y0sh1mitsu
@y0sh1mitsu.bsky.social
DFIR Consultant - GCFR | https://linktr.ee/y0sh1mitsu
Reposted by y0sh1mitsu
The job posts here are a good example of how companies are starting to recognize the value of students learning from OST2 and seek self-starter employees who are using our classes to skill up! www.linkedin.com/posts/piment...
🔥 We're hiring Senior and Lead Offensive Security Engineers at Humana's Cyber Threat Simulation Program! | Robert Pimentel
🔥 We're hiring Senior and Lead Offensive Security Engineers at Humana's Cyber Threat Simulation Program! 🔥

You'll be:
💥 Running high-fidelity threat simulations
💥 Working side-by-side with our Red Team on covert campaigns
💥 Partnering on Purple Team ops to emulate real threat actors
💥 Targeting and testing specific countermeasure stacks

You'll have full access to HTB Pro Labs, role-based certification paths, conference and training budgets, and Fridays set aside for R&D (LLMs, malware development, AI, and more).

👊 What we're looking for:
- Python-fluent operators who can turn threat intel into test cases.
- Folks who don't just ask "can we test this?" - You already did.
- People who thrive in remote, high-autonomy roles.
- Engineers and leaders who want to influence detection and defense at scale

🔗 Links:
👉 Senior Offensive Security Engineer: https://lnkd.in/d7SH9BFC
👉 Lead Offensive Security Engineer: https://lnkd.in/d_dtjGmr

Feel free to message me if you have any questions, and repost for others who might be interested! #RedTeam #OffensiveSecurity #BugBounty #PenetrationTesting #AdversarySimulation
www.linkedin.com
July 11, 2025 at 12:06 PM
Reposted by y0sh1mitsu
Congratulations to all of the Volatility contributors - this was no small feat! We are proud to be a sustaining sponsor of this important open-source project that remains the world’s most widely used memory forensics platform. #dfir
We are very excited to announce that Volatility 3 has reached parity with Volatility 2! With this achievement, Volatility 2 is now deprecated. See the full details in our blog post: volatilityfoundation.org/announcing-t...
Announcing the Official Parity Release of Volatility 3!
Visit the post for more.
volatilityfoundation.org
May 16, 2025 at 3:20 PM
Reposted by y0sh1mitsu
#ESETresearch, in collaboration with #Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, has helped disrupt #LummaStealer – a notorious malware-as-a-service infostealer. @jakubtomanek.bsky.social www.welivesecurity.com/en/eset-rese... 1/5
ESET takes part in global operation to disrupt Lumma Stealer
Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation
www.welivesecurity.com
May 21, 2025 at 4:16 PM
Reposted by y0sh1mitsu
Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities
June 16, 2025 at 12:52 PM
How you qualify an incident determines how well you’ll contain it.

I broke down my real-world process for getting accurate, useful answers fast, even when the info is chaotic or wrong.

If you’re in DFIR, this one’s for you!

y0sh1mitsu.github.io/posts/qualif...
From Alert to Insight: The Art of Incident Qualification - y0sh1mitsu's blog
A short guide for those wishing to qualify an incident
y0sh1mitsu.github.io
May 27, 2025 at 6:22 AM
Reposted by y0sh1mitsu
Check out our new report on a TA4557 intrusion.

Make sure your team that handles resumes recognises these fake lures!
December 2, 2024 at 12:48 PM
Reposted by y0sh1mitsu
Investments in EU cybersecurity startups are lagging way behind both the US and Israel... by a lot-lot!

PDF: www.tikehaucapital.com/~/media/File...
April 13, 2025 at 10:57 AM
Reposted by y0sh1mitsu
Zyxel has no plans to release patches for two zero-days under attack and is advising customers to replace vulnerable routers. The company says these devices have been “EOL for years” - but the devices are not on Zyxel’s EOL page, and some are still available to buy techcrunch.com/2025/02/05/r...
Router maker Zyxel tells customers to replace vulnerable hardware exploited by hackers | TechCrunch
The Taiwanese hardware maker says it has no plans to patch the flaws impacting legacy router models
techcrunch.com
February 5, 2025 at 10:10 AM
Reposted by y0sh1mitsu
The best way to start with malware reverse engineering is to start reverse engineering malware.

There’s a ton of free samples everywhere (shout out to @vxundergroundre.bsky.social).

If you want to start with Android take a look at the link below

maldroid.github.io/android-malw...
Not so boring Android malware
A collection of interesting and diverse Android malware samples
maldroid.github.io
December 10, 2024 at 10:55 PM
Reposted by y0sh1mitsu
🚀 New OpenRelik release

Role-based access control, folder sharing, database improvements, optimisations for file listings, chunked file uploads, bug fixes and refactoring efforts to improve stability.

📝 https://openrelik.org/changelog/
🔗 https://discord.gg/hg652gktwX

#DFIR
November 27, 2024 at 3:41 PM
Reposted by y0sh1mitsu
#ESETresearch reveals the first Linux UEFI bootkit, Bootkitty. It disables kernel signature verification and preloads two ELFs unknown during our analysis. Also discovered, a possibly related unsigned LKM – both were uploaded to VT early this month. www.welivesecurity.com/en/eset-rese... 🧵
Bootkitty: Analyzing the first UEFI bootkit for Linux
ESET's discovery of the first UEFI bootkit designed for Linux sends an important message: UEFI bootkits are no longer confined to Windows systems alone.
www.welivesecurity.com
November 27, 2024 at 8:34 AM
Reposted by y0sh1mitsu
Good morning, or evening.

After months, we're finally releasing the Dispossessor ransomware leaks. They're now available to download.

Please exercise extreme caution. This archive contains ransomware payloads.

vx-underground.org/Archive/Disp...
Vx Underground
The largest collection of malware source code, samples, and papers on the internet.
vx-underground.org
November 25, 2024 at 3:34 AM
Reposted by y0sh1mitsu
Excited that we @volexity.com are able to share a writeup of one of our most interesting incidents! This case involves:

* A 0-day exploit
* Physical trips to the customer site to determine root cause
* Compromise via Wi-Fi.

www.volexity.com/blog/2024/11...

#nearestneighbor #threatintel
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 22, 2024 at 3:05 PM
Reposted by y0sh1mitsu
🚨 New Research Drop:

🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China

Summary:
⚪ Newly Disrupted Front Companies by USG
⚪ Impersonating US based software and tech orgs
⚪ Links to still-active front orgs, CN association

Report:
www.sentinelone.com/labs/dprk-it...
DPRK IT Workers | A Network of Active Front Companies and Their Links to China
SentinelLabs has identified multiple deceptive websites linked to businesses in China fronting for North Korea's fake IT workers scheme.
www.sentinelone.com
November 21, 2024 at 3:00 PM
Reposted by y0sh1mitsu
Cyberattackers may have compromised lots of organizations by exploiting two zero-day vulnerabilities found in widely used Palo Alto Networks systems. unit42.paloaltonetworks.com/cve-2024-001...
November 22, 2024 at 9:54 AM
Reposted by y0sh1mitsu
Podcast: risky.biz/RBNEWS364/
Newsletter: news.risky.biz/risky-biz-ne...

-US charges five Scattered Spider members
-Apple fixes macOS zero-days
-T-Mobile finally stops a breach
-US takes down PopeyeTools carding portal
-Thailand throws out NSO lawsuit
-Microsoft develops something dumb, part 9,136
November 22, 2024 at 10:40 AM
Reposted by y0sh1mitsu
Uncover one of Volexity's toughest cases!

Join Steven Adair at #CYBERWARCON as he details how his team traced a major incident to a Russian APT, tackling zero-day exploits and stealthy tactics.

Don’t miss it—grab your ticket! 🎟️
www.cyberwarcon.com/registration
November 18, 2024 at 10:39 PM
Reposted by y0sh1mitsu
@volexity.bsky.social has published a blog post detailing variants of LIGHTSPY & DEEPDATA malware discovered in the summer of 2024, including exploitation of a vulnerability in FortiClient to extract credentials from memory. Read more here: www.volexity.com/blog/2024/11...
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s ...
www.volexity.com
November 15, 2024 at 8:02 PM
Reposted by y0sh1mitsu
Hello! 👋 Joining all the cool kids over here. Follow @13Cubed.bsky.social for 13Cubed content.
November 14, 2024 at 3:38 PM
Reposted by y0sh1mitsu
#Linux lacks a resource like the Windows Master File Table ($MFT). I've developed this #Velociraptor artifact to collect metadata from files and folders recursively in selected paths to create a bodyfile. This may bring an MFT-like feel to filesystem analysis. #dfir

github.com/chrisdfir/Ve...
github.com
November 12, 2024 at 9:01 PM
Reposted by y0sh1mitsu
Supply chain malware from an infected game mod 🤯😱 Long-form reverse engineering and a WILD ride: Binary Ninja, x64dbg, 010 Editor, PEB walking, reworking API function hashing in Python, DLL search-order hijacking, hooked functions & more. MASSIVE video: jh.live/bvyklJ5Wie0
November 14, 2024 at 2:00 PM