HaxRob
@haxrob.net
Telco / mobile and IoT security.
Surfing the information super highway one keystroke at a time.

https://haxrob.net
A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇
July 13, 2025 at 7:39 AM
Newer variants of #BPFDoor have an interesting modification that avoids detections looking for processes with raw sockets. The kernel reports SOCK_DGRAM rather than the rather loud "SOCK_RAW". Here we have a sample found in the recent SK telco breach.

(1/21)
June 2, 2025 at 2:27 PM
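Added example (my own code, not the post author's or a BPFDoor sample): a defender-side check that enumerates AF_PACKET sockets from /proc/net/packet by type, so that a hunt which only matches SOCK_RAW can be compared against one that also surfaces the SOCK_DGRAM variant described above. The /proc/net/packet text and the inode-to-PID map below are constructed; the column layout is assumed from the kernel's packet_seq_show output (sk RefCnt Type Proto Iface R Rmem User Inode).

```python
import os
import socket

# Type column of /proc/net/packet: 3 = SOCK_RAW, 2 = SOCK_DGRAM (packet sockets only).
SOCK_TYPE_NAMES = {int(socket.SOCK_RAW): "SOCK_RAW", int(socket.SOCK_DGRAM): "SOCK_DGRAM"}

# Constructed sample: one classic SOCK_RAW socket and one SOCK_DGRAM socket,
# both with proto 0x0003 (ETH_P_ALL); iface 0 means "any interface".
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3e5d2000 3      3    0003   2     1 0       0        28311
ffff9a1c3e5d2800 3      2    0003   0     1 0       0        28315
"""
# Constructed stand-in for the result of walking /proc/<pid>/fd on a live host.
SAMPLE_INODE_TO_PID = {28311: 1422, 28315: 2817}


def parse_proc_net_packet(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet text."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({
            "type": int(fields[2]),      # socket type (decimal)
            "proto": int(fields[3], 16), # link-layer protocol, hex (0x0003 = ETH_P_ALL)
            "iface": int(fields[4]),     # bound interface index, 0 = any
            "inode": int(fields[8]),     # socket inode, matches 'socket:[inode]' fd links
        })
    return sockets


def find_packet_sockets(text, inode_to_pid, raw_only=False):
    """Map AF_PACKET sockets to owning PIDs as (pid, type_name, proto) tuples.
    raw_only=True reproduces the SOCK_RAW-only check that misses the DGRAM variant."""
    hits = []
    for s in parse_proc_net_packet(text):
        if raw_only and s["type"] != socket.SOCK_RAW:
            continue
        type_name = SOCK_TYPE_NAMES.get(s["type"], str(s["type"]))
        hits.append((inode_to_pid.get(s["inode"]), type_name, s["proto"]))
    return hits


def live_inode_to_pid():
    """Walk /proc/<pid>/fd on a Linux host and map socket inodes to PIDs (root sees all)."""
    mapping = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    mapping[int(link[8:-1])] = int(pid)
        except OSError:
            continue  # process exited or fd table not readable for this user
    return mapping
```

On a live host, pass `open("/proc/net/packet").read()` and `live_inode_to_pid()` to `find_packet_sockets`; any hit that is not a known sniffer or monitoring agent deserves a look regardless of its socket type.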
Reposted by HaxRob
#ESET research has identified #Linux malware samples, one of which we named #WolfsBane and attribute with high confidence to #Gelsemium. This 🇨🇳 China-aligned APT group, active since 2014, has not previously been publicly reported to use Linux malware. www.welivesecurity.com/en/eset-rese... 🧵(1/6)
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, as well as to Project Wood.
www.welivesecurity.com
November 21, 2024 at 10:30 AM
What a fantastic book.
November 22, 2024 at 2:32 AM
There is an interesting idea in here. Imagine a signalling firewall integrated in a way that detects SS7 / Diameter attacks originating from the GRX/IPX and informs the subscriber in real time, offering immediate situational awareness to the customer.
November 22, 2024 at 1:55 AM
I've lost count of the number of times I've found myself landing on nickvsnetworking.com when doing research. High quality content.
November 22, 2024 at 12:10 AM
Reposted by HaxRob
DEC VT-100 (1978)
November 19, 2024 at 10:05 AM
GoblinRAT 👀

✅ Tailored process name masquerading
✅ Port knocking
✅ Self destruct capability
✅ Overwrites disk artefacts with /dev/urandom
✅ Found on compromised gov infrastructure
✅ Linux / #golang
❌ IoCs but no samples anywhere to be found 😭
November 16, 2024 at 9:49 PM