Silas Cutler
@silascutler.bsky.social
You may know me from your server logs.

#Malware, Hacks, Internet Scanning, #CTI
New from @DomainTools: Inside the Great Firewall Part 1: The Dump
https://dti.domaintools.com/inside-the-great-firewall-part-1-the-dump/
October 30, 2025 at 7:30 PM
New drop from the Three Buddy Problem: Apple’s iOS forensics freeze, WhatsApp zero-click, China outs NSA

https://securityconversations.com/episode/apples-ios-forensics-freeze-whatsapp-zero-click-china-outs-nsa/
October 24, 2025 at 7:41 PM
Unpacking the Oracle EBS Debacle: Industries, Geography, and MOVEit Comparisons #Cl0p

https://censys.com/blog/unpacking-the-oracle-ebs-debacle-industries-geography-and-moveit-comparisons
October 24, 2025 at 3:00 PM
Threat Intel: Lessons from the BlackBasta Ransomware Attack on C... https://blog.bushidotoken.net/2025/10/lessons-from-blackbasta-ransomware.html?spref=tw
October 23, 2025 at 3:00 PM
I really like the categorization of incidents in @NCSC's Annual Review.
https://www.ncsc.gov.uk/files/ncsc-annual-review-2025.pdf

The framework was created in 2018, full breakdown is available at: https://www.ncsc.gov.uk/information/categorising-uk-cyber-incidents
October 15, 2025 at 4:46 PM
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors
https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool
October 8, 2025 at 8:47 PM
Not seeing any good connections beyond. While the `banner_hash_sha256` on @censysio shows 4 other hosts, normally a good sign when looking for unique malware, the underlying conditions (content length / server header) are weak in this case.
October 7, 2025 at 1:00 PM
Back in the rest of the #opendir, uploads/ is used by app.py. I don't see where downloads_cache is used, but it has a similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind app.py/agent.go.
October 7, 2025 at 1:00 PM
stealer.go (SHA256: bf9bbcc1692140d5aeaabb839a96e90d4c6df9b75e01ef79585ee07324b984ab) is a stand-alone tool for extracting logins. Looks to be custom; debug messages are unique.
October 7, 2025 at 1:00 PM
Case statements in agent.go show a bit of the functionality:
- start_shell
- cd / list_files / delete
- upload / download
- clipboard_on / keylog_on
- shutdown / restart

mouse_move and mouse_click are interesting to see. Less common to see at this level of functionality implementation.
October 7, 2025 at 1:00 PM
app.py (SHA256: 707cd46cd390072ba79f2655c562a205cba586f3634ef52e8c034c8a6a607a8c) looks to be the C2 server and agent.go (SHA256: 8342dd353a95bd8f8884eef0cd1ba5b4e81751f669babf8c91b068e10ea64d99) the client.

October 7, 2025 at 1:00 PM
Interesting #OpenDir on #QuasarRat C2 server 185.208.159[.]161:8000. The open web directory includes source code for a backdoor + misc development artifacts.

https://platform.censys.io/hosts/185.208.159.161
https://search.censys.io/hosts/185.208.159.161

#malware #thread 🧵

October 7, 2025 at 1:00 PM
Wild to see Htran being used all these years later. cc: @joestewart.bsky.social

https://unit42.paloaltonetworks.com/phantom-taurus/
September 30, 2025 at 4:00 PM
Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

https://censys.com/blog/disallow-security-research-crypto-phishing-sites-failed-attempt-to-block-investigators
September 29, 2025 at 6:10 PM
August 28, 2025 at 5:00 PM
2025 State of the Internet Report: Summary and Conclusions
https://censys.com/blog/2025-state-of-the-internet-report-summary-and-conclusions

(Screenshot: PolarEdge infections as of 5 August 2025)
August 26, 2025 at 3:00 PM
August 10, 2025 at 1:00 PM
I'll be on a panel later today at @DEFCONPolicy on ways folks @DEFCON can help support cyber security in K-12 schools
August 9, 2025 at 7:00 PM
August 9, 2025 at 1:00 PM
Today's schedule for @defconpolicy.bsky.social
August 8, 2025 at 7:00 PM
August 8, 2025 at 2:00 AM
August 6, 2025 at 10:00 PM
lol, you can steal a boat at @DEFCON / @MaritimeVillage
https://maritimehackingvillage.com/dc33/maritime-gta
August 5, 2025 at 7:00 PM
The Hacker Pager from exploitee.rs came out incredibly well!

https://shop.exploitee.rs/shop/p/the-hacker-pager
July 31, 2025 at 8:30 PM
Great reporting from @greynoise.io around understanding trends and active exploitation activity spikes

https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emerging-vulnerabilities
July 31, 2025 at 7:30 PM