Jonathan Peters

397 posts


@cod3nym

Threat Researcher | Detection Engineer @nextronsystems @nextronresearch #Yara enthusiast | C# Developer

Germany. Joined August 2023
107 Following, 833 Followers
Jonathan Peters reposted
Nextron Research ⚡️ @nextronresearch
RegPhantom: a signed Windows kernel rootkit that turns the registry into a covert execution channel. It gives unprivileged usermode the ability to reflectively load an arbitrary PE into kernel memory, invisible to PsLoadedModuleList and standard driver enumeration tools.

The implant includes several stealth techniques:
- Post-execution memory wipe
- XOR-encoded hook pointers (in-memory obfuscation)
- Valid code-signing certificates
- CFG obfuscation with opaque predicates
- 28+ samples tracked (June–August 2025), signed with certificates from two Chinese companies

We're releasing:
- Full technical writeup
- Extensive deobfuscation scripts
- YARA detection rule

Full analysis: nextron-systems.com/2026/03/20/reg… #MalwareAnalysis #Rootkit #ThreatIntel #DFIR #Windows #KernelDriver
Jonathan Peters @cod3nym
@cyb3rops What I find interesting is that many heavily AI-generated pages look very much alike: the typical overuse of gradients, emojis and symbols in messages, often with additional animations on almost every element. To me, every site that fits that profile is an immediate red flag.
Florian Roth ⚡️ @cyb3rops
AI has killed one of the most useful filters on the Internet. Bad products used to look bad. Shady companies used to present themselves like shady companies. Half-baked projects usually had half-baked web sites, docs, logos and UX.

Now a 2h vibe-coded mess can look like a mature product:
- clean website
- polished logo
- nice README
- extensive docs

And underneath it’s still hallucinated garbage. AI made polish cheap. That’s a bigger change than many people realize.
Jonathan Peters @cod3nym
@snoooopy8382 @MrSujano GitHub is basically free. If you host the infrastructure yourself, you have ongoing costs and additional maintenance effort.
Snoooopy @snoooopy8382
@MrSujano Serious question. Why do developers host their repos on GitHub when DMCA requests are just a matter of time? Just privately host it or host on a decentralized network. Or perhaps I'm missing something... 🤔
Mr. Sujano | All Stuff, No Fluff @MrSujano
Nintendo Switch Emulator, Eden, just had its GitHub shut down. Reportedly, Microsoft/GitHub ignored the legal countermeasures from the Eden team. However, Eden still lives on elsewhere.
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
If you haven't already, check out @washi_dev's recent writeup on .NET misconceptions; he absolutely knows his stuff. And my honest advice? Please stop publishing YARA rules that don't work. You are not helping, you are teaching people to write BAD detections. blog.washi.dev/posts/misconce…
Jonathan Peters @cod3nym
@RussianPanda9xx @washi_dev Agreed. Good read and good points. Low-quality, untested rules are not helping; they're setting bad examples and increasing the number of false positives in community-driven detections.
Jonathan Peters reposted
Washi @washi_dev
Over the past couple of years, I have come to know the #dotnet platform pretty well, from a developer's and a #reversing standpoint. I can’t always say the same of the #infosec community. Today, I decided to rant a little (or maybe a lot 🙃) 👉 blog.washi.dev/posts/misconce…
Jonathan Peters @cod3nym
@t3ft3lb s0 for example would be unique enough to warrant triggering just on that alone, and the PE header and filesize limits make that very specific already.
Jonathan Peters @cod3nym
@t3ft3lb With strings and a pattern this specific, I would get rid of the dotnet module and avoid it entirely. Especially on larger rulesets it does have a large performance impact, and we found that we rarely ever actually need to use it.
Jonathan Peters reposted
Marius Benthin @marius_benthin
#NPM package author a_awerin started last Friday with simple, grounded JavaScript functions like capitalize(str). But after the weekend, things changed: the package now includes malicious code. For example: hxxps://x-ya[.]ru/FvXnR/msinit npmjs.com/package/ambar-…
Jonathan Peters @cod3nym
An LLM-generated malware loader, with basic obfuscation and some well-known LOLBIN execution technique. Still sits at only 1 detection on VT. We got it covered with multiple generic and technique-specific rules. virustotal.com/gui/file/b3d91…

Quoted post from Nextron Research ⚡️ @nextronresearch:
Our artifact scanner flagged what appears to be an LLM-generated malware loader hosted on Gist. The PowerShell script targets MSBuild.exe, using crafted project files to load additional .NET payloads. It includes extensive debug messages and comments, typical indicators of LLM-generated code. ☝️ While not highly sophisticated, this highlights how threat actors are leveraging LLMs for malware development. Sample: virustotal.com/gui/file/b3d91… Original source: hxxps[://]gist[.]githubusercontent[.]com/kaporaliven/157347814587c26ae241385ea0d1302a/raw/72287b1c62e6b794622df9927fc19b5ddb658ff0/Poid_loader01[.]ps1
Jonathan Peters @cod3nym
@RussianPanda9xx I would usually agree, but we should call out people who are spamming broken AI detection slop. It doesn't provide any value except giving people bad information and unactionable trash rules. He knows what he's doing and has been doing it for a long time.
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
💯 this. You can absolutely warn people about bad queries or AI slop without tearing someone down publicly. Even if they block you, there is always a way to reach out privately. Don’t be bullies. Correct the info, not the person. We are adults.

Quoted post from Thomas Roccia 🤘 @fr0gger_:
@Cyb3rMonk Maybe reach out to him privately and help him fix the query? I am sure you did it and it probably didn’t work, but the name and shame is probably not the best solution. 🙂
Jonathan Peters @cod3nym
@rj @Pirat_Nation Competition won't change the prices because AI companies will just gobble up any stock they get, no matter the price. There is no need to enter the market with cheaper prices because people will pay the high prices anyway.
rj @rj
@Pirat_Nation But this adds a competitor in the DDR5 market, which is greatly needed to drive prices down.
Pirat_Nation 🔴 @Pirat_Nation
China's leading DRAM producer, CXMT, has shifted strategy amid the ongoing global memory shortage:
- DDR4 production for servers and PCs is being phased out, with output slashed.
- DDR5 is now the focus: faster modules (up to 8,000 MT/s), LPDDR5X, and HBM3, with mass production targeted for late 2026.
- This shift removes a major source of cheap DDR4, helping drive global prices sharply higher.
- DRAM contract prices are forecast to jump 90–110% in Q1 2026.

The result: high memory prices and shortages likely through 2026–2027.
Jonathan Peters @cod3nym
@fr0gger_ @Cyb3rMonk He's been doing this grift of posting semi-working queries for quite some time now. He's been called out before and keeps doing it, so I doubt there is any interest in changing.
Thomas Roccia 🤘 @fr0gger_
@Cyb3rMonk Maybe reach out to him privately and help him fix the query? I am sure you did it and it probably didn’t work, but the name and shame is probably not the best solution. 🙂
Mehmet Ergene 🔸 @Cyb3rMonk
Heads up! This query doesn't work. It's just another slop. I don't understand how this guy gets that much engagement. Is he reaching out to certain people to boost his post? I don't care about the engagement. He is simply doing harm by spreading misinformation.
Jonathan Peters @cod3nym
@t3ft3lb Yeah, that makes sense. I just skimmed and my brain was too focused on generic rules haha
t3ft3lb @t3ft3lb
@cod3nym Of course, however, this does not apply to this particular APT group. The rule is specific rather than generic.
vs1m @Vsimpro
I have the coolest internet friends. Thanks CCC, see you next time :-)! #ttw #htp