Nels

4.8K posts


@MattNels

Fortitudine vincimus -- Threat Hunter - Incident Responder - Marine - Dude - Thought Agitator - Badger Poker - Fruitcake Bomber - Gird your loins

Joined March 2009
1.2K Following 622 Followers
Nels reposted
Nels (@MattNels)
Trembling cooter event…
English
0
0
0
13
Nels reposted
ElkinsCattleCo (@ElkinsCattleCo)
X family: We’re GIVING AWAY a full beef box this weekend!!! USDA prime, grass-fed & finished, dry-aged beef— raised right here in Lampasas, Texas
What’s included:
– 2 ribeyes
– 2 flat irons
– 8 wagyu burger patties
– 2 lb ground beef
– king sized picanha
– cross cut bone-in short ribs
We’ll ship it straight to your door!!
To enter:
• follow @ElkinsCattleCo
• repost this
• comment your all-time favorite beef cut
Must be in the U.S. (AK/HI not included). Winner announced Monday 04/27 at noon CT, ships out Tuesday 04/28. 1 winner will be announced + DM’d from this account only. Good luck! 🙏🥩🇺🇸
English
6.1K
5.9K
6.2K
424.2K
Nels reposted
Searchlight Pictures (@searchlightpics)
The Mustache Rides, Again. Again. Watch the trailer for SUPER TROOPERS 3 right meow. Only in theaters August 7. #SuperTroopers3
English
31
213
877
64.2K
Nels reposted
Justin Elze (@HackingLZ)
Want to know why I hate shock and awe in InfoSec? Early in my pentest career I was on an engagement with both a network pentest and a physical assessment. The network was flat, critical systems mixed in with everything else, plenty of issues to go around. On the physical side, someone walked in the front door, ended up in a conference room, plugged in, got DA. When we came back the following year, the physical side had been locked down: badges, cameras, access control, the works. The network? The same issues from the previous report. Just because AI is helping find bugs and you want to scan all your internal code with LLMs doesn't mean you can take your foot off the gas with other internal security projects and fundamentals.
English
11
17
131
17.7K
Nels (@MattNels)
@HardPass4 The gift that keeps on giving.
English
0
0
0
40
Nels reposted
Squiblydoo (@SquiblydooBlog)
Orange Cyberdefense recently published their research on SmokedHam. We're glad to see Cert Graveyard and the code-signing certs mentioned. While CertGraveyard tracks the campaigns, we can't investigate them to their full depth (due to capacity), so this is great to see. 1/2
English
1
13
41
5.2K
Nels reposted
Jim Musil Painter (@JimMusilPainter)
My painting TOWERING STORM
English
55
329
4.1K
37K
Nels (@MattNels)
@KulasanM It’s probably ok. IMHO, ones with thicker steel are better. Learn & test for a while on a cheaper one like that, then maybe upgrade.
English
0
0
0
72
Nels reposted
Giuseppe `N3mes1s` (@N3mes1s)
Thread: Deep analysis of the axios npm supply chain compromise
All 5 payloads downloaded from VT, reversed in an isolated VM. Full report + detection rules: gist.github.com/N3mes1s/0c0fc7…
What's in the gist (8 files):
1. Verified Threat Intel Report (all hashes VT-confirmed)
2. Full RE of every payload (source code recovered for all 3 RATs)
3. C2 protocol specification (complete JSON schema, state machine)
4. 8 YARA rules (tested, 100% detection)
5. 8 Sigma rules (Win/Mac/Linux)
6. 11 Suricata/Snort IDS rules (including Base64 beacon patterns)
7. Machine-readable IOC bundle (JSON, 14 SHA256 + network + MITRE)
8. Extension.SubRoutine research (see below)
Novel findings not in any vendor report:
- Extension.SubRoutine.Run2() — the .NET process injection DLL is completely undocumented. Zero results across all public sources. Custom-built injector, not from any known tool.
- Linux RAT (ld.py, 0/76 detection) has a bug — peinject command references undefined variable b64_string. Binary injection crashes on Linux.
- macOS RAT has zero hardcoded IPs/domains. C2 is runtime-only via argv[1]. Compiled with SDK 26.2.0 (latest Xcode). Build UUID: c848257813983360905d7ad0f7e5e3f5.
- C2 server confirmed as Express.js via URLScan X-Powered-By header.
- packages.npm.org in the POST body is not an npm URL — it's the National Association of Pastoral Musicians. Designed to look legit in network logs.
- Hostwinds AS54290 has confirmed Lazarus infrastructure in the same /18 subnet (Hunt.io research).
- macOS RAT classified as NukeSped by 4 AV engines. JA3 fingerprint 773906b0... mimics Safari 15.5 — nation-state TLS tradecraft.
- All 3 RATs share identical 4-command protocol: kill, peinject, runscript, rundir with status codes "Wow"/"Zzz".
- Zenbox memory dump (47MB) downloaded and analyzed — 12 PE files extracted. Extension.SubRoutine DLL not recoverable (C2 was offline during sandbox run).
Setup.js fully deobfuscated — all 18 XOR-encoded strings decoded including full VBScript and AppleScript payloads. macOS binary reversed with radare2 — main(), Report(), DoWork(), DoActionIjt(), DoActionScpt(), RunProcess() all reconstructed. Uses fork+execv (not system()), CurlGuard RAII pattern, nlohmann/json v3.11.3.
English
4
47
152
30.3K
Nels (@MattNels)
@hujimari A long time ago I was blessed to attend the cherry blossom festival in Iwakuni. Treasured memory.
English
0
0
0
26
藤🎧ふじ🥷🔥 (@hujimari)
🇯🇵 Scenes of spring cherry blossoms in Japan are trending overseas 🌸💞
Japanese
742
385
4.6K
217K
RÈBELs RÄÎDÈRs (@Rebels_Raiders)
The real winner here is actually the MARPAT Desert setup - Post is from @ xlogic_designs on Instagram
English
92
49
1.7K
87.8K
vx-underground (@vxunderground)
Chat, I'll tell you one thing right now, this LiteLLM supply-chain attack is one big stinky mess. No information has been released publicly (yet) on vendors impacted, but the stink I've been sniffing suggests this is very serious shenanigans and DFIR nerds are not happy
English
28
62
996
52.9K
Nels reposted
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
AI is NOT replacing cybersecurity jobs. Full stop.
I'm so tired of people parroting "AI will replace reverse engineers" and "malware analysis is solved". No. It is not.
I have analyzed hundreds of malware samples using AI. Here's what actually happens:
-> It gives you made-up decryption keys with full confidence
-> It tries to decrypt data that is literally random garbage
-> It misidentifies malware families
-> It misses critical functions
And have you ever tried retrohunting with the YARA rules AI writes across thousands of samples? Go ahead. Watch the false positives roll in. That alone should tell you everything you need to know.
Every single output needs human validation and rigorous review. AI is a tool, a powerful one. But someone still has to build the MCPs, validate the output, understand the context, catch the hallucinations, and make the actual calls during incident response.
The people saying this stuff loudest have clearly never watched AI confidently hand them completely wrong decrypted data and make them believe it's real.
Stop scaring newcomers out of the field and misleading people with this nonsense. Cybersecurity still needs humans.
English
80
113
757
55.9K
Nels reposted
Washingtons ghost (@washghost1)
This has me cracking up
English
33
242
2.5K
220.1K
Nels reposted
Squiblydoo (@SquiblydooBlog)
As also mentioned by @malwrhunterteam, the actor also signed a copy of Microsoft's OLEVIEW.exe. I analyzed it with the new MCP in @REMnux and this is what it found: It found that there was a PNG, and after the PNG was another fake PNG, which was an encrypted payload. 1/5
Squiblydoo (@SquiblydooBlog)

Someone is signing binaries from NTCore and adding a little extra. Signature: BUSINESS CONSULTING SP Z O O eg acfecbebe0e30deafec6ef578c4adea2ba7c2279d92df808018142819bd8808f Reaches out to bloganimals[.]com This RE is beyond me but we're reporting the certificate.

English
5
19
120
16K
Nels reposted
Justin Elze (@HackingLZ)
I was always interested in how Microsoft Active Protection Service (MAPS) worked and why nobody ever published anything around it. It's the cloud-based portion of Defender. github.com/HackingLZ/maps…
English
4
23
130
18.7K
Nels (@MattNels)
@vxunderground What if it is a really unique file name? lol
English
0
0
0
85
vx-underground (@vxunderground)
I'm about to start foaming at the mouth. Koi AI, sharing a file name ISN'T AN IOC. GIVE ME THE FUCKING FILE HASHES
English
13
4
185
15.5K
Nels (@MattNels)
Holy Fuck. Just trying to get a VMware Workstation download.... How can Broadcom fuck this up any worse unless it is on purpose?
English
0
0
0
65