Ján Trenčanský

192 Followers
279 Following
806 Posts
EDR R&D team lead and cat herder at ESET.
"I regret to inform you that Cyber Satan is in play."
Blog: https://death.sk
GitHub: https://github.com/j91321
Bluesky: https://bsky.app/profile/j91321.bsky.social

RE: https://mastodon.social/@campuscodi/116756737024675823

I’m not surprised that SBOM adoption is so low, almost all the efforts around SBOMs have been compliance theatre, not actually tackling the hard work of working out which software is being packaged.

There’s also zero incentive for open source to generate or use SBOMs, it’s just companies trying to sell products based on EU directives.

For developers, package managers and lockfiles do almost everything they need.

shot some 🩷 infrared 🩵 at the local abandoned factory complex

Fujifilm X-T30, Fujinon XF 18-55mm f/2.8-4

#queerphotography #digitalphotography #infrared #infraredphotography #fujifilm #urbex #france #abandoned

I've never understood the compulsion of "I need to get a degree to stop feeling like a fraud". I know quite a few people with degrees (some of them with several) who are frauds. Having or not having one has very little to do with the other.

Worth noting that report was out for 9 months before anybody actually challenged it.

Similar with the 80% of ransomware groups use GenAI report from MIT (which I ended up getting removed). Is anybody actually bothering to check the GenAI thing is real?

KPMG and EY aren't, they aren't even reading their own reports as they're busy cashing the cheque like MIT.

Holy shit, y'all. I stopped reading at this point:

  • Avoid having vulnerabilities in systems that ransomware could exploit.

https://nvlpubs.nist.gov/nistpubs/ir/2026/NIST.IR.8374r1.pdf

#ESETresearch has discovered a supply-chain attack targeting stock investors in Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform. https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
ESET telemetry suggests that the attack started around October 2025 and ended in March 2026. In our investigation, only a small subset of exposed users received the final backdoor, SPECTRALVIPER, suggesting selective targeting.
Detailed analysis of the supply chain, the contour of OceanLotus’s victimology in recent years, and the architecture of its signature backdoor, SPECTRALVIPER, is available at:
https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/oceanlotus

Cloudflare has finally started signing the cloudflared tunneling utility, after years of ignoring the issue. Of course they ignored my other request to also populate the original filename, because that would make sense... It's still used by ransomware gangs and it's often renamed. Anyway, it's now easier to yeet this from your environment as you don't have to babysit a list of hashes.

A visual novel plotline sprung to life:

- Kids at a high school in Rome had been telling each other for decades that there were secret rooms under the school. Teachers laughed it off as playground rumors

- During a protest sit-in, the kids took the opportunity to go where they’re not supposed to go and reported that there were really, definitely secret rooms under the school

- The staff found a mysterious iron door in the basement that apparently no one knew the purpose of; after getting it open, they found some sort of disused furnace… which opened directly into an entire ancient Roman villa

https://nos.nl/artikel/2617238-scholieren-vinden-1800-jaar-oude-romeinse-villa-onder-eigen-school-in-rome

Pupils find 1,800-year-old Roman villa under their own school in Rome

According to archaeologists, the domus lies in an area where major Roman figures such as Augustus, Cicero and Pompey lived, but about which little is known.

Well, bitskrieg is public.

While Microsoft "fixed" YellowKey as CVE-2026-45585 (and by "fixed", I mean they have provided manual steps that you can perform if you want to remove autofstx.exe from the WinRE registry BootExecute value), bitskrieg still works on such a system to achieve the same goal (getting access to a TPM-only BitLocker encrypted disk, without knowing any credentials on the system). Though it requires a second computer, or a device that can communicate on a serial port. VM reproduction requires adding a serial port to the VM. Physical machines can reproduce the same with a supported USB-to-serial device.

1. Boot into WinRE (hold [shift] when clicking reboot button)
2. Go to a command prompt, ignoring the prompt to enter a BitLocker recovery key. (Click Skip this drive)
3. Enable Emergency Management Services (EMS) to use a serial port as the EMS port.

bcdedit /set ems 1
bcdedit /set emsport 1

4. Reboot back into WinRE
5. From your other computer, connect to the serial port.
6. Type:

cmd
[esc]
tab
-
7. Enjoy your cmd.exe prompt (over serial) with a decrypted (assuming it's TPM-only) hard disk.

Note: Depending on the lineage of your Win11 installation, your WinRE experience may not give you a CMD.EXE prompt immediately upon clicking Skip this drive. Instead, it may say Command Prompt is unavailable because the OS drive is locked. In this case, you'll need to reboot into the command prompt to set up EMS.
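The technique above depends on Emergency Management Services being switched on in the on-disk BCD store, so a defender's first check is whether any boot entry has it enabled. The audit script below is an added example, not code from the post's author or from the bitskrieg project; it assumes an elevated PowerShell session on Windows and that bcdedit prints its settings in the usual two-column "name value" layout (the exact value strings such as "Yes" are an assumption).

```powershell
# Added example (not from the original post): audit every BCD entry for EMS settings.
# Assumes elevated PowerShell; bcdedit output is parsed as "name<spaces>value" lines.
function Get-BcdEmsStatus {
    $lines = bcdedit /enum all 2>&1
    $entries = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^identifier\s+(\S+)') {
            if ($current) { $entries += $current }
            # Defaults mirror an entry where EMS was never configured (assumption).
            $current = [pscustomobject]@{
                Identifier  = $Matches[1]
                Description = ''
                Ems         = 'No'
                EmsPort     = ''
                EmsBaudRate = ''
            }
        } elseif ($current -and $line -match '^description\s+(.+)$') {
            $current.Description = $Matches[1].Trim()
        } elseif ($current -and $line -match '^ems\s+(\S+)') {
            $current.Ems = $Matches[1]
        } elseif ($current -and $line -match '^emsport\s+(\S+)') {
            $current.EmsPort = $Matches[1]
        } elseif ($current -and $line -match '^emsbaudrate\s+(\S+)') {
            $current.EmsBaudRate = $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Report only entries where EMS is on; the recovery entry is the one the post cares about.
$enabled = Get-BcdEmsStatus | Where-Object { $_.Ems -eq 'Yes' }
if ($enabled) {
    Write-Warning 'EMS is enabled on the following boot entries:'
    $enabled | Format-Table Identifier, Description, EmsPort, EmsBaudRate -AutoSize
} else {
    Write-Output 'EMS is not enabled on any BCD entry.'
}
```

Run it from the installed OS rather than from WinRE, since both environments share the same BCD store on disk and an unexpected emsport on any entry is the thing worth alerting on.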