Paul Melson's Avatar

Paul Melson

@pmelson.bsky.social

290 Followers  |  131 Following  |  11 Posts  |  Joined: 27.06.2023  |  1.6062

Latest posts by pmelson.bsky.social on Bluesky

Preview
Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed a...

Don’t miss the use of ngrok for tunneling here. Continue to see malicious actors use this service to hide C2. Ngrok uses AWS IPs across multiple zones for egress NAT. I recommend sinkholing their domains across your network.
ngrok[.]com
ngrok[.]io
ngrok-free[.]app

www.microsoft.com/en-us/securi...

22.07.2025 13:43 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Post image

It’s that time again, apparently.

28.06.2025 16:52 β€” πŸ‘ 1    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0
Post image

Paul Melson's Brief History of Crime[ware] was a lovely (?!) trip down memory lane. I'm old too, @pmelson.bsky.social
#SLEUTHCON #traumamemories

06.06.2025 13:37 β€” πŸ‘ 6    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Preview
a man says i did this to myself in a blue shirt ALT: a man says i did this to myself in a blue shirt

This was the predictable outcome of this thread. I should have seen it coming.

04.05.2025 19:18 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
a man sitting at a desk with apparently not written on the screen ALT: a man sitting at a desk with apparently not written on the screen
04.05.2025 19:08 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

It is my position that Chatham House rules and TLP should extend to any trolling that takes place in those channels and venues.

04.05.2025 15:35 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 1    πŸ“Œ 0
Post image

New keynote drop: Paul Melson is taking the SLEUTHCON stage to dissect the rise of crime[ware]β€”how it started, how it scaled, and how we shut it down.
23+ yrs defending networks. ScumBots founder. Now VP @ Capital One.
🎀 June 6
πŸ“IRL + virtual
🎟️ Tix moving fast - sleuthcon.com
πŸ—“οΈ CFP closes April 18

14.04.2025 18:02 β€” πŸ‘ 21    πŸ” 8    πŸ’¬ 0    πŸ“Œ 1

So simple, but what a can of worms. It emphasizes why detection pipelines with multiple, conditional rounds are needed. Ideally you’d catch this with a simple string match for the reg key after it’s been through a generic deobfuscation round that drops non-alphanumeric characters.

08.12.2024 00:55 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

Took this at sunset in Fall in Minnesota:

08.12.2024 00:39 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Undulating Clouds This blog provides updated forecasts and comments on current weather or other topics

They’re called Asperitas clouds:

cliffmass.blogspot.com/2024/04/undu...

08.12.2024 00:37 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 2    πŸ“Œ 0

Today I am thankful for all of the folks working a shift and watching the wires to keep us safe. I see you and I appreciate you.

28.11.2024 14:58 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 1
Preview
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the β€œNearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.Β 
Β 
Read more here: www.volexity.com/blog/2024/11...

22.11.2024 14:58 β€” πŸ‘ 82    πŸ” 41    πŸ’¬ 2    πŸ“Œ 13
Screenshot of malicious spam (malspam) with malware file attachment.

Screenshot of malicious spam (malspam) with malware file attachment.

Traffic from the XLoader (Formbook) infection filtered in Wireshark.

Traffic from the XLoader (Formbook) infection filtered in Wireshark.

2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...

Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...

Also runs in my lab just fine

22.11.2024 19:42 β€” πŸ‘ 17    πŸ” 10    πŸ’¬ 2    πŸ“Œ 0
Preview
ScumBots (@ScumBots@infosec.exchange) 21 Posts, 0 Following, 83 Followers Β· I drop dox on scumbag bots and RATs

I’m in the process of migrating ScumBots from Twitter to Mastodon / infosec.exchange. You can follow the bot here now: infosec.exchange/@ScumBots

09.11.2024 18:00 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Paul Melson (@pmelson@infosec.exchange) Attached: 1 image I found a PDF file that appears to be an exploit for a PHP web app. It contains a valid PDF file header but is not a valid PDF document. It also contains an HTML/PHP document that i...

I posted a writeup analyzing a malicious PDF file containing a heavily obfuscated PHP payload over on infosec[.]exchange:

infosec.exchange/@pmelson/113...

23.10.2024 19:38 β€” πŸ‘ 5    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

@pmelson is following 20 prominent accounts