You can't hack me I'm out of scope

(huntress.com) In-the-Wild Exploitation of Nightmare-Eclipse Privilege Escalation Tooling and BeigeBurrow Tunneling Agent Observed in Active Intrusion

In-the-wild exploitation of Nightmare-Eclipse tooling (BlueHammer, RedSun, UnDefend) and BeigeBurrow tunneling agent observed in active intrusion. BlueHammer (CVE-2026-33825) exploits a TOCTOU race in Windows Defender for SYSTEM-level SAM credential theft; RedSun/UnDefend remain unpatched. Initial access via compromised FortiGate SSL VPN credentials, hands-on-keyboard recon, and Go-based yamux reverse tunnel (BeigeBurrow) for persistent C2.

In brief - Threat actor leveraged novel privilege escalation tools (BlueHammer CVE-2026-33825, RedSun, UnDefend) and BeigeBurrow reverse tunnel in a failed intrusion. Initial access via FortiGate SSL VPN, post-exploitation via M365Copilot.exe. Huntress terminated activity; hunt for IOCs.

Technically - BlueHammer abuses TOCTOU in Windows Defender with Volume Shadow Copy and process suspension for SAM database read. RedSun uses oplocks/directory junctions for arbitrary write via Storage Tiers Management Engine COM. UnDefend disrupts Defender via file locks. BeigeBurrow (Go/yamux) establishes multiplexed reverse tunnel to staybud.dpdns[.]org:443. Binaries staged in user-writable paths; recon commands spawned from M365Copilot.exe.

Source: https://www.huntress.com/blog/nightmare-eclipse-intrusion

#Cybersecurity #ThreatIntel

Nightmare-Eclipse Tooling Seen in Real-World Intrusion | Huntress

Huntress observed in-the-wild use of Nightmare-Eclipse tooling, including BlueHammer, RedSun, and UnDefend, in a live intrusion involving FortiGate VPN compromise as the initial access, reconnaissance commands, and likely tunneling activity.


@da_667 relatively weak but something is better than nothing. Might benefit from a GitHub PR if you find something interesting in network/host artifacts.

https://lolrmm.io/tools/nomachine

infosec burnout in a nutshell
@Gargron Soundtrack to Perfect Days is great. The komorebi cinematography is also equally perfect. Excellent film, highly recommend for everyone.
I’m going to update mastodon across the infosec, ioc, and convo instances today. There shouldn’t be any downtime but there are user interface changes and for that I will apologize in advance to everyone who doesn’t like their cheese moved. There isn’t an option to keep it like it was. And yes, this will probably continue the trend of breakage on old devices with browsers that can’t handle newer functionality. I’m sorry for that too.
@jerry good reminder for all of us to consider donating to our instance admin who could be spending their weekend relaxing instead of patching. Just sent mine. Thanks Jerry.

(zscaler.com) Payouts King Ransomware: Technical Analysis of a BlackBasta Successor Group

New ransomware group Payouts King, linked to former BlackBasta affiliates, emerged in April 2025 with advanced TTPs and evasion techniques.

In brief - Payouts King, a BlackBasta successor, uses spam bombing, Microsoft Teams abuse, and Quick Assist for initial access. The group employs robust encryption, anti-EDR measures, and operates a Tor-based data leak site. Zscaler ThreatLabz provides IOCs and TTPs for detection.

Technically - Payouts King ransomware uses stack-based string obfuscation, FNV1/CRC32 hashing for API resolution, and command-line argument obfuscation. File encryption leverages RSA-4096 and AES-256-CTR via OpenSSL, with per-file keys and partial encryption for performance. EDR/AV evasion includes direct Zw* system calls (e.g., ZwTerminateProcess) resolved via ntdll export table walking. Persistence is via scheduled tasks, and forensic artifacts are removed by deleting shadow copies and clearing logs.

Source: https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne

#Cybersecurity #ThreatIntel

Payouts King Takes Aim at the Ransomware Throne | ThreatLabz

Former BlackBasta initial access brokers are conducting new attacks, stealing large amounts of data, and selectively deploying Payouts King ransomware.

A large-scale study of the Russian web hosting space has found more than 1,200 malicious command and control servers hosted inside Russia this year.

Most of the servers are for IoT malware botnets, such as Keitaro, Hajime, Mozi, and Mirai.

https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped