668 Followers
6 Following
180 Posts
A security firm providing Incident Response, Proactive Threat Assessments, Trusted Advisory, and Threat Intelligence
Website: https://www.volexity.com
Blog: https://www.volexity.com/blog
Twitter: https://twitter.com/Volexity
LinkedIn: https://www.linkedin.com/company/volexity

@volexity Volcano Server & Volcano One v25.12.18 adds 300+ YARA rules, full parsing of Windows prefetch and Linux cron jobs, inline syscall hooking detection, and 5-level page table support. This release also adds cross-account S3 bucket monitoring, automated health check alerts, SAML role mappings, and increased auditing.

Contact us for more information: https://volexity.com/company/contact/.

Dangerous Invitations: @volexity has published our #threatintel team’s findings on two new campaigns abusing Device Code & OAuth authentication workflows. Throughout 2025, Volexity has identified dozens of campaigns from state-sponsored threat actors abusing these workflows, showing no signs of slowing.

This blog post details the creative social engineering tactics used by Russian threat actor UTA0355 in recent campaigns to impersonate European security events. Read the full blog post here: https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/

APT meets GPT: @volexity's latest #threatintel blog post reveals tradecraft details of threat actor UTA0388, a likely Chinese threat actor, making heavy use of LLMs for several aspects of their operations. This blog post provides evidence of AI use in almost every aspect of UTA0388’s spear phishing campaigns against targets in North America, Europe & Asia. Read more here: https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms

@volexity Volcano Server & Volcano One v25.09.21 adds memory analysis support for ARM64 Linux, macOS 26 (Tahoe), and Windows 25H2, as well as 75+ new YARA rules, 10+ new IOCs, analysis of udev rules, and rolling upgrades for managed endpoints.

Contact us for more information: https://volexity.com/company/contact/.

@volexity researchers will be presenting at THREE conferences in Las Vegas this August! Here’s where you can hear about some of our latest research in #memoryforensics and automated malicious script detection and de-obfuscation:

Monday, August 4: Detecting, Deobfuscating, and Preventing Obfuscated Script Execution with Tree-sitter @ BSides Las Vegas (https://bsideslv.org/talks#LBQDEB)

Wednesday, August 6: Volatility 3 @ Black Hat Arsenal (https://www.blackhat.com/us-25/arsenal/schedule/#volatility-3-44745)

Friday, August 8: Effectively Detecting Modern Malware with Volatility 3 Workshop @ DEF CON 33 (https://defcon.org/html/defcon-33/dc-33-workshops.html#content_60679)

Many members of the @volexity team will also be in Vegas, so if you’d like to meet up with our leadership, development, engineering, services, or threat intelligence teams, please reach out or complete our contact form: https://www.volexity.com/contact/meet-up-in-vegas/

@volexity Volcano Server & Volcano One v25.06.12 adds ~600 new YARA rules, new IOCs for fake registered antivirus & hooked Linux kernel functions, as well as support for custom post-processing bash scripts, segmented directory watching & database optimization.

Contact us for more information about Volcano Server & Volcano One: https://volexity.com/company/contact/.

New on the @volexity Blog: Multiple Russian threat actors are leveraging Signal, WhatsApp, and a compromised Ukrainian government email address to impersonate EU officials. This latest round of phishing attacks abuses first-party Microsoft Entra apps and OAuth to compromise targets.

https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows

#dfir #threatintel

Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...

Volexity
In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.

Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.

GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!

Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/

#dfir #reversing #malwareanalysis
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically

In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, raised the need for better tooling to assist in reverse-engineering efforts. Volexity developed GoResolver, an open-source tool...

Volexity
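
The post above says GoResolver works by control-flow graph similarity: symbol names and strings change under an obfuscator like Garble, but the shape of a function's CFG mostly does not, so library functions can be recognised by comparing structure against a reference build. The following is an added example, not GoResolver's own code, that shows the idea with a Weisfeiler-Lehman style graph hash as the similarity measure (my substitute; GoResolver's actual measure is not described on this page). The function names, instruction sequences, matching threshold and the "obfuscated" sample are all constructed.

```python
"""
Added example, not GoResolver's own code: a toy of the idea that a function's control-flow
graph survives symbol renaming, so library code in an obfuscated Go binary can be recognised
by matching graph structure against a reference build. Function names, instruction sequences
and the threshold are constructed for illustration.
"""
import hashlib
from collections import Counter

# A function is a list of basic blocks: (list of instruction strings, successor block indices).
# cfg() keeps only each instruction's mnemonic. Operands (registers, offsets, strings, symbol
# names) are what obfuscation changes; the opcode sequence and branch structure tend to survive.


def cfg(blocks):
    return [(tuple(ins.split()[0] for ins in instrs), list(succ)) for instrs, succ in blocks]


def _h(*parts):
    return hashlib.blake2b("|".join(map(str, parts)).encode(), digest_size=8).hexdigest()


def wl_signature(blocks, rounds=2):
    """Weisfeiler-Lehman relabelling: after each round a block's label encodes its own
    mnemonics plus its successors' labels. The multiset of labels from every round is the
    signature, so graphs that match only partially still share some labels."""
    labels = [_h("b", *mnemonics) for mnemonics, _ in blocks]
    sig = Counter(labels)
    for _ in range(rounds):
        labels = [_h(labels[i], *sorted(labels[s] for s in blocks[i][1]))
                  for i in range(len(blocks))]
        sig.update(labels)
    return sig


def similarity(a, b):
    """Multiset Jaccard similarity in [0, 1]."""
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 0.0


def resolve(sample_funcs, reference_db, threshold=0.8):
    """Map each sample function to the best-matching reference name, or None when the best
    score is below the threshold. Returns {sample_name: (reference_name_or_None, score)}."""
    out = {}
    for name, blocks in sample_funcs.items():
        sig = wl_signature(blocks)
        best, score = max(((ref, similarity(sig, rsig)) for ref, rsig in reference_db.items()),
                          key=lambda t: t[1])
        out[name] = (best if score >= threshold else None, score)
    return out


# Constructed reference build with symbols intact (simplified x86-64-style mnemonics).
REFERENCE = {
    "lib.copyLoop": cfg([
        (["xor ecx, ecx", "cmp rdx, 0", "jle .empty"], [1, 3]),
        (["movzx eax, byte [rsi+rcx]", "mov [rdi+rcx], al", "inc rcx", "cmp rcx, rdx", "jl .loop"], [1, 2]),
        (["mov rax, rdx", "ret"], []),
        (["xor eax, eax", "ret"], []),
    ]),
    "lib.checkedDiv": cfg([
        (["test rcx, rcx", "jz .panic"], [1, 2]),
        (["cqo", "idiv rcx", "ret"], []),
        (["call lib.panicDivide", "ud2"], []),
    ]),
}

# Constructed "obfuscated" sample: names stripped, registers and symbols renamed.
SAMPLE = {
    # copyLoop with a different register allocation: identical mnemonic-level CFG.
    "func_1a2b": cfg([
        (["xor r8d, r8d", "cmp r9, 0", "jle .L3"], [1, 3]),
        (["movzx r10d, byte [rdx+r8]", "mov [rcx+r8], r10b", "inc r8", "cmp r8, r9", "jl .L1"], [1, 2]),
        (["mov rax, r9", "ret"], []),
        (["xor eax, eax", "ret"], []),
    ]),
    # checkedDiv with the panic block split in two: the structure changed, so the score drops.
    "func_3c4d": cfg([
        (["test rbx, rbx", "jz .L2"], [1, 2]),
        (["cqo", "idiv rbx", "ret"], []),
        (["call sub_4011f0"], [3]),
        (["ud2"], []),
    ]),
    # Not in the reference build at all: this is what the analyst should be left with.
    "func_5e6f": cfg([
        (["push rbp", "mov rbp, rsp", "call sub_402000", "test rax, rax", "jnz .L1"], [1, 2]),
        (["mov rdi, rax", "call sub_402100", "jmp .L3"], [3]),
        (["lea rdi, [rip+0x2a0]", "call sub_402200", "jmp .L3"], [3]),
        (["pop rbp", "ret"], []),
    ]),
}

REFERENCE_DB = {name: wl_signature(blocks) for name, blocks in REFERENCE.items()}


def resolve_sample():
    return resolve(SAMPLE, REFERENCE_DB)


if __name__ == "__main__":
    for name, (resolved, score) in resolve_sample().items():
        print(f"{name}: {resolved or 'unresolved'} ({score:.2f})")
```

The second sample function is the caveat: a WL hash is exact on structure, so even a single split or merged block pushes the score from 1.0 down to roughly 0.24 and the function goes unresolved. A production tool has to tolerate such drift (or re-derive the reference from the same compiler version), which is why the threshold and the similarity measure, not the hashing, are where the real engineering sits.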

@volexity Volcano Server & Volcano One v25.02.21 adds 300 new YARA rules; consistent Bash/ZSH history & sessions from Linux/macOS memory and files; and parses Linux systemd journals, macOS unified logs, and Windows USNs (search + timeline for all).

This release also extracts cmd history from Windows 24H2 RAM; and adds admin options for SAML and S3 bucket watching.

For more information about Volcano Server & Volcano One, contact us: https://volexity.com/company/contact/

#dfir #memoryforensics #memoryanalysis

@volexity recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

#dfir #threatintel #m365security

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal. Through its investigations, Volexity discovered that Russian threat actors were impersonating a variety of individuals

Volexity
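
Three of the posts on this page (Dangerous Invitations, Phishing for Codes, and the Device Code post above) concern abuse of the Device Code authentication workflow. None of them spell out why the workflow is phishable, so here is an added example, not Volexity's code, that simulates the OAuth 2.0 Device Authorization Grant (RFC 8628) offline with both parties' messages. The endpoint names, client_id, scopes, token format and user names are constructed; only the message shapes follow the RFC.

```python
"""
Added example (not Volexity's code): an offline simulation of the OAuth 2.0 Device
Authorization Grant (RFC 8628), the "device code" workflow the posts above describe being
abused. Endpoint paths, client_id, scopes, token format and user names are constructed
for illustration; only the message shapes follow the RFC.
"""
import secrets
import time


class DeviceCodeAuthServer:
    """Toy authorization server. The property that makes the phish work: whoever holds the
    device_code receives the token, regardless of who typed the user_code."""

    def __init__(self, now=time.time, lifetime=900):
        self.now = now            # injectable clock so expiry can be exercised offline
        self.lifetime = lifetime  # expires_in, in seconds
        self.pending = {}         # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """Step 1 (RFC 8628 s3.1/3.2): the client asks for a device_code and a short user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "scope": scope, "expires": self.now() + self.lifetime,
                                     "approved_user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # constructed
                "expires_in": self.lifetime, "interval": 5}

    def user_approves(self, user_code, username):
        """Step 2 (s3.3): a signed-in user enters the user_code at the real verification URI."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["expires"] > self.now():
                rec["approved_user"] = username
                return True
        return False

    def token(self, client_id, device_code):
        """Step 3 (s3.4/3.5): the client polls with
        grant_type=urn:ietf:params:oauth:grant-type:device_code until the code is approved."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires"] <= self.now():
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": f"tok.{rec['approved_user']}.{secrets.token_hex(4)}",
                "token_type": "Bearer", "scope": rec["scope"]}


def simulate_phish(client_id="public-client", victim="alice@example.org"):
    """The abuse pattern: the attacker starts the flow on their own machine, forwards only the
    user_code (and the genuine verification URI) in a lure, and keeps polling.
    Returns (message log, final token response)."""
    srv = DeviceCodeAuthServer()
    log = []
    start = srv.device_authorization(client_id, "openid offline_access Mail.Read")
    log.append(("attacker->AS", "device_authorization", start["user_code"]))
    first = srv.token(client_id, start["device_code"])
    log.append(("attacker->AS", "token", first["error"]))  # authorization_pending
    # Nothing the victim sees is forged: the login page and the code are real.
    approved = srv.user_approves(start["user_code"], victim)
    log.append(("victim->AS", "enter user_code", approved))
    final = srv.token(client_id, start["device_code"])
    log.append(("attacker->AS", "token", final.get("token_type") or final["error"]))
    return log, final


def simulate_expired():
    """Edge case: a user_code entered after expires_in is rejected and the poll fails."""
    clock = [1_000.0]
    srv = DeviceCodeAuthServer(now=lambda: clock[0], lifetime=60)
    start = srv.device_authorization("public-client", "openid")
    clock[0] += 61
    approved = srv.user_approves(start["user_code"], "bob@example.org")
    return approved, srv.token("public-client", start["device_code"])


if __name__ == "__main__":
    for step in simulate_phish()[0]:
        print(*step)
```

The takeaway for defenders is in the last two log entries: the victim authenticates on the identity provider's own page, yet the bearer token is issued to the poller holding the device_code. The expiry path is the only thing working in the victim's favour, which is why these lures push for immediate action. In Microsoft Entra, Conditional Access has an authentication flows condition that can block the device code flow for users who have no legitimate need for it; that, plus alerting on sign-ins whose authentication protocol is device code, is the practical check to pair with the indicators in the linked posts.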