Copy/Paste Technique Used to Deliver XWORM
XWORM is observed being distributed via Copy/Paste. XWORM C2 traffic uses a pattern that can be matched. Using Discord webhooks for C2 is not new, but it’s new to me.…
Da Samala Tech blogs on malware and stuffs
This documents hunting for delivery sites that connect to api.telegramorg, finding a malicious GoTo RMM, and developing masq-monitor and Snort/Suricata detections. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON…
This documents the analysis I performed on a crypto phishing domain that a phisher DM’d me. It documents how I was able to pivot on file hashes the site served,…
TL;DR This documents my research into three methods an attacker could use, with an SVG file, in a phishing attack to direct the victim to the next stage in the…
It’s been a while since I’ve posted about LandUpdate808. There was a compromised site that is local to Hawaii that I recently noticed, and it prompted me to research the…
TL;DR Phishing email uses ClickFix to initiate multi-stage delivery (incomplete analysis at final stage). Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO…
Using Silent Push to find the following infrastructure TL;DR You can use Silent Push’s query builder to monitor certain adversary infrastructure based on simple properties such as ASN, name server,…
TL;DR / Summary Up Front ALOHA! This shows how you can take WatchingRac‘s post, create a profile of the delivery behavior, and search YouTube for slight variations to find other…
TL;DR This documents specific steps you can take to find ClickFix infrastructure via RussianPanda‘s workflow. Summary Up Front This document builds on RussianPanda’s workflow to find ClickFix infrastructure. You can…
TL;DR I saw a post on X that inspired me to search Shodan. I found an open directory associated with APT-C-35 (attribution based on file hashes that were listed in…