🇺🇦 Malware Researcher 🇺🇦
Posts are my own and do not reflect my employer.
mlget: http://github.com/xorhex/mlget
blog: https://blog.xorhex.com
twittodon: https://twittodon.com/share.php?t=xorhex&[email protected]

Rapid7 links BPFDoor deployments on telco networks to Chinese APT Red Menshen

https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/

BPFdoor in Telecom Networks: Sleeper Cells in the backbone

A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor placing stealthy digital sleeper cells in telecommunications networks, in order to carry out high-level espionage – including against government networks. Read more in a new blog.


QuasarRAT signed by "北京谷云达吉商贸有限公司"

This signer previously signed GhostRAT.
Cert was revoked.
They received new certificate.
Revoked.
New certificate.
Revoked.

If I didn't have a database with records, I'd think I was insane.
h/t @malwrhunterteam
1/6

We analyzed the Coruna exploit kit and found intriguing code overlaps with Operation Triangulation https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
There is currently an insane spy thriller running in #Hungary ICYMI:

https://www.direkt36.hu/en/titkosszolgalati-nyomasra-tortent-hazkutatas-a-tiszat-segito-informatikusoknal-aztan-kibukott-egy-gyanus-muvelet-a-part-ellen/

A 90min interview with the whistleblower was released too that reveals even more pieces of the puzzle. The whole thing screams for a movie (and long prison sentences).
Inside the covert operation to bring down the party threatening Viktor Orbán’s rule - Direkt36

According to documents obtained by Direkt36, a secret operation was carried out to bring down the IT systems of the Hungarian opposition party Tisza. IT specialists affiliated with the party planned to expose this, but then police officers, pressured by the Hungarian secret services, raided them, apparently on trumped-up charges.

Direkt36 - Direkt36 is a non-profit investigative journalism center with the mission to hold powerful people and institutions accountable.

This is a really sweet hex editor, great for reverse engineering data formats: https://docs.werwolv.net/imhex

Pretty sure my fish script to turn an SVG into a macOS icns file is still not quite right though.

#HexEditor #reverseEngineering

ImHex

A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM

I FOUND WHERE THEY KEEP THE FURSONAS!!!
A fantastic review of the Introduction to Malware Binary Triage course from Kelvin Winborne who recently completed the course https://grepstrength.dev/invoke-res-introduction-to-malware-binary-triage-review-ff482d5228be
Invoke RE’s Introduction to Malware Binary Triage Review

Put some respect on your own name!


Ooh baby you know I love an eBPF rootkit breakdown.

https://www.elastic.co/security-labs/illuminating-voidlink

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework — Elastic Security Labs

Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework that combines traditional Loadable Kernel Modules with eBPF to maintain persistence.

When I sign up for services/subscriptions, I use a dedicated email for that service/subscription - so when I start getting spam or the like to that email address, I have an idea as to the source.

Took longer than I thought (since I started doing this), but today I got my first one. Not going to name the service/subscription, but either they or one of their downstream partners (yes, the service/subscription clearly states in the TOS that my info will be shared) disclosed/got hacked/leaked/etc. the email address to some miscreants.

It's nothing special, they just want me to call and cancel my Geek Squad subscription renewing my Internet Security Plan or else it's going to auto-renew. My favorite part is the copyright; 2024 Windows Defender 😆