Andrew Pease

514 posts

Andrew Pease banner
Andrew Pease

Andrew Pease

@andythevariable

Elastic Security Labs Technical Lead. Lawful Neutral. Threat Hunting with the Elastic Stack author. Retired CW4.

Katılım Mayıs 2019
287 Takip Edilen1K Takipçiler
Sabitlenmiş Tweet
Andrew Pease
Andrew Pease@andythevariable·
I think the really big takeaway from this is the abuse of a legitimate tool's plugin capability to execute💀scripts. Many hours of work over the weekend by @soolidsnakee @DanielStepanic and @SBousseaden.
Andrew Pease tweet media
Elastic Security Labs@elasticseclabs

We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and it’s loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB

English
0
3
13
1.4K
Andrew Pease
Andrew Pease@andythevariable·
The attempts at environmental anti-tamper techniques to encrypt the payload were clever…just not enough. #tclbanker #ref3076
Andrew Pease tweet media
Elastic Security Labs@elasticseclabs

We uncovered a new Brazilian banking trojan campaign: TCLBANKER. What makes TCLBANKER notable isn’t just the malware itself, but how it spreads. The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection. For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit. Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign. Read the full analysis: go.es.io/4ewvCKF

English
0
1
5
658
Andrew Pease retweetledi
🄱
🄱@lvc1ferrr·
Elastic Security Labs warned that attackers are targeting crypto users through Obsidian community plugins that silently install PHANTOMPULSE malware. They lure victims into opening a shared cloud vault in the note-taking app.
🄱 tweet media
English
6
1
6
273
Andrew Pease
Andrew Pease@andythevariable·
Seeing this tool in action is fantastic, but don’t sleep on the fact that it was also released for your environment github.com/elastic/supply…
Elastic Security Labs@elasticseclabs

One of our researchers built an AI powered supply chain monitoring tool on a Friday afternoon. The following Monday night it caught the Axios npm compromise before most people knew it existed. Elastic Security Labs is open sourcing the tool. Full story by @dez_ here: go.es.io/4bOfsuq

English
0
0
0
186
Andrew Pease retweetledi
Samir
Samir@SBousseaden·
New blog post - prioritizing alerts triage with higher-order detection rules elastic.co/security-labs/…
English
0
17
66
5.8K
Andrew Pease
Andrew Pease@andythevariable·
Speaking of finger-pointing...we're lookin' at you #UNC1069
Elastic Security Labs@elasticseclabs

We have discovered a massive supply chain compromise in the Axios npm package. A backdoored maintainer account delivered a cross-platform RAT for Linux, Windows & macOS, targeting the Axios package, which has ~100M weekly downloads and is in the top five most popular Node.js packages. We filed a GitHub Security Advisory to coordinate the disclosure, ensuring that the maintainers and the npm registry could act swiftly on the compromised versions. Full analysis: go.es.io/4sHybxr

English
0
0
2
558
Andrew Pease retweetledi
Olivia Gallucci ✨
Olivia Gallucci ✨@OliviaGalluccii·
@IceSolst This is *exactly* what I am feeling. But, after I chatting with folks at [un]prompted, it felt like everyone is ahead of me. The only person I chatted with that was able to concretely describe implementation details was at Elastic, and had access to OS and AI logs.
English
2
2
17
1.2K
Andrew Pease retweetledi
SolidSnake
SolidSnake@soolidsnakee·
We are tracking #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs. www.ndibstersoft[.]com d15mawx0xveem1.cloudfront[.]net xMRi[.]neTwOrk
English
2
7
25
2K
Devon Kerr
Devon Kerr@_devonkerr_·
@0xTriboulet If you don’t let it on the Internet, any device can be dumb. I’m sure mine would love to run all manner of things, but it’s never had an IP address.
English
2
0
1
161
Steve S.
Steve S.@0xTriboulet·
I know there's a company that makes 'dumb' washers and dryers. Is there a company that makes 'dumb' TVs?
Windows Latest@WindowsLatest

Microsoft Copilot AI comes to LG TVs, and it cannot be removed. After Windows 11, Microsoft 365, and other products, Copilot is now being automatically installed on LG TVs. LG says Copilot on TVs allow users to “efficiently find and organize complex information using contextual cues.” More recently, LG rebranded its remote to “AI Remote" and Microsoft Copilot is part of the "AI TV" efforts. Samsung is also adding Copilot to its TV.

English
4
2
7
1.3K

Keşfet

@soolidsnakee @DefSecSentinel @SBousseaden @RFGroenewoud @dez_ @elasticseclabs @IceSolst @_devonkerr_