David Kasabji

1K posts

@roo7cause

Head of Threat Intelligence #Conscia

Joined November 2011
278 Following, 293 Followers
Pinned Tweet
David Kasabji
David Kasabji@roo7cause·
We detected a new, somewhat sophisticated campaign abusing a spoofed @MicrosoftTeams installer. The malware is hosted on a legitimate-looking website, which seems to be part of a redirect chain. Each new download produces a unique file hash, so that is not a reliable indicator. The executable is signed, so MDE did not prevent it. It was detected when it tried to connect to their C2. The initial domains / certs were newly registered in the last 2-3 days. Our investigation is ongoing; will provide more in an article. So far, I share some IOCs to help you try to prevent the threat:
- teams-install[.]icu (hosting malware)
- signer: KUTTANADAN CREATIONS INC.
- nickbush24[.]com (exfil / C2 server)
- Filename: MSTeamsSetup.exe (the hash changes, but here is what we saw: virustotal.com/gui/file/16915…)
Tagging @cyb3rops @_JohnHammond @MsftSecIntel for visibility
11
32
148
32.5K
David Kasabji retweeted
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
One thing I noticed while benchmarking LLMs on security event data: The models often overfit on narrative plausibility and environmental assumptions. If an artifact looks like a test, lab artifact or pentest remnant, the model may start inventing an "authorized testing" story around it and dismiss the event as a false positive - even when the technical indicator itself is clearly suspicious or intentionally malicious. Examples: - "EDRTest" - "PentestPersistence" - "EICAR_Check" - "InternalSecurityTool" A human analyst can fall for this too, but with LLM-based SOC workflows this becomes interesting at scale. An attacker could intentionally name persistence keys, services or binaries in a way that nudges the model toward a benign interpretation. What surprised me most: The model often correctly understands the technical artifact first ... and then talks itself out of escalating it. This is only one of many weird benchmark-design problems I ran into while testing LLMs on DFIR / detection-engineering data 🙂
10
38
190
15.3K
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
Big moment for Nextron, and for me personally The first version of our scanner ran in December 2012. Back then it was still a tool for consulting and incident response cases. We founded @nextronsystems in 2017 with around 35 customers. Today it’s more than 550. Most of that growth happened organically. Word of mouth, customer trust, posts on Twitter, and a lot of steady work on the product. Maybe a fairly German way to build a company: spend what you earn, focus on the substance, care more about what’s inside the box than the box itself. We were not always great at explaining that box, though. Sometimes we were probably a bit clumsy in how we communicated what the products can do and where they fit best 🙂 That also means there is still a lot we can improve around the product: clearer communication, better channels, better integrations, better support and a more professional setup for international growth. That’s why I’m genuinely happy that Eurazeo / Elevate is joining us for the next phase. Nextron has always been strongest where standard tools have blind spots: forensic scanning, compromise assessment, unusual systems, backup data, forensic images and environments where you cannot just install another agent. Thanks to the Nextron team, our customers, partners and everyone who helped us get here. Now we keep building. linkedin.com/posts/nextron-…
15
22
162
10.3K
David Kasabji
David Kasabji@roo7cause·
@HackingDave @Binary_Defense What are the connectors you support? I assume some EDR / XDR / SIEM integrations are necessary to receive telemetry based on which to trigger alarms with NB. How do you position this product - it seems like a mix of SOAR and XDRs?
0
0
0
82
Dave Kennedy
Dave Kennedy@HackingDave·
NightBeacon is changing the game for us @Binary_Defense - we have this technology so dialed into every aspect of what we do. Our MTTD and MTTR have drastically been reduced to seconds and minutes, not multiple minutes or hours. Truly revolutionary technology that I've been building over the past year, and that is fully integrated into how we do work every day at Binary Defense. We had a new customer onboarded and up and running in 7 minutes. SEVEN minutes. Full agentic workflow, full AI enrichment based on our own training models - 87.43% reduction in false positives in 7 minutes. Interested in what we are doing? Even if you don't need our MDR services, NightBeacon can be integrated into your existing technology, tooling, MDR, MSSP - doesn't matter for us - we just want to help. Not marketing fluff, real things that are working today that change everything we do. Reach out to us anytime. #BinaryDefense binarydefense.com/company/contac…
4
12
83
6K
Nikita Bier
Nikita Bier@nikitabier·
Ladies and gentlemen, today we're launching one of our biggest changes to 𝕏 Introducing Custom Timelines This feature allows you to pin a specific topic to your home tab. With support for over 75 topics, you can dive deep into your favorite niche on X. It's powered by Grok's understanding of every post with the algorithm's personalization—meaning every timeline is made just for you. And it works even better when it's a topic you already engage with. This was a huge undertaking across many months, so we're excited for you to take it for a spin. We're giving early access to Premium subscribers on iOS (and Android coming very soon).
4.5K
2.8K
27.1K
5.2M
David Kasabji
David Kasabji@roo7cause·
@HackingLZ No privacy concerns when applying for it? I paused my application process once I saw it requires biometric data. Maybe we will evaluate the enterprise path instead. However, I handed it over to our legal team for review.
0
0
0
268
David Kasabji
David Kasabji@roo7cause·
I don't understand this - my experience is different. Are you referring to the coding part? I don't use that much. But for CTI work, Claude is far superior to any other model currently. The OSINT techniques and report creation are truly way ahead of GPT or Grok (I don't use Gemini). It seems that Claude understands the concepts of Cyber or at least CTI. I was following your posts about degradation, and just yesterday did another CTI analysis and report creation with the exact same prompts between the two, and Claude nailed it with the concepts and structure and the approach - I even used Sonnet for it.
1
0
6
1.5K
Dave Kennedy
Dave Kennedy@HackingDave·
Think about all the orgs using Claude right now that have no idea how bad it has become over the past 4 weeks. No statement from Claude - but a total revert to where the model was a year ago - which in comparison to when 4.6 got released is effectively last year's AI model. The amount of bugs, security issues, and complete destruction of production applications is going to be felt for quite a long time due to this. Claude: nothing to see here.
90
24
539
107.3K
David Kasabji
David Kasabji@roo7cause·
Luckily the techniques used to achieve AOBs remain the same, because they are limited by the OS capabilities. Detecting malicious behaviour was important, but now it will become crucial. But it is not easy; you truly need to understand the underlying systems and architectures, combined with adversary TTP knowledge, to craft detections that produce high-signal, low-noise alerts.
0
0
1
222
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
For most of 2025, I was skeptical that AI was already playing a major operational role in real intrusions. Most public examples seemed limited to phishing and supporting tasks. This report by my friend Eyal lines up with what I have been hearing elsewhere, too - in recent publications and in private conversations with people seeing this stuff up close. I think that phase is over. AI is moving into the operational core of attacks. With stronger models, open models, and jailbroken variants circulating, the economics have changed. Tailored tooling, exploit adaptation, and large-scale analysis get cheaper and faster. I expect AI to play a major role in future campaigns, and that means more variation, more fresh tooling, and less reliance by attackers on recycled code. All the more reason to focus on controls and detections that do not depend only on known samples. Worth reading.
Eyal Sela@eyalsela

Technical report released: The AI-Assisted Breach of Mexico’s Government Infrastructure gambit.security/blog-post/a-si…

10
56
289
50.2K
David Kasabji
David Kasabji@roo7cause·
Hot take: AI-driven adversaries operating inside your network in 2026 would be EASIER to catch than humans. LLMs hallucinate, can't distinguish honeypots from production assets, and lack adversarial intuition. Deploy deception. This is the one phase where the tech works in your favor. Wrote about it here: deobfuscated.dev/posts/phases-o…
0
1
0
62
David Kasabji
David Kasabji@roo7cause·
Ivanti EPMM: two pre-auth RCEs (CVE-2026-1281 / CVE-2026-1340) actively exploited. 1,400+ instances still exposed. This isn't just server RCE: EPMM is your MDM control plane. Compromise here is a force multiplier. Patch, assess, hunt. In that order. deobfuscated.dev/posts/ivanti-e…
0
0
2
187
David Kasabji
David Kasabji@roo7cause·
@auralix4 The one thing that does bother me with Claude is that I run out of context fast and I have to wait. I am on Plus plan though, not on Max, but might consider upgrading if I do decide to cancel ChatGPT sub (I still think that one is useful for more 'social' interactions).
0
0
0
22
David Kasabji
David Kasabji@roo7cause·
I don't understand these people saying that Codex is better than Claude Code. I literally started building a completely new project with both of them, using the same copy/paste prompts. And not only did Claude build a true working application, but just the experience of building it - how it guides you with what it is doing, and asks you questions - is a whole next level compared to Codex. I have to assume you guys are trolling, or just building some small-scale apps or scripts. Once I finished the project (completely vibe-coded with Claude, since Codex couldn't produce working versions and had many UI bugs), I duplicated the files and asked Codex to review the codebase and propose improvements. It did propose some tweaks and 'optimizations', but what it built broke the entire app, which won't launch. I guess this is just another perspective - and I hope someone actually does a YT video side-by-side comparison, using the exact same prompts to build a medium-scale app (let's say 10k LOCs) from scratch, so that we can all see a more objective perspective. I use Claude Code in VS Code.
1
0
0
45
David Kasabji
David Kasabji@roo7cause·
@sama Any improvements planned for the Codex App, such as making it more like an IDE? Feels weird that you can't actually see any code in the app. What about support to open the project in VS Code? Currently I only see Cursor as an option.
0
0
0
245
Sam Altman
Sam Altman@sama·
I love building with this model; it feels like more of a step forward than the benchmarks suggest. Also you can choose "pragmatic" or "friendly" for its personality; people have strong preferences one way or the other!
Sam Altman@sama

GPT-5.3-Codex is here! *Best coding performance (57% SWE-Bench Pro, 76% TerminalBench 2.0, 64% OSWorld). *Mid-task steerability and live updates during tasks. *Faster! Less than half the tokens of 5.2-Codex for same tasks, and >25% faster per token! *Good computer use.

825
152
3.2K
472.8K
David Kasabji
David Kasabji@roo7cause·
The #Notepad++ supply chain attack had 3 infection chains over 6 months - each with entirely different IOCs. Most defenders only scanned for Chain #3. I dug into the #WinGUp source code and built a threat hunt playbook for what the IOC lists miss. deobfuscated.dev/posts/notepad-…#the-three-chains-mapped
0
1
1
82
Josh Miller
Josh Miller@joshm·
Windows (for @diabrowser) is way ahead of schedule: from features supported to craft details & visual polish. A fun thing about Season 2 of the @browsercompany is we get to NOT make the same mistakes twice (such as underinvesting in Windows). LIVE DEMO from today:
32
19
383
45.5K
David Kasabji
David Kasabji@roo7cause·
Mobile app. Some stuff we need extensions for to be built-in to Dia (adblocks, true-privacy pwd manager, Dia email, instead of reading other providers content, ..). Basically, make Dia one stop shop for everything and not rely on third-party software to extend those features which are typically used in browser (mail, pwd, adblocks, notion, …)
0
0
0
112
David Kasabji
David Kasabji@roo7cause·
The attempted attack was sophisticated and it happened over the weekend at 3 AM local time. The threat actor moved fast from initial compromise, internal recon, and payload installation, combined with lateral movements (some within minutes, but in total 3 hours from first payload up to exfil attempt). Unfortunately, stolen credentials made the attacker's process faster, as they were still valid in this specific scenario.
0
0
0
82
David Kasabji
David Kasabji@roo7cause·
We are investigating an attack we most likely attribute to Storm-1811 (by @MsftSecIntel ) as the TTPs seem to be their modus operandi. It started with vishing - a phone call to a victim, posing as an IT Admin and convincing the victim to install an RMM tool (QuickAssist). The 1st stage payload was downloaded from https[:]//vtnsafety[.]com/verify.php?update SHA256: 74cc76a60c310ccaeceb7ad9387703e7135a90baf8d8e29c08c1d6be16be4d13 At the time of our investigation, it was not detected on any CTI platforms as a malicious site or malware. Persistence was attempted via Startup Folder entries and RegKeys. The following actions were mostly connected to running JS / PS commands / scripts, as the 2nd stage payload downloaded the node.js package for running the JS scripts. An exfil attempt was also made, but we managed to contain the incident before that.
1
1
0
87
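A defender-side illustration, added here and not part of the post above: a small Python scorer over constructed Sysmon-style events that flags the behaviour chain the post describes (a remote-assistance tool, node.exe running from a user-writable path, Startup-folder and Run-key persistence) rather than any single file hash. Event shapes, paths, rule weights and the alert threshold are assumptions, not telemetry from the incident.

```python
# Constructed sample telemetry in a Sysmon-like shape (event 1 = process
# create, 11 = file create, 13 = registry value set). Paths are illustrative.
SAMPLE_EVENTS = [
    {"host": "WS01", "event": 1, "path": r"C:\Windows\System32\quickassist.exe"},
    {"host": "WS01", "event": 1,
     "path": r"C:\Users\alice\AppData\Local\Temp\node-v20\node.exe",
     "cmd": r"node.exe C:\Users\alice\AppData\Local\Temp\loader.js"},
    {"host": "WS01", "event": 11,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "WS01", "event": 13,
     "path": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign developer box: node.exe from its normal install location, nothing else.
    {"host": "WS02", "event": 1, "path": r"C:\Program Files\nodejs\node.exe",
     "cmd": "node.exe build.js"},
]

# Each rule: (name, weight, predicate over one event). Weights are assumptions;
# the point is that no single rule alerts, only the combination does.
RULES = [
    ("remote_assist_started", 1,
     lambda e: e["event"] == 1 and e["path"].lower().endswith("\\quickassist.exe")),
    ("node_from_user_writable_path", 2,
     lambda e: e["event"] == 1 and e["path"].lower().endswith("\\node.exe")
     and "\\users\\" in e["path"].lower()),
    ("startup_folder_write", 2,
     lambda e: e["event"] == 11
     and "\\start menu\\programs\\startup\\" in e["path"].lower()),
    ("run_key_set", 1,
     lambda e: e["event"] == 13 and "\\currentversion\\run\\" in e["path"].lower()),
]
ALERT_THRESHOLD = 4  # assumption: one hit is noise, a chain of hits is not


def score_hosts(events):
    """Return {host: (score, [matched rule names])}, aggregated per host."""
    scores = {}
    for e in events:
        total, names = scores.get(e["host"], (0, []))
        for name, weight, pred in RULES:
            if pred(e):
                total += weight
                names.append(name)
        scores[e["host"]] = (total, names)
    return scores


def hosts_to_alert(events):
    """Hosts whose combined behaviour score reaches the threshold."""
    return sorted(h for h, (s, _) in score_hosts(events).items() if s >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_EVENTS).items():
        print(host, score, names)
    print("alert:", hosts_to_alert(SAMPLE_EVENTS))
```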
David Kasabji retweeted
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
People keep asking if we “already have the IOCs” for this or that malware. We usually don’t need them - we already detect the malware family and its behavior. I stopped adding static file hashes on purpose. It’s outdated thinking. One byte changes, one new AWS IP, and your whole detection collapses. If that’s your detection model, you’re stuck in last decade. We build rules for methods and characteristics, not for single files that evaporate on recompile.
7
22
218
18.4K
INFOSEC F0X 🔥
INFOSEC F0X 🔥@infosec_fox·
For anyone who used the internet between 1991–2009… what online trend or moment do you remember the most?
429
9
232
68.6K