Diogo Fernandes 🤙🏼
@diogowski.bsky.social
Pinned
I am building out this pack featuring individuals and companies that more often than not post technical content on #dfir, #reverseengineering, #malware, #pentesting, #exploitation and #appsec. Reach out if you are not in there yet!
👇🏼👇🏼👇🏼
go.bsky.app/P9JUTfw
👇🏼👇🏼👇🏼
go.bsky.app/P9JUTfw
Reposted by Diogo Fernandes 🤙🏼
There's a new ClickFix variation called FileFix
This one works by tricking users into copying a file path in Windows Explorer.
Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path
mrd0x.com/filefix-clic...
This one works by tricking users into copying a file path in Windows Explorer.
Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path
mrd0x.com/filefix-clic...
June 24, 2025 at 8:28 AM
There's a new ClickFix variation called FileFix
This one works by tricking users into copying a file path in Windows Explorer.
Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path
mrd0x.com/filefix-clic...
This one works by tricking users into copying a file path in Windows Explorer.
Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path
mrd0x.com/filefix-clic...
Reposted by Diogo Fernandes 🤙🏼
NEW @citizenlab.ca report confirms the targeting of two more journalist with #Paragon spyware in the context of 🇮🇹
Details here: citizenlab.ca/2025/06/firs...
@billmarczak.org @jsrailton.bsky.social
Details here: citizenlab.ca/2025/06/firs...
@billmarczak.org @jsrailton.bsky.social
Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
We conducted a forensic analysis of devices belonging to two journalists who were notified by Apple that they were targeted with advanced spyware.
citizenlab.ca
June 12, 2025 at 12:37 PM
NEW @citizenlab.ca report confirms the targeting of two more journalist with #Paragon spyware in the context of 🇮🇹
Details here: citizenlab.ca/2025/06/firs...
@billmarczak.org @jsrailton.bsky.social
Details here: citizenlab.ca/2025/06/firs...
@billmarczak.org @jsrailton.bsky.social
Reposted by Diogo Fernandes 🤙🏼
The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. www.welivesecurity.com/en/eset-rese... 1/6
www.welivesecurity.com
May 22, 2025 at 8:06 PM
The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. www.welivesecurity.com/en/eset-rese... 1/6
Reposted by Diogo Fernandes 🤙🏼
Wrote a paper, with Daniel Nakov, on comparing the #quality & the speed of #malware analysis assisted by #r2ai, or without.
Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.
arxiv.org/pdf/2504.07574
cc: @radareorg.bsky.social #arxiv #radare2
Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.
arxiv.org/pdf/2504.07574
cc: @radareorg.bsky.social #arxiv #radare2
April 14, 2025 at 6:40 AM
Wrote a paper, with Daniel Nakov, on comparing the #quality & the speed of #malware analysis assisted by #r2ai, or without.
Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.
arxiv.org/pdf/2504.07574
cc: @radareorg.bsky.social #arxiv #radare2
Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.
arxiv.org/pdf/2504.07574
cc: @radareorg.bsky.social #arxiv #radare2
Reposted by Diogo Fernandes 🤙🏼
Malicious VSCode extensions infect Windows with cryptominers #cybersecurity #hacking #news #infosec #security #technology #privacy www.bleepingcomputer...
Malicious VSCode extensions infect Windows with cryptominers
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.
www.bleepingcomputer.com
April 14, 2025 at 10:05 AM
Malicious VSCode extensions infect Windows with cryptominers #cybersecurity #hacking #news #infosec #security #technology #privacy www.bleepingcomputer...
Reposted by Diogo Fernandes 🤙🏼
#ESETresearch has discovered a zero day exploit abusing #CVE-2025-24983 vulnerability in Windows Kernel to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through #PipeMagic backdoor on the compromised machines. 1/4
March 11, 2025 at 5:15 PM
#ESETresearch has discovered a zero day exploit abusing #CVE-2025-24983 vulnerability in Windows Kernel to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through #PipeMagic backdoor on the compromised machines. 1/4
Reposted by Diogo Fernandes 🤙🏼
There's a new Hindsight release!
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
🌐 Blog: dfir.blog/hindsight-pa...
🛠️ Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
🌐 Blog: dfir.blog/hindsight-pa...
🛠️ Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
Hindsight v2025.03 Released!
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
dfir.blog
March 11, 2025 at 5:08 PM
There's a new Hindsight release!
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
🌐 Blog: dfir.blog/hindsight-pa...
🛠️ Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
🌐 Blog: dfir.blog/hindsight-pa...
🛠️ Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
Reposted by Diogo Fernandes 🤙🏼
Chrome 134 is out and there's a new system that automatically blocks unpacked Chrome extensions from running if Developer Mode is not enabled first.
March 5, 2025 at 7:59 PM
Chrome 134 is out and there's a new system that automatically blocks unpacked Chrome extensions from running if Developer Mode is not enabled first.
Reposted by Diogo Fernandes 🤙🏼
No more platform-hopping! 🕵️♂️ Hunt across all abuse.ch platforms with just 1️⃣ simple query. 🔎 Search for any IPv4, domain, URL, or file hash, and instantly see if it’s been identified on any abuse.ch platform!
Start your hunt now 👉 hunting.abuse.ch
Start your hunt now 👉 hunting.abuse.ch
February 26, 2025 at 1:01 PM
No more platform-hopping! 🕵️♂️ Hunt across all abuse.ch platforms with just 1️⃣ simple query. 🔎 Search for any IPv4, domain, URL, or file hash, and instantly see if it’s been identified on any abuse.ch platform!
Start your hunt now 👉 hunting.abuse.ch
Start your hunt now 👉 hunting.abuse.ch
Reposted by Diogo Fernandes 🤙🏼
Comparing Decai decompilation using @anthropic.com 's Claude 3.5 vs 3.7 with a simple strcoll wrapper function #r2ai #radare2
February 25, 2025 at 12:35 PM
Comparing Decai decompilation using @anthropic.com 's Claude 3.5 vs 3.7 with a simple strcoll wrapper function #r2ai #radare2
Reposted by Diogo Fernandes 🤙🏼
You receive a laptop (powered off) in a high-stakes case. You are told the owner is extremely technical but given no useful technical details. The laptop is modern, with chassis intrusion features, and you must assume Secure Boot & BitLocker are in use. How do you proceed? #DFIR
February 18, 2025 at 7:18 PM
You receive a laptop (powered off) in a high-stakes case. You are told the owner is extremely technical but given no useful technical details. The laptop is modern, with chassis intrusion features, and you must assume Secure Boot & BitLocker are in use. How do you proceed? #DFIR
Reposted by Diogo Fernandes 🤙🏼
If you live in the West, it's not often you read about CIA/NSA cyber operations against China. But here's one: "How the NSA Allegedly Hacked China’s Northwestern Polytechnical," a leading Chinese university specializing in aerospace & defence. www.inversecos.com/2025/02/an-i...
An inside look at NSA (Equation Group) TTPs from China’s lense
www.inversecos.com
February 19, 2025 at 10:51 PM
If you live in the West, it's not often you read about CIA/NSA cyber operations against China. But here's one: "How the NSA Allegedly Hacked China’s Northwestern Polytechnical," a leading Chinese university specializing in aerospace & defence. www.inversecos.com/2025/02/an-i...
Reposted by Diogo Fernandes 🤙🏼
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪
👉 blog.scrt.ch/2025/02/18/r...
👉 blog.scrt.ch/2025/02/18/r...
February 19, 2025 at 9:13 AM
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪
👉 blog.scrt.ch/2025/02/18/r...
👉 blog.scrt.ch/2025/02/18/r...
Reposted by Diogo Fernandes 🤙🏼
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
#dfir #threatintel #m365security
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...
www.volexity.com
February 13, 2025 at 10:39 PM
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
#dfir #threatintel #m365security
Reposted by Diogo Fernandes 🤙🏼
YARA-X 0.13.0 is out: github.com/VirusTotal/y...
As always, Victor and the contributors are cranking out quality improvements!
In particular, check out the docs on how to use the formatter and linter and open issues (or tell me somehow) if you hit bugs or have things you want to see.
As always, Victor and the contributors are cranking out quality improvements!
In particular, check out the docs on how to use the formatter and linter and open issues (or tell me somehow) if you hit bugs or have things you want to see.
Release v0.13.0 · VirusTotal/yara-x
Implemented basic linting via the check command.
Refactor the format of JSON output (#281).
Parse Mach-O certificates (#276).
Allow using previously defined variables in with statements (#287).
BUG...
github.com
February 3, 2025 at 6:04 PM
YARA-X 0.13.0 is out: github.com/VirusTotal/y...
As always, Victor and the contributors are cranking out quality improvements!
In particular, check out the docs on how to use the formatter and linter and open issues (or tell me somehow) if you hit bugs or have things you want to see.
As always, Victor and the contributors are cranking out quality improvements!
In particular, check out the docs on how to use the formatter and linter and open issues (or tell me somehow) if you hit bugs or have things you want to see.
Reposted by Diogo Fernandes 🤙🏼
The threat landscape in H2 2024 was quite tumultuous when it comes to some of the most prominent infostealer threats. One of them, the notorious #RedLine Stealer, finally met its demise after being taken down by law enforcement in #OperationMagnus. #ESETresearch 🧵 1/5
February 1, 2025 at 4:36 AM
The threat landscape in H2 2024 was quite tumultuous when it comes to some of the most prominent infostealer threats. One of them, the notorious #RedLine Stealer, finally met its demise after being taken down by law enforcement in #OperationMagnus. #ESETresearch 🧵 1/5
Reposted by Diogo Fernandes 🤙🏼
A "code family" is a basic concept in @vertexproject.bsky.social's approach to tool analysis. Check out the next installment in Mary Beth Lee's malware manifesto as she defines "code family", how it differs from "malware family", and how this aids your #CTI analysis!
vertex.link/blogs/catego...
vertex.link/blogs/catego...
by savage | 2025-01-22
vertex.link
January 27, 2025 at 4:58 PM
A "code family" is a basic concept in @vertexproject.bsky.social's approach to tool analysis. Check out the next installment in Mary Beth Lee's malware manifesto as she defines "code family", how it differs from "malware family", and how this aids your #CTI analysis!
vertex.link/blogs/catego...
vertex.link/blogs/catego...
Reposted by Diogo Fernandes 🤙🏼
#100daysofyara todays rule is detecting patched clr.dll in memory AmsiScanBuffer bypass. My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.
Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
January 22, 2025 at 3:50 AM
#100daysofyara todays rule is detecting patched clr.dll in memory AmsiScanBuffer bypass. My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.
Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
Reposted by Diogo Fernandes 🤙🏼
Here's a video overview of Venture, the cross-platform Windows Event Viewer. Version 0.2.0 now has the ability to join multiple .evtx files into a single view!
www.youtube.com/watc...
Grab Venture here: github.com/mttaggart...
www.youtube.com/watc...
Grab Venture here: github.com/mttaggart...
Venture Windows Log Viewer: Early Alpha Overview
Introducing Venture, a cross-platform viewer for Windows Event Logs! This is an overview of the early alpha at v0.2.0. Grab Venture at https://github.com/mttaggart/venture/releases/latest!
www.youtube.com
January 22, 2025 at 9:02 PM
Here's a video overview of Venture, the cross-platform Windows Event Viewer. Version 0.2.0 now has the ability to join multiple .evtx files into a single view!
www.youtube.com/watc...
Grab Venture here: github.com/mttaggart...
www.youtube.com/watc...
Grab Venture here: github.com/mttaggart...
Reposted by Diogo Fernandes 🤙🏼
Check out this new blog post from @andyrobbins.bsky.social discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ghst.ly/3Cd5cwH
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
ghst.ly
January 15, 2025 at 5:48 PM
Check out this new blog post from @andyrobbins.bsky.social discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ghst.ly/3Cd5cwH
Reposted by Diogo Fernandes 🤙🏼
Reposted by Diogo Fernandes 🤙🏼
You might find this helpful
github.com/Santandersec...
github.com/Santandersec...
GitHub - Santandersecurityresearch/DrHeader: drHEADer helps with the audit of security headers received in response to a single request or a list of requests.
drHEADer helps with the audit of security headers received in response to a single request or a list of requests. - Santandersecurityresearch/DrHeader
github.com
December 21, 2024 at 7:57 AM
You might find this helpful
github.com/Santandersec...
github.com/Santandersec...
Reposted by Diogo Fernandes 🤙🏼
Just put out this research on MiTM PaaS kits labeled Rockstar and Flowerstorm over the past few months. While my name is on this I partnered with two researchers, Josh Rawles and Jordon Olness who did a bulk of the work alongside @thepacketrat.net, and Colin Cowie who are all individually brilliant!
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar
news.sophos.com
December 19, 2024 at 4:17 PM
Just put out this research on MiTM PaaS kits labeled Rockstar and Flowerstorm over the past few months. While my name is on this I partnered with two researchers, Josh Rawles and Jordon Olness who did a bulk of the work alongside @thepacketrat.net, and Colin Cowie who are all individually brilliant!
Reposted by Diogo Fernandes 🤙🏼
Did you know that you can conduct an easy local dictionary attack on Linux without lockout times? Wrote a small tool for that, feel free to check it out:
github.com/yo-yo-yo-jbo...
github.com/yo-yo-yo-jbo...
GitHub - yo-yo-yo-jbo/dictiopwn: Unix-based dictionary attack utility
Unix-based dictionary attack utility. Contribute to yo-yo-yo-jbo/dictiopwn development by creating an account on GitHub.
github.com
December 18, 2024 at 6:08 PM
Did you know that you can conduct an easy local dictionary attack on Linux without lockout times? Wrote a small tool for that, feel free to check it out:
github.com/yo-yo-yo-jbo...
github.com/yo-yo-yo-jbo...