Stuart Ashenbrenner
stuartjash.bsky.social
Principal macOS Security Researcher @ Huntress | 🏀 Skill Development Coach | 🖼️📖
Reposted by Stuart Ashenbrenner
You know how ppl say you can't decompile run-only #AppleScript ... 😜 #macOS #security
November 7, 2025 at 6:15 PM
Reposted by Stuart Ashenbrenner
One of the coolest new things in Binary Ninja 5.1? Pseudo Objective‑C. Huge shoutout to Mark, who actually wrote this before joining the team (talk about an overkill job application). If you’re digging into iOS, Swift, or kernelcaches, this one’s a game‑changer.
August 7, 2025 at 2:44 PM
Reposted by Stuart Ashenbrenner
Hot on the heels of the research published by @huntress.com, hunting for Zoom-themed lures from DPRK's #BlueNoroff

💥Learn hunting techniques
💥Leverage new Validin features and data
💥Full, unredacted indicator list (domains, IPs, hashes)

www.validin.com/blog/zooming...
Zooming through BlueNoroff Indicators with Validin | Validin
Pivoting through recently-reported indicators to find BlueNoroff-associated domains
www.validin.com
June 20, 2025 at 5:24 PM
Reposted by Stuart Ashenbrenner
excited bc today @huntress.com is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠

we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)!

www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
www.huntress.com
June 18, 2025 at 8:53 PM
Been busy this week digging into a BlueNoroff attack.
Macs don't get viruses, right? 🍏

Deepfake Zoom calls. AppleScript lures. Rosetta 2 abuse.

Plenty of custom malware: Nim backdoor, Go infostealer, Obj-C keylogger, and more!

Amazing write-up by @re.wtf, @stuartjash.bsky.social and Jonathan Semon 🔥

🔗 www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
www.huntress.com
June 18, 2025 at 9:52 PM
Reposted by Stuart Ashenbrenner
Sadly no new ES events for macOS 26. There are a few nice event property updates and additions to the process structure though :)
June 9, 2025 at 9:08 PM
Reposted by Stuart Ashenbrenner
Some good takeaways from @huntress.com’s recent Tradecraft Tuesday ft. Patrick Wardle:
-The impact of Apple bringing TCC events to Endpoint Security
-#Mac malware persistence techniques vs BTM
-Security alert inundation for #macOS users
Catch up here⤵️
www.huntress.com/blog/say-hel...
Say Hello to Mac Malware | Huntress
In this month’s Tradecraft Tuesday, we talked about how threat actors are fine-tuning their macOS malware in order to maintain persistent access and avoid detection by Apple’s security features.
www.huntress.com
April 23, 2025 at 1:15 PM
Reposted by Stuart Ashenbrenner
You asked, we delivered: Binary Ninja 5.0 brings major iOS reversing upgrades! DYLD Shared Cache is now a first-class feature, with up to 18x faster performance and way smarter analysis across the board. binary.ninja/2025/04/23/5...
April 24, 2025 at 7:44 PM
Reposted by Stuart Ashenbrenner
finally got around to rewriting the copy as yara binja plugin! 🥰

has a few quality of life improvements (new formats) and address wildcarding is fixed for ARM! (sorry bout that mac homies) ❤️

it's also now available in the plugin repository! 🔥

github.com/ald3ns/copy-...
April 15, 2025 at 9:39 PM
Reposted by Stuart Ashenbrenner
✅Are you well versed in Linux?
✅Do you understand Linux internals and eBPF?
✅ Do you like building out POCs?
✅Do you understand cyber threats and forensic artifacts?

💥Become a Principal Linux Researcher at @huntress.com

Apply here:

👉 job-boards.greenhouse.io/huntress/job...
Principal Security Researcher - Linux
Remote US
job-boards.greenhouse.io
April 1, 2025 at 5:13 PM
Reposted by Stuart Ashenbrenner
TCCing is Believing
Apple finally adds TCC events to Endpoint Security!
objective-see.org
March 28, 2025 at 1:05 AM
Reposted by Stuart Ashenbrenner
s1.ai/readup
🐚 Adware loaders are always the most complex! Props to @syrion89.bsky.social for helping me pull apart all these different bins and figuring out what they had in common and how to attribute and detect them. 🦾 #adware #malware #macOS #security
@sentinelone.com @sentinellabs.bsky.social
ReaderUpdate Reforged | Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants
A widespread campaign with binaries written in different source languages, ReaderUpdate presents unique challenges for detection and analysis.
s1.ai
March 25, 2025 at 9:02 PM
macOS Malware Knowledge Base: I've been putting together a KB of sorts of macOS malware research. So next time you are writing about some malware family, you can just visit here and see all technical articles written about any particular family. Still a WIP.
notes.crashsecurity.io/notes/b/06C7...
Notes
notes.crashsecurity.io
March 21, 2025 at 5:16 PM
Reposted by Stuart Ashenbrenner
Trying to attribute DPRK cryptoheist activity?

Here’s a quick pocket attribution guide

Remember to practice your DPRK ABC(TT)s
March 16, 2025 at 5:28 PM
Reposted by Stuart Ashenbrenner
Brilliant talk from @scott.hanselman.com on the realities of LLMs. The temperature demo is such a good way to explain the "magic" behind text generation. www.youtube.com/watch?v=kYUi...
Keynote: AI without the BS, for humans - Scott Hanselman - NDC London 2025
YouTube video by NDC Conferences
www.youtube.com
March 12, 2025 at 9:55 PM
Reposted by Stuart Ashenbrenner
Found these likely #Lazarus / #TraderTraitor domains w/ #Validin
getcoinprice[.]info
stocksindex[.]org
wfinance[.]org
stockinfo[.]io

Read my how-to on leveraging Validin's exceptional visibility, history, and pivoting features for C2 infrastructure forensics:
www.validin.com/blog/bybit_h...
Lazarus Group Bybit Heist: C2 forensics | Validin
An in-depth hunt for Lazarus APT group infrastructure related to the Bybit hack using Validin's host response and DNS databases.
www.validin.com
March 11, 2025 at 6:33 PM
Reposted by Stuart Ashenbrenner
For all my math peeps out there: 2025 is a pretty amazing mathematical arrangement.

1. 2025 is a perfect square (45×45=2025)

2. 2025 is the sum of digits of cubes from 1 to 9 (1³ + 2³ + 3³ + ... + 9³ = 2025)

3. 2025 is the first square year after 1936

(Cont…)
January 1, 2025 at 11:11 AM
Entering EOY PTO in the throes of a sleep regression is like taking a gulp of water after a run and realizing it’s tonic.
December 24, 2024 at 12:15 AM
Our talk from @objective-see.bsky.social is now available online. Check out @re.wtf and I yap about macOS infostealers.
www.youtube.com/watch?v=Hv6A...
#OBTS v7.0: "Stealer Crossing: New Horizons" - Alden Schmidt & Stuart Ashenbrenner
YouTube video by Objective-See Foundation
www.youtube.com
December 18, 2024 at 6:36 PM
Reposted by Stuart Ashenbrenner
📣I’m happy to announce that I’m planning to write a brand new “macOS Vulnerability Research” training. 🥳

Considering the amount of work the writing requires it will be available late 2025 or early 2026. It will be Live class only, and likely only once or twice a year.
December 9, 2024 at 12:00 PM
Reposted by Stuart Ashenbrenner
I'm having #OBTS FOMO, so I decided to go ahead and make my own Apple security starter pack! I'm definitely missing folks on here, so feel free to DM me about anyone else who should be added! 🍎

go.bsky.app/gE3xQq
December 5, 2024 at 11:08 PM
#OBTS has wrapped. Next year has so much on deck 👀
- TAOMM v2 book @patrickwardle
- MacOS Threat Hunting book @jbradley89
- MacOS Vuln Training @theevilbit.bsky.social
- OFTW v3 @objective_see
- WeTalks v1 @x71n3
- OBTS v8 in Ibiza
Awesome stuff coming from the macOS security space 🙌
December 8, 2024 at 5:38 PM
Reposted by Stuart Ashenbrenner
Shout-out to the incredible Huntress crew for the special T-shirt 🏝️ and a killer #OBTS presentation by @stuartjash.bsky.social and @re.wtf!
December 7, 2024 at 7:02 PM
Reposted by Stuart Ashenbrenner
Catch @greg-l.bsky.social and I talking about Mach-O binary similarity methods, YARA-X, and all the cool APT malware we pulled apart at #OBTS v7 today at 11:50am HST 🌺
December 6, 2024 at 8:43 PM
Yesterday I got to present with the 🐐 @re.wtf. Such a blast talking thru infostealers and the telenovela that they’ve become. #OBTS really is the best, chillest conference out there. Excited for a second day of talks 🤓🍎
December 6, 2024 at 8:22 PM