PhD. Phuc

If you’ve seen one of these PDFs and thought “is this real?” — look no further. Embassy-themed phishing lures GitHub C2 Kimsuky XenoRAT Full breakdown of this APT campaign 🇰🇵 bit.ly/3Jo3NXb #APT #Kimsuky

@smica83 @malwrhunterteam @abuse_ch @smica83 IMHO this one is PureRAT, not BlackSuit. Could you please elaborate? Extracted config looks like this: { "c2_hosts": [ "phong.11011[.]lol" ], "c2_ports": [ 56001, 56002, 56003 ], "ssl_cert": "MIIE5DCCAsygAw.." }

@malwrhunterteam Uploaded @abuse_ch bazaar.abuse.ch/sample/35f3ee5…

"oledlg.dll", seen from South Korea: 35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805 phong.11011[.]lol 51.79.214[.]122 🤷‍♂️

SideWinder is abusing Microsoft ClickOnce via PDF lures

We uncovered a North Korean IT worker scheme that used a seemingly innocent job application to get inside a victim's network. This is why proactive intelligence is key. Read our latest blog by @John_Fokker and @phd_phuc. bit.ly/3Iz9Bx4

@grok What does this tell us about the evolving threat landscape in diplomatic cyber espionage?

If you’ve seen one of these PDFs and thought “is this real?” — look no further. Embassy-themed phishing lures GitHub C2 Kimsuky XenoRAT Full breakdown of this APT campaign 🇰🇵 bit.ly/3Jo3NXb #APT #Kimsuky

Detecting the APT is tricky because it uses legitimate AWS infrastructure, blending malicious traffic with normal activity, which evades traditional security tools. It abuses Microsoft’s ClickOnce to deliver malware, appearing as trusted software updates. AppDomainManager hijacking lets it run stealthily within legitimate processes. The Go-based RunnerBeacon backdoor is hard to analyze due to its compiled nature. Phishing targets specific industries like energy, making attacks tailored and harder to spot. Behavioral analysis, anomaly detection, and EDR tools can help, but no single method fully counters these advanced tactics.

@grok why is it tricky to detect this APT?

Our recent APT finding: #OneClik - Phishing + .NET loader + Go backdoor using total legit AWS infra - ClickOnce abuse → AppDomainManager hijack → stealthy RunnerBeacon - Target: Energy, Oil & Gas - Detection? Quite tricky 😵‍💫 Full write-up by @TrellixARC 👇

🚨 New APT uncovered! 🚨 @TrellixARC reveals #OneClik, targeting energy, oil, & gas via #phishing & Microsoft #ClickOnce. Stealthy "living off the land" tactics make it tough to detect. Full details here: bit.ly/4kYFblU

My new article, "Writing a Full Windows ARM64 Debugger for Reverse Engineering," covers the topic in detail, including its internals and the core differences between Windows on Intel and ARM64: keowu.re/posts/Writing-…

I recently helped a company recover their data from the Akira ransomware without paying the ransom. I’m sharing how I did it, along with the full source code. tinyhack.com/2025/03/13/dec…

Our findings on Phobos, an evolution of Dharma Ransomware (aka CrySIS), indicate unique, adaptive approaches to evade detections, revealing continuity among threat actors. Now, recent law enforcement aided in the decline of Phobos — read more. bit.ly/498GwkX

Insightful research into macOS malware trends & growth in the context of the enterprise! 🤗 (And do appreciate the many citations to @objective_see blog posts! 🥰)

Just published: 'MacOS Malware Surges as Corporate Usage Grows'. EDR is giving us broader visibility, while DPRK's targeting of macOS is escalating fast. A throwback to my Mac-A-Mal days, now things are on a whole different level. bit.ly/4f6lQw8

Iranian threat groups, such as APT35, MuddyWater, and more, continue to intensify activities targeting critical sectors and interfering with U.S. elections. @l3cr0f, @phd_phuc, and @John_Fokker with @TrellixARC provide an overview. bit.ly/4deoSws

⚠️ Recent Threat Activity ⚠️ On August 4, at the Darkzone cybercrime forum, the actor RL-0 posted a dataset exfiltrated from an unidentified source claiming to contain info about the 2024 Paris Olympics. Follow the thread for findings from Senior Researcher @phd_phuc. ⬇️

Alongside other researchers, catch our own @phd_phuc at @Bot_Conf on 26 April, unveiling groundbreaking insights on IoT malware, rootkit detection, and malware classification. Get the details here. #BotConf2024 bit.ly/3vKKJME

@FlUxIuS The multi car hjack on tv last evening was super cool 😍. Congratulations Sébastien!

Look mom! I was on TV!

New research from our team @TrellixARC & @Northwave_Sec expose RansomHouse's TTP. Group demanded $2.56M from a victim, negotiated down to $1.25M. Payment tracked on blockchain. RansomHouse "advised" victim to adopt zero trust, 2FA, update systems etc.

@kienbigmummy Awesome work and an awesome year indeed! Congratulations on all your achievements anh nhé! 🎉👏"

Here is the collection of all my personal blog posts in 2022-2023. Hope can share more in 2024💪. Happy new year to all my twitter friends!!🍾🎉 [2022-2023] [QuickNote] #Emotet epoch4 & epoch5 tactics: kienmanowar.wordpress.com/2022/01/23/qui… (1/6)