5hid (@5hid_)
788 posts
Cyber Security & Malware Analysis enthusiast
Joined January 2014
2.7K Following, 111 Followers
5hid retweeted
Reverse Engineering and More (@re_and_more):
RE tip of the day: To debug a DLL in IDA, set the path to the loader (for example, rundll32) in the Application field and the path to the DLL with the name of the export function in the Parameters field. Don't forget to set the breakpoints! #infosec #malware #reverseengineering
5hid retweeted
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx):
NEW BLOG: The Great VM Escape 💕 We caught threat actors deploying a VMware ESXi exploit toolkit in the wild - potentially was a zero-day developed over a year before VMware's disclosure 👀 If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺 Full technical breakdown 👇 huntress.com/blog/esxi-vm-e…
5hid retweeted
blackorbird (@blackorbird):
The Art of Pivoting - Techniques for Intelligence Analysts to Discover New Relationships in a Complex World This book explores how intelligence and cyber-security analysts can uncover hidden links between threat actor infrastructure and ongoing investigations by pivoting on both classic and unconventional indicators — many of which are often overlooked. The material is grounded in empirical, field-tested strategies used in cyber-security, digital forensics, cyber threat intelligence, and intelligence analysis more broadly. Our goal is to provide analysts with a practical toolkit of analytical methods, supported by real-world examples, to enhance investigative workflows without locking them into a single mindset, strict model, or overly rigid technical strategy. Instead, the book encourages creative exploration, data-driven reasoning, and the use of diverse data points — from traditional IOCs to subtle metadata traces — as part of a flexible and repeatable analytical process. #threathunting github.com/blackorbird/AP…
5hid retweeted
vx-underground (@vxunderground):
The entire AV, EDR, and SOC industry is a SCAM. Has your organization been a victim of ransomware? Start the computer in DEBUG MODE. DUH. Then simply delete the malware. It's as simple as that.
5hid retweeted
vx-underground (@vxunderground):
In a truly brilliant move, employees from DigitalMint and Sygnia, responsible for handling ransomware negotiations, were indicted for performing ransomware attacks under the ALPHV ransomware group.

- Kevin Tyler Martin, ransomware negotiator from DigitalMint
- Ryan Clifford Goldberg, Digital Forensics and Incident Response manager from Sygnia
- Unnamed co-conspirator-1

The motive, per court documents, was that the individuals were motivated to "get out of debt". All 3 men began performing ransomware attacks in May 2023 and continued performing ransomware attacks until on or around April 2025. The attacks stopped when the United States Federal Bureau of Investigation approached Ryan Clifford Goldberg regarding the ransomware attacks.

Unsurprisingly, Mr. Goldberg initially denied having any knowledge of the ransomware attacks. However, he cracked during the interview and placed the blame on the currently unnamed co-conspirator. He stated he was recruited by him. After the interview concluded, Mr. Goldberg and his wife purchased 1-way tickets to France (???). Unsurprisingly (again), he has been detained in France because he is not a citizen of France and France doesn't give a fuck about a non-citizen.

Mr. Kevin Tyler Martin, currently residing in Texas, spoke in 2024 at a technology conference where he spoke about his experiences defending ransomware attacks and handling negotiations.

Both Mr. Goldberg and Mr. Martin have been charged with:

- Violation of the Hobbs Act (18 U.S.C. § 1951) x2
- Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 (x1)

Under max penalty of law, Mr. Goldberg and Mr. Martin could face as long as 50 years in prison.
5hid retweeted
International Cyber Digest (@IntCyberDigest):
‼️ Meet Ryan Clifford Goldberg, a Digital Forensics and Incident Response manager at Sygnia, he is one of three insiders accused of cybercrimes. He allegedly conducted cyberattacks using ALPHV BlackCat ransomware. Goldberg and two other insiders ran ransomware operations since 2023 while employed at cybersecurity firms. After an FBI visit, Goldberg confessed. He now faces up to 50 years in prison.
5hid retweeted
S3cur3Th1sSh1t (@ShitSecure):
If you're wondering about the attack surface for @TwoSevenOneT's recent publications with PPL spawnage - I let AI write a hacky scanner to see which processes can be spawned as PPL process with a good list of results 🙂 gist.github.com/S3cur3Th1sSh1t…
5hid retweeted
pfiatde (@pfiatde):
If you place a dll in a protected folder it will get executed? *mild shock* ... How can this get a CVE? This is a Proxy dll.
Quoted tweet from Cyber Security News (@The_Cyber_News):
🚨 Notepad++ DLL Hijacking Vulnerability Let Attackers Execute Malicious Code Read more: cybersecuritynews.com/notepad-hijack… A newly discovered DLL hijacking vulnerability in Notepad++, the popular source code editor, could allow attackers to execute arbitrary code on a victim's machine. Tracked as CVE-2025-56383, the flaw exists in version 8.8.3 and potentially affects all installed versions of the software, putting millions of users at risk. The vulnerability enables a local attacker to achieve code execution by planting a malicious DLL file in a location where the application will load it. This type of attack undermines the integrity of the application and can be used to establish persistence or escalate privileges on a compromised system. #cybersecuritynews #vulnerability
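The practical check behind pfiatde's objection, as an added example (not from the thread and not tied to the Notepad++ advisory): before treating a DLL search-order finding as a vulnerability, test whether an unprivileged user can actually write to any directory the loader will consult. Under Windows defaults, directories under C:\Program Files are writable only by administrators, so a hijack that requires dropping a file there does not cross a privilege boundary. The search order below is the documented default with SafeDllSearchMode on; the application path in the main block is hypothetical, and the probe works by really creating a file, because os.access() does not evaluate Windows ACLs reliably.

```python
"""Writability check over a Windows DLL search order (added example)."""
import os
import tempfile
import uuid


def is_writable_dir(path: str) -> bool:
    """Probe by creating and deleting a file as the current user.

    os.access() does not evaluate Windows ACLs reliably, so an actual
    write attempt is the honest test.
    """
    if not os.path.isdir(path):
        return False
    probe = os.path.join(path, f".dll-probe-{uuid.uuid4().hex}")
    try:
        with open(probe, "xb"):
            pass
    except OSError:
        return False
    try:
        os.remove(probe)
    except OSError:
        pass  # we could create it, which is all that matters here
    return True


def dll_search_order(app_dir: str, cwd: str, path_env: str,
                     system_root: str = r"C:\Windows") -> list[str]:
    """Default load order with SafeDllSearchMode on (the Windows default):
    application dir, System32, the 16-bit System dir, the Windows dir,
    the current directory, then PATH (';'-separated on Windows).
    Duplicates are dropped; the first hit wins for the loader too."""
    root = system_root.rstrip("\\")
    order = [app_dir, root + r"\System32", root + r"\System", root, cwd]
    order += [p for p in path_env.split(";") if p]
    seen, ordered = set(), []
    for d in order:
        key = d.lower().rstrip("\\/")
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered


def writable_dirs(order: list[str]) -> list[str]:
    """Subset of `order` (same sequence) the current user can write to."""
    return [d for d in order if is_writable_dir(d)]


def demo_on_tempdir() -> bool:
    """Self-contained run on a constructed directory tree so it works on
    any OS: a missing application dir (nothing can be planted there) and
    an existing 'cwd'. True when only the existing dir is reported."""
    root = tempfile.mkdtemp(prefix="dllsearch-")
    existing = os.path.join(root, "cwd")
    os.mkdir(existing)
    missing = os.path.join(root, "app")
    return writable_dirs([missing, existing]) == [existing]


if __name__ == "__main__":
    # Hypothetical target installed under Program Files (assumed path).
    order = dll_search_order(r"C:\Program Files\SomeApp", os.getcwd(),
                             os.environ.get("PATH", ""),
                             os.environ.get("SystemRoot", r"C:\Windows"))
    for d in order:
        print(("WRITABLE " if is_writable_dir(d) else "         ") + d)
```

Run it as the low-privileged user you are modelling, not from an elevated prompt, or every directory looks writable. A DLL name on the KnownDLLs list is never searched for at all, so a writable directory only matters for names that are not on that list.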
5hid retweeted
Tijme Gommers (@tijme):
Exciting times. I'm publishing Dittobytes today after presenting it at @OrangeCon_nl ! Dittobytes is a true metamorphic cross-compiler aimed at evasion. Use Dittobytes to compile your malware. Each compilation produces unique, functional shellcode. github.com/tijme/dittobyt…
5hid (@5hid_):
Fighting malware to the death ⚔️ @MalFuzzer's book has arrived!! 🔥
5hid retweeted
ESET Research (@ESETresearch):
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/6
5hid retweeted
Phrack Zine (@phrack):
Phrack turns 40. The digital drop is live. Download it. Archive it. Pass it on. 💾 phrack.org #phrackat40 #phrack72
5hid (@5hid_):
Dissect Packed Malware 101

What's under the hood:
- 🔬 The anatomy of packed malware;
- ✅ Key indicators to identify packed samples;
- 🔓 Step-by-step examples of manual unpacking;

Read the full blog post here: shorturl.at/jgOWT #MalwareAnalysis #ReverseEngineering
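The first two points above, the anatomy of a packed sample and the indicators that give it away, as an added example in Python (not the blog post's code). It walks the PE section table with struct alone and reports the usual tells: packer-typical section names, a section with a large virtual size but no raw data (where the stub will write the unpacked code), near-random bytes (Shannon entropy above about 7 bits per byte, a common rule-of-thumb threshold), and sections that are both writable and executable. The packer-name list, the threshold and the UPX-style sample image are assumptions; pass a real PE path as the first argument to scan it instead.

```python
"""Packed-sample indicators read from the PE section table (added example).
Uses only struct, so no pefile dependency."""
import math
import struct
from collections import Counter

# A few well-known packer section names (assumed, non-exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".vmp0", ".vmp1", ".themida", ".petite"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0         # bits/byte; common rule-of-thumb cut-off
SECTION_HDR = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """0.0 for constant data, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, characteristics, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    off = coff + 20 + size_opt               # section table follows the optional header
    for _ in range(num_sections):
        (name, vsize, _va, rawsize, rawptr,
         _rel, _lin, _nrel, _nlin, chars) = struct.unpack_from(SECTION_HDR, image, off)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, chars, raw
        off += struct.calcsize(SECTION_HDR)


def packing_indicators(image: bytes) -> list[str]:
    """Human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for name, vsize, rawsize, chars, raw in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: packer-typical section name")
        if rawsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual (unpack target)")
        if raw and (h := shannon_entropy(raw)) > ENTROPY_THRESHOLD:
            findings.append(f"{name}: entropy {h:.2f} bits/byte (compressed or encrypted)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed image (MZ stub, PE signature, COFF header, section table,
    raw data): enough for the parser above, not a loadable binary.
    `sections` is a list of (name, virtual_size, raw_bytes, characteristics)."""
    out = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    data_off = len(out) + struct.calcsize(SECTION_HDR) * len(sections)
    headers, blobs, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw, chars in sections:
        rawptr = data_off + len(blobs) if raw else 0
        headers += struct.pack(SECTION_HDR, name.encode("ascii").ljust(8, b"\0"),
                               vsize, vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)
        blobs += raw
        vaddr += max(vsize, 0x1000)
    return bytes(out + headers + blobs)


def demo_sample() -> bytes:
    """UPX-style layout, constructed: an empty UPX0 that the stub fills at run
    time, a UPX1 whose bytes take every value equally often (exactly 8.0
    bits/byte), and a plain zero-filled resource section."""
    rwx = 0xE0000080     # UNINITIALIZED_DATA | EXECUTE | READ | WRITE
    r_data = 0x40000040  # INITIALIZED_DATA | READ
    return build_sample_pe([
        ("UPX0", 0x20000, b"", rwx),
        ("UPX1", 0x8000, bytes(range(256)) * 16, rwx),
        (".rsrc", 0x1000, b"\x00" * 512, r_data),
    ])


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else demo_sample()
    for line in packing_indicators(image) or ["no packing indicators"]:
        print(line)
```

High entropy alone is not proof of packing: a legitimate binary with embedded compressed resources or certificates trips the same threshold, which is why the empty-section and writable-plus-executable signals are reported alongside it.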
vx-underground (@vxunderground):
I was writing a "server side" polymorphic mutator for malware. The concept is generating a pseudo-random array of instructions then subsequently inserting the instructions programmatically into areas of the source solution during the compilation process. The final result post-compilation would be a completely "unique" malicious payload. The payload should function the same, but the mutator would introduce additional (and unnecessary) instructions which would frustrate malware reverse engineers (ideally, it would initially but they'd get over it). You can't strip the polymorphic*

My solution was using D.H. Lehmer's 1948 "uniform" random number generator with a seed being the current tick count (64bit). Using a randomly generated number, a random number of structures would be allocated which house "random" arithmetic operations. Each "random" arithmetic operation would also be the result of the implementation described above. In other words, a pseudo-random array of pseudo-random arithmetic operators on pseudo-random integers.

Further complexity would be introduced by inserting conditional statements or loop constructs. Slipping this in during the compilation process would be based on identification of ";"s, and (trying) to intelligently identify "critical" locations where this sort of convolution would be of value.

Anyway, I was locked in and working on it. Then my newborn son began screaming, shit his pants, and it exploded out his diaper. That was like, a week ago, or something. I haven't been able to return to the project since. He destroyed my will.

Thanks for coming to my Ted Talk. Maybe someone here will do it
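The scheme in the post, as an added example in Python (not vx-underground's code): a Lehmer generator seeded from the clock picks how many opaque arithmetic statements, branches and loops get spliced in after each statement-ending ';' of a C translation unit, so every seed gives a different but functionally identical build. Everything the post does not specify is an assumption: the Park-Miller multiplier and modulus as the concrete Lehmer constants, the scratch-variable name pm_junk, the /*pm*/ marker on inserted statements, and the use of a file-scope volatile so the compiler cannot simply delete the junk.

```python
"""Source-level junk inserter in the spirit of the mutator described above
(added example, not vx-underground's code)."""
import time

# Lehmer form x_{n+1} = a * x_n mod m; Park-Miller constants are an assumed choice.
MODULUS = 2**31 - 1
MULTIPLIER = 48271
OPS = ("+", "-", "^", "|", "&", "*")
JUNK_VAR = "pm_junk"   # hypothetical name of the volatile scratch variable
MARK = "/*pm*/"        # tags every inserted statement so builds can be diffed


class Lehmer:
    """Multiplicative congruential generator; state stays in 1..m-1."""
    def __init__(self, seed=None):
        seed = time.monotonic_ns() if seed is None else seed  # tick-count seed
        self.state = seed % MODULUS or 1

    def next(self) -> int:
        self.state = (self.state * MULTIPLIER) % MODULUS
        return self.state

    def below(self, n: int) -> int:
        return self.next() % n


def junk_statement(rng: Lehmer) -> str:
    """Arithmetic, a data-dependent branch, or a loop. Each touches only the
    volatile scratch variable, so program state is unaffected and the
    compiler cannot prove the work dead (volatile is my addition)."""
    kind, op = rng.below(3), OPS[rng.below(len(OPS))]
    a, b = rng.below(0xFFFF) + 1, rng.below(0xFFFF) + 1
    if kind == 0:
        return f"{JUNK_VAR} = ({JUNK_VAR} {op} {a}UL) ^ {b}UL;"
    if kind == 1:
        return f"if (({JUNK_VAR} & {a}UL) == {b}UL) {JUNK_VAR} = {JUNK_VAR} {op} {b}UL;"
    return (f"for (unsigned long pm_k = 0; pm_k < {rng.below(8) + 1}; ++pm_k) "
            f"{JUNK_VAR} = {JUNK_VAR} {op} pm_k;")


def mutate(src: str, rng: Lehmer, density: int = 3) -> str:
    """Insert 0..density junk statements after each ';' that ends a statement in
    a function body. Comments and string/char literals are copied verbatim; ';'
    inside parentheses (for-headers) or at file scope (declarations, where a
    statement would not compile) is left alone. Not handled: struct/union
    bodies declared inside a function."""
    out, i, n = [], 0, len(src)
    depth = paren = 0
    while i < n:
        ch = src[i]
        if src.startswith("//", i):                  # line comment
            end = src.find("\n", i)
            end = n if end < 0 else end
            out.append(src[i:end]); i = end
            continue
        if src.startswith("/*", i):                  # block comment
            end = src.find("*/", i + 2)
            end = n if end < 0 else end + 2
            out.append(src[i:end]); i = end
            continue
        if ch in "\"'":                              # string or char literal
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1      # skip escaped characters
            out.append(src[i:j + 1]); i = j + 1
            continue
        out.append(ch)
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif ch == ";" and depth > 0 and paren == 0:
            for _ in range(rng.below(density + 1)):
                out.append(f" {MARK} {junk_statement(rng)}")
        i += 1
    return f"static volatile unsigned long {JUNK_VAR};\n" + "".join(out)


# Constructed input with a for-header ';' and a file-scope declaration that must survive.
SAMPLE_C = """\
#include <stdio.h>
/* constructed sample; see the junk land only inside sum() */
int sum(const int *v, int n) {
    int total = 0;
    for (int i = 0; i < n; i++) total += v[i];
    return total;
}
int counter;
"""

if __name__ == "__main__":
    print(mutate(SAMPLE_C, Lehmer()))   # clock-seeded: each run is a new build
```

Feed the output to the compiler once per build. The ';' scan is the naive one the post describes, with only comments, literals, for-headers and file scope special-cased; the marker makes it easy to diff two builds and confirm that only junk differs.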
5hid retweeted
vx-underground (@vxunderground):
>make post
>check comments
>"remove the polymorphic"
>"enter the code cave"
>*cat picture*
mfw
5hid retweeted
x64dbg (@x64dbg):
We're excited to announce a major new release of x64dbg! The main new feature is support for bitfields, enums and anonymous types, which allows all types in the Windows SDK to be represented and displayed 🔥