Nextron Research ⚡️
@nextronresearch
Nextron Systems Threat Research Team research (att) http://nextron-systems.com
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries,…

This nearly FUD PS script is dropping #SheetRAT which was a finding by @skocherhan PS: bazaar.abuse.ch/sample/f1dd442… SheetRAT EXE: bazaar.abuse.ch/sample/cf75a4b… URL(https): /codeberg(.)org/neverskidlol/backup/raw/branch/main/SKID.ps1 Of course, there are 5 comments on PS by @nextronresearch
Others talk about exploitation. We focus on detection logic – and provide the tools to apply it. In response to the recent SharePoint attacks (CVE-2025-53770), we released: - High-quality YARA rules (low FP rate, solid coverage) - Optimized Sigma rules (web service logs, process…

Compiled version of ghostfile.aspx appeared on VT: virustotal.com/gui/file/7e9b7… virustotal.com/gui/file/d8ca5… #CVE_2025_53770
Over the past few months, we’ve been dealing with growing abuse of our publicly accessible Valhalla API. Despite clear rate-limit warnings and a fair-use policy written into the service footer, some users decided to push things too far. They used automated systems to harvest…
Scrapers targeting our publicly accessible Valhalla service endpoints are becoming a real nuisance, abusing rule matches and sample info. They're even cycling through IPs to dodge our harvesting protections. Time to implement manual IP network filters and monitor usage charts…
Wrote a set of YARA rules to detect the specific web shells dropped during the SharePoint CVE-2025-53770 exploitation. - Cleartext and compiled variants - Forensic artefacts in logs and on disk Hope it helps. Rules will be available in THOR Lite and THOR Cloud Lite shortly.…
If you’re tracking the AV detection rate for the web shells dropped in recent SharePoint attacks (CVE-2025-53770), here’s the current picture: Samples: 27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014…
Yet another signed, low-detection sample from our 🇰🇵 friends. Caught by 3 THOR signatures. effd19ed4589151ca9774129f511f423b03e70af86f5c39fecbe825b8f6eb54c
A trojanized Autoruns DLL loading shellcode from its .data section. Currently, only @thor_scanner detects it on VirusTotal. virustotal.com/gui/file/1c962… #shellcode #peb @nextronresearch
⚡️ We’ve partnered with @Threatray to combine deep code analysis and generic YARA-based detection - Soon THOR Thunderstorm matches enrich Threatray’s platform - Our analysts gain insights from Threatray’s Binary Intelligence Platform - Detection meets classification…

'4ccc47.msi' with 0 AV detection looks like #HijackLoader @abuse_ch bazaar.abuse.ch/sample/8ac1e34… 5 comments from @nextronresearch C2: 179.43.143(.)162:4812
Amos Stealer with low detection rate. virustotal.com/gui/file/af7f1…
#HuntingTipOfTheDay: you know how to spot/decode Base64 or XOR in PowerShell… but what about SecureString? This AES-based encryption is native to PowerShell; attackers have been seen to use this for PowerShell obfuscation. 🔍 Hunt for known SecureString decoding commands
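As an added example (not from the tweet or Nextron's rule set), a small Python scanner that flags the SecureString decoding patterns the tip refers to in PowerShell script text; the sample scripts are constructed, and the pattern labels are my own:

```python
import re

# PowerShell cmdlets and .NET calls that either decrypt an AES-protected
# "encrypted standard string" (ConvertTo-SecureString -Key/-SecureKey) or turn
# a SecureString back into plaintext. Label names are my own; the APIs are real.
SECURESTRING_PATTERNS = {
    "convertto_securestring_key": re.compile(
        r"ConvertTo-SecureString\b[^\n|;]*?-(?:Secure)?Key\b", re.IGNORECASE),
    "marshal_to_plaintext": re.compile(
        r"Marshal\]::(?:SecureStringToBSTR|PtrToStringAuto|PtrToStringBSTR|"
        r"PtrToStringUni|SecureStringToGlobalAllocUnicode|"
        r"SecureStringToCoTaskMemUnicode)", re.IGNORECASE),
    "networkcredential_password": re.compile(
        r"GetNetworkCredential\(\)\.Password", re.IGNORECASE),
}


def find_securestring_decoding(script: str) -> list:
    """Return (line_number, pattern_label) for every hit in the script text."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, rx in SECURESTRING_PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def is_suspicious(script: str) -> bool:
    """Flag scripts that both decrypt a keyed SecureString and extract plaintext
    from it: the obfuscation pattern, not ordinary credential prompting."""
    names = {n for _, n in find_securestring_decoding(script)}
    decrypts = "convertto_securestring_key" in names
    to_plain = {"marshal_to_plaintext", "networkcredential_password"} & names
    return decrypts and bool(to_plain)


# Constructed sample: an AES-protected command string decoded and executed.
# The blob is a placeholder, not a real payload.
SAMPLE_SCRIPT = "\n".join([
    "# constructed sample: AES-protected command string, decoded and executed",
    "$k = (1..16)",
    "$s = ConvertTo-SecureString -String '<ENCRYPTED_BLOB>' -Key $k",
    "$b = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)",
    "$cmd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($b)",
    "Invoke-Expression $cmd",
])
# Constructed benign sample: normal interactive credential handling.
BENIGN_SCRIPT = "\n".join([
    "$pw = Read-Host -Prompt 'Password' -AsSecureString",
    "$cred = New-Object System.Management.Automation.PSCredential('svc', $pw)",
])
```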
Stumbled upon a fresh specimen that's surprisingly fun to analyze. Say hello to Akanedropper, obviously in its early development phase: 🧠 AntiVM tricks 🖼️ Custom LSB steganographed config 🍷 Executes Windows payloads via Wine 🫥 Nice generic rule, @cyb3rops @thor_scanner
A fresh FUD (Fully Undetectable) Java-based stealer named Scruffy Stealer has been spotted on @VirusTotal
sha256: 180c9f2f6d89217cbc1c50dfe27d0d0b59ed0b568da5ffafdd1e7e2488f3f777
🛠️ Capabilities Overview
📁 File operation
- file_delete
- file_move
- file_send
🔍 System Recon…

A webshell that went undetected for years — #nextronresearch detection rules caught it early — and they keep getting better. 🧬 SHA-256: 6137386a6210c13153f540c9c9ae0625520f72ddae0412c5c636fed483b1c29c Make sure you're not already compromised — run a scan with thor.
Multiple low-detection "TeamViewerQS_x64.exe" trojans have appeared on VT since early June 2025. They connect to this URL: 107[.]189[.]24[.]38[:]8080/bukaka VT collection: virustotal.com/gui/collection… #TeamViewer #pebwalking #ThreatHunting @nextronresearch
Just one of many. A tiny obfuscated reverse shell script. 🧠 Clever. 📦 Only 79 bytes. 🕵️‍♂️ Undetected by 63 AV engines. ✔️ Flagged by our rule set. This is the kind of thing we detect that others don’t. It flies under the radar – but not under ours. virustotal.com/gui/file/fb5bd…