f0wL

The current @ffmpeg situation.

And so it begins! youtube.com/watch?v=m08TxI…

@jamieantisocial @_mattata I agree with Remy. One additional nuance: Removing traces of Exfil makes it harder for IR folks to determine ad-hoc which and how much data was taken. Most orgs don’t have Zeek or Sysmon data to refer to. This may influence the victim orgs decision whether to pay (👎) or not.

@_mattata 👀 strong theory

business decisions were made.

@NexusFuzzy Cool trick, thanks for sharing 🙂

I found a what I think novel approach which allowed me to list some of the content of #Lumma #Infostealer Command & Control servers with the help of left behind .DS_Store files. Blog, tool and Lumma files can be found here nexusfuzzy.medium.com/lumma-stealer-…

@evstykas Dang, that sucks :( With your track record and this title, I would find it hard to pass up. Might be a good fit for the @CYBERWARCON CFP? 👀

Unfortunately 1500 hours of research was not enough to get accepted on defcon or black hat this year…

@d4rksystem @vxunderground Unfortunately no :( Would have loved to go, but it didn’t work out this year.

@f0wlsec @vxunderground Will you be at Botconf? 😁

@PsExec64 nice rage bait

☑️#ClickFix / Fake Captchas posing as Cloudflare Verification pages We stumbled upon a web page that closely resembles Cloudfare's Anti-DoS Verification pages. Upon clicking the verification button, the familiar ClickFix verification dialogue is presented. 1/7🧵

meme.png

Forensic readiness in ICS environments explained

@aejleslie @RecordedFuture Nicely done, additional coverage on these ops is urgently needed

🇷🇺 🇩🇪 - New @RecordedFuture report! This report examines malign influence operations linked to Russia and Russia-based actors (e.g. Doppelgänger, Operation Overload, CopyCop, Operation Undercut) ahead of the upcoming German elections. Blog: recordedfuture.com/research/stimm…

🚨Malware distributed via Steam Fancy a bit of after work gaming? Beware of infostealer malware distributed via the Steam store! Using @steamdb we managed to visually identify a very suspicious file in the game files. Luckily, we managed to retrieve a sample for analysis, which will follow in this thread.

@cyb3rops That list is very long these days… Fortinet? SonicWall? Citrix?

During the initial meeting with a customer on an IR case, if they mention they don’t know the threat actor’s entry vector, ask if they own an Ivanti device. If they ask why, simply tell them they’ll find out soon. While it’s not guaranteed that this is the actual entry vector, they’ll be impressed if your guess turns out to be correct.

Happy new year! Where are you planning to travel this year? What are you planning to eat?

@d4rksystem Thanks 😃 It’s an Ooni Kona propane oven

@f0wlsec Nice. What kind of stove/oven is that?

I cooka da pizza 🍕 2024+1 edition

@vxunderground how nice of them to check in

> get call at 10pm > weird long number > answer > people speaking Mandarin > ??? > they say theyre from alibaba > ask how vx-underground is going > tell them its 10pm > "is that a problem?" > tell them we stopped using alibaba > "is that a problem?" > mfw

@Myrtus0x0 made this for you 👍

wrote a quick disassembler for some bytecode I've been analyzing. Wasn't too bad. But taking that understanding and turning it into a full VM is quite a bit more difficult 😅. Have restarted 5 times so far due to not being happy with how I've attempted to replicate.

hear me out.... Wine grape varietals would be an EXCELLENT naming convention for TAs 🤌🍇