Max Rogers
@MaxRogers5
1.8K posts

Sr. Director of SOC at Huntress. Ex-Mandiant/FireEye. Bringing security to the Fortune 5,000,000.

Charlotte, NC · Joined January 2012
1.1K Following · 3.4K Followers
Max Rogers reposted
Florian Roth ⚡️ @cyb3rops
My team published detection content for the Notepad++ / Lotus Blossom activity - both the concrete post-compromise artifacts and more generic gup.exe updater anomaly hunting.
Sigma (gup.exe anomalies: uncommon DNS, uncommon file drops, suspicious child processes): github.com/SigmaHQ/sigma/… by @_swachchhanda_
YARA (Chrysalis loader/backdoor, related components): github.com/Neo23x0/signat… by @X__Junior
IOCs (filenames etc.): github.com/Neo23x0/signat…
#NotepadPlusPlusCompromise
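The three hunting ideas in the post (uncommon DNS, uncommon file drops, suspicious child processes) as Sigma-style rules run over constructed Sysmon-like events. This is an added example, not code from the post, from SigmaHQ or from Florian Roth's team. The Sysmon field names (Image, ParentImage, QueryName, TargetFilename) and the Sigma category names and modifiers are real; the events and the "normal gup.exe" baseline encoded in the filter blocks (resolves notepad-plus-plus.org, writes the installer to the user's Temp or the install directory, spawns notepad++.exe or that installer) are assumptions for illustration and should be tuned to what your own telemetry shows.

```python
"""Sigma-style gup.exe anomaly hunting over Sysmon-like events (added example).

The events and the gup.exe baseline below are constructed assumptions; the
Sysmon field names and Sigma category names are real.
"""


def _match_block(event: dict, block: dict) -> bool:
    """One Sigma selection/filter block: entries are AND-ed, list values OR-ed,
    comparison case-insensitive (Sigma's default for strings)."""
    for spec, patterns in block.items():
        field_name, _, modifier = spec.partition("|")
        value = str(event.get(field_name, "")).lower()
        if isinstance(patterns, str):
            patterns = [patterns]
        matched = False
        for pattern in patterns:
            pattern = pattern.lower()
            if modifier == "endswith":
                matched = value.endswith(pattern)
            elif modifier == "contains":
                matched = pattern in value
            else:  # no modifier: exact match
                matched = value == pattern
            if matched:
                break
        if not matched:
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Condition used by every rule here: 'selection and not 1 of filter_*'."""
    if event.get("EventType") != rule["logsource"]["category"]:
        return False
    detection = rule["detection"]
    if not _match_block(event, detection["selection"]):
        return False
    return not any(_match_block(event, block)
                   for name, block in detection.items() if name.startswith("filter_"))


# Assumed baseline (tune to your telemetry): gup.exe resolves notepad-plus-plus.org,
# writes the installer to the user's Temp or the install dir, and spawns notepad++.exe
# or that installer. Everything else is surfaced for a human to look at.
RULES = [
    {"title": "gup.exe Uncommon DNS Query", "level": "medium",
     "logsource": {"category": "dns_query", "product": "windows"},
     "detection": {
         "selection": {"Image|endswith": "\\gup.exe"},
         # apex and subdomains as two filters, so that a lookalike such as
         # notepad-plus-plus.org.example.net is not silently excluded
         "filter_apex": {"QueryName": "notepad-plus-plus.org"},
         "filter_sub": {"QueryName|endswith": ".notepad-plus-plus.org"}}},
    {"title": "gup.exe Uncommon File Drop", "level": "medium",
     "logsource": {"category": "file_event", "product": "windows"},
     "detection": {
         "selection": {"Image|endswith": "\\gup.exe"},
         "filter_expected": {"TargetFilename|contains": [
             "\\appdata\\local\\temp\\", "\\program files\\notepad++\\"]}}},
    {"title": "gup.exe Suspicious Child Process", "level": "high",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {
         "selection": {"ParentImage|endswith": "\\gup.exe"},
         "filter_expected": {"Image|endswith": ["\\notepad++.exe", "installer.exe"]}}},
]

# Constructed sample events (not real telemetry).
GUP = "C:\\Program Files\\Notepad++\\updater\\GUP.exe"
SAMPLE_EVENTS = [
    {"EventType": "dns_query", "Image": GUP, "QueryName": "notepad-plus-plus.org"},
    {"EventType": "dns_query", "Image": GUP, "QueryName": "cdn.notepad-plus-plus.org"},
    {"EventType": "dns_query", "Image": GUP, "QueryName": "updates.example.net"},
    {"EventType": "dns_query", "Image": GUP, "QueryName": "notepad-plus-plus.org.example.net"},
    {"EventType": "file_event", "Image": GUP,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.Installer.exe"},
    {"EventType": "file_event", "Image": GUP,
     "TargetFilename": "C:\\Users\\Public\\Libraries\\update.dll"},
    {"EventType": "process_creation", "ParentImage": GUP,
     "Image": "C:\\Program Files\\Notepad++\\notepad++.exe"},
    {"EventType": "process_creation", "ParentImage": GUP,
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\Libraries\\update.dll,Start"},
    {"EventType": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def hunt(events: list) -> list:
    """Run every rule over every event; return the alerts in event order."""
    return [{"title": r["title"], "level": r["level"], "event": ev}
            for ev in events for r in RULES if evaluate(r, ev)]


def hunt_sample() -> list:
    """Titles of the alerts raised on SAMPLE_EVENTS."""
    return [hit["title"] for hit in hunt(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["level"], hit["title"], hit["event"])
```

The rules are written in the same selection/filter shape a Sigma YAML uses, so each one translates directly; the split apex/subdomain filter on the DNS rule is the detail worth keeping when you write the real thing, since a single `endswith: notepad-plus-plus.org` would also excuse any domain that merely ends in that string.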
Max Rogers reposted
Jai Minton @CyberRaiju
Episode 2 of Breach Log is now available! Special thanks to Max Margolis for joining me and telling his story. If you have a story you'd like to share, get in contact and we can have some fun. open.spotify.com/episode/4SDz0R…
Max Rogers reposted
SANS Institute @SANSInstitute
The Cybersecurity Company of the Year Award 🏢 celebrates a company delivering top-tier security services and products while leading with integrity and community spirit. The Community Winner for 2025 goes to @HuntressLabs. Congratulations! #SANSDMA
Max Rogers @MaxRogers5
Congrats @RussianPanda9xx for winning the Community Cyber Defender Practitioner of the Year award in the 2025 SANS Difference Makers Awards! First award for a @HuntressLabs teammate! #SANSDMA
Max Rogers @MaxRogers5
Congrats to @fr0gger_ for winning Innovation of the Year at the 2025 SANS Difference Makers Awards for his tool NOVA. An impressive tool enabling threat detection in a new AI based attack surface. #SANSDMA
Max Rogers @MaxRogers5
We are kicking off the SANS Difference Makers Awards! It’s great to share space with so many people working to advance cyber security. I’ll be hanging out on behalf of @HuntressLabs. I’m also thrilled to see many friends like @fr0gger_ nominated! #SANSDMA
Will @BushidoToken
It’s always bemused me how after years of CTI sharing, we’ve still not standardised intel sharing on IP addresses… Funnily enough, Salesforce actually did the best job here IMO versus two veteran cybersecurity vendors CrowdStrike & ESET
Max Rogers reposted
Will @BushidoToken
When sharing CTI on IPs, Context is Key 🔑
- First/Last Seen (Timestamps!)
- Observables (like VPN brand / proxy network)
- Hosting Provider (ASN)
- DNS Records (relevant domains on the IP)
- Purpose and/or Type (C2, Payload Host, Proxy, etc) 🫳🎤
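The context fields listed in the post as a record, plus a triage function that shows why each field changes what a consumer should do with a hit on the IP. This is an added example, not code from the post or from any of the vendors it mentions. The addresses come from the RFC 5737 documentation ranges, the ASNs from the RFC 5398 documentation range, and every indicator, domain, timestamp and hit is constructed; the verdict rules and the 30-day grace period after last-seen are assumptions to illustrate the point, not a standard.

```python
"""IP indicator with context, and triage that uses it (added example).

Every indicator, hit, address, ASN and domain below is constructed; the
verdict thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp; shared first/last seen values must carry an offset."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {s}")
    return dt


@dataclass
class IPIndicator:
    ip: str
    first_seen: datetime
    last_seen: datetime
    purpose: str                                          # C2, payload_host, proxy, scanner ...
    asn: Optional[int] = None                             # hosting provider (ASN)
    provider: Optional[str] = None
    observables: list[str] = field(default_factory=list)  # e.g. "vpn:<brand>", "proxy-network"
    dns_records: list[str] = field(default_factory=list)  # domains seen resolving to the IP


def missing_context(ind: IPIndicator) -> list[str]:
    """Context fields from the post that a shared record lacks (a bare IP lacks all of them)."""
    gaps = []
    if ind.asn is None and not ind.provider:
        gaps.append("hosting_provider")
    if not ind.dns_records:
        gaps.append("dns_records")
    if not ind.purpose:
        gaps.append("purpose")
    return gaps


def is_shared_infrastructure(ind: IPIndicator) -> bool:
    """VPN exits, proxy networks and the like are used by many tenants at once."""
    return ind.purpose.lower() == "proxy" or any(
        o.lower().startswith(("vpn", "proxy", "tor", "cdn")) for o in ind.observables)


def triage(ind: IPIndicator, hit_time: datetime, hit_domain: Optional[str] = None,
           grace: timedelta = timedelta(days=30)) -> tuple[str, str]:
    """Turn 'our host talked to this IP' into a verdict using the indicator's context."""
    if hit_time < ind.first_seen or hit_time > ind.last_seen + grace:
        return "ignore", "hit is outside first/last seen (+grace); the IP has likely rotated"
    if is_shared_infrastructure(ind):
        if hit_domain and hit_domain.lower() in {d.lower() for d in ind.dns_records}:
            return "investigate", "shared address, but the contacted domain is tied to the indicator"
        return "low", "shared VPN/proxy address; the IP alone is weak evidence"
    if ind.purpose.lower() == "c2":
        return "high", "C2 address contacted within its active window"
    return "medium", f"{ind.purpose} address contacted within its active window"


# Constructed indicators (documentation address/ASN ranges, example domains).
C2 = IPIndicator("203.0.113.10", ts("2025-11-01T00:00:00+00:00"), ts("2025-11-20T00:00:00+00:00"),
                 purpose="C2", asn=64496, provider="Example Hosting",
                 dns_records=["update.example.net"])
VPN_EXIT = IPIndicator("198.51.100.7", ts("2025-10-01T00:00:00+00:00"), ts("2025-11-30T00:00:00+00:00"),
                       purpose="proxy", asn=64497, observables=["vpn:example-vpn"],
                       dns_records=["portal.example.org"])
BARE = IPIndicator("192.0.2.55", ts("2025-11-01T00:00:00+00:00"), ts("2025-11-01T00:00:00+00:00"),
                   purpose="")  # the "here is a list of bad IPs" feed entry

# Constructed hits: (indicator, time the IP was contacted, domain resolved, if known).
SAMPLE_HITS = [
    (C2, "2025-11-15T12:00:00+00:00", None),
    (C2, "2026-03-01T12:00:00+00:00", None),
    (VPN_EXIT, "2025-11-15T12:00:00+00:00", None),
    (VPN_EXIT, "2025-11-15T12:00:00+00:00", "portal.example.org"),
]


def run_samples() -> list[str]:
    """Verdicts for SAMPLE_HITS, in order."""
    return [triage(ind, ts(when), domain)[0] for ind, when, domain in SAMPLE_HITS]


if __name__ == "__main__":
    print("bare indicator lacks:", missing_context(BARE))
    for (ind, when, domain), verdict in zip(SAMPLE_HITS, run_samples()):
        print(ind.ip, when, domain, "->", verdict)
```

The same IP match lands anywhere from "ignore" to "high" depending only on the context attached to it, which is the point of the post: without timestamps a stale address keeps paging people, and without the purpose and observables a VPN exit node looks as bad as a C2 server.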
Max Rogers @MaxRogers5
It’s SANS Difference Maker Eve! #SANSDMA @HuntressLabs has a few folks nominated and is also nominated for Cyber Security Company of the Year! If you’re attending please come find me and say hello! 👋 See you tomorrow @SANSInstitute!
Max Rogers reposted
SANS Institute @SANSInstitute
The 2025 SANS #HolidayHack Challenge is officially open! 🎄 Celebrate 10 yrs of festive hacking fun with fast micro-challenges, epic capstone puzzles, a new CTF-only mode, and more! Can you uncover what’s stirring beneath the 8-bit neighborhood? ❄️ Join free → go.sans.org/eumn5C
Max Rogers reposted
Anton @Antonlovesdnb
The @HuntressLabs blog has been on fire lately - tons of content and cool tradecraft around Linux, macOS & ESXi - honestly even I can’t keep up with it all and I work there and get to see all this come together 😅 Worth a bookmark: huntress.com/blog
Max Rogers reposted
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
Super hyped to share that @HuntressLabs published a Rapid Response blog on the recent #React2Shell post-exploitations observed. We discovered and analyzed a few payloads that were named #PeerBlight, #CowTunnel and #ZinFoq. We also observed a variant of #Kaiji malware. 3 Modelos 🍺 in and the malware started making sense. By the 4th one I was naming them like Pokémon except way more unhinged. PeerBlight, I choose you! Thank you for your contributions @sudo_Rem, @LindseyOD123, @_JohnHammond, @bumbucha, and @aaron_deal. Couldn't have done it without your support ❤️ huntress.com/blog/peerbligh…
Max Rogers reposted
Ben @polygonben
⚠️ Super excited to release TWO React2Shell blogs with @xorJosh! ctrlaltint3l.github.io/threat%20resea… ctrlaltint3l.github.io/threat%20resea… We've been hunting down TAs causing havoc, scanning and exploiting React2Shell on the internet. Especially the ones making OPSEC Ls... One group we've tracked decided to attack a @HuntressLabs partner today. They were contained quickly and were not happy with us 😎 #React2Shell #OPSEC
Max Rogers reposted
John Hammond @_JohnHammond
Errybody screaming about React2Shell so we wanted to give ya something you haven't already heard😁 Here's a beast of a blog post on malware we've seen from post-exploitation, detailing a wild Linux backdoor and more -- all from the amazing & incredible @RussianPanda9xx & co.😎 huntress.com/blog/peerbligh…
Quoted post: RussianPanda 🐼 🇺🇦 @RussianPanda9xx (the React2Shell Rapid Response post reposted above)
Max Rogers reposted
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
It’s almost 2026 and everyone is talking about React2Shell. Wondering when @HuntressLabs is dropping something on it? We are cooking. Trust me, you will want to read this one.
Max Rogers reposted
Jai Minton @CyberRaiju
CVE-2025-55182 (React2Shell) pre-auth RCE is likely to have a long tail, similar to what the Log4Shell (Log4j injection) and Telerik deserialisation vulnerabilities have had in the past. This is already being weaponised by threat actors, with public POCs available. react2shell.com
Max Rogers reposted
Ben @polygonben
My first @HuntressLabs blog is live: we break down some funky ClickFix lures that lead to a loader which uses steganography to extract shellcode and ultimately deliver LummaC2/Rhadamanthys stealers. Big thanks to @RussianPanda9xx for the help! 😇 huntress.com/blog/clickfix-…
Max Rogers reposted
Andrew Northern 𓅓 @ex_raritas
New report by yours truly. Censys Threat Overview: Mapping Remcos C2 Activity at Internet Scale 👇👇👇