Filescan.io

Commodity implants still need deep triage, not just AV labels. Especially for threat hunters! New sample of APT28's Covenant .NET: obfuscated methods, crypto + HttpClient API C2. See the full report: filescan.io/uploads/69df6d… #ThreatHunting #Malware

Stealers are hiding loaders inside fake certificates — decoded at runtime, clean on disk. Standard AV often misses it. Know what to look for and how to hunt it yourself: filescan.io/search-result?… #ThreatHunting #Malware #Evasion

🧵 Tweet 3/3: ATT&CK and MBC coverage, YARA hits, live AES key extraction, and all extracted IOCs in one report. See everything filescan.io caught 👇 filescan.io/uploads/69ca88…

🧵 Tweet 2/3: The full chain: BAT dropper > PowerShell with -ep bypass + hidden window + reversed API strings > reflective .NET assembly load, never touching disk. Packed with .NET Reactor 6.x (Anti-Tamper + Anti-ILDASM). 12 files extracted from a single 1.6 MB script.

🧵 Tweet 1/3: A batch script hiding a 3-stage loader: AES-encrypted payload, hardcoded key extracted live during emulation. No execution needed, filescan.io peels back every layer 🔍 #MalwareAnalysis #ThreatIntel #CTI #Sandbox #Infosec

Time to hunt with Filescan! 🔍 Malware config extraction turned recent samples into quick hunting leads: - #AsyncRAT masquerading as Netflix/Spotify/Copilot/Roblox - #Remcos using DuckDNS for C2 - #XWorm using portmap[.]host and *.ply.gg tunnels filescan.io/search-result?…

🎯 Emulation catches what static misses! New underdetected sample flagged as Confirmed Threat🚨 The execution chain mirrors #FairyWolf activity across Russian industries, deploying Unicorn Stealer HTA→VBS Script→Unicorn Report: filescan.io/uploads/699d22… #zeroday #sandbox

New malware sample spotted 🔍👀 Fresh JS dropper linked to an ongoing phishing campaign from October still delivering #Remcos #RAT. FileScan’s emulation decoded a reversed-Base64 payload, extracting dropped artefacts + Remcos config & C2 IoCs. Report: filescan.io/uploads/69673f…

What to hunt more? filescan.io/search-result?… SonicWall's Threat Report: sonicwall.com/blog/dbatloade…

Yesterday's Report of the Day showed a nice threat: JS > autoit > payload. Then similarity search quickly revealed it’s part of an active campaign, reported by SonicWall months ago. A reminder of how powerful is for hunting campaigns fast. #remcos #intel filescan.io/uploads/695fc9…

Geopolitics used as bait by Kimsuky Always catchy to see geopolitics used as bait! 🇺🇸📄 Malicious .LNK impersonates the 2025 U.S. National Security Strategy to deploy malware (initially attributed to #Kimsuky 🇰🇵) filescan.io/uploads/693a53… #threat #intelligence #sandbox #DFIR

Fully undetected loader script 🚨 Flagged by Filescan.io!🦉 Linked to the latest #MuddyWater APT campaign targeting critical infrastructure in Israel & Egypt. The sample remains undetected by most AV vendors. Check out our report: filescan.io/uploads/69394d… // #sandbox

Vietnam gov #phishing campaign Attack chain: 📩eml->js->bat-> PowerShell☠️ 4 days ago, a malicious file disguised as a tax notice from Vietnam's Government was uploaded and detected as a threat by Filescan’s emulation. Check out how we flagged this! 🦉 filescan.io/uploads/691ad8…

Still malware in MP3s? 🎧 @TrendMicro uncovered Fake CAPTCHA campaigns abusing MP3s with obfuscated JS — and the audio still plays. Want to rip open the track, emulate hidden code, and expose this threat's insights — all in a single run? 🔍 filescan.io/uploads/6900d7… #sandbox #DFIR

@JustWantToQ1 @skocherhan We will fix this asap, thx for reporting!

@skocherhan @filescan_itsec >UK flag = Ukranian lmao

Want to hunt the most used .NET loader today?🎯 #RoboSki It stealthy poses as a harmless app, decrypts a bitmap to load a protected .NET DLL, then drops the payload. Don’t want to unpack it yourself? 💥 Hunting query: filescan.io/search-result?… Report: filescan.io/uploads/686fac…

🚀 Malicious #AI models aren’t theory—they’re a real supply-chain threat. Attackers use new evasion tricks to slip past scanners. See how filescan.io detects poisoned models before they reach production: opsw.at/cDGW3Zh #AI #SecOps #Infosec #Sandbox

Attackers abused Alibaba #AI brand to push fake #PyPI packages with malicious #Pickle stealer 😈🥒. Though online less than 24 hours, they were downloaded ~1,600 times. This shows how fast supply chain attacks can spread Check out sandbox's Pickle scan: filescan.io/uploads/68bf95…

How cool is it when AI flags a malicious email at entry, and sandbox emulates the infection chain in seconds? email > doc > shellcode > vbs > ps > payload Check out a #phishing email we received last week in our community instance: filescan.io/uploads/68b8b0… #aidetect #sandbox

Nothing beats a .NET holiday! 🎶 Wait... 🦸 Our #sandbox does! The sample hides malicious DLLs in image resources using #steganography 🖼️🐀 which will then perform the decrypting and loading of the final #stealer payload ⚙️ Our detection: filescan.io/uploads/689ca1… #malware