Recent cyber attacks by Transparent Tribe, or APT36, utilize increasingly sophisticated malware called ElizaRAT

Read the details of the evolution, evasion techniques, and malware configurations of Ladrodectus malware in this in-depth malware analysis

The IMEEX framework is a newly discovered, custom-built malware designed to target Windows systems. Delivered as a 64-bit DLL, it offers attackers extensive control over compromised machines. This framework is notable for its robust capabilities, featuring a wide array of functionalities, including execution of additional modules, file manipulation, process management, registry modification, and remote command […]

Stroz Friedberg identified a stealthy malware, dubbed “sedexp,” utilizing Linux udev rules to achieve persistence and evade detection. This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics.

Executive Summary Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP).

https://blog.talosintelligence.com/tinyturla-next-generationhttps://blog.talosintelligence.com/tinyturla

Learn about our process for collecting telemetry data from PlugX worm-infected workstations, as well as how to disinfect them.

Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.

Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

For educational purposes only, samples of old & new malware builders including screenshots! - GitHub - yuankong666/Ultimate-RAT-Collection: For educational purposes only, samples of old &am...

BadThings.info is a dedicated resource for studying Linux-based IoT malware.

A small and portable Windows C library for sandbox detection

Authored by: Anandeshwar Unnikrishnan Stage 1: GULoader Shellcode Deployment  In recent GULoader campaigns, we are seeing a rise in NSIS-based installers

Elastic Security Labs observes that the threat behind SIESTAGRAPH has shifted priorities from data theft to persistent access, deploying new malware like NAPLISTENER to evade detection.

We take a deep dive into Roshtyak, the DLL backdoor payload associated with Raspberry Robin. Roshtyak is full of anti-analysis tricks. Some are well-known, and some we have never seen before. From a technical perspective, the lengths Roshtyak takes to protect itself are extremely interesting. Roshtyak belongs to one of the best-protected malware strains we have ever seen. We hope by publishing our research and analysis of the malware and its protection tricks we will help fellow researchers recognize and respond to similar tricks, and harden their analysis environments, making them more resistant to the evasion techniques described.

Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs - GitHub - optiv/Mangle: Mangle is a tool that manipulates aspects of compiled executabl...

This is a repository of resource about Malware techniques - GitHub - fr0gger/Awesome_Malware_Techniques: This is a repository of resource about Malware techniques

A quick guide and high-level discussion on how to remove runtime dependencies when writing malware.

In a time full of ransomware as well as Advanced persistent Thread (APT) incidents the importance of detecting those attacking groups has become increasingly...

EDR / AV Evasion

Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.

Crypter, binder & downloader with native & .NET stub, evasive by design, user friendly UI - GitHub - bytecode77/pe-union: Crypter, binder & downloader with native & ...

Design & Implementation of a crypter in any language, using Xencrypt (Powershell) as an underlying example.

Introduction System calls are the ultimate high-level atomic actions that Malware writers might control. System calls sequences are the defacto ultimate way to divide behaviors between good and bad…

A Pin Tool for tracing API calls etc. Contribute to hasherezade/tiny_tracer development by creating an account on GitHub.

The automatic detection and classification of any given file in a reliable manner is often considered the holy grail of malware analysis. This blog will dive into DotDumper’s usage and internals.

An automatic unpacker and logger for DotNet Framework targeting files - GitHub - advanced-threat-research/DotDumper: An automatic unpacker and logger for DotNet Framework targeting files

A new document royal road v7 installs a backdoor in .NET. a first executable is dropped \os03C2.tmp. This exe has many similarities with…