⚠️ UPDATE: New Court Files Reveal How Microsoft Helped the FBI Identify Peter Stokes "Bouquet" (Scattered Spider Member)
The court files reveal that Microsoft helped the FBI track Peter Stokes down using GDID — a Global Device Identifier, which is assigned to every Windows installation and cannot be changed unless the OS is wiped. The GDID helped them track:
• IP history
• Full web activity
• Video game activity and games played
• Logged-in social accounts, including Snapchat, Facebook, and Apple
According to the court documents, the critical mistake was using a VPN to create the ngrok account used in the May 2025 Tiffany & Co. hack from the same Windows device associated with his GDID.
Although the account was created from a VPN IP address ending in .168, Microsoft records show that the same GDID (6755467234350028) accessed the ngrok signup page at the exact time the account was created, linking the hack to his personal social accounts.
Wireshark is a great tool but looking at traffic packet by packet can be overwhelming and you may lose the plot of the story.
It's much easier to read a story if it has chapters, a table of contents, and an index.
Check out SO-CRATES as it helps you tell that story! https://t.co/J4tumWEJuS
A full university malware analysis course with every lecture, video, assignment, and lab available for free online.
Malware taxonomy. Static and dynamic analysis. x86 and x86-64 assembly. Ghidra from introduction to scripting to machine learning applications. YARA rules. Runtime debugging. Host exploitation and forensic analysis. Android and Java malware. PDF payload analysis. Sysmon. Volatility memory forensics.
No enrollment. No paywall. No signup. Just a complete course.
Course: https://t.co/GH0nZXRl3C
YouTube Videos: https://t.co/7ziaFvKbyi
Author: @colemankane
#MalwareAnalysis #ReverseEngineering #InfoSec
🎓 Master Malware Analysis & Reverse Engineering with Google's FLARE Learning Hub
FLARE Learning Hub is a free educational platform created by Google's FLARE team, offering high-quality training in reverse engineering and malware analysis. It includes a hands-on Malware Analysis Crash Course, an in-depth Go Reverse Engineering Reference, and a practical introduction to Time Travel Debugging (TTD). Each module comes with labs, sample binaries, scripts, and reference materials, making it an excellent resource for aspiring malware analysts, reverse engineers, DFIR professionals, and CTF players.
🔗 https://t.co/NBZ0rjY3ib
#ReverseEngineering #MalwareAnalysis #DFIR #CyberSecurity #OpenSource
Phrack 72 published the analysis of an actual North Korean APT workstation dump.
Real Kimsuky source code. A kernel-level remote backdoor. A private Cobalt Strike beacon. Android malware. Stolen South Korean government GPKI certificates. Access to the Defense Counterintelligence Command and Ministry of Foreign Affairs.
A South Korean security firm independently confirmed the findings. They matched the leaked rootkit source code to a rootkit found during a real 2022 incident at a South Korean financial institution. Same code, same encryption keys.
Opens with “Dear Kimsuky, you are no hacker.”
https://t.co/kaMJUzmaLr
https://t.co/YJ7glibYHQ
Authors: Saber + cyb0rg
Published in @phrack Issue 72, 40th Anniversary
Follow-up analysis by ENKI White
#ThreatIntel #Malware #InfoSec
Memory bandwidth contention is one of the biggest sources of performance interference in multicore systems. While Linux's MemGuard addresses this problem, its control loop is fundamentally reactive.
MemGuard periodically samples hardware PMU counters to estimate each core's memory bandwidth usage. If a core exceeds its configured bandwidth budget during a regulation period, it is throttled (typically by scheduling an idle thread) until the next period. This effectively protects latency-sensitive or real-time workloads from sustained interference.
The limitation is that congestion has already happened by the time MemGuard reacts. During the current regulation window, memory-intensive tasks may have already saturated the DRAM controller, increased request queue occupancy, and delayed LLC miss servicing for other cores. The throttling only prevents future interference.
LMS-AR extends this idea by making bandwidth regulation predictive instead of reactive. It continuously learns each core's memory access pattern using an adaptive Least Mean Squares (LMS) filter and predicts bandwidth demand for the next regulation interval. Based on these predictions, the regulator proactively redistributes bandwidth quotas before memory contention develops.
The result is a control loop that can reduce transient congestion, improve bandwidth utilization, and provide tighter latency guarantees for real-time applications without waiting for bandwidth violations to occur.
A small algorithmic change from reactive enforcement to online adaptive prediction, can significantly improve memory QoS in multicore systems.
heavener: This is what happens when you can't afford EDR licenses by otter.
TLDR; A modular engine that runs real vendor detection logic from reverse-engineered EDR components against live or replayed Windows telemetry.
Blog:- https://t.co/onZFaO23AR
#edr#detection
found interesting C2 here https://t.co/RL4f2DF2V3
(TAX#TRIDENT) 🥷
below you can see 3 examples of network communications (http, http2, tcp) ⬇️
https://t.co/7FjDQDOBoy
#rat#malware
AI Ghidra and Radare2 : AI-powered reverse engineering.
AI agents that can disassemble, decompile, scan with YARA, and Perfect for malware analysis, vulnerability research, and automated reporting, understands binaries in natural language.
- https://t.co/nbs39c26pw
Master the art of reverse engineering and binary exploitation. Train through an immersive terminal. Progress through the belt system. 📍
Source: https://t.co/enxuULFPeF
Self-hosted Algo on DigitalOcean lets us treat the VPN exit IP as disposable. After investigating malicious infrastructure, destroy the droplet, redeploy in minutes, and the next project starts from a clean IP.
https://t.co/xAx8NSrSuz
MCP is slow for RE-heavy projects and, in some cases, is unstable.
ghidra-rpc is way faster than MCP and scales more efficiently in a multi-agent setup, since it outputs structured JSON.
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."