ExecuteMalware

17.4K posts

@executemalware

#malware hunter & analyst. Opinions are my own.

Cold country · Joined June 2016
171 Following · 27K Followers
ExecuteMalware retweeted
YungBinary (@YungBinary)
New blog post covering what's changed in Amatera Stealer 4.0.2 Beta! Plus a bug I found that can be used as a vaccine. - XTEA-encrypted strings - C2 protocol changes (AES -> ECDH P256 + ChaCha20-Poly1305) making decryption more difficult - SysCall SSN encoding, decoded just before WoW64Transition esentire.com/blog/amatera-s…
ExecuteMalware retweeted
Gen Threat Labs (@GenThreatLabs)
After months of active development, #Amatera has gradually become the most prevalent #infostealer in our userbase. And it's not slowing down – we're now observing fresh Amatera builds newly introducing control-flow flattening and indirect control-flow obfuscation. IoCs ↓ 0bf1eda8374ff2e3eb705e37eac8d65750a4d85454f535346100056399eba16f e72ec2cbe762ca672a14a7ee660c0cab61ba020267c56f9ab8982e3be1f61a8b 58fe4ed4bc57c28b4da6b9230ff4c9d62528cdc00bba79b9f105d2a742426f4b
ExecuteMalware retweeted
Josh Stroschein | The Cyber Yeti
I'm excited to announce that I'll be returning to Vegas for @BlackHatEvents with the FLARE team to help deliver our 4 day advanced class! This is an almost entirely rewritten course that now features: ✅ Reversing GO and Rust binaries ✅ Leveraging time-travel debugging ✅ Deobfuscating scattered control flow 👉 blackhat.com/us-26/training… Hope to see you there! DMs are open if you have any questions.
ExecuteMalware retweeted
Josh Stroschein | The Cyber Yeti
🤔 Can you truly dismantle what you don't know how to build...? In my upcoming @BlackHatEvents 2-day training, we're using modern LLVM pipelines to write the same obfuscation passes used by nation-states. Once you see the "why" behind the transform, the "how" of the reversal becomes more apparent. Learn how compilers work effectively so you can too 😉 ⏳ Early bird pricing ends May 22. Join me in Vegas: 🔗 blackhat.com/us-26/training…
ExecuteMalware retweeted
Alexandre Borges (@ale_sp_brazil)
The Exploiting Reversing Series (ERS) currently features 1051 pages of exploit development based on real-world targets: [+] ERS 09: exploitreversing.com/2026/04/28/exp… [+] ERS 08: exploitreversing.com/2026/03/31/exp… [+] ERS 07: exploitreversing.com/2026/03/04/exp… [+] ERS 06: exploitreversing.com/2026/02/11/exp… [+] ERS 05: exploitreversing.com/2025/03/12/exp… [+] ERS 04: exploitreversing.com/2025/02/04/exp… [+] ERS 03: exploitreversing.com/2025/01/22/exp… [+] ERS 02: exploitreversing.com/2024/01/03/exp… [+] ERS 01: exploitreversing.com/2023/04/11/exp… Now is the time to take a break to dedicate all my energy and focus to security research and new projects that will be announced in the coming weeks and months. Have a great day and enjoy reading. #exploit #exploitation #windows #chrome #macOS #iOS #hypervisors #vulnerability #research
ExecuteMalware retweeted
ANY.RUN (@anyrun_app)
🚨 Fake Word Online ➡️ Remote Access: Detection Blind Spots in Action A #phishing attack starting from an Outlook email redirects victims to a fake Word Online / OneDrive page, leading to stealthy remote access under the guise of a document preview. ⚠️ Instead of traditional malware loaders, the chain relies on legitimate tools to establish remote access while blending into normal corporate activity. This reduces visibility for traditional detection and increases the risk of delayed detection and prolonged attacker presence. ⚡️ In #ANYRUN Sandbox, analysts can observe high-value detection signals early in the execution chain, including suspicious document-delivery domains, silent software installation behavior, intermediate deployment stages, and utilities used to hide installed programs. ❗️ These artifacts help teams build detections around trusted-tool abuse, suspicious command-line behavior, and phishing infrastructure instead of relying only on file hashes. Execution chain: Outlook .eml ➡️ Word Online phishing page ➡️ MSI installer ➡️ Ninite /silent execution ➡️ Remote access via ScreenConnect ➡️ Activity concealment via HideUL 👨‍💻 See the full attack flow and collect IOCs to improve detection coverage: app.any.run/tasks/d6a45c89… 🔍 Explore related activity and validate hunting patterns using this TI Lookup query: intelligence.any.run/analysis/looku… Hunt for HideUL-related activity: intelligence.any.run/analysis/looku… Hunt for Ninite-based delivery chains: intelligence.any.run/analysis/looku… 🚀 Strengthen your SOC, detect complex threats faster, and boost team performance with #ANYRUN: any.run/enterprise/?ut…
ExecuteMalware retweeted
Virus Bulletin (@virusbtn)
Huntress's Andrew Brandt writes about a less known RMM called Tiflux, which is being used in a growing number of attacks that aim to establish persistence, transmit screenshots, and run commands to collect system profiling information. huntress.com/blog/tiflux-rm…
ExecuteMalware retweeted
ANY.RUN (@anyrun_app)
⚠️ Remote access tooling remained active last week. #AsyncRAT, #Remcos, #Warzone, and #Netwire all increased, while #Vidar continued to decline. 📌 Trend to watch: the activity points to attackers prioritizing persistence and operator access over large-scale credential theft. For defenders, that usually means fewer obvious indicators and more time between initial compromise and detection. Expand threat visibility in your SOC: any.run/enterprise/?ut… #Top10Malware
ExecuteMalware retweeted
Unit 42 (@Unit42_Intel)
We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to #OAuth device code phishing. Attackers replaced hardcoded URLs with runtime-fetched landing pages and generated images as blob URLs. Details at: bit.ly/4uCtzJQ
ExecuteMalware retweeted
Malwarebytes (@Malwarebytes)
Threat actors are abusing a Javascript runtime called Bun to spread NWHStealer. Bun’s relatively newer ecosystem helps attackers hide malicious code in larger executables and potentially evade detection.
ExecuteMalware retweeted
Who said what? (@g0njxa)
What we track as "APX Loader" is a Powershell loader leading to a Python-based RAT we have been observing lately whose operators are relying on malicious EV certs to sign their builds. Seen delivered from fake malicious search results impersonating Nord Pass and 1Password 1pass[.]md >>> 1pasword[.]at Sample - 69eaaa0e2f0b414b96b50b088d978cfe56a074a626d7179a67a5ee02b1830662 nordpass[.]to >>> nordpas[.]at Sample - f36a0dd43a2c10a585c81b968d108fd0a43f885cf394a54b4e44221dc3724833 File connects to C2 apx-broadord[.]com/login.php and retrieves further loader payload. Find the complete file here: db77101f82d391df882509bca61b8455703c7545152c7e436bfdc34f5969daf5 The loader adds Windows Defender exclusions, collects system information and sends the info to the C2 apx-broadord[.]com/utm.php encrypted using a defined RSA encryption function, then also downloads a Python payload, creating persistence on this file via Scheduled Task, and also downloads, decrypts and runs a second .NET payload in memory. The first file, a Python-based RAT, is loaded from vaci-cloud.b-cdn[.]net/Peton.zip. Inside the zip, the main.pyc file is executed. Find it here: .zip - 02b507b498e280578b56974382519a5fee608208d6ad8e724032eade83bec8d9 .pyc - 7c54bcf3aea8348e8902cac80eb0df31b43a71601a62e2514087fef40a416bfd This file decompiles into a Python-based RAT designed for persistence, remote control, payload delivery, in-memory malware execution, and post-exploitation activity. It establishes persistent encrypted WebSocket communication to C2 novayastaruxa[.]com. It collects system information and sends this data to the C2. It also provides full remote command execution capabilities through hidden cmd.exe and PowerShell sessions. It can upload and execute EXE, DLL, MSI, and PowerShell payloads, including fully in-memory PE execution, executable memory permissions, and reflective loading techniques.
It also supports file transfer operations, hidden console sessions, named pipe communication, process spawning, and a self-deletion capability. The second payload is downloaded from vaci-cloud.b-cdn[.]net/MM_SS.jar, AES decrypted and executed in memory. Find it here: e2109616b1c737f9cd99bd24e5832fab306722d9928a911f0420eb9c1695d9af It seems to be some kind of PE executable whose behaviour has not been analysed.
Squiblydoo (@SquiblydooBlog)

See the other files we've reported for APXLoader on CertGraveyard with the search below: certgraveyard.org/lookup?os=wind…

ExecuteMalware retweeted
Josh Stroschein | The Cyber Yeti
The latest episode of Behind the Binary is here! Debugger architect Xusheng Li (@vector35 ) breaks down why Time Travel Debugging (TTD) is the future of debugging—from solving the "granularity problem" in malware analysis to catching hardware-level microcode bugs. 🎧 podcasts.apple.com/us/podcast/ep2…
ExecuteMalware retweeted
Andrew Northern 𓅓 (@ex_raritas)
Really excited to have the opportunity to speak at the SANS Spring Cyber Solutions Fest 2026 today! I'll be discussing some of my research at @censysio about Living Off The Web. @SANSInstitute Want to learn more about Living Off The Web? 👇
ExecuteMalware retweeted
shenetworks (@shenetworks)
After not receiving a raise in the four years I’ve worked at BHIS they’ve now decided to reduce my pay by $40k after coming back from maternity leave and moving my role to solely pentesting. So I am looking for a new position effective immediately if anyone has any leads 😇
ExecuteMalware retweeted
ANY.RUN (@anyrun_app)
🚨 #BlobPhish credential-phishing campaign targets Microsoft 365, major U.S. financial institutions, and webmail services. ⚠️ Compromised accounts enable BEC, data exfiltration, and lateral movement, creating direct financial and operational risk. This campaign generates phishing pages directly inside the browser using blob objects instead of loading them over the network. The payload exists entirely in memory, which breaks network visibility and makes traditional detection unreliable. ⚡️ #ANYRUN Sandbox helps SOC teams observe this behavior, exposing in-memory phishing and enabling faster detection and response. See how the attack unfolds and collect IOCs: app.any.run/tasks/191b74fc…   📌 Explore full technical breakdown to understand detection gaps, validate your coverage, and strengthen phishing defenses: any.run/cybersecurity-…
ExecuteMalware retweeted
Who said what? (@g0njxa)
A fake RVTools build, signed "Xiamen Lunwei Huage Network Co., Ltd." (Sectigo), delivered from an unknown source leading to a Python-based RAT likely used as an initial access tool: d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4 Detonation: app.any.run/tasks/7583b22d… The installer downloads via Powershell from Dropbox a .zip containing two obfuscated Python scripts and executes them: collector .py (fc146e0907d2c1f182f01bb7417c9e4b1b9854395fa267c1093b4f5a0f7f526c) It collects detailed system reconnaissance data: machine ID, hostname, username, domain, privilege level, full system info, running processes, services, network connections, ARP table, and Active Directory-related data, writing results to a file "configA.json" Pmanager .py aeb1cca563df283b3d4065e601f0ac053559f20c681eb70ded38717c1fc259a9 It connects to any of the following C2s using custom encrypted communication: 45.61.136.94 64.95.12.238 162.33.179.149 64.95.13.76 64.95.10.14 It also performs system reconnaissance, sending information to the C2, and can execute arbitrary PowerShell commands received from the C2 as a full remote shell, save and execute exe, dll, msi or python files, and also installs persistence on the infected machine. All tasks performed on the machine are tracked back to the C2.