#Vidar config extractor by @GenThreatLabs integrated into CAPE 🦾🙏
V1.9 fresh from Malware Bazaar by @abuse_ch
https://t.co/Ar43xZ0pJd
https://t.co/FyVjH5yKo0
As we're observing active development of #Vidar, we're releasing a config extractor for the newest Vidar builds, together with an #IDA string decryption script.
Vidar has been actively developed in recent months, changing its versioning from 18.7 back to 1.0, with the latest builds now at 1.8. But the versioning was not the only thing that changed. Starting from version 1.5, Vidar was reworked, including a new string encryption mechanism, config protection, and additional anti-sandbox checks.
The released config extractor and string decryption script support versions 1.5 and later, as this is where a major rework was done. Previously, each string had its own single-byte XOR key. In versions 1.5+, each string is encrypted with a custom ChaCha-based stream cipher, using a per-string 44-byte key blob and a final single-byte XOR. As for config protection, earlier versions used a custom polyalphabetic substitution over a permuted alphabet with a position-dependent offset, whereas the new versions use a plain 16-byte repeating-key XOR, with the key stored right next to the encrypted blob. Apart from the XOR-encrypted config, Vidar also features a fallback config, which is resolved separately within the encrypted strings.
Vidar configuration extractor ↓
https://t.co/Vx67uGUqoJ
Vidar IDA string decryption script ↓
https://t.co/QnC38IBBmL
IoCs:
#malware #infostealer #extractor
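As an added example (not the released extractor or any Gen Threat Labs code), the 1.5+ config protection described above carried through in Python on a constructed blob: a 16-byte repeating-key XOR with the key adjacent to the ciphertext. Whether the key sits before or after the data is an assumption, so both placements are tried and a printable-text check picks the plausible one.

```python
# Added example (not the released extractor or any Gen Threat Labs code):
# recovering a Vidar 1.5+ style config protected by a 16-byte repeating-key
# XOR whose key is stored next to the encrypted blob.
import string
from typing import Optional

KEY_LEN = 16                      # per the post: plain 16-byte repeating-key XOR
PRINTABLE = set(string.printable.encode())

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_config(plain: bytes) -> bool:
    """Sanity check: a recovered config is printable text (C2 URL, flags)."""
    return len(plain) > 0 and all(b in PRINTABLE for b in plain)

def extract_config(blob: bytes, key_first: bool = True) -> Optional[bytes]:
    """Split the key off one end of the blob, decrypt the rest and return it if
    it passes the sanity check. Which side the key sits on is an assumption;
    the post only says it is stored right next to the encrypted data."""
    if len(blob) <= KEY_LEN:
        return None
    if key_first:
        key, ct = blob[:KEY_LEN], blob[KEY_LEN:]
    else:
        key, ct = blob[-KEY_LEN:], blob[:-KEY_LEN]
    plain = xor_repeating(ct, key)
    return plain if looks_like_config(plain) else None

def find_config(blob: bytes) -> Optional[bytes]:
    """Try both key placements; the first one yielding printable text wins."""
    for key_first in (True, False):
        plain = extract_config(blob, key_first)
        if plain is not None:
            return plain
    return None

# Constructed sample: made-up key and config string, not real Vidar data.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_CONFIG = b"https://example.invalid/|1|1|0|1|1|"
SAMPLE_BLOB = SAMPLE_KEY + xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(find_config(SAMPLE_BLOB))
```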
After our #AuraStealer deep-dive 5 months ago, the authors finally shipped their promised virtualization, claiming it makes their code "securely protected from researchers at the level of AV companies".
The new virtualized builds, tagged as version 1.8.0 (x64-vm), are already ITW. Below is their latest announcement (translated) and a successfully extracted configuration from one of the new virtualized samples.
IoC ↓
748f7707a8128e223b745c9b9117d78643fda25442393e1253a1c1e3e3b6932e
#malware #infostealer
After months of active development, #Amatera has gradually become the most prevalent #infostealer in our userbase. And it's not slowing down – we're now observing fresh Amatera builds newly introducing control-flow flattening and indirect control-flow obfuscation.
IoCs ↓
0bf1eda8374ff2e3eb705e37eac8d65750a4d85454f535346100056399eba16f
e72ec2cbe762ca672a14a7ee660c0cab61ba020267c56f9ab8982e3be1f61a8b
58fe4ed4bc57c28b4da6b9230ff4c9d62528cdc00bba79b9f105d2a742426f4b
#Remus has officially caught up with #Lumma.
Over the past few weeks, our telemetry shows Remus to be already nearly just as active as Lumma.
Remus is a newly rebranded 64-bit variant of Lumma Stealer that emerged from the ashes earlier this year.
More details about Remus ↓
https://t.co/te4c3NjYOV
#malware #infostealer
Read about our latest research. @JanRubin and I have unmasked #Remus Stealer, a new 64-bit variant of the infamous #Lumma Stealer. Same obfuscation, same syscalls, same unique AppBound Encryption bypass - only reborn as x64.
Full technical deep dive ↓
https://t.co/wxDW8QRo8i
This is what we’ve been waiting for. In the wake of takedown efforts and doxxing, #Remus is a new 64-bit variant of #Lumma Stealer, one of the most notorious infostealers in the world.
@krejsavojtech21 and I break down technique reuse and new features:
https://t.co/eiMVFtF018
Meet #Remus, a new 64-bit variant of the infamous #Lumma Stealer – emerging in the wake of Lumma's takedown and the doxxing of its alleged core members. Same stealing arsenal, same techniques, new name. Is Remus the Lumma rebrand we've been waiting for?
Main attribution indicators:
→ The same Application-Bound Encryption bypass employed specifically by Remus and Lumma
→ Transitional test builds ("Tenzor") that share a Steam dead drop resolver with confirmed Lumma samples
→ Matching AntiVM cpuid checks against five hypervisor signatures in identical order
→ Shared direct syscall/sysenter architecture
→ Identical per-string obfuscation technique
Remus also introduces notable changes: traditional Steam and Telegram dead drop resolvers are replaced by #EtherHiding, with C2 addresses stored in Ethereum smart contracts, making the infrastructure even more resilient to takedown operations.
Full research ↓
https://t.co/te4c3NjYOV
#infostealer #abe_bypass
The Gen Digital Threat Research Team profiles Torg Grabber, a MaaS credential stealer that is not just another Vidar clone. Early builds used Telegram for exfiltration, while later builds evolved to an encrypted TCP channel and a full REST API backend. https://t.co/TgNVZdPbaW
If your #AI stack talks to #LLMs through #LiteLLM — and a lot of them do — check your version. 1.82.7 and 1.82.8 on PyPI were #backdoored with a payload that vacuums up every secret it can find and, if you're on K8s, deploys privileged pods to every node in the cluster.
Stage1 (25,844 bytes):
• Harvests ~/.ssh/*, AWS/GCP/Azure/K8s creds, crypto wallets, .env, shell history, SSL keys, CI/CD secrets
• AES-256-CBC + hardcoded 4096-bit RSA pubkey → POST to models.litellm[.]cloud
• Installs ~/.config/sysmon/sysmon.py + systemd user service ("System Telemetry Service")
• Backdoor polls checkmarx[.]zone/raw every ~50min for next-stage URL → /tmp/pglog
• If K8s SA token exists: reads all cluster secrets, spawns privileged alpine pods (node-setup-*) in kube-system on every node, mounts host FS, installs backdoor on each
Attacker left two commented-out earlier iterations in the source — went from RC4 string obfuscation (51KB) to plain base64 (25KB). Lazy or confident.
JARM: 27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523
Both C2s on AS205759 (🇳🇱 NL), Let's Encrypt E7 certs
IoCs:
models.litellm[.]cloud — 46.151.182[.]203
checkmarx[.]zone — 83.142.209[.]11
71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238 (.pth)
d6fc0ff06978742a2ef789304bcdbe69a731693ad066a457db0878279830d6a9 (stage1)
8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2 (1.82.7 .whl)
d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb (1.82.8 .whl)
Discovered by https://t.co/uAD8pZNHGD
#SupplyChain #PyPI #InfoStealer #Kubernetes #litellm #Python
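Added triage helper (not the reporters' code): a Python check for the two backdoored LiteLLM releases and the persistence artifacts listed in the post. It assumes the systemd user unit lives in the default ~/.config/systemd/user directory and is identified by its Description line; the pure functions take injected inputs so they can also run over data collected from another host.

```python
# Added triage helper (not the reporters' code): flag the backdoored LiteLLM
# releases and the persistence artifacts described in the post.
import glob
import os
import posixpath
from typing import Iterable, List

BACKDOORED_VERSIONS = {"1.82.7", "1.82.8"}          # PyPI releases named above
HOME_ARTIFACTS = [".config/sysmon/sysmon.py"]       # relative to the user's home
FIXED_ARTIFACTS = ["/tmp/pglog"]                    # next-stage URL drop location
SERVICE_DESCRIPTION = "System Telemetry Service"    # systemd user service label
USER_UNIT_DIR = ".config/systemd/user"              # assumption: default unit dir

def is_backdoored_litellm(version: str) -> bool:
    """True only for the exact release strings reported as backdoored."""
    return version.strip() in BACKDOORED_VERSIONS

def flag_artifacts(present_paths: Iterable[str], home: str) -> List[str]:
    """Return the known artifact paths that appear in present_paths."""
    wanted = {posixpath.join(home, rel) for rel in HOME_ARTIFACTS} | set(FIXED_ARTIFACTS)
    return sorted(p for p in present_paths if p in wanted)

def flag_units(unit_texts: Iterable[str]) -> List[str]:
    """Return Description= lines of unit files matching the backdoor's label."""
    hits = []
    for text in unit_texts:
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("Description=") and SERVICE_DESCRIPTION in line:
                hits.append(line)
                break
    return hits

def live_scan(home: str = os.path.expanduser("~")) -> dict:
    """Collect data from this host and run the three checks."""
    try:
        from importlib.metadata import version
        ver = version("litellm")
    except Exception:          # litellm not installed (or metadata missing)
        ver = None
    candidates = [posixpath.join(home, r) for r in HOME_ARTIFACTS] + FIXED_ARTIFACTS
    present = [p for p in candidates if os.path.exists(p)]
    unit_dir = posixpath.join(home, USER_UNIT_DIR)
    units = [open(p, errors="replace").read()
             for p in glob.glob(posixpath.join(unit_dir, "*.service"))]
    return {"litellm_version": ver, "backdoored_version": bool(ver and is_backdoored_litellm(ver)),
            "artifacts": flag_artifacts(present, home), "units": flag_units(units)}

if __name__ == "__main__":
    print(live_scan())
```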
🔎 New #ABE #bypass spotted ITW
#VoidStealer is the first #infostealer to weaponize a debugger-based technique that extracts the v20_master_key straight from browser memory, requiring neither privilege escalation nor code injection, making it significantly stealthier than existing methods – a truly elegant (and scary) technique.
Full technical analysis ↓
https://t.co/JlbTbyW29R
IoC: f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4
#infostealer #threatresearch #Chrome #malware #abe_bypass
There are 12+ AI agent platforms and zero shared standards for how they talk to security tools. We drafted one - AARTS. Now we're calling on providers and security vendors to help us finalize it and put it into practice. 🤝
https://t.co/cCbAnUigdw
#AgenticAI #AISafety #AARTS @AnthropicAI @bcherny @OpenAI @openclaw @cursor_ai
Fake #OpenClaw site, real #Amatera #stealer. Attackers mimicking the AI agent's install page — paste the command, get owned.
curl|bash on macOS, mshta.exe on Windows. We caught it with #clipboard protection before it ever hit the terminal.
IoCs:
f877590437ead7ce5810f78da829e2abb01de6ec6a733f28fa2e3f46855a140a
dba2ec3b729ee5bf9762851da45ac7fd1998f00f5150aade1502d221c20e4d7d
#Amatera #InfoStealer #OpenClaw
We’ve been tracking a new #infostealer, #ComSuon. Instead of rolling its own tricks, recent samples are wrapped with the #Obfusk8 C++ obfuscator, which ComSuon uses to apply control‑flow flattening, modified AES string encryption, junk code, and opaque predicates. #Fun times in IDA.
IoC: 4c5c91702b83191da6d259f965ed2fcd84f1240879e51de105ee37ca3b766ea5
We observed a #clipboard payload that injects a Telegram bot into @OpenClaw's config — whether intentional attack or not, it demonstrates how easily an AI agent with shell access can be hijacked through a single paste.
#OpenClaw #ClipboardAttack #CyberSecurity
IoC:
https://t.co/aAodjY7LFq
Lazarus is running their payloads through an AI #agent to dodge our detections.
The giveaway? Neatly numbered comments, "Optimized XOR loop" labels, and original code left beside AI-suggested rewrites. A for effort. Still caught.
#Lazarus #APT #ThreatIntel
Yesterday, Gen researchers identified around 300 #skills on #ClawHub that contained prompts to download #malicious #payload. At the time of discovery, that accounted for 12% of available skills. The skills seemed like weaponized versions of existing skills. All lead to malware.
@Norton and @Avast are already protecting users from threats delivered through these skills. AI “skills” are add-ons that let agents take real actions, like clicking links or downloading files, and attackers are abusing them to turn AI assistants into a new delivery channel.
This new world of AI agents is unfolding before our eyes. We are protecting people today, and we will continue to share what our researchers uncover as this space evolves.
IoCs:
hxxps://glot.io/snippets/hfd3x9ueu5
hxxps://glot.io/snippets/hfdxv8uyaf
hxxps://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip (pass: openclaw)
Tired of Base64 and XOR? Check out the latest #Wincir's approach to hiding data:
Embed encrypted payload INSIDE x64 instruction immediates.
48 81 E2 E2 00 00 00 ← sets decode key (AND)
48 B8 8A BC 4E 14 __ ← carries 8 bytes (MOV)
State machine in assembly. 14+ polymorphic patterns. Same byte = 50+ encodings.
They heard we like to disassemble, so they put a disassembler in the malware so we can disassemble while it disassembles itself.
IoCs: b78d25290b7a0313d51a66fcc3c1fef8f64179dc51188ff65c469bd9ad417b90
#Threat #Research #Fun
🚨 The Gen Q4/2025 Threat Report is live! 🚨
Here’s what our Threat Labs team uncovered this quarter:
⏱️ 41 scams blocked every second on average in 2025
🛒 Scams increasingly blend into ads, social feeds, and shopping experiences
🎁 Fake online shops surged in Q4, driving the majority of social-origin threats
🪪 Data breaches jumped 176% QoQ, fueling long-tail identity and financial fraud
👆 Modern scams succeed by pushing people to complete the final, familiar step
Read the full report ➡️ https://t.co/KMaWi0O4DF
#ThreatIntel #CyberThreats #Scams #IdentityFraud #AI #Cybersecurity