Maximizing IOC Impact
I've been thinking about threat intelligence lately. Specifically: indicators of compromise (IOC), how and where to share them to cause maximum pain to adversaries and help as many organizations as possible protect themselves. I regularly analyze malware traffic from sandboxes such as ANY.RUN, Triage[...]
PolarProxy 2.0.1 Released
Our TLS inspection proxy PolarProxy has been updated with bug fixes, improved performance and more reliable PCAP output. The recent PolarProxy 2.0 release added musl/Alpine compatibility and support for unencrypted HTTP proxy requests. But there were a few small, yet very important, updates that unf[...]
CapLoader 2.1.0 Released
CapLoader has been updated to version 2.1.0. The new release comes with better JA3/JA4 extraction and integration of additional threat-intel and OSINT services. We have also added support for more encapsulation protocols. TLS Client Hello Reassembly TLS handshakes no longer reliably fit in a single[...]
PolarProxy 2.0 Released
A new major release of PolarProxy is out with a self-contained single-file binary, expanded platform support (musl/ARM), and improved container and service plumbing. PolarProxy is a transparent TLS/SSL inspection proxy built for incident responders, malware analysts and security researchers. It decr[...]
Remcos Alerts from FlowCarp in EveBox
There is a wonderful little web-based alert and event front-end called EveBox, which renders Eve JSON formatted data to a web UI. This blog post demonstrates how EveBox can be used to show alert and flow information that FlowCarp has extracted from a Remcos malware infection. Remcos RAT The starting[...]
FlowCarp Identifies Protocols
I am thrilled to announce the release of a brand new tool called FlowCarp! FlowCarp is a simple command line tool that performs a very complicated task. It identifies the application layer protocol in network traffic without relying on port numbers, static signatures or code that tries to parse the[...]
CISA mixup of IOC domains
Google's Threat Intelligence Group (GTIG) and Mandiant's recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). Many of these IOCs had already been shared by CISA last year as part of their Alert AA25-141A titled Russian G[...]
njRAT runs MassLogger
njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be used to decode the njRAT C2 traffic to extract artifacts like screenshots, command[...]
Latrodectus BackConnect
I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion. I found it particularly interesting that the threat actors used Latrodectus to drop a B[...]