Marius Benthin
@marius_benthin
Senior Detection Engineer @NextronResearch @NextronSystems
Even if the final payloads' IOCs were not available on VT, after extracting them you will find that this new campaign's payloads are detected by Thor 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2 969fb3e705ba8afe757ba7617e75d1096d4793d14796e2734613cfcc50675652
The Arctic Wolf Labs team has uncovered a new campaign by APT group Dropping Elephant targeting major Turkish defense contractors and weapons manufacturers. Learn more in our latest blog: ow.ly/xLih50WueNn #HypersonicEspionage #TurkeyPakistan #DroppingElephant #Türkiye
Others talk about exploitation. We focus on detection logic – and provide the tools to apply it. In response to CVE-2025-53770, we released: - High-quality YARA rules (low FP rate, solid coverage) - Optimized Sigma rules (web service logs, process creation, file creation) -…
Yet another signed, low-detection sample from our 🇰🇵 friends. Caught by 3 THOR signatures. effd19ed4589151ca9774129f511f423b03e70af86f5c39fecbe825b8f6eb54c
⚡️ We’ve partnered with @Threatray to combine deep code analysis and generic YARA-based detection - Soon THOR Thunderstorm matches enrich Threatray’s platform - Our analysts gain insights from Threatray’s Binary Intelligence Platform - Detection meets classification…
Stumbled upon a fresh specimen that's surprisingly fun to analyze. Say hello to Akanedropper, obviously in its early development phase: 🧠 AntiVM tricks 🖼️ Custom LSB steganographed config 🍷 Executes Windows payloads via Wine 🫥 Nice generic rule, @cyb3rops @thor_scanner
A fresh FUD (Fully Undetectable) Java-based stealer named Scruffy Stealer has been spotted on @VirusTotal sha256: 180c9f2f6d89217cbc1c50dfe27d0d0b59ed0b568da5ffafdd1e7e2488f3f777 🛠️ Capabilities Overview 📁 File operation - file_delete - file_move - file_send 🔍 System Recon…
A webshell that went undetected for years — #nextronresearch detection rules caught it early — and they keep getting better. 🧬 SHA-256: 6137386a6210c13153f540c9c9ae0625520f72ddae0412c5c636fed483b1c29c Make sure you're not already compromised — run a scan with thor.
Just one of many. A tiny obfuscated reverse shell script. 🧠 Clever. 📦 Only 79 bytes. 🕵️♂️ Undetected by 63 AV engines. ✔️ Flagged by our rule set. This is the kind of thing we detect that others don’t. It flies under the radar – but not under ours. virustotal.com/gui/file/fb5bd…
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries,…
Discovered a new Voldemort sample with the exported DLL name "ponhubc.dll". It uses #LNK + #VBS and #DLLHijacking, similar to a previous campaign detailed by @proofpoint [1]. ZIP: e646e78344d99913b541d87ccebfb467 DLL: 4cc3443f56264cee94da3c23cce2a977 [1] proofpoint.com/us/blog/threat…
🚨 About CVE-2025-33053 - a crazy Windows execution flow vulnerability This flaw abuses how Windows resolves executable paths when trusted binaries spawn child processes without full paths. For example, a legitimate tool like iediagcmd.exe is launched from a .url file that…
Low detection rate on "WindowsSecurity.dll" - likely crafted for side-loading through WeChat in place of "xweb_elf.dll" virustotal.com/gui/file/89990… @thor_scanner #apihashing #rc4 #pebwalking

New PITHOOK samples related to Ivanti SparkGateway plugin abuse with low AV detection rate: 5ead3ef675fa610f061c3cb409b438b3 1563fe9c8b396baee62a1ce81fbaaeff 0b0193fc14b95600b7dd105cebb0a93c virustotal.com/gui/file/b6ed7…
Filtering macOS binaries by magic bytes is trickier than with PE files There are some public YARA rules for Universal binaries whose condition could be improved with regards to superfluous magic byte checks or false positives on Java class files A Thread 🧵 #100DaysOfYara
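The magic-byte collision the thread above refers to is that Java class files and Mach-O Universal (fat) binaries both begin with 0xCAFEBABE. The following Python is an added example, not one of the rules or scripts from the thread: it reads the leading magic big-endian (the way YARA's `uint32be(0)` would), separates the two formats by interpreting bytes 4..7 as either `nfat_arch` or the Java major_version, and then walks the fat header to confirm every slice actually points at a thin Mach-O inside the buffer. The cutoff of 30 for `nfat_arch` follows the heuristic used by file(1)'s magic database and is an assumption, not an Apple-defined limit; the sample buffers are constructed inline and are not real files.

```python
import struct

# Magic values from Apple's <mach-o/fat.h> and <mach-o/loader.h>, as they appear
# when the first four bytes are read big-endian (YARA's uint32be(0)).
FAT_MAGIC = 0xCAFEBABE     # Universal (fat) header, always stored big-endian
FAT_MAGIC_64 = 0xCAFEBABF  # 64-bit fat header variant
THIN_MAGICS = {
    0xFEEDFACE: "macho-32-be",
    0xCEFAEDFE: "macho-32-le",
    0xFEEDFACF: "macho-64-be",
    0xCFFAEDFE: "macho-64-le",   # what x86_64 / arm64 Mach-O files start with
}

# Java class files also begin with 0xCAFEBABE. Their bytes 4..7 hold minor_version
# and major_version (major >= 45 for every real JDK), whereas a fat header stores
# nfat_arch there, a small count of contained slices. The cutoff of 30 mirrors
# file(1)'s heuristic; it is an assumption, not a limit defined by Apple.
NFAT_ARCH_MAX = 30

FAT_ARCH_STRUCT = struct.Struct(">IIIII")  # cputype, cpusubtype, offset, size, align


def classify(data: bytes) -> str:
    """Classify a buffer by its leading magic, separating fat Mach-O from Java .class."""
    if len(data) < 8:
        return "too-short"
    magic, word4 = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        return "java-class" if word4 > NFAT_ARCH_MAX else "macho-fat"
    if magic == FAT_MAGIC_64:
        return "macho-fat64"
    return THIN_MAGICS.get(magic, "other")


def fat_slices(data: bytes) -> list:
    """Return (cputype, classification) for each slice of a 32-bit fat header,
    checking that every slice really points at a thin Mach-O inside the buffer."""
    if classify(data) != "macho-fat":
        return []
    nfat_arch = struct.unpack(">I", data[4:8])[0]
    out = []
    pos = 8
    for _ in range(nfat_arch):
        if pos + FAT_ARCH_STRUCT.size > len(data):
            out.append((None, "truncated-header"))
            break
        cputype, _sub, offset, size, _align = FAT_ARCH_STRUCT.unpack_from(data, pos)
        pos += FAT_ARCH_STRUCT.size
        if offset + size > len(data) or size < 8:
            out.append((cputype, "slice-out-of-bounds"))
            continue
        out.append((cputype, classify(data[offset:offset + size])))
    return out


# Constructed sample inputs (not real files): a two-slice fat binary, a Java
# class header (major_version 52 = Java 8), a thin little-endian 64-bit Mach-O
# and a PE header, so the classifier can be exercised offline.
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C


def build_fat_sample() -> bytes:
    thin = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # 32-byte stand-in for a thin Mach-O
    header_len = 8 + 2 * FAT_ARCH_STRUCT.size    # 48 bytes (real files page-align slices)
    archs = FAT_ARCH_STRUCT.pack(CPU_TYPE_X86_64, 3, header_len, len(thin), 12)
    archs += FAT_ARCH_STRUCT.pack(CPU_TYPE_ARM64, 0, header_len + len(thin), len(thin), 14)
    return struct.pack(">II", FAT_MAGIC, 2) + archs + thin + thin


FAT_SAMPLE = build_fat_sample()
JAVA_SAMPLE = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8
THIN_SAMPLE = b"\xcf\xfa\xed\xfe" + b"\x0c\x00\x00\x01" + b"\x00" * 8
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12

if __name__ == "__main__":
    for name, buf in [("fat", FAT_SAMPLE), ("java", JAVA_SAMPLE),
                      ("thin", THIN_SAMPLE), ("pe", PE_SAMPLE)]:
        print(name, classify(buf), fat_slices(buf))
```

The same discrimination fits in a YARA condition as `uint32be(0) == 0xCAFEBABE and uint32be(4) <= 30`, which keeps a Universal-binary rule from firing on every Java class file while needing only one magic check instead of several redundant ones; the slice walk shows the extra validation a scanner can do before treating the file as Mach-O at all.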
How to use knowledge about .NET structures and streams for writing better .NET Yara signatures. E.g. IL code patterns, method signature definitions, GUIDs, compressed length. #100DaysOfYara #GDATATechblog @GDATA #GDATA gdatasoftware.com/blog/2025/04/3…