Silas Cutler
@silascutler.bsky.social
You may know me from your server logs.
#Malware, Hacks, Internet Scanning, #CTI
Mostly marketing.
However, there are some folks doing good research into the art of the possible: www.sentinelone.com/labs/prompts...
Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware
LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.
www.sentinelone.com
October 21, 2025 at 6:03 PM
Not seeing any good connections beyond. While the `banner_hash_sha256` on @censysio shows 4 other hosts, normally a good sign when looking for unique malware, the underlying conditions (content length / server header) are weak in this case.
October 7, 2025 at 1:00 PM
Back in the rest of the #opendir, uploads/ is used by app.py; I don't see where downloads_cache is used, but it has a similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind app.py/agent.go
October 7, 2025 at 1:00 PM
stealer.go (SHA256: bf9bbcc1692140d5aeaabb839a96e90d4c6df9b75e01ef79585ee07324b984ab) is a stand-alone tool for extracting logins. Looks to be custom; debug messages unique.
October 7, 2025 at 1:00 PM
Case statements in agent.go show a bit of the functionality:
- start_shell
- cd / list_files / delete
- upload / download
- clipboard_on / keylog_on
- shutdown / restart
mouse_move and mouse_click are interesting to see. Less common to see at this level of functionality implementation.
October 7, 2025 at 1:00 PM
app.py (SHA256: 707cd46cd390072ba79f2655c562a205cba586f3634ef52e8c034c8a6a607a8c) looks to be the C2 server and agent.go (SHA256: 8342dd353a95bd8f8884eef0cd1ba5b4e81751f669babf8c91b068e10ea64d99) the client.
October 7, 2025 at 1:00 PM