Devon Kerr

12.5K posts

Devon Kerr banner
Devon Kerr

Devon Kerr

@_devonkerr_

Senior Director of Product Research @HuntressLabs and custodian of secret histories. Posts are my own.

New York State Katılım Ekim 2014
778 Takip Edilen8K Takipçiler
Devon Kerr retweetledi
Steve YARA Synapse Miller
Steve YARA Synapse Miller@stvemillertime·
@ImposeCost Information has a spectrum of resolution, form factors, use cases and consumers. Yesterday's data is today's decision advantage and by tomorrow its just history. Finished intelligence?! Finished to whom, amirite?
English
0
1
5
307
Devon Kerr retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
7 trojanized repos targeting developers. Zero detections across every AV vendor. Elastic Security Labs is tracking a new Contagious Interview campaign (REF9403) where DPRK-aligned actors distribute fake coding challenges through Slack job postings. The repos masquerade as real Next.js e-commerce projects. The code was copied from a legitimate template called GoCart. The difference is steganography. Base64 payload fragments are hidden inside HTML comments in SVG flag images. A script reassembles them alphabetically, decodes with a custom function, and runs on server start. What deploys: - Credential stealer targeting 25 crypto wallet extensions plus browser login data - File stealer scanning for .env, .pem, .ssh, .aws, documents, images, shell history, and source code - Socket. IO RAT providing real-time interactive shell access - Clipboard stealer polling every 500ms, plus a Windows dropper downloading 3 disguised executables from the C2 Full analysis from Elastic Security Labs by @danielstepanic : go.es.io/4fqEhgp
Elastic Security Labs tweet media
English
1
25
67
3.6K
Devon Kerr retweetledi
𝕡𝕨𝕟𝕚𝕖
APT41 built malware called Calendarwalk that uses Google Calendar events as its command and control channel. The malware reads instructions embedded in calendar event descriptions. Google Calendar is on virtually every corporate allowlist. No unusual domain. No suspicious traffic pattern. Just calendar sync. A companion malware called Tabbywalk from the same group uses Google Drive in the same role. Both variants share the same loader, which is how analysts linked them to the same threat actor.
𝕡𝕨𝕟𝕚𝕖 tweet media𝕡𝕨𝕟𝕚𝕖 tweet media
English
8
40
163
57K
Devon Kerr retweetledi
Adam Chester 🏴‍☠️
Receiving connection requests from "CEO & Founder of <Some AI Slop InfoSec Company>" is the new "I wanted to connect to discuss an exciting role" on LinkedIn 🤦‍♂️
English
2
1
15
2.5K
Devon Kerr retweetledi
SolidSnake
SolidSnake@soolidsnakee·
#Threat actor left an unauthenticated write functionality in their server that lets you modify config files. The AI slop is hitting hard, inexperienced threat actors relying too much on it are leaving massive security gaps and digital footprints behind them. We will see even more #OPSEC failure in the near future 🙂‍↕️
SolidSnake@soolidsnakee

Check out our latest research on an #AI slop of a #banking toolkit targeting mexican banking customers. We found the promts in their comments, #OPSEC failure that exposed critical parts of their infra (content write) Research by @k33b0i and myself go.es.io/4eP6VZF #malware

English
0
2
8
781
Devon Kerr retweetledi
Devon Kerr retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
TELEPUZ is a new modular malware spreading via CLICKFIX-VIDAR chains. Elastic Security Labs is tracking it. Active since late April 2026. The delivery path: ClickFix social engineering tricks users into running a PowerShell command that downloads a VIDAR Go variant, which then fetches a lightweight stager and the main TELEPUZ payload. The core DLL communicates over WebSockets and pulls additional modules from C2 on demand: Keylogger Stealer Web injector: intercepts browser sessions via CDP and WebDriver BiDi, with default configs targeting financial form fields like IBANs 36 commands. Indirect syscalls. AMSI and ETW patching. NTDLL unhooking. Multiple UAC bypasses. Still in active development: the shellcode injection command returns a TODO placeholder. C2 infrastructure is small (2 domains), but fallback methods include Telegram channels, Steam profiles, DNS records, and a Polygon smart contract that doubles as a kill switch. New builds hit VirusTotal daily. The C2 footprint is small, but this thing is moving fast for something that started 2 months ago. Full technical analysis: go.es.io/4wg6i1p
Elastic Security Labs tweet media
English
0
20
63
6.1K
Devon Kerr retweetledi
SolidSnake
SolidSnake@soolidsnakee·
Ongoing #infostealer #campaign hitting devs. It's the "Contagious Interview" (DPRK style). Shows up as a coding test or job-interview repo. You run it, it beacons out, steals your whole environment, and opens a JS eval() backdoor. Been collecting #IOCs, sharing below 🧵
bitangel84@bitangel84

This morning I was HACKED! I’m a blockchain developer with over 8 years of experience. I’m familiar with many of the techniques hackers use, but they are often one step ahead. They strike when you are most vulnerable. What happened: - A few days ago, I was contacted on LinkedIn by Kostiantyn Pustovyi. They offered me a collaboration opportunity on a Web3 game. - I immediately suspected they would send me a suspicious link, ask me to download some software, or something similar. But they didn’t. - This morning, I started the interview. The person explained the role, how I would be expected to help manage the team, and other details. - They showed me the repository I was supposed to work on. - I cloned it and ran yarn install. That’s when they got me. - An obfuscated script sent the credentials stored in process.env to their server. - They also asked me to test their online game and connect my wallet. They almost certainly intercepted my wallet password as well. I’M DESPERATE! I haven’t finished investigating yet, and I still don’t know exactly how many wallets were drained. I’ll continue posting updates as I learn more. BTSG, the bridge, and other related systems do not appear to be affected.

English
3
12
29
6.4K
spencer
spencer@techspence·
Read any threat report and you will see, one singular defensive control/security product is never enough. Coverage and layered defense is the game. Not silver bullets and crossing your fingers.
English
8
3
25
4.9K
Devon Kerr retweetledi
𝕡𝕨𝕟𝕚𝕖
𝕡𝕨𝕟𝕚𝕖@0xpwnie·
It'll be rude of me to not talk about one of the most pragmatic trailblazers in the industry: @rootkovska Joanna Rutkowska (pronounced root-kov-ska) is a polish computer security researcher known for her pioneering in low-level system security, stealth malware, and building one of the most security focused desktop operating systems. Major achievements n contributions: > In 2006, she demonstrated Blue Pill at Black Hat Briefings(aforementioned in the tweet below). She was named one of Five Hackers Who Put A Mark on 2006 by eWeek. > She coined the term 'Evil Maid attack'(physical compromise via firmware/bootloader tampering, e.g., via USB) and researched related defenses(Anti EVil Maid). > She founded Invisible Things Lab (2007) and led the development of Qubes OS (starting 2010), a security-oriented OS that uses Xen virtualization for strong compartmentalization ('security by compartmentalization'). It has been praised by experts including Edward Snowden, who said it was the best OS for security. she has spoken at major conferences and published influential papers, such as 'Intel x86 Considered Harmful (2015) Career timeline and shift -- Early career: off sec research on Windows/LInux kernel malware, virtualization insecurities, intel technologies (TXT, vPro/AMT, etc.). -- 2007-2018: Founded and led Invisible Things Lab: developed Qubes OS. -- 2018 onward: stepped down from day-to-day Qubes/ITL leadership to join the Golem Foundation (as Chief Strategy/Security Officer), focusing on decentralized systems and the Wildland project. -- Recent years: Continued architectural work on Wildland/Golem-related efforts. -- As of early 2026: she has largely stepped away from active computer security work. In February 2026, she launched a new personal blog called Traces Of Humanity (tracesofhumanity[.]org), describing it as a place for her struggles between rationality and humanism, and discussing personal projects. she has described her philosophy as : 'Distrusts computers. Keeps embracing them anyway.' Online presence: -twitter @rootkovska - bluesky @rootkovska.bsky.social - mastodon @[rootkovska] - github [github.com/rootkovska - personal website/blog (tracesofhumanity[.]org)
𝕡𝕨𝕟𝕚𝕖 tweet media𝕡𝕨𝕟𝕚𝕖 tweet media𝕡𝕨𝕟𝕚𝕖 tweet media
𝕡𝕨𝕟𝕚𝕖@0xpwnie

Joanna Rutkowska demonstrated Blue Pill at Black Hat 2006 before Vista had even officially shipped. She used AMD's hardware virtualization extensions to slide a running Windows instance into a virtual machine on the fly, no reboot, no BIOS modification, no disk changes. The OS kept running inside the VM without knowing it had moved. She claimed it was 100% undetectable because any detection program would itself be running inside the hypervisor she controlled. The name was a Matrix reference. She bought a driver signing certificate from a Microsoft partner site for $250 to demonstrate that driver signing meant nothing. Microsoft's entire Vista kernel protection strategy was the presentation.

English
10
43
479
30.6K
Devon Kerr retweetledi
SolidSnake
SolidSnake@soolidsnakee·
Check out our latest research on an #AI slop of a #banking toolkit targeting mexican banking customers. We found the promts in their comments, #OPSEC failure that exposed critical parts of their infra (content write) Research by @k33b0i and myself go.es.io/4eP6VZF #malware
English
0
12
21
2.9K
Devon Kerr retweetledi
Lontz
Lontz@lontze7·
The second part of the #FortiBleed campaign analysis is out. Important Findings: -Links to #INC & #Lynx ransomware groups -Internal structure of affiliates -FortiGate attacking playbooks -AI-assisted vulnerability research. socradar.io/resources/whit…
Lontz tweet media
English
0
12
50
3.6K
Devon Kerr retweetledi
Terrance DeJesus
Terrance DeJesus@_xDeJesus·
TIL: Entra ID Sign-In Logs... Legacy apps. I'm so used to "What is the app ID & name?", I overlooked the 'client_app_used' field which clearly states a MSFT-labeled legacy app, SMTP at that where "Office 365 Exchange Online" is the app. So show me client apps used that are known legacy. First occurrence on UPN. Or just make sure "Block legacy authentication" CAP is enabled 😅 #threathunting
Terrance DeJesus tweet media
English
1
4
25
2K
Devon Kerr retweetledi
Terrance DeJesus
Terrance DeJesus@_xDeJesus·
To no surprise. The more phishing infra I hunt, the more I see ops leverage/abuse Cloudflare captchas/workers.dev/etc. #threathunting
Terrance DeJesus tweet media
English
2
5
21
2K
Devon Kerr retweetledi
Martin Sohn Christensen
Martin Sohn Christensen@martinsohndk·
#TROOPERS26 afterglow: @4ndr3w6S on building a solid LDAP detection stack - why signature-based detection is failing and volume-based detection generally wins. Lots of tips for detecting SharpHound, ldapnomnom, SOAPy & more. Detection engineering is so cool..
Martin Sohn Christensen tweet media
English
2
10
30
4.6K
Devon Kerr retweetledi
Terrance DeJesus
Terrance DeJesus@_xDeJesus·
Reminder to monitor for ROPC-based auth. Not just Entra ID sign-in logs, but UAL as well. BAV2ROPC user-agent may suggest legacy app usage. First-occurrence based rules for this are generally low volume from telemetry I've seen. Aggregation-based queries can help identify more stats driven anomalies like password spraying. Happy hunting! #azure #password github.com/elastic/detect…
Terrance DeJesus tweet media
English
0
5
17
1.4K