João Godinho
8 posts


It's over 9000! The number of infected IPs in Portugal in 2025... This group has been targeting Portuguese speakers with a banking trojan since at least 2019, and they just don't stop spamming.
bitsight.com/blog/brazil-lo…
João Godinho retweeted

🚀 Introducing #r2morph, a metamorphic binary transformation engine built on @radareorg + #r2pipe.
It applies semantic mutations (NOPs, instruction swaps, dead code, opaque predicates…) without breaking functionality.
🧠 Perfect for research on evasion, obfuscation & malware analysis.
🔗 github.com/seifreed/r2mor…
#malware #obfuscation #forensics #radare #radare2
João Godinho retweeted

Video up: [BSL2024] Weaponized Ads: A Stealer in Plain Sight by João Godinho (@jcfg_)
#BSidesLisbon2024
youtu.be/evWSd0Eh-TM

João Godinho retweeted

Ever wanted to take another look at #OperationTriangulation malware? Then check out VirusTotal - we have uploaded malicious modules used in this campaign.
virustotal.com/gui/file/ff2f2…
virustotal.com/gui/file/7e779…
virustotal.com/gui/file/c2393…
virustotal.com/gui/file/ff2f2…

João Godinho retweeted

Check out my latest blog post about Cova loader and Nosu stealer. These two went unnoticed... but only until now :) bitsight.com/blog/cova-and-…
João Godinho retweeted

We (@jcfg_ and I) just published an overview of the research we've done so far on #Pseudomanuscrypt at @BitSight. It includes sample archeology, network protocol identification, DGA domains sinkholing and infection telemetry.
bitsight.com/blog/zero-50k-…
João Godinho retweeted

Check out my latest post on @BitSight’s blog about SystemBC which showcases some of the telemetry we have from infected systems.
bitsight.com/blog/systembc-…