We added a detection rule for --allow-dangerously-skip-permissions in Claude Desktop. Then we found an attack chain nobody was talking about.
"No shell, no impact" is the wrong mental model for AI agents.
An agent running with that flag, even with Bash blocked, can still:
• Read SSH private keys, .env files, AWS credentials, and browser session databases
• Write to ~/.zshrc, .git/hooks/pre-commit, ~/.ssh/authorized_keys, or source files in your repo
Execution is deferred. The next terminal you open, the next commit you push, the next CI run, runs the payload.
It gets worse. Skills load as trusted context with no signatures, no checksums, and no version pinning. Inject once, persist in ~/.claude/skills/, and wait. The user invokes the skill days later in a fresh session, and the payload runs with full trust. No anomalous process, network, or permission signal to catch it.
What defenders should do today:
• Monitor ~/.claude/skills/ for unexpected modifications
• Vet every MCP tool and skill before installation
• Audit shell configs and git hooks after any agent session
• Stop treating --allow-dangerously-skip-permissions as safe just because Bash is off
Full breakdown by @barnhartguy:
https://t.co/QUM7vUMIWa
#AISecurity #IncidentResponse #ThreatIntelligence #ClaudeCode #RapidIR
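One way to carry out the "monitor ~/.claude/skills/" and "audit shell configs and git hooks after any agent session" steps above, as an added example (not code from the post or from Profero): snapshot the paths the post names before a session, snapshot again afterwards, and review anything that differs. REPO, the function names and the demo file contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths named in the post. REPO is an assumption: the repository the agent worked in.
REPO = Path.cwd()
WATCHED = [
    Path.home() / ".claude" / "skills",
    Path.home() / ".zshrc",
    Path.home() / ".ssh" / "authorized_keys",
    REPO / ".git" / "hooks",
]

def snapshot(targets):
    """Map each file under the targets to (sha256, executable bit, symlink target)."""
    state = {}
    for target in map(Path, targets):
        files = [target] if target.is_file() else sorted(target.rglob("*")) if target.is_dir() else []
        for f in files:
            if f.is_file():  # follows symlinks, so linked dotfiles are hashed too
                link = os.readlink(f) if f.is_symlink() else ""
                digest = hashlib.sha256(f.read_bytes()).hexdigest()
                state[str(f)] = (digest, os.access(f, os.X_OK), link)
    return state

def changes(before, after):
    """Files added, removed, or modified (content, exec bit, link) between snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def demo():
    """Constructed scenario in a temp dir: a skill file changes and a git hook appears."""
    with tempfile.TemporaryDirectory() as tmp:
        skills, hooks = Path(tmp) / "skills", Path(tmp) / "hooks"
        skills.mkdir()
        hooks.mkdir()
        (skills / "SKILL.md").write_text("summarise the changelog\n")
        before = snapshot([skills, hooks, Path(tmp) / "zshrc"])  # zshrc absent: skipped
        (skills / "SKILL.md").write_text("summarise the changelog\n<constructed extra line>\n")
        (hooks / "pre-commit").write_text("#!/bin/sh\n")
        result = changes(before, snapshot([skills, hooks, Path(tmp) / "zshrc"]))
        return {kind: [Path(p).name for p in paths] for kind, paths in result.items()}

if __name__ == "__main__":
    print(demo())
```

In real use, call snapshot(WATCHED) before the agent session, store the result outside the agent's reach, and pass both snapshots to changes() afterwards.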
The war between wars is being fought inside your controllers. Our IRT breaks down an IRGC front’s paired IT wiper and OT sabotage campaign, with GRAT IOCs and YARA rules. https://t.co/VSD06j7U5o
Our team just published research on a malware campaign that hit 25+ organizations, several in Israel. The attacker built it so badly that anyone who opened a sample got kill-switch access to the entire botnet.
The malware: WindowsAudit. Runs as LocalSystem on compromised hosts. Discord as C2.
The mistake: Discord bot token hardcoded in plaintext inside the binary. No XOR, no encryption, no obfuscation. Same token in every sample on every infected machine.
What we did with it:
• Authenticated to Discord with the token and pulled the full activity history
• Extracted everything the attacker stole from victims: AD dumps, network maps, screenshots, file listings, usernames
• Identified 25 distinct victims from the data
• Tracked the attacker’s working hours and timezone in real time
• Every time a new build got pushed, automation grabbed it, reversed it, and pulled fresh IOCs
The architecture is worse:
• Every infected host runs the same binary
• That binary receives commands from the attacker AND can issue commands to other infected hosts
• No command signing, no authentication. If you hold the token, you operate the botnet.
• A single command could uninstall the malware from every victim. Accidental kill switch.
We didn’t fire it. Any command we sent would surface in the attacker’s Discord and burn the monitoring op.
Full IOCs in the writeup. Worth a look if you’re defending an Israeli environment.
https://t.co/5msXbQpChV
New research from Profero: a malware campaign affecting 25+ organizations, several in Israel, brought down by the attacker’s own operational security failure.
The malware, WindowsAudit, runs as LocalSystem on compromised hosts and uses Discord for command and control. The Discord bot token was hardcoded in plaintext inside the binary, identical across every sample on every infected machine.
Our research team used the exposed token to:
• Authenticate to the attacker’s Discord and recover the full operation history
• Recover all data the attacker had exfiltrated from victims, including AD dumps, network maps, screenshots, and file listings
• Identify 25 distinct victim organizations
• Profile the attacker’s working hours and timezone in real time
• Automatically retrieve, analyze, and extract IOCs from every new build the attacker deployed
A flaw in the malware’s design compounded the issue. Every infected host runs the same binary, capable of both receiving commands from the operator and issuing commands to other infected hosts. No signing, no authentication. Anyone holding the token could push a single command and uninstall the malware across the entire botnet. An accidental kill switch.
We chose not to use it. Any command we sent would have appeared in the attacker’s own Discord and ended the monitoring operation.
Full technical writeup and IOCs available at the link below. Particularly relevant for organizations operating in Israel.
https://t.co/dLBnneydcQ
Profero IRT pulled apart "WindowsAudit.exe", a 101MB .NET RAT running as LocalSystem that uses a Discord guild as its primary C2.
Two channels inside one guild: one for tasking, one for results. Operators issue slash commands to target agents by hostname, Machine GUID, or broadcast to all. MQTT and Telegram sit as fallbacks.
Inside the kit: LSASS dumps, DPAPI browser theft, full AD takeover toolkit, Hell's Gate syscalls, AMSI/ETW patches, EDR kill for 15+ vendors, WireGuard relay for pivoting.
This isn't a script-kiddie RAT. Looks like a ransomware crew warming up.
Mythos is a real capability leap. The threat model that changes is narrower than the coverage implies, concentrated where it was always going to hurt most: incident response.
What happens when incident responders build their own platform?
Rapid‑IR: Reforged brings four operational quadrants into one system, powered by Deep Breach Focus™ and designed as a continuous workflow where every feature was created to support real preparation and real response.
Russia's GRU built NotPetya. This week "Russian Legion" misspelled SharePoint in a fake nuclear breach screenshot. That gap is strategy, not decline. Full brief in next reply.
Deep Breach Focus™ is what makes Rapid‑IR: Reforged different.
Built entirely in-house from real breach casework, it turns years of incident response experience into continuous scoring, prioritization, and intelligence - without relying on third-party AI.
Your data never leaves the platform.
Real incident knowledge. Applied where it matters.
Happy Easter! While you take time to recharge, Rapid‑IR: Reforged is here to keep readiness running - so when incident response matters most, you're already prepared.
Happy Passover to our customers, partners, and community. May your holiday be peaceful, and may Rapid‑IR bring even more confidence and readiness to your security journey.
When an incident hits at 2 AM, most organizations don't start with response - they start with chaos. PDFs, scattered tools, unclear priorities, and a clock that's already running. That's not rapid response.
Years of real casework taught us something simple: the organizations that recover fastest aren't the ones with the biggest teams. They're the ones that were ready before the incident began. That's why we rebuilt Rapid-IR: Reforged, from the ground up - not as a feature update, but as a complete platform built around one conviction: the fastest response starts before the incident.
Read the full blog in the first comment.
We don't know exactly how Handala got into Kash Patel's accounts - and we're not going to speculate.
But after years tracking MOIS-linked intrusions, the answer is usually far less "zero-day" and far more credential dumps, stealer logs, and old breach data.
Read the full breakdown on the blog: https://t.co/1Fg0gIRhKf