alden
LightNews LightNews
banner
re.wtf
alden
@re.wtf
670 followers 410 following 13 posts
sr detection engineer @ huntress • malware enjoyer • macOS security

https://alden.io
Posts Replies Media Videos
Reposted by alden
kennethkinion.bsky.social
Hot on the heels of the researched published by @huntress.com, hunting for Zoom-themed lures from DPRK's #BlueNoroff

💥Learn hunting techniques
💥Leverage new Validin features and data
💥Full, unredacted indicator list (domains, IPs, hashes)

www.validin.com/blog/zooming...
Zooming through BlueNoroff Indicators with Validin | Validin
Pivoting through recently-reported indicators to find BlueNoroff-associated domains
www.validin.com
June 20, 2025 at 5:24 PM
re.wtf
excited bc today @huntress.com is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠

we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)!

www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
www.huntress.com
June 18, 2025 at 8:53 PM
re.wtf
finally got around to rewriting the copy as yara binja plugin! 🥰

has a few quality of life improvements (new formats) and address wildcarding is fixed for ARM! (sorry bout that mac homies) ❤️

it's also now available in the plugin repository! 🔥

github.com/ald3ns/copy-...
April 15, 2025 at 9:39 PM
Reposted by alden
gleeda.bsky.social
CVE-2025-2825 or CVE-2025-31161: A vulnerability by any other name is still a threat 😇: We've updated the blog to reflect some new attacker tradecraft observed yesterday

cc @huntress.com @re.wtf @johnhammond.bsky.social

#DFIR #vuln #CVE

www.huntress.com/blog/crushft...
CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation | Huntress
Huntress observed in-the-wild exploitation of CVE-2025-31161, an authentication bypass vulnerability in versions of CrushFTP and further post-exploitation leveraging MeshCentral and other malware.
www.huntress.com
April 8, 2025 at 9:05 PM
re.wtf
pwning my FTP server is a weird way to say you have a Crush on me but okay 🥰

anyways check out our analysis of some CrushFTP CVE-2025-31161 post exploitation activity!

www.huntress.com/blog/crushft...
https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
t.co
April 4, 2025 at 9:57 PM
Reposted by alden
selenalarson.bsky.social
Published some new research on how RMMs are taking over as a first-stage payload www.proofpoint.com/us/blog/thre...
Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US
Key findings    More threat actors are using legitimate remote monitoring and management (RMM) tools as a first-stage payload in email campaigns.  RMMs can be used for
www.proofpoint.com
March 11, 2025 at 3:24 PM
Reposted by alden
jacoblatonis.me
nightmare blunt rotation
a screenshot of the "Languages" section of a GitHub repo, showing 58.8% C, 28.6% JavaScript, and 12.6% Python
March 8, 2025 at 6:24 AM
re.wtf
BREAKING: DOGE has uncovered that the CIA spent $10,000,000 on zyns and has been feeding them to analysts to increase productivity! 😱
Cool mint zyn containers that are CIA branded
February 14, 2025 at 6:53 PM
Reposted by alden
cabal.cx
our network has raised hundreds of dollars to give firefighters the zyn they need to keep protecting LA from the fires. Thank you!!
January 14, 2025 at 9:59 PM
re.wtf
reminder to say happy new years to the russian espionage groups in ur network 🥰🇷🇺

@nosecurething.bsky.social, @laughingmantis.bsky.social, and I just dropped a new blog detailing a series of redcurl intrusions across several huntress customer environments 😳

www.huntress.com/blog/the-hun...
Hunt for RedCurl | Huntress
Huntress discovered RedCurl activity across several organizations in Canada going back to 2023. Learn more about how this APT operates and how they aim to remain undetected while exfiltrating sensitiv...
www.huntress.com
January 9, 2025 at 11:11 PM
Reposted by alden
greg-l.bsky.social
#100DaysofYARA day 1 - the Amos stealer is regularly evolving and updating its obfuscation techniques

You know what isn't changing?

the dylibs it depends on and the entitlements it requests from the OS. Combined, they give us excellent signal

github.com/100DaysofYAR...
January 1, 2025 at 4:36 PM
Reposted by alden
whatthefuzzvr.bsky.social
Binary diff'ing is hard. But it's super powerful to apply markup from previous reverse engineering efforts to a new binary.

Binary Ninja is switching up how they match function signatures with WARP.

www.seandeaton.com/binary-ninja...

#binaryninja #reverseengineering #ghidra #ida #decompiler
Trying Out Binary Ninja's new WARP Signatures with IPSW Diff'ing
Binary diff'ing is pretty complex, but being able to apply markup from one binary to another is quite powerful. Binary Ninja's new WARP extends previous efforts, using SigKit, to quickly identify libr...
www.seandeaton.com
December 27, 2024 at 1:07 PM
re.wtf
i gotta step up my whitepaper game smh, my dad is doin numbers
craigschmidt.com Craig Schmidt @craigschmidt.com · Nov 28
I really enjoyed #EMNLP2024. It was an honor to present our tokenization paper aclanthology.org/2024.emnlp-m.... I’m planning to post about some of my favorite papers soon, but here is a nice write up.
December 21, 2024 at 5:15 AM
Reposted by alden
stuartjash.bsky.social
Our talk from @objective-see.bsky.social is now available online. Check out @re.wtf and I yap about macOS infostealers.
www.youtube.com/watch?v=Hv6A...
#OBTS v7.0: "Stealer Crossing: New Horizons" - Alden Schmidt & Stuart Ashenbrenner
YouTube video by Objective-See Foundation
www.youtube.com
December 18, 2024 at 6:36 PM
Reposted by alden
greg-l.bsky.social
since I'm cold and missing #OBTS I wanted to reflect on what
@jacoblatonis.me and Tomas have gifted us with the YARA-X Macho module

the OG YARA macho parsing left a lot to be desired, and the new YARA-X ver has all sorts of goodies
December 12, 2024 at 8:26 PM
Reposted by alden
aaron.cat.gf
this holiday season
December 13, 2024 at 3:16 AM
re.wtf
following the recent cleo ITW exploitation, @huntress.com has released our analysis of the full post exploitation chain 🚀

the final java based implant framework is really neat and includes a custom C2 protocol 🔥

huntress.com/blog/cleo-soft…
https://huntress.com/blog/cleo-soft…
December 12, 2024 at 4:14 AM
Reposted by alden
aaron.cat.gf
hotties only want one thing and its the operation triangulation exploit chain
aaron.cat.gf aaron @aaron.cat.gf · Dec 9
blunt versus beauty
A simple black and white cartoon illustration showing a stylized representation of "ALL MODERN DIGITAL INFRASTRUCTURE" as a tower-like structure made of various rectangular blocks and components. Each component and layer of the structure is labeled with the word "backdoor" multiple times, suggesting widespread security vulnerabilities in digital systems. The illustration uses a minimalist style with basic geometric shapes and text annotations connected by lines pointing to different parts of the structure. A diagram from Kaspersky showing the Operation Triangulation attack chain with neon green icons and text connected by dotted arrows. The chain begins with an “Attackers iMessage account” and progresses through multiple stages including PDF file, TrueType font exploit, ROP/JOP, NSExpression, bplist, and other technical components. Various CVE numbers are listed, including CVE-2023-41990, CVE-2023-32434, and CVE-2023-38606. The chain culminates in malware deployment through multiple exploitation steps involving Safari, kernel exploits, and validators.
December 9, 2024 at 6:02 PM
Reposted by alden
stuartjash.bsky.social
Yesterday I got to present with the 🐐 @re.wtf. Such a blast talking thru infostealers and the telenovela that they’ve become. #OBTS really is the best, chillest conference out there. Excited for a second day of talks 🤓🍎
December 6, 2024 at 8:22 PM
re.wtf
🍎🤝🔥
December 6, 2024 at 3:20 AM
re.wtf
we cookin' for #100DaysofYARA 🤝🔥
November 27, 2024 at 4:41 PM
Reposted by alden
naehrdine.bsky.social
How does the new iOS inactivity reboot work? What does it protect from?

I reverse engineered the kernel extension and the secure enclave processor, where this feature is implemented.

naehrdine.blogspot.com/2024/11/reve...
Reverse Engineering iOS 18 Inactivity Reboot
Wireless and firmware hacking, PhD life, Technology
naehrdine.blogspot.com
November 17, 2024 at 9:42 PM
Reposted by alden
gleeda.bsky.social
🧵Today’s blogpost focuses on a newer ransomware variant named SafePay. Needless to say, ransomware sucks. When this new variant appeared, it gained our attention. 👀

Let’s dig into what happened and what makes it tick ⬇️:
A redacted view of the SafePay onion website hosting information about compromised machines Directory listing from the attacker's onion site Apache Server info page
November 15, 2024 at 3:29 AM
Reposted by alden
alex.leetnoob.com
I wrote a post on the realities of cloud & webserver ransomware. Check it out to see some of the toolsets & frameworks that can be used for these attacks.
philofishal.bsky.social Phil Stokes ⫍🐠⫎ @philofishal.bsky.social · Nov 14
🔥 In a report on the state of cloud ransomware,
@alex.leetnoob.com has identified several tools designed to target web servers with ransomware or to leverage cloud services to upload files before encrypting local files on an endpoint.
s1.ai/cloud-rw
The State of Cloud Ransomware in 2024
In this new report, learn how threat actors are leveraging cloud services to target web services with ransomware attackers.
s1.ai
November 14, 2024 at 9:30 PM
re.wtf
some huntress homies cooked a blog on a new ransom group called safepay

RE was fun until we realized it was ripped lockbit code 💀😭 imagine not being able to write your own ransomware, true skill issue smh

some funny opsec fails too, watch ya status

www.huntress.com/blog/its-not...
https://www.huntress.com/blog/its-not-safe-to-pay-safepay
t.co
November 14, 2024 at 7:38 PM