Volexity
@volexity@infosec.exchange
641 Followers, 6 Following, 132 Posts
A security firm providing Incident Response, Proactive Threat Assessments, Trusted Advisory, and Threat Intelligence
Website: https://www.volexity.com
Blog: https://www.volexity.com/blog
Twitter: https://twitter.com/Volexity
LinkedIn: https://www.linkedin.com/company/volexity

@volexity Volcano Server & Volcano One v25.06.12 adds ~600 new YARA rules, new IOCs for fake registered antivirus & hooked Linux kernel functions, as well as support for custom post-processing bash scripts, segmented directory watching & database optimization.

Contact us for more information about Volcano Server & Volcano One: https://volexity.com/company/contact/.

New on the @volexity Blog: Multiple Russian threat actors are leveraging Signal, WhatsApp, and a compromised Ukrainian government email address to impersonate EU officials. This latest round of phishing attacks abuses first-party Microsoft Entra apps and OAuth to compromise targets.

https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows

#dfir #threatintel

Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...

In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.

Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.

GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!

Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/

#dfir #reversing #malwareanalysis

GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically

In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, raised the need for better tooling to assist in reverse-engineering efforts. Volexity developed GoResolver, an open-source tool...

@volexity Volcano Server & Volcano One v25.02.21 adds 300 new YARA rules; consistent Bash/ZSH history & sessions from Linux/macOS memory and files; and parses Linux systemd journals, macOS unified logs, and Windows USNs (search + timeline for all).

This release also extracts cmd history from Windows 24H2 RAM; and adds admin options for SAML and S3 bucket watching.

For more information about Volcano Server & Volcano One, contact us: https://volexity.com/company/contact/

#dfir #memoryforensics #memoryanalysis

@volexity recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

#dfir #threatintel #m365security

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal. Through its investigations, Volexity discovered that Russian threat actors were impersonating a variety of individuals

On Thursday, Feb 6, @attrc will be at @WWHackinFest to present "Effectively Detecting Modern Code Injection Techniques with Volatility 3". See the full conference agenda here: https://wildwesthackinfest.com/wild-west-hackin-fest-at-mile-high-2025/agenda-for-wwhf-mile-high-2025/.

#dfir #memoryforensics #Volatility3 @volatility

Agenda for WWHF @ Mile High 2025 - Wild West Hackin' Fest

*Agenda is subject to change at any time

On Thursday, December 5, @volexity’s David McDonald will present his research on “Hunting Fileless Malware with Tree-sitter” at @bsidesaustin!

Obfuscated, fileless malware poses a significant challenge to automated detection systems and wastes valuable time during manual analysis. This challenge occurs as the many layers of obfuscation must be unraveled before the true malicious payload is revealed. In this talk, research will be presented that demonstrates how the tree-sitter parser generator library can be used to write scalable, accurate, and attributable detections and deobfuscation tools for malicious PowerShell payloads.

See the full conference schedule here: https://bsidesaustin.com/schedule

#dfir

BSides Austin: BSides Austin Schedule

@volexity’s latest #threatintel blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target, while the attacker was halfway around the world.

Read more here: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/

#dfir

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (“Organization A”) indicated a threat actor had compromised a server on the customer’s network. While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity had not previously encountered.

@volexity has published a blog post about BrazenBamboo, the Chinese threat actor behind the LIGHTSPY and DEEPDATA malware families. This blog post details a FortiClient vulnerability used in the DEEPDATA malware, where user VPN credentials are left in plaintext in memory long after a user has authenticated. Read more here: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata

#dfir #threatintel

BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory. On July 18, 2024, Volexity notified Fortinet about this vulnerability. At the time of writing, the issue remains unresolved.

There are several opportunities coming up to hear some outstanding talks given by members of @volexity’s R&D and #threatintel teams! Here’s a list of who and where over the next few weeks:

September 24
Andrew Case will present “Defeating EDR Evading Malware with Memory Forensics” at Louisiana State University (https://www.linkedin.com/posts/andrewcase_next-tuesday-september-24th-i-will-be-presenting-activity-7242200665605730307-Ruqs)

October 1
Robert Jan Mora will present “Detecting Zero-Day Exploitation of Edge Devices” at ONE Conference (https://one-conference.nl/session/from-zero-day-to-mass-exploitation-ivanti-vpn)

October 3
Paul Rascagneres & Charles Gardner will co-present “The deck is stacked: analysis of OracleBamboo's SPYDEALER Android backdoor” at the Virus Bulletin Conference (https://www.virusbulletin.com/conference/vb2024/abstracts/deck-stacked-analysis-oraclebamboo-spydealer-backdoor/)

Andrew Case will present “Modern Memory Forensics with Volatility 3” at HTCIA Canada (https://www.htcia.org/2024-canada-cyber-investigation-summit)

October 5
David McDonald will present “Hunting Fileless Malware with Tree-Sitter” at BSides Augusta (https://pretalx.com/bsidesaugusta-2024/talk/MLQEMU/)

October 21
Andrew Case will present “Detecting & Defeating EDR-Evading Malware with Volatility 3” at From the Source, hosted by @volatility (https://volatilityfoundation.org/from-the-source-memory-forensics-training/)

Tom Lancaster will present “It Has Been [0] Days Since the Last Edge-Device Security Incident” at From the Source, hosted by @volatility (https://volatilityfoundation.org/from-the-source-memory-forensics-training/)

#dfir #memoryforensics

Andrew Case on LinkedIn: Next Tuesday, September 24th I will be presenting a special version of my…

Next Tuesday, September 24th I will be presenting a special version of my DEFCON talk on Louisiana State University’s campus. The talk is open to all. I hope…