Alex. Turing

299 posts

Alex. Turing

@TuringAlex

Kernel Developer | Security REsearcher | Basketball Fan {Botconf | VirusBulletin | Kaspersky SAS} Speaker Current: @Xlab_qax EX: @360Netlab @Kaspersky AKA 渣兔

Katılım Aralık 2014

375 Takip Edilen1.4K Takipçiler

Alex. Turing@TuringAlex·3d

🚨写写简单的威胁快讯，刷一刷KPI也挺开心😂。 By the way, are there any #Telegram experts who can uncover the real identity of 0xWR?🤔 Happy hunting 🍷@Xlab_qax

GIF

Xlab@Xlab_qax

A mysterious hacker group known as #Mr_Rot13, which has operated covertly for six years, is exploiting critical cPanel vulnerabilities to deploy backdoor malware. blog.xlab.qianxin.com/mr_rot13-the-e…

中文

468

Alex. Turing@TuringAlex·6 May

@vkamluk 哈哈😆

日本語

Vitaly Kamluk@vkamluk·6 May

Cyberpaleontology should be taught as a subject in high school!

Costin Raiu@craiu

@lorenzofb @juanandres_gs I guess the idea was promoted in this 2014 blogpost "APT research is like paleontology...", that I wrote together with @vkamluk and @ryanaraine - securelist.com/the-art-of-fin… - this came right after Regin, which required some deep cyberpaleontology to figure out

English

4.8K

Alex. Turing@TuringAlex·6 May

@twtayaan 🤣

QME

Ayaan 🐧@twtayaan·5 May

i finally understand why it’s called linux porn 😭

English

103

718

8.6K

769.9K

Alex. Turing@TuringAlex·1 May

#botnet #ioc #c2 👉 xlabslover[.]lol and the console output had us in stitches. 😂 📸"To love or hate, that is the question". 📸 By the way, @Huntio about "The xlab 2 Rivalry" part… hmm, I'm thinking "F-word xlab 2" — may be "F-word xlab too."🤣 Happy hunting 🍷@Xlab_qax

Hunt.io@Huntio

🚨 NEW RESEARCH: xlabs_v1 DDoS-for-Hire IoT Botnet Exposed - One Open Directory. An Entire Operation Revealed. hunt.io/blog/xlabs-v1-… The operator built a full commercial DDoS-for-hire operation. Tiered pricing, 21 flood variants, competitor-killing routines baked in. Then left the whole toolkit on a public server with no login. Hunt.io AttackCapture tool had it indexed before they noticed. Key findings: - Botnet branded xlabs_v1, operator handle Tadashi, targeting game servers and Minecraft hosts - 21 flood variants including RakNet and OpenVPN-shaped UDP to dodge common filters - TCP/5555 observed open on 4M+ hosts in the past 180 days, any running ADB is a potential target - ChaCha20 encryption broken via known-plaintext, full nonce reuse across all 16 calls - C2, staging, distribution, and Monero cryptojacking all inside one bulletproof /24 in the Netherlands 👉 Full IOCs, MITRE mapping, and HuntSQL queries: hunt.io/blog/xlabs-v1-…

English

Alex. Turing@TuringAlex·25 Nis

@KWinsock @chendahuamode 俩位哥哥别逗，我也是跟着大佬们整，你们要是有线索，会了教教我啊😭

中文

Kollin Wins@KWinsock·25 Nis

@chendahuamode @TuringAlex 先交学费

中文

Alex. Turing@TuringAlex·24 Nis

🚨#fast16 🫡向大佬们脱帽致敬，这溯源能力太强了！ Lua brings me back to the days of analyzing Project Sauron and Godlua. For the lazy ones out there, I’ve uploaded the decrypted and preliminarily decompiled Lua payloads to VT 18735eebaa648c22d68a3a362d89dc6a. Happy hunting

English

Alex. Turing@TuringAlex·25 Nis

最近最有意思的故事 #fast16 🫡，真想当面八卦一下他们研究背后的故事😂，感觉大家还是低估了shadowbroker泄漏出来的东西，再研究研究，说不定还有新的发现或新的线索🧐🤔

Tom Hegel@TomHegel

Fresh research from the team (@vkamluk / @juanandres_gs) - this one goes back quite awhile! fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet sentinelone.com/labs/fast16-my…

中文

2.3K

Alex. Turing@TuringAlex·24 Nis

@juanandres_gs @frdfzi @vkamluk Orz，太太太强了🫡！Is there gonna be a recording of your talk? I can’t wait to hear all the juicy tea behind it.🧐🧐

English

101

J. A. Guerrero-Saade@juanandres_gs·24 Nis

Master @vkamluk is on stage at #BlackhatAsia solving a legendary mystery of CTI— fast16, a unique cyber sabotage operation from 2005, preceding Stuxnet by ~2-3 years.

English

6.7K

Alex. Turing@TuringAlex·24 Nis

@TomHegel @vkamluk @juanandres_gs 太强了

中文

206

Tom Hegel@TomHegel·24 Nis

English

34.3K

Alex. Turing@TuringAlex·9 Nis

@zachxbt @OldEBT haha~~

Filipino

191

ZachXBT@zachxbt·9 Nis

@OldEBT No they still cannot build a missile that has accurately hit neighboring enemy countries

English

5.6K

ZachXBT@zachxbt·8 Nis

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion. Enjoy the findings!

English

337

886

6.1K

1.1M

Alex. Turing@TuringAlex·9 Nis

@ashl3y_shen @58_158_177_102 @TalosSecurity 大佬太强了

中文

Chi-en (Ashley) Shen (@ashl3y-shen.bsky.social)@ashl3y_shen·8 Nis

1/♟️Just published new research on LucidRook, a Lua-based malware framework observed in spearphishing campaigns targeting Taiwan. LucidRook uses Rust libraries and an embedded Lua interpreter to execute payloads downloaded from FTP servers. blog.talosintelligence.com/new-lua-based-… @TalosSecurity

English

6.6K

Alex. Turing@TuringAlex·8 Nis

@av_eip @Xlab_qax 🤔The Winnti ELF backdoor is ~80-200KB in size. If it had been packed with something like UPX, the size should be reduced, not bloated to 2MB as it is now. APT41 commonly packages their malware with VMProtect, you can take a look at KEYPLUG 900ca3ee85dfc109baeed4888ccb5d39😄

English

149

av_eip@av_eip·8 Nis

@TuringAlex @Xlab_qax Don't think it is VMProtect. Seems like the binary uses a modified UPX packer with custom ELF section names .eDM0 and .eDM1 in place of the standard UPX0/UPX1 sections.

English

159

Alex. Turing@TuringAlex·31 Mar

🚨#APT41 Just spotted a fresh #Winnti #ELF backdoor f1403192ad7a762c235d670e13b703c3— 0 detections on VT and packed with VMProtect. 📸One of the #C2 "ai.qianxing[.]co" is clearly impersonating our company’s domain. They’re getting bold.🤣#IOC Happy hunting 🍷@Xlab_qax

English

132

19.9K

Alex. Turing@TuringAlex·21 Mar

@craiu @AndreGironda 传奇!!!

中文

134

Costin Raiu@craiu·21 Mar

A 2.5hr opus, for your weekend earholes. We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it. Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions... securityconversations.com/episode/the-gr…

English

Alex. Turing@TuringAlex·20 Mar

🚨The iOS exploit kit #Coruna is a fascinating case. With XLAB #PDNS, its DGA C2s are easily exposed—we grabbed four ourselves. Stats show ~4,400+ infected IPs (or researchers) per day. Surprisingly, 98.5% of these IPs are located in China, why?🤔 Happy hunting 🍷@Xlab_qax

English

2.3K

Alex. Turing@TuringAlex·20 Mar

做了一些微小的工作，make the world a better place🫡 Happy hunting 🍷@Xlab_qax

日本語

810

Alex. Turing@TuringAlex·20 Mar

@ESETresearch @felixaime Remote？

English

284

ESET Research@ESETresearch·20 Mar

#ESETresearch is hiring! Passionate about geopolitics, cyberespionage and cyber threat intelligence? We have a new opening for a strategic threat intelligence analyst at our Montréal office. Come join the team! eset.wd3.myworkdayjobs.com/ESET_External/…

English

8.8K

Alex. Turing@TuringAlex·13 Mar

@deobfuscately @Xlab_qax Haha, Long Live Command Tracing! 🍷

English

287

Ben@deobfuscately·13 Mar

Not just bigpanzi 😄 other tv boxes also observed removing it [ "com.n2.systemservice06", "com.n2.systemservice061", "com.n2.systemservice062", "com.n2.systemservice063", "com.n2.systemservice0644", "com.android.systemservice0644", "com.a.androidsvc", "com.k.sdk", "com.abcproxy.proxysdk", "com.abcproxy.lolsdk" ]

English

367

Alex. Turing@TuringAlex·13 Mar

🚨#Botnet In February, an invisible war broke out within #Android TV Boxes between #Bigpanzi and #Kimwolf. Bigpanzi issued the "pm uninstall" command to remove Kimwolf's APK，哈哈，果然同行是冤家😂 Happy hunting 🍷@Xlab_qax

English

5.5K

Alex. Turing@TuringAlex·12 Mar

@birising @Xlab_qax Maybe ctf or even PLC coding practice 🤔. I’m pretty clueless when it comes to PLCs🥹🥹

English

191

HR@birising·12 Mar

@TuringAlex @Xlab_qax come CTF with OpenPLC? 🤔

English

180

Alex. Turing@TuringAlex·12 Mar

🚨An interesting #ELF sample da2e396baf23de1881d06dd3377f84a6 on VT, packed by modified upx, appears to be a #PLC program for traffic light control, but why does it contain an embedded XOR code to establish a reverse shell to 173.180.247[.]200🤔? #IOC Happy hunting 🍷@Xlab_qax

English

Keşfet

@Xlab_qax @vkamluk @twtayaan @Huntio @KWinsock @chendahuamode @juanandres_gs @frdfzi