Paul Melson

539 Followers
114 Following
151 Posts
Blue Team by day, Blue Team by night. Opinions, typos, and awful code do not represent my employer. Author/Operator of https://infosec.exchange/@ScumBots
Twitter: https://twitter.com/pmelson
GitHub: https://github.com/pmelson
Pronouns: He/Him
@SwiftOnSecurity Imma let you finish, but in 2014 Lazarus Group made the best ransom note of all time. Of all time!

RE: https://infosec.exchange/@ScumBots/115850383845467081

This Meterpreter reverse shell was part of an intrusion set tied to an actor claiming to be a KeyGroup777 member and this HiddenTear ransomware payload: https://www.virustotal.com/gui/file/62ecd3ec595452e7f01a9eeab6ae619f61648e5b6cb01c23c5ca2c03f59ec778/summary

@jernej__s @Ichinin I was unaware that ‘wget’ is an alias for IWR. What version(s) of PowerShell does that work for?
@jernej__s Also, despite the comments, it’s not dropping BTC miners
@jernej__s I’m just reporting on what I’m seeing.

If you’re not already alerting on

CONHOST.EXE spawning CMD.EXE spawning WGET.EXE

or

CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE

you’re gonna want to close that gap today.
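The two process chains named in the post are a good fit for ancestry-based detection over process-creation telemetry. The example below is added here and is not code from the original post or from its author; it runs over constructed, Sysmon-style events (the `ProcessId`, `ParentProcessId` and `Image` fields are assumptions about the input format, and the sample PIDs and paths are made up) and flags any process whose three-deep ancestry matches either chain. The benign `explorer.exe -> cmd.exe -> wget.exe` branch is included to show that the chain, not the presence of `wget.exe`, is what fires.

```python
"""Detect the process-ancestry chains named in the post:

  conhost.exe -> cmd.exe -> wget.exe
  conhost.exe -> conhost.exe -> conhost.exe

Input is a constructed, Sysmon-style subset of process-creation events:
each event carries ProcessId, ParentProcessId and Image (full path).
"""
import ntpath
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real events). PIDs and paths are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 100,  "ParentProcessId": 4,   "Image": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 200,  "ParentProcessId": 100, "Image": r"C:\Windows\System32\conhost.exe"},
    {"ProcessId": 300,  "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 400,  "ParentProcessId": 300, "Image": r"C:\Users\u\AppData\Local\Temp\wget.exe"},
    {"ProcessId": 500,  "ParentProcessId": 100, "Image": r"C:\Windows\System32\conhost.exe"},
    {"ProcessId": 600,  "ParentProcessId": 500, "Image": r"C:\Windows\System32\conhost.exe"},
    {"ProcessId": 700,  "ParentProcessId": 600, "Image": r"C:\Windows\System32\conhost.exe"},
    # Benign branch: an interactive user running wget from cmd under explorer.
    {"ProcessId": 800,  "ParentProcessId": 4,   "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 900,  "ParentProcessId": 800, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 1000, "ParentProcessId": 900, "Image": r"C:\Tools\wget.exe"},
]

# Ancestry patterns, oldest ancestor first.
SUSPICIOUS_CHAINS: List[Tuple[str, ...]] = [
    ("conhost.exe", "cmd.exe", "wget.exe"),
    ("conhost.exe", "conhost.exe", "conhost.exe"),
]

ProcessTable = Dict[int, Tuple[str, int]]


def image_name(image: str) -> str:
    """Normalise a full image path to a lowercase basename for comparison."""
    return ntpath.basename(image).lower()


def build_process_table(events: List[dict]) -> ProcessTable:
    """Map pid -> (image basename, parent pid).

    On PID reuse the later event wins; real pipelines should key on a
    process GUID instead, which this constructed format does not carry.
    """
    return {e["ProcessId"]: (image_name(e["Image"]), e["ParentProcessId"]) for e in events}


def ancestry(table: ProcessTable, pid: int, depth: int) -> Tuple[str, ...]:
    """Return up to `depth` image names from the oldest known ancestor down to pid."""
    chain: List[str] = []
    current = pid
    for _ in range(depth):
        if current not in table:
            break  # parent not in our window of events; chain is truncated
        name, parent = table[current]
        chain.append(name)
        current = parent
    chain.reverse()
    return tuple(chain)


def find_suspicious_chains(events: List[dict],
                           patterns: List[Tuple[str, ...]] = SUSPICIOUS_CHAINS
                           ) -> List[Tuple[int, Tuple[str, ...]]]:
    """Return (pid, chain) for every process whose ancestry matches a pattern."""
    table = build_process_table(events)
    hits: List[Tuple[int, Tuple[str, ...]]] = []
    for pid in table:
        for pattern in patterns:
            if ancestry(table, pid, len(pattern)) == pattern:
                hits.append((pid, pattern))
    return hits


if __name__ == "__main__":
    for pid, chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

The match is exact on three generations, so a truncated ancestry (a parent that left the event window) does not fire; whether that should instead raise a lower-confidence alert is a tuning decision. `conhost.exe` is the console host that `csrss.exe` starts on behalf of a console application, so it normally has no children at all, which is why either chain is worth alerting on rather than only the `wget.exe` leaf.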

@SwiftOnSecurity I loved him in The Tick
Cats out here charging for RATs that anyone can download for free from GitHub. Good thing there's a money-back guarantee..? 🙄