofollow noopener">intel.threadlinqs.com/#TL-2026-0467 #ThreatIntel #CyberSecurity #APT32 #SupplyChain #PyPI

I wrote a blog but you can speed run it with this and this.

Interesting FUD sample, with .vhdx extension uploaded from 🇱🇻 & 🇻🇳 and some with RAR extension, DLL Sideloading into multiple executables công việc.rar 5afd45ac84838b38445cbbb0fdeb4ae178cf24f1ef096f53a9553fb8c6676368 @malwrhunterteam

VECT RaaS is making headlines via partnerships with BreachForums and TeamPCP. Behind the polished image is a weak operator: the ransomware is bug-ridden, poorly built, and most encrypted files aren’t fully recoverable, even with the decryption key. research.checkpoint.com/2026/vect-rans…

@malwrhunterteam Likely who we call TA4922, some details in proofpoint.com/us/blog/threat… Some outlets calls them "Silver Fox APT" based on... that they, like every small-time Chinese threat actors, use WinOS 4.0/ValleyRAT where the source code was leaked... in 2022... 🤷‍♂️

It is strange, that APT36 operators track very minute details about security researchers. The first version of GymRAT had no mention of "WhisperLynx", just because we published and presented various research against SilentLynx APT, blud thought they could just misattribute LOL.

@smica83 @abuse_ch APT36 🇵🇰

An interesting desktop sample seen from India @abuse_ch 'Contract_for_Procurement_of_Indigenous_Trawl_Assemblies_for_T-72_and_T-90_Main_Battle_Tanks_(MBTs).desktop' bazaar.abuse.ch/sample/4edbed6… Drops this ELF #DeskRAT bazaar.abuse.ch/sample/d62ad76… Domain: bossmaya(.)xyz chuchuchacha(.)xyz chuchuchacha(.)shop

@smica83 @abuse_ch PatchWork APT

Related sample @abuse_ch bazaar.abuse.ch/sample/9b2637b…