Andrew Northern
@exraritas.bsky.social
🔮 Senior Threat Researcher at @proofpoint 🔮 | Kindness and Compassion | Not a reflection of the opinions or policies of my employer | Andrew Northern
Reposted by Andrew Northern
The Justice Department and FBI announced a law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide implanted by Chinese hackers known as “Mustang Panda” or “Twill Typhoon."
www.justice.gov/opa/pr/justi...
www.justice.gov/opa/pr/justi...
Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers
The Justice Department and FBI today announced a multi-month law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide. A...
www.justice.gov
January 14, 2025 at 3:49 PM
The Justice Department and FBI announced a law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide implanted by Chinese hackers known as “Mustang Panda” or “Twill Typhoon."
www.justice.gov/opa/pr/justi...
www.justice.gov/opa/pr/justi...
Reposted by Andrew Northern
Dear Threat Researchers!
We wish you a fruitful year full of impactful research! Stay healthy, stay happy and don't stop being awesome! 🥂🕺💃🎇🎆 #HappyNewYear2025 #CTI #PIVOTcon25 #ThreatResearch #ThreatIntel
We wish you a fruitful year full of impactful research! Stay healthy, stay happy and don't stop being awesome! 🥂🕺💃🎇🎆 #HappyNewYear2025 #CTI #PIVOTcon25 #ThreatResearch #ThreatIntel
January 1, 2025 at 4:18 PM
Dear Threat Researchers!
We wish you a fruitful year full of impactful research! Stay healthy, stay happy and don't stop being awesome! 🥂🕺💃🎇🎆 #HappyNewYear2025 #CTI #PIVOTcon25 #ThreatResearch #ThreatIntel
We wish you a fruitful year full of impactful research! Stay healthy, stay happy and don't stop being awesome! 🥂🕺💃🎇🎆 #HappyNewYear2025 #CTI #PIVOTcon25 #ThreatResearch #ThreatIntel
Day 1 of giving the murder of crows 🐦⬛ a present 🎁 until we are friends.
Today’s present: Part of a Hash Brown
Today’s present: Part of a Hash Brown
January 1, 2025 at 4:45 PM
Day 1 of giving the murder of crows 🐦⬛ a present 🎁 until we are friends.
Today’s present: Part of a Hash Brown
Today’s present: Part of a Hash Brown
Joe knows ball
December 30, 2024 at 10:53 PM
Joe knows ball
Reposted by Andrew Northern
A while back, I made a thing that turns #BinDiff matches into YARA rules: https://github.com/google/vxsig #100DaysOfYARA
GitHub - google/vxsig: Automatically generate AV byte signatures from sets of similar binaries.
Automatically generate AV byte signatures from sets of similar binaries. - google/vxsig
github.com
December 7, 2024 at 9:32 PM
A while back, I made a thing that turns #BinDiff matches into YARA rules: https://github.com/google/vxsig #100DaysOfYARA
Sweet Tea
Polyphia, Aaron Marshall · Muse · Song · 2014
open.spotify.com
December 9, 2024 at 2:56 PM
Reposted by Andrew Northern
🎙️ I'm excited to announce the launch of a new podcast - Behind the Binary! #BehindTheBinary focuses on the stories of the people, technology, and events that have shaped the world of reverse engineering. You can find it on Spotify👇
open.spotify.com/show/3yWgmIu...
open.spotify.com/show/3yWgmIu...
Behind the Binary by Google Cloud Security
Podcast · Josh Stroschein · Welcome to Behind the Binary, the podcast that introduces you to the fascinating people, technology, and tools driving the world of reverse engineering. Join your host, Jos...
open.spotify.com
November 1, 2024 at 4:15 PM
🎙️ I'm excited to announce the launch of a new podcast - Behind the Binary! #BehindTheBinary focuses on the stories of the people, technology, and events that have shaped the world of reverse engineering. You can find it on Spotify👇
open.spotify.com/show/3yWgmIu...
open.spotify.com/show/3yWgmIu...
Reposted by Andrew Northern
New episode of DISCARDED where I chat with Genina Po about how she catches phish 🎣
We dive into how to write detections, what to hunt for when finding phish kits, and some of her recent research on phishing scams. Tune in wherever you get your podcasts!
Apple: podcasts.apple.com/us/podcast/d...
We dive into how to write detections, what to hunt for when finding phish kits, and some of her recent research on phishing scams. Tune in wherever you get your podcasts!
Apple: podcasts.apple.com/us/podcast/d...
Scams, Smishing, and Safety Nets: How Emerging Threats Catches Phish
Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 11/15/2024 · 51m
podcasts.apple.com
November 15, 2024 at 4:11 PM
New episode of DISCARDED where I chat with Genina Po about how she catches phish 🎣
We dive into how to write detections, what to hunt for when finding phish kits, and some of her recent research on phishing scams. Tune in wherever you get your podcasts!
Apple: podcasts.apple.com/us/podcast/d...
We dive into how to write detections, what to hunt for when finding phish kits, and some of her recent research on phishing scams. Tune in wherever you get your podcasts!
Apple: podcasts.apple.com/us/podcast/d...
Reposted by Andrew Northern
Such a thorough analysis of #RaspberryRobin in this article that taught me a lot 👇 😂
November 20, 2024 at 4:55 PM
Such a thorough analysis of #RaspberryRobin in this article that taught me a lot 👇 😂
Reposted by Andrew Northern
2024-11-25 (Monday): My thanks to the criminals who email malware directly to my inbox. This one is #AgentTesla using #FTP for #data_exfiltration. Sends to FTP server approx every 10 minutes.
Attached disk image file: bazaar.abuse.ch/sample/7a11d...
Extracted EXE: bazaar.abuse.ch/sample/2362b...
Attached disk image file: bazaar.abuse.ch/sample/7a11d...
Extracted EXE: bazaar.abuse.ch/sample/2362b...
November 25, 2024 at 9:56 PM
2024-11-25 (Monday): My thanks to the criminals who email malware directly to my inbox. This one is #AgentTesla using #FTP for #data_exfiltration. Sends to FTP server approx every 10 minutes.
Attached disk image file: bazaar.abuse.ch/sample/7a11d...
Extracted EXE: bazaar.abuse.ch/sample/2362b...
Attached disk image file: bazaar.abuse.ch/sample/7a11d...
Extracted EXE: bazaar.abuse.ch/sample/2362b...
@hultquist.bsky.social hitting us with the hottest phishing lure of all time
November 18, 2024 at 5:31 PM
@hultquist.bsky.social hitting us with the hottest phishing lure of all time
Reposted by Andrew Northern
Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this...
I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working
Apparently this is built into Chrome/Edge! So cool :)
edge://net-export/
I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working
Apparently this is built into Chrome/Edge! So cool :)
edge://net-export/
November 17, 2024 at 6:49 AM
Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this...
I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working
Apparently this is built into Chrome/Edge! So cool :)
edge://net-export/
I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working
Apparently this is built into Chrome/Edge! So cool :)
edge://net-export/
Trying to rebuild my following here. Tag other security researchers and professionals in the comments please. I’ll follow back :)
November 16, 2024 at 2:22 PM
Trying to rebuild my following here. Tag other security researchers and professionals in the comments please. I’ll follow back :)
Reposted by Andrew Northern
🧵Today’s blogpost focuses on a newer ransomware variant named SafePay. Needless to say, ransomware sucks. When this new variant appeared, it gained our attention. 👀
Let’s dig into what happened and what makes it tick ⬇️:
Let’s dig into what happened and what makes it tick ⬇️:
November 15, 2024 at 3:29 AM
🧵Today’s blogpost focuses on a newer ransomware variant named SafePay. Needless to say, ransomware sucks. When this new variant appeared, it gained our attention. 👀
Let’s dig into what happened and what makes it tick ⬇️:
Let’s dig into what happened and what makes it tick ⬇️:
Prized possession.
November 15, 2024 at 4:15 PM
Prized possession.
Started out with this set of block words. Quickly learned that there will be many more.
November 14, 2024 at 9:32 PM
Started out with this set of block words. Quickly learned that there will be many more.
Meh. A lot of engagement farming here already. Splendid
November 14, 2024 at 9:27 PM
Meh. A lot of engagement farming here already. Splendid
Reposted by Andrew Northern
#Latrodectus campaign from today
gist.github.com/myrtus0x0/cd.... If anything comes of it, I'll put in thread
gist.github.com/myrtus0x0/cd.... If anything comes of it, I'll put in thread
Latrodectus_2024_11_13.md
GitHub Gist: instantly share code, notes, and snippets.
gist.github.com
November 14, 2024 at 12:58 AM
#Latrodectus campaign from today
gist.github.com/myrtus0x0/cd.... If anything comes of it, I'll put in thread
gist.github.com/myrtus0x0/cd.... If anything comes of it, I'll put in thread