🇺🇦 Xorhex 🇺🇦

@xorhex.bsky.social

230 Followers  |  564 Following  |  71 Posts  |  Joined: 11.11.2024

Latest posts by xorhex.bsky.social on Bluesky

China-nexus APT Targets the Tibetan Community | ThreatLabz China-nexus APT campaign leverages DLL sideloading, multi-stage infection chains, and low-level APIs to deploy Ghost RAT and PhantomNet backdoors against Tibetan targets.

Illusory Wishes: China-nexus APT Targets the Tibetan Community | www.zscaler.com/blogs/securi... @zscalerinc.bsky.social

24.07.2025 12:07 — 👍 2    🔁 1    💬 0    📌 0
How China’s Patriotic ‘Honkers’ Became the Nation’s Elite Cyber Spies A new report traces the history of the early wave of Chinese hackers who became the backbone of the state's espionage apparatus.

How did China's top APT hackers come to be? Many were early "Honkers" - patriotic hackers who in the late 90s launched low-skill cyberattacks against nations deemed disrespectful to China. But once Honkers developed their skills, PLA/MSS came calling. Based on great research by bsky.app/profile/eube...

18.07.2025 15:48 — 👍 58    🔁 30    💬 0    📌 1
Advanced Ghidra Scripting & Automation Register on Humanitix - Advanced Ghidra Scripting & Automation hosted by DEF CON Workshops. Saturday August 9th 2025. Find event information.

The workshop tickets for my Advanced Ghidra Scripting & Automation workshop at @defcon.bsky.social are live now: events.humanitix.com/dc33ws-n260-...

16.07.2025 11:48 — 👍 0    🔁 1    💬 0    📌 0

Signed up! The inaugural conference was great - looking forward to the next one 😀

14.07.2025 16:48 — 👍 1    🔁 1    💬 0    📌 0
Malspace | Multiple Actors, One Breach - Rethinking Threat Models in 2025 In this episode, Julien sits down with Chi En (Ashley) Shen, a distinguished threat researcher at Cisco Talos. Ashley shares her fascinating journey from hacking forums in Taiwan to leading threat ...

Had a great time on the @malspace.bsky.social podcast with Julien talking about my PIVOTcon presentation from tracking compartmentalized attacks to thoughts on attribution. Fun convo (and I loved the theme song at the end!). 🎢 Thanks for having me!

malspace.com/episodes/mul...

10.07.2025 13:05 — 👍 4    🔁 3    💬 0    📌 0
Time Travel Debugging in Binary Ninja with Xusheng Li
YouTube video by Invoke RE Time Travel Debugging in Binary Ninja with Xusheng Li

We've uploaded our Time Travel Debugging in Binary Ninja stream with Xusheng Li from Vector 35, where we unpacked malware and analyzed anti-analysis capabilities with TTD traces. Enjoy! youtu.be/2v7DRyXb8_c

30.06.2025 13:29 — 👍 3    🔁 2    💬 0    📌 0
A side by side comparison of the original output by Ghidra, and the LLM enriched output.

Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n

01.07.2025 12:35 — 👍 8    🔁 5    💬 1    📌 0
2025-06-29 - Supper is served - Humpty's RE Blog

In case you missed it, check out the “Supper is served” technical blog by cyberj3rry on the Supper backdoor c-b.io/2025-06-29+-... - it’s well written and provides a great overview of its functionality!

06.07.2025 13:36 — 👍 1    🔁 1    💬 0    📌 0
Release v3.4.5 · xorhex/mlget Fix to get Malware Bazaar's new auth requirement working. Plus some additional test cases. https://bazaar.abuse.ch/api/#auth_key

#mlget has been updated to work with Malware Bazaar’s new Auth requirement!

github.com/xorhex/mlget...

03.07.2025 20:21 — 👍 1    🔁 0    💬 0    📌 0
The slides from our @reconmtl.bsky.social talk, "Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications" (CC @nicolo.dev ), are now online!

Slides: synthesis.to/presentation...

Plugin: github.com/mrphrazer/ob...

27.06.2025 20:28 — 👍 12    🔁 5    💬 0    📌 1
Announcing RE//verse 2026! Website is updated with info for sponsors, trainers, speakers, and more importantly, attendees! Are you ready for another year of high quality reverse engineering talks and networking? Join us the first week of March, 2026!

re-verse.io

28.06.2025 15:01 — 👍 8    🔁 7    💬 0    📌 0

I know I've been slacking on contributing to YARA-X, but I've been busy elsewhere. I do run a small Keybase group where developers and users hang out. Ideas, features and bugs are discussed there. If you think you would benefit from being part of the discussion, just hit me up for an invite.

26.06.2025 14:01 — 👍 4    🔁 1    💬 0    📌 0
10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity.

Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals @selenalarson.bsky.social - it’s got it all:

πŸ›°οΈ Popped routers for sending phish

πŸ“Š ACH on attribution

πŸ‘Ύ custom protocols

πŸ‘½ cool malware

πŸ•΅οΈ crime

🎯 espionage

❔many unanswered questions

www.proofpoint.com/us/blog/thre...

30.06.2025 10:04 — 👍 17    🔁 12    💬 0    📌 2
Webinar: What is ICS Malware & How We Detect It? Define what ICS-specific threats are, how they differ from IT threats, and what detection is required to uncover threats targeting industrial control systems. Register now →

Matt Pahl and I are doing a webinar on defining ICS Malware, its distinction from IT threats, and how we search for it using different OT detection strategies. It's a follow-up to the ICS Malware definition work. Hope to see you there!

Registration link:
hub.dragos.com/webin...

23.06.2025 15:00 — 👍 1    🔁 2    💬 1    📌 0
Busy Week!

Grateful to SANS ICS for hosting my talk on ICS Malware. It was a great experience.

We released our whitepaper on the subject ( www.dragos.com/resou... ).

We also got word that my talk with Sam Hanson on assessing ICS threats was accepted at Defcon ICS village. Hope to see you there!

20.06.2025 19:51 — 👍 2    🔁 1    💬 0    📌 0
Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.

20.06.2025 17:58 — 👍 1    🔁 1    💬 1    📌 0
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.

excited bc today @huntress.com is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🀠

we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)!

www.huntress.com/blog/inside-...

18.06.2025 20:53 — 👍 29    🔁 19    💬 1    📌 2
Senior Threat Intelligence Analyst (Iran APT Focus) Arlington, VA, Boston, MA

There are currently two roles open at Insikt Group, one Senior Analyst focused on Iran and one Analyst focused on Rest of the World. Reach out if you have questions:

job-boards.greenhouse.io/recordedfutu...

job-boards.greenhouse.io/recordedfutu...

18.06.2025 16:11 — 👍 3    🔁 4    💬 0    📌 0
Understanding ICS Malware: Defining a Credible Threat to Industrial Infrastructure | Dragos Learn to distinguish ICS malware from IT threats with Dragos's evidence-based framework. Analyze real attacks like TRISIS & FrostyGoop to defend infrastructure.

We've been working on this one for a while, so I'm excited to finally share our whitepaper on defining ICS Malware. In it, we describe how Dragos identifies and differentiates ICS Malware using three properties: ICS-capability, Malicious Intent, and Adverse Effects.

http://www.dragos.co...

17.06.2025 15:55 — 👍 4    🔁 2    💬 0    📌 0
I'm thrilled to be speaking at #VB2025 this September in Berlin! My talk will focus on TAG-124, a widespread traffic distribution system, and its role in the cybercriminal ecosystem, with a particular emphasis on its link to ransomware operations! 👉 tinyurl.com/3hurr52m

16.06.2025 07:14 — 👍 20    🔁 5    💬 0    📌 0
GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks Insikt Group exposes GrayAlpha’s evolving infrastructure and infection methods—including PowerNet and MaskBat loaders, fake 7-Zip sites, and the undocumented TAG-124 network—linking the group to FIN7’...

Today we are releasing a report on new infrastructure and tooling linked to GrayAlpha, a financially motivated threat actor overlapping with FIN7 🧡
www.recordedfuture.com/research/gra...

13.06.2025 14:34 — 👍 13    🔁 13    💬 1    📌 3
Forgot to mention this the other week - capa v9.2.0/v9.2.1 has been released! This version includes the rules I wrote for detecting COM-based assembly loading and donut shellcode/relevant feature detection.
github.com/mandiant/cap...

13.06.2025 06:12 — 👍 3    🔁 1    💬 0    📌 0
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...

Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧡

www.recordedfuture.com/research/pre...

12.06.2025 14:22 — 👍 21    🔁 14    💬 1    📌 3

Hi, I’m the author of mlget (bsky.app/profile/xorh...) - is it possible to DM you? I’ve a question about the API response when a file is returned versus when it’s not found.

12.06.2025 15:20 — 👍 1    🔁 0    💬 1    📌 0

VxShare’s API is currently returning a 500

12.06.2025 00:03 — 👍 0    🔁 0    💬 0    📌 0
Latest test run: For the ones that failed, I either don’t have a current API key to test with or an instance of the service to test against. If folks can test and let me know, I’d be very grateful! Please submit an issue in GitHub if it’s broken. Thanks! 😀

#mlget has been updated - your one-stop shop for finding malware across different services!

Grab an updated copy at github.com/xorhex/mlget...

Happy to add additional services if folks know of more!

Some services I no longer have access to for testing - see the Alt text for more info.

11.06.2025 23:40 — 👍 6    🔁 4    💬 2    📌 1
Was great presenting with @milenkowski.bsky.social at @haguetix.bsky.social yesterday. Big thank you for hosting this incredible event. Looking forward to next year!

11.06.2025 16:53 — 👍 8    🔁 3    💬 0    📌 0
New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!

06.06.2025 19:11 — 👍 15    🔁 6    💬 1    📌 0

Apparently my lightning talk at @cyberwarcon.bsky.social last year was released. Go watch it for a quick overview. COLDRIVER is still active, and still evolving to this day.

The critical question is do I want to use emojis when I post about them?

05.06.2025 23:50 — 👍 7    🔁 4    💬 0    📌 0
Really excited to see this research go live. We found 400 web-based HMIs for US water facilities open on Censys. With the EPA, we helped reduce that exposure by over 94%.

https://censys.com/blog/turning-off-the-information-flow-working-with-the-epa-to-secure-hundreds-of-exposed-water-hmis

05.06.2025 15:56 — 👍 37    🔁 13    💬 3    📌 2