Happy Monday Everyone!

I usually use this space to share workshops, articles, or insights from the community but today is a little different. I was humbled to see my name listed alongside so many amazing professionals as a nominee for the SANS Institute Difference Makers Award.

This recognition isn’t about me, though. It’s about celebrating the people who push our field forward, make an impact, and inspire others. If someone has made a difference in your journey, I encourage you to take a moment to recognize them.

Nomination form:
https://lnkd.in/dNNeTQKJ

Have a wonderful day, and as always Happy Hunting!

Original Post from Rob T. Lee:
https://www.linkedin.com/posts/leerob_our-core-mission-in-sans-institute-dfir-classes-activity-7372981624734576640-zrwN?utm_source=share&utm_medium=member_desktop&rcm=ACoAABd7OUoBVN750zcbzPTXBcB9nFZcxIiKpRc

Intel 471 Cyborg Security, Now Part of Intel 471
#ThreatIntel #ThreatHunting #ThreatDetection #DFIR #HappyHunting


Happy Monday everyone!

CrowdStrike is reminding us that just because some of us use Macs doesn't mean we are malware-proof! In this case, the cybercriminal group dubbed #COOKIESPIDER was deploying their stealer known as #SHAMOS.

Using a combination of malvertising and the #ClickFix technique, the group would trick their victims into installing the Shamos stealer, which leads to it running "host reconnaissance and data collection tasks, including searching for known cryptocurrency-related wallet files and sensitive credential-based files on disk".

As always, take a read for yourself to see all the details I left out! Enjoy and Happy Hunting!

Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS
https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Happy Wednesday everyone!

#GodRAT is a new remote access trojan that is targeting financial institutions, as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems and deploy browser password stealers, and during the attack they even deployed #AsyncRAT as a backup to maintain access.

Looking at two of the password stealer payloads gives us some ideas of where to begin a hunt focused on this threat: both the Chrome and MS Edge password stealers added an executable to the path %ALLUSERSPROFILE%\google\ and named it after the browser they were after ("chrome.exe" and "msedge.exe" respectively). An interesting hunt would be to look at new executables added to this directory, OR hunt for executables that may be masquerading as browser-related executables! However you do it, get hunting!

GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting
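The two hunts described above, worked as an added example (my own code, not from the Securelist report or Kaspersky): flag any executable dropped under the report's %ALLUSERSPROFILE%\google\ path, and flag a browser-named binary running outside its normal install directory. The expected install directories and the sample events are assumptions constructed for the example.

```python
# Added example (not from the GodRAT report): hunt logic for browser masquerading,
# run over constructed file-creation / process-creation events (Sysmon-style).
from __future__ import annotations
import ntpath
from typing import Iterable

# Path the report gives for the stealer payloads; %ALLUSERSPROFILE% normally
# expands to C:\ProgramData (assumption: default Windows layout).
STAGING_DIR = r"c:\programdata\google"

# Where the real browser binaries live (assumption: default install locations).
EXPECTED_DIRS = {
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
    "msedge.exe": {
        r"c:\program files\microsoft\edge\application",
        r"c:\program files (x86)\microsoft\edge\application",
    },
}

def hunt_browser_masquerade(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (reason, image_path) pairs worth an analyst's attention.

    Each event is a dict with an 'image' key holding the full path of the
    executable that was created or launched. Two hunts run per event:
      1. an executable written directly under the staging directory, and
      2. a browser-named executable outside its expected install directory.
    """
    hits: list[tuple[str, str]] = []
    for ev in events:
        image = ntpath.normpath(ev["image"]).lower()  # case-insensitive on Windows
        directory, name = ntpath.split(image)
        if name.endswith(".exe") and directory == STAGING_DIR:
            hits.append(("executable in %ALLUSERSPROFILE%\\google", ev["image"]))
        elif name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            hits.append((f"{name} outside expected install path", ev["image"]))
    return hits

# Constructed sample events: one legitimate Chrome, the two payload paths from
# the report, one browser-named binary in an odd place, and one unrelated file.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"image": r"C:\ProgramData\google\chrome.exe"},
    {"image": r"C:\ProgramData\google\msedge.exe"},
    {"image": r"C:\Users\Public\msedge.exe"},
    {"image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for reason, path in hunt_browser_masquerade(SAMPLE_EVENTS):
        print(f"[hunt] {reason}: {path}")
```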


Happy Monday everyone!

Cisco Talos researchers report on a "malvertising campaign" that involved #PS1Bot, which is modular and has "several modules delivered to perform a variety of malicious activities on infected systems." It has the capability to capture keystrokes from its victims, conduct reconnaissance, and establish persistence.

This campaign involved Search Engine Optimization (SEO) poisoning and/or malvertising where the file name matched the keywords used in this target. The victim received a compressed archive that had a single file named "FULL DOCUMENT", which functioned as the downloader and retrieved the next stage. PowerShell modules came into play later that had the capability to detect which antivirus was being used by the victim, capture screenshots and keystrokes, collect wallet information, and gain persistence, which is achieved in a pretty creative way! But I won't spoil it! Find out for yourself and discover all the other details I left out! Enjoy and Happy Hunting!

Malvertising campaign leads to PS1Bot, a multi-stage malware framework
https://blog.talosintelligence.com/ps1bot-malvertising-campaign/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #inteldriventhreathunting


Happy Friday everyone!

Really thankful for the opportunity to join Arun Warikoo at the SANS Digital Forensics and Incident Response Summit to talk about my passion, Threat Hunting. We focused on how to prioritize a structured hunt (hypothesis-driven) and when to conduct an unstructured, or a data-structured, hunt.

A big thank you to Heather Barnhart and Phil Hagen for hosting and providing us the opportunity to speak at the event; it truly was an honor and an unforgettable experience! If you missed it in person or virtually during the event, here it is! Enjoy and Happy Hunting!

Making Sense of the Chaos: When to Conduct Structured and Unstructured Threat Hunts
https://www.youtube.com/watch?v=VAVj1JE6dG0

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting


Good day everyone!

Somehow I missed this article when it first dropped, but at least I found it! The DFIR Report published another great article that involved the #Bumblebee malware as the initial access vector, installed after a user fell victim to an SEO poisoning campaign. The report states that "the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client." The adversary also created two new domain accounts and used one to connect to a domain controller via RDP and dump the NTDS.dit file using wbadmin.exe.

There are more technical details along with some great queries to use to aid your threat hunting and detection engineering efforts! As always, thank you to the authors for a great report! Happy Hunting!

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #IntelDrivenThreatHunting #HappyHunting #readoftheday
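The sequence called out above (new domain account, RDP logon to a domain controller, wbadmin used against NTDS.dit) is a natural correlation hunt; the code below is my own added example, not a query from The DFIR Report. The event field names, the domain controller hostname and the sample events are constructed for the example.

```python
# Added example (not from The DFIR Report): correlate account creation (4720),
# an RDP logon (4624, logon type 10) to a domain controller, and wbadmin use
# against the NTDS database, over constructed Windows Security/Sysmon-style events.
from __future__ import annotations
from typing import Iterable

DOMAIN_CONTROLLERS = {"dc01"}  # assumption: the hunter knows the DC hostnames

def hunt_ntds_via_new_account(events: Iterable[dict]) -> list[str]:
    """Return analyst-readable findings from a mixed, unordered event stream.

    Event shapes (constructed for this example):
      {"kind": "4720", "target_user": ..., "t": ...}                      account created
      {"kind": "4624", "user": ..., "logon_type": 10, "host": ..., "t": ...}  RDP logon
      {"kind": "process", "host": ..., "user": ..., "cmdline": ..., "t": ...} process start
    """
    new_accounts: set[str] = set()
    findings: list[str] = []
    for ev in sorted(events, key=lambda e: e["t"]):  # time order matters for correlation
        kind = ev["kind"]
        if kind == "4720":
            new_accounts.add(ev["target_user"].lower())
        elif kind == "4624" and ev.get("logon_type") == 10:
            user = ev["user"].lower()
            if user in new_accounts and ev["host"].lower() in DOMAIN_CONTROLLERS:
                findings.append(f"new account {user} RDP logon to DC {ev['host']}")
        elif kind == "process":
            cmd = ev["cmdline"].lower()
            # wbadmin is legitimate backup tooling; the signal is its use against the
            # directory database, stronger still when a freshly created account runs it.
            if "wbadmin" in cmd and "ntds" in cmd:
                tag = " by newly created account" if ev["user"].lower() in new_accounts else ""
                findings.append(f"wbadmin targeting ntds on {ev['host']}{tag}")
    return findings

# Constructed sample: the report's chain for a new account, plus benign admin noise.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS07", "user": "alice", "cmdline": "wbadmin.exe get versions", "t": 170},
    {"kind": "4624", "user": "alice", "logon_type": 10, "host": "DC01", "t": 160},
    {"kind": "4720", "target_user": "svc_backup2", "t": 100},
    {"kind": "4624", "user": "svc_backup2", "logon_type": 10, "host": "DC01", "t": 140},
    {"kind": "process", "host": "DC01", "user": "svc_backup2",
     "cmdline": r"wbadmin.exe start backup -include:C:\Windows\NTDS\ntds.dit", "t": 150},
]

if __name__ == "__main__":
    for line in hunt_ntds_via_new_account(SAMPLE_EVENTS):
        print("[hunt]", line)
```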


Happy Friday everyone!

Researchers from the FortiCNAPP team, part of FortiGuard Labs, identified a new variant of the #Lcryx ransomware called #Lcrypt0rx. The report states that it "is a relatively new VBScript-based ransomware strain first observed in November 2024" and "exhibits several unusual characteristics that suggest it may have been generated using AI." According to the researchers, it currently only targets Windows machines.

Indicators that led the researchers to believe it is AI-generated include:
- Function Duplication
- Incorrect Persistence Mechanisms
- Nonexistent Target Paths
- Invalid Ransom Note URL
- Ineffective AV Disabling

These are just a few indicators, and the article provides more details about each one, but I am not going to spoil the fun! Go and check it out for yourself! Enjoy and Happy Hunting!

Old Miner, New Tricks: H2miner Resurfaces with Lcrypt0rx Ransomware
https://www.fortinet.com/blog/threat-research/old-miner-new-tricks

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #ransomware #AI #artificialintelligence


Good day everyone!

Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads", and the #Emmenhtal downloader.

Behaviors observed in this attack include a BUNCH of PowerShell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also use some URLs that may look legitimate to their targets in Ukraine, as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
https://lnkd.in/gUisprru

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Happy Wednesday everyone!

News broke that #SaltTyphoon gained access to the U.S. National Guard's network "and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report. This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units."

I am posting this as situational awareness, and I never try to strike fear in the community, so I want to remind everyone of the great resources that exist out there when you want to threat hunt or are trying to detect activity related to different #APT groups or malware! Check out the article posted below and check the comments for resources I would recommend using to supplement your threat hunting or blue team efforts! Enjoy and Happy Hunting!

DHS Salt Typhoon
https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Good day everyone!

Morphisec released an insightful report covering Iranian cyber warfare that is targeting the West and other enemies of Iran. The APT involved is #Pay2Key, "an Iranian-backed ransomware-as-a-service (RaaS) operation" that is linked to the Fox Kitten APT group and "closely tied to the well-known #Mimic ransomware."

Normally I call out the related behaviors and TTPs, but for this report I want to call out its completeness. Not only does it provide more than enough technical details to make it actionable in any environment, but it also provides a TON of threat intel to support their claims, giving the readers and audience an idea of whether they would be a target or not. It is a great report and I encourage you all to read it! Enjoy and Happy Hunting!

Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West
https://www.morphisec.com/blog/pay2key-resurgence-iranian-cyber-warfare/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
