@re.wtf.bsky.social
sr detection engineer @ huntress • malware enjoyer • macOS security https://alden.io
Hot on the heels of the researched published by @huntress.com, hunting for Zoom-themed lures from DPRK's #BlueNoroff
💥Learn hunting techniques
💥Leverage new Validin features and data
💥Full, unredacted indicator list (domains, IPs, hashes)
www.validin.com/blog/zooming...
LMFAO woah woah it's good by comparison! 😭 we take what we can get in macOS land
18.06.2025 21:04 — 👍 0 🔁 0 💬 0 📌 0
excited bc today @huntress.com is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠
we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)!
www.huntress.com/blog/inside-...
finally got around to rewriting the copy as yara binja plugin! 🥰
has a few quality of life improvements (new formats) and address wildcarding is fixed for ARM! (sorry bout that mac homies) ❤️
it's also now available in the plugin repository! 🔥
github.com/ald3ns/copy-...
CVE-2025-2825 or CVE-2025-31161: A vulnerability by any other name is still a threat 😇: We've updated the blog to reflect some new attacker tradecraft observed yesterday
cc @huntress.com @re.wtf @johnhammond.bsky.social
#DFIR #vuln #CVE
www.huntress.com/blog/crushft...
pwning my FTP server is a weird way to say you have a Crush on me but okay 🥰
anyways check out our analysis of some CrushFTP CVE-2025-31161 post exploitation activity!
www.huntress.com/blog/crushft...
Published some new research on how RMMs are taking over as a first-stage payload www.proofpoint.com/us/blog/thre...
11.03.2025 15:24 — 👍 35 🔁 17 💬 0 📌 0
a screenshot of the "Languages" section of a GitHub repo, showing 58.8% C, 28.6% JavaScript, and 12.6% Python
nightmare blunt rotation
08.03.2025 06:24 — 👍 37 🔁 8 💬 2 📌 0
Cool mint zyn containers that are CIA branded
BREAKING: DOGE has uncovered that the CIA spent $10,000,000 on zyns and has been feeding them to analysts to increase productivity! 😱
14.02.2025 18:53 — 👍 7 🔁 0 💬 0 📌 0
our network has raised hundreds of dollars to give firefighters the zyn they need to keep protecting LA from the fires. Thank you!!
14.01.2025 21:59 — 👍 19 🔁 8 💬 1 📌 1🫶
09.01.2025 23:30 — 👍 1 🔁 0 💬 0 📌 0
reminder to say happy new years to the russian espionage groups in ur network 🥰🇷🇺
@nosecurething.bsky.social, @laughingmantis.bsky.social, and I just dropped a new blog detailing a series of redcurl intrusions across several huntress customer environments 😳
www.huntress.com/blog/the-hun...
#100DaysofYARA day 1 - the Amos stealer is regularly evolving and updating its obfuscation techniques
You know what isn't changing?
the dylibs it depends on and the entitlements it requests from the OS. Combined, they give us excellent signal
github.com/100DaysofYAR...
Binary diff'ing is hard. But it's super powerful to apply markup from previous reverse engineering efforts to a new binary.
Binary Ninja is switching up how they match function signatures with WARP.
www.seandeaton.com/binary-ninja...
#binaryninja #reverseengineering #ghidra #ida #decompiler
i gotta step up my whitepaper game smh, my dad is doin numbers
21.12.2024 05:15 — 👍 13 🔁 0 💬 0 📌 0
Our talk from @objective-see.bsky.social is now available online. Check out @re.wtf and I yap about macOS infostealers.
www.youtube.com/watch?v=Hv6A...
since I'm cold and missing #OBTS I wanted to reflect on what
@jacoblatonis.me and Tomas have gifted us with the YARA-X Macho module
the OG YARA macho parsing left a lot to be desired, and the new YARA-X ver has all sorts of goodies
this holiday season
13.12.2024 03:16 — 👍 17 🔁 8 💬 0 📌 1following the recent cleo ITW exploitation, @huntress.com has released our analysis of the full post exploitation chain 🚀
the final java based implant framework is really neat and includes a custom C2 protocol 🔥
huntress.com/blog/cleo-soft…
hotties only want one thing and its the operation triangulation exploit chain
09.12.2024 18:02 — 👍 7 🔁 5 💬 0 📌 0
Yesterday I got to present with the 🐐 @re.wtf. Such a blast talking thru infostealers and the telenovela that they’ve become. #OBTS really is the best, chillest conference out there. Excited for a second day of talks 🤓🍎
06.12.2024 20:22 — 👍 13 🔁 1 💬 0 📌 0🍎🤝🔥
06.12.2024 03:20 — 👍 7 🔁 0 💬 0 📌 0we cookin' for #100DaysofYARA 🤝🔥
27.11.2024 16:41 — 👍 20 🔁 4 💬 0 📌 0
How does the new iOS inactivity reboot work? What does it protect from?
I reverse engineered the kernel extension and the secure enclave processor, where this feature is implemented.
naehrdine.blogspot.com/2024/11/reve...
A redacted view of the SafePay onion website hosting information about compromised machines
Directory listing from the attacker's onion site
Apache Server info page
🧵Today’s blogpost focuses on a newer ransomware variant named SafePay. Needless to say, ransomware sucks. When this new variant appeared, it gained our attention. 👀
Let’s dig into what happened and what makes it tick ⬇️:
I wrote a post on the realities of cloud & webserver ransomware. Check it out to see some of the toolsets & frameworks that can be used for these attacks.
14.11.2024 21:30 — 👍 14 🔁 7 💬 0 📌 0some huntress homies cooked a blog on a new ransom group called safepay
RE was fun until we realized it was ripped lockbit code 💀😭 imagine not being able to write your own ransomware, true skill issue smh
some funny opsec fails too, watch ya status
www.huntress.com/blog/its-not...
thrunting thractors w thrintel
11.10.2023 20:23 — 👍 1 🔁 0 💬 0 📌 0
