🇺🇦 Xorhex 🇺🇦
@xorhex.bsky.social
Reposted by 🇺🇦 Xorhex 🇺🇦
If you're interested in my dependency querying code for yara rules check out my deps branch: github.com/wxsBSD/yara-...
You can build it with "cargo build --features=debug-cmd" and use it like "yr debug deps -h". My TODO list for this is basically:
- Write tests
- Move to its own command
GitHub - wxsBSD/yara-x at deps
Experimenting with YARA and Rust. Contribute to wxsBSD/yara-x development by creating an account on GitHub.
github.com
November 9, 2025 at 8:43 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
The slides and materials from @cxiao.net's "Reversing a (not-so-) Simple Rust Loader" workshop at Ringzer0 COUNTERMEASURE today are now available! github.com/decoderloop/...
#rustlang #ReverseEngineering #MalwareAnalysis #infosec #reversing #malware #binaryninja #COUNTERMEASURE25 #ringzer0
GitHub - decoderloop/2025-11-07-ringzer0-countermeasure-not-so-simple-rust-loader-workshop: Slides and materials for the workshop "Reversing a (not-so-) Simple Rust Loader" at Ringzer0 COUNTERMEASURE ...
Slides and materials for the workshop "Reversing a (not-so-) Simple Rust Loader" at Ringzer0 COUNTERMEASURE 2025. - decoderloop/2025-11-07-ringzer0-countermeasure-not-so-simple-rust-loade...
github.com
November 7, 2025 at 9:05 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Back-to-back-to-back streams! Join us again today at 4pm ET to meet Marion Marschalek, and get a taste of what Advanced Linux Malware Reverse Engineering at RE//verse 2026 will be like! Ask your questions during the stream or reply with them here! youtube.com/live/R72mHPl...
November 7, 2025 at 7:25 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
November 7, 2025 at 6:15 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
D3 viz of Symbiote malware call graph created with @binaryninja.bsky.social. Interactive, and makes pewpew sounds. The pewpew sounds are naturally the most important analysis feature, duh. Code going public soon.
November 7, 2025 at 1:52 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
An interesting article talking about public attribution and the lack thereof in Indonesia and India on @bindinghook.bsky.social.
bindinghook.com/india-and-in...
India and Indonesia’s approach to publicly attributing cyberattacks? No naming, no shaming
India and Indonesia’s reticent approach to publicly attributing cyberattacks is the result of strategic culture, insufficient technical capacity, and the lack of clear returns
bindinghook.com
November 5, 2025 at 5:15 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
We hear you! Registration opens next week, so keep an eye on our social media. The registration link, also known as the 'Ask for invite', will soon be available on pivotcon.org
#PIVOTcon26 #CTI #ThreatIntel #StayTuned
November 5, 2025 at 2:24 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
New Iran drop from me tracking an attribution nightmare - UNK_SmudgedSerpent! A little Charming, a little Muddy, and a lot C5. Targeting policy experts with benign conversation starters, health-themed infra, OnlyOffice spoofs, and RMMs. Check out the full story www.proofpoint.com/us/blog/thre...
Crossed wires: a case study of Iranian espionage and attribution | Proofpoint US
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report. Key findings Between June and August 2025,
www.proofpoint.com
November 5, 2025 at 1:37 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
I've got something built on Victor's new DFSIter for yara-x AST that takes a set of rules and outputs the dependencies and modules used (based upon the compiled list of modules). Ultimately I want to make it output a graphviz file for visualization but for now it's dumping them to stdout...
November 4, 2025 at 3:12 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
We've uploaded our stream from Oct 24 where we continued analyzing the SORVEPOTEL infection chain, including shellcode, Maverick.Agent.StageTwo, Maverick Agent, and a PowerShell WhatsApp worm. Big shout out to unpacme, Dodo and Washi for their help with this stream. youtu.be/h6imZyQrdBk
Maverick .NET Agent Analysis and WhatsApp PowerShell Worm (Stream - 21/10/2025)
YouTube video by Invoke RE
youtu.be
November 3, 2025 at 7:00 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
I had some time to work on the RE Rust Tickler challenges from @HuntressLabs recent CTF.
Specifically, I wanted to focus on @vector35 Binary Ninja's TTD implementation
Over the weekend I made some quick write-ups on how I approached these easier challenges.
github.com/Rurik/CTF/tr...
CTF/Huntress_2025 at master · Rurik/CTF
Various CTF code. Contribute to Rurik/CTF development by creating an account on GitHub.
github.com
November 3, 2025 at 4:59 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Thank you for your interest in Decoder Loop & #rustlang reverse engineering training so far!
This Friday, November 7th, join us at Ringzer0 COUNTERMEASURE, in Ottawa, Canada, where @cxiao.net will present the workshop "Reversing a (not-so-) Simple Rust Loader": ringzer0.training/countermeasu...
WORKSHOP: Reversing a (not-so-) Simple Rust Loader // Cindy Xiao
Rust can be challenging for even experienced reverse engineers. We will reverse a simple Rust malware loader found in the wild with obfuscated strings and a decoy payload, making it a good example for...
ringzer0.training
November 3, 2025 at 3:30 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
This will be my third time speaking at Bsides but it’s already the most hilarious
No longer limited by geographical constraints, virtual conferences have opened up new possibilities for reeducation! Join us at #BSidesPyongyang on Nov 18th and discover the thrill of online learning! #BSPY25 #NewFrontiers
October 31, 2025 at 11:37 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
New Blog 👀
This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️
🔗 www.sans.org/blog/for589-...
October 30, 2025 at 10:42 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
At hack.lu I gave a presentation about "How to better identify (weaponized) file formats":
- Why do we need to identify file formats accurately?
- Why can the current tools (libmagic, magika) sometimes be bypassed?
- How can we do better?
You can now see it here: youtu.be/Qp5GDh2sj6A
#HackLu
hack.lu 2025
Hack.lu (and CTI summit) is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society. It’s the ...
hack.lu
October 27, 2025 at 4:18 PM
Still testing 🤞
For those able to use #BinaryNinja projects, #BinYars can sort the files into folders based upon the #Yara-X rule metadata field, BNFolder. The folder nesting structure is determined by the number of matches that reside under each folder - check out the video below!
October 26, 2025 at 8:27 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
Get tickets before they run out! (This is a free online event that will not run out)
www.eventbrite.com/e/bsides-pyo...
BSides Pyongyang
An online security conference: enjoy it together and learn about the latest security trends! | #BSidesPyongyang2025 : A free community cyber conference on Nov 18 2025
www.eventbrite.com
October 25, 2025 at 12:12 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
It's getting close to being done - #BinYars a #YARA-X #BinaryNinja plugin! Still testing, but plan on open sourcing it for all to use.
Shout out to Remco Sprooten for making this tool (also shown in the video) for quickly drafting Yara rules 💪 github.com/1337-42/Simp...
Video: Part 1 of 2
October 24, 2025 at 8:22 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
PDFs have been a constant struggle and I’ve found that this helps. Might be a little biased tho
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint.
We use this tool internally to help track multiple threat actors with high confidence.
October 23, 2025 at 6:19 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Hell yeah check out that lineup
Our new website has launched. We will continue to update the site with information as it becomes available.
https://bsidespyongyang.com/
October 23, 2025 at 9:51 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
🔥 New Research from @hegel.bsky.social 🔥
PhantomCaptcha: A short-lived, multi-stage PowerShell and WebSocket RAT operation targeting Ukraine-linked humanitarian and government entities.
Full report: s1.ai/pcapt
PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation
SentinelLABS uncovers a coordinated spearphishing campaign targeting organizations critical to Ukraine's war relief efforts.
s1.ai
October 22, 2025 at 10:46 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
We've uploaded our stream from last Tuesday where we analyzed the SORVEPOTEL PowerShell .NET infection chain www.youtube.com/watch?v=ua3s... enjoy!
SORVEPOTEL PowerShell .NET Loader Infection Chain Analysis (Stream - 14/10/2025)
YouTube video by Invoke RE
www.youtube.com
October 22, 2025 at 9:05 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...
October 22, 2025 at 9:18 AM