UEFI bootkits are no longer theoretical. BlackLotus. HybridPetya. CosmicStrand, as demonstrated in "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" by @matrosov.
Researchers demonstrated the same class of technique against VBS enclaves, the most isolated execution environment Windows offers.
Hooked GetVariable(). Intercepted BlLdrLoadImage(). Injected into hvax64.exe before VBS initialised. Owned the VM-exit handler at ring -1. Read and wrote VTL1 enclave memory directly from the hypervisor.
If your threat model stops at ring-0, it stops too early.
Full PoC included.
https://t.co/JE3bU0o03M
https://t.co/L4lEC99DMd
Author: @tulachsam
#Malware #Infosec #ReverseEngineering
Most people learn security research by reading finished writeups. This one shows the actual process.
The messy, organic, step-by-step reality of reversing an unknown Windows mitigation from scratch. WinDbg. IDA. Hex Rays. Guard page violations. Trap flags. Zero prior knowledge of the target.
If you want to learn how to actually approach unknown Windows internals, start here.
https://t.co/Xq8xbSnG75
Author: @yarden_shafir
#ReverseEngineering #WindowsInternals #InfoSec
Alexandre Borges has published over 700 pages of free security, malware and vulnerability research.
A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085.
No paywall. No course. Just research. Free as in beer.
https://t.co/x516DQRcB8
Author: @ale_sp_brazil
#ReverseEngineering #MalwareAnalysis #InfoSec
🚨 do you understand what just happened to your passwords
cpuid one of the most trusted sites in PC hardware.
hacked. April 10th, 2026. CPU-Z and HWMonitor. both compromised.
> fake CRYPTBASE.dll ships inside the installer
> connects to C2, downloads a C# file
> compiles it silently using YOUR own Windows tools
> injects into memory. never touches disk. AV sees nothing.
> opens Chrome's password vault. dumps everything.
the chain:
cpuid → HWMonitor installer → DLL hijack
→ supp0v3[.]com → silent .NET compile
→ in-memory injection → Chrome credentials stolen
same group. same C2 domain. hit FileZilla in March 2026.
they got lazy. that's the only reason we caught it.
Rapid7 dropped a write-up on the Notepad++ update-chain abuse and - finally - it comes with real IOCs
- update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe
- file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll
- network IOCs incl. api[.]skycloudcenter[.]com (-> 61.4.102[.]97), api[.]wiresguard[.]com, 59.110.7[.]32, 124.222.137[.]114
by @rapid7
https://t.co/rrespJ9Ju0
At #Pwn2Own Berlin 2025, a full exploit chain against VMware Workstation was demonstrated via a heap overflow in the PVSCSI controller.
Despite Windows 11 LFH mitigations, advanced heap shaping and side-channel techniques enabled a reliable exploit.
🔍 Full technical write-up 👇
https://t.co/R0E5Uqql1E
Think urlscan is only useful for phishing? Think again.
We break down how urlscan Pro can be leveraged to identify exposed malware C2 admin panels and support infrastructure hunting. New intel report published on urlscan Pro now.
To help celebrate @arcanuminfosec Information Security's two-year anniversary, @Jhaddix gave me 5 codes good for any Arcanum course to give away!
Winners will be announced on 1/22.
👍 1 Like = 1 Entry!
♻️ 1 Share = 2 Entries!
In other news, we just dropped a new blog on threat actors leveraging AI to write their half-assed working scripts and payloads. At this point I'm not even mad, just disappointed. 🙃
https://t.co/PrlOT6SfQs
NEW BLOG: The Great VM Escape 💕
We caught threat actors deploying a VMware ESXi exploit toolkit in the wild, potentially a zero-day developed over a year before VMware's disclosure 👀
If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺
Full technical breakdown 👇
https://t.co/wXT9c7ytVh
New video dropped! 🤓
Vibe hunting through @ValidinLLC with no preparation at all, just pivoting on whatever looks interesting and seeing where it takes us 🐇🕳️ We stumbled across SmartApe, SmokedHam, Mintsloader ... Also caught up with Kenneth, the mind behind Validin! 🧠
https://t.co/rbANaslmPN
‼️🇰🇵 Meet North Korean recruiter 'Aaron,' who infiltrates Western companies by using AI and posing as a remote IT worker using stolen or rented identities.
He was lured into a sandbox by researchers, who observed the wild APT in a controlled setting to see what he would do.
Introducing RAPTOR, an Autonomous Offensive/Defensive Research Framework based on Anthropic's Claude Code, written by @dcuthbert, @halvarflake, @mbrg0, and myself.
Let's rock. Get it from GitHub, here: https://t.co/giBaCtIexB
👀 A malicious MCP server spotted in the wild!
The Postmark MCP server (used to send and track emails through Postmark API) introduced a suspicious behavior in version 1.0.16.
The attacker cloned the legitimate Postmark MCP code and added a malicious BCC line, then published it on npm under the same name.
Every email sent through this MCP was silently sent to the address of the attacker. Nasty, right?
Report: https://t.co/S9pY20wERM
🌟New report out today!🌟
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
Analysis/reporting completed by @RussianPanda, Christos Fotopoulos and Salem Salem, reviewed by @svch0st.
Audio: Available on Spotify, Apple, YouTube and more!
Report:⬇️
👀 New Microsoft threat report shows how attackers are using AI for evasion and obfuscation in a phishing campaign!
One part is very interesting: the team spotted 5 AI fingerprints in the code. But instead of hiding the attack (the initial goal), these fingerprints actually became detection artefacts!
Here are the 5 fingerprints; you have probably already seen some of them in the wild:
・Overly descriptive and redundant naming
・Modular and over-engineered code structure
・Generic comments
・Formulaic obfuscation techniques
・Unusual use of CDATA and XML declaration
Blog: https://t.co/BJ5XkQ7Seg
I foresee 2026 as a year of FIDO authentication downgrade attacks. 🪝🐟
I discovered a universal method for downgrading secure MFA methods (passkeys, security keys) to less secure alternatives during phishing attacks.
Enjoy the quick demo! 🎬
The latest threat in the wild: A stealthy malvertising campaign spreading a powerful multi-stage malware Talos calls "PS1Bot." Find out what makes this campaign so dangerous and how it’s evolving: https://t.co/qbcAi505Or