Dio9sysFeb 24

It's been extremely hard to keep this one under wraps.

I just published a new blog post, where one weird string that looks like a cookie value turned out to be a whole cryptostealer and database wiping operation.

https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/

I spent some late nights on this one, and am a little bit ridiculously proud of the work I did.

What’s That String? That Time a Weird String Revealed a Whole Operation – GreyNoise Labs

One weird payload turned out to be a loose thread on an active hacking operation.

GreyNoise Labs
Show threadIan Campbell 🏴Feb 24

@Dio9sys "hey that looks like backwards base64"

i love those moments.

Show threadfmarl
@neurovagrant @Dio9sys "hey that looks like AES-GCM, encrypted with the Key ..." would be very handy.
Feb 24 at 9:17pmWeb