
Devon Kerr
12.5K posts

Devon Kerr
@_devonkerr_
Senior Director of Product Research @HuntressLabs and custodian of secret histories. Posts are my own.







Check out our latest research on an #AI slop of a #banking toolkit targeting mexican banking customers. We found the promts in their comments, #OPSEC failure that exposed critical parts of their infra (content write) Research by @k33b0i and myself go.es.io/4eP6VZF #malware

TELEPUZ is a new modular malware spreading via CLICKFIX-VIDAR chains. Elastic Security Labs is tracking it. Active since late April 2026. The delivery path: ClickFix social engineering tricks users into running a PowerShell command that downloads a VIDAR Go variant, which then fetches a lightweight stager and the main TELEPUZ payload. The core DLL communicates over WebSockets and pulls additional modules from C2 on demand: Keylogger Stealer Web injector: intercepts browser sessions via CDP and WebDriver BiDi, with default configs targeting financial form fields like IBANs 36 commands. Indirect syscalls. AMSI and ETW patching. NTDLL unhooking. Multiple UAC bypasses. Still in active development: the shellcode injection command returns a TODO placeholder. C2 infrastructure is small (2 domains), but fallback methods include Telegram channels, Steam profiles, DNS records, and a Polygon smart contract that doubles as a kill switch. New builds hit VirusTotal daily. The C2 footprint is small, but this thing is moving fast for something that started 2 months ago. Full technical analysis: go.es.io/4wg6i1p



Did people not realize most personal level accounts don’t have ZDR?

This morning I was HACKED! I’m a blockchain developer with over 8 years of experience. I’m familiar with many of the techniques hackers use, but they are often one step ahead. They strike when you are most vulnerable. What happened: - A few days ago, I was contacted on LinkedIn by Kostiantyn Pustovyi. They offered me a collaboration opportunity on a Web3 game. - I immediately suspected they would send me a suspicious link, ask me to download some software, or something similar. But they didn’t. - This morning, I started the interview. The person explained the role, how I would be expected to help manage the team, and other details. - They showed me the repository I was supposed to work on. - I cloned it and ran yarn install. That’s when they got me. - An obfuscated script sent the credentials stored in process.env to their server. - They also asked me to test their online game and connect my wallet. They almost certainly intercepted my wallet password as well. I’M DESPERATE! I haven’t finished investigating yet, and I still don’t know exactly how many wallets were drained. I’ll continue posting updates as I learn more. BTSG, the bridge, and other related systems do not appear to be affected.





Joanna Rutkowska demonstrated Blue Pill at Black Hat 2006 before Vista had even officially shipped. She used AMD's hardware virtualization extensions to slide a running Windows instance into a virtual machine on the fly, no reboot, no BIOS modification, no disk changes. The OS kept running inside the VM without knowing it had moved. She claimed it was 100% undetectable because any detection program would itself be running inside the hypervisor she controlled. The name was a Matrix reference. She bought a driver signing certificate from a Microsoft partner site for $250 to demonstrate that driver signing meant nothing. Microsoft's entire Vista kernel protection strategy was the presentation.














