Jeremy Wiedner

231 posts


@JeremyWiedner

Curiosity, creativity, and action are key!

Joined May 2013
158 Following, 59 Followers
Jeremy Wiedner retweeted
OSINT Industries (@OSINTindustries)
Learn how to investigate Iranian cyber actors 🇮🇷 From IRGC-linked networks and proxy companies to real OSINT pivots, attribution, and ethical tradecraft. Watch the full webinar: us06web.zoom.us/rec/share/X24E… Passcode: R*2GXqfu
OSINT Industries (@OSINTindustries)

Iran’s internet is at 4% of normal levels. ⚠️ Cyber ops don’t stop in a blackout. Learn how investigators expose networks linked to the Islamic Revolutionary Guard Corps using OSINT. Register for our live webinar 👇 osint.industries/webinar/unmask…

Jeremy Wiedner retweeted
Renzon (@r3nzsec)
One of the biggest pain points for macOS-based DFIR analysts: "I have a raw Master File Table ($MFT) or USN Journal ($J), but I need a Windows VM just to parse it." Not anymore. IRFlow Timeline now imports raw $MFT and $J files directly: a two-pass binary parser extracts 22 columns matching MFTECmd output format, with full path reconstruction via parent reference chain-walking (thanks to CyberCX UsnJrnl Rewind).

New Feature: Resident Data Extraction
When a threat actor drops a small script or config (<700 bytes), it’s stored inline within the MFT record. Even if the file is "deleted," the content often survives. IRFlow now recovers resident MFT data with a single click. In recent ransomware cases, this has surfaced:
- Deleted batch scripts & PowerShell loaders
- Hidden ransomware configs
- Attacker "cleanup" artifacts
#DFIR #CyberSecurity #DigitalForensics #IncidentResponse #Infosec #macOS
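The resident-data recovery Renzon describes, as an added example written for this page (not IRFlow's code): a minimal Python parser that applies the NTFS update-sequence fixup, walks the attributes of a FILE record, and returns the content of any resident unnamed $DATA stream, including records whose in-use flag is cleared because the file was deleted. It assumes 1024-byte records and builds its own constructed sample $MFT (a deleted loader.bat and a live notes.txt, with invented content) so it runs offline; the helper names and the sample data are assumptions, while the offsets and type codes are the on-disk NTFS format.

```python
import struct

# NTFS on-disk constants (record size of 1024 bytes is assumed; it is the common value)
RECORD_SIZE = 1024
SECTOR_SIZE = 512
FLAG_IN_USE = 0x01      # cleared when a file is deleted; the record content is left in place
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def apply_fixups(record: bytes) -> bytes:
    """Undo the update-sequence fixup. NTFS overwrites the last two bytes of every
    sector with the update sequence number (USN) and keeps the original bytes in
    the update sequence array (USA); a mismatch means the record was torn mid-write."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record: bytes) -> dict:
    """Walk the attribute list of one FILE record and return the file name and,
    when the unnamed $DATA stream is resident, its content."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    used = struct.unpack_from("<I", rec, 24)[0]
    out = {"in_use": bool(flags & FLAG_IN_USE), "name": None, "resident_data": None}
    off = first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_FILE_NAME:          # name length (chars) at 64, UTF-16LE name at 66
                out["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
            elif atype == ATTR_DATA and name_len == 0:
                out["resident_data"] = content
        off += alen
    return out


def recover_resident_files(mft: bytes) -> list:
    """Return every record, deleted or live, whose unnamed $DATA stream is resident."""
    found = []
    for idx in range(len(mft) // RECORD_SIZE):
        chunk = mft[idx * RECORD_SIZE:(idx + 1) * RECORD_SIZE]
        if chunk[:4] != b"FILE":
            continue                              # unused or zeroed slot
        info = parse_record(chunk)
        if info["resident_data"] is not None:
            found.append({"record": idx, **info})
    return found


# --- constructed sample $MFT, built here so the example runs offline ---

def _resident_attr(atype: int, content: bytes) -> bytes:
    total = (24 + len(content) + 7) & ~7          # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(total, b"\0")


def build_record(name: str, data: bytes, in_use: bool) -> bytes:
    fn = bytearray(66)                            # parent ref, timestamps, sizes, flags left zero
    fn[64], fn[65] = len(name), 1                 # name length in chars, Win32 namespace
    attrs = (_resident_attr(ATTR_FILE_NAME, bytes(fn) + name.encode("utf-16-le"))
             + _resident_attr(ATTR_DATA, data) + struct.pack("<II", ATTR_END, 0))
    first_attr = 0x38
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                      FLAG_IN_USE if in_use else 0, first_attr + len(attrs), RECORD_SIZE, 0, 3)
    rec = bytearray(RECORD_SIZE)
    rec[:len(hdr)] = hdr
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x07\x00"                             # apply the fixup the way the driver does
    rec[0x30:0x36] = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])
    rec[510:512] = usn
    rec[1022:1024] = usn
    return bytes(rec)


SAMPLE_SCRIPT = b'@echo off\r\nrem constructed stand-in for a dropped loader\r\ndel "%~f0"\r\n'
SAMPLE_MFT = (build_record("loader.bat", SAMPLE_SCRIPT, in_use=False)   # deleted file
              + build_record("notes.txt", b"meeting at 10", in_use=True)
              + bytes(RECORD_SIZE))                                       # empty slot

if __name__ == "__main__":
    for hit in recover_resident_files(SAMPLE_MFT):
        state = "live" if hit["in_use"] else "deleted"
        print(f"record {hit['record']} {hit['name']} ({state}): {hit['resident_data']!r}")
```

Running it prints the recovered content of both records, with loader.bat reported as deleted even though its data is intact. A real $MFT also carries non-resident attributes, named streams, extension records and the record number at offset 44, none of which this example handles; the fixup check is what keeps a torn record from being read as if it were intact.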
Jeremy Wiedner retweeted
Mike Takahashi (@TakSec)
Google Dork - Exposed Configs 🔍 site:example[.]com ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json
Jeremy Wiedner retweeted
r1ru (@ri5255)
I have released the first half of "Binary Exploitation 101", a beginner-friendly guide to binary exploitation. You can learn from classic buffer overflow to ret2dlresolve through CTF-like challenges. I am working on the second half now. Stay tuned 🔥 r1ru.github.io/categories/bin…
Jeremy Wiedner retweeted
YungBinary (@YungBinary)
Dropping a new malware config parser for #Amadey! Update your CAPEv2 parsers:
> sudo -u cape bash -c 'cd /opt/CAPEv2 && poetry add CAPE-parsers@latest && systemctl restart cape cape-web cape-processor'
Check it out here: github.com/CAPESandbox/CA…
Jeremy Wiedner retweeted
unsafe_call (@unsafe_call)
The attacker accidentally left their entire malicious extension playbook for @cursor_ai sitting in the same folder their extension was downloaded from 🤡
zak.eth (@0xzak)

I've been in crypto for over 10 years and I’ve never been hacked. Perfect OpSec record. Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time. If it can happen to me, it can happen to you. Here’s a full breakdown. 🧵👇

Jeremy Wiedner retweeted
Smukx.E (@5mukx)
Mega Malware Analysis Tutorial Featuring Donut github.com/PaloAltoNetwor…
TL;DR: The purpose of this blog post is to walk our readers, particularly those who are just stepping into the realm of malware analysis, through our process of analyzing a unique .NET PE malware that loads Remcos.
Jeremy Wiedner retweeted
John Hammond (@_JohnHammond)
For the life of me I can never remember the registry tweaks to avoid TPM checks when installing Win11 in a VM. I finally took note of the `reg add` commands to just copy and paste into the Shift+F10 terminal.
reg add "HKLM\SYSTEM\Setup\LabConfig" /f
reg add "HKLM\SYSTEM\Setup\LabConfig" /v BypassTPMCheck /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\Setup\LabConfig" /v BypassSecureBootCheck /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\Setup\LabConfig" /v BypassRAMCheck /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\Setup\LabConfig" /v BypassCPUCheck /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\Setup\LabConfig" /v BypassStorageCheck /t REG_DWORD /d 1 /f
Jeremy Wiedner (@JeremyWiedner)
The original C2Live has not been updated in 2 years. It pulled in nightly updates from github.com/montysecurity/…; however, after July 2, 2024 those became weekly updates.
Jeremy Wiedner retweeted
Florian Roth ⚡️ (@cyb3rops)
Really like what @yamatosecurity is doing with Suzaku - applying Sigma to cloud logs is something we absolutely need. The cloud is a fragmented mess, and tools like this help defenders bring visibility into dark corners. They’re using the Detection Rule License 1.1, which is great. Let’s hope the community joins in and contributes rules for other cloud platforms too.
Suzaku rules: github.com/Yamato-Securit…
Sigma cloud rules: github.com/SigmaHQ/sigma/…
Let’s get all cloud services covered eventually.
田中ザック (Zach Mathis) (@yamatosecurity)

Thanks to tremendous dev work by Fukusuke Takahashi and DustInDark, we have our first alpha version release of Suzaku - "Hayabusa for cloud logs". Still lots to implement but the basic sigma detection is working for AWS CloudTrail logs so try it out and give us feedback on how we can improve it for those of you who do DFIR in the cloud. Enjoy! github.com/Yamato-Securit… Thanks to the wonderful development work by Fukusuke Takahashi and DustInDark, we were able to release the first alpha version of Suzaku (Hayabusa adapted for cloud logs)! There are still many features we want to implement, but basic Sigma detection against AWS CloudTrail logs is working! Everyone doing DFIR in the cloud, please try it out and send us feedback on improvements and your opinions. Enjoy!

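What "applying Sigma to cloud logs" amounts to in practice, as an added example that is neither Suzaku's code nor a SigmaHQ rule: a small Python evaluator for a Sigma-style detection block (map searches with list values and the contains/startswith/endswith modifiers, plus a condition expression) run over a few constructed CloudTrail records. The rule, the event IDs and every field value are constructed for this page; dotted field names are resolved into nested JSON, which is an assumption about how the log is flattened, not a statement about Suzaku's field naming.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed rule in the shape of a Sigma detection block, kept as a dict rather
# than YAML so the example needs no PyYAML. Not a SigmaHQ or Suzaku rule.
RULE = {
    "title": "IAM credential creation (constructed example)",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "iam.amazonaws.com",
            "eventName": ["CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"],
        },
        "filter_failed": {"errorCode|startswith": "AccessDenied"},   # drop denied calls
        "condition": "selection and not filter_failed",
    },
}

# Constructed CloudTrail records, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventID": "evt-2", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "evt-3", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "AssumedRole"}},
]


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field name such as 'userIdentity.type' against nested JSON."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_matches(actual: Any, expected: Any, modifier: Optional[str]) -> bool:
    if expected is None:                  # 'field: null' in Sigma means the field is absent
        return actual is None
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()   # Sigma string matching is case-insensitive
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def search_matches(event: Dict[str, Any], search: Dict[str, Any]) -> bool:
    """A Sigma map search: every field must match (AND); a list of values is an OR."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(get_field(event, field), v, modifier or None) for v in values):
            return False
    return True


def evaluate_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Recursive-descent evaluator for conditions like 'a and not b' or 'a or (b and c)'."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def advance() -> None:
        nonlocal pos
        pos += 1

    def parse_or() -> bool:
        left = parse_and()
        while peek() == "or":
            advance()
            right = parse_and()
            left = left or right
        return left

    def parse_and() -> bool:
        left = parse_not()
        while peek() == "and":
            advance()
            right = parse_not()
            left = left and right
        return left

    def parse_not() -> bool:
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of condition")
        advance()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parentheses in condition")
            advance()
            return val
        return results[tok]               # KeyError if the condition names an unknown search

    return parse_or()


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    det = rule["detection"]
    results = {name: search_matches(event, s) for name, s in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], results)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """Return the eventIDs of the records the rule fires on."""
    return [e["eventID"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, SAMPLE_EVENTS))
```

Only evt-1 fires: evt-2 is the same API call but was denied, so the filter removes it, and evt-3 is a read-only call outside the selection. The pieces that make cloud logs awkward for Sigma are all visible here: nested JSON instead of flat event fields, and the need for per-service filters (failed calls, automation roles) before a rule is quiet enough to deploy.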
Jeremy Wiedner retweeted
3xp0rt (@3xp0rtblog)
Leaked BlackBasta chat logs contain messages spanning from September 18, 2023, to September 28, 2024. Let's analyze the statements disclosed by the leaker:
- Lapa is one of the key administrators of BlackBasta and is constantly busy with administrative tasks. Holding this high-trust position, Lapa is frequently insulted by his boss, who persistently demands major changes. The role causes Lapa significant stress, yet he earns significantly less compensation compared to others in the group. It appears that ransom payments might be an additional source of income for him to support his family during these difficult times. Under his administration, there was a brute force attack on the infrastructure of some Russian banks. So far, no actions seem to have been taken by law enforcement, suggesting that this situation could pose a serious problem and potentially provoke reactions from these authorities.
- "Cortes" is associated with the Qakbot group, which had dealings with Americans last year, likely attracting the attention of intelligence services. When BlackBasta conducted these attacks on Russian banks, "Cortes" distanced himself from these actions, probably surprised that this Russian group would target its own country. This might be why Qakbot didn't participate in the attacks against Russia.
- "YY" is also a main administrator of BlackBasta, seemingly very busy with support tasks and receives a good salary. The arrest of BlackBasta’s leader creates significant risks for the remaining members of the group. It turns out that the personal financial interests of Oleg, the group's boss, dictate the operations, disregarding the team's interests. Under his administration, there was also a brute force attack on the infrastructure of some Russian banks. It seems that no measures have been taken by law enforcement, which could present a serious problem and provoke reactions from these authorities.
- When "Trump" and "Bio" worked together in Conti, disputes over fee issues were common. Bio is paid more in his current position to continue managing such high-level risks. Bio changed his nickname from "bio" to "pumba" while working at Conti, but has now reverted to his old nickname in BlackBasta, so his reputation in BlackBasta should not be associated with the nickname "pumba". The recent arrest of "Bio" and the police's treatment likely caused concern among the BlackBasta group members.
- Bio identifies "GG" as "Trump". It can be inferred that "GG", "AA", and "Trump" are all aliases used by Oleg Nefedov, the group's boss.
PRODAFT (@PRODAFT)

BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉

Jeremy Wiedner retweeted
Chris Duggan (@TLP_R3D)
Thread 1/ If you're gonna read one #CTI thread today, make it this one!! – How one IP unraveled an Access Broker's Ransomware Network! 🚨🧵
🚨 Unmasking Adversary Infrastructure – New Findings on 193.29.13.167! #ThreatIntel #Rustdoor #GateDoor
📌 My previous tweet spotlighted IP 193.29.13.167, tied to an Access Broker linked to #Rustdoor, sparking a cascade of findings across domains like datasmetric[.]com and historic indicators from maconlineoffice[.]com. Here’s how that single thread pulled open the ransomware landscape…
Jeremy Wiedner retweeted
Who said what? (@g0njxa)
#WhiteSnake Stealer has recently announced an update featuring the creation of malicious .SLN (Visual Studio Solution) files as downloaders from a remote host in order to serve malware. Full changelog statement below: 👇👇