Joe Security
@joe4security
1.1K posts

Deep Malware and Phishing Analysis for Windows, Android, macOS and Linux

Switzerland · Joined August 2010
136 Following · 7.5K Followers

Pinned Tweet

Joe Security @joe4security
🚀 Joe Reverser 1.0.0 “Silver Wolf” is officially out! This stable release brings major upgrades for automated malware & phishing analysis:
• Full Chromium web agent for realistic attack navigation
• Redesigned Code Sandbox for faster deobfuscation workflows
• Skill Only Mode for precise analyst control
• Chat Report for full analysis traceability
• Office document analysis for phishing campaigns
From phishing lure to final payload — analyze the full attack chain with greater depth and transparency. Read the release: buff.ly/dfj94NA #cybersecurity #malware #threatintel #phishing

Joe Security @joe4security
Google: “We’ve added protections to stop potentially unwanted apps from changing your search engine.” PUA devs: fine, we’ll just politely navigate there with 40 Tabs and hit Enter until it works (source Joe Reverser)

hi guys @belkin_jr
@fr0gger_ I’m still sceptical about getting the full picture with this setup. What if there are second/third/fourth stage payloads that need to be retrieved and analyzed independently? What if there are sandbox detections in place? Does this pipeline do both static and dynamic analysis?

Joe Security @joe4security
🚨 From Joe Reverser Phishing investigation highlights 🧵
📧 Email:
🔎 SPF/DMARC failure
🖼️ Domain mismatch confirmed
📎 PDF attachment:
⚠️ High-entropy metadata
📷 QR code detected & extracted
🔗 Malicious URL uncovered
🧼 Clean structure (no JavaScript)
🌐 Multi-stage redirect chain
🛡️ Cloudflare verification layers
🔐 Fake Microsoft login → credential harvesting
#phishing #cybersecurity buff.ly/xFSW9wo

Thomas Roccia 🤘 @fr0gger_
@chris_heredia I am sure it will be offered to businesses soon. I am surprised this is not already the case tbh.

Joe Security @joe4security
This might be one of the most polished ClickFix pages we’ve seen 👀✨ Clean UX, smooth animations — it almost feels legit at first glance. Check out the video 👇 Joe Reverser’s full web agent captures the full flow, including clipboard activity 📋 and download detection ⬇️
🔎 Dropper summary:
📦 Delivers a legitimate Notepad++ updater (GUP.exe)
🧩 Bundled with a malicious DLL
🔐 Uses ChaCha20 encryption
🪞 Reflective PE loading
📚 DLL sideloading
🎯 Deploys an encrypted final payload (Vidar)
🔀 API forwarding for stealth
🧹 Anti-forensic memory wiping to evade detection
Polished on the surface — serious tradecraft underneath. 🎭 buff.ly/Ve3R11F

Joe Security @joe4security
Ever wondered how Joe Reverser powers agentic reverse engineering to dismantle multi-stage malware? 🤖🧠 From dropper ➝ loader ➝ payload — every layer is automatically unpacked, analyzed, and connected. 🔍💥 This is how modern malware analysis should work. Deep dive below 👇🔥 buff.ly/3Ty9DPO

Joe Security @joe4security
Another day, another #OpenClaw skill 😈 “Moltbook” skill pretends to be harmless — but drops a macOS stealer instead 🍏🕵️‍♂️ Behind the scenes: base64-obfuscated commands fetching the payload. Full infection chain breakdown in the Joe Reverser report 🔎📄 buff.ly/FKoO7NS

Joe Security @joe4security
🛠️ Joe Reverser
📥 Program.cs in ➜ 📦 unpacked binary out
⬇️ 🧪 Analysis Report buff.ly/VE680mS
⬇️ 💬 Chat Report buff.ly/GD5hQVu

Milan Špinka @SpinkaMilan
Previously, Vidar left all strings and C2 configuration in plaintext, allowing for easy tracking. Now, most (but not all!) interesting strings are xored with a single byte constant (so consider updating your Yaras with the appropriate modifier :)) and the C2 info is encrypted.

Milan Špinka @SpinkaMilan
We're observing #Vidar Stealer v2 samples adopting new control flow obfuscation techniques, string obfuscation using single byte xor, and C2 configuration encryption using a polyalphabetic substitution cipher. I've published a little decryption helper: gist.github.com/mspinka-r7/3c2…
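Both Vidar tweets above come down to one trick: strings XORed with a single byte constant, which is exactly what a YARA string's `xor` modifier matches without the analyst knowing the key. The block below is an added example, not code from those posts, from the linked gist, or from Vidar; its sample blob, key and strings are all constructed. It does the two things an analyst wants at this point: find the key from one known string (the same test YARA's modifier performs for every candidate key) and, when no known string is available, rank all 256 keys by how text-like the decoded bytes look.

```python
"""Single-byte XOR string recovery, the manual counterpart of YARA's `xor` modifier.

Added example: not code from the tweets above, from the linked gist, or from
Vidar. SAMPLE is constructed: four stealer-style strings XORed with one byte
(KEY) between filler bytes and NUL separators, standing in for a sample's
.rdata section. Neither search below uses KEY; they have to find it.
"""
import re
from typing import List, Optional, Tuple

KEY = 0x9C  # constructed key, used only to build SAMPLE


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; key 0 leaves the data unchanged."""
    return bytes(b ^ key for b in data)


_PLAIN = [b"wallet.dat", b"Login Data", b"Local State",
          b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"]
SAMPLE = (b"\x00\x01\x02MZ\x90"
          + b"\x00".join(xor1(s, KEY) for s in _PLAIN)
          + b"\x00\x00")

_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, like `strings -n 6`


def find_xor_key(data: bytes, known: bytes) -> Optional[int]:
    """Known-plaintext search: the key under which `known` occurs, else None.

    This is what a YARA string with the xor(0x01-0xff) modifier does: the
    literal is matched against all 255 single-byte XOR variants of itself.
    """
    for key in range(1, 256):
        if xor1(known, key) in data:
            return key
    return None


def text_score(decoded: bytes) -> int:
    """How text-like a candidate decoding is. Spaces and lowercase letters
    dominate real strings; control bytes are a strong sign of a wrong key."""
    score = 0
    for b in decoded:
        if b == 0x20 or 0x61 <= b <= 0x7A:    # space, a-z
            score += 3
        elif 0x41 <= b <= 0x5A:               # A-Z
            score += 2
        elif 0x21 <= b <= 0x7E:               # digits and punctuation
            score += 1
        elif b < 0x20 or b == 0x7F:           # control bytes
            score -= 3
        else:                                 # high bytes: normal in binaries
            score -= 1
    return score


def rank_keys(data: bytes, top: int = 3) -> List[Tuple[int, int]]:
    """Blind search: score all 256 keys and return the best (key, score) pairs."""
    scored = [(key, text_score(xor1(data, key))) for key in range(256)]
    scored.sort(key=lambda ks: ks[1], reverse=True)
    return scored[:top]


def recover(data: bytes, key: int) -> List[str]:
    """Decode with `key` and pull out the printable runs."""
    return [m.decode("ascii") for m in _RUN.findall(xor1(data, key))]


if __name__ == "__main__":
    found = find_xor_key(SAMPLE, b"wallet.dat")
    print(f"known-plaintext key: {found:#04x}")
    print("blind ranking:", [(f"{k:#04x}", s) for k, s in rank_keys(SAMPLE)])
    print("recovered:", recover(SAMPLE, found))
```

Because the key is one fixed byte for the whole sample, a key found from any one string applies to all of them, which is why `recover` needs no per-string work; if a rule with an `xor` modifier stops matching on a new build, the first thing to check is whether the key range in the modifier still covers what `find_xor_key` returns.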

Joe Security @joe4security
Clipboard hijacker (crypto clipper) spotted in Joe Reverser 🕵️‍♂️📋: watches for 25+ wallet formats (BTC/bc1/BCH/ETH/XMR/SOL/ADA/etc.) 💸, validates prefix/length/charset to avoid false positives ✅, then silently swaps in hardcoded attacker wallets 🔁😈 via CF_TEXT clipboard write 🧷. buff.ly/XM0OlhL
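The tweet above describes the clipper's whole decision loop: recognise a clipboard string as a wallet address by prefix, length and charset, validate it so that only real addresses get swapped, and write back a hardcoded replacement. The block below is an added example, not code from the tweet or from the analysed sample: its format table is a constructed subset of the 25+ formats, the attacker addresses are placeholders built inside the block, and no clipboard API is called; `clipper_swap` only computes the replacement a CF_TEXT write would carry, and `looks_swapped` is the defender-side check a clipboard monitor would run on the same logic.

```python
"""Wallet-address recognition by prefix, length and charset, as a crypto clipper does it.

Added example; not code from the tweet or from the analysed sample. FORMATS is a
constructed subset of the 25+ formats mentioned, ATTACKER holds placeholder
addresses built below (not real wallets), and no clipboard API is called.
"""
import hashlib
import re
from typing import Optional

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = BASE58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # each leading 0x00 is a '1'

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + BASE58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def base58check_ok(addr: str) -> bool:
    """Legacy BTC addresses end in a 4-byte double-SHA256 checksum; verifying it is
    the cheap way to avoid swapping text that merely looks like an address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and _checksum(raw[:21]) == raw[21:]

def make_btc_legacy(hash160: bytes, version: int = 0x00) -> str:
    body = bytes([version]) + hash160
    return b58encode(body + _checksum(body))

def _sol_ok(addr: str) -> bool:
    try:
        return len(b58decode(addr)) == 32  # a Solana address is a base58 32-byte key
    except ValueError:
        return False

# Anchored: the decision is made on the whole clipboard text. Order matters, since the
# BTC-legacy and SOL charsets overlap; an entry may add a validator beyond the regex.
FORMATS = [
    ("BTC-legacy", re.compile(rf"^[13][{BASE58}]{{25,34}}$"), base58check_ok),
    ("BTC-bech32", re.compile(rf"^bc1[{BECH32}]{{39,59}}$"), None),  # no bech32 checksum here
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$"), None),
    ("XMR", re.compile(rf"^[48](?:[{BASE58}]{{94}}|[{BASE58}]{{105}})$"), None),
    ("SOL", re.compile(rf"^[{BASE58}]{{32,44}}$"), _sol_ok),
    ("ADA", re.compile(rf"^addr1[{BECH32}]{{50,100}}$"), None),
]

def classify(text: str) -> Optional[str]:
    """Name of the wallet format `text` is in, or None if it is not an address."""
    text = text.strip()
    for name, rx, extra in FORMATS:
        if rx.match(text) and (extra is None or extra(text)):
            return name
    return None

ATTACKER = {  # placeholder destinations standing in for the hardcoded attacker wallets
    "BTC-legacy": make_btc_legacy(b"\x02" * 20),
    "ETH": "0x" + "00" * 19 + "ff",
}

def clipper_swap(clipboard: str) -> Optional[str]:
    """The clipper's decision: the address to write back, or None to leave the clipboard
    alone (no match, no wallet for that chain, or it already holds the attacker's)."""
    fmt = classify(clipboard)
    if fmt is None or fmt not in ATTACKER or clipboard.strip() == ATTACKER[fmt]:
        return None
    return ATTACKER[fmt]

def looks_swapped(copied: str, pasted: str) -> bool:
    """Defender-side check: same wallet format but a different address between what
    was copied and what is pasted is the clipper's signature."""
    f_copied, f_pasted = classify(copied), classify(pasted)
    return f_copied is not None and f_copied == f_pasted and copied.strip() != pasted.strip()

VICTIM_BTC = make_btc_legacy(b"\x01" * 20)  # constructed, carries a valid checksum
SOL_SAMPLE = b58encode(b"\x07" * 32)         # constructed 32-byte key

if __name__ == "__main__":
    for text in (VICTIM_BTC, SOL_SAMPLE, "0x" + "ab" * 20, "hello world"):
        print(f"{text[:20]:<20} {str(classify(text)):<11} swap -> {clipper_swap(text)}")
```

The checksum step is where the "avoid false positives" part of the tweet lives: a regex alone would also fire on base58-looking tokens such as hashes or session IDs, and a clipper that rewrites those reveals itself. The same strictness is what makes `looks_swapped` usable as a detection rule: an address changing to another valid address of the same format between copy and paste has no benign explanation.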

Joe Security @joe4security
Joe Sandbox v44 Smoke Quartz is out 🚀📝👀⏳💥😄🎉✨ Check-out our blog post to learn more about the new features and improvements: buff.ly/DLUHz5G

Check Point Research @_CPResearch_
Check Point Research unveils #VoidLink, a highly modular Linux malware framework with 30+ plugins, cloud/container persistence, robust OPSEC (runtime encryption, rootkits, self-delete), and links to Chinese-affiliated actors. Full analysis on our blog research.checkpoint.com/2026/voidlink-…