Tony Lambert's Avatar

Tony Lambert

@forensicitguy.bsky.social

Recovering sysadmin that now chases adversaries instead of uptime. Sr Malware Analyst @redcanary

411 Followers  |  245 Following  |  5 Posts  |  Joined: 10.11.2024  |  1.6546

Latest posts by forensicitguy.bsky.social on Bluesky


Preview
[Webinar] The Detection Series: Initial Access We explore the Initial Access MITRE ATT&CK® tactic, with a focus on emergent, novel, and prevalent adversary techniques and capabilities.

As you're planning your week, be sure to sign up for our Red Canary webinar on initial access to hear about common adversary techniques and what to do about them. redcanary.com/resources/we... Don't miss it!

27.05.2025 13:17 — 👍 6    🔁 1    💬 0    📌 0
Preview
Squeezing Cobalt Strike Threat Intelligence from Shodan One of my favorite Twitter accounts from the last several years was @cobaltstrikebot, mainly because it was an awesome source of threat intelligence for Cobalt Strike beacons in the wild. The account ...

Do you miss "@cobaltstrikebot"? If so, here's a blog post showing how you can pull Cobalt Strike SpawnTo and watermark info with @shodanhq.bsky.social and some PowerShell: forensicitguy.github.io/squeezing-co...

19.05.2025 01:38 — 👍 11    🔁 6    💬 0    📌 0
Preview
Welcome to the Red Canary Threat Detection Report Our Threat Detection Report takes a close look at the top techniques, threats, and trends to help security teams focus on what matters most.

A fun yearly endeavor for me is contributing to the Red Canary Threat Detection Report, and the 2025 edition is out today! distilled into one report!

Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
redcanary.com/threat-detec...

18.03.2025 15:55 — 👍 3    🔁 1    💬 0    📌 0

"For what it's worth, the curl by itself is likely safe. It's the chmod and nohup bash after it that are the problem"

I saw this on a forum post today, and I swear it's the macOS/Linux version of "it's not the fall that kills, it's the impact"

07.02.2025 02:05 — 👍 1    🔁 0    💬 0    📌 0

I am working on a public platform to make it even easier for people to report code-signing certificates.

My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.

28.01.2025 13:39 — 👍 9    🔁 3    💬 0    📌 0
Preview
Exploring VenomRAT Metadata and Encryption with YARA - #100DaysOfYara It’s that time of year again - 100 Days of YARA! In this post I want to walk through how I use YARA to document malware analysis findings. YARA has loads of different use cases:

New blog post for #100DaysofYARA , in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware

03.01.2025 02:28 — 👍 13    🔁 4    💬 0    📌 1
Post image Post image Post image

#100daysofyara I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another a string + encryption salt, 3rd for assembly name

02.01.2025 04:30 — 👍 8    🔁 3    💬 0    📌 0
Preview
Mastercard Completes Acquisition of Cybersecurity Firm Recorded Future for $2.6 Billion Mastercard (NYSE: MA) has officially finalized the acquisition of Recorded Future, a leading provider of AI-driven threat intelligence.

Mastercard Completes Acquisition of Cybersecurity Firm Recorded Future for $2.6 Billion

21.12.2024 19:56 — 👍 5    🔁 3    💬 0    📌 1
Post image Post image Post image Post image

2024-12-13 (Friday): www.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT 2 injected scripts. jitcom[.]info and best-net[.]biz.

Pivoting on best-net[.]biz in URLscan show signs of six other compromised sites: urlscan.io/search/#best...

#NetSupportRAT

13.12.2024 18:56 — 👍 8    🔁 5    💬 0    📌 0
Post image

Malicious Google ad for PayPal

⚠️
https[:]//sites[.]google.com/view/pay-pal-helpcustomerservic/

#malvertising

13.12.2024 19:10 — 👍 3    🔁 2    💬 0    📌 0
Post image

Join @olafhartong.nl in his journey down the rabbit hole in search of new detection opportunities in the #Zeek telemetry embedded in Microsoft's EDR #MDE! Detection engineering is sometimes hard … 😎

falconforce.nl/detection-en...

#detectionengineering #kql #blueteam

16.12.2024 14:40 — 👍 5    🔁 3    💬 0    📌 0
Preview
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses

Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses

04.12.2024 05:45 — 👍 5    🔁 2    💬 0    📌 0
Preview
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

04.12.2024 05:45 — 👍 1    🔁 1    💬 0    📌 0
Preview
China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane China-linked APT Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane in attacks targeting East and Southeast Asia.

China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane

23.11.2024 13:21 — 👍 5    🔁 1    💬 0    📌 0

certReport 3.1.4

Bugfix - indicators could be printed in duplicate

certReport makes reporting code-signing certs easy. No-one likes spending time reading or writing reports. That is: I just noticed the problem. Maybe someone else did. I don't know. It is gone now.

21.11.2024 11:40 — 👍 2    🔁 2    💬 0    📌 0
Preview
Linux Variant of Helldown Ransomware Targets VMware ESxi Systems Since surfacing in August, the likely LockBit variant has claimed more than two dozen victims and appears poised to strike many more.

Linux Variant of Helldown Ransomware Targets VMware ESxi Systems

19.11.2024 23:02 — 👍 9    🔁 4    💬 0    📌 1
Preview
Unveiling LIMINAL PANDA - Threats to Telecom Sector | CrowdStrike Cyber threat LIMINAL PANDA has targeted telecommunication entities since at least 2020. Learn key traits, targets and tactics!

More PRC telecom shenanigans. I'd love to say that this sector is so hot right now, but it's always been hot. www.crowdstrike.com/en-us/blog/l...

19.11.2024 17:16 — 👍 20    🔁 4    💬 1    📌 0
Training

Reminder that in Feb I will teach a special, extended version of my #CTI + #DetectionEngineering & #ThreatHunting course with #OTsecurity examples and case studies at the #S4x25 conference!

s4xevents.com/s4x25-traini...

18.11.2024 13:59 — 👍 34    🔁 9    💬 0    📌 0
Preview
Impostor Certificates It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…

May 13, 2024 blogpost
It is common for malware to be signed with code signing certificates.

How is this possible? Impostors receive the cert directly and sign malware.

In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.

squiblydoo.blog/2024/05/13/i...

17.11.2024 13:33 — 👍 11    🔁 5    💬 0    📌 0
Smokeloader: The Pandora’s box of tricks, payloads and anti-analysis - BSides Portland 2022
YouTube video by BSides Portland Smokeloader: The Pandora’s box of tricks, payloads and anti-analysis - BSides Portland 2022

Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago

www.youtube.com/watch?v=O69e...

16.11.2024 03:41 — 👍 24    🔁 9    💬 1    📌 0
Preview
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s ...

@volexity.bsky.social has published a blog post detailing variants of LIGHTSPY & DEEPDATA malware discovered in the summer of 2024, including exploitation of a vulnerability in FortiClient to extract credentials from memory. Read more here: www.volexity.com/blog/2024/11...

15.11.2024 20:02 — 👍 37    🔁 27    💬 0    📌 1

@forensicitguy is following 20 prominent accounts