Sabitlenmiş Tweet
For those who want to go step-by-step and actually learn the reversing process, I’ve written a walkthrough that starts beginner-friendly and ramps up into advanced malware RE:
👉 links.darkrym.com/pxa
English
James Northey
11 posts
James Northey
@darkrym11
SOC Analyst @HuntressLabs | Malware junkie | AI Glazer - Always curious, always learning!
Australia Katılım Haziran 2025
98 Takip Edilen220 Takipçiler
Got to work on this with the legend @_JohnHammond. A user asked Codex to fix suspicious behaviour on their machine. Codex "solved" it, but the cryptominer kept running.
Plus: How Gen-AI noise is complicating investigations and how SOCs need to evolve.
huntress.com/blog/codex-par…
English
Found some very common adware quietly killing antivirus products. Then we found an unregistered update domain, and anyone with $10 could have pushed any payload to 25,000+ endpoints, AV already disabled.
So we registered it first.
huntress.com/blog/pups-grow…
Big thanks to @_rdowd
English
Great peek behind the curtain for how we do what we do, if your looking at getting into SOC work or just curious how we investigate this is well worth a read.
Jevon_Ang@Jev_3ng
Most SOC reports and write-ups are punchy, to-the-point, polished reports. After all, every investigation (regardless of vertical) starts out as a chaotic mix of different threads that we corral into order like a tired sheepdog dreaming of making it as an internet meme and retiring on the royalties. Unfortunately, these polished reports don't capture how we actually form our suspicions, the pivots, the dead ends, the moment it all starts to make some semblance of sense. If you've ever wondered what that process actually looks like, I've spun up a blog series that breaks down real MDR incidents to capture what it's like riding the investigation roller-coaster, so those new to the industry can see how we progress from start to end within the context of a SOC investigation. Please enjoy this breakdown of a threat actor's attempt to enumerate and pivot further into the victim's environment — made with 100% organic human analyst tears! jevonang.com/Investigations…
English
Investigated a very interesting attack at @HuntressLabs . Where the threat actors weaponised a slew of legitimate tools (Velociraptor, VS Code, and Cloudflared) to establish persistent access, culminating in Warlock ransomware.
Check out the full technical breakdown!
Lindsey O’Donnell Welch@LindseyOD123
Second part of a two-part @HuntressLabs blog series is here, which looks at several incidents where the threat actor used the Velociraptor DFIR tool - featuring ToolShell, Warlock ransomware, and a series of attacker fumbles. @darkrym11 huntress.com/blog/velocirap…
English
James Northey retweetledi
My first @HuntressLabs blog is live: we break down some funky ClickFix lures that lead to a loader which uses steganography to extract shellcode and ultimately deliver LummaC2/Rhadamanyths stealers.
Big thanks to @RussianPanda9xx for the help! 😇
huntress.com/blog/clickfix-…
English
@netresec I actually found my sample back in may - a few days before it showed up on VT, just took me a while to figure out the PureRAT stage, actually your blog help me identify it so thanks! virustotal.com/gui/file/a3963…
English
@darkrym11 The sample analyzed by plainbit might actually be slightly older than the one you looked at. Their blog post was published back in August and their analysis starts off with an email received on June 13 (see screenshot).
English
The technical detail in this #PureRAT analysis by Heejae Hwang (황희재) is fantastic!
blog.plainbit.co.kr/sanae-yuib-seu…
English
The analyzed #PureRAT sample looks very similar to the one @darkrym11 recently blogged about. It even uses the same C2 157.66.26.209:56001.
threatfox.abuse.ch/ioc/1567749/
English
In a recent investigation @HuntressLabs we uncovered how attackers used LFI for log-poisoning with an AntSword Shell to drop Nezha and then Ghost RAT. Big shoutout to @CyberRaiju and @birchb0y learnt heaps from them while working this one.
Max Rogers@MaxRogers5
1⃣ The @Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen. huntress.com/blog/nezha-chi…
English
@polygonben Thanks, Ben! I thought this was gonna be a quick write-up on some Python malware, but then I hit the .NET stages and took a whole lot longer.
English
These series of blogs are 🔥🔥, major thanks to @darkrym11 for your dedication 🫡
James Northey@darkrym11
For those who want to go step-by-step and actually learn the reversing process, I’ve written a walkthrough that starts beginner-friendly and ramps up into advanced malware RE: 👉 links.darkrym.com/pxa
English
For those who want to go step-by-step and actually learn the reversing process, I’ve written a walkthrough that starts beginner-friendly and ramps up into advanced malware RE:
👉 links.darkrym.com/pxa
English
I found a sample of PXA Stealer @HuntressLabs, which wasn’t quite right. After a lot of analysis, I discovered it was loading PureRAT, a commercially available, modular backdoor focused on surveillance of the Victim.
huntress.com/blog/purerat-t…
English