Paul Melson's Avatar

Paul Melson

@pmelson.bsky.social

297 Followers  |  133 Following  |  22 Posts  |  Joined: 27.06.2023  |  1.6371

Latest posts by pmelson.bsky.social on Bluesky

Post image

If you appreciate the under-reported #InfoSec & #DataPrivacy news content I share every week, please support what I do by signing up for my newsletter. sherpaintelligence.substack.com

I'm really proud of the content I provide and subscribers make my work possible.

Repost & share with your network!

01.02.2026 22:39 β€” πŸ‘ 5    πŸ” 5    πŸ’¬ 0    πŸ“Œ 1
Screenshot of my blog post to share information on this Lumma Stealer infection with follow-up malware.

Screenshot of my blog post to share information on this Lumma Stealer infection with follow-up malware.

2025-12-30 (Tuesday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the associated #Lumma with follow-up #malware samples, and some IOCs are available at www.malware-traffic-analysis.net/2025/12/30/i...

31.12.2025 05:37 β€” πŸ‘ 7    πŸ” 3    πŸ’¬ 0    πŸ“Œ 0
Post image Post image

Sunset over a frozen lake

30.12.2025 23:27 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Our Labs love the snow. They’re 11 & 12, and it makes them act like puppies.

29.11.2025 19:58 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image 23.11.2025 02:09 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

β€œHe got you, didn’t he?”

18.11.2025 22:38 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image Post image

If I won the lottery, I might not tell anyone, but there would be signs.

18.11.2025 01:18 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

The back story on how that performance came together is amazing, too. And so many of the songs have cool stories behind them (or after them, like Onyx & Biohazard).

18.11.2025 01:00 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

I mean, the movie was the excuse to make the soundtrack. But who cares? They made the soundtrack.

18.11.2025 00:57 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Evil Corp: 1. Zeus Podcast Episode Β· Cyber Hack Β· S3 E1 Β· 39m

BBC has the goods

podcasts.apple.com/us/podcast/c...

17.11.2025 00:01 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Keynote | SLEUTHCON 2025 June 6th, SLEUTHCON 2025 in Arlington, VA Presented by Paul Melson

Check out his full talk here:
www.google.com/url?sa=t&sou...

17.10.2025 15:11 β€” πŸ‘ 2    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Paul Melson joined us this year as our keynote speaker to talk about the history of crimeware and its evolution through the years.

In his keynote he also gives some good advice to those who are in the field and creating their professional network. Check out what he had to say!

17.10.2025 15:11 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 1    πŸ“Œ 0

If you’re not already alerting on

CONHOST.EXE spawning CMD.EXE spawning WGET.EXE

or

CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE

you’re gonna want to close that gap today.

03.10.2025 16:04 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

Are weekly dental cleanings a thing?

26.09.2025 00:14 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Keynote | SLEUTHCON 2025
YouTube video by SLEUTHCON Keynote | SLEUTHCON 2025

ICYMI: Paul Melson, VP of Cyber Intelligence Engineering at Capital One, delivered the SLEUTHCON 2025 keynote!

Watch here >> www.youtube.com/watch?v=9FvB...

10.09.2025 16:19 β€” πŸ‘ 6    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0

That’s great

30.08.2025 19:19 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

Happy International Dog Day, hope you spent it with your best friends

26.08.2025 23:45 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed a...

Don’t miss the use of ngrok for tunneling here. Continue to see malicious actors use this service to hide C2. Ngrok uses AWS IPs across multiple zones for egress NAT. I recommend sinkholing their domains across your network.
ngrok[.]com
ngrok[.]io
ngrok-free[.]app

www.microsoft.com/en-us/securi...

22.07.2025 13:43 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Post image

It’s that time again, apparently.

28.06.2025 16:52 β€” πŸ‘ 1    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0
Post image

Paul Melson's Brief History of Crime[ware] was a lovely (?!) trip down memory lane. I'm old too, @pmelson.bsky.social
#SLEUTHCON #traumamemories

06.06.2025 13:37 β€” πŸ‘ 5    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Preview
a man sitting at a desk with apparently not written on the screen ALT: a man sitting at a desk with apparently not written on the screen
04.05.2025 19:08 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

It is my position that Chatham House rules and TLP should extend to any trolling that takes place in those channels and venues.

04.05.2025 15:35 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 1    πŸ“Œ 0
Post image

New keynote drop: Paul Melson is taking the SLEUTHCON stage to dissect the rise of crime[ware]β€”how it started, how it scaled, and how we shut it down.
23+ yrs defending networks. ScumBots founder. Now VP @ Capital One.
🎀 June 6
πŸ“IRL + virtual
🎟️ Tix moving fast - sleuthcon.com
πŸ—“οΈ CFP closes April 18

14.04.2025 18:02 β€” πŸ‘ 21    πŸ” 8    πŸ’¬ 0    πŸ“Œ 1

So simple, but what a can of worms. It emphasizes why detection pipelines with multiple, conditional rounds are needed. Ideally you’d catch this with a simple string match for the reg key after it’s been through a generic deobfuscation round that drops non-alphanumeric characters.

08.12.2024 00:55 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

Took this at sunset in Fall in Minnesota:

08.12.2024 00:39 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Undulating Clouds This blog provides updated forecasts and comments on current weather or other topics

They’re called Asperitas clouds:

cliffmass.blogspot.com/2024/04/undu...

08.12.2024 00:37 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 2    πŸ“Œ 0

Today I am thankful for all of the folks working a shift and watching the wires to keep us safe. I see you and I appreciate you.

28.11.2024 14:58 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 1
Preview
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the β€œNearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.Β 
Β 
Read more here: www.volexity.com/blog/2024/11...

22.11.2024 14:58 β€” πŸ‘ 81    πŸ” 41    πŸ’¬ 2    πŸ“Œ 13
Screenshot of malicious spam (malspam) with malware file attachment.

Screenshot of malicious spam (malspam) with malware file attachment.

Traffic from the XLoader (Formbook) infection filtered in Wireshark.

Traffic from the XLoader (Formbook) infection filtered in Wireshark.

2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...

Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...

Also runs in my lab just fine

22.11.2024 19:42 β€” πŸ‘ 17    πŸ” 10    πŸ’¬ 2    πŸ“Œ 0
Preview
ScumBots (@ScumBots@infosec.exchange) 21 Posts, 0 Following, 83 Followers Β· I drop dox on scumbag bots and RATs

I’m in the process of migrating ScumBots from Twitter to Mastodon / infosec.exchange. You can follow the bot here now: infosec.exchange/@ScumBots

09.11.2024 18:00 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

@pmelson is following 20 prominent accounts