bugfire.io
Drew
@bugfire.io
malware detection and analysis, hunting and gathering, threat research
Reposted by Drew
I am suggesting a new malware type: the browser remote access tool (BRAT)

It's a form of browser hijacker that remotely controls your browser based on server commands.

Typical form: pressing key combos for copy-pasting URLs, opening tabs, opening the context menu, downloading files, etc.
November 17, 2025 at 11:43 AM
Reposted by Drew
Podcast thoughts on Anthropic's conflicting marketing messages about Claude Code automating Chinese APT attacks #threebuddyproblem @jags.bsky.social @craiu.bsky.social
November 15, 2025 at 5:37 PM
Reposted by Drew
Check Point looks at a very niche phishing group named Payroll Pirates that uses malvertising to target the users of payroll systems, credit unions, and trading platforms

cyberint.com/blog/threat-...
November 13, 2025 at 10:29 AM
Reposted by Drew
2025-11-11 (Tuesday): Cryptocurrency #scam starts with an email. Potential victims must click through several web pages to finish the process. I recorded a video showing what I did after the last image in this post at youtu.be/yUV7OkQqSBk

More info on this activity at github.com/PaloAltoNetw...
November 12, 2025 at 4:01 AM
Reposted by Drew
Yesterday folks got a phishing email for a fake DMCA report, myself included. Caught me at a good time so I could record poking at the scam and the malware it leads to: ultimately infostealer malware (the usual) from a fake domain & clearly AI slop site: youtu.be/IzKjL16-sgY
November 6, 2025 at 3:45 PM
Reposted by Drew
We deployed MCP honeypots to understand how threat actors engage with AI middleware exposed to the internet. What we observed was unexpected. Full analysis ⬇️
#GreyNoise #AI #AISecurity #MCP #MCPSecurity #Cybersecurity #ThreatIntel
What GreyNoise Learned from Deploying MCP Honeypots
GreyNoise deployed MCP honeypots to see what happens when AI middleware meets the open internet — revealing how attackers interact with this new layer of AI infrastructure.
www.greynoise.io
November 5, 2025 at 7:15 PM
I’m convinced there’s no better time of the week than Saturday morning
October 25, 2025 at 3:07 PM
Well done AI…
I wonder how many people watching Channel 4's documentary about #AI saw this plot twist coming at the end...
October 24, 2025 at 6:48 PM
Reposted by Drew
PDFs have been a constant struggle and I’ve found that this helps. Might be a little biased though.
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆

We use this tool internally to help track multiple threat actors with high confidence.
October 23, 2025 at 6:19 PM
Reposted by Drew
🎙️ Ever wonder what it takes to secure a massive event like Black Hat? 🤔

Mark Overholser from Corelight joins us to pull back the curtain on how the Black Hat Network Operations Center (NOC) is built, monitored, and the craziest things that have shown up!

Spotify: open.spotify.com/episode/2F4x...
EP17 What Lurks Beneath: Building a Robust Network at Black Hat with Mark Overholser
Behind the Binary by Google Cloud Security · Episode
open.spotify.com
October 22, 2025 at 5:01 PM
Reposted by Drew
Normally when we hear about a malware operation being disrupted, it's because it has been shut down by the cops. But in the case of Lumma Stealer, it appears to have been sabotaged by other cybercriminals.

Read more on the Fortra blog: www.fortra.com/blog/cybercr...
Cyber-criminals Turn on Each Other: The Story of Lumma Stealer's Collapse
A malware-as-a-service operation used to steal passwords and sensitive data has been sabotaged by other cyber-criminals.
www.fortra.com
October 22, 2025 at 5:12 PM
Reposted by Drew
⚠️ Attackers are moving beyond credentials.

Our blog shows they’re increasingly weaponizing #OAuth applications to maintain persistent access in the cloud—even after #passwords are reset or #MFA is enforced.

This persistence poses a growing risk to modern enterprises.
October 21, 2025 at 5:51 PM
Reposted by Drew
🔥 Live stream with Hahna Kane begins in ~1 hour, join us on YouTube!

youtube.com/live/HG_JsFq...
Practical Applications in Machine Learning with Hahna Kane Latonick
Hahna Kane Latonick joins the live stream to talk about machine learning, reverse engineering, program analysis and more! We'll explore practical approaches ...
youtube.com
October 20, 2025 at 7:04 PM
Reposted by Drew
Our DEF CON33 ICS Village talk is now on YouTube!

@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.

Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
DEF CON 33 - Don’t Cry Wolf: Evidence based assessments of ICS Threats - Jimmy Wylie & Sam Hanson
ICS Malware is rare. Yet, ICS Malware like FrostyGoop and TRISIS, and related discoveries like COSMICENERGY, were all found on VirusTotal, so analysts still hunt for novel ICS Malware in public malware repositories. In the process, they discover all kinds of tools: research, CTFs, obfuscated nonsense
www.youtube.com
October 16, 2025 at 7:18 PM
Reposted by Drew
Amid the security incident involving F5 BIG-IP announced today, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing. The anomalies reported in our blog may not necessarily relate to the 15 Oct incident. ⬇️
GreyNoise’s Recent Observations Around F5
Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing.
www.greynoise.io
October 15, 2025 at 11:35 PM
Reposted by Drew
The Binary Ninja 5.2 dev release is showing some amazing work with their new Time Travel Debugging (TTD) interface. This makes a huge impact on analysis!

(and fits well on my UW monitor)
October 10, 2025 at 1:40 AM
Reposted by Drew
Our new research is now live, and it's full of juicy insights. From a log poisoning vulnerability, to an RMM you've likely never heard of, and a list of victim locations that span the globe! 👀 👇
1⃣ The Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.

www.huntress.com/blog/nezha-c...
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors | Huntress
Beginning in mid-2025, Huntress discovered a new tool being used to facilitate webserver intrusions known as Nezha, which up until now hasn’t been publicly reported on. This was used in tandem with ot...
www.huntress.com
October 10, 2025 at 2:31 AM
Reposted by Drew
🔥 Live stream this Thursday at 12pm CDT! Peter Manev and Lukas Sismis are here to talk about the latest Suricata releases, which fix several high severity CVEs...

Join us on YouTube - youtube.com/live/ID9q7E4...
LIVE: Suricata 8.0.1 & 7.0.12 Security Release: Fixing High-Severity CVEs with the Core Team
Join us live with the Suricata core team members as we break down the crucial security updates in the newly released Suricata 8.0.1 and 7.0.12. These are imp...
youtube.com
October 7, 2025 at 3:00 PM
Reposted by Drew
2025-10-01 (Wed) I've posted #malware samples and a #pcap of the post-infection traffic from an infection by possible #Rhadamanthys malware at www.malware-traffic-analysis.net/2025/10/01/i...

This is from a file disguised as a cracked version of software, and I usually see #LummaStealer from this.
October 6, 2025 at 6:52 PM
Reposted by Drew
🔥 The next episode of Behind the Binary is here! We're joined by renowned security researcher Hahna Kane Latonick for a deep dive into the powerful world where reverse engineering meets data science.

🎧 open.spotify.com/episode/2CFB...
EP16 The Machine Learning Revolution in Reverse Engineering with Hahna Kane Latonick
Behind the Binary by Google Cloud Security · Episode
open.spotify.com
October 2, 2025 at 4:02 PM
Reposted by Drew
2025-09-29 (Monday): Follow-up to my post last week. I've been seeing one or two of these emails almost every day. Details on the latest example at github.com/malware-traf...
September 30, 2025 at 5:04 PM
Reposted by Drew
🥷 FLARE-On 12 starts today - prepare yourself with this episode of Behind the Binary 👇

open.spotify.com/episode/4eS4...
EP15 Getting Ready for FLARE-On 12 - An Inside Look at the Reverse Engineering Gauntlet
Behind the Binary by Google Cloud Security · Episode
open.spotify.com
September 26, 2025 at 7:02 PM
Reposted by Drew
🏗️ More assembly basics - in this short, we'll cover how to create a basic FOR loop in assembly!

🎯 youtube.com/shorts/eddBB...
🏗️ Assembly Shorts - Creating a FOR Loop
In this short, we'll cover how to create a basic FOR loop in assembly. To see how I created the printf wrapper functions: https://youtu.be/NQjJLpKkH28 Join this channel to get access to…
youtube.com
September 26, 2025 at 5:15 PM
Reposted by Drew
Couple of openings here in our threat research org!

Staff Security Research Engineer:
proofpoint.wd5.myworkdayjobs.com/en-US/Proofp...

Senior Threat Researcher (ecrime team):
proofpoint.wd5.myworkdayjobs.com/ProofpointCa...
Staff Security Research Engineer
About Us: We are the leader in human-centric cybersecurity. Half a million customers, including 87 of the Fortune 100, rely on Proofpoint to protect their organizations. We’re driven by a mission to s...
proofpoint.wd5.myworkdayjobs.com
September 24, 2025 at 1:59 AM