kurt baumgartner

260 Followers
164 Following
290 Posts
tweeter formerly known as @k_sec and ex-comrade.
I have many leather-bound books and my apartment smells of rich mahogany.
thanks for all the xor.
Predator iOS Spyware: Undocumented Anti-Analysis Techniques

Jamf Threat Labs reveals Predator spyware's sophisticated anti-analysis capabilities including error code taxonomy, crash monitoring and detection evasion.

“Everything indicates that these attacks were prepared by groups directly linked to the Russian services.”

https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/

Cyberattack Targeting Poland’s Energy Grid Used a Wiper

A cyberattack that targeted power plants and other energy producers in Poland at the end of December used malware known as a “wiper” that was intended to erase computers and cause a power outage and other disruption to services, says European security firm ESET, which obtained a copy of the

ZERO DAY

great start with opsec tips...
1. don't upset the tail.
2. if you end up face to face, just ask for the time and DO NOT take a selfie with them. :)
3. oh yeah, and use google docs, at the appropriate time. no surprises.

https://youtu.be/pooCY4ZOYSM?si=ATZRMNqYMfdVcQFp

Google Pixel 'zero-click' exploit caused by AI, mysterious Poland grid attacks, China bans US cyb...

YouTube
Got a little nerd sniped by the last slide of the "APT Down" talk at #39c3 and looked at that payload.bin file. It's x86_64 shellcode, and that string that was mentioned is an API function name that gets decrypted in a basic decoder loop. Hunting for related files with that bytecode pattern leads to samples uploaded to VirusTotal from KR, CN, TW, HK, VN. This indicates a broader East-Asian focus. Context: https://phrack.org/issues/72/7_md
APT Down - The North Korea Files

Phrack
kevin still maintains the title for the best business card i received
Confessions to a data lake

I’ve been building Confer: end-to-end encryption for AI chats. With Confer, your conversations are encrypted so that nobody else can see them. Confer can’t read them, train on them, or hand them over – because only you have access to them.

Confer Blog
Looking Back at 2025's Cybersecurity Landscape: Key Trends to Watch in 2026
https://tlpblack.net/blog/20251218-cybersecurity-year-in-review

An intelligence analyst's perspective on the dominant cybersecurity trends of 2025, from AI-driven threats to supply chain vulnerabilities and the evolving APT landscape

React2Shell Exploitation in the Wild: CVE-2025-55182 Analysis

Within 24 hours of the React Server Components RCE disclosure (CVE-2025-55182, CVSS 10.0), we observed active exploitation campaigns targeting vulnerable Next.JS applications, leading to cryptojacking operations across multiple continents.

Our latest blog post details:

• Real-world incident response from compromised production servers
• Timeline of attack progression from initial recon to persistence
• Multiple threat actor clusters exploiting the same vulnerability
• AI-assisted malware development patterns
• Forensic analysis of deployed cryptominers and backdoors

Key Findings:
- First exploitation attempts detected as early as December 5th, 2025
- Attackers refined their tooling within 18 hours between reinfection attempts
- Targets span US, Europe, and Southeast Asia, including large enterprise environments
- Multiple persistence mechanisms: systemd units, shell injection, custom SSH servers

Full technical analysis on our blog:

https://tlpblack.net/blog/20251209-the-anatomy-of-a-react2shell-compromise

Hashes:

C2 IP Addresses:

Stay safe!

The Anatomy of a React2Shell Compromise

Analysis of React Server Components RCE vulnerability (CVE-2025-55182) exploitation leading to cryptojacking campaigns targeting Next.JS applications

Shai Hulud Strikes Again (v2) - Socket

Another wave of Shai-Hulud campaign hits npm.

Socket