Paul Melson

542 Followers
114 Following
154 Posts
Blue Team by day, Blue Team by night. Opinions, typos, and awful code do not represent my employer. Author/Operator of https://infosec.exchange/@ScumBots
Twitter: https://twitter.com/pmelson
GitHub: https://github.com/pmelson
Pronouns: He/Him
@james_inthe_box Just using the name, or..?
@krypt3ia I have this shirt in white on black. Gets lots of comments, but zero folks have actually recognized it yet. 😂
Ugh, why does this work?! (I mean, I know how it works, but what was the thought process behind what’s essentially executing the stdout of a command? We’ve come so far and learned so little from our past mistakes.)
@SwiftOnSecurity Imma let you finish, but in 2014 Lazarus Group made the best ransom note of all time. Of all time!

RE: https://infosec.exchange/@ScumBots/115850383845467081

This Meterpreter reverse shell was part of an intrusion set tied to an actor claiming to be a KeyGroup777 member and this HiddenTear ransomware payload: https://www.virustotal.com/gui/file/62ecd3ec595452e7f01a9eeab6ae619f61648e5b6cb01c23c5ca2c03f59ec778/summary

@jernej__s @Ichinin I was unaware that ‘wget’ is an alias for IWR. What version(s) of PowerShell does that work for?
@jernej__s Also, despite the comments, it’s not dropping BTC miners
@jernej__s I’m just reporting on what I’m seeing.

If you’re not already alerting on

CONHOST.EXE spawning CMD.EXE spawning WGET.EXE

or

CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE

you’re gonna want to close that gap today.
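The two process-ancestry chains named in the post, as an added detection example that is not code from the original post: it rebuilds grandparent -> parent -> child from Sysmon-style process-creation records (ProcessId, ParentProcessId, Image) and flags the two chains. The sample events, PIDs and paths are constructed for illustration.

```python
# Added example: flag the two ancestry chains from the post over
# constructed Sysmon-style process-creation records. Not real telemetry.

# Constructed sample events: (ProcessId, ParentProcessId, Image).
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\System32\svchost.exe"),
    (200, 100, r"C:\Windows\System32\conhost.exe"),
    (300, 200, r"C:\Windows\System32\cmd.exe"),
    (400, 300, r"C:\Windows\System32\wget.exe"),      # conhost -> cmd -> wget
    (500, 1, r"C:\Windows\explorer.exe"),
    (600, 500, r"C:\Windows\System32\conhost.exe"),
    (700, 600, r"C:\Windows\System32\conhost.exe"),
    (800, 700, r"C:\Windows\System32\conhost.exe"),   # conhost x3
    (900, 500, r"C:\Windows\System32\cmd.exe"),
    (1000, 900, r"C:\Windows\System32\wget.exe"),     # explorer -> cmd -> wget: not flagged
]

# Chains from the post, written grandparent -> parent -> child.
SUSPICIOUS_CHAINS = {
    ("conhost.exe", "cmd.exe", "wget.exe"),
    ("conhost.exe", "conhost.exe", "conhost.exe"),
}

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def build_index(events):
    """Map pid -> parent pid and pid -> image name for fast ancestry walks."""
    parent = {pid: ppid for pid, ppid, _ in events}
    image = {pid: basename(img) for pid, _, img in events}
    return parent, image

def ancestry(parent, image, pid, depth):
    """Image names from pid upward (child first), at most `depth` entries;
    stops when the parent is outside the recorded events."""
    chain = []
    while pid in image and len(chain) < depth:
        chain.append(image[pid])
        pid = parent[pid]
    return chain

def find_suspicious(events):
    """Return (pid, 'gp -> p -> child') for every event whose three-level
    ancestry matches one of the post's chains."""
    parent, image = build_index(events)
    hits = []
    for pid, _, _ in events:
        chain = tuple(reversed(ancestry(parent, image, pid, 3)))
        if len(chain) == 3 and chain in SUSPICIOUS_CHAINS:
            hits.append((pid, " -> ".join(chain)))
    return hits

if __name__ == "__main__":
    for pid, desc in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {desc}")
```

In a real pipeline the same walk runs over Sysmon Event ID 1 (or EDR equivalent) records keyed by process GUID rather than PID, since PIDs are reused.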