< ciso
brief />
Tag Banner

All news with #malware analysis tag

45 articles

Verify threat indicators before acting on feeds

πŸ” The author recounts multiple cases where threat intelligence feeds and advisories mischaracterized malware or buried stronger indicators in machine-readable files. They describe a commercial feed mislabeling a Windows DonutLoader variant as the Linux Chalubo RAT, an official advisory whose PDF lacked stronger hashes present in the STIX bundle, and a CERT report with binary-level discrepancies. The piece stresses that labels and pipeline metadata are guesses until validated and urges analysts to open structured files and detonate samples when stakes are high.
read more β†’

Introduction to COM Usage by Windows Threats

🧭 This post introduces Component Object Model (COM) fundamentals and explains how analysts can identify and analyze COM usage in binaries. It covers GUIDs, CLSIDs, IIDs, ProgIDs, vtables, and activation APIs such as CoCreateInstance and CoCreateInstanceEx. The article highlights DCOM and COM security concepts, common Windows examples like Task Scheduler, and practical tools (e.g., OleView.NET) and workflows for reversing COM-dependent malware.
read more β†’

StealC and Amadey: Infostealer Ecosystem Disruption

πŸ” Microsoft analyzes how infostealers like StealC and loaders such as Amadey fuel a commodified cybercrime economy by harvesting credentials, cookies, and tokens from unmanaged devices. The post details methods of delivery (SEO poisoning, malicious ads, ClickFix, phishing), StealC’s data collection and C2 behaviors, and how stolen logs are monetized. It also describes a coordinated takedown on June 24, 2026, by Microsoft DCU and partners that disrupted hundreds of domains and C2 servers.
read more β†’

Automating Disassembly with Local AI Agents

πŸ› οΈ This blog demonstrates using AI agents to automate a VB6 disassembler by exposing its parsed model through the Windows Running Object Table and providing an operator briefing plus auto-generated prototypes. The agent (Claude Code in the examples) binds to the COM object, runs scripts to extract P-code, reconstruct source, generate call graphs, and export function metadata to SQLite, all locally without uploading binaries. The approach decouples tool features from fixed menus, enables repeatable exhaustive analysis, and preserves sensitive data on the analyst's workstation.
read more β†’

Analysis of The Gentlemen self‑propagating ransomware

πŸ›‘οΈ This Microsoft Threat Intelligence blog dissects The Gentlemen, a Go-based RaaS that combines per-file ephemeral Curve25519/XChaCha20 encryption with aggressive self-propagation across networks. The post details operator models, command-line controls, speed modes, privilege elevation via scheduled tasks, and extensive defense-evasion steps including disabling Defender, deleting shadow copies, clearing logs, and terminating backup, database, virtualization, and EDR services. Practical mitigations, Defender detections, hunting queries, and IOCs are provided for defenders and incident responders.
read more β†’

Researchers Disrupt Glassworm's Resilient Botnet C2

πŸ›‘οΈ CrowdStrike, Google, and The Shadowserver Foundation coordinated to disrupt the Glassworm botnet by simultaneously takedown of four resilient C2 channels. The threat abused Solana blockchain memo fields, the BitTorrent DHT, Google Calendar events, and traditional VPS-hosted servers to persist and evade mitigation. Active campaigns targeted developers via malicious OpenVSX and VS Code extensions and later poisoned GitHub and npm artifacts. Infected hosts now beacon to a CrowdStrike-controlled IP and YARA rules have been published to detect compromise.
read more β†’

Analysis: Fast16 Malware Targeted Nuclear Simulations

πŸ”Ž Symantec and Carbon Black confirm the Lua-based fast16 malware was a pre-Stuxnet sabotage tool designed to corrupt nuclear weapons testing simulations. The threat specifically targets high-explosive runs in LS-DYNA and AUTODYN, activating only when simulated material density reaches ~30 g/cmΒ³. With 101 hook rules organized into 9–10 groups, the framework tracked software versions and spread laterally while avoiding some security products, indicating a methodical, long-running operation.
read more β†’

Critical Flaw Turns Vect Ransomware into Data Wiper

⚠ Check Point Research discovered a critical implementation bug in Vect 2.0 that causes files larger than 131,072 bytes (128 KB) to be permanently destroyed rather than recoverably encrypted. The ransomware uses raw ChaCha20-IETF without the Poly1305 MAC and a faulty nonce-handling routine that discards three of four decryption nonces, effectively turning the RaaS into a wiper across Windows, Linux and ESXi variants. Researchers also identified multiple additional coding and design errors that undermine the group's RaaS ambitions and affiliate program.
read more β†’

VECT 2.0 Ransomware Bug Destroys Large Files in Enterprises

⚠️ VECT 2.0 ransomware contains a nonce-handling defect that overwrites per-chunk nonces when encrypting files, leaving only the final nonce saved. As a result, files larger than about 128 KB are partially unrecoverable β€” roughly only the last quarter can be decrypted β€” causing the malware to act like a wiper for many enterprise assets. Check Point researchers report the flaw affects Windows, Linux and ESXi builds and means victims cannot recover corrupted data even if they pay.
read more β†’

Fast16 Sabotage Malware Discovered Predating Stuxnet

πŸ”Ž SentinelOne researchers have identified a sabotage-focused malware framework from around 2005 that predates Stuxnet by at least five years. The investigation uncovered a service binary (svcmgmt.exe) embedding a Lua 5.0 VM and a boot-start kernel driver (fast16.sys) that intercepts and patches executables at the storage layer. Fast16 acted as a wormable carrier with multiple 'wormlet' payloads, targeted Windows 2000/XP file shares using weak credentials, and included environmental checks to avoid specific security software. The framework was designed to corrupt outputs from engineering and simulation suites, and was later referenced in the Shadow Brokers leak.
read more β†’

CISA Malware Analysis: FIRESTARTER Backdoor on Cisco

πŸ”’ CISA and the U.K. NCSC analyzed a sample of the FIRESTARTER Linux ELF backdoor affecting Cisco Firepower and Secure Firewall devices running ASA/FTD. The agency assesses the malware provides persistent remote access, installs a hook into LINA to execute arbitrary shellcode, and can survive firmware updates and reboots. CISA provides YARA rules for detection and directs U.S. FCEB agencies to collect and submit core dumps per V1: ED 25-03, and to await further guidance.
read more β†’

Automated Magic Packet Generation from BPF Filters

πŸ›‘οΈ Cloudflare demonstrates an automated method to reverse-engineer classic BPF socket filters and generate the exact β€œmagic” packets that trigger stealthy Linux backdoors. By combining symbolic execution with the Z3 theorem prover and translating the resulting constraints into concrete byte values, the approach reduces manual analysis of complex BPF bytecode from hours or days to seconds. The team uses scapy to assemble crafted packets and has open-sourced the filterforge tool to accelerate threat research and detection.
read more β†’

Transparent COM Instrumentation for Malware Analysis

πŸ” Cisco Talos introduces DispatchLogger, an open-source DLL that transparently instruments late-bound COM (IDispatch) interactions to enhance malware analysis visibility. The tool hooks COM instantiation APIs and returns proxy objects that forward calls while logging method names, parameters, return values, and object relationships. It supports recursive wrapping, enumerator proxies, and moniker handling to reveal high-level automation events often missed by low-level API tracing. Deployment requires injecting the DLL into target processes and preserves COM lifetime and threading semantics.
read more β†’

Threatsday Bulletin: Speed, Deception, and New Vectors

πŸ”” Recent signals show attackers moving faster and hiding in plain sight. Kali Linux added an integration with Anthropic's Claude via the Model Context Protocol to translate natural-language prompts into technical commands, enabling AI-assisted command execution in a red‑team distro. Censys analyzed ResidentBat, an Android spyware implant used for mass surveillance that exfiltrates audio, messages and files. Alongside Bitpanda-themed phishing, ClickFix-based macOS stealers, ActiveMQ-enabled LockBit intrusions and a widespread WinRAR patch lag, these developments underscore shrinking breakout times, improved cloaking and persistent patching gaps that defenders must address.
read more β†’

CISA Updates RESURGE Malware Analysis, Highlights Stealth

πŸ”’ CISA released an updated Malware Analysis Report detailing new findings on RESURGE, a sophisticated implant that exploits vulnerabilities to establish covert SSH-based command-and-control access. The update shows advanced network-level evasion, forged TLS certificates, and authentication techniques that allow RESURGE to remain dormant on Ivanti Connect Secure devices until an operator connects, evading routine scans. CISA publishes IOCs, detection signatures, and directs use of mitigation guidance for CVE-2025-0282 to aid defenders.
read more β†’

Disrupting GRIDTIDE: Global Telecom Cyber Espionage

πŸ›‘οΈ Google Threat Intelligence Group, Mandiant, and partners executed a coordinated disruption against a global espionage campaign attributed to UNC2814 that abused cloud services for covert command and control. Investigators identified a novel C-based backdoor called GRIDTIDE that uses Google Sheets APIs as a high-availability C2 channel, protected by an AES-128-CBC key and service account credentials. Actions included terminating attacker-controlled Google Cloud projects, disabling accounts and Sheets API access, sinkholing infrastructure, and publishing IOCs and detection guidance to support defenders.
read more β†’

Unmasking Agent Tesla: Multi-Stage Campaign Analysis

πŸ” This Fortinet analysis dissects a recent multi-stage campaign deploying Agent Tesla, which targets Windows users with credential theft and keylogging. The chain uses spearphishing with RAR attachments containing obfuscated JSE loaders that fetch encrypted PowerShell scripts and reflectively load .NET assemblies in memory. Operators leverage process hollowing, virtualization and sandbox checks, and SMTP-based exfiltration to minimize detection. Fortinet telemetry and cross-product protections are highlighted to help organizations mitigate the threat.
read more β†’

Infy Hackers Resume Operations with New C2 Infrastructure

πŸ” SafeBreach reported that the Iranian-linked threat group Infy resumed operations on January 26, 2026, deploying new command-and-control (C2) servers and replacing infrastructure for its Foudre and Tonnerre tool families. The actor introduced Tornado v51, which supports both HTTP and Telegram-based C2 and uses a hybrid domain-generation approach combining a new DGA and blockchain-derived fixed names. Researchers observed signs the group exploited a disclosed WinRAR extraction flaw to deliver a self-extracting archive that drops a Tornado DLL and an installer that checks for Avast before establishing persistence. SafeBreach also recovered Telegram artifacts, a ZZ Stealer chain, and a malicious PyPI package used for targeted deployments.
read more β†’

VoidLink Signals a New Era in AI-Generated Malware

πŸ€– Check Point Research's analysis of VoidLink describes one of the first advanced malware families largely generated using artificial intelligence. Unlike earlier AI-assisted samples, which were often low-quality or derivative, VoidLink exhibits clear sophistication, modularity, and rapid evolution. AI appears to have enabled a single actor to plan, build, and iterate a complex malware framework in days rather than months, compressing development cycles and increasing operational tempo. Security teams must adapt detection, attribution, and incident response to meet this emerging threat class.
read more β†’

pkr_mtsi Loader Used in Malvertising to Deploy Payloads

πŸ›‘οΈ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti‑analysis techniques, and RL has released an expanded YARA rule to improve detection.
read more β†’