aridjourney
@aridjourney.bsky.social
Threat research at HarfangLab. Opinions are my own.
Recently, our team at HarfangLab had a look at samples of archives containing weaponized XLS spreadsheets which drop C# and C++ downloaders, and which were likely intended to be delivered to targets in Ukraine and in Poland.
August 20, 2025 at 12:38 PM
Following our recent #Gamaredon publication, the actor upgraded their PteroLNK malware and expanded infrastructure. Key changes:
- NTFS Alternative Data Streams (ADS) storage
- Randomized HTTP headers breaking network sigs
- Expanded tunneling services
- More robust DDR approach
June 23, 2025 at 5:08 PM
Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities.
June 16, 2025 at 12:52 PM