π™½π™΄πšƒπšπ™΄πš‚π™΄π™²

@netresec@infosec.exchange
1,095 Followers
533 Following
292 Posts
Why does CloudFlare insist on forwarding abuse reports to hosting providers and website owners? This makes no sense if the website operators and possibly also hosting providers are the criminals you're trying to stop!

Researchers uncover how the Facebook app used localhost STUN communication with the browser to track visited websites in Covert Web-to-App Tracking via Localhost on Android. This trick works even if the user browses in incognito mode and uses a VPN.

The Meta Pixel uses a technique known as SDP Munging to insert the _fbp cookie contents into the SDP "ice-ufrag" field, resulting in a Binding Request STUN message sent to the loopback address as the following figure shows. This data flow cannot be observed using Chrome's regular debugging tools (such as DevTools).
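Added example, not code from the original post or from the paper it links: a small Python parser for the STUN Binding Request described above. It pulls the ICE USERNAME attribute out of a STUN message and checks whether it carries an _fbp-shaped token. The STUN layout follows RFC 5389; the _fbp cookie shape (fb.<version>.<13-digit ms timestamp>.<random>) and the sample packets are assumptions made for the example. Restricting the check to loopback traffic is left to the capture (e.g. capturing on the loopback interface and UDP only).

```python
import re
import struct

# Added example, not code from the original post. STUN header/attribute layout per RFC 5389;
# the _fbp cookie shape (fb.<version>.<13-digit ms timestamp>.<random>) is an assumption.
STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
ATTR_USERNAME = 0x0006

FBP_RE = re.compile(r"fb\.\d+\.\d{13}\.\d+")


def parse_stun(packet):
    """Split a STUN message into (type, transaction id, [(attr_type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", packet[:8])
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000 or len(packet) < 20 + msg_len:
        raise ValueError("not a well-formed STUN message")
    attrs = []
    offset, end = 20, 20 + msg_len
    while offset + 4 <= end:
        atype, alen = struct.unpack("!HH", packet[offset:offset + 4])
        attrs.append((atype, packet[offset + 4:offset + 4 + alen]))
        offset += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    return msg_type, packet[8:20], attrs


def ice_username(attrs):
    """Return the USERNAME attribute as text, or None. ICE sets it to '<remote-ufrag>:<local-ufrag>'."""
    for atype, value in attrs:
        if atype == ATTR_USERNAME:
            return value.decode("utf-8", "replace")
    return None


def fbp_from_binding_request(packet):
    """If the packet is a Binding Request whose ICE username carries an _fbp-shaped token, return it."""
    msg_type, _txid, attrs = parse_stun(packet)
    if msg_type != STUN_BINDING_REQUEST:
        return None
    username = ice_username(attrs)
    if username is None:
        return None
    match = FBP_RE.search(username)  # the munged ufrag may sit on either side of the colon
    return match.group(0) if match else None


def build_stun(msg_type, username, txid=b"\x11" * 12):
    """Build a STUN message with a single USERNAME attribute (constructed test data)."""
    value = username.encode("utf-8")
    padding = b"\x00" * ((-len(value)) % 4)
    body = struct.pack("!HH", ATTR_USERNAME, len(value)) + value + padding
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC_COOKIE) + txid + body


if __name__ == "__main__":
    # Constructed loopback traffic: one ordinary ICE connectivity check, one with a munged ufrag.
    normal = build_stun(STUN_BINDING_REQUEST, "n4Xd:q9Zk")
    munged = build_stun(STUN_BINDING_REQUEST, "fb.1.1717000000000.1234567890:q9Zk")
    print(fbp_from_binding_request(normal))  # None
    print(fbp_from_binding_request(munged))  # fb.1.1717000000000.1234567890
```

Feeding the UDP payloads of a loopback capture through fbp_from_binding_request() gives the same view of the data flow that DevTools does not show: the cookie value leaves the page inside the ICE username, not inside any HTTP request.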

Thank you CISA, NCSC, @bsi et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
#threathunting #threatintel
DoJ, Dutch National Police and FBI have dismantled a botnet that was used to run Anyproxy and 5socks proxy networks.
https://www.theregister.com/2025/05/10/router_botnet_crashed/
Feds disrupt proxy-for-hire botnet, indict four alleged net miscreants

The FBI also issued a list of end-of-life routers you need to replace

The Register
Germany’s Federal Criminal Police Office (BKA) has shut down the 'eXch' cryptocurrency exchange platform, which was used to launder stolen funds from the Bybit hack.
https://www.bleepingcomputer.com/news/security/germany-takes-down-exch-cryptocurrency-exchange-seizes-servers/
Germany takes down eXch cryptocurrency exchange, seizes servers

The Federal police in Germany (BKA) seized the server infrastructure and shut down the 'eXch' cryptocurrency exchange platform for alleged money laundering cybercrime proceeds.

BleepingComputer

StealC v2 and Aurotun Stealer seem to be interconnected. They are sometimes deployed as part of the same infection chain and share C2 infrastructure.

Example: https://tria.ge/250411-f3d2tszyhy/behavioral1
👾 StealC v2: 62.60.226.114:80
👾 Aurotun: 62.60.226.114:40101
#AurotunStealer #StealCv2

 3cb57f7e67ee1985e513f6e591fe143c1b8b2d0178f06e39e39da1e0f51484d4 | Triage

Check this report malware sample 3cb57f7e67ee1985e513f6e591fe143c1b8b2d0178f06e39e39da1e0f51484d4, with a score of 10 out of 10.

C2 servers of newly discovered Aurotun Stealer:
👾 45.227.252.199:7712
👾 46.4.119.125:7712
👾 62.60.226.101:40101
👾 62.60.226.101:40105
👾 62.60.226.114:40101
👾 146.190.108.105:7712
👾 155.138.150.12:7712
👾 198.251.84.107:7712
#AurotunStealer #threatintel
The Honeynet Project Workshop 2025 will take place in Prague, Czech Republic, from June 2nd to 4th.
https://www.honeynet.org/2025/03/24/the-honeynet-project-workshop-2025-in-prague-czech-republic/
The Honeynet Project

Here's a #Wireshark display filter that detects this type of #LLMNR (multicast name resolution) spoofing:

dns.count.answers > 0 and lower(dns.qry.name) != lower(dns.resp.name)
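Added example, not from the original post: a Python port of that display filter for anyone who wants the same check outside Wireshark, for instance over UDP/5355 payloads pulled from a pcap. LLMNR reuses the DNS message layout, so the code decodes the question and answer sections (including compression pointers) and flags a response that answers for a name nobody asked for, which is how the filter's case-insensitive name comparison is read here. The sample packets are constructed for the example.

```python
import struct

# Added example, not code from the original post. LLMNR (RFC 4795) uses the DNS wire format,
# so the helpers below are plain DNS message parsing; all sample packets are constructed.


def encode_name(name):
    """Encode a dotted name as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def read_name(data, offset):
    """Decode a name at offset, following compression pointers. Returns (name, offset after name)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            # 2-byte compression pointer into an earlier part of the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_llmnr(payload):
    """Parse the header, question section and answer section of an LLMNR/DNS message."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", payload[:12])
    offset = 12
    queries = []
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        queries.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, payload[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "queries": queries, "answers": answers}


def is_spoofed_response(msg):
    """Equivalent of: dns.count.answers > 0 and lower(dns.qry.name) != lower(dns.resp.name)
    A response counts as spoofed when it carries an answer for a name that was not queried."""
    if not msg["answers"]:
        return False
    asked = {name.lower() for name, _ in msg["queries"]}
    return any(name.lower() not in asked for name, _, _ in msg["answers"])


def build_response(txid, qname, aname, ip, compress=False):
    """Build a one-question, one-answer LLMNR response (constructed test data).
    With compress=True the answer owner name is a pointer (0xC00C) back to the question name."""
    header = struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    owner = b"\xc0\x0c" if compress else encode_name(aname)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = owner + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + answer


def scan(payloads):
    """Return the indexes of the UDP/5355 payloads that trip the filter."""
    return [i for i, p in enumerate(payloads) if is_spoofed_response(parse_llmnr(p))]


if __name__ == "__main__":
    samples = [
        build_response(0x1A2B, "fileserver01", "fileserver01", "10.0.0.5"),  # answer matches the query
        build_response(0x1A2B, "fileserver01", "FILESERVER01", "10.0.0.5"),  # only the case differs
        build_response(0x1A2B, "fileserver01", "wpad", "10.0.0.66"),         # answer for another name
    ]
    print(scan(samples))  # [2]
```

Only the third packet is reported: case differences alone do not trigger the filter, which is what the lower() calls in the Wireshark expression are for.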

Nice malware lab setup using FLARE VM, #PolarProxy and #REMnux to decrypt and inspect TLS traffic.
https://www.koenmolenaar.nl/nl/write-ups/jeff0falltrades-sandbox-crackme/
jeFF0Falltrades Sandbox Crackme

A write-up of jeFF0Falltrades Crackme challenge, which was part of his DIY Malware Analysis Sandbox series.

Koen Molenaar / Home