Alex. Turing

🚨The iOS exploit kit #Coruna is a fascinating case. With XLAB #PDNS, its DGA C2s are easily exposed—we grabbed four ourselves. Stats show ~4,400+ infected IPs (or researchers) per day. Surprisingly, 98.5% of these IPs are located in China, why?🤔 Happy hunting 🍷@Xlab_qax

做了一些微小的工作，make the world a better place🫡 Happy hunting 🍷@Xlab_qax

@ESETresearch @felixaime Remote？

#ESETresearch is hiring! Passionate about geopolitics, cyberespionage and cyber threat intelligence? We have a new opening for a strategic threat intelligence analyst at our Montréal office. Come join the team! eset.wd3.myworkdayjobs.com/ESET_External/…

@deobfuscately @Xlab_qax Haha, Long Live Command Tracing! 🍷

Not just bigpanzi 😄 other tv boxes also observed removing it [ "com.n2.systemservice06", "com.n2.systemservice061", "com.n2.systemservice062", "com.n2.systemservice063", "com.n2.systemservice0644", "com.android.systemservice0644", "com.a.androidsvc", "com.k.sdk", "com.abcproxy.proxysdk", "com.abcproxy.lolsdk" ]

🚨#Botnet In February, an invisible war broke out within #Android TV Boxes between #Bigpanzi and #Kimwolf. Bigpanzi issued the "pm uninstall" command to remove Kimwolf's APK，哈哈，果然同行是冤家😂 Happy hunting 🍷@Xlab_qax

@birising @Xlab_qax Maybe ctf or even PLC coding practice 🤔. I’m pretty clueless when it comes to PLCs🥹🥹

@TuringAlex @Xlab_qax come CTF with OpenPLC? 🤔

🚨An interesting #ELF sample da2e396baf23de1881d06dd3377f84a6 on VT, packed by modified upx, appears to be a #PLC program for traffic light control, but why does it contain an embedded XOR code to establish a reverse shell to 173.180.247[.]200🤔? #IOC Happy hunting 🍷@Xlab_qax

@_clem1 @Now_on_VT @virustotal 大佬NB啊~

@Now_on_VT @virustotal virustotal.com/gui/file/76ff8… 🎁

To date, none of the samples mentioned by hash in the Google Coruna blog or iVerify blog have been uploaded to @virustotal. Still monitoring the situation.

@ashl3y_shen @BlackHatEvents 大佬带带我

March is already here! Only 17 days left to submit your research to @BlackHatEvents USA. If you need any preview for your submission to RE, Malware, or Threat Hunting tracks please feel free to reach out. Looking forward to see your incredible research!

@thezedwards Can't wait to see your presentation.🍷

fabulous research on FUNNULL and their ongoing supply chain attacks. You'll hear more about FUNNULL & Triad Nexus when I present at RSA on them here in a few weeks. Definitely some alignment on the research! 👀

🧨Just back from Spring Festival. 🧨 🚨a investigation into #Funnull : Udev #persistence, AES-CBC chained IV, "Azure Blob C2", malicious #Nginx module(badnginx2s)—all quite uncommon. #IOC And the stealthiest part is MacCMS supply-chain poisoning. Happy hunting 🍷@Xlab_qax

@ale_sp_brazil Thank you!!!

People have a certain difficulty in being polite. I wrote a series of 10 malware analysis articles (MAS) in the past, and thousands of people downloaded, read, and learned in detail how to do it. However, few people even thanked me. A bit more than one year ago, I started a new series (Exploiting Reversing), where: [+] I wrote two articles about kernel drivers and mini filters. [+] I wrote an initial article about Chrome. [+] I wrote a first detailed article about macOS/iOS. [+] I wrote a first detailed article about Hyper-V. Besides the fact that few people even thank me, they read the articles, learn, but don't even say thank you. Worse, they use them for their research and don't cite the articles. Interestingly, they prefer to pay for expensive training at conferences rather than simply thank those who offer public knowledge to help other professionals take their own steps. Now I've started writing a new article, and my first concern is to cite the references I either used in the past or am remembering now. I try not to forget anyone, although this may happen. Of course, these unpleasant events will not stop me from continuing to write. Since we all use each other's knowledge, thanking and citing articles is a matter of respect, politeness, and courtesy. #research #cybersecurity #exploitation #exploit #malware #macOS #hyperv #windows

@ashl3y_shen @DistrictCon 太强了

My first @DistrictCon was a blast! ❄️ Huge thanks to the organizers and volunteers. I’m really inspired and touched by the community’s passion, and I truly enjoyed the talks, villages, and the crowd. Thanks to everyone who showed up at my talk. See you next year!

@danielmakelley 哈哈，非常形象

Cybersecurity explained in a GIF:

哈哈，只做了微小的工作🤪#botnet

@banthisguy9349 Haha, read the source code downloaded in 2020😹

CTI goals for 2026. Let them be know in the comment section and maybe folks can help each other reaching these goals!

@synthient @Xlab_qax 哈哈~他们气急败坏了~~

@Xlab_qax 😆 They are not fans of the research we've been told.

You have been attacked by a new sample from the #Kimwolf group.

@kaspersky The decrypted payloads follow the same pattern as #Badbox 2.0: sensitive strings are AES-GZIP-Base64 encoding with an MD5-derived key. 🤔 Notably, C2 domains like📸keepgo123[.]com and gsonx[.]com📸linked to the @alldocube OTA server breach. Happy hunting 🍷@Xlab_qax

@Xlab_qax @synthient Let us just take a second to bask in our own brilliance… okay, done! 😎 Hats off to legendary @briankrebs🍷 Gotta hand it to #kimwolf — the way it spreads is seriously fresh. Makes you "admire" the creator's crazy imagination.🤣 krebsonsecurity.com/2026/01/the-ki…

@deobfuscately 哈哈~~太强了~

Releasing tomorrow🐺 A vulnerability like no other