Cyb3rhawk
cyb3rhawk.bsky.social
Cyb3rhawk leads a threat hunting team. Interested in DE&TH, threat intel and DFIR. Always striving to make the daily grind of SOC analysts a breeze. Always eager to learn from others and look out for new ways to streamline what I learn.
Pinned
I had fun writing this. See how treating "bypass" as a single technique creates blind spots in our hunting. We will continue this with a practical example using Blackbasta leaks
#infosec #threathunting #thrunting #blueteam #threatdetection #THORcollective
The goal of the blog (Soul instead of Shell) is to understand the constraints that force payload decisions and how they can help us detect/hunt.
Every payload has a soul - and understanding it makes us better hunters.

medium.com/@cyb3r-hawk/...
Soul instead of Shell — Payloads with Purpose
What SharePoint’s RCE May Teach Us About Payload Design and Detection/Hunt Strategy
medium.com
August 21, 2025 at 2:18 AM
Recent #Xworm infections (esp. during tax season) follow a pattern:
mshta.exe → Scheduled Tasks → IEX execution.

#ThreatHunting #DetectionEngineering #MalwareAnalysis #DefenseEvasion
April 28, 2025 at 8:40 PM
Lumma Stealer is one of, if not the, dominant infostealers, with a diverse distribution ecosystem spanning GitHub, Telegram, and multiple others. In this blog, we will look at distribution channels, credential sellers, and locations where logs are sold.

medium.com/@cyb3r-hawk/...
Lumma Stealer — Threat Hunting and Infrastructure Analysis
We all heard of Lumma Stealer by now and how it has positioned itself as the top infostealer market share[1] after Mirai. Its initial…
medium.com
April 25, 2025 at 7:04 AM
My next post is live. In this one, we will build upon our previous theoretical introduction of the LAYER approach and see its practical implementation using the BlackBasta chat leaks - specifically those related to "bypassing EDR."
#cybersecurity #threathunting #thrunting #THORcollective
April 11, 2025 at 12:27 AM
I had fun writing this. See how treating "bypass" as a single technique creates blind spots in our hunting. We will continue this with a practical example using Blackbasta leaks
#infosec #threathunting #thrunting #blueteam #threatdetection #THORcollective
April 3, 2025 at 3:56 PM
A ransomware strain ("SuperBlack") by actor "Mora_001" is currently targeting two recent Fortinet zero-day vulnerabilities (CVE-2024-55591 and CVE-2025-24472). I investigated multiple intrusions between January and March, and most of them have a similar attack chain.
Read it at lnkd.in/g5fefgbq
March 13, 2025 at 5:18 PM
Glad to have been featured in the Cyber Focus podcast, which allowed me to comment on our 2024 Threat Roundup report. We discussed key findings, threats to critical infrastructure, OT security risks, threat hunting frameworks and cyber resilience.
Check it out:
youtu.be/ndOpYFiabbc?...
February 19, 2025 at 8:40 PM
Amatera Stealer:
Following the trend of infostealers, while a recent campaign of AMOS stealer targeted macOS users (lnkd.in/gD8Da4mv), a new Windows-focused stealer called Amatera was observed during my recent intrusion analysis.
#Amatera #infoStealer #windows #telegram #crypto #cyber #security
February 1, 2025 at 3:04 AM
For some folks, threat hunting research might lack a structured approach, leading to scattered and inefficient processes. This lack of structure hinders building upon previous hunts and scaling the threat hunting process effectively.
#ThreatHunting #Research #Cybersecurity
medium.com/p/90e020ffcf...
January 15, 2025 at 8:20 PM
Had fun writing on Chaya_003, targeting engineering workstations. It evolved from a process-killing executable analysis into an interesting investigation. The blend of technical, geopolitical, and IT-OT aspects made it even more interesting.
lnkd.in/g55hiBcP

#ICS #engineering #workstations #Discord
December 20, 2024 at 5:51 AM
Not every anomaly is malicious. In the post, I go over how to define success criteria and how you can embrace "false positives" when performing threat hunting. I used user-agent analysis as an example to try and drive it home. open.substack.com/pub/cyb3rsec...

#threathunting
December 17, 2024 at 8:26 PM
In my latest blog post, I showed how to use user-agent analysis in threat hunting to spot suspicious patterns and unauthorized software using environmental knowledge and known-normal baselines.
open.substack.com/pub/cyb3rsec...

#ThreatHunting #Detection #Engineering #User #agent #analysis
December 11, 2024 at 8:57 PM
SonicWall released an advisory on December 4th, SNWLID-2024-0018, that affects several SMA 100 Series devices. These devices include 500v, SMA 200, 210, 400, and 410 models running versions 10.2.1.13-72sv and earlier.

#CVE #SonicWall #SMA100 #ThreatIntel #SSL #VPN #vulnerabilities
December 11, 2024 at 6:18 AM
📢 Published: Threat Hunting Black Basta QR Phishing: Microsoft Teams Edition
It discusses threat hunting in Microsoft Teams for the social engineering techniques used by BlackBasta actors. It will go over hunting queries using Microsoft 365 logs to detect anomalous patterns.
www.linkedin.com/pulse/threat...
Threat Hunting Black Basta QR Phishing: Microsoft Teams Edition - Part 1
ReliaQuest team recently published an analysis of Black Basta's social engineering techniques shift. It details how these actors are using Microsoft Teams by posing as support personnel, initiating ch...
www.linkedin.com
November 15, 2024 at 1:40 AM