
Greg Lesnewich

@greg-l.bsky.social

oh great, now I’m on bluesky

543 Followers  |  366 Following  |  1,522 Posts  |  Joined: 22.11.2024

Latest posts by greg-l.bsky.social on Bluesky

#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5

23.01.2026 16:30 — 👍 35    🔁 30    💬 1    📌 5

You fear innovation

22.01.2026 13:54 — 👍 22    🔁 4    💬 0    📌 1
We Are Witnessing the Self-Immolation of a Superpower With Donald Trump’s actions in Greenland, Minneapolis, and Venezuela, a foreign enemy could not invent a better chain of events to wreck the standing of the United States.

"A superpower is choosing to self-immolate and torch its remaining global trust and friendships, including and especially NATO...at the precise moment when it had been reinvigorated and renewed...in the wake of Russia’s large-scale invasion of Ukraine in 2022" - by @vermontgmg.bsky.social

22.01.2026 13:55 — 👍 48    🔁 18    💬 0    📌 1
Minneapolis church has delivered more than 12,000 boxes of groceries to families in hiding DHH church has hundreds of volunteers packing and delivering groceries to families who have been too scared to leave their homes during the immigration operation.

They have quite an operation going.
www.mprnews.org/episode/2026...

16.01.2026 13:02 — 👍 6638    🔁 1928    💬 116    📌 231

Appreciate the tip! Will see if it takes down the champ!

16.01.2026 00:15 — 👍 0    🔁 0    💬 0    📌 0

We have not! Worth giving a go?

16.01.2026 00:10 — 👍 0    🔁 0    💬 1    📌 0

I don’t think we’ve collectively paid enough attention to the fact that Annie’s is now the regent of boxed Mac and cheese

Kraft got their chain snatched and now it just tastes like dog water compared to Annie’s

16.01.2026 00:00 — 👍 4    🔁 0    💬 3    📌 0

I for one am excited for the Hoth Takes episode on this one to help me digest this news

15.01.2026 23:51 — 👍 1    🔁 0    💬 0    📌 0

#100daysofYARA - day 12
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.

Rule at end.
1/10

14.01.2026 12:38 — 👍 7    🔁 6    💬 1    📌 0

words don't mean anything anymore

13.01.2026 14:30 — 👍 3    🔁 0    💬 0    📌 0

Imagine publishing a blog on "Lazarus" in the year of our lord 2026

13.01.2026 14:27 — 👍 6    🔁 2    💬 4    📌 0

#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.

We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.

rule at bottom
1/5

12.01.2026 14:27 — 👍 5    🔁 2    💬 1    📌 0
100DaysofYARA/Squiblydoo/Day9.yara at main · Squiblydoo/100DaysofYARA Rules shared by the community from 100 Days of YARA 2026 - Squiblydoo/100DaysofYARA

These scripts are deceptive as they contain 10,000 empty lines. BTW #malcat loads scripts like these better than most text editors.

If I get the chance, I may revise it to see how to find ones without the matching text or if you have ideas, hmu.

github.com/Squiblydo...
3/3

10.01.2026 19:17 — 👍 4    🔁 1    💬 0    📌 0
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.

The rule is fairly simple but it seems that at least one DPRK team is using the same consistent message in the header. I validated this using ReversingLabs' YARA scanning.

A slightly different header is seen in Huntress' analysis: www.huntress.com/blo...
2/3

10.01.2026 19:17 — 👍 1    🔁 1    💬 1    📌 0

#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target macOS systems.

Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892

Rule at end
1/3

10.01.2026 19:17 — 👍 3    🔁 2    💬 1    📌 0

#100DaysofYARA - Day 8
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.

What can be done about these large executables?

Rule at end
1/6

08.01.2026 17:48 — 👍 1    🔁 2    💬 1    📌 0

The same people spent the last decade justifying Black folks being choked to death on camera… they’ve been practicing

08.01.2026 13:23 — 👍 742    🔁 194    💬 7    📌 1

congress should behave like a co equal branch

impeachment
defunding
filing suits
subpoenas
writing laws
hearings, hearings, hearings

what else?

07.01.2026 20:53 — 👍 14    🔁 4    💬 1    📌 3
GRU-Linked BlueDelta Evolves Credential Harvesting Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.

Today, we released new @RecordedFuture research detailing BlueDelta’s expanded credential-harvesting activity observed between February and September 2025. #BlueDelta #APT28 #FANCYBEAR #ForestBlizzard #FROZENLAKE #ITG05 #PawnStorm #Sednit #Sofacy #TA422 (1/5) www.recordedfuture.com/research/gru...

07.01.2026 15:39 — 👍 7    🔁 5    💬 1    📌 0

#100DaysofYARA - Day 7
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."

While we have a pretty good idea it'll be abused, it hasn't been yet.
So, let's watch for it to be abused.

Rule at end
1/5

07.01.2026 14:32 — 👍 2    🔁 1    💬 1    📌 1

#100DaysofYARA - Day 6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.

How can we detect this?

Rule at end
1/6

06.01.2026 13:03 — 👍 6    🔁 2    💬 1    📌 0

YARA-X can dump the certificate details of a MACHO binary.

"yr dump [file]" shows the data produced by the modules
We can output it to JSON and pass it to jq like this:

yr dump -o=json [file] | jq '.macho.certificates'
3/7

05.01.2026 13:10 — 👍 3    🔁 1    💬 2    📌 0

#100DaysofYARA - Day 4
One heavy user of code-signing certificates is Rhysida Ransomware.

In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.

Rule at end
1/7

04.01.2026 14:40 — 👍 4    🔁 2    💬 1    📌 0
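The Day 4 post mentions building a YARA rule on the Rich PE header. As an added example (not the author's rule or code), this Python parser decodes the XOR-obfuscated Rich block, recovers the (product id, build, count) entries a rule can key on, verifies the stored key against the reference checksum so edited headers stand out, and emits an MD5 of the decoded block as a hunting fingerprint; the MZ stub it parses is constructed inline, not a real binary.

```python
import hashlib
import struct

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(dos_bytes, entries):
    # Reference Rich key: rotate-sum of every byte before "DanS" (skipping e_lfanew)
    # plus each compid rotated by its use count; a mismatch means post-link editing.
    chk = len(dos_bytes)
    for i, b in enumerate(dos_bytes):
        if 0x3C <= i < 0x40:
            continue
        chk = (chk + rol32(b, i)) & 0xFFFFFFFF
    for prod, build, count in entries:
        chk = (chk + rol32((prod << 16) | build, count)) & 0xFFFFFFFF
    return chk

def parse_rich_header(data):
    # Returns decoded (product_id, build, count) entries, a fingerprint hash of the
    # decoded block, and whether the stored XOR key matches the reference checksum.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)
    if rich_off < 0:
        return None
    key = data[rich_off + 4:rich_off + 8]
    dec = lambda off: bytes(b ^ k for b, k in zip(data[off:off + 4], key))
    start = rich_off - 4
    while start >= 0x40 and dec(start) != b"DanS":   # walk back to the XORed "DanS"
        start -= 4
    if start < 0x40:
        return None
    clear = b"".join(dec(o) for o in range(start, rich_off, 4))
    entries = []
    for o in range(16, len(clear), 8):                # skip "DanS" + 3 padding dwords
        comp, count = struct.unpack_from("<II", clear, o)
        entries.append((comp >> 16, comp & 0xFFFF, count))
    key_int = struct.unpack("<I", key)[0]
    return {"key": key_int, "entries": entries, "hash": hashlib.md5(clear).hexdigest(),
            "key_valid": rich_checksum(data[:start], entries) == key_int}

def build_sample(entries, tamper=False):
    # Constructed MZ stub carrying a Rich header (not a real binary) for demonstration.
    dos = bytearray(b"MZ") + bytes(0x7E)
    key = rich_checksum(bytes(dos), entries) ^ (1 if tamper else 0)
    kb = struct.pack("<I", key)
    x = lambda v: bytes(a ^ b for a, b in zip(struct.pack("<I", v), kb))
    body = x(0x536E6144) + x(0) * 3                   # 0x536E6144 packs to b"DanS"
    for prod, build, count in entries:
        body += x((prod << 16) | build) + x(count)
    body += b"Rich" + kb
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(body))   # e_lfanew -> fake "PE\0\0"
    return bytes(dos) + body + b"PE\0\0"
```

YARA's own pe module exposes the same decoded data through pe.rich_signature (key, clear_data, toolid()), so values found this way translate directly into rule conditions.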

#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abused code-signing certificates, including Apple-issued certificates.

When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.

Rule at end
1/7

05.01.2026 13:10 — 👍 7    🔁 3    💬 1    📌 0
Edition 6 – Using RegEx to catch state-sponsored hackers Hi, Hakan here. This one is going to be straightforward. Both Jan and I are using RegEx quite regularly, so this is a how to: using RegEx to find out more...

I really do love|hate RegExes. This week, a short walkthrough on how to use them to find DPRK hackers.

buttondown.com/readwrite/ar...

05.01.2026 15:37 — 👍 12    🔁 6    💬 2    📌 0

Cohesive is a great word for it

04.01.2026 22:14 — 👍 0    🔁 0    💬 0    📌 0

Before I get asked

would cut these songs:

HT - Pushing Me Away

R - By_myslf

M - easier to run + from the inside

MTM - what I’ve done - V-Day

ATS - none

No skips on from Xero rn either. Haven’t listened to rest of discography recently enough to comment

04.01.2026 22:11 — 👍 1    🔁 0    💬 0    📌 0

Now that I think about it, it’s their only album (that I listen to regularly anyway) with no songs I skip

04.01.2026 22:05 — 👍 0    🔁 0    💬 2    📌 0

That’s quite the take!!

What’s your favorite song not on A Thousand Suns?

04.01.2026 21:41 — 👍 0    🔁 0    💬 1    📌 0

Listening to a lot of A Thousand Suns recently

Not sure why, surely not some subliminal or subconscious reason

04.01.2026 17:53 — 👍 1    🔁 0    💬 1    📌 0
