
Florian Roth

@cyb3rops.bsky.social

Placeholder profile: https://x.com/cyb3rops | glad to be in this respectful safe space | vi/vim

1,351 Followers  |  3 Following  |  5 Posts  |  Joined: 16.11.2024

Posts by Florian Roth (@cyb3rops.bsky.social)

Link preview (x.com): Florian Roth ⚑️ on X: "Rapid7 dropped a write-up on the Notepad++ update-chain abuse and - finally - it comes with real IOCs - update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe - file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll - network IOCs https://t.co/UlLkyZM6eC"

FYI we got some IOCs from @rapid7.com
x.com/cyb3rops/sta...

02.02.2026 16:30 | 👍 4    🔁 0    💬 0    📌 0

Write-up says update traffic was selectively redirected to attacker-controlled servers & hints at a CN state group

If that’s the case, there must be at least some infra IOCs: IPs/FQDNs, redirect URL

Even if you don’t have package hashes, can you share infra IOCs so people can check proxy/DNS logs?

02.02.2026 11:08 | 👍 23    🔁 0    💬 1    📌 0
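The two posts above ask for exactly the kind of indicators a defender can sweep logs with: an infrastructure IOC (the defanged IP 95.179.213[.]0) and a process launch chain (notepad++.exe -> GUP.exe -> update.exe). The following is an added example, not code from the posts or from Rapid7, showing how such a sweep looks in practice. The proxy log layout, the process telemetry records, the file paths and the client IPs are all constructed for the example; the only indicators taken from the page are the IP and the three process names. The file hashes the write-up lists are not reproduced on this page, so the example does no hash matching.

```python
import re
from dataclasses import dataclass

# Indicators taken only from the posts above: one defanged IP and the
# notepad++.exe -> GUP.exe -> update.exe launch chain. The file hashes in the
# Rapid7 write-up are not reproduced on this page, so there is no hash check here.
DEFANGED_IOCS = ["95.179.213[.]0"]


def refang(ioc: str) -> str:
    """Undo common defanging (95.179.213[.]0 -> 95.179.213.0, hxxp -> http)."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Constructed proxy log sample (hypothetical, squid-like layout):
# <epoch> <client_ip> <method> <url> <resolved_dest_ip>
SAMPLE_PROXY_LOG = """\
1738512000.123 10.0.0.15 GET http://notepad-plus-plus.org/update/getDownloadUrl.php 203.0.113.7
1738512003.456 10.0.0.15 GET http://95.179.213.0/update.exe 95.179.213.0
1738512010.789 10.0.0.22 GET http://example.org/ 198.51.100.4
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dest>\S+)$"
)


def url_host(url: str) -> str:
    """Extract the host part of a URL without scheme, path or port."""
    return re.sub(r"^\w+://", "", url).split("/", 1)[0].split(":", 1)[0]


def find_proxy_hits(log_text: str, ioc_ips=IOC_IPS) -> list[dict]:
    """Proxy records whose URL host or resolved destination matches an IOC IP.

    Matching the resolved destination as well as the URL host matters here:
    selectively redirected update traffic can carry the legitimate hostname in
    the URL while the connection actually goes to the attacker IP.
    """
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["dest"] in ioc_ips or url_host(rec["url"]) in ioc_ips:
            hits.append(rec)
    return hits


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or EDR telemetry provides)."""
    pid: int
    ppid: int
    image: str


# Constructed endpoint telemetry (hypothetical paths, chosen to show one hit and one miss).
SAMPLE_PROCS = [
    ProcEvent(100, 1, r"C:\Program Files\Notepad++\notepad++.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Notepad++\updater\GUP.exe"),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcEvent(400, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(500, 400, r"C:\Users\alice\Downloads\update.exe"),  # same name, wrong parent
]

LAUNCH_CHAIN = ["notepad++.exe", "gup.exe", "update.exe"]


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_launch_chain(events, chain=LAUNCH_CHAIN) -> list[ProcEvent]:
    """Return leaf processes whose ancestry matches the chain root-to-leaf."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for leaf in events:
        if basename(leaf.image) != chain[-1]:
            continue
        lineage, cur = [], leaf
        while cur is not None and len(lineage) < len(chain):
            lineage.append(basename(cur.image))
            cur = by_pid.get(cur.ppid)
        if lineage[::-1] == chain:
            hits.append(leaf)
    return hits
```

Two caveats when running this against real telemetry. GUP.exe legitimately downloads and launches the Notepad++ installer, so the launch chain on its own is a weak signal; treat it as a pivot and confirm with the destination IP or, once you have them, the file hashes. And for DNS logs the equivalent check is on the answer section, not the query name: look for the legitimate update host resolving to the IOC IP, since the posts describe selective redirection rather than a new domain.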

Never give up! We got your back

21.11.2024 07:26 | 👍 1    🔁 0    💬 0    📌 0
(image)

🫢😹

20.11.2024 21:02 | 👍 0    🔁 0    💬 0    📌 0
(image)

16.11.2024 08:37 | 👍 23    🔁 1    💬 0    📌 1