Jonathan Peters
@cod3nym
Threat Researcher | Detection Engineer @nextronsystems @nextronresearch #Yara enthusiast | C# Developer
Did anyone already notice this webshell dropped with the name spinstallp.aspx It's a different minified ASPX webshell #SharePoint virustotal.com/gui/file/2f270…
A trojanized Autoruns DLL loading shellcode from its .data section. Currently, only @thor_scanner detects it on VirusTotal. virustotal.com/gui/file/1c962… #shellcode #peb @nextronresearch
Introducing Havoc Professional: A Lethal Presence We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/introduct…
'Villa - Home Decor - Architectural Design Drawing - Prinsiri Developement - 2605h01.bat' @abuse_ch bazaar.abuse.ch/sample/43a8084… @cod3nym @nextronresearch
New blog post from @MalGamy12 and me: we analyze Katz Stealer. Focusing on bypassing App-Bound Chrome Encryption and compromising Electron apps; and how those behaviors can be leveraged for detection. We highlight key detection vectors uncovered during our analysis and provide…
=^._.^= New blog post: Katz Stealer - a credential and data stealer with everything a modern infostealer needs: process hollowing, UAC bypass, headless browser injection, and a mild dislike for CIS locales We broke it down from gzip to clipboard exfil, mapped the infection…
Related "x-ray-health-records-qdf.bat": 69ae32f8fa7bdda3f215db7f0bf57305e82ed38a28974884b75b7015dbfa43b4 AV vendors on VT did not detect this one either, but at least there is a @thor_scanner comment... 🤷♂️
We’re excited to announce the launch of malops.io, a platform built by analysts, for analysts, and it’s completely free. You can join and enjoy our first challenge about the RokRat Loader.
🚀 THOR Cloud & THOR Cloud Lite now support YARA Forge Upgrade from the 4,300-rule built-in rules to 11,310+ curated rules from 40+ sources 🧠 Broader detection ⚙️ Simple activation ✅ Free for all users 📖 nextron-systems.com/2025/04/30/yar… 📊 github.com/YARAHQ/yara-fo…
Stumbled over this new AMSI bypass. It works by manipulating the COM RPC communication used by AMSI to talk to AV engines. By hooking NdrClientCall3 which handles the RPC calls we can intercept AMSI scan requests before they reach the AV engine. I wrote a simplified version that…
Thanks to tremendous dev work by Fukusuke Takahashi and DustInDark, we have our first alpha version release of Suzaku - "Hayabusa for cloud logs". Still lots to implement but the basic sigma detection is working for AWS CloudTrail logs so try it out and give us feedback on how we…
After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering. As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings). Blog:👉blog.washi.dev/posts/recoveri…
I wrote a simple website to check GitHub repositories for potentially infected MSBuild project files. cod3nym.github.io/github-backdoo… Check out the details below.
In the past few days we have observed an increasing amount of backdoored malware source code releases on GitHub. The repositories were spread by multiple threat intelligence accounts on X. The malware uses MSBuild project files with build events to execute malicious code. The…
A new threat, closely resembling #SUDDENICON’s supply chain attack, has surfaced in our threat intelligence feeds. This campaign delivers a malicious MSI installer that deploys a Python executable with an encrypted payload appended at the end of the executable. The payload is…
Another "intelligence" account spreading backdoored and infected source code repositories... Setup is basically the same as this one I previously wrote about x.com/cod3nym/status…
GitHub - OlexxTear/Sakura-Rat-Hvnc-Hidden-Browser-Remote-Administration-Trojan-Bot-Native: HVNC malware and RAT tools like Sakura provide remote access to Windows systems. These tools, including batch RATs and HVNC source code, enable github.com/OlexxTear/Saku…
Malicious .svg files with embedded JS are flooding @VirusTotal with almost zero AV detections - looks like a massive phishing campaign We just published a YARA rule to help you catch them YARA github.com/Neo23x0/signat…
Tired of repetitive manual unpacking? x64dbg Automate helps you reduce strain, tame complexity, scale analysis, and share reproducible wins. Watch it unpack encrypted code in action! 🔐 Check out the new blog post 'Analysis at Scale with x64dbg Automate' by Darius Houle ↓