Florian Roth ⚡️
@cyb3rops
Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim
I've decided to put a screenshot showing the hex editor view of a Turla Kazuar sample behind acrylic glass on my desk to always remind me why I am doing all this ... because I 💛 to be a pain in the neck of the bad guys
It seems that I have some fans over in Russia 🐻 #TurlaLicksAss thx to the FireEye analyst who brought this to my attention virustotal.com/gui/file/4417c…
😐
Amazon AI coding agent hacked to inject data wiping commands - @billtoulas bleepingcomputer.com/news/security/…
I post. I share strong views. Sometimes to challenge a perspective, sometimes just to hold up a mirror – and yes, sometimes like a bull in a china shop. It’s absolutely essential that you grow a thick skin. Mine’s backed by a block list of 920 people.
What nonsense is this, England? This just isn’t how any of this works. “no doubt there will be some who get around it, it means young kids in particular won’t be stumbling on violent and harmful porn”
Well done to everyone who campaigned to ensure age verification for pornography was in the Online Safety Act! Today it comes into force and while no doubt there will be some who get around it, it means young kids in particular won’t be stumbling on violent and harmful porn.
Every public CTI blog should start like this - by linking it to other companies’ or researchers work on the same threat actor / cluster.
Tea App still having problems. As of this writing their API does not have appropriate permissions set and anyone can query the API to dump all user geolocation data
I once joined a new org where the IT team told me they were saving screenshots of users' desktops taken periodically via a DLP app, to an s3 bucket. I asked them to immediately turn off that feature and delete the bucket. There was no reason for it other than the DLP tool offered it,…
Part of the job as a cybersecurity professional is in fact arguing to purge and not log information about your customers. Data is not oil. It's risk.
UK Online Safety Act takes effect today. Users must verify identity with a third-party and scan their face to access adult content online. Proposed screen time limits require age verification for video games exceeding two hours. - Non-compliance fines up to £18M or 10%…
This is exactly why people are against the current age verification methods on the menu.
TLDR the Tea app stores everyone's photo and ID unencrypted in a public firebase storage bucket. Hahahahahah. Was this vibe coded?
You should look up “time zones.” They’re like VPNs for the sun.
Bro tweeted this at 3 am on a weekday lol
Wow
A huge WIN for Microsoft customers today, Token Protection is available in Microsoft Entra P1 > ourcloudnetwork.com/microsoft-make… What was previously assumed to be a permanent feature of Microsoft Entra P2, although no official announcement has been made,…
Tea App, the recent trending app which allowed women to anonymously rate or discuss men, has been compromised. The application stored photos and identification in a public facing firebase storage bucket. It's all going down on 4chan (as is tradition).
100 Days of YARA, YARA Rule Tips and The Current State of Email borne Threats with Greg Lesnewich x.com/i/broadcasts/1…
Others talk about exploitation. We focus on detection logic – and provide the tools to apply it. In response to CVE-2025-53770, we released: - High-quality YARA rules (low FP rate, solid coverage) - Optimized Sigma rules (web service logs, process creation, file creation) -…
Compiled version of ghostfile.aspx appeared on VT: virustotal.com/gui/file/7e9b7… virustotal.com/gui/file/d8ca5… #CVE_2025_53770
Defending against the return of Lumma Stealer? According to Trend Micro, it's spreading via: 1️⃣ Fake cracked software 2️⃣ Deceptive sites 3️⃣ Social media posts e.g. cracked software Use this SIGMA rule by @cyb3rops to catch malware using renamed AutoIt binary
Over the past few months, we’ve been dealing with growing abuse of our publicly accessible Valhalla API. Despite clear rate-limit warnings and a fair-use policy written into the service footer, some users decided to push things too far. They used automated systems to harvest…
Scrapers targeting our publicly accessible Valhalla service endpoints are becoming a real nuisance, abusing rule matches and sample info. They're even cycling through IPs to dodge our harvesting protections. Time to implement manual IP network filters and monitor usage charts…
Really enjoyed this breakdown. Any chance you’ll do a similar deep dive on the Hunter Biden laptop story? Especially that DKIM-signed “thanks for inviting me to DC” email from Burisma’s Vadym Pozharskyi. You were one of the few who actually debunked the nonsense with solid tech.…
In Windows, I right-clicked on a directory and ZIPped it up into a compressed archive. Then I right-clicked on the archive and unzipped it back into a directory. The result, shown below, is that all the timestamps were rounded up to the even 2 second mark. This comes from the…
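The 2-second granularity described in the post above comes from the DOS date/time field that the ZIP format uses for each entry. The following Python is an added example, not part of the post or of any tool it mentions: it sets an odd-second modification time on a constructed file, stores the file in an in-memory archive with the standard library's zipfile module, and reads back the seconds value the archive actually carries. The file name evidence.txt and the timestamp are constructed. Note that the stdlib zipfile writer truncates the odd second down to the even value rather than rounding up, so what the example reproduces is the loss of precision, not the rounding direction the post observed in Windows Explorer.

```python
"""Added example (not from the quoted post): show that a plain ZIP
archive stores modification times at 2-second resolution, so an
odd-second mtime on the source file does not survive a round trip.
Standard library only; the file and timestamp are constructed."""
import io
import os
import tempfile
import time
import zipfile


def zip_roundtrip_mtime(year, month, day, hour, minute, second):
    """Create a constructed file whose mtime is the given local time,
    store it in an in-memory ZIP and return
    (original_seconds, seconds_stored_in_zip).

    The stored value is read back from the central directory through
    ZipInfo.date_time, which is the only timestamp a plain ZIP entry
    carries unless an extra field (e.g. NTFS or extended timestamp)
    was written, which zipfile.write() does not do."""
    # mktime takes a 9-tuple; weekday/yearday are ignored, isdst=-1 lets
    # the C library decide, so localtime() round-trips the same fields.
    epoch = time.mktime((year, month, day, hour, minute, second, 0, 0, -1))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")  # constructed sample file
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (epoch, epoch))  # set atime and mtime on disk
        original = time.localtime(os.stat(path).st_mtime)

        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            # ZipInfo.from_file() converts st_mtime to a DOS date/time,
            # and the seconds field is written as seconds // 2.
            zf.write(path, arcname="evidence.txt")

        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            # Reading decodes (dostime & 0x1F) * 2, so seconds are even.
            stored = zf.getinfo("evidence.txt").date_time
    return original.tm_sec, stored[5]


def timestamp_precision_lost(original_seconds, stored_seconds):
    """True when the archive no longer matches the source file to the
    second. When correlating an extracted file's mtime with other
    evidence, expect up to 2 s of skew from the container alone."""
    return original_seconds != stored_seconds
```

Calling zip_roundtrip_mtime(2024, 1, 15, 10, 30, 33) returns (33, 32): the file was stamped at second 33, the archive only knows second 32. Python's ZipFile.extract() does not restore the stored mtime at all (extracted files get the extraction time), so when timestamps matter, read ZipInfo.date_time directly rather than trusting the mtime of an extracted copy.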
There are various reports of cybercriminals abusing CrowdStrike RTR, the SentinelOne installer, and the Wazuh SIEM Agent. Seems we could do with a new @MITREattack TTP for this threat. Should be a concern for orgs running any type of EDR/SIEM agent. (Sources linked below)