
In collaboration w/ @abstractshield, we analysed TukTuk, a sophisticated .NET RAT disguised as Apache log4net.dll, and what we found goes well beyond the malware itself.
After pivoting onto the threat actor's own dev machine, we recovered their entire AI-assisted development history: 7,016 messages, 17 projects, 48 days of offensive tooling built almost entirely with Claude.
Two C2 frameworks. A terabyte-scale exfiltration utility. EDR evasion tooling tested against @CrowdStrike,
@SentinelOne, @Sophos & @Bitdefender. A BYOVD process killer. Custom AD recon tools. A tunneling kit. A malware distribution platform.
All of it AI-generated. All of it operational.
The actors used persistent fake personas ("university professor", "senior pentester") to bypass safety guardrails.
We're flagging this to @Anthropic, @Fortinet and affected vendors. The OPSEC failure that exposed all of this?
.claude/ session directory on the dev machine.
Full IOCs, hashes, operator IPs, C2 infrastructure, and verbatim AI session excerpts in the report. Link below.
