SpyNote is a sophisticated Android malware (aka SpyMax)| eln0ty
In this tutorial, we will learn how to leverage Malcat's scripting and patching capabilities to deobfuscate an unpacked Latrodectus sample.| MALCAT
Discover how google gemini 1.5 flash enhances malware analysis, offering unparalleled speed and accuracy. Protect your data effortlessly.| Govindhtech
A Cloud Virtual CISO is essentially a cybersecurity consultant specializing in cloud environments. They provide the same kind of leadership| Govindhtech
Verticals Targeted: Not specified Regions Targeted: None Related Families: Petya, NotPetya, NotPetyaAgain, RedPetyaOpenSSL Executive Summary HybridPetya is a ransomware variant resembling Petya/NotPetya, capable of compromising UEFI-based systems and exploiting CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not observed in active campaigns, its advanced capabilities warrant close monitoring by security teams.| PolySwarm Main Blog
You can now easily integrate Threat Intelligence Feeds with fresh actionable zero-false-positive IOCs into your cybersecurity infrastructure without extra costs via ANY.RUN IBM App.| ANY.RUN's Cybersecurity Blog
Explore how top attacks like Tycoon2FA, Rhadamanthys and Salty2FA unraveled in August 2025 and what insights SOC teams can take away.| ANY.RUN's Cybersecurity Blog
What started as an easy unpacking session to fill a Friday afternoon led us to a singular black-SEO campaign. Together, we will unravel 4 different malicious loaders written in 4 different programming languages, briefly analyse the final 10MB black-SEO client and reverse engineer its command and control protocol. All of this for XXL swimsuits.| MALCAT
Dive deeper into malware analysis of a PhaaS framework discovered by ANY.RUN's experts: Salty2FA, targeting industries in the USA and EU.| ANY.RUN's Cybersecurity Blog
Find crucial steps to take as a CISO to empower your SOC operations with threat intelligence to mitigate risks and improve key metrics.| ANY.RUN's Cybersecurity Blog
Discover analysis of PyLangGhost RAT, the newest Lazarus Group malware targeting finance and tech professionals.| ANY.RUN's Cybersecurity Blog
Ingest fresh IOCs from 15K SOCs into your Microsoft Sentinel SIEM to expand threat coverage and increase detection rate.| ANY.RUN's Cybersecurity Blog
See actionable steps that your SOC can take to reduce alert fatigue, increase detection rate, and cut MTTR.| ANY.RUN's Cybersecurity Blog
Discover detailed breakdown of top cyberattacks in July 2025, from DeerStealer with LNK and LOLBin abuse to Remote Access Tools exploits.| ANY.RUN's Cybersecurity Blog
In a case that redefines the boundaries of modern cybercrime, a threat actor known as UNC2891 has carried out a multi-vector cyber-heist targeting ATM infrastructure across several banking institutions. Group-IB’s… From the post “Backdooring ATMs via Bootloader? These Hackers Showed It’s Still Possible in 2025”.| Information Security Newspaper | Hacking News
Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh IOCs.| ANY.RUN's Cybersecurity Blog
BSides Munich 2020. Authors: Eslam Reda, Jameel Nabbo. Watch the talk on YouTube. PowerShell script used for creating a reverse TCP connection that bypasses AV; FUD .NET… From the post “The Art of bypassing endpoint protections for red teaming engagements”.| Buffer Overflows
Read technical analysis of PE32, a new ransomware strain that demands ransom for both decryption and not leaking stolen data.| ANY.RUN's Cybersecurity Blog
Windows shortcut files can contain valuable data. We will see how to extract the most information out of a .lnk downloader and will manually extract the configuration file of the final cobalt strike beacon using malcat| MALCAT
In this post, I will explain how you can locate cross references programmatically using Python modules that are generally helpful in reverse engineering.| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
See how ANY.RUN sources unique indicators of compromise for Threat Intelligence Feeds, helping businesses detect cyber threats.| ANY.RUN's Cybersecurity Blog
Discover a detailed technical analysis of the InvisibleFerret malware that targets businesses across different industries.| ANY.RUN's Cybersecurity Blog
Discover how YARA detection rules work and see real-world examples of rules used in ANY.RUN's Interactive Sandbox.| ANY.RUN's Cybersecurity Blog
Introduction| eln0ty
On February 23, 2022, during the war between Russia and Ukraine, a malware targeting Ukrainian infrastructure (Windows devices) and attributed to Russian Federation forces was observed; it has since been seen in the neighboring countries of Latvia and Lithuania. HermeticWiper renders a system inoperable by corrupting its data and manipulating the MBR, resulting in subsequent boot failure. Malware artifacts suggest that the attacks had been planned for several months.| eln0ty
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers| eln0ty
Hooking is a technique to intercept function calls, messages or events passed between software components, or in this case within malware. The technique can be used for malicious as well as defensive purposes: rootkits, for example, hook API calls to hide themselves from analysis tools, while we as defenders can use hooking to gain more knowledge […]| Malware and Stuff
Case Study WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022. The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN, WindscribeVPN. The following are crypto wallets collect...| RussianPanda Research Blog
Starting from a (backdoored) MSI installer, we will unroll the infection to chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.| MALCAT
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.| MALCAT
When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an excel downloader and the following obfuscated native dropper without (much) reverse engineering.| MALCAT
We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload| MALCAT
Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.| MALCAT
If you have ever used Process Monitor to track the activity of a process, you might have encountered the following pattern: the image above is a snippet of the events captured by Process Monitor during the execution of x32dbg.exe on Windows 7. DNSAPI.DLL and IPHLPAPI.DLL are present in the System directory, so you might ask yourself: why would … The DLL Search Order And Hijacking It| Malware and Stuff
As a reverse engineer, every now and then you encounter a situation where you have to dive deeper into the internal structures of an operating system than usual, be it out of simple curiosity or because you need to understand how a binary uses specific parts of the operating system in certain ways. One of the … PEB: Where Magic Is Stored| Malware and Stuff
A domain generation algorithm (DGA) is a routine that generates domain names dynamically. Consider the following example: an actor registers the domain evil.com, and the corresponding backdoor has this domain hardcoded in its code. Once the attacker infects a target with this malware, it starts contacting its C2 server. As soon as a security company … DGAs – Generating domains dynamically| Malware and Stuff
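The teaser above explains why a hardcoded C2 domain is fragile and what a DGA replaces it with. The following is an added illustration, not code from the Malware and Stuff post and not the algorithm of any real family: a constructed date-seeded DGA (hash chain over a hypothetical hardcoded seed plus the date) together with the defender-side counterpart, precomputing the domains for a date window and matching them against constructed DNS log lines. The seed value, the log format and the domain counts are all assumptions made for the example.

```python
import datetime
import hashlib

# Constructed, illustrative DGA: not the algorithm of any real malware family.
TLDS = (".com", ".net", ".org", ".info")
DEFAULT_SEED = b"hypothetical-seed"  # stands in for a constant hardcoded in the sample


def generate_domains(day, count=10, seed=DEFAULT_SEED):
    """Return `count` domains for `day` (datetime.date), derived from seed + date."""
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    domains = []
    for _ in range(count):
        state = hashlib.sha256(state).digest()          # hash chain: next state from previous
        label = "".join(chr(97 + b % 26) for b in state[:12])  # 12 lowercase letters
        domains.append(label + TLDS[state[12] % len(TLDS)])
    return domains


def precompute_window(start, days, seed=DEFAULT_SEED):
    """Defender side: every domain the DGA can emit over a window of `days` days."""
    known = set()
    for offset in range(days):
        known.update(generate_domains(start + datetime.timedelta(days=offset), seed=seed))
    return known


def match_dns_log(lines, known):
    """Return (client, qname) pairs whose queried name is in the precomputed set."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].rstrip(".").lower()   # normalise trailing dot and case
        if qname in known:
            hits.append((fields[1], qname))
    return hits


TODAY = datetime.date(2024, 1, 15)
# Constructed DNS log lines, format: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = [
    "2024-01-15T10:00:01Z 10.0.0.5 www.example.com.",
    "2024-01-15T10:00:02Z 10.0.0.7 " + generate_domains(TODAY)[3].upper() + ".",
    "2024-01-15T10:00:03Z 10.0.0.7 update.microsoft.com.",
]

if __name__ == "__main__":
    known = precompute_window(TODAY, days=3)
    for client, qname in match_dns_log(SAMPLE_LOG, known):
        print(f"DGA hit from {client}: {qname}")
```

The point of the defender half is that once the seed and the routine are reverse engineered, the whole future domain space is enumerable, so the domains can be sinkholed or fed to a resolver blocklist ahead of time, which is exactly what the attacker's dynamic generation was meant to prevent when only evil.com was known.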
As you probably guessed from the title, API hashing is used to obfuscate a binary in order to hide API names from static analysis tools, hindering a reverse engineer's understanding of the malware's functionality. A first approach to getting an idea of an executable's functionality is to more or less dive through the … Deobfuscating DanaBot’s API Hashing| Malware and Stuff
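To make the teaser concrete, here is an added example that is not from the Malware and Stuff post and does not reproduce DanaBot's own hash routine: a ROR-13 style API hash (rotate the accumulator, add the next character) as used by many loaders and shellcode, a lookup table built from export names to map extracted hashes back to API names, and a helper that recovers the rotation count when it is not known in advance. The export list and the "extracted" hash values are constructed for the example.

```python
MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` (1..31)."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name, rot=13, uppercase=False):
    """Hash an export name: for each byte, h = ror32(h, rot) + byte (mod 2**32)."""
    data = name.upper() if uppercase else name
    h = 0
    for byte in data.encode("ascii"):
        h = (ror32(h, rot) + byte) & MASK32
    return h


# Constructed export list standing in for names parsed from a DLL's export table.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess",
]


def build_table(names, rot=13):
    """Precompute hash -> name for every export so hashes in the sample resolve instantly."""
    return {api_hash(n, rot): n for n in names}


def resolve(hashes, table):
    """Map each extracted hash to a name, None where no export matches."""
    return [table.get(h) for h in hashes]


def find_rotation(sample_hash, candidate_names, rotations=range(1, 32)):
    """When the rotation count is unknown, try each against APIs the sample
    almost certainly needs (e.g. LoadLibraryA, GetProcAddress)."""
    for rot in rotations:
        for name in candidate_names:
            if api_hash(name, rot) == sample_hash:
                return rot, name
    return None


if __name__ == "__main__":
    # Constructed "hash list", as it would be read from the sample's resolver calls.
    extracted = [api_hash("VirtualAlloc"), api_hash("CreateThread"), 0xDEADBEEF]
    print(resolve(extracted, build_table(KNOWN_EXPORTS)))
    print(find_rotation(api_hash("GetProcAddress", rot=7), KNOWN_EXPORTS))
```

In practice the table is built from the real export tables of the DLLs the sample loads, and the script is run over every hash constant passed to the sample's resolver stub; a hash that resolves to nothing usually means a different algorithm variant (case folding, a different rotation, a module-name component) rather than an unknown API.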
It's not uncommon to come across some kind of string encryption within malware samples, often more complex than a simple single-byte XOR, which can usually be brute-forced trivially. By encrypting strings, malware authors can potentially lower the detection rate of anti-malware software, obscuring strings that might otherwise be flagged as "malicious",| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
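The simple case the teaser refers to, as an added example that is not part of the 0ffset post: brute-forcing a single-byte XOR key by decrypting with all 256 candidates and scoring each plaintext by its printable-byte ratio plus hits on strings an analyst expects in a decrypted blob. The encrypted sample, the key and the keyword list are constructed for this illustration.

```python
import string

PRINTABLE = set(string.printable.encode())
# Constructed indicator list: substrings an analyst expects in decrypted malware strings.
KEYWORDS = [b"http", b".dll", b".exe", b".php", b"Software\\", b"cmd"]


def xor_bytes(data, key):
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def score(candidate):
    """Higher is better: printable fraction plus the length of every keyword found."""
    printable = sum(1 for b in candidate if b in PRINTABLE) / max(len(candidate), 1)
    bonus = sum(len(kw) for kw in KEYWORDS if kw in candidate)
    return printable + bonus


def brute_force_xor(blob, top=3):
    """Try all 256 keys; return the `top` best (score, key, plaintext) triples."""
    results = [(score(xor_bytes(blob, key)), key, xor_bytes(blob, key)) for key in range(256)]
    results.sort(key=lambda r: r[0], reverse=True)
    return results[:top]


def best_key(blob):
    return brute_force_xor(blob, top=1)[0][1]


# Constructed sample: a C2 URL encrypted with key 0x5A, as a sample might embed it.
SECRET_KEY = 0x5A
ENCRYPTED = xor_bytes(b"http://example.invalid/gate.php", SECRET_KEY)

if __name__ == "__main__":
    for s, k, pt in brute_force_xor(ENCRYPTED):
        print(f"key=0x{k:02x} score={s:.2f} {pt!r}")
```

Scoring rather than eyeballing matters once the same blob format appears hundreds of times in a sample: the printable ratio alone already separates the right key from most wrong ones, and the keyword bonus breaks the ties that case-flipping keys (0x20 apart from the real one) tend to produce.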
This is kind of a shot in the dark when it comes to content. As with most of my blog, this is mainly for my own tracking and edification, but I hope to provide something adequate for others. This is a subject matter I’ve been trying to break into for a while but have been struggling with for quite some time. It’s definitely out of my realm of comfortability, but I’m hoping this blog will help with that.| anubissec.github.io
What if we could somehow compile some Python code that couldn’t be disassembled with your average Python interpreter? What if instead of LOAD_NAME or POP_TOP, we switched its opcode value with BUILD_LIST or PUSH_NULL?| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
Learn about GuLoader malware's stack manipulation technique for decrypting data blobs and how to implement it. A useful resource for those interested in reverse engineering shellcode or obfuscated malware.| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
Anubis is a well known android banking malware. Although it hasn’t been around for long, it had…| n1ghtw0lf
SmokeLoader is a well known bot that has been around since 2011. It’s mainly used to drop other malware families…| n1ghtw0lf
Snake Keylogger is a malware developed using .NET. It’s focused on stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.| XJunior
Part 1 of analyzing the KrakenKeylogger Malware| Toxin Labs
GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019; it has been used to deploy other malicious families like…| n1ghtw0lf
Qbot is a modular information stealer also known as Qakbot. It has been active since 2007. It has…| n1ghtw0lf
Breakdown of key features of the LummaC2 Stealer| Toxin Labs
Breakdown of a BumbleBee PowerShell Dropper & extracting the config of BumbleBee| Toxin Labs