Alireza Gharib
@alirezagharib.net
Just a Techi Talkie Boy !
https://alirezagharib.net
It is really one battle after another!
December 23, 2025 at 8:24 PM
Reposted by Alireza Gharib
Yep.

New places for attackers to hide.

It's One Battle After Another.

Which is why I just dropped a Subtitles module.

github.com/StartAutomat...

#CyberSecurity #PowerShell #Accessibility
GitHub - StartAutomating/Subtitles: Script Subtitles with PowerShell.
December 23, 2025 at 8:19 PM
5/5 Monitor for powershell.exe with a command line containing select -Skip targeting .srt files. That’s a 100% indicator of this campaign.

#CyberSecurity #AgentTesla #BlueTeam #Malware #Torrent #SOC #Infosec2025
December 23, 2025 at 2:36 PM
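The indicator from the post above, turned into a check an analyst could run over process-creation telemetry. This is an added example, not the poster's code: the event records are constructed here in the shape of Sysmon Event ID 1 / Windows 4688 fields (`Image`, `ParentImage`, `CommandLine`), and those field names and the `resolve_skip_count` helper are assumptions. It matches both the `select` alias and the full `Select-Object` name regardless of case, since the one-liner can be written either way, and it resolves the skip count hidden behind arithmetic such as `$s=500*5` so the analyst sees the plain number during triage.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688 style).
# These are not real telemetry; they only illustrate the shape of the check.
SAMPLE_EVENTS = [
    {  # matches the indicator: powershell.exe, select -Skip, an .srt file, skip count hidden in arithmetic
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -w hidden -c "$s=500*5;gc .\Movie.srt|select -Skip $s"',
    },
    {  # matches with the full cmdlet name and a literal skip count
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -c "Get-Content C:\Users\u\Downloads\film.en.srt | Select-Object -Skip 2500"',
    },
    {  # benign: select -Skip, but no .srt file involved
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'powershell.exe -c "Get-Process | select -Skip 5 -First 10"',
    },
    {  # benign: an .srt file opened by something other than powershell.exe
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\u\Videos\movie.srt",
    },
]

# "select" is the built-in alias for Select-Object; accept either spelling, case-insensitively,
# followed by -Skip before the next pipeline stage or statement separator.
SELECT_SKIP = re.compile(r"\b(?:select|select-object)\b[^|;]*?-skip\b", re.IGNORECASE)
SRT_FILE = re.compile(r"\S+\.srt\b", re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r"(?:^|\\)powershell\.exe$", re.IGNORECASE)


def is_srt_select_skip(event: dict) -> bool:
    """True when powershell.exe runs a command line that pipes an .srt file through select -Skip."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not POWERSHELL_IMAGE.search(image):
        return False
    return bool(SELECT_SKIP.search(cmd) and SRT_FILE.search(cmd))


def resolve_skip_count(cmd: str):
    """Recover the numeric -Skip argument for triage (hypothetical helper).

    Handles a literal (-Skip 2500) and the single-variable arithmetic form the thread
    describes ($s=500*5 ... -Skip $s). Returns None when it cannot be resolved statically.
    """
    m = re.search(r"-skip\s+(\$?\w+)", cmd, re.IGNORECASE)
    if not m:
        return None
    arg = m.group(1)
    if arg.isdigit():
        return int(arg)
    if arg.startswith("$"):
        # Look for "$name=<int>*<int>" or "$name=<int>" earlier in the command line.
        assign = re.search(re.escape(arg) + r"\s*=\s*(\d+)(?:\s*\*\s*(\d+))?", cmd)
        if assign:
            base = int(assign.group(1))
            return base * int(assign.group(2)) if assign.group(2) else base
    return None


def triage(events):
    """Return (command line, resolved skip count) for every event matching the indicator."""
    return [(e["CommandLine"], resolve_skip_count(e["CommandLine"]))
            for e in events if is_srt_select_skip(e)]


if __name__ == "__main__":
    for cmd, skip in triage(SAMPLE_EVENTS):
        print(f"HIT skip={skip}: {cmd}")
```

Run as a script it prints the two matching command lines with their resolved skip counts; the two benign records are left alone. Plugged into a SIEM pipeline, `is_srt_select_skip` is the alert condition and `resolve_skip_count` is enrichment for the analyst reading the alert.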
4/5 The effect

We’re seeing possibly thousands of active infections. This "old" Trojan is stealing:

VPN/Email logins
Browser session tokens
Live screenshots
December 23, 2025 at 2:36 PM
3/5 Persistence & Stealth

It creates a scheduled task for a fake "Realtek" diagnostic tool. Before it runs, it checks for Windows Defender. If it's clear, Agent Tesla is loaded straight into memory. No file on disk = no easy footprint for AV.
December 23, 2025 at 2:36 PM
2/5 It is deep!

It extracts encrypted blocks from the video file and images, moving them to:

%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache

By splitting the payload, it bypasses traditional static file scanners.
December 23, 2025 at 2:36 PM
1/5 The "Subtitle" Trap
The attack starts with a shortcut launcher. It triggers a PowerShell command buried in a .srt file using math to evade detection.
$s=500*5 skips the subtitles.
$e=15*2 grabs the payload.
It literally "hides" the malware in the text you'd read on screen.
December 23, 2025 at 2:36 PM
5/5 Upgraded Templates: Fresh support for Whonix18, Debian13, and Fedora42 means our isolated environments are running the latest security patches and toolsets.
For handling high-risk workloads, sensitive infrastructure access, or malware analysis, Qubes OS remains the gold standard for endpoint security.
December 22, 2025 at 1:15 PM
4/5 New Device API: The "self-identity oriented" device assignment makes managing untrusted hardware (USB, PCI) more intuitive and granular. In an era of BadUSB and firmware attacks, this is a non-negotiable feature.
December 22, 2025 at 1:15 PM
3/5 GUI Domain Evolution: The continued progress on the GUIVM (GUI/Admin domain splitting) is a massive win. By moving the graphical stack out of Dom0, the Trusted Computing Base (TCB) is further reduced, minimizing the impact of potential GPU or display driver exploits.
December 22, 2025 at 1:15 PM
2/5 Xen 4.19 & Hardened Dom0: Upgrading to Xen 4.19 and Fedora 41 for Dom0 ensures the hypervisor—the heart of the system—stays ahead of the vulnerability curve with better performance and hardware support.
December 22, 2025 at 1:15 PM
1/5 With the official release of version 4.3.0, the Qubes team has pushed the boundaries of compartmentalization even further. From a specialist perspective, here is why this update matters:
December 22, 2025 at 1:15 PM
4/4 Analyst Take: 🛠️
If your "Product" is your "Data," your DRM needs to be monitored as closely as your Firewall. If you can't see the 300TB walking out the door, you're not looking at the right logs. 🕵️‍♂️🔒

#Spotify #CyberSecurity #DRM #Piracy #TechNews2025
December 22, 2025 at 11:24 AM
3/4 Human Impact: For us, it’s a "security incident." For the artist, it’s the loss of control over their work. Piracy 2.0 isn't just about "free music"—it's about the total bypass of the technical barriers that keep the industry afloat.
December 22, 2025 at 11:24 AM
2/4 Why 85 Million? That number represents roughly 99.6% of all music actually listened to on the platform. This wasn't a random grab; it was a surgical "archiving" of the world's active music library.
December 22, 2025 at 11:24 AM
1/4 The SOC Angle: As analysts, we track "Exfiltration." But when a scraper mimics a human listener across millions of accounts, the traffic blends in. This is why Behavioral Fingerprinting is more important than simple rate limiting.
December 22, 2025 at 11:24 AM
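To make the contrast in the post above concrete, here is an added example, not from the poster, using constructed listening records for two accounts. A plain per-account rate limit (`exceeds_rate_limit`, with an assumed threshold of 60 plays an hour) sees nothing wrong with a scraper that paces itself at 30 plays an hour, while a handful of behavioural traits (round-the-clock activity, the catalogue walked in ID order, identical play length, no replays) separates it from a human listener who is burstier but never trips the limit. The record shape, the trait thresholds and the scoring are illustrative assumptions.

```python
import random
from collections import Counter
from statistics import pstdev

# Constructed listening records as (account, hour_of_day, track_id, fraction_of_track_played).
# Not real platform telemetry; the two accounts are shaped to illustrate the post's point.
def make_sample_events():
    events = []
    # A scraper that walks the catalogue in ID order, plays every track to the end, runs 24 hours
    # a day, but holds itself to 30 plays per hour, comfortably under the rate limit used below.
    track_id = 10_000
    for hour in range(24):
        for _ in range(30):
            events.append(("scraper", hour, track_id, 1.0))
            track_id += 1
    # A human who replays a few favourites in the evening, skips some tracks, and listens in bursts.
    rng = random.Random(7)  # seeded so the sample is reproducible
    favourites = [501, 502, 503, 777, 912, 1203]
    for hour, plays in zip(range(18, 24), [12, 40, 25, 33, 8, 19]):
        for _ in range(plays):
            events.append(("human", hour, rng.choice(favourites), rng.choice([0.2, 0.5, 0.9, 1.0])))
    return events


def exceeds_rate_limit(events, account, per_hour_limit=60):
    """Simple rate limiting: flag the account only if some hour exceeds the play limit."""
    per_hour = Counter(hour for acct, hour, _, _ in events if acct == account)
    return max(per_hour.values(), default=0) > per_hour_limit


def behaviour_score(events, account):
    """Behavioural fingerprint: count traits that real listeners rarely show all at once."""
    plays = [e for e in events if e[0] == account]
    if not plays:
        return 0
    tracks = [track for _, _, track, _ in plays]
    fractions = [fraction for _, _, _, fraction in plays]
    active_hours = len({hour for _, hour, _, _ in plays})
    sequential = sum(1 for a, b in zip(tracks, tracks[1:]) if b == a + 1) / max(len(tracks) - 1, 1)
    score = 0
    score += active_hours >= 20                       # active essentially around the clock
    score += sequential > 0.9                         # catalogue consumed in ID order
    score += pstdev(fractions) < 0.05                 # every play the same length: no skips, no partial plays
    score += len(set(tracks)) / len(tracks) > 0.95    # never replays anything
    return int(score)


def is_scraper_like(events, account, threshold=3):
    """Flag an account whose behaviour carries most of the scraper traits."""
    return behaviour_score(events, account) >= threshold


if __name__ == "__main__":
    ev = make_sample_events()
    for account in ("scraper", "human"):
        print(account, "rate-limited:", exceeds_rate_limit(ev, account),
              "behaviour score:", behaviour_score(ev, account),
              "scraper-like:", is_scraper_like(ev, account))
```

Neither account trips the rate limit, so a rate-limit-only control reports nothing; the behaviour score lands at 4 for the scraper and 0 for the human. In practice the traits would be tuned per platform and combined with account-level signals, but the point stands: what gives the scraper away is the shape of its activity, not its volume.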