Tony Lambert
@forensicitguy.bsky.social
Recovering sysadmin that now chases adversaries instead of uptime. Sr Malware Analyst @redcanary
Reposted by Tony Lambert
As you're planning your week, be sure to sign up for our Red Canary webinar on initial access to hear about common adversary techniques and what to do about them. redcanary.com/resources/we... Don't miss it!
[Webinar] The Detection Series: Initial Access
We explore the Initial Access MITRE ATT&CK® tactic, with a focus on emergent, novel, and prevalent adversary techniques and capabilities.
redcanary.com
May 27, 2025 at 1:17 PM
As you're planning your week, be sure to sign up for our Red Canary webinar on initial access to hear about common adversary techniques and what to do about them. redcanary.com/resources/we... Don't miss it!
Do you miss "@cobaltstrikebot"? If so, here's a blog post showing how you can pull Cobalt Strike SpawnTo and watermark info with @shodanhq.bsky.social and some PowerShell: forensicitguy.github.io/squeezing-co...
Squeezing Cobalt Strike Threat Intelligence from Shodan
One of my favorite Twitter accounts from the last several years was @cobaltstrikebot, mainly because it was an awesome source of threat intelligence for Cobalt Strike beacons in the wild. The account ...
forensicitguy.github.io
May 19, 2025 at 1:37 AM
Do you miss "@cobaltstrikebot"? If so, here's a blog post showing how you can pull Cobalt Strike SpawnTo and watermark info with @shodanhq.bsky.social and some PowerShell: forensicitguy.github.io/squeezing-co...
A fun yearly endeavor for me is contributing to the Red Canary Threat Detection Report, and the 2025 edition is out today! distilled into one report!
Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
redcanary.com/threat-detec...
Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
redcanary.com/threat-detec...
Welcome to the Red Canary Threat Detection Report
Our Threat Detection Report takes a close look at the top techniques, threats, and trends to help security teams focus on what matters most.
redcanary.com
March 18, 2025 at 3:55 PM
A fun yearly endeavor for me is contributing to the Red Canary Threat Detection Report, and the 2025 edition is out today! distilled into one report!
Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
redcanary.com/threat-detec...
Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
redcanary.com/threat-detec...
"For what it's worth, the curl by itself is likely safe. It's the chmod and nohup bash after it that are the problem"
I saw this on a forum post today, and I swear it's the macOS/Linux version of "it's not the fall that kills, it's the impact"
I saw this on a forum post today, and I swear it's the macOS/Linux version of "it's not the fall that kills, it's the impact"
February 7, 2025 at 2:05 AM
"For what it's worth, the curl by itself is likely safe. It's the chmod and nohup bash after it that are the problem"
I saw this on a forum post today, and I swear it's the macOS/Linux version of "it's not the fall that kills, it's the impact"
I saw this on a forum post today, and I swear it's the macOS/Linux version of "it's not the fall that kills, it's the impact"
Reposted by Tony Lambert
I am working on a public platform to make it even easier for people to report code-signing certificates.
My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.
My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.
January 28, 2025 at 1:39 PM
I am working on a public platform to make it even easier for people to report code-signing certificates.
My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.
My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.
New blog post for #100DaysofYARA , in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware
forensicitguy.github.io/exploring-ve...
#malware
Exploring VenomRAT Metadata and Encryption with YARA - #100DaysOfYara
It’s that time of year again - 100 Days of YARA! In this post I want to walk through how I use YARA to document malware analysis findings. YARA has loads of different use cases:
forensicitguy.github.io
January 3, 2025 at 2:27 AM
New blog post for #100DaysofYARA , in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware
forensicitguy.github.io/exploring-ve...
#malware
#100daysofyara I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another a string + encryption salt, 3rd for assembly name
January 2, 2025 at 4:30 AM
#100daysofyara I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another a string + encryption salt, 3rd for assembly name
Reposted by Tony Lambert
Mastercard Completes Acquisition of Cybersecurity Firm Recorded Future for $2.6 Billion
Mastercard Completes Acquisition of Cybersecurity Firm Recorded Future for $2.6 Billion
Mastercard (NYSE: MA) has officially finalized the acquisition of Recorded Future, a leading provider of AI-driven threat intelligence.
cybersecuritynews.com
December 21, 2024 at 7:56 PM
Mastercard Completes Acquisition of Cybersecurity Firm Recorded Future for $2.6 Billion
Reposted by Tony Lambert
2024-12-13 (Friday): www.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT 2 injected scripts. jitcom[.]info and best-net[.]biz.
Pivoting on best-net[.]biz in URLscan show signs of six other compromised sites: urlscan.io/search/#best...
#NetSupportRAT
Pivoting on best-net[.]biz in URLscan show signs of six other compromised sites: urlscan.io/search/#best...
#NetSupportRAT
December 13, 2024 at 6:56 PM
2024-12-13 (Friday): www.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT 2 injected scripts. jitcom[.]info and best-net[.]biz.
Pivoting on best-net[.]biz in URLscan show signs of six other compromised sites: urlscan.io/search/#best...
#NetSupportRAT
Pivoting on best-net[.]biz in URLscan show signs of six other compromised sites: urlscan.io/search/#best...
#NetSupportRAT
Reposted by Tony Lambert
Malicious Google ad for PayPal
⚠️
https[:]//sites[.]google.com/view/pay-pal-helpcustomerservic/
#malvertising
⚠️
https[:]//sites[.]google.com/view/pay-pal-helpcustomerservic/
#malvertising
December 13, 2024 at 7:10 PM
Malicious Google ad for PayPal
⚠️
https[:]//sites[.]google.com/view/pay-pal-helpcustomerservic/
#malvertising
⚠️
https[:]//sites[.]google.com/view/pay-pal-helpcustomerservic/
#malvertising
Reposted by Tony Lambert
Join @olafhartong.nl in his journey down the rabbit hole in search of new detection opportunities in the #Zeek telemetry embedded in Microsoft's EDR #MDE! Detection engineering is sometimes hard … 😎
falconforce.nl/detection-en...
#detectionengineering #kql #blueteam
falconforce.nl/detection-en...
#detectionengineering #kql #blueteam
December 16, 2024 at 2:40 PM
Join @olafhartong.nl in his journey down the rabbit hole in search of new detection opportunities in the #Zeek telemetry embedded in Microsoft's EDR #MDE! Detection engineering is sometimes hard … 😎
falconforce.nl/detection-en...
#detectionengineering #kql #blueteam
falconforce.nl/detection-en...
#detectionengineering #kql #blueteam
Reposted by Tony Lambert
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses
thehackernews.com
December 4, 2024 at 5:45 AM
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses
Reposted by Tony Lambert
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
thehackernews.com
December 4, 2024 at 5:45 AM
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
Reposted by Tony Lambert
China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane
China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane
China-linked APT Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane in attacks targeting East and Southeast Asia.
securityaffairs.com
November 23, 2024 at 1:21 PM
China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane
Reposted by Tony Lambert
certReport 3.1.4
Bugfix - indicators could be printed in duplicate
certReport makes reporting code-signing certs easy. No-one likes spending time reading or writing reports. That is: I just noticed the problem. Maybe someone else did. I don't know. It is gone now.
Bugfix - indicators could be printed in duplicate
certReport makes reporting code-signing certs easy. No-one likes spending time reading or writing reports. That is: I just noticed the problem. Maybe someone else did. I don't know. It is gone now.
November 21, 2024 at 11:40 AM
certReport 3.1.4
Bugfix - indicators could be printed in duplicate
certReport makes reporting code-signing certs easy. No-one likes spending time reading or writing reports. That is: I just noticed the problem. Maybe someone else did. I don't know. It is gone now.
Bugfix - indicators could be printed in duplicate
certReport makes reporting code-signing certs easy. No-one likes spending time reading or writing reports. That is: I just noticed the problem. Maybe someone else did. I don't know. It is gone now.
Reposted by Tony Lambert
Linux Variant of Helldown Ransomware Targets VMware ESxi Systems
Linux Variant of Helldown Ransomware Targets VMware ESxi Systems
Since surfacing in August, the likely LockBit variant has claimed more than two dozen victims and appears poised to strike many more.
www.darkreading.com
November 19, 2024 at 11:02 PM
Linux Variant of Helldown Ransomware Targets VMware ESxi Systems
Reposted by Tony Lambert
More PRC telecom shenanigans. I'd love to say that this sector is so hot right now, but it's always been hot. www.crowdstrike.com/en-us/blog/l...
Unveiling LIMINAL PANDA - Threats to Telecom Sector | CrowdStrike
Cyber threat LIMINAL PANDA has targeted telecommunication entities since at least 2020. Learn key traits, targets and tactics!
www.crowdstrike.com
November 19, 2024 at 5:22 PM
More PRC telecom shenanigans. I'd love to say that this sector is so hot right now, but it's always been hot. www.crowdstrike.com/en-us/blog/l...
Reposted by Tony Lambert
Reminder that in Feb I will teach a special, extended version of my #CTI + #DetectionEngineering & #ThreatHunting course with #OTsecurity examples and case studies at the #S4x25 conference!
s4xevents.com/s4x25-traini...
s4xevents.com/s4x25-traini...
Training
s4xevents.com
November 18, 2024 at 1:59 PM
Reminder that in Feb I will teach a special, extended version of my #CTI + #DetectionEngineering & #ThreatHunting course with #OTsecurity examples and case studies at the #S4x25 conference!
s4xevents.com/s4x25-traini...
s4xevents.com/s4x25-traini...
Reposted by Tony Lambert
May 13, 2024 blogpost
It is common for malware to be signed with code signing certificates.
How is this possible? Impostors receive the cert directly and sign malware.
In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.
squiblydoo.blog/2024/05/13/i...
It is common for malware to be signed with code signing certificates.
How is this possible? Impostors receive the cert directly and sign malware.
In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.
squiblydoo.blog/2024/05/13/i...
Impostor Certificates
It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…
squiblydoo.blog
November 17, 2024 at 1:33 PM
May 13, 2024 blogpost
It is common for malware to be signed with code signing certificates.
How is this possible? Impostors receive the cert directly and sign malware.
In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.
squiblydoo.blog/2024/05/13/i...
It is common for malware to be signed with code signing certificates.
How is this possible? Impostors receive the cert directly and sign malware.
In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.
squiblydoo.blog/2024/05/13/i...
Reposted by Tony Lambert
Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago
www.youtube.com/watch?v=O69e...
www.youtube.com/watch?v=O69e...
Smokeloader: The Pandora’s box of tricks, payloads and anti-analysis - BSides Portland 2022
YouTube video by BSides Portland
www.youtube.com
November 16, 2024 at 3:42 AM
Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago
www.youtube.com/watch?v=O69e...
www.youtube.com/watch?v=O69e...
Reposted by Tony Lambert
@volexity.bsky.social has published a blog post detailing variants of LIGHTSPY & DEEPDATA malware discovered in the summer of 2024, including exploitation of a vulnerability in FortiClient to extract credentials from memory. Read more here: www.volexity.com/blog/2024/11...
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s ...
www.volexity.com
November 15, 2024 at 8:02 PM
@volexity.bsky.social has published a blog post detailing variants of LIGHTSPY & DEEPDATA malware discovered in the summer of 2024, including exploitation of a vulnerability in FortiClient to extract credentials from memory. Read more here: www.volexity.com/blog/2024/11...