
From WOMEN.dll dropper → Sleestak infrastructure:
Multi-stage JScript + PowerShell loader with AES-256 + XOR, process hollowing into aspnet_compiler.exe, Microsoft-spoofed scheduled task (logon trigger), and exposed daily-rotating payload directories on open index listing. Full chain analysis, builder artifacts, IOCs here: https://medium.com/@darkjstr/tracking-a-live-heracles-rat-campaign-from-women-dll-to-sleestak-infrastructure-7545df27646a

#HeraclesRAT #ThreatIntel #MalwareAnalysis #CyberSecurity #InfoSec #DFIR #CTI #ReverseEngineering #RAT #Sleestak

Tracking a Live Heracles RAT Campaign: From WOMEN.DLL to Sleestak Infrastructure

Author: DarkJstr | Date: 2026-05-25 | Malware Family: Heracles (MSIL) | Campaign Status: ACTIVE

We didn't know how an actor was using EV Certificates issued to Lenovo and others.

We now do.

From DigiCert's incident report:
"the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts."

"Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate."

The full report can be found here and explains the incident in great detail: https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period."

Special thanks go to the regular contributors to the Cert Graveyard.

Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and also well executed.

2033170 - DigiCert: Misissued code signing certificates

ASSIGNED (dcbugzillaresponse) in CA Program - CA Certificate Compliance. Last updated 2026-05-05.

I've got a new malware analysis describing what I have dubbed XorBee RAT

  • delivered by #kongtuke via #clickfix
  • Python based
  • targets domain-joined Windows
  • uses port tcp/4444 for C2 traffic
  • obfuscates C2 traffic with XOR of the letter b
  • continuously runs a thread checking for monitoring tools and exits if seen
  • after authenticating with C2, enters reverse shell
  • related to ModeloRAT
  • first seen in October 2025

https://rmceoin.github.io/malware-analysis/2026/04/13/xorbee-rat.html

#xorbee

XorBee RAT

A technical breakdown of XorBee RAT, a Python-based reverse shell deployed by the KongTuke threat actor via ClickFix social engineering against domain-joined Windows environments.


First day of #100daysOfYara
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"

rule at end
1/7

Proud to once again support our LE partners in Operation Endgame Season 3

86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12

More details:
https://shadowserver.org/news/rhadamanthys-historical-bot-infections-special-report/

Latest Operation Endgame S03E01 video "STICKY FINGERS":
https://operation-endgame.com

Europol Press Release:
https://europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down

Rhadamanthys Historic Bot Victims Special Report technical details:
https://shadowserver.org/what-we-do/network-reporting/rhadamanthys-historical-bot-infections-special-report/

The Secure Annex extension is available to protect against other extensions! When an extension is found to be malicious, Secure Annex will prevent it from running. A great option for teams that do not have complete control with managed browsers. If you're interested, get in touch!

They're targeting English and Japanese languages.
We see TOADs coming from web.core.windows[.]net every day. They all use the same template. Yesterday a new template came across from my.id and I thought the sequence with a fake CMD sequence was hilarious.

Did you know Chrome Enterprise Core offers a free way to report on all of the extensions in your managed browsers? Try using its APIs to do regular enrichment of what your users have installed.

https://secureannex.com/blog/retrieve-chrome-extensions

Retrieve Extensions from the Chrome Enterprise API

A guide to retrieve installed extensions from the Google Chrome Enterprise API


VexTrio's origins come from two distinct groups: an Italian group we can date back to 2004 and a Russian-speaking Eastern European group. The Italians were quite successful early on, with a dating app that was among the fastest growing on Facebook in 2012. But our guess is that their profits slid in the years that followed. In 2020, there is a merger-acquisition which leaves the Eastern Europeans in charge. They gain the trademarks, knowledge in spam distribution, and who knows what else.

While developers remain in Eastern Europe, VexTrio created business headquarters in Lugano, Switzerland, including the existing AdsPro, which developed the Los Pollos, Taco Loco, and Adtrafico traffic distribution systems (TDS) through their software company HolaCode. (OK, it's more complicated than that, but this is the CliffsNotes version.) We have identified nearly 100 businesses associated with 8 key figures in many industries, including construction, energy, and advertising.

So in the end, what is VexTrio? It's hard to say. We originally used it to refer to the TDS. Nice clean lines... but now, for us it is all the people and their labyrinth of companies.

We spoke at Black Hat last week, so if you have a briefings pass you can listen to that. Otherwise, find our research online and start your own investigation.

#dns #threatintel #scam #cybercrime #vextrio #infoblox #cybersecurity #infosec #malware #tds