MoBustami

Part 2 with some hashes, domains and IoCs for good measure and an ask to help identify these raw shellcode sec0wn.blogspot.com/2026/01/part-2… @James_inthe_box @tlansec @malwrhunterteam

@tlansec @DrunkBinary @ImposeCost @ItsReallyNick @James_inthe_box @cyb3rops

Happy New Year everyone. I wrote something sec0wn.blogspot.com/2026/01/from-n… Do I get an honorary #OSEP for analyzing their payloads? Lol. Maybe Gemini should though. H/T to GeminiPro for the assist

@stevenadair @Volexity @PaloAltoNtwks Hey Steven, as always great work by your team.. Any IoCs that can be shared at this time for this activity?

@Volexity @PaloAltoNtwks We have seen limited exploitation but impact at multiple customers. We first detected this just two days ago. Impressive response from the Palo Alto Networks team, as they quickly worked with us and have now pushed a Threat Protection signature with a fix to come April 14.

Our team at @Volexity has identified a new 0day exploited in the wild. This time we caught a threat actor using an unauthenticated RCE in Palo Alto Networks GlobalProtect. It has been assigned CVE-2024-3400 and is covered in this @PaloAltoNtwks advisory security.paloaltonetworks.com/CVE-2024-3400

I highly recommend watching Kris's talk from 2022. I specifically love the methodology used for their analysis and it is just a work of art.

- Legacy could indicate lack of MFA - Spray and pray attacks continue to show valuable outcomes for attackers and you don't always need 0days - IAM and account logging and monitoring is essential - more firms were probably targeted - finally, Kudos to MS for the transparency

@f0xtrot_sierra Thank you for sharing this. To help me understand a bit better, is this an indication of preexisting compromise either external or insider or is this trying to show a new tactic? I am sorry if I am missing something obvious here.

We then see the suspicious application 'eM Client' being added and assigned the permission IMAP.AccessAsUser.All, which gives the application the same access to the user's mailboxes as the user logged in via IMAP. User successfully authenticates, we log out and disable ✌️ 2/2

Interesting M365 case @HuntressLabs the other day First see user trying to authenticate from IP associated with suspicious ISP Ovh Sas with an unusual user-agent Following failed authentication we see a Service Principal account linking a new device for MFA 🧵 1/2

@ImposeCost @ItsReallyNick Am I totally off track by looking at this?

More like the chollima in the room, am I right? 🥁🥁🤣

@snkhan @Sam0x90 @MITREattack I love when amazing people collaborate on things like this. Great example by both @Sam0x90 and @snkhan

@Sam0x90 @MoBustami @MITREattack I’m going to map this into VECTR: vectr.io Thanks!

💜Adversary Simulation and Purple friends💜 I'm happy to share this simulation plan which regroups a TOP 35 @MITREattack TTPs from 22-23. Based on open source intel, it's meant to ease the onboarding of more into Purple! Have a look at the readme #CTI #TTP github.com/Sam0x90/CTI/tr…

Today we are highlighting an actor we are tracking as Volt Typhoon. This activity is targeting US and Guam critical infrastructure. Volt Typhoon has been observed mostly living off the land during our investigations.

Lo key one of the best blogs I have read in a while... Hot daaaamn!!! Well done

Waiting for @TomHegel translation of the screenshots 👀👀

@ImposeCost Would it be fair to say that attribution matters as long as it is thus serving the enablement of better detection and better understanding of the tradecraft of the TA to enable defenders better map controls and enhance prevention? Not for the whodunit chit chat?

@smoothimpact just dropped some bars on y'all's.. gawd daaaaaamnnn.. who is next? #CyberCypher @ImposeCost @juanandres_gs @ItsReallyNick @Hexacorn

Thank you @ImposeCost for this... I could not have said it any better

Today, we've released #APT43 🇰🇵. As part of this release, I wanted to highlight some of the background research that went into this. No blue checkmark, so I have to do a normal thread 😅mandiant.com/resources/blog…

@wdormann @RedDrip7 @n3mes1s Seems like it was 0/56

#APT The email that exploited #Outlook #CVE-2023-23397 in the wild was submitted to VT as early as on Apr 1st, 2022 and targeted State Migration Service of #Ukraine. Filename: "2022-03-18 - лист.eml" UNC Link: \\5[.]199.162.132\SCW virustotal.com/gui/file/ece08…

@Arkbird_SOLG @James_inthe_box @h2jazi so I guess mystery kinda solved. the JS code from the anyrun sample - 915429ec7cda5e26796835b6058b251f once decoded, creates another script that uses the original one as a loader to decrypt it's strings. the dkey, function and some sample clear output is in the below screenshot

@Arkbird_SOLG @James_inthe_box @h2jazi My question still remains on why this sample did not behave like the other sample I highlighted and nothing I can find in relation to the below image. I will keep digging and see

Nice, the php file is on Anyrun, the next steps too (loader + Persistence). app.any.run/tasks/03d10278… github.com/StrangerealInt… cc @James_inthe_box @h2jazi @MoBustami