Know Your Adversary

Hello everyone! Another group has started using social engineering to deliver a Linux backdoor - though in this case, they essentially rewrote a Windows version of it. Let’s take a look at the techniques they used and how they can be detected or proactively hunted. This time, the source of information is a report by the Symantec and Carbon Black Threat Hunter Team on a group called Harvester . To disguise a malicious ELF file, the attackers used the Masquerade File Type (T1036.008) technique by giving the malicious file a “. pdf” extension—for example, “Details Format. pdf”. As you can see, there’s a space after the dot, which creates an opportunity for detection: Look for events involving the creation or execution of suspicious files with the “. pdf” extension. The attackers used two persistence methods on the compromised system. First, the GoGra backdoor creates a new service at ~/.config/systemd/user/userservice ( Systemd Service (T1543.002) ). Second, it creates an autostart entr...

Hello everyone! Today we’ll talk about another forensic tool that attackers used in the context of the Impair Defenses technique: Disable or Modify Tools (T1562.001) . Once again, the topic is ransomware. This time, we’re looking at the STAC4713 cluster, which distributes the PayoutsKing ransomware. To add exclusions to Windows Defender, the attackers used FTK Imager - a forensic tool designed for creating disk images. The key point is that during installation, this tool allows a selected path to be added to exclusions, which is exactly what the attackers exploited. The following command is executed: powershell -command $ExclusionType;$ExclusionFile = '"ExterroExclusions.txt"';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.St...

Hello everyone! Today we’ll take a look at a creative implementation of a very popular technique - Spearphishing Link (T1566.002) . According to this research , in February 2026 the TA416 cluster was distributing phishing emails containing links that led to Google Drive or compromised SharePoint instances. These links hosted archives that contained a renamed MSBuild executable (for example, Invitation_Letter_No.02_2026 ) along with a CSPROJ project file, which is what actually got executed after launch - MSBuild by default looks for the corresponding project file in the current directory. A successful execution resulted in the download of three files, which were later used to implement the DLL sideloading technique. Despite the attackers’ creative approach, detecting this kind of MSBuild abuse is fairly straightforward. For example: event_type: "processcreatewin" AND proc_file_originalfilename: "msbuild.exe" AND NOT proc_file_path: "msbuild.exe" See you s...

Hello everyone! Today we’re going to talk about collecting data from compromised systems, and we’ll look at an example of the technique Archive Collected Data: Archive via Utility (T1560.001) . The example comes from a Microsoft Threat Intelligence report on the activity of the Storm-1175 cluster, which is associated with the distribution of the Medusa ransomware. Despite the attackers using zero-day vulnerabilities to gain initial access, most of their tactics, techniques, and procedures were fairly trivial. Nevertheless, one of the tools caught my attention. To collect data for later publication on DLS, the attackers used Bandizip — a legitimate file archiving tool. This tool is not encountered very often and is quite suitable for proactive hunting, for example: event_type: "processcreatewin" AND proc_file_productname: "bandzip" See you soon!

Hello everyone! Today we will once again talk about the User Account Control (UAC) Bypass technique (T1548.002) and look at an interesting way to implement it. To help us with this, we’ll refer to the report on the "TrueChaos" operation. At one stage of the attack lifecycle, the threat actors modified the current user’s PATH variable: reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<redacted>\appdata\local\temp" /f After that, the attackers launched a legitimate Microsoft tool - iSCSI Initiator Control Panel ( iscsicpl.exe ), which was used to bypass User Account Control and perform DLL hijacking. The malicious iscsiexe.dll was placed by the attackers in the same location that had been written to the registry in the previous step. In this case, for example, we can hunt for suspicious values being added to the corresponding registry key: event_type: "registryvaluesetwin" AND reg_key_path: "environment\\path" AND reg_v...

Hello everyone! Another day, another Dead Drop Resolver (T1102.001). And this time, the exploited web services are even more interesting than usual. According to Solar’s research on MaskGram Stealer , in addition to the already popular platforms among attackers - Steam and Telegram - threat actors also used Spotify and Chess.com. As before, it’s important to pay attention to communications with legitimate web services that attackers leverage as part of this technique, and to identify unusual processes: event_type: "dnsreqwin" AND dns_rname: ("spotify.com" OR "chess.com") AND NOT proc_file_path: ("your_exclusion_list") See you soon!