Our team revisited #BLISTER, a stealthy loader recently tied to #LockBit and #SocGholish. We go through its different capabilities, and released a config extractor.
Blog🔗: https://t.co/HzGszV8eF4
Config extractor 🧰: https://t.co/eMOznDWzqW
#VirusBulletin round 2! 🥊(last one was 2 years ago for me) @k33b0i and I will be there for #VB2026 presenting how #REF3927 managed to hijack 571+ IIS servers for an SEO fraud network. Swing by and catch up with the Elastic Security Labs team if you're around. https://t.co/MJFn3E71iQ
#vbconference #conference #research
We uncovered a new Brazilian banking trojan campaign: TCLBANKER.
What makes TCLBANKER notable isn’t just the malware itself, but how it spreads.
The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection.
For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit.
Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign.
Read the full analysis: https://t.co/9z47oaEWdD
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy.
So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it?
We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs.
Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses.
The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces.
The arms race just shifted.
Here's a fun one from our latest research:
PHANTOMPULSE resolves its C2 from blockchain transactions. The malware reads the most recent transaction of a wallet to decrypt the input data, and uses it as the C2 URL.
The problem? It doesn't verify the sender. 🧵
We have identified a novel social engineering campaign abusing Obsidian, the popular note-taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto.
The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault.
Full analysis: https://t.co/y7sGjClCKc
Elastic Security Labs has been observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The SILENTCONNECT loader delivers ScreenConnect - an RMM tool used to control victim machines - as its final payload. https://t.co/hGVbMsGgBl
Patch Diff to SYSTEM - using LLMs to exploit an LPE vuln on Windows. More importantly, some thoughts on model capabilities and the implications for our security industry https://t.co/wmPNfoLbt8
@soolidsnakee uncovered a #clickfix campaign using compromised legitimate sites to deliver a five-stage chain ending in #MIMICRAT, a custom native C RAT with malleable C2, token theft, and SOCKS5 tunneling.
Read more here: https://t.co/S79b5OWp4X
Elastic Security Labs uncovered a large-scale SEO poisoning campaign deploying #BADIIS malware on 1,800+ IIS servers worldwide. Compromised systems—spanning government, corporate, and education sectors—are monetized to push gambling and illicit content. Learn more here: https://t.co/WwGEJyL2DF
We are tracking a #clickfix campaign hosted and served by two compromised websites. Lua in-memory script loader and a #RAT that we are naming #MimicRat. A blog post will follow soon on @elasticseclabs.
www.ndibstersoft[.]com
d15mawx0xveem1.cloudfront[.]net
xMRi[.]neTwOrk
New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging.
Get the full analysis and defense strategies: https://t.co/7bJcjzRyL7
#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant.
Check it out at https://t.co/Df8JLO6w4d
#ElasticSecurityLabs joins forces with @tamusystem and discloses TOLLBOOTH, an IIS module used for SEO abuse that relies on publicly exposed ASP.NET machine keys: https://t.co/WRpYpPG8J1
Elastic Security Labs publishes nightMARE, a Python library (v0.16) for malware analysis and for building configuration extractors. https://t.co/Cdofl8Lazn
@elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.
#ElasticSecurityLabs has kept tabs on #WARMCOOKIE, a backdoor we disclosed in June 2024 that used employment-related phishing lures to infect victims. Learn how this threat’s evolving: https://t.co/53KcLQHdQN