Andrew Pease (@andythevariable)
499 posts

Elastic Security Labs Technical Lead. Lawful Neutral. Threat Hunting with the Elastic Stack author. Retired CW4.
Joined May 2019
289 Following, 1K Followers

Pinned Tweet
Andrew Pease (@andythevariable):
It's not too often we get to work shoulder-to-shoulder with the practitioners and researchers on the front lines. #REF3927 is an intrusion set that deploys SEO cloaking capabilities, RATs, webshells, and RMMs - largely using a novel IIS module we named #TOLLBOOTH

    Quoting Elastic Security Labs (@elasticseclabs):
    #ElasticSecurityLabs joins forces with @tamusystem and discloses TOLLBOOTH, an IIS module used for SEO abuse that relies on publicly exposed ASP.NET machine keys: go.es.io/3L68p57
Andrew Pease retweeted
Olivia Gallucci ✨ (@OliviaGalluccii):
@IceSolst This is *exactly* what I am feeling. But, after chatting with folks at [un]prompted, it felt like everyone is ahead of me. The only person I chatted with that was able to concretely describe implementation details was at Elastic, and had access to OS and AI logs.
Andrew Pease retweeted
SolidSnake (@soolidsnakee):
We are tracking a #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs. www.ndibstersoft[.]com d15mawx0xveem1.cloudfront[.]net xMRi[.]neTwOrk
Devon Kerr (@_devonkerr_):
@0xTriboulet If you don’t let it on the Internet, any device can be dumb. I’m sure mine would love to run all manner of things, but it’s never had an IP address.
Andrew Pease retweeted
vx-underground (@vxunderground):
In regards to "cyber influencers", here is a list of people I think are actually great. However, I am extremely biased toward malware related content and/or low-level programming stuff. Unfortunately, some of the really technical people I like also do not post too often. They seem to appear out of thin air, release something spectacular, then disappear back into the ether.
- @vx_herm1t, inspiration of vx-underground
- @tmpout, linux malware stuff
- @LloydLabs, malware researcher
- @_ForrestOrr, malware researcher
- @_winterknife_, low-level development
- @splinter_code, security researcher
- @decoder_it, security researcher
- @gynvael, security researcher
- @LukasStefanko, malware researcher
- @bmmaloney97, DFIR researcher
- @hasherezade, malware researcher
- @SBousseaden, security researcher
- @Intel80x86, low-level development
- @0gtweet, security researcher
- @push_pnx, malware researcher
- @_xpn_, security researcher
- @ItsGamerDoc, anti-cheat researcher
- @herrcore, malware researcher
- @CyberCakeX, Windows defense, hardening
- @TwoSevenOneT, security researcher
- @NTDEV_, low-level development
- @daaximus, reverse engineering
- @JRoosen, malware researcher
- @PetrBenes, low-level development
- @x86matthew, low-level development
- @0xrepnz, low-level development
I'm getting tired of listing people now. This is just a brief list. All of these people are exceptionally talented and have inspired me in my personal research. There are a lot more who are also super talented and do great things.
MalwareHunterTeam (@malwrhunterteam):
"dsstorebackup" seen from Taiwan: eab38fff15b885790083ba4d4e27f51f8a6a50fdd0be204569d71704818e3f07 Only 2 AV detections on VT, but both are suggesting this is a sample of some North Korean actors... Maybe @L0Psec @patrickwardle @moonlock_lab @txhaflaire or any other Mac expert will look into this shit and tell if it's anything interesting... 🤷‍♂️
Andrew Pease (@andythevariable):
Excited to publish this in a few days…

    Quoting Devon Kerr (@_devonkerr_):
    @elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.
Andrew Pease (@andythevariable):
@SBousseaden This is how open source research is supposed to work. Responsible disclosure coupled with solid defense research. Rising tides raise all ships. #teamwork
Samir (@SBousseaden):
Nice research & highly likely this will be abused ITW. New detections out using the new term rule type to alert on a first-time-seen SubjectUserName in the last 10 days creating a new dMSA account or modifying the msDS-ManagedAccountPrecededByLink attribute. github.com/elastic/detect…

    Quoting Yuval Gordon (@YuG0rd):
    🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability. It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-…
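The "new term" logic Samir describes above, as an added illustration that is not Elastic's rule code: for each SubjectUserName, flag the first dMSA creation or msDS-ManagedAccountPrecededByLink modification that user has performed within a 10-day look-back. The event shapes are constructed to resemble Windows Security events 5137 (directory object created) and 5136 (directory object modified); the dMSA objectClass name used here is an assumption.

```python
"""First-seen-per-user detection for dMSA creation / PrecededByLink modification.

Added example, not Elastic's rule. Event dicts are constructed stand-ins for
Windows Security events 5137 / 5136 as they would appear after log parsing.
"""
from datetime import datetime, timedelta

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"   # assumed LDAP objectClass for dMSA
LINK_ATTR = "msDS-ManagedAccountPrecededByLink"      # attribute named in the rule
WINDOW = timedelta(days=10)                          # "last 10 days" look-back


def is_dmsa_activity(event):
    """True for a dMSA object creation (5137) or a PrecededByLink modification (5136)."""
    if event["event_id"] == 5137 and event.get("object_class") == DMSA_CLASS:
        return True
    if event["event_id"] == 5136 and event.get("attribute") == LINK_ATTR:
        return True
    return False


def first_seen_alerts(events, window=WINDOW):
    """Return the events where SubjectUserName performs dMSA activity for the first time
    in `window`, i.e. no prior qualifying event by that user within the look-back."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_dmsa_activity(ev):
            continue
        user = ev["subject_user"].lower()
        prev = last_seen.get(user)
        if prev is None or ev["ts"] - prev > window:
            alerts.append(ev)
        last_seen[user] = ev["ts"]
    return alerts


def alert_users(events, window=WINDOW):
    """Convenience view: ordered list of SubjectUserNames that triggered the rule."""
    return [ev["subject_user"] for ev in first_seen_alerts(events, window)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": datetime(2025, 5, 1), "event_id": 5137, "subject_user": "svc_admin",
     "object_class": DMSA_CLASS},                                   # first creation -> alert
    {"ts": datetime(2025, 5, 3), "event_id": 5137, "subject_user": "svc_admin",
     "object_class": DMSA_CLASS},                                   # within 10 days -> no alert
    {"ts": datetime(2025, 5, 4), "event_id": 5136, "subject_user": "svc_admin",
     "attribute": "description"},                                   # unrelated attribute -> ignored
    {"ts": datetime(2025, 5, 5), "event_id": 5136, "subject_user": "j.doe",
     "attribute": LINK_ATTR},                                       # new user modifies link -> alert
    {"ts": datetime(2025, 5, 6), "event_id": 5136, "subject_user": "J.DOE",
     "attribute": LINK_ATTR},                                       # same user, case-folded -> no alert
    {"ts": datetime(2025, 5, 20), "event_id": 5137, "subject_user": "svc_admin",
     "object_class": DMSA_CLASS},                                   # >10 days since last -> alert again
]

if __name__ == "__main__":
    for ev in first_seen_alerts(SAMPLE_EVENTS):
        print(ev["ts"].date(), ev["event_id"], ev["subject_user"])
```

Matching on the object class and the specific attribute keeps routine 5136/5137 noise out of the baseline, so the "first time seen" comparison is only against users who have actually touched dMSA objects before.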
Andrew Pease (@andythevariable):
As defenders it’s always interesting to see how TAs view the landscape vs. the commercial checkboxes. Iron sharpens iron, good red teams make good blue teams.
Andrew Pease retweeted
Samir (@SBousseaden):
Some detection/hunt rules to get started for SAP vuln CVE-2025-31324:
- JSP/JAVA/Class creation in the SAP IRJ dir.
- Suspicious child processes indicating execution.
github.com/elastic/detect…
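The two hunt ideas in the tweet above, as an added example that is not Elastic's rule code: flag JSP/Java/class file creation under an "irj" directory, and flag shell processes spawned by the SAP Java process. The SAP parent process names, the "irj" path component as the directory marker, and all sample events are assumptions or constructed data.

```python
"""Hunt logic for CVE-2025-31324 style activity: web-shell file drops in the SAP IRJ
directory and suspicious shells launched by the SAP Java process.

Added example, not Elastic's rule. Parent process names and sample paths are assumed.
"""
from pathlib import PurePosixPath, PureWindowsPath

WEB_EXT = {".jsp", ".java", ".class"}                     # extensions named in the tweet
SAP_JAVA_PARENTS = {"jstart", "jstart.exe", "java", "java.exe"}   # assumed SAP Java parents
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe", "pwsh"}      # execution indicators


def _path_parts(path):
    """Split a POSIX or Windows path into lower-cased components plus its extension."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return [part.lower() for part in p.parts], p.suffix.lower()


def is_irj_webshell_drop(event):
    """File creation of a JSP/Java/class file anywhere under an 'irj' directory."""
    if event["type"] != "file_create":
        return False
    parts, suffix = _path_parts(event["path"])
    return "irj" in parts and suffix in WEB_EXT


def is_suspicious_sap_child(event):
    """Shell interpreter started directly by the SAP Java process."""
    if event["type"] != "process_start":
        return False
    return (event["parent_name"].lower() in SAP_JAVA_PARENTS
            and event["name"].lower() in SHELLS)


def hunt(events):
    """Return (rule_name, event) pairs for every event that matches either rule."""
    hits = []
    for ev in events:
        if is_irj_webshell_drop(ev):
            hits.append(("irj_file_drop", ev))
        elif is_suspicious_sap_child(ev):
            hits.append(("sap_child_shell", ev))
    return hits


# Constructed sample telemetry (not real log data; paths are made up).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": "/usr/sap/PRD/J00/j2ee/irj/root/cache.jsp"},      # hit
    {"type": "file_create", "path": "/usr/sap/PRD/J00/j2ee/irj/root/logo.png"},       # wrong ext
    {"type": "file_create", "path": "/var/www/html/index.jsp"},                        # not IRJ
    {"type": "file_create", "path": "D:\\usr\\sap\\PRD\\J00\\j2ee\\irj\\root\\x.class"},  # hit
    {"type": "process_start", "parent_name": "jstart", "name": "sh"},                  # hit
    {"type": "process_start", "parent_name": "jstart", "name": "java"},                # benign child
    {"type": "process_start", "parent_name": "explorer.exe", "name": "cmd.exe"},       # wrong parent
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev)
```

Matching on a path component rather than a substring avoids false hits on unrelated directories that merely contain the letters "irj", and the case-folding makes the same rule usable on both Windows and Linux SAP hosts.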
Andrew Pease retweeted
Elastic Security Labs (@elasticseclabs):
Huh? That’s weird… what is that? It kind of looks like it’s a… new #cybersecurity report? 🤔 We’re excited about this one. Look out for more this week.
Andrew Pease (@andythevariable):
Sometimes naming intrusions and families can be tough - but sometimes TAs do all the hard work. Sorry Shelby's, but @soolidsnakee and @bluish_red_ had to put you to the canvas. #shelbyc2 #shelbyloader #ref8685

    Quoting Elastic Security Labs (@elasticseclabs):
    We’re exposing a newly discovered #malware family that has made its home on #GitHub. SHELBY targeted a middle east telecom company, uses GH commits for C2, and shares hard-coded tokens for authentication. Read the malware and campaign breakdown: go.es.io/3DXE8Cv
Andrew Pease retweeted
Virus Bulletin (@virusbtn):
Elastic Security Labs researchers look into the REF7707 campaign targeting the foreign ministry of a South American country. The intrusion set utilized by REF7707 includes novel malware families such as FINALDRAFT, GUIDLOADER and PATHLOADER. elastic.co/security-labs/…