Jai Minton 

640 Followers
189 Following
72 Posts
An Aussie who does cyber things | Sr. Manager and Former Principal @huntress | Former Principal @ CrowdStrike | https://www.jaiminton.com | Posts = own views.
Website: https://www.jaiminton.com/
BlueSky: https://bsky.app/profile/jaiminton.com
Twitter: https://twitter.com/CyberRaiju
YouTube: https://youtube.com/@cyberraiju

Episode 4 of Breach Log is now out! In this episode I'm joined by Cameron Cottam who tells his story about responding to a critical alert at 2am. Enjoy.

Spotify: https://open.spotify.com/episode/26Lr7euOqa3ma2FaYQMpsr?si=_LmUaNv2SauM0uQEaFWVog

Other Providers: https://creators.spotify.com/pod/profile/breachlog/

Ep4: Think Twice Before You Fix It with Cameron
Breach Log - Every hack has a story to tell · Episode (Spotify)

Episode 3 of Breach Log is now available! Whether you're heading into the weekend or beginning your Friday, I hope you can carve out a mere 20 minutes to enjoy another story from the vault of detecting and responding to hacks around the world. As always, if you have a story to share, get in touch; you don't need to work on the format of it, we can do that together 🙏

https://open.spotify.com/episode/7MY3S511BfQOw9FxH4uMDH?si=YkRqLmwfSeqlnFpuLMiTxg

Ep3: Care to Exchange 0-days?
Breach Log - Behind every hack is a story to tell · Episode (Spotify)

I teamed up with Ryan Dowd to investigate a fake OpenClaw installer hosted on GitHub. This was also picked up by Bing's AI and recommended as the correct way to install OpenClaw on Windows.

The executable had 0 VT hits, and the MacOS variant would deploy a binary likely to be Atomic MacOS Stealer. The executable didn't run in sandboxed environments, and was deploying information stealers in addition to GhostSocks.

The addition of GhostSocks is interesting as it turns compromised systems into a proxy the threat actor can use to route their logins through. This enables them to bypass anti-fraud checks from online services. It also contained a hidden parameter which if given would launch in a debugging mode providing complete insight into the GhostSocks configuration.

This is a current campaign impersonating popular GitHub repositories claiming to be easier methods of installation, and the threat actor is posting issues on legitimate GitHub projects to help drive traffic to their malicious repositories.

Have a read, hope you enjoy.

https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer

How Fake OpenClaw Installers Spread GhostSocks Malware | Huntress
Huntress warns of fake OpenClaw installers on GitHub deploying malware. Learn how these attacks happen, identify signs of infection, and stay protected.

Episode 2 of Breach Log is now available! Special thanks to Max Margolis for joining me and telling his story.
If you have a story you'd like to share, get in contact and we can have some fun! breachlogpodcast [@] gmail.com
https://open.spotify.com/episode/4SDz0RGNXaRVVEJNgabTyh?si=VKSgAn0mSgKrs4Q2mPyfig
Ep2: The Unseen Impact of Ad Fraud with Max
Breach Log - Behind every hack is a story to tell · Episode (Spotify)

Happy start of the week.

As a treat the first episode of a new podcast 'Breach Log' is now available.
If you like defensive cyber security stories being told then this may appeal to you. It's available on all good podcast providers, but the RSS and Spotify link are included below.

RSS: https://rss.com/podcasts/breachlog/2439149/
Spotify: https://open.spotify.com/episode/4WViEcKqIlFIGoSDuvK61G

Please let me know your thoughts and feelings, and if you have a story to tell get in contact and we'll have a chat to get your story told with a format that has more back and forth 🙏

1: The Vampire RAT | Podcast Episode on RSS.com

It's all fun and games until a researcher identifies a backdoor with ransomware capability, global victims, and hacked systems all around the world. Now if only someone would listen. This story comes from the host of the show, Jai Minton. Want to get technical? Read the Reverse Engineering write-up here.
Credits: Music from Uppbeat: Alert, Cold Fire, Distance. Music and SFX by various artists from Pixabay.

As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which was presented at DEFCON.

Indicators on Xitter/LinkedIn

https://x.com/CyberRaiju/status/1956566419388182954?t=ja3SIvBipXuzd1aPrKlLfA&s=19

https://www.linkedin.com/posts/activity-7362332110327570433-7AEV

Jai Minton (@CyberRaiju) on X

As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which was presented at DEFCON. Props to @Cyber4a53 for find. https://t.co/ktPlOJkekW CC: @HuntressLabs 👇

Another notable Octowave Loader sample with installer MSI showing low VT hits, and malicious DLLs being completely undetected. Sideloads into the legitimate Audacity.

Installs itself as 'Directory Converter' in the user LocalAppData 'Programs' directory.

Likely from a fake Cloudflare challenge. Has 4 malicious DLLs, a Progress.pak supporting file, and shellcode inside of Presentations\Application.wav

Deploys LummaC2 into memory which is now using both Telegram channel and Steam Community names for C2 fallback.

MSI: https://www.virustotal.com/gui/file/6251d8f0af660e1e92506d6cea15fd9a7d332a669a6e1b3cf47914b45267b16d

DLL1:
https://www.virustotal.com/gui/file/dd94a417398e749ec63395af31b4749421fc37ec4259da8cd068d3c9fc5198fe/details

DLL2:
https://www.virustotal.com/gui/file/ccfa5f475659d3ee9503cc4d80ecccd34c7f012a17a74bd5a4a43c6223db5adb

DLL3:
https://www.virustotal.com/gui/file/3d72ea9d39991e7300aa0fa50ec2877443afbbd507881cdebfda0f5ed1517926/details

DLL4:
https://www.virustotal.com/gui/file/d0ff2e4092426ef8d17c65ec031fec3db797f1e7a48f011767ca1cffb3d05135/details
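Two defender-side checks for the pattern described in this post, added here as example code (not Huntress's tooling and not the author's): a hunt over constructed Sysmon-style image-load records for a binary under AppData\Local\Programs loading unsigned DLLs from its own folder, and an entropy test for a .wav that carries shellcode instead of audio. The name audacity.exe, the DLL names and the 7.5 bits/byte threshold are assumptions; the page names none of them.

```python
import math
from collections import Counter
from pathlib import PureWindowsPath
from random import Random

# Constructed Sysmon-style image-load (Event ID 7) records, not real telemetry.
# 'audacity.exe' and the DLL names are placeholders: the post names neither.
EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Programs\Directory Converter\audacity.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Programs\Directory Converter\lib1.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\u\AppData\Local\Programs\Directory Converter\audacity.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Audacity\audacity.exe",
     "ImageLoaded": r"C:\Program Files\Audacity\lib1.dll", "Signed": "true"},
]

def suspicious_sideloads(events):
    """Return unsigned DLLs loaded from its own directory by a process that lives
    under a user-writable AppData\\Local\\Programs path (the post's sideload shape)."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        parts = [p.lower() for p in exe.parts]
        in_user_programs = all(p in parts for p in ("appdata", "local", "programs"))
        if in_user_programs and dll.parent == exe.parent and ev["Signed"] != "true":
            hits.append(dll.name)
    return hits

def shannon_entropy(data):
    # Bits per byte over the whole buffer; 8.0 is the maximum for random data.
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def make_wav(payload):
    """Build a minimal RIFF/WAVE container (44-byte header) around payload."""
    return (b"RIFF" + (36 + len(payload)).to_bytes(4, "little") + b"WAVEfmt "
            + (16).to_bytes(4, "little") + bytes(16)  # fmt chunk body, zeroed
            + b"data" + len(payload).to_bytes(4, "little") + payload)

def wav_looks_like_carrier(data, threshold=7.5):
    """Real PCM audio (silence, tones, speech) rarely approaches 8 bits/byte;
    encrypted or packed shellcode embedded after the header does."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE" or len(data) <= 44:
        return False
    return shannon_entropy(data[44:]) > threshold

# Constructed samples: 4 KiB of deterministic pseudo-random bytes vs. pure silence.
CARRIER_WAV = make_wav(Random(7).randbytes(4096))
SILENT_WAV = make_wav(bytes(4096))
```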


New video released 🎉: Once again looking at malware sent over Discord, but this time we can analyse it statically after performing AES decryption. You may also see reference in the video to some stealers which have since shut down or rebranded 😎 Enjoy!
https://www.youtube.com/watch?v=knu0DttZxxc
DISCORD "try my game" MALWARE | Reverse Engineering Leet Stealer, Electron Malware Used By HACKERS (YouTube)

Are you interested in Generative AI and 💉 Prompt Injection techniques? I've just released a short video exploring the Main Gandalf challenge by Lakera AI and how you can convince 🧙‍♂️ to give you his secrets through specifically crafted prompts.

Enjoy!

https://www.youtube.com/watch?v=pQ5KKvSUjoM

Hacking Gandalf AI (LLM) to reveal SECRETS | Basic PROMPT INJECTION techniques (YouTube)

Stumbled into a supply chain attack yesterday affecting over 100 auto dealerships. The third party was informed and has remediated.

https://rmceoin.github.io/malware-analysis/2025/03/13/supply-chain.html

#ClickFix

Auto Dealership Supply Chain Attack | Malware Analysis