Check out his full talk here:
www.google.com/url?sa=t&sou...
@pmelson.bsky.social
Paul Melson joined us this year as our keynote speaker to talk about the history of crimeware and its evolution through the years.
In his keynote he also gives some good advice to those who are in the field and creating their professional network. Check out what he had to say!
If you're not already alerting on
CONHOST.EXE spawning CMD.EXE spawning WGET.EXE
or
CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE
you're gonna want to close that gap today.
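The two parent-child chains named in the post, checked over a batch of process-creation events, as an added example (not the author's code); the event shape (pid, ppid, image) and the sample events are constructed for illustration:

```python
"""Flag processes whose ancestry matches the chains from the post:
CONHOST -> CMD -> WGET and CONHOST -> CONHOST -> CONHOST.
Events are a constructed, Sysmon-like subset: pid, ppid, image path."""
from typing import Dict, List, Tuple

# Alert chains, listed parent-first as in the post.
SUSPICIOUS_CHAINS = [
    ("conhost.exe", "cmd.exe", "wget.exe"),
    ("conhost.exe", "conhost.exe", "conhost.exe"),
]

def _basename(image: str) -> str:
    # Reduce a full image path to its lower-case file name.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def index_by_pid(events: List[dict]) -> Dict[int, dict]:
    # One lookup table per batch; assumes no pid reuse inside the batch.
    return {e["pid"]: e for e in events}

def ancestry(by_pid: Dict[int, dict], pid: int, depth: int) -> List[str]:
    """Child-first lineage [self, parent, grandparent, ...] up to depth.
    Stops early when the parent is outside the batch (no fabricated root)."""
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < depth:
        chain.append(_basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain

def find_chain_alerts(events: List[dict]) -> List[Tuple[int, Tuple[str, ...]]]:
    """Return (pid, chain) for every process whose ancestry matches a chain."""
    by_pid = index_by_pid(events)
    alerts = []
    for e in events:
        for pattern in SUSPICIOUS_CHAINS:
            # ancestry is child-first, so compare with the reversed pattern
            if ancestry(by_pid, e["pid"], len(pattern)) == list(reversed(pattern)):
                alerts.append((e["pid"], pattern))
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Tools\wget.exe"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 700, "ppid": 300, "image": r"C:\Windows\System32\whoami.exe"},
]

if __name__ == "__main__":
    for pid, chain in find_chain_alerts(SAMPLE_EVENTS):
        print(pid, " -> ".join(chain))
```

Only pids 400 and 600 match; the lone conhost pair (500) and the cmd child whoami (700) do not, which is the point of matching the full three-step chain rather than a single parent-child pair.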
Are weekly dental cleanings a thing?
26.09.2025 00:14
ICYMI: Paul Melson, VP of Cyber Intelligence Engineering at Capital One, delivered the SLEUTHCON 2025 keynote!
Watch here >> www.youtube.com/watch?v=9FvB...
That's great
30.08.2025 19:19
Happy International Dog Day, hope you spent it with your best friends
26.08.2025 23:45
Don't miss the use of ngrok for tunneling here. Continue to see malicious actors use this service to hide C2. Ngrok uses AWS IPs across multiple zones for egress NAT. I recommend sinkholing their domains across your network.
ngrok[.]com
ngrok[.]io
ngrok-free[.]app
www.microsoft.com/en-us/securi...
It's that time again, apparently.
28.06.2025 16:52
Paul Melson's Brief History of Crime[ware] was a lovely (?!) trip down memory lane. I'm old too, @pmelson.bsky.social
#SLEUTHCON #traumamemories
It is my position that Chatham House rules and TLP should extend to any trolling that takes place in those channels and venues.
04.05.2025 15:35
New keynote drop: Paul Melson is taking the SLEUTHCON stage to dissect the rise of crime[ware]—how it started, how it scaled, and how we shut it down.
23+ yrs defending networks. ScumBots founder. Now VP @ Capital One.
June 6
IRL + virtual
Tix moving fast - sleuthcon.com
CFP closes April 18
So simple, but what a can of worms. It emphasizes why detection pipelines with multiple, conditional rounds are needed. Ideally you'd catch this with a simple string match for the reg key after it's been through a generic deobfuscation round that drops non-alphanumeric characters.
08.12.2024 00:55
Took this at sunset in Fall in Minnesota:
08.12.2024 00:39
They're called Asperitas clouds:
cliffmass.blogspot.com/2024/04/undu...
Today I am thankful for all of the folks working a shift and watching the wires to keep us safe. I see you and I appreciate you.
28.11.2024 14:58
@volexity.com's latest blog post describes in detail how a Russian APT used a new attack technique, the "Nearest Neighbor Attack", to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...
Screenshot of malicious spam (malspam) with malware file attachment.
Traffic from the XLoader (Formbook) infection filtered in Wireshark.
2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...
Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...
Also runs in my lab just fine
I'm in the process of migrating ScumBots from Twitter to Mastodon / infosec.exchange. You can follow the bot here now: infosec.exchange/@ScumBots
09.11.2024 18:00
I posted a writeup analyzing a malicious PDF file containing a heavily obfuscated PHP payload over on infosec[.]exchange:
infosec.exchange/@pmelson/113...