Author | Lightnews

CyberRaiju

@jaiminton.com

280 followers 380 following 33 posts

An Aussie who does cyber things | Manager @Huntress.com | Former Principal @CrowdStrike.com and HuntressLabs | https://jaiminton.com | https://www.youtube.com/@cyberraiju/featured

jaiminton.com

Posts Media Videos Starter Packs

Pinned

CyberRaiju @jaiminton.com · Dec 8

How do you submit a pull request to a malware author?🤔

Celestial Stealer is checking for my name or online handle and it won't execute if it's found, but my RE machine is using the name Barry so this check will fail.

Who do I reach out to about this? 😅

www.trellix.com/blogs/resear...

Screenshot showing Celestial Stealer looking for keywords Jai Minton and cyberraiju

CyberRaiju @jaiminton.com · 24d

Our new research is now live, and it's full of juicy insights. From a log poisoning vulnerability, to an RMM you've likely never heard of, and a list of victim locations that span the globe! 👀 👇

Max Rogers @maxrogers5.com · 24d

1⃣ The Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.

www.huntress.com/blog/nezha-c...

The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors | Huntress

Beginning in mid-2025, Huntress discovered a new tool being used to facilitate webserver intrusions known as Nezha, which up until now hasn’t been publicly reported on. This was used in tandem with ot...

www.huntress.com

1 3

CyberRaiju @jaiminton.com · Aug 16

As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which was presented at DEFCON.

Indicators on Xitter/LinkedIn

www.linkedin.com/posts/activi...

x.com/CyberRaiju/s...

500 million+ members | Manage your professional identity. Build and engage with your professional network. Access knowledge, insights and opportunities.

www.linkedin.com

CyberRaiju @jaiminton.com · Jun 24

Masquerading as `IO Broker Installer` on disk from the compiled MSI that seems to have artifacts from a SyslogCenter executable previously used by Octowave Loader that was still left in the MSI.

PR made to #hijacklibs github.com/wietze/Hijac...

Create tbb.yml by JPMinty · Pull Request #128 · wietze/HijackLibs

New Octowave variant using this to deliver ACR/Amatera Stealer

github.com

CyberRaiju @jaiminton.com · Jun 24

TBB: www.virustotal.com/gui/file/f5c...

APP-2.3: www.virustotal.com/gui/file/b50...

ZXING:
www.virustotal.com/gui/file/f4c...

XCEED:
www.virustotal.com/gui/file/118...

BLOOD:
www.virustotal.com/gui/file/d96...

VirusTotal

www.virustotal.com

1 2

CyberRaiju @jaiminton.com · Jun 24

Adobe printer driver sideloads tbb.dll, tbb.dll loads app-2.3.dll which gets stego from blood.wav, uses zxing.presentation.dll and Xceed.Wpf.AvalonDock.Themes.Aero.dll

MSI:
www.virustotal.com/gui/file/f5c...

Components all with 0 VT detections. DLLs are legitimate ones that were modified.

1 1

CyberRaiju @jaiminton.com · Jun 24

New Octowave Loader sample is leading to Amatera Stealer deployment over the past week.

0 VT detections on any component of the malware loader.
Proofpoint rules detect the outbound C2 traffic.
My Yara rule detects the installer.

2 4 6

CyberRaiju @jaiminton.com · May 16

I've been thinking a lot about recent layoffs, AI advancements, and what it means for this industry as a whole. Hopefully at least some of this resonates with others and hits the mark.

www.jaiminton.com/internal-blo...

Job Security in Cyber Security is Changing

At what point is your “secure” job at risk?

www.jaiminton.com

CyberRaiju @jaiminton.com · May 10

Their latest version 52 fixes the issue, but you need to have 50 installed to install 52, this is not a standalone installer, just an update, and the old versions are still the default download on their website.

eu.community.samsung.com/t5/samsung-s...

CyberRaiju @jaiminton.com · May 9

Now in open Beta, simply upload an executable and the DLL it insecurely loads, fill in some extra fields and generate a rule

With a code editor and validation, this should make submitting to the project much easier!

Link: www.jaiminton.com/tools/hijack...
Direct: hijacklibs-assistant.streamlit.app

CyberRaiju @jaiminton.com · May 9

HijackLibs.net details hundreds of publicly disclosed DLL Hijacking opportunities. With over 700 stars on GitHub and a growing list, @wietzebeukema.nl does an amazing job maintaining it.

Despite this contributing can be time consuming. That's why I've created HijackLibs Helper!👇

1 1 3

CyberRaiju @jaiminton.com · May 7

We have reached out to Samsung. There is active exploitation in the wild.

Be sure to look for new files created in the server directory of your MagicInfo install, and child processes spawning from the Apache Tomcat process.

1 1

CyberRaiju @jaiminton.com · May 7

The version offered on their website via the download button is currently not even the latest, so even if it was patched (it isn't, the vulnerable class has not changed at all) anyone downloading the software is getting an outdated version! No updates here:

security.samsungtv.com/securityUpda...

1 1

CyberRaiju @jaiminton.com · May 7

I've confirmed Samsung's MagicINFO 21.1050 is VULNERABLE to the publicly reported POC in the blog below.

ssd-disclosure.com/ssd-advisory...

The media is reporting this as CVE-2024-7399, but if it is then the patch is incomplete. There is currently NO PATCH AVAILABLE!