Nextron Research ⚡️
@nextronresearch
209 posts

Nextron threat research team. Signatures, rules, and analysis focused on eliminating blind spots.

Frankfurt, Germany · Joined October 2024
11 Following · 2.5K Followers

Pinned Tweet
Nextron Research ⚡️ @nextronresearch
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries, or forensic leftovers. Most of these samples showed 0 AV detections, the rest only minimal hits. Not all threats are payloads. Not all detections are flashy. But these rules consistently light up the blind spots in AV and EDR coverage – where attackers hide comfortably. THOR doesn’t replace existing tools. It shows you what they forgot to tell you. nextron-systems.com/2025/06/18/the…
Nextron Research ⚡️ @nextronresearch
RegPhantom is a signed Windows kernel rootkit that turns the registry into a covert execution channel. It gives unprivileged usermode the ability to reflectively load an arbitrary PE into kernel memory, invisible to PsLoadedModuleList and standard driver enumeration tools. The implant includes several stealth techniques:
- Post-execution memory wipe
- XOR-encoded hook pointers in-memory obfuscation
- Valid code-signing certificates
- CFG obfuscation with opaque predicates
- 28+ samples tracked (June–August 2025), signed with certificates from two Chinese companies.
We're releasing:
- Full technical writeup
- Extensive deobfuscation scripts
- YARA detection rule
Full analysis: nextron-systems.com/2026/03/20/reg…
#MalwareAnalysis #Rootkit #ThreatIntel #DFIR #Windows #KernelDriver
Nextron Research ⚡️ @nextronresearch
0 / 63 on first submission. This obfuscated batch file was still matched by THOR using multiple rules:
SUSP_Encoded_FromBase64String
SUSP_Encoded_IO_Decompress
...
The BAT appears to be part of a ZIP-based delivery chain linked to an installer associated with Latrodectus. Later VT detections went up, but not at the start. So yes, plain old script obfuscation detection still has a job to do.
VT: virustotal.com/gui/file/0017a…
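As an added illustration of why the two rule families named in the post above still catch cheap script obfuscation (example code written for this page, not Nextron's rule bodies or the post's sample): a small Python scanner that unwraps powershell -EncodedCommand arguments and undoes backtick and '+'-concatenation token splitting before matching. The indicator regexes, rule-name mapping and both sample scripts are constructed assumptions.

```python
import base64
import re

# Indicator families loosely mirroring the two rule names in the post above;
# the patterns are constructed here, not Nextron's actual rule bodies.
INDICATORS = {
    "SUSP_Encoded_FromBase64String": re.compile(r"FromBase64String", re.I),
    "SUSP_Encoded_IO_Decompress": re.compile(r"IO\.Compression\.(?:Gzip|Deflate)Stream", re.I),
}
# powershell -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded_commands(script: str) -> str:
    """Append the decoded body of every -EncodedCommand argument, so the
    indicators are matched on the real script and not on the base64 wrapper."""
    decoded = []
    for m in ENC_CMD.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; keep scanning the rest
    return "\n".join([script, *decoded])


def normalize(script: str) -> str:
    """Undo cheap token splitting: backtick escapes (Fr`omBase64) and
    '+'-joined string fragments ('From'+'Base64'+'String')."""
    s = script.replace("`", "")
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)
    return re.sub(r"\s+", " ", s)


def scan(script: str) -> list[str]:
    """Return the names of all indicator families that fire on the script."""
    text = normalize(expand_encoded_commands(script))
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(script: str) -> bool:
    """Base64 alone is common in benign scripts; require both families to fire,
    in the spirit of the multi-rule match described in the post."""
    return len(scan(script)) == len(INDICATORS)


# Constructed samples (not the sample referenced in the post).
_INNER = ("$g=[IO.Compression.GzipStream]::new([IO.MemoryStream][Convert]::"
          "Fr`omBase`64String($b),[IO.Compression.CompressionMode]::Decompress)")
CONSTRUCTED_BAT = ("@echo off\r\npowershell -nop -w hidden -enc "
                   + base64.b64encode(_INNER.encode("utf-16-le")).decode() + "\r\n")
BENIGN = "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::('From'+'Base64String')($raw))"

if __name__ == "__main__":
    for label, s in (("constructed dropper", CONSTRUCTED_BAT), ("benign decode", BENIGN)):
        print(label, scan(s), is_suspicious(s))
```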
Nextron Research ⚡️ retweeted
Florian Roth ⚡️ @cyb3rops
I often get asked how THOR fits into a world of AV and EDR. "Don’t EDRs already detect attackers?" "Yes. But not everywhere. And not everything." So I made two simple slides to show where the gaps usually are - and what kind of coverage THOR actually adds. It’s less about replacing tools, more about eliminating blind spots. Maybe this makes it clearer. @thor_scanner @nextronsystems
Nextron Research ⚡️ @nextronresearch
Nextron Research Team output by the numbers (from the wrap-up slide deck of 2025)
Nextron Research ⚡️ retweeted
Marius Benthin @marius_benthin
Another wave of #NPM packages related to #PhantomRaven. New endpoint for remote dynamic dependencies: hxxp://package[.]storeartifacts[.]com/npm/
Packages:
clean-order:8.0.0
typescript-urql:8.0.0
google-camelcase:8.0.0
add-react-displayname:0.0.6
Nextron Research ⚡️ retweeted
Marius Benthin @marius_benthin
#NPM package author a_awerin started last Friday with simple, grounded JavaScript functions like capitalize(str). But after the weekend, things changed - the package now includes malicious code. For example: hxxps://x-ya[.]ru/FvXnR/msinit npmjs.com/package/ambar-…
Nextron Research ⚡️ @nextronresearch
Our artifact scanner flagged what appears to be an LLM-generated malware loader hosted on Gist. The PowerShell script targets MSBuild.exe, using crafted project files to load additional .NET payloads. It includes extensive debug messages and comments, typical indicators of LLM-generated code. ☝️ While not highly sophisticated, this highlights how threat actors are leveraging LLMs for malware development.
Sample: virustotal.com/gui/file/b3d91…
Original source: hxxps[://]gist[.]githubusercontent[.]com/kaporaliven/157347814587c26ae241385ea0d1302a/raw/72287b1c62e6b794622df9927fc19b5ddb658ff0/Poid_loader01[.]ps1
Nextron Research ⚡️ @nextronresearch
Following the #EmEditor supply-chain compromise uncovered by @ReversingLabs - where attackers tampered with MSI installers, embedded malicious scripts, and leveraged long-running C2 infrastructure - with 0 detection on @virustotal.
Sample: virustotal.com/gui/file/a310d…
Matches:
valhalla.nextron-systems.com/info/rule/SUSP…
valhalla.nextron-systems.com/info/rule/SUSP…
valhalla.nextron-systems.com/info/rule/SUSP…
ReversingLabs report: reversinglabs.com/blog/emeditor-…
Nextron Research ⚡️ retweeted
Nextron Research ⚡️ @nextronresearch
We identified some older low-detection samples linked to the DesckVB RAT family. The PowerShell loaders embed a .NET payload and use Reflection to execute the next stage from memory. Our detection rules already flagged this behavior using encoded function names and other suspicious indicators. ☝️ Interesting observation: the actors have been using the same hardcoded payload paths for over half a year.
Samples:
virustotal.com/gui/file/e2c67…
virustotal.com/gui/file/5a650…
virustotal.com/gui/file/8df18…
Nextron Research ⚡️ @nextronresearch
Erratum: The referenced sample is in fact a legitimate hihttps component from the public repository: github.com/qq4108863/hiht… However, the updating functionality of the hihttps software is not publicly available. This indicates that the threat actor likely had access to unreleased source code, which remains an interesting finding. Thanks to @ashl3y_shen from @TalosSecurity for helping sort this out.
Quoting Nextron Research ⚡️ @nextronresearch:
Our generic Valhalla YARA signatures matched on this ELF with 0/66 AV detections at time of writing. The patterns overlap with components described in Cisco Talos' recent #DKnife write-up (downloader: same User-Agent, same hash library usage, similar command set, and even the same "dot-style" comments/formatting in strings/config). This sample looks newer than the 2019-era DKnife artifacts already on VT (uploaded Oct 2025, source: South Korea), so it's worth a closer look / comparison @ashl3y_shen.
Matched rules:
MAL_DKnife_Downloader_Feb26: valhalla.nextron-systems.com/info/rule/MAL_…
MAL_DKnife_VPN_Client_HA_PROXY_Feb26: valhalla.nextron-systems.com/info/rule/MAL_… by @petri_ph
Blog by @TalosSecurity: blog.talosintelligence.com/knife-cutting-…
Newer DKnife sample: virustotal.com/gui/file/13cac…
Nextron Research ⚡️ @nextronresearch
LSASS credential dumper (account.exe, x64, 26.5 KB) - VT shows 1/72 detections. Looks like Process Reflection (RtlCreateProcessReflection) + MiniDumpWriteDump. Uploaded from NL last month. Our generic LSASS/cred-dumper rules flagged it. virustotal.com/gui/file/606e3…
Nextron Research ⚡️ @nextronresearch
Our generic Valhalla YARA signatures matched on this ELF with 0/66 AV detections at time of writing. The patterns overlap with components described in Cisco Talos' recent #DKnife write-up (downloader: same User-Agent, same hash library usage, similar command set, and even the same "dot-style" comments/formatting in strings/config). This sample looks newer than the 2019-era DKnife artifacts already on VT (uploaded Oct 2025, source: South Korea), so it's worth a closer look / comparison @ashl3y_shen.
Matched rules:
MAL_DKnife_Downloader_Feb26: valhalla.nextron-systems.com/info/rule/MAL_…
MAL_DKnife_VPN_Client_HA_PROXY_Feb26: valhalla.nextron-systems.com/info/rule/MAL_… by @petri_ph
Blog by @TalosSecurity: blog.talosintelligence.com/knife-cutting-…
Newer DKnife sample: virustotal.com/gui/file/13cac…
Nextron Research ⚡️ retweeted
Florian Roth ⚡️ @cyb3rops
My team published detection content for the Notepad++ / Lotus Blossom activity - both the concrete post-compromise artifacts and more generic gup.exe updater anomaly hunting.
Sigma: gup.exe anomalies (uncommon DNS, uncommon file drops, suspicious child processes) github.com/SigmaHQ/sigma/… by @_swachchhanda_
YARA: Chrysalis loader/backdoor and related components github.com/Neo23x0/signat… by @X__Junior
IOCs (filenames etc.): github.com/Neo23x0/signat…
#NotepadPlusPlusCompromise
Nextron Research ⚡️ retweeted
Florian Roth ⚡️ @cyb3rops
I've been busy building a thing ⚡️ Introducing YARA Rule Skill - an LLM Agent Skill that embeds expert YARA knowledge into AI assistants. Think of it as having my brain for rule review in your chat window. It used all my guides and projects as source: YARA Performance Guide, YARA Style Guide, yaraQA. #100DaysOfYara yarahq.github.io/yara-rule-skil…