

abuse.ch
3.4K posts

@abuse_ch
Fighting malware and botnets





❗️Spamhaus’ Cyber Threat Intelligence Unit has identified a new malware loader, "SolarisLoader," used to deliver additional malware and stealers while using evasion and persistence techniques to avoid detection. Key findings and link to the full report below ⤵️⤵️ 📄 Research: spamhaus.com/resource-cente… 🕵Author: Nikolaos Totosis, Senior Threat Researcher Key findings: ➡️ SolarisLoader is being used by an unknown threat actor to actively deliver additional loaders and stealers. ➡️ Rather than relying on obfuscation, it abuses the Safetica Windows Driver to disable Windows services and terminate EDR processes, helping it avoid detection and improve infection success. ➡️ It patches Windows' internal Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) through direct opcode modification, effectively blinding Windows telemetry before persistence is established. ➡️ Persistence is reinforced through a combination of scheduled task registration, registry-based self-backup, and a watchdog process that automatically relaunches the implant after the victim reboots. ➡️ The malware stealer has already evolved through 10 distinct versions, confirming active development and ongoing operational use by the threat actor. #ThreatIntelligence #Solaris #Malware #ThreatResearch










Countdown is real ⌛️ Next week‼️ #ThreatResearch community gathers in Málaga 🇪🇸 Time to remind our PIVOTcon song: soundcloud.com/argonix/pivotc… But watch out — it's a banger! thx: @JReisdorffer #CTI #ThreatIntel #PIVOTcon26










New c2. Also dropped a bunch of their sensitive malware related files here urlhaus.abuse.ch/host/248bestmo… All I can say is that they are morons. Also his name is likely 'arthu' C:\Users\arthu\socks5\socks5.ps1