🇺🇦 Xorhex 🇺🇦
@xorhex.bsky.social
Reposted by 🇺🇦 Xorhex 🇺🇦
1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...
Intellexa’s Global Corporate Web
www.recordedfuture.com
December 4, 2025 at 4:18 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
Videos and papers from this year's @virusbtn.bsky.social in Berlin are now available online. Amazing conference and looking forward to the next one: www.youtube.com/@virusbtn
Virus Bulletin
www.youtube.com
November 28, 2025 at 6:47 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
#PIVOTcon26 #CfP is open and you can submit your proposals till 6 FEB 2026
CfP rules and submissions here: pretalx.com/pivotcon26/cfp

#ThreatIntel #ThreatResearch #CTI
November 27, 2025 at 2:06 PM
As tempting as it might be, don’t use recursion when writing a #binaryninja workflow.
November 27, 2025 at 12:19 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
I'm offering a rare public Applied #CTI training course for cyber threat intelligence in evening North America/morning Australia/Asia in January - register your interest soon if you would like to attend mission-focused #ThreatIntel training!
forms.gle/i3n4srD6hWzf...
Paralus LLC: Applied Threat Intelligence
Hello and thank you for your interest in a workshop focusing on Applied Threat Intelligence! Scheduling: 12-16 January 2026 (Five Days) 1700-1900 US Eastern/2200-0000 Central European/0900-1100 Austr...
forms.gle
November 24, 2025 at 10:52 PM
First release is ready! Hoping to have it included soon in @binary.ninja's plugin manager 🤞
Still testing 🤞

For those able to use #BinaryNinja projects; #BinYars can sort the files into folders based upon the #Yara-X rule metadata field, BNFolder. The folder nesting structure is determined by the number of matches that reside under each folder - check out the video below!
November 24, 2025 at 10:02 PM
Don't forget to run: cargo install-update -i yara-x-cli
November 24, 2025 at 9:50 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Binary Ninja 5.2 adds support for custom string formats and constant encodings. Instead of wrestling with odd or obfuscated values, you can teach Binja how they work and let the analysis reveal the real content anywhere it appears.
November 24, 2025 at 3:44 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Yara-x 1.10.0 released today! It can now automatically fix some warnings, and there are some improvements in code generation. This is another great step forward for the project.

github.com/VirusTotal/y...
Release v1.10.0 · VirusTotal/yara-x
New yr fix warnings command (#493). Generate more efficient WASM code for some expressions, reducing the size of compiled rules (5efc214, a865681). Improve the API for traversing the AST in DFS ord...
github.com
November 20, 2025 at 6:33 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Came across an interesting DLL sideloading case today:

Normally when Steam\bin\steam_monitor.exe loads up, it will load Steam\crashhandler.dll as part of the loading process.

When loading the crashhandler.dll dependency, steam_monitor.exe checks for the path of the tier0_s.dll to-
November 20, 2025 at 8:04 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
Made this last night, it’s useful for finding a large number of domains hosting phishing kits or malware based on a consistent pattern github.com/singe/domain-p… Might be useful for some of you.
GitHub - singe/domain-probe: A utility to find identically configured domains and web-servers based on a pattern. Used to find phishing kits.
A utility to find identically configured domains and web-servers based on a pattern. Used to find phishing kits. - singe/domain-probe
github.com
November 20, 2025 at 6:22 AM
Reposted by 🇺🇦 Xorhex 🇺🇦
Come work with Amazon Cyber Threat Intelligence (ACTI) focusing on the threats targeting Amazon, AWS, and our subsidiaries! US citizenship required, in-office across multiple US locations. DM with questions! www.amazon.jobs/en/jobs/3120...
Security Intelligence Engineer, Incident Response Threat Intelligence, ACTI
We are open to hiring candidates to work out of one of the following locations:Annapolis Junction, MD, USA | Arlington, VA, USA | Austin, TX, USA | Herndon, VA, USA | New York, NY, USA | Seattle, WA, ...
www.amazon.jobs
November 17, 2025 at 10:42 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Tune in tomorrow at 10:30 AM EST for #BSidesPyongyang25.
Stream live on Twitch or YouTube
https://www.twitch.tv/bsidespyongyang
November 17, 2025 at 6:00 PM
Fun little #YARA-X challenge: say you identified a string at an offset - how can you get yara-x to print the length of the string via the "console" module?

Assumptions:
- Null terminated string
- It's a string pointer versus a string match, so ! won't work
- variable name: offset
- length <= 100
November 14, 2025 at 9:24 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Finally put this up for review in a PR (github.com/VirusTotal/y...) - it's now in its own command and has been tested on some pretty gnarly graphs of rules. If you have huge dependency graphs the output gets messy, but it works well otherwise.
November 14, 2025 at 8:37 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
A lesser-known way to calculate sha256 of files on Windows

disksnapshot -c -k -v c:\test

will print out file info including sha256 for every file in the directory
November 14, 2025 at 7:35 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
The final call is here. CFP submissions close at midnight! Our review board is ready to dig in and see what you have been working on. Get your talk in now: sessionize.com/reverse-2026
RE//verse 2026: Call for Speakers
RE//verse is a highly technical conference focused on Reverse Engineering held in Orlando, FL. The goal is to gather the best research from all aspect...
sessionize.com
November 14, 2025 at 3:47 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Binary Ninja 5.2, Io, is live and it's out of this world! binary.ninja/2025/11/13/b...

With some of our most requested features of all time including bitfield support, containers, hexagon, Ghidra import, and a huge upgrade to TTD capabilities, plus a ton more, make sure to check out the changelog!
November 13, 2025 at 9:16 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
#PIVOTcon26 registration is now OPEN 🤟 #ThreatResearch #ThreatIntel https://pivotcon.org
Please read carefully the whole 🧵 for the rules about invite -> registration (1/6)🌐
November 13, 2025 at 3:28 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
1/ [UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Group’s original assessment that their identity was unlawfully and fraudulently used in the registration of #AS209800.
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
November 12, 2025 at 9:51 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Squeeeee 🥳 I'll be teaching my Advanced Linux Malware Reverse Engineering class at RE//verse conference in 2026!! MORE Linux APT insides and peculiarities😍🥰🤩Pls share if you can🙃
shop.binary.ninja/products/re-...
RE//verse 2026 Training - Advanced Linux Malware Reverse Engineering with Marion Marschalek
This fast-paced 3-day training explores Linux internals and Linux binary analysis techniques, before jumping right in with common Linux malware. Work through advanced samples, Linux software protectio...
shop.binary.ninja
November 12, 2025 at 6:59 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
Excited to share another blog where Amazon Cyber Threat Intelligence (ACTI) discovered APT exploitation of zero-day vulnerabilities in Cisco and Citrix products. Proud of the team’s work! aws.amazon.com/blogs/securi...
Amazon discovers APT exploiting Cisco and Citrix zero-days | Amazon Web Services
The Amazon threat intelligence team has identified an advanced threat actor exploiting previously undisclosed zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix systems. The ca...
aws.amazon.com
November 12, 2025 at 2:36 PM
Reposted by 🇺🇦 Xorhex 🇺🇦
If you're interested in my dependency querying code for yara rules check out my deps branch: github.com/wxsBSD/yara-...

You can build it with "cargo build --features=debug-cmd" and use it like "yr debug deps -h". My TODO list for this is basically:

- Write tests

- Move to its own command
GitHub - wxsBSD/yara-x at deps
Experimenting with YARA and Rust. Contribute to wxsBSD/yara-x development by creating an account on GitHub.
github.com
November 9, 2025 at 8:43 PM