Daniel Stepanic

305 posts

Daniel Stepanic

@DanielStepanic

Malwarez at @elasticseclabs | Macrodata Refinement

Entrou em Mart 2011

648 Seguindo1.2K Seguidores

Tweet fixado

Daniel Stepanic@DanielStepanic·7 May

Our team revisited #BLISTER, a stealthy loader recently tied to #LockBit and #SocGholish. We go through it's different capabilities, and released config extractor. Blog🔗: elastic.github.io/security-resea… Config extractor 🧰: elastic.github.io/security-resea…

English

Daniel Stepanic retweetou

Virus Bulletin@virusbtn·2d

Elastic Security Labs has been observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The SILENTCONNECT loader delivers ScreenConnect - a RMM tool used to control victim machines - as its final payload. elastic.co/security-labs/…

English

1.5K

Daniel Stepanic retweetou

Joe Desimone@dez_·6 Mar

Patch Diff to SYSTEM - using LLMs to exploit a LPE vuln on Windows. More importantly, some thoughts on model capabilities the implications on our security industry elastic.co/security-labs/…

English

263

19.4K

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·20 Şub

@soolidsnakee uncovered a #clickfix campaign using compromised legitimate sites to deliver a five-stage chain ending in #MIMICRAT, a custom native C RAT with malleable C2, token theft, and SOCKS5 tunneling. Read more here: ela.st/mimicrat

English

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·12 Şub

Elastic Security Labs uncovered a large-scale SEO poisoning campaign deploying #BADIIS malware on 1,800+ IIS servers worldwide. Compromised systems—spanning government, corporate, and education sectors—are monetized to push gambling and illicit content. Learn more here: ela.st/badiis

English

100

16.1K

Daniel Stepanic retweetou

SolidSnake@soolidsnakee·11 Şub

We are tracking #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs. www.ndibstersoft[.]com d15mawx0xveem1.cloudfront[.]net xMRi[.]neTwOrk

English

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·10 Ara

New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging. Get the full analysis and defense strategies: ela.st/nanoremote

English

14.6K

Daniel Stepanic retweetou

Jia Yu Chan@k33b0i·9 Ara

Nice post by @sysdig! x.com/virusbtn/statu… We’re seeing this implant as well. Looks like there is a worm module too.

Virus Bulletin@virusbtn

Sysdig TRT details EtherRAT, a sophisticated backdoor dropped through recent React2Shell exploitation. The implant uses Ethereum smart contracts for C2 resolution and multiple Linux persistence mechanisms, going well beyond typical cryptomining payloads. sysdig.com/blog/etherrat-…

English

Daniel Stepanic@DanielStepanic·14 Kas

Really awesome new research from @k33b0i @soolidsnakee

Elastic Security Labs@elasticseclabs

#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant. Check it out at ela.st/roningloader

English

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·21 Eki

#ElasticSecurityLabs joins forces with @tamusystem and discloses TOLLBOOTH, an IIS module used for SEO abuse that relies on publicly exposed ASP. NET machine keys: go.es.io/3L68p57

English

11.8K

Daniel Stepanic retweetou

Virus Bulletin@virusbtn·15 Eki

Elastic Security Labs publishes nightMARE, a Python library (v0.16) for malware analysis and for building configuration extractors. elastic.co/security-labs/…

English

141

10.6K

Daniel Stepanic retweetou

Devon Kerr@_devonkerr_·9 Eki

@elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.

English

4.6K

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·1 Eki

#ElasticSecurityLabs has kept tabs on #WARMCOOKIE, a backdoor we disclosed in June 2024 that used employment-related phishing lures to infect victims. Learn how this threat’s evolving: go.es.io/46O8pOo

English

8.7K

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·16 Eyl

#ElasticSecurityLabs is observing #ValleyRAT infections using the following #LOLBins for execution: - DeviceCredentialDeployment.exe (proxy execution) - Tttracer (proxy execution) - Renames curl[.]exe (masquerade) - Ttdinject (remote injection) - Pester (proxy execution)

English

4.7K

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·28 Ağu

#ElasticSecurityLabs continues to observe phishing campaigns leveraging Cloudflare tunnels distributing multiple malware families (#VenomRAT, #DCRat, #XWorm) simultaneously. These threat actors are abusing LLMs to produce simple Python shellcode loaders for injection

English

117

28.3K

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·29 Tem

New research on NOVABLIGHT, a NodeJS infostealer sold as MaaS! Discover its tactics, from credential theft & cryptowallet compromise to advanced obfuscation & anti-analysis techniques: go.es.io/459JGDA #ElasticSecurityLabs #infostealer

English

3.9K

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·3 Tem

New research from our #ElasticSecurityLabs team: we dive into how infostealers are leveraging a stolen Shellter evasion tool to deploy data-stealing malware. Learn more & get our unpacker: go.es.io/4ldCM72 #malware #rhadamanthys #ghostpulse

English

146

25.1K

Daniel Stepanic retweetou

SolidSnake@soolidsnakee·17 Haz

ClickFix is everywhere, checkout our newest research #malware #ghostpulse #reverseengineer #clickfix

Elastic Security Labs@elasticseclabs

New research from #ElasticSecurityLabs uncovers a new ClickFix campaign! Learn how attackers are using GHOSTPULSE and ARECHCLIENT2 (SECTOPRAT) in multi-stage attacks to deploy RATs and steal data. Stay informed: go.es.io/4l912GO

English

1.7K

Daniel Stepanic retweetou

Devon Kerr@_devonkerr_·3 Haz

This is a great opportunity to highlight the researcher behind this article (and the most recent member of my operation) @k33b0i! Jia Yu worked on our FINALDRAFT, GOSAR, and STEALC research— you’re gonna want to keep an eye on this young gun.

Elastic Security Labs@elasticseclabs

#ElasticSecurityLabs has uncovered EDDIESTEALER, a novel Rust-based info stealer distributed via fake CAPTCHA campaigns. This malware targets credentials, browser info, & crypto wallets. Read our full analysis here: go.es.io/3St6tnY #Cybersecurity #MalwareAnalysis

English

886

Daniel Stepanic retweetou

Elastic Security Labs@elasticseclabs·29 May

English

5.1K

Daniel Stepanic@DanielStepanic·22 May

@keowu @birdrockrock @elasticseclabs That’s my fault, I have amended the post with a reference. I didn’t come across this research until afterwards. I think the approaches are pretty different but yeh there is overlap as it’s the same protection scheme.

English

187

João Vitor(Keowu)@keowu·22 May

@birdrockrock I don't think it can be the kind of relationship you mentioned. I don't think you're correct... The structure and approach are very similar, yes, but there's no way to be sure. The way @elasticseclabs did it is the same in the sense that it's exactly the protector's structure.

English

142

Descobrir

@soolidsnakee @elasticseclabs @sysdig @k33b0i @tamusystem @keowu @birdrockrock @elonmusk