I think the really big takeaway from this is the abuse of a legitimate tool's plugin capability to execute 💀 scripts. Many hours of work over the weekend by @soolidsnakee @DanielStepanic and @SBousseaden.
We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto.
The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault.
Full analysis: https://t.co/y7sGjClCKc
We uncovered a new Brazilian banking trojan campaign: TCLBANKER.
What makes TCLBANKER notable isn’t just the malware itself, but how it spreads.
The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection.
For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit.
Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign.
Read the full analysis: https://t.co/9z47oaEWdD
Elastic Security Labs warned that attackers are targeting crypto users through Obsidian community plugins that silently install PHANTOMPULSE malware. They lure victims into opening a shared cloud vault in the note-taking app.
"Salary Slips.exe." "Dont Delete.exe." "Important.exe."
These are the filenames BRUSHWORM copies itself as when spreading across USB drives in a targeted attack on a South Asian financial institution.
Elastic Security Labs uncovered two custom components working together: a modular backdoor and a persistent keylogger masquerading as libcurl.dll.
Full analysis: https://t.co/BOSZHsf8kQ
Bravo for releasing this. There's a reason these are successful: they spend a lot of resources to make them so.
Putting this stuff out in the public is how we raise all ships.
‼️ The axios lead maintainer has gone public on how he was socially engineered into installing the malware behind the npm supply chain attack.
We have example images showing exactly how the attack was staged.
One of our researchers built an AI powered supply chain monitoring tool on a Friday afternoon.
The following Monday night it caught the Axios npm compromise before most people knew it existed.
Elastic Security Labs is open sourcing the tool.
Full story by @dez_ here: https://t.co/wjT58qQYNO
We have discovered a massive supply chain compromise in the Axios npm package.
A backdoored maintainer account delivered a cross-platform RAT for Linux, Windows & macOS, targeting the Axios package, which has ~100M weekly downloads and is in the top five most popular Node.js packages.
We filed a GitHub Security Advisory to coordinate the disclosure, ensuring that the maintainers and the npm registry could act swiftly on the compromised versions.
Full analysis: https://t.co/XFHWdjXJT3
Elastic Security Labs detects the Axios npm supply chain attack across Linux, Windows & macOS.
Our behavioral detections caught it without relying on static indicators.
Full malware analysis dropping soon: https://t.co/RLFNCpS6AG
@IceSolst This is *exactly* what I am feeling. But, after chatting with folks at [un]prompted, it felt like everyone is ahead of me.
The only person I chatted with that was able to concretely describe implementation details was at Elastic, and had access to OS and AI logs.
We are tracking #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs.
www.ndibstersoft[.]com
d15mawx0xveem1.cloudfront[.]net
xMRi[.]neTwOrk
All Python spin for the Elastic Container Project is available if anyone wants to kick the tires. Probably going to archive the Bash version at the end of 2025(ish) #elasticcontainerproject
https://t.co/Ci1rwbiKYv
New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging.
Get the full analysis and defense strategies: https://t.co/7bJcjzRyL7