Observed campaign summary:

Initial Access:
• Phishing emails with Excel (.XLAM) attachments
Execution:
• CVE-2018-0802 (EQNEDT32.EXE)
• HTA → mshta.exe
• PowerShell in-memory decoding
Deployment:
• Fileless .NET loader disguised as Microsoft.Win32.TaskScheduler
• Process hollowing into Msbuild.exe
• AES-encrypted C2 packets
• Delimited command protocol
• Plugin-based architecture (50+ modules)

Capabilities include credential theft, ransomware, DDoS, system control, registry persistence, and remote command execution.

This campaign demonstrates mature modular RAT engineering combined with social engineering entry points.

Blue teamers - which telemetry source provides the strongest signal here?

Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails?lctg=330010614

Follow @technadu for ongoing malware analysis and threat intelligence coverage.

#Infosec #MalwareResearch #ThreatIntel #XWorm #RAT #ProcessInjection #EDR #DFIR #CyberDefense #BlueTeam #TechNadu
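As an added illustration (not part of the post above or the linked Fortinet write-up), the execution chain in the summary expressed as three parent/child process-creation rules and run over constructed Sysmon-style events; the field names, sample paths and the `SCRIPT_HOSTS` set are assumptions:

```python
import re

# Constructed Sysmon-style process-creation events (assumed field names,
# not real telemetry); only the fields the rules need are included.
EVENTS = [
    {"pid": 4200, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"pid": 4300, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"mshta.exe C:\Users\Public\stage.hta"},
    {"pid": 4400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBBAEEA"},
    {"pid": 4500, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "MSBuild.exe"},
    # Benign control: a developer build started from the IDE must not alert.
    {"pid": 5100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe app.csproj /t:Build"},
]

# Assumed list of script hosts that should not normally launch build tooling.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+|FromBase64String")
PROJECT_ARG = re.compile(r"(?i)\.(\w*proj|sln)\b")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) for every event that matches one stage of the chain."""
    hits = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
        # Stage 1: Equation Editor has no legitimate reason to spawn children.
        if parent == "eqnedt32.exe":
            hits.append(("eqnedt32_child_process", ev["pid"]))
        # Stage 2: PowerShell launched by a script host with an encoded payload.
        if img == "powershell.exe" and parent in SCRIPT_HOSTS and ENCODED_PS.search(cmd):
            hits.append(("scripthost_encoded_powershell", ev["pid"]))
        # Stage 3: MSBuild started by a script host with no project file is a
        # hollowing candidate; genuine builds pass a .proj/.sln argument.
        if img == "msbuild.exe" and parent in SCRIPT_HOSTS and not PROJECT_ARG.search(cmd):
            hits.append(("msbuild_without_project_from_scripthost", ev["pid"]))
    return hits
```

Each rule keys on the parent/child relationship rather than on file hashes, which is why process-creation telemetry with parent image and command line survives the fileless and in-memory stages that leave nothing on disk.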

RedirectThread: Building more evasive primitives to use as an alternative to existing process injection techniques

https://github.com/Friends-Security/RedirectThread

#processinjection #infosec

GitHub - Friends-Security/RedirectThread: Playing around with Thread Context Hijacking. Building more evasive primitives to use as alternative for existing process injection techniques

My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: https://research.checkpoint.com/2025/waiting-thread-hijacking // #ProcessInjection
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research

Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purposes such as: In our previous blog on process injections we explained the foundations of this topic and basic ideas behind detection and prevention. We also proposed a new technique dubbed Thread […]

Check Point Research

Just read this amazing article about #processinjection technique #doppelganger

This one here gives a detailed and understandable insight into this technique for #redteam and #blueteam equally.

https://vari-sh.github.io/posts/doppelganger/

Doppelganger: Cloning and Dumping LSASS to Evade Detection

Technique for cloning and dumping LSASS to evade detection using RTCore64.sys, NtCreateProcessEx and MiniDumpWriteDump.

vari.sh's Blog

It's been quite a bit since I have been on here. A small update:
- I have a security analyst working with me, the help has been great!
- I am going back to Penn State for the third time to do a security talk about process injection!
- I am prepping our annual penetration tests against our web app!

I continue to grow and learn more about my field in Security and am so grateful for the fun I get to have!
#security #updates #gratitude #processinjection #pennstate

Introducing Early Cascade Injection | Outflank Blog

Get an introduction to Early Cascade, a novel process injection technique that is effective against top tier EDRs while avoiding detection.

Outflank
In my new blog for #CheckPointResearch I propose a new injection technique, using the Thread Name API - check it out! 💙 : https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense // #ThreadNameCalling #processInjection
Thread Name-Calling - using Thread Name for offense - Check Point Research

Research by: hasherezade Highlights: Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purposes such as: Due to the fact that interference in the memory of a process by malicious modules can cause a lot of damage, all sorts of AV […]

Check Point Research

Well, isn't this just "punch you in the gut while I rip your teeth out" peachy. Never thought a #PoolParty would be such a downer #Hacking #ProcessInjection

https://securityaffairs.com/155464/hacking/pool-party-bypassing-edr.html

Bypassing major EDRs using Pool Party process injection techniques

Researchers devised a novel attack vector for process injection, dubbed Pool Party, that evades EDR solutions.

Security Affairs

A couple of blog posts for learning about Linux process injection (specifically sshd injection for credential harvesting)

https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/

https://jm33.me/sshd-injection-and-password-harvesting.html

#processinjection #redteam #cybersecurity

Linux ptrace introduction AKA injecting into sshd for fun

If there is one thing I've come to appreciate over these past few weeks, it's just how much support you are provided from the Win32 API. That being said, I wanted to tackle some Linux process injection, with the aim of loading a shared object into another process address space without having to resort to LD_PRELOAD, or stopping the process. The goal I set myself was quite simple, could I recover plain text credentials from the sshd process using ptrace. Granted, this is a bit of an arbitrary goa

XPN InfoSec Blog