golby
golby.bsky.social
macOS Threat and Detections Researcher @ Jamf
Reposted by golby
Hello world!

#MacAdmins #MacAdmin
February 14, 2026 at 4:03 PM
Reposted by golby
Some of the most popular packages on the OpenClaw official registry ClawHub are malicious
@openclaw-x.bsky.social
February 1, 2026 at 12:20 PM
Reposted by golby
Okay, this is friggin awesome! M.A.C.E is a great tool and I’m so proud of the work we’ve done on the #MSCP.

I’ll be honest, my compatriots do way more work than me, I’m just a tiny bit in this project. Still super cool to see here.

9to5mac.com/2026/01/24/m...
Apple @ Work: M.A.C.E. app is a prime example of the Mac admins community at work - 9to5Mac
M.A.C.E. simplifies macOS compliance with a free GUI for the mSCP. It’s a prime example of the Mac admin community solving real IT problems.
9to5mac.com
January 24, 2026 at 2:53 PM
Reposted by golby
Hide your couches, Twin Cities
JD Vance is heading to Minneapolis on Thursday, per the White House.

He's going to "hold a roundtable with local leaders and community members and will deliver remarks focused on restoring law and order in Minnesota." Hoo boy.
January 21, 2026 at 8:00 PM
Reposted by golby
Updated the tracking sheet I made last year now that it's been a year — National Averages After First Year of Trump's Second Term docs.google.com/spreadsheets...
National Averages After First Year of Trump's Second Term
docs.google.com
January 19, 2026 at 6:37 PM
Reposted by golby
#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.

We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.

Rule at bottom
1/5
January 12, 2026 at 2:27 PM
Reposted by golby
#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target macOS systems.

Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892

Rule at end
1/3
January 10, 2026 at 7:17 PM
Reposted by golby
#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abuse of code signing, including Apple-issued certificates.

When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.

Rule at end
1/7
January 5, 2026 at 1:10 PM
Reposted by golby
Jamf Threat Labs observed a revamped MacSync Stealer variant delivered as a code-signed and notarized app. Unlike earlier drag-to-Terminal/ClickFix chains, it uses a more deceptive, hands-off approach. www.jamf.com/blog/macsync...
January 6, 2026 at 11:30 AM
Reposted by golby
I have created a website, where you can share your sample analysis (via links or posts) and search samples for training based on tags and difficulty.

If you write analysis blogs, you can share them there.
samplepedia.cc
January 4, 2026 at 5:53 AM
Reposted by golby
#100DaysofYARA - Day 3
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.

If the dev is going to use hard-coded strings, let's use them to our advantage.

This thread will demo Malcat's YARA features.
Rule at end of thread
1/5
January 3, 2026 at 3:10 PM
Reposted by golby
🚨#100DaysofYARA lives!!

Two-time reigning champ Yashraj has kindly offered to take the helm for this community effort! Give the homie a follow 👊

Check the repo to contribute: github.com/100DaysofYARA

And gear up for Jan 1 when #100DaysofYARA will kick off!
a black and white photo of a man with a stethoscope around his neck screaming.
December 28, 2025 at 11:21 PM
Reposted by golby
If you like reading NIST special publications, I got a newly revved 800-70 for you.

csrc.nist.gov/News/2025/dr...
Draft SP 800-70 Rev 5 is available for comment | CSRC
NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public c...
csrc.nist.gov
December 9, 2025 at 9:17 PM
Reposted by golby
Jamf Threat Labs warn that fake job assessments that ask you to run terminal commands could be a social engineering scheme to deploy the FlexibleFerret malware (a malware family attributed to DPRK-aligned operators) and steal your credentials. www.jamf.com/blog/flexibl...
November 26, 2025 at 10:05 AM
Another great writeup from @txhaflaire.bsky.social on a new stealer that Jamf is calling DigitStealer.
www.jamf.com/blog/jtl-dig...
DigitStealer: In-Depth Analysis of a New macOS Infostealer
Jamf Threat Labs uncovers DigitStealer, a new macOS infostealer. Learn about its unique evasion techniques, multi-stage payload and how to protect your systems.
www.jamf.com
November 14, 2025 at 12:29 AM
Oooh XProtect 5322 added XPScripts.yr. Guess they're going to start blocking malicious osascript and other interpreters now.
November 4, 2025 at 10:09 PM
OBTS bound! #obtsv8
October 13, 2025 at 9:52 PM
Reposted by golby
A year into Apple Intelligence, what do we know? Well your Mac knows the answers, just gotta ask the right questions.

Read “IQ Check: On-Device vs PCC — Reading the Signals Hidden on Your Mac” by Bob Gendler on Medium: boberito.medium.com/iq-check-on-...
IQ Check: On-Device vs PCC — Reading the Signals Hidden on Your Mac
Your Mac knows and can tell you specifically on device vs off device for Apple Intelligence
boberito.medium.com
October 6, 2025 at 5:11 PM
Interested in Mac security research, reversing macOS malware, or detection engineering?

Jamf Threat Labs is hiring! We're looking for passionate individuals to join our team and help push the boundaries of Apple security.

- Brno, Czechia
- Austin, Eau Claire, Minneapolis
September 24, 2025 at 1:26 PM
Reposted by golby
🍎 machofile 🍏 first official release is finally live: github.com/pstirparo/ma...

It is a Python module to parse #Mach-O binary files, with a focus on malware analysis and reverse engineering.
machofile is self-contained.

#macho #ios #reverseengineering #detection #threathunting #threatintel 1/3
GitHub - pstirparo/machofile: machofile is a module to parse Mach-O binary files
machofile is a module to parse Mach-O binary files - pstirparo/machofile
github.com
July 30, 2025 at 2:11 PM
A great writeup by my coworker, @txhaflaire.bsky.social, about a new variant (signed and notarized) of Odyssey Stealer.

www.jamf.com/blog/signed-...
Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware
Discover new technical insights into the Odyssey Stealer malware, including signed & notarized variants, SwiftUI-based social engineering, and advanced persistence techniques.
www.jamf.com
July 16, 2025 at 6:49 PM
Reposted by golby
Forgot to post this here the other day

Compliance updatepalooza.

Newly released updated mSCP compliance information for macOS Sequoia, macOS Sonoma, macOS Ventura, iOS 18, iOS 17, iOS 16, and visionOS.

github.com/usnistgov/ma...
Releases · usnistgov/macos_security
macOS Security Compliance Project. Contribute to usnistgov/macos_security development by creating an account on GitHub.
github.com
July 4, 2025 at 10:10 AM
Reposted by golby
🤓 My talk at AUSCERT has been released!

In this session, I break down:
- How threat actors are using generative AI,
- How to respond to AI-related breaches,
- And how to improve your AI security maturity with AI-specific incident response, Indicators of Prompt Compromise, and NOVA for […]
Original post on infosec.exchange
infosec.exchange
June 26, 2025 at 5:08 AM
Well this is new 🙃
June 25, 2025 at 1:23 AM
Reposted by golby
Ugh, could you imagine if there wasn't a new Turnstile album
June 21, 2025 at 10:56 PM