Just Another Blue Teamer

@LeeArchinal@ioc.exchange

A threat hunter that has a passion for logs, especially endpoint logs, and for teaching the next generation of Threat Hunters to come!

I have recently been awarded the honor to be a trainer at #BlackHat 2023, which is an amazing opportunity and a goal I had set for myself. I am truly flattered!

Twitter: @ArchinalLee
LinkedIn: https://www.linkedin.com/in/lee-archinal/

Happy Wednesday everyone!

I came across this article from Check Point Software's research team where they discuss a malware "prototype" they found that contained prompt injection to trick any LLM that it may be interacting with while it is being analyzed, aptly named Skynet. It attempted to use the "Ignore all previous instructions" command, adding another layer of sandbox evasion, but was unsuccessful in this instance. The malware also contained an embedded TOR client which, when executed, can be later used and controlled by accessing the specified ports. After execution the malware component wipes the entire %TEMP%/skynet directory that was created. This was overall a very interesting read and could unfortunately be the first of many malware samples to attempt this technique. I hope you found this as interesting as I did and Happy Hunting!

In the Wild: Malware Prototype with Embedded Prompt Injection
https://research.checkpoint.com/2025/ai-evasion-prompt-injection/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #llm

New Malware Embeds Prompt Injection to Evade AI Detection - Check Point Research

Detected for the first time, malware attempts AI evasion by injecting a prompt to tell the LLM to label the file as benign

Check Point Research

Not to beat a dead horse, but deleting shadow copies is a very common behavior that many ransomware strains use. So if you are on the hunt, let us help you with this Community Hunt Package!

Shadow Copies Deletion Using Operating Systems Utilities
https://hunter.cyborgsecurity.io/research/hunt-package/2e3e9910-70c1-4822-804a-ee9919b0c419

#huntoftheday #gethunting

Intel 471 | HUNTER

Good day everyone!

A little while ago I stumbled across an article from Trend Micro that discussed the #Anubis ransomware and its abilities to act both as a ransomware and a wiper. Now it appears that the group has gained sensitive documents related to Disneyland Paris's plans for new rides and renovations (Anubis X post is in the article). Not trying to fear-monger or anything but it goes to show how these groups will adapt their TTPs and behaviors to get to any organization.

Anubis Ransomware Lists Disneyland Paris as New Victim
https://hackread.com/anubis-ransomware-lists-disneyland-paris-new-victim/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


If this article got you thinking about LOLBINs, take this great information and make it actionable with this Community Hunt Package! It covers the execution of common LOLBINs directly related to discovery activity! Now Get Hunting!

Excessive Windows Discovery and Execution Processes - Potential Malware Installation
https://hunter.cyborgsecurity.io/research/hunt-package/6d1c9f13-e43e-4b52-a443-5799465d573b

#huntoftheday #gethunting #HappyHunting

Intel 471 | HUNTER

Happy Wednesday all!

Sometimes it's good to take it back to the basics! Cisco Talos shares their insights and trends on adversaries using legitimate tools with nefarious intent! They discuss Living-off-the-land binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools and the impact they can have! Enjoy and Happy Hunting!

When legitimate tools go rogue
https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.

Cisco Talos Blog

Apologies for the delay, didn't mean to leave all you threat hunters hanging! According to the researchers, #Anubis #ransomware runs the following command to inhibit system recovery (T1490): "vssadmin delete shadows /for=norealvolume /all /quiet". This is a common behavior from ransomware strains, but you can use this Community Hunt Package to help discover that activity in your environment! Go find evil and get hunting!

Shadow Copies Deletion Using Operating Systems Utilities

https://hunter.cyborgsecurity.io/research/hunt-package/2e3e9910-70c1-4822-804a-ee9919b0c419

#huntoftheday #gethunting!

Intel 471 | HUNTER
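To make the command quoted above hunt-ready, here is an added example (my own illustration, not the Hunt Package linked above) that flags shadow-copy deletion in process-creation telemetry. The vssadmin form is the one quoted from the Anubis report; the wmic, PowerShell and wbadmin patterns, and the Sysmon Event ID 1 field names, are assumptions of this example.

```python
"""Hunt for shadow-copy deletion (ATT&CK T1490) in process-creation events."""
import re

# Patterns for OS utilities commonly used to delete Volume Shadow Copies.
# Only the vssadmin form is quoted from the Anubis report; the other three
# are assumed additions that cover the same recovery-inhibition behaviour.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
]


def is_shadow_copy_deletion(command_line):
    """Return True if a process command line matches a shadow-copy deletion pattern."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def hunt(events):
    """Return (host, parent_image, command_line) for every matching process-creation event.

    Each event is a dict shaped like a Sysmon Event ID 1 record (assumed field names).
    Listing shadows (no delete) and non-process events are ignored."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        if is_shadow_copy_deletion(cmd):
            hits.append((ev["Computer"], ev.get("ParentImage", ""), cmd))
    return hits


# Constructed sample events (not real telemetry). Note the unusual parent of the
# first vssadmin call: the parent process is often the most useful pivot.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "vssadmin delete shadows /for=norealvolume /all /quiet"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "Computer": "SRV02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 3, "Computer": "WS01", "CommandLine": "vssadmin delete shadows /all"},
]

if __name__ == "__main__":
    for host, parent, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host}: {parent} -> {cmd}")
```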

Good day everyone!

Trend Micro provides us insight on "A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025" named #Anubis. It has been designed to have "more destructive capabilities" that can wipe directories that "severely impact chances of file recovery". Researchers also provide MITRE ATT&CK mapping to help teams make this information actionable, so big thanks to them! Check out the details I missed, enjoy the article, and Happy Hunting!

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Anubis is an emerging ransomware-as-a-service (RaaS) group that adds a destructive edge to the typical double-extortion model with its file-wiping feature. We explore its origins and examine the tactics behind its dual-threat approach.

Trend Micro

Happy Monday Everyone!

It's that time again! Just pushing this out to the threat hunting community and beyond! If you had a question about threat hunting in the past or currently have one that is burning a hole in your brain, feel free to ask us at Intel 471! We are currently working through the backlog of all the other questions that we have, but feel free to throw yours in the ring and get it featured in a future video! Have a wonderful day and Happy Hunting!

Lee-Git Threat Hunting
https://docs.google.com/forms/d/1fYIKFwNGuwYzl3-ktMa7gRz4Uxl2vOUHbAj2CuiuQ4M/edit

Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting


This form is your chance to ask anything about threat hunting. If there's a technique you find challenging, a tool you're unsure about, or an investigation approach you want to understand better, let us know. Your questions will guide upcoming videos where we’ll break down real-world challenges, share insights, and highlight strategies from experienced threat hunters.

Google Docs

Happy Wednesday everyone!

A "fully undetected #infostealer malware sample written in Rust" was identified by Trellix researchers while conducting a proactive hunt! The distribution should not come as any surprise, fraudulent gaming websites! This is not an old tactic and something that I have read about from many vendors (Remember, downloading cracked or "free" games from sites normally means you just aren't paying with money!). In this case, the "game" files were distributed as password-protected rar files which contained the stealer executable with some legitimate game-related files. This is another tactic that is commonly used to "assure" the user that they downloaded something legitimate.

The researchers also discussed the capabilities of the malware and here are just a few:
- It displayed a fake window to the user to fool them into thinking it is a legitimate application.
- It terminates a list of processes, some that relate to browsers.
- Steals passwords, cookies, autofills, and saved credit card information from applications like Discord and Chrome.
- Drops a copy of itself in the \AppData\Roaming directory and saves a .lnkk file in the startup directory for persistence. The attackers link the executable and the .lnkk through registry keys so it can execute the .exe file properly.

Thanks goes to the researchers (who if you want tagged in here let me know!) for the great report and details! I hope you enjoy the read as much as I did and go check out the details I left out, it's worth it! Happy Hunting!

Demystifying Myth Stealer: A Rust Based InfoStealer
https://www.trellix.com/en-in/blogs/research/demystifying-myth-stealer-a-rust-based-infostealer/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day everyone!

This is a really interesting read from SentinelOne Labs. Back in October 2024 they dealt with a reconnaissance operation that was related to the activity cluster tracked as #PurpleHaze and then in 2025 "they helped disrupt an intrusion linked to a wider #ShadowPad operation". The activity was attributed to China-nexus threat actors.

The article gives an in-depth view of what it looks like when an organization that is responsible for "IT services and logistics" gets compromised, which we could call a supply-chain attack. The article also provides a TON of technical details about tools and infrastructure that were used, indicators of compromise to scan for in your environment, and behaviors and commands that were observed throughout. This one may take a while to read but it's worth it! Thanks to the researchers Dr Aleksandar Milenkoski and Tom Hegel for this report! I hope you all enjoy it as much as I did. Happy Hunting!

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

SentinelOne