Several days ago, I watched a video from Security Analyst 2025 by Kaspersky.

The talk was presented by Boris Larin (@oct0xor) regarding Operation ForumTroll.

What stands out about this operation, aside from its use of a sandbox-escape exploit (correct me if I'm wrong about this =w=), is the following.

The malware used overlaps with, or probably used, the DANTE spyware framework created by Hacking Labs, which has multiple layers/techniques to prevent forensic analysis.

For anyone interested, you can watch the video at the link I shared in this status.

https://www.youtube.com/watch?v=JJmDEZL9YuA

#Cybersecurity
#Security
#Infosec
#SecurityAnalyst2025
#OperationForumTroll
#DANTE
#MalwareAnalysis
#Forensics
#ThreatIntel

Secret Talk | Boris Larin


Elastic Security: Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework https://www.elastic.co/security-labs/illuminating-voidlink #infosec #Linux #malware #malwareanalysis

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework — Elastic Security Labs

Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework that combines traditional Loadable Kernel Modules with eBPF to maintain persistence.


Any.Run: Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud https://any.run/cybersecurity-blog/banks-magecart-campaign/ @anyrun_app #infosec #fraud #malware #malwareanalysis

Global Magecart Campaign Puts Banks Under Pressure

Read ANY.RUN report featuring both executive-level insights and technical analysis of the campaign.


[PHIM] F11 — .text section entropy: 6.59/8.0

Typical code section range: 5.0–5.5
Packed/encrypted: approaching 8.0
SparrowDoor .text: 6.59 — anomalous.

Per-section breakdown:
.text → 6.59 (ANOMALOUS)
.rdata → 5.12 (normal)
.data → 2.25 (sparse, Stage 2 not embedded)
.rsrc → 4.88 (normal)
.reloc → 4.59 (normal)

.data at 2.25 confirms MpSvc.dll loaded from disk at runtime — payload not embedded in Stage 1.

not present in public vendor reporting.

#ReverseEngineering #MalwareAnalysis
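As an added example (not code from the post or from the SerapHim-CTI report), a per-section entropy check in the spirit of the breakdown above: it walks the PE section table with only the standard library, scores each section with Shannon entropy, and labels it against the bands the post uses. The 7.0 packed/encrypted cut-off and the embedded two-section sample PE are constructed assumptions, not values from the post.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(entropy: float) -> str:
    """Bands from the post: typical code 5.0-5.5, anything above is anomalous.
    The 7.0 packed/encrypted cut-off is an assumed value, not from the post."""
    if entropy >= 7.0:
        return "packed/encrypted"
    if entropy > 5.5:
        return "anomalous"
    return "normal" if entropy >= 5.0 else "sparse"

def section_entropies(pe: bytes) -> dict:
    """Walk the PE section table; return {name: (entropy, label)}."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    table = pe_off + 24 + struct.unpack_from("<H", pe, pe_off + 20)[0]
    result = {}
    for i in range(num_sections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        result[name] = (round(ent, 2), classify(ent))
    return result

def build_sample_pe() -> bytes:
    """Constructed two-section PE (valid headers, no real code): .text cycles
    over 96 byte values (entropy log2(96) ~ 6.58), .data is mostly zero padding."""
    secs = [(b".text", bytes(range(96)) * 32), (b".data", b"MpSvc.dll\0" + b"\0" * 1014)]
    blob = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    blob += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0, 0)  # COFF header
    off = len(blob) + 40 * len(secs)  # raw data starts right after the section table
    for name, body in secs:
        blob += name.ljust(8, b"\0") + struct.pack("<IIII", len(body), 0, len(body), off) + b"\0" * 16
        off += len(body)
    return bytes(blob + b"".join(body for _, body in secs))
```

Run `section_entropies(open(path, "rb").read())` on a real sample to get the same per-section table; a near-zero .data score is the "payload not embedded" signal the post describes.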

FamousSparrow / SparrowDoor static analysis.
Legacy variant (2019-2022), SHA256: 8dfaa1f579...

4 findings not present in public vendor reporting
at time of analysis (ESET, UK NCSC, Trend Micro, Microsoft)

→ Inverted anti-sandbox logic
→ Three-table substitution system
→ .text section entropy anomaly
→ 113 indirect call sites in 26KB binary

Thread: [PHIM] findings only.
Full report: https://github.com/seraphimdeck/SerapHim-CTI

#FamousSparrow #SaltTyphoon #MalwareAnalysis #CTI

GitHub - seraphimdeck/SerapHim-CTI: A collection of independent CTI reports covering active threat campaigns and attacker TTPs.


ThreatLab routes all sandbox traffic through dedicated WireGuard exit nodes across the US, UK, Germany, and Spain. Kill switch prevents IP leaks if the tunnel drops. Your real IP never touches the malware's C2.


#dfir #blueteam #malwareanalysis #infosec #sigma #sysmon #incidentresponse #blueteam

I built a local malware analysis sandbox as a solo dev. Isolated VMs, live monitoring, AI threat analysis, EVTX analyzing, and reports. Everything stays on your machine.

2-min demo: https://www.youtube.com/watch?v=KgxE3_4njpk

Beta is open and free - looking for security analysts and IR professionals to help shape the product.

https://threatlabsandbox.com

#dfir #blueteam #malwareanalysis #infosec #sigma #sysmon #incidentresponse #msp

ThreatLab - Interactive Malware Analysis Sandbox (Demo)


🎯 New #BSidesLuxembourg2026 Session Reveal!

A Phishing Trip with Fancy Bear – Analyze APT28 Malware Together! (2h Workshop) with Marius Genheimer

Join this beginner-friendly 2h workshop to walk through a real Fancy Bear (APT28) attack chain: targeted phishing email, a then-0day Microsoft Office exploit, multi-stage payloads, file formats, analysis methods, and the infrastructure behind it. No domain knowledge needed – we break it down step-by-step with small exercises and a validation system.

Warning: you will handle real-world malware (at your own risk; bring a charged laptop with a VM such as FLARE-VM/REMnux). Only basics needed: text/hex editor, browser, ZIP tool. No photos – slides provided afterwards.

Led by Marius Genheimer: DFIR Specialist & Threat Researcher at SECUINFRA Falcon Team, malware analysis expert, and defensive security trainer. Also presented at BSides Frankfurt. https://www.linkedin.com/in/marius-genheimer/

📅 6–8 May 2026 | 09:00–17:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
🗓️ Schedule link: https://pretalx.com/bsidesluxembourg-2026/schedule/

Dissect APT malware hands-on – OK for beginners, VM recommended! 🐻

#BSidesLuxembourg2026 #MalwareAnalysis #Conference #Workshop #Phishing #DFIR #APT #BlueTeam

Looking for Rust malware samples to practice your reverse engineering skills on? Just since January this year, we've added samples from 8 different malware families to the Rust Malware Sample Gallery: https://github.com/decoderloop/rust-malware-gallery/

1) KCVY OSLOCK Ransomware
2) An unnamed Rust DDoS botnet
3) FunkSec Ransomware
4) RustyWater
5) An unnamed Rust-based loader, mimicking a GoToMeeting DLL
6) Marabu Ransomware
7) An unnamed Rust-based keylogger used by SloppyLemming
8) The VENON banker RAT

Want to learn more about how to reverse these? It's the last chance to sign up for our "Deconstructing Rust Binaries" training, at @ringzer0 next week: https://ringzer0.training/countermeasure-spring-2026-deconstructing-rust-binaries/

Can't make it to Ringzer0? We're also offering the "Deconstructing Rust Binaries" training at @NorthSec, in May! https://nsec.io/training/2026-deconstructing-rust-binaries/

#rust #rustlang #malware #infosec #ReverseEngineering #MalwareAnalysis #reversing

GitHub - decoderloop/rust-malware-gallery: A collection of malware families and malware samples which use the Rust programming language.
