Paul Melson
@pmelson.bsky.social
Reposted by Paul Melson
Check out his full talk here:
www.google.com/url?sa=t&sou...
Keynote | SLEUTHCON 2025
June 6th, SLEUTHCON 2025 in Arlington, VA Presented by Paul Melson
October 17, 2025 at 3:11 PM
Reposted by Paul Melson
Paul Melson joined us this year as our keynote speaker to talk about the history of crimeware and its evolution through the years.

In his keynote he also gives some good advice to those who are in the field and creating their professional network. Check out what he had to say!
October 17, 2025 at 3:11 PM
If you’re not already alerting on

CONHOST.EXE spawning CMD.EXE spawning WGET.EXE

or

CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE

you’re gonna want to close that gap today.
October 3, 2025 at 4:04 PM
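The two parent-child chains in the post above can be checked from ordinary process-creation telemetry, but a single event only carries one parent level, so the lineage has to be rebuilt from pid/ppid pairs. The block below is an added example, not code from the post or its author: it walks constructed Sysmon-style records (the field names pid, ppid and image are assumed) and flags a process whose two nearest ancestors form one of the listed chains, ancestor first, exactly as the post words them. The sample events are constructed for illustration, not real logs.

```python
"""Ancestry-chain detection over process-creation events (added example)."""
from collections import namedtuple
from pathlib import PureWindowsPath

# Assumed event shape: one record per process creation.
ProcEvent = namedtuple("ProcEvent", "pid ppid image")

# Chains listed oldest ancestor first, matching "A spawning B spawning C".
CHAINS = [
    ("conhost.exe", "cmd.exe", "wget.exe"),
    ("conhost.exe", "conhost.exe", "conhost.exe"),
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def build_tree(events):
    """Map pid -> event. Real telemetry must key on a process GUID because
    PIDs are reused; the constructed sample below has unique PIDs."""
    return {e.pid: e for e in events}


def ancestry(tree, pid, depth):
    """Image basenames for [self, parent, grandparent, ...] up to depth,
    stopping early if an ancestor was never seen (e.g. system/idle)."""
    names = []
    while pid in tree and len(names) < depth:
        e = tree[pid]
        names.append(basename(e.image))
        pid = e.ppid
    return names


def find_chain_hits(events, chains=CHAINS):
    """Return (pid, 'a -> b -> c') for every event whose direct lineage
    matches one of the chains. Only exact parent-child steps count."""
    tree = build_tree(events)
    hits = []
    for e in events:
        for chain in chains:
            lineage = ancestry(tree, e.pid, len(chain))
            # lineage is child-first; compare ancestor-first against the chain
            if len(lineage) == len(chain) and tuple(reversed(lineage)) == chain:
                hits.append((e.pid, " -> ".join(chain)))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\conhost.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(202, 201, r"C:\Users\u\Downloads\wget.exe"),
    ProcEvent(300, 100, r"C:\Windows\System32\conhost.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\conhost.exe"),
    ProcEvent(302, 301, r"C:\Windows\System32\conhost.exe"),
    # benign-looking: cmd directly under explorer, wget under that
    ProcEvent(400, 100, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(401, 400, r"C:\Users\u\Downloads\wget.exe"),
]

if __name__ == "__main__":
    for pid, chain in find_chain_hits(SAMPLE):
        print(f"ALERT pid={pid}: {chain}")
```

The match is deliberately strict about depth: a chain is reported only when the three processes are direct parent, child and grandchild, so an extra hop in between (or a renamed binary, since only the image basename is compared) will not fire and would need its own rule.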
Are weekly dental cleanings a thing?
This is Annie. She is a dental therapy dog. Her job is to help patients experiencing anxiety by providing emotional support. While dentists go through years of schooling to treat patients Annie is able to lower their blood pressure and reduce anxiety just by being there. 14/10 (TT: funny.bunny9215)
September 26, 2025 at 12:14 AM
Reposted by Paul Melson
ICYMI: Paul Melson, VP of Cyber Intelligence Engineering at Capital One, delivered the SLEUTHCON 2025 keynote!

Watch here >> www.youtube.com/watch?v=9FvB...
Keynote | SLEUTHCON 2025
YouTube video by SLEUTHCON
September 10, 2025 at 4:19 PM
Happy International Dog Day, hope you spent it with your best friends
August 26, 2025 at 11:45 PM
Don’t miss the use of ngrok for tunneling here. Continue to see malicious actors use this service to hide C2. Ngrok uses AWS IPs across multiple zones for egress NAT. I recommend sinkholing their domains across your network.
ngrok[.]com
ngrok[.]io
ngrok-free[.]app

www.microsoft.com/en-us/securi...
Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog
Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed a...
July 22, 2025 at 1:43 PM
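As an added example (not code from the post or its author), the block below turns the three defanged domains above into something deployable: a label-boundary suffix match over DNS query logs, and a BIND response-policy zone that returns NXDOMAIN for each domain and all of its subdomains. Tunnel hostnames live under these apex names, so subdomain matching is the whole point; a naive substring test on "ngrok.io" would also hit an unrelated name such as "myngrok.io". The log line format, the zone name rpz.local and the sample queries are constructed for illustration.

```python
"""Sinkhole matching and RPZ generation for the domains in the post (added example)."""

# The three domains named in the post, re-fanged.
SINKHOLE_DOMAINS = ["ngrok.com", "ngrok.io", "ngrok-free.app"]


def normalize(name):
    """Lower-case and drop a trailing root dot so FQDN and relative forms compare equal."""
    return name.strip().rstrip(".").lower()


def matches_sinkhole(qname, domains=SINKHOLE_DOMAINS):
    """Return the sinkholed apex if qname equals it or is one of its subdomains,
    else None. The leading '.' in the suffix enforces a label boundary."""
    q = normalize(qname)
    for d in domains:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines, domains=SINKHOLE_DOMAINS):
    """Return (client, qname, apex) for each line whose query matches.
    Assumed line format: '<timestamp> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line
        _ts, client, qname, _qtype = parts[:4]
        apex = matches_sinkhole(qname, domains)
        if apex:
            hits.append((client, normalize(qname), apex))
    return hits


def rpz_zone(domains=SINKHOLE_DOMAINS, zone="rpz.local"):
    """Render a BIND RPZ zone. 'CNAME .' is the RPZ action for NXDOMAIN;
    the wildcard record covers every subdomain of the apex."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        d = normalize(d)
        lines.append(f"{d} IN CNAME .")
        lines.append(f"*.{d} IN CNAME .")
    return "\n".join(lines) + "\n"


# Constructed DNS query log (not real traffic).
SAMPLE_LOG = [
    "2025-07-22T13:40:01Z 10.1.2.3 a1b2c3d4.ngrok.io A",
    "2025-07-22T13:40:02Z 10.1.2.3 tunnel.ngrok-free.app. A",
    "2025-07-22T13:40:03Z 10.1.2.9 myngrok.io A",
    "2025-07-22T13:40:04Z 10.1.2.9 www.example.com A",
    "2025-07-22T13:40:05Z 10.1.2.4 NGROK.COM A",
]

if __name__ == "__main__":
    for client, qname, apex in scan_dns_log(SAMPLE_LOG):
        print(f"sinkhole hit: {client} asked for {qname} ({apex})")
    print(rpz_zone())
```

Blocking the names stops new tunnels from resolving; it does not terminate a session whose endpoint IP was already resolved, which is why the post's note about egress NAT addresses matters for the network-side view.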
It’s that time again, apparently.
June 28, 2025 at 4:52 PM
Reposted by Paul Melson
Paul Melson's Brief History of Crime[ware] was a lovely (?!) trip down memory lane. I'm old too, @pmelson.bsky.social
#SLEUTHCON #traumamemories
June 6, 2025 at 1:37 PM
It is my position that Chatham House rules and TLP should extend to any trolling that takes place in those channels and venues.
May 4, 2025 at 3:35 PM
Reposted by Paul Melson
New keynote drop: Paul Melson is taking the SLEUTHCON stage to dissect the rise of crime[ware]—how it started, how it scaled, and how we shut it down.
23+ yrs defending networks. ScumBots founder. Now VP @ Capital One.
🎤 June 6
📍IRL + virtual
🎟️ Tix moving fast - sleuthcon.com
🗓️ CFP closes April 18
April 14, 2025 at 6:02 PM
Today I am thankful for all of the folks working a shift and watching the wires to keep us safe. I see you and I appreciate you.
November 28, 2024 at 2:58 PM
Reposted by Paul Melson
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world. 
 
Read more here: www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
November 22, 2024 at 2:58 PM
Reposted by Paul Melson
2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...

Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...

Also runs in my lab just fine
November 22, 2024 at 7:42 PM
I’m in the process of migrating ScumBots from Twitter to Mastodon / infosec.exchange. You can follow the bot here now: infosec.exchange/@ScumBots
ScumBots (@ScumBots@infosec.exchange)
21 Posts, 0 Following, 83 Followers · I drop dox on scumbag bots and RATs
November 9, 2024 at 6:00 PM
I posted a writeup analyzing a malicious PDF file containing a heavily obfuscated PHP payload over on infosec[.]exchange:

infosec.exchange/@pmelson/113...
Paul Melson (@pmelson@infosec.exchange)
Attached: 1 image I found a PDF file that appears to be an exploit for a PHP web app. It contains a valid PDF file header but is not a valid PDF document. It also contains an HTML/PHP document that i...
October 23, 2024 at 7:38 PM