Brian Baskin

16.1K posts

@bbaskin

Threat researcher, malware analysis, RE, incident response, with some old school forensics and CTFing. Apologetic ginger. These are my personal opinions

Bawlmer, Maruhlan, US. Joined November 2008
885 Following, 7.1K Followers
Brian Baskin reposted
Sublime Security @sublime_sec
🚨 Zoom impersonation attacks are on the rise, and getting more convincing. We found a fake Zoom invite that launches a JS-based “meeting” with simulated lag, then delivers a malicious update download. Not simple phishing, a high-fidelity attack built to gain trust before delivering malware. Breakdown: sublime.security/blog/advanced-…
Brian Baskin reposted
The DFIR Report @TheDFIRReport
Threat Actors are "Bringing Their Own Forensics". In a recent ClickFix campaign, we saw threat actors likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
Brian Baskin reposted
BSidesCharm @BSidesCharm
Remember, a ticket to #BSidesCharm 2026 gets you access to our awesome Hiring Village on Sat 4/25, where you can get career help & talk with companies looking to hire! Details at bsidescharm.org/hiringvillage/
Brian Baskin reposted
RE//verse @REverseConf
RE//verse 2026 talks are live on YouTube! Want to revisit a talk or catch the ones you missed? The full playlist is now available: youtube.com/playlist?list=…
Brian Baskin reposted
Anton @Antonlovesdnb
Day 3 of #ClaudeForBlueTeam. We'll stick with the ATT&CK theme - working with the data kind of sucks on the website alone. It's static, you can't really take any notes and there's no cool graph view. Prompt Claude to make you a backlinked & tag-filled Obsidian vault containing the ATT&CK data - and specifically data sources. From here, you can do some powerful stuff like look at what data sources are required for SaaS type techniques. You can also visualize detection coverage for a particular technique.
Brian Baskin reposted
mthcht @mthcht2
LOLFSAAS: Living off Free SaaS. Hundreds of SaaS platforms with free tiers, documenting abuse surface, opsec risks, authent methods, C2 framework mappings, and operational limits. lolfsaas.github.io
Brian Baskin reposted
Rob @Rob_Mulla
In 2021 I mined 1.55 ETH into a crypto wallet. When I needed to access it recently my seed phrase didn't work in any standard tool. Turns out the wallet software (coinwallet) back in 2021 had a bug that gave people the WRONG SEED PHRASE! Anyone who created a wallet during that period can't access it by normal approaches. After weeks of forensics, I found the bug and recovered my ETH. Posting the full story and recovery code below! Full story: robmulla.substack.com/p/how-my-sons-… Repo: github.com/RobMulla/coins…
Brian Baskin reposted
Kostas @Kostastsale
Funniest investigation of the week: Attacker logs in as admin → Opens the browser → Googles how to uninstall tools → Downloads a cracked Russian copy of "Revo Uninstaller" with an activation key → Installs it → Then uninstalls the tools they just used 🤦 😂 💀 The whole cycle and everything else they did is coming to you through a flash hunt in the @ThruntingLabs soon. You'll have a laugh as well 😆
Brian Baskin reposted
BSidesCharm @BSidesCharm
Well, sometimes you hit the send button too quickly - Tuesday's post should have been announcing ROBERT M. LEE as the #BSidesCharm 2026 keynote!!
Brian Baskin reposted
BSidesCharm @BSidesCharm
It appears that the room block has filled up in record time - we have posted potential alternatives on bsidescharm.org/venue/
Brian Baskin @bbaskin
@TheUncleBob @facebook That is truly the best solution. In Facebook's quest to remain relevant, they've destroyed any reason to keep it installed.
Brian Baskin @bbaskin
A whole new level of enshittification is constant notifications from @Facebook app about random junk. It cannot be disabled at all, even with help from Facebook support AI.
Brian Baskin reposted
Cory Zue @czue
PSA: I just survived the best phishing attempt I've ever seen. A "reporter" at TechCrunch with a 10-year-old account and 9k followers DMed me asking if I'd be interested in giving input to an article that sounded relevant. When I said yes, they sent me to a real cal.com link to book with the name of an actual TC reporter. After booking, I got redirected to another page saying I had to verify myself to complete the booking. The auth request looks somewhat legit, except for a small red note that it's not approved. My spidey sense had been tripped and I realized the domain was sketchy, but if I wasn't on autopilot (or if I was an OpenClaw) I might have easily given them full access to my account. Stay safe out there.
Brian Baskin reposted
Jamie Levy🦉 @gleeda
🧵 We recently had an incident that involved a MuddyWater hands-on attacker who couldn't spell "administrators". Full timeline breakdown below. 1/
Brian Baskin reposted
Petr Baudis @xpasky
> be me, buy a minipc sporting a shiny rgb stripe
> can i turn it off?
> found a windows binary blob that can control it, welp
> download the zip and fire up pi
> gpt-5.4: "reverse engineer LedControl_S3A_F3A.exe, i'd like to control the LEDs from Linux" (that's the full prompt)
> 10 minutes of `objdump -d` later: "Yes — I dug into it."
> i can now control my rgb stripe from linux
> what.
Brian Baskin reposted
nolen @itseieio
made a hook that adds a bouncing dvd logo to claude code whenever it's thinking