🧠 Agent Tesla Daily Report

⬇️ Trend: declining (21%)
📊 9 new samples
🌐 0 C2 servers

Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-08

#CyberSecurity #MalwareAnalysis #SOC

🧠 Formbook Daily Report

➡️ Trend: stable (9%)
📊 8 new samples
🌐 55 C2 servers

Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-07

#CyberSecurity #MalwareAnalysis #SOC

https://archive.org/details/500ms-supply-chain-verification-toolkit

The name references Andres Freund's 500ms SSH delay that uncovered the
XZ backdoor.

The core finding: JsonSchema.Net.dll shipped in Microsoft's
DesktopAppInstaller has a SHA256 that doesn't match any official NuGet
release. It has a PE timestamp of year 2095. And it's signed by
Microsoft's HSM.

You can verify this on your own Windows 11 machine without downloading
anything from me:

Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\ConfigurationRemotingServer\JsonSchema.Net.dll"

Compare with NuGet official: https://www.nuget.org/packages/JsonSchema.Net/7.2.3

The toolkit also includes anomalies in Google's cloudcode_cli (104K
internal refs) and Intel's IGCCTray (GCP data exfil in a graphics driver).

🔍 500ms — Supply chain anomalies in Windows 11 default binaries

JsonSchema.Net.dll in Microsoft DesktopAppInstaller:
→ Hash ≠ any official NuGet release
→ PE timestamp: year 2095
→ Signed by Microsoft HSM post-modification

Verify on YOUR OWN Windows 11 (no download needed):
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\...\JsonSchema.Net.dll"
Compare: nuget.org/packages/JsonSchema.Net/7.2.3

#infosec #supplychainattack #malwareanalysis #microsoft #cybersecurity #threatintel #windows11 #forensics

🧠 AsyncRAT Daily Report

⬇️ Trend: declining (62%)
📊 3 new samples
🌐 100 C2 servers

Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-06

#CyberSecurity #MalwareAnalysis #SOC

🧠 QuasarRAT Daily Report

⬇️ Trend: declining (46%)
📊 5 new samples
🌐 0 C2 servers

Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/quasar-rat/reports/2026-04-04

#CyberSecurity #MalwareAnalysis #SOC

🧠 Agent Tesla Daily Report

⬇️ Trend: declining (54%)
📊 10 new samples
🌐 0 C2 servers

Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-04

#CyberSecurity #MalwareAnalysis #SOC

🧠 Vidar Daily Report

⬇️ Trend: declining (39%)
📊 19 new samples
🌐 100 C2 servers

Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-03

#CyberSecurity #MalwareAnalysis #SOC

FLARE Learning Hub

Free hub with reverse engineering, malware analysis, labs, and debugging modules for hands-on Windows x64 training.

https://github.com/mandiant/flare-learning-hub

#ReverseEngineering #MalwareAnalysis

BSides Luxembourg talk announcement!

🐧🚨 𝗡𝗢𝗧 𝗦𝗢 𝗛𝗔𝗥𝗠𝗟𝗘𝗦𝗦: 𝗧𝗛𝗘 𝗛𝗜𝗗𝗗𝗘𝗡 𝗪𝗢𝗥𝗟𝗗 𝗢𝗙 𝗟𝗜𝗡𝗨𝗫 𝗣𝗔𝗖𝗞𝗘𝗥𝗦 𝗔𝗡𝗗 𝗗𝗘𝗧𝗘𝗖𝗧𝗜𝗢𝗡 𝗖𝗛𝗔𝗟𝗟𝗘𝗡𝗚𝗘𝗦 - 𝗠𝗔𝗦𝗦𝗜𝗠𝗢 𝗕𝗘𝗥𝗧𝗢𝗖𝗖𝗛𝗜 🛡️🔍

Linux packers and loaders are a sneaky blind spot in cybersecurity. They hide code with encryption and obfuscation, then run it straight from memory to dodge detection. This talk dives into the “hARMless” ARM64 packer, showing off tricks like layered encryption and direct syscalls, while exposing a harsh truth: many defenses on Linux barely see it coming.

Massimo Bertocchi https://pretalx.com/bsidesluxembourg-2026/speaker/SU38N8/ Massimo Bertocchi is a Zürich-based Threat Hunter and Detection Engineer with dual Master’s degrees from KTH Royal Institute of Technology and Aalto University, recognized for his award-winning research uncovering covert C2 channels in Microsoft Teams that enable high-speed data exfiltration and expose critical gaps in enterprise security monitoring.

📅 Conference dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/
#BSidesLuxembourg2026 #CyberSecurity #ThreatHunting #MalwareAnalysis #CloudSecurity #DetectionEngineering

Tried to book a bar. Ended up reverse engineering a malware campaign instead.

A fake "Cloudflare verify" page copied an obfuscated PowerShell loader to my clipboard. So I broke it down:

XOR-obfuscated script
Payload delivery
RedCap infostealer analysis
REMnux, Ghidra & Hybrid Analysis

Also watched the infrastructure get taken down mid-write-up.

First time doing any RE

https://blog.michaelrbparker.com/post/17

(Still haven't booked that drink.)

#CyberSecurity #MalwareAnalysis #ThreatAnalysis