malwareresearch

Telegram channel malwareresearch - Malware Research

9630

Group for Malware Analysts. Pinned message with resources and rules: https://t.me/MalwareResearch/38033

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: Eros Monson
User ID: 8542457356
Reason: illegal activity

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: lol
User ID: 7787664886
Reason: illegal activity

Malware Research

So you just summarize the content of each article using an LLM? How much does that cost?

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: Erik2 Almonson
User ID: 7583628947
Reason: illegal activity

Malware Research

Many thanks for the feedback! Another guy also suggested adding code snippets in the capabilities section. I'll add them as soon as I have time.
It writes a .plist function in the system location required to set up daemons. Once expanded, I'll ping you to check.

About the simplicity, yes, the code is quite simple to read after basic deobfuscation.
At the moment I'm analyzing a Chinese bootkit found in the wild, a PE32 packed probably with VMProtect. That will mean a harder time dissecting it.

Malware Research

I keep seeing a lot of C2s using Discord or Telegram bots to call home; are there any programs out there that act as an *antivirus* by seeing if any of those calls are being sent? Especially webhooks.

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: lol
User ID: 7948600106
Reason: illegal activity

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: Moses Smart
User ID: 1176018937
Reason: illegal activity

Malware Research

humans' memories can't be trusted

this will remain here for easier reference, and as evidence that rules have been flouted before

Malware Research

I promise I will not again misbehave

Malware Research

nope, so you will remember why and not flout the rules again

Malware Research

/channel/MalwareResearch/54658

Malware Research

User ᏀᎻᏫᏚᎢ has 1/3 warnings; be careful!
Reason:
English only and no illegal activity

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: lol
User ID: 7787597292
Reason: illegal activity

Malware Research

Hello everyone
there is an array of 12 bytes, at least that's how IDA marked it.
I don't really understand why 4 is displayed in red and how to interpret it correctly.
This value is used for verification, and I tried to pass it to the program as I see it (dw), but it doesn't work during the comparison process. I assume that I need to parse it somehow, but changing the encoding and converting it to dw didn't help.
Can you suggest anything I can try?

Malware Research

@xiaomayi I updated the article, adding some code snippets, if you want to take a look at the persistence section. I wrote deobfuscated function handlers to make it easy to read.

As you said, the malware is simple to read; what I found very interesting is that it contains a lot of macOS malicious logic all bundled in a single sample.

Malware Research

Having summarized over 400 articles during my experimentation, it came out ~52 cents (including embeddings generation for RAG). It uses gpt-4o-mini to keep costs low. I'm satisfied with the summary accuracy having verified them against the original article.

Malware Research

🚨 Keeping up with the threat landscape shouldn’t feel like a full-time job.

Every day:

🔴 New malware families.
🔴 Evolving threat actors.
🔴 Fresh MITRE TTP mappings.
🔴 Numerous blog posts.

What if there were a simpler way?

⚡ That’s why I built Threat Loom — an AI-powered threat news analysis platform that:

🔴 Aggregates feeds (including Malpedia).
🔴 Summarizes news using LLMs.
🔴 Visualizes MITRE ATT&CK mappings.
🔴 Lets you ask questions like: “Which techniques did APT29 increase usage of in the last 6 months?”

I built it (in a day!) using Claude Code to solve my own problem:

✅ Daily concise threat updates.
✅ Track evolution of actors & malware families.
✅ Spot emerging techniques.

The code is open-sourced (BSD-3) on GitHub. Give it a spin!
👉 https://github.com/nikhilh-20/ThreatLoom
Humans and agents are both welcome to raise issues, ideas, and PRs!

Malware Research

Anyone interested in an OSINT bot? Includes IntelX and stealer logs, very complete.

Malware Research

While I'm not into macOS, it's interesting.

The script isn't too complicated, so I guess there's not much to really dive into, unlike Windows malware analysis, which typically comes with all kinds of analysis or even the use of various tools and scripts just to debug or deobfuscate something.

But there's one thing I'm curious about, under the Persistence section. How is persistence achieved? That's not really expanded on, other than that it's installed as a LaunchDaemon. In typical malware analysis reports, the persistence mechanism(s) would be listed out, which facilitates searching for such a compromise.

Malware Research

User Goda is banned in the current federation (Libra's Empire), and so has been removed.
Reason: spam

Malware Research

Guys, I published a brief writeup on a macOS infostealer. There's a lot online on this topic. I analyzed it independently and tried to make a professional writeup. If someone wants to give feedback it would be highly appreciated, many thanks.

https://itdoctor.it/posts/macos-infostealer/

Malware Research

besides, you have 3 chances, not as if 1 warning will result in a ban

Malware Research

Ignorance is no excuse))

Malware Research

But I didn't know about the rules before

Malware Research

Can you please remove the warning 🙏

Malware Research

I don't know about this rule 🥲

Malware Research

New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: Data Planet Agent_03
User ID: 6599906653
Reason: illegal activity

Malware Research

IDA’s red 4 means it’s auto-typed (offset/reference), not raw data. Ignore the color.
Don’t use dw. Undefine it, re-define as db, remove offset typing (O), and check endianness.
If passing it directly fails, it’s being transformed before compare (memcmp/XOR/hash). Follow the verification logic, not IDA’s display.

Malware Research

Reported Stephanie Weaver [8122316276] to admins.
