Bohan Zhang

4.5K posts


@bohansec

Threat Intelligence Analyst @esthreat 🚀🚀| Blue Teamer

Joined August 2014
3.9K Following, 2.1K Followers
Pinned Tweet
Bohan Zhang @bohansec
Today marks my first day working as a SOC analyst. Perhaps one thing I have learned over the years is to be persistent, never stop grinding, and keep chasing down your dream. Here is my timeline for achieving my dream.
Bohan Zhang retweeted
Group-IB Threat Intelligence
The Gentlemen is a newly emerged Ransomware-as-a-Service (RaaS) operation consisting of approximately 20 members. Originating from a #Qilin payment dispute, the operator "hastalamuerte" had already developed a locker while still an affiliate. Their primary initial access? A database of ~14,700 compromised FortiGate devices (CVE-2024-55591) and over 900 brute-forced VPN credentials ready for deployment. #Ransomware #DFIR
Bohan Zhang retweeted
Chi-en (Ashley) Shen (@ashl3y-shen.bsky.social)
A lot of malware analysts, myself included, are building something similar, so it’s amazing to see a Docker environment already bundled with the tools, MCP backend, and skills. Definitely gonna try this. Thanks for sharing!!
Tim Blazytko @mr_phrazer

New blog post: Building a Pipeline for Agentic Malware Analysis. Agentic RE + malware analysis with custom skills, MCP tooling, and persistent case state to automate initial triage. Link: synthesis.to/2026/03/18/age… Github: github.com/mrphrazer/agen…

Bohan Zhang retweeted
Squiblydoo @SquiblydooBlog
Nice update to @anyrun_app that seems easy to miss: HTTPS decryption. If you look at the network traffic and click Network Threats, you can click into the analysis to see the decrypted traffic. You can also just download the entire decrypted PCAP. 1/3
Bohan Zhang retweeted
Virus Bulletin @virusbtn
eSentire's TRU team investigated an open-directory web server attributed to the Iranian state-sponsored MuddyWater group and identified a file that deploys the Tsundere botnet, a suspected malware-as-a-service (MaaS) offering of Russian origin. esentire.com/blog/muddywate…
Bohan Zhang retweeted
YungBinary @YungBinary
New blog! We found an open directory attributed to #MuddyWater Iranian APT and found vulnerabilities/victims they've been targeting, red-team tools, and a loader that deploys a persistent variant of #Tsundere botnet - a MaaS sold by a Russian threat actor that is known for using #EtherHiding to store C2 addresses on the Ethereum blockchain. esentire.com/blog/muddywate…
Bohan Zhang retweeted
blackorbird @blackorbird
A cybercriminal gang that launched large-scale targeted attacks against the AI application ecosystem including #OpenClaw and Claude. The gang's attack model has been identified as a typical threat paradigm in the AI application ecosystem, which is highly likely to be emulated by more cybercriminal groups in the future.
- Counterfeit installation page phishing via Google Ads
- Technical tutorial-based phishing
- Exploiting large model conversation sharing mechanisms
- Malicious Skills upload for supply chain attacks
mp.weixin.qq.com/s/0M1sZq1HqwAA…
Bohan Zhang retweeted
Virus Bulletin @virusbtn
G DATA's John Dador looks inside the infrastructure of a new ACRStealer variant and highlights evasion techniques, C2 communication, and its stealing capabilities. blog.gdatasoftware.com/2026/03/38385-…
Bohan Zhang retweeted
vx-underground @vxunderground
A really really big company was confirmed to have been compromised. They primarily handle work-force outsourcing and call-center stuff. The amount of data this company possessed was SICKENING and over ONE PETABYTE of data was stolen. I'll do a write-up on it later. It'll take me 45 minutes to discuss everything that was stolen and how many things it impacts. Dawg, we have GOT TO STOP giving random companies user data.
Bohan Zhang retweeted
ZoomEye @zoomeye_team
🚨 Don't let AI Skills become your "Insider Threat"! Recent monitoring by Knownsec has identified 1,200+ active malicious Skills, fueling 63% of data-layer attacks and 31% of execution-layer threats. As traditional defenses fail in the AI era, we are proud to launch TrustTools—the secure, trusted distribution platform for AI Skills. We're here to guard your AI Agent supply chain with rigorous admission standards!
🔗 Link: trusttools.seebug.ai
📖 Deep Dive: Read our full analysis on AI Agent supply chain security: x.com/zoomeye_team/s…
#Openclaw #Skills #CyberSecurity #TrustTools
Bohan Zhang retweeted
blackorbird @blackorbird
Telegram Hacktivist Activity Timeline of the Iran – Israel & US War
What started as DDoS campaigns against Israeli government sites quickly expanded into a global coalition of pro-Iranian, pro-Palestinian, and Russian-aligned collectives hitting Gulf states, European targets, and US infrastructure. This blog post tracks that activity day by day, since the first coalitions formed on March 1. socradar.io/blog/telegram-…
blackorbird @blackorbird

MuddyWater APT has launched a new cyber offensive operation, dubbed Operation Olalampo, deploying new malware variants and leveraging Telegram bots for command-and-control. Analysis of the campaign provides a glimpse into the group’s post-exploitation tactics, which largely align with their historical operations. group-ib.com/blog/muddywate…

Bohan Zhang retweeted
Karsten Hahn @struppigel
I have said this quite a few times, but there is this misconception that the scanning engines on VT tell you whether the AV product detects the malware. They do not.
Bohan Zhang retweeted
VMRay @vmray
🚨 Alert: New cryptocurrency stealer likely written in Zig
🔬 Report: vmray.com/analyses/vidar…
We found a multi-stage infection chain delivering what appears to be a new cryptocurrency clipper, likely written in Zig. The infection begins with Vidar, which drops a heavily obfuscated AutoIt script that injects and executes the Zig-based stealer. This stealer resolves its C2 address through a BSC smart contract, a technique known as EtherHiding. Its primary purpose appears to be replacing cryptocurrency addresses in the clipboard with an attacker-controlled wallet.
🔎 In a nutshell:
- Vidar → SFX → AutoIt Loader → Zig Crypto Stealer
- The AutoIt script is heavily obfuscated; the next-stage payload is RC4-decrypted then LZNT1-decompressed at runtime before injection
- The script contains junk code and performs multiple anti-sandbox and anti-AV checks, timing-based evasion, and a DNS request to a non-existing domain
- C2 address is resolved via a BSC smart contract (EtherHiding)
- Constantly polls the clipboard for multiple cryptocurrency address formats: BTC, ETH, etc.
- When a match is found: exfiltrates the victim's original address to the C2 and replaces it with the attacker wallet
- Likely written in Zig, as some strings are uniquely associated with that language
- Querying the attacker's smart contract transactions, one can identify many more C2 addresses
- In recent days the sample seems to drop a different payload, no longer the Zig crypto stealer
🧬 IoCs:
- Zig sample SHA256: a82d031d99b15f8eb5a1d8cc24e55fec6d393d549edde8da9507f3cf17503ce1
- C2: quartermaster-sec[.]cc
- Smart contract address: 0x7CC3cFC1Ac007B8c6566fD2C7419b15a75473468 via API endpoint hxxps[:]//data-seed-prebsc-1-s1[.]binance[.]org:8545
- Vidar sample SHA256: 62338c7764f4e82105ea52fab868e1f04dc2f54bb44c5a47ddac685eacd6ed3c
- C2: 65.21.165[.]15
- Steam profile: hxxps[:]//steamcommunity[.]com/profiles/76561198736378968
🧩 More C2s from other smart contracts by the same creator:
⭐ Credits: Likely related sample documented by @0xfluxsec via fluxsec.red/analysing-an-A… (but their AutoIt script does not seem to drop the Zig crypto clipper highlighted here)
Bohan Zhang retweeted
Who said what? @g0njxa
⚠️ Watch out for an SEO poisoning campaign impersonating VMware vSphere downloads, leveraging the MeshCentral RMM tool bundled into fake installers targeting enterprise environments.
Sample: dbfe1f915f40122a336cd5d0de802a6f3ec0204ab75321934a06dafbc1964446
Detonation: app.any.run/tasks/e0937ead…
From malicious search results -> vmware-vsphere[.]com (associated: vmwarevsphere[.]com, vmware-remote-console[.]com, remote-console-vmware[.]com, vsphere-client[.]com, vsphere-client[.]org) leading to vmware-repository[.]com
A malicious build with an EV signature issued to the malicious signer "Pacex Learning Private Limited" (Globalsign) is delivered from Dropbox. The build connects to 103.65.230.86 (MeshCentral RMM C2) and installs a legit VMware product as a decoy.
Bohan Zhang retweeted
Virus Bulletin @virusbtn
eSentire's TRU analyses DEV#POPPER RAT & introduces a specialized automation tool for the deobfuscation of intermediary stagers. The RAT is attributed with high confidence to a North Korean state-sponsored APT group due to shared TTPs in similar campaigns. esentire.com/blog/north-kor…
Bohan Zhang retweeted
Billy Ellis @bellis1000
I infected my iPhone with the ‘Coruna’ spyware. Here’s what I found. youtu.be/XQvZ2mLnZVI
Bohan Zhang retweeted
Kostas @Kostastsale
If true, this is VERY interesting! Iranian APT using Deno for second-stage execution. We caught this intrusion and will be making the data available in our Threat Hunting Labs that will be released next week! - @ThruntingLabs
MalwareHunterTeam @malwrhunterteam

@1ZRR4H @Kostastsale @ffforward @vxunderground After that detection from Microsoft, now @threatintel also connects the same Deno-using malware samples to MuddyWater APT... Also in the same article, they suggest that some "Donald Gay"-signed samples we have seen in recent weeks are also related to MuddyWater... 🤷‍♂️

Bohan Zhang retweeted
Jamie Levy🦉 @gleeda
🧵 We recently had an incident that involved a MuddyWater hands-on attacker who couldn't spell "administrators". Full timeline breakdown below. 1/
Bohan Zhang retweeted
Virus Bulletin @virusbtn
The Microsoft Defender Security Research Team warns that fake AI assistant browser extensions can quietly collect full URLs, chat histories and browsing data from tools like ChatGPT and DeepSeek. microsoft.com/en-us/security…