alden
@birchb0y
sr detection engineer @ huntress • re/malware enjoyer • macOS security
excited bc today @HuntressLabs is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠 we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)! huntress.com/blog/inside-bl…
🗞️ We couldn't fit our analysis of a new #AMOS #macOS #backdoor into a thread here, so we published a whole article! We appreciate @SANSInstitute, @BleepinComputer, and others for sharing it! Give it a read! moonlock.com/amos-backdoor-…
If you aren’t keeping an eye on #transferloader, I recommend changing that. This malware has consumed way too much of my time
Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals. It’s got everything: 🛰️ Popped routers for sending phish 📊 ACH on attribution 👾 custom protocols 👽 cool malware 🕵️ crime 🎯 espionage ❔many unanswered questions proofpoint.com/us/blog/threat…
im so pumped to be talking through some fun north korean malware with @stuartjash at #OBTS v8 🤠 it's truly a goated lineup and i'm very humbled to be speaking alongside so many sick researchers (also dw i will be dressed up in a blues clues onesie for the talk)
📢 Just dropped: the full #OBTS v8 talk lineup! objectivebythesea.org/v8/talks.html And for the first time we'll have 3 full days of presentations! 🤩 Congrats to the selected speakers and mahalo to all who submitted. With ~100 submissions, selecting the final talks was a daunting task! 😫
My tolerance for snake oil in this industry is getting way too thin
New RE Video: youtube.com/watch?v=skOsJj… In this video, I reverse engineer a malicious SwiftUI dropper. Swift is fun to RE so I thought it would be a good idea :) Shout out to @txhaflaire for their recent blog post that covers this malware.
🥹💕
Sad it expired. While we dunk on PA products, we recognize Unit 42, along with @elasticseclabs and @HuntressLabs, as being the 3 most impressive threat analysis teams. Nothing but love for all 3 groups
New writeup: Early last month, @samwcyo, @sshell_, and I found a Django ORM injection in an online shooter game that let us steal cryptocurrency from the game's wallet. Read the blog post here: blog.p1.gs/writeup/2025/0…
goated stuff 🔥🔥🔥
🚨 NEW PAPER on the 0day Supply Chain 🚨: I gathered open source data & interviewed Gov employees, VR and China researchers to figure out what the zero day marketplace looks like in the U.S. and how it compares to China. Key findings below ⬇️ 0/🧵 atlanticcouncil.org/in-depth-resea…
this is what he meant by the americanization of lockbit x.com/lockbitsupp/st…
The Americans got me
phenomenal stuff from @ValidinLLC 🫡
Hot on the heels of the research published by @HuntressLabs, hunting for Zoom-themed lures from DPRK's #BlueNoroff 💥Learn hunting techniques 💥Leverage new Validin features and data 💥Full, unredacted indicator list (domains, IPs, hashes) validin.com/blog/zooming_t…
What I talk about when I talk about IRs bernsteinbear.com/blog/irs/
the paper "Inspecting Compiler Optimizations on Mixed Boolean Arithmetic Obfuscation" (ndss-symposium.org/wp-content/upl…), BAR'25, compares the ability of compilers (GCC, Clang, MSVC) to simplify MBA expressions