Has anybody heard of software called `garalt`? This user is probing many large repos with injection attempts to steal a `garalt_secret`. I can only find one reference to that name, and it's another user with the same type of activity:
https://t.co/TibXtzardg
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! https://t.co/2joOibx3Ia
It's wild just what kind of crazy things you can achieve in a home lab. Just as an experiment and to better understand Kubernetes cluster management, I decided to build a Stratum 1 NTP server. 191 nanosecond RMS offset to UTC, served from a home lab cluster running Kubernetes...
@docskele You are welcome! Let me know if you have any additional questions along the way. I iterated through multiple configs and have a good idea of what works now or not. I can also offer insight into the backing volume for the F50D, as that was the most challenging (for me at least)
@docskele The geophone is bolted down to a cement pier that I poured at the base of the underground box to couple to the ground better. The underground box was courtesy of Frontier fiber leaving a box in my yard after putting in new fiber for the neighborhood. Tech told me to keep it. :)
This is what loud thunder looks like from a close lightning strike, including my infrasound sensor. 38 Pa of pressure is crazy. It also shows up on the seismograph of course and dwarfs any other event around it. (The small preceding spike is electrical interference from the lightning!)
Another project I have been working on is a seismometer. It's so sensitive, it not only detects rain (blue) even though it is buried in an underground box, but also individual cars on the main road that is 200+ yards away! (pink) Traffic picks up around 6am. Orange is my AC unit.
This is probably the best look at the shockwaves I've seen from the latest Starship flight.
Captured from a GoPro I clamped onto a proper camera to record simultaneous video. (I'll show you the photo the better camera took in the reply)
Following @greynoiseio's post regarding broad SonicWall scanning, Huntress has observed a sharp increase in compromise of SonicWall SSLVPN devices from IP addresses 173.208.148[.]250 (WholeSale Internet) and 45.86.230[.]72 (Clouvider)
maybe I'm just young and brainrotted but the first few seconds of the phone blurrily readjusting to the moon affected me more viscerally than any other photo that came out of Artemis
@Antidiscourse25 I know this is too late to help for this ride, but I am sending you a little something to hopefully help in case there is a next time. Take care my friend :)
Yeah, so pretty much this https://t.co/9ASpvhia8M malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload.
This appears to only impact HWMonitor 64bit. It appears (based on user reports) cpuid became malicious around 7PM EST, April 10th, 2026. However, it is possible it was much earlier than this, this is just when people began noticing and discussing it online.
From an extremely high-level overview, it appears the ultimate goal of this malware is data theft, specifically browser credentials. However, I could be wrong in that assessment, but I'm fairly confident in it. I'm guessing this is the end goal because when I emulated it I can see it messing with Google Chrome's IElevation COM interface (trying to dump and decrypt saved passwords). However, between this it does a bunch of other stuff too.
1. They (an unknown Threat Actor) compromised https://t.co/9ASpvhia8M to deliver malware from HWMonitor. It impacts the actual installer as well as the portable installer. It downloads stuff from supp0v3-dot-com, the same domain used from a previous malware campaign targeting FileZilla in the beginning of March, 2026 initially reported by MalwareBytes.
2. HWMonitor comes packaged with a malicious CRYPTBASE.dll. CRYPTBASE.dll is a legitimate Windows library, but they made a fake one to blend in (malware masquerading). This DLL is responsible for connecting to their C2 and downloading the other malware stages.
3. It tries to detect emulation and prevent reverse engineering by checking for the presence of specific registry keys on the machine. However, they failed doing this and didn't account for everything. Notably, they only check for VirtualBox (whomp, whomp).
4. It downloads a .cs file from a remote C2 and then compiles it manually on the machine by invoking .NET stuff. This is an interesting strategy. It does all of this via PowerShell (LOLBIN nonsense).
5. The .cs file it compiles is a .NET binary with NTDLL exports. The main HWMonitor binary performs process injection using this compiled .NET binary. This is an interesting strategy.
6. Almost everything it does is performed in-memory. I would have to go through this and manually bonk all of this stuff with a stick and determine precisely how it operates. However, I don't think that is necessary because at this point we know this is malware and we know it's trying to steal browser credentials.
+2 points for IElevation COM Interface credential dumping
+1 point for inline PowerShell CLI DLL compilation
+1 point for .NET assembly NTDLL export proxying
-1 point for botched anti-emulation
+2 points for website compromise and supply chain attack
+1 point for memory persistence
-3 points for recycling the same C2 from March, 2026 campaign
Overall I give this malware a B-. This is pretty good malware.
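Added example, not part of the thread above: a small Python check that flags two of the behaviours the thread describes, a CRYPTBASE.dll loaded from outside the Windows system directories (the masquerading in point 2) and PowerShell compiling a .cs file at runtime (point 4), run over constructed Sysmon-style events. The Add-Type/csc.exe pattern, the file paths and the command lines are my assumptions for the demo, not indicators from the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled loosely on Sysmon image-load (ID 7) and
# process-create (ID 1) records; all paths and command lines are made up.
SAMPLE_EVENTS = [
    {"kind": "image_load",
     "image": r"C:\Program Files\CPUID\HWMonitor\HWMonitor_x64.exe",
     "loaded": r"C:\Program Files\CPUID\HWMonitor\CRYPTBASE.dll"},
    {"kind": "image_load",
     "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\cryptbase.dll"},
    {"kind": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-Type -Path C:\Users\Public\stage.cs -OutputAssembly C:\Users\Public\stage.dll"},
    {"kind": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Temp"},
]

# DLL name the thread says was masqueraded; extend with other commonly sideloaded names.
MASQUERADED_DLLS = {"cryptbase.dll"}
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumption: the thread only says the .cs is compiled "via PowerShell"; Add-Type with
# a .cs source, or a direct csc.exe call, are the usual ways that shows up in telemetry.
COMPILE_PATTERN = re.compile(r"(add-type\b.*\.cs\b|\bcsc\.exe\b)", re.IGNORECASE)


def is_masqueraded_load(loaded_path: str) -> bool:
    """True when a protected DLL name is loaded from outside the Windows system dirs."""
    p = PureWindowsPath(loaded_path)
    if p.name.lower() not in MASQUERADED_DLLS:
        return False
    return str(p.parent).lower() not in TRUSTED_DLL_DIRS


def is_inline_compile(image: str, cmdline: str) -> bool:
    """True when PowerShell is asked to compile C# source at runtime."""
    if PureWindowsPath(image).name.lower() != "powershell.exe":
        return False
    return COMPILE_PATTERN.search(cmdline) is not None


def detect(events):
    """Return (rule, detail) tuples for events matching either behaviour."""
    alerts = []
    for ev in events:
        if ev["kind"] == "image_load" and is_masqueraded_load(ev["loaded"]):
            alerts.append(("dll_masquerade", f'{ev["image"]} loaded {ev["loaded"]}'))
        elif ev["kind"] == "process_create" and is_inline_compile(ev["image"], ev["cmdline"]):
            alerts.append(("powershell_inline_compile", ev["cmdline"]))
    return alerts
```

Run against real telemetry the two rules will need tuning (legitimate installers do ship copies of system DLLs, and Add-Type is used by benign admin scripts), so treat hits as triage leads rather than verdicts.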