
@qutluch.bsky.social

When these frail shadows we inhabit now have quit the stage, we'll meet and raise a glass again together in Valhalla.

165 Followers  |  821 Following  |  21 Posts  |  Joined: 07.02.2024  |  1.7732

Latest posts by qutluch.bsky.social on Bluesky

Preview
The Gist: Age Verification is an Epic fail From the 21st July 2025, Ireland’s regulator will be enforcing age checks at the door for social media sites in the EU. This is the Gist.

New Gist: Age Verification is an Epic fail

On Bluesky's introduction of age verification, selling us to the Fortnite guys, and how the arrogance of Ireland's regulator has seen it deliver the very outcomes it once called "bonkers".

www.thegist.ie/the-gist-age...

13.07.2025 13:19 — 👍 119    🔁 80    💬 5    📌 20

This entire thread is head shot nerd sniping, Greg. I'll brb. Need more time to reply. Keep UNCs. Keep APTs or named actors. There's valid uses but I have strong feelings for how they're used & how people merge groups and/or attribute into a group to say it's them rather than admit it's similar.

22.05.2025 04:23 — 👍 1    🔁 0    💬 0    📌 0

We're guilty of it too. It happens. Keeping up to date with the code families & automating the plugin extraction is a full time job. The automation is important but lowering the bar & time required to do the RE to identify plugins & capability is great. Nino's work helped crush that analysis time.

29.01.2025 14:28 — 👍 1    🔁 0    💬 0    📌 0

It's always bothered me when I read a report saying "It was <pluggable code family PLUGDOOR>" but not always listing the minimum set of plugins (features) a sample was shipped with. Even if it supports loading further modules, clients should be informed of the minimum a threat actor had to hand.

29.01.2025 13:55 — 👍 2    🔁 0    💬 1    📌 0

Thanks. I've spent a lot of time working on pluggable code families like this & SOGU (PlugX). Ultimately the obfuscation defeated me. Nino did such an amazing job. I spent last year working a lot on making sure we can easily identify or at least extract and analyse plugins shipped with pplug.

29.01.2025 13:49 — 👍 2    🔁 0    💬 1    📌 0
Preview
FreeBSD support · Issue #385 · actions/runner Describe the enhancement Support building the runner on FreeBSD Additional information I think FreeBSD has all the libraries that the runner needs. And while the dotnet-sdk isn't available from Micr...

@github.com With regards actions could you please review this issue regarding #FreeBSD support. Maybe now that @netflix.com is reporting an impact to them you'll take it seriously. github.com/actions/runn...

23.01.2025 13:35 — 👍 2    🔁 0    💬 0    📌 0
Preview
Reverse Engineering Survey My name is Max 'Libra' Kersten and I'm a malware analyst. This survey will collect the answers you provide without the need for any personal information. The goal of this survey is to get a better und...

My reverse engineering workflows survey is still ongoing! In less than 3 minutes, you can fill it in and help out: docs.google.com/forms/d/e/1F...

16.01.2025 12:29 — 👍 1    🔁 1    💬 0    📌 0

14.01.2025 14:03 — 👍 0    🔁 0    💬 1    📌 0

Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies.

They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.

08.01.2025 16:25 — 👍 51    🔁 26    💬 1    📌 8

#100DaysofYara Day 5

My first ELF binary:

github.com/augustvansic...

I also learned how to use x64dbg to attach to a process and follow the kernel32.dll WriteProcessMemory stack call to find where the EDR DLL gets a handle on the process.

05.01.2025 17:00 — 👍 2    🔁 2    💬 0    📌 0
Preview
100-Days-of-YARA-2025/Day5.yara at main · RustyNoob-619/100-Days-of-YARA-2025 100 Days of YARA is a challenge to write a YARA rule every day for 100 days - RustyNoob-619/100-Days-of-YARA-2025

x: @RustyNoob619

#100DaysofYARA Day 5

Added a couple of new YARA rules for TTPs 🐧

First is to detect embedded Windows PE payloads in a file as Base64 encoding

Second is to spot modification of memory protect flags which is typically used for code injection/unpacking

github.com/RustyNoob-61...

05.01.2025 18:21 — 👍 2    🔁 1    💬 0    📌 0

Crossposting here. #100daysofyara: continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.

05.01.2025 11:43 — 👍 7    🔁 3    💬 1    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Writing Code Signatures

🦔 📹 Video: Learn how to write code based signatures
➡️ using privateloader as example
➡️ what to detect
➡️ where to set wildcards
➡️ how to test your rule on unpac me
www.youtube.com/watch?v=oxC9...
#MalwareAnalysisForHedgehogs #privateloader

07.12.2024 07:05 — 👍 9    🔁 7    💬 1    📌 1
Preview
Exploring VenomRAT Metadata and Encryption with YARA - #100DaysOfYara It’s that time of year again - 100 Days of YARA! In this post I want to walk through how I use YARA to document malware analysis findings. YARA has loads of different use cases:

New blog post for #100DaysofYARA , in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware

03.01.2025 02:28 — 👍 13    🔁 4    💬 0    📌 1

#100DaysofYARA we're brute forcing Steve's prompt with regular expressions :P

github.com/100DaysofYAR...

03.01.2025 15:12 — 👍 14    🔁 2    💬 3    📌 0

#100DaysOfYara Day 3

Thought this was a Meterpreter implant but I compared it to an implant I made; much more functionality for the ITW sample. Rule = unique win32 API calls, IPs, imports.

03.01.2025 15:11 — 👍 5    🔁 3    💬 0    📌 0

#100daysofyara I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another a string + encryption salt, 3rd for assembly name

02.01.2025 04:30 — 👍 8    🔁 3    💬 0    📌 0

#100DaysofYARA day 2 - one cluster in my portfolio, TA427 really likes to use password-protected ZIP files with an MSC file as the only embedded file (used to use .VBS files)

Let's look for ZIPs that match those features!

github.com/100DaysofYAR...

02.01.2025 13:44 — 👍 10    🔁 2    💬 1    📌 0

#100DaysOfYara Day 2:

LBB.exe, Lockbit 4 PE

github.com/augustvansic...

02.01.2025 15:00 — 👍 6    🔁 3    💬 0    📌 0
Preview
GIF alt text: a man is standing in a store with his arms outstretched and says "who's comin' with me?"
02.01.2025 18:41 — 👍 0    🔁 0    💬 0    📌 0
Preview
GIF alt text: a man with a beard is making a funny face with his eyes closed and says "click".

Configured my neovim conform.nvim to run "yr fmt" on save. Looking forward to "yr lint" and hoping someday for a yara-x LSP.

01.01.2025 21:23 — 👍 4    🔁 0    💬 0    📌 0

I'm on the same page though. That's why I have tried a few options and always come back to an rcs. I've even worked on deduplication methods but it's not worth it. I have what works for me but experimenting is worthwhile and fun.

01.01.2025 18:59 — 👍 1    🔁 0    💬 1    📌 0
Game of Trees: the main Game of Trees page

www.gameoftrees.org

01.01.2025 18:56 — 👍 0    🔁 0    💬 0    📌 0

Here she is during Christmas after a hard night drinking imperial stout & reviewing yara rules.

01.01.2025 18:46 — 👍 2    🔁 0    💬 1    📌 0

Gitea self-hosted at home right now. I guess my playing with a new service was more a yara-x Golang bindings project than anything else. Probably won't be useful to anyone else. I write plenty of rules at home & my dog reviews them all. She says they're all quality.

01.01.2025 18:43 — 👍 4    🔁 0    💬 1    📌 0

Also not sure what platform I'll post on. Shitter, BSky, Mastodon or if I'll just PR on GitHub. I was also working on a new service at home for storing my rules. I tried synapse for rule management but in the end I prefer something standalone / decoupled from everything else.

01.01.2025 18:30 — 👍 3    🔁 0    💬 1    📌 0

Gonna take a hangover day & start #100DaysOfYara late. Couldn't keep up last year & I'll see how it goes this year. I don't have the creativity of @greg-l.bsky.social. Might do some scripting & play more with yara-x like @stvemillertime.bsky.social. I have a half written gRPC service for file scanning.

01.01.2025 18:24 — 👍 9    🔁 1    💬 2    📌 0

Ok day 1 of #100DaysofYara:

I assigned some strings based on the less common lines from the Lockbit 4 loader that would likely be common in malicious code and not typically in normal admin, as well as a hex string for the PE itself

01.01.2025 17:19 — 👍 4    🔁 3    💬 1    📌 0

#100DaysofYARA day 1 - the Amos stealer is regularly evolving and updating its obfuscation techniques

You know what isn't changing?

the dylibs it depends on and the entitlements it requests from the OS. Combined, they give us excellent signal

github.com/100DaysofYAR...

01.01.2025 16:36 — 👍 16    🔁 5    💬 2    📌 0

#100DaysofYARA 2025 edition begins tomorrow!

Any #CTI or #detectionengineering folks looking for a self-paced challenge to start the year with a laid back & fun community? Look no further!

The challenge is simple - write a YARA rule every day for 100 days

31.12.2024 18:47 — 👍 21    🔁 9    💬 1    📌 0
