Da Samala Tech blogs on malware and stuffs
Intro This is the long form of my post from here: https://x.com/MalasadaTech/status/1924982337689027063. While browsing urlscan scan tasks, I found crypto-js.min.js usage for obfuscation linked to Tycoon and Storm1747 in Any…
XWORM is observed being distributed via Copy/Paste. XWORM C2 traffic uses a pattern that can be matched. Using Discord webhooks for C2 is not new, but it’s new to me.…
This documents chrunting for delivery sites that connect to api.telegramorg, finding a malicious GoTo RMM, and developing masq-monitor and Snort/Suricata detections. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON…
This documents the analysis I performed on a crypto phishing domain that a phisher DM’d me. It documents how I was able to pivot on file hashes the site served,…
TL;DR This documents my research into three methods an attacker could use, with an SVG file, in a phishing attack to direct the victim to the next stage in the…
It’s been a while since I’ve posted about LandUpdate808. There was a compromised site that is local to Hawaii that I recently noticed, and it prompted me to research the…
TL;DR Phishing email uses ClickFix to initiate multi-stage delivery (incomplete analysis at final stage). Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO…
Using Silent Push to find the following infrastructure TL;DR You can use Silent Push’s query builder to monitor certain adversary infrastructure based on simple properties such as ASN, name server,…
TL;DR / Summary Up Front ALOHA! This shows how you can take WatchingRac‘s post, create a profile of the delivery behavior, and search YouTube for slight variations to find other…
TL;DR This documents specific steps you can take to find ClickFix infrastructure via RussianPanda‘s workflow. Summary Up Front This document builds on RussianPanda’s workflow to find ClickFix infrastructure. You can…
Aaron Samala