We have published a new blog analyzing how the FBI identified and arrested an alleged member of Scattered Spider using Microsoft's Global Device Identifier (GDID).
This time, it wasn't an OPSEC failure, a doxxing incident, or a leaked account that exposed the operator.
Instead, investigators relied on built-in Windows telemetry provided by Microsoft through legal process. The court documents reveal that Microsoft telemetry linked a unique GDID to the suspect's web activity, IP addresses, timestamps, and even the use of tools such as ngrok.
The case raises important questions about the telemetry collected by Windows and how it can be leveraged in criminal investigations.
Read the full analysis here: https://t.co/XBEHtNG4GK
#darkatlas #FBI
We've just published an in-depth technical analysis of #Gentlemen Ransomware, examining its architecture, attack methodology, propagation mechanisms, and operational evolution.
The report provides detailed insights into the ransomware's Go-based encryptor, self-propagation capabilities, lateral movement techniques, defense evasion methods, and the broader ecosystem surrounding one of the fastest-growing ransomware operations observed in recent campaigns.
Additionally, the research explores the group's infrastructure, victimology, operational patterns, and emerging trends across multiple sectors and regions.
Read the full analysis here:
https://t.co/qoBYIkdNIb
#darkatlas
Supply chain attacks have become one of the fastest growing threats in modern cybersecurity, targeting the core of today’s software development ecosystem.
Recent incidents involving GitHub Actions, Axios, Trivy, and LiteLLM demonstrate how attackers are increasingly abusing trusted platforms, CI/CD pipelines, package registries, and developer tooling to achieve large-scale compromise.
In our latest blog, we break down the evolution of modern supply chain intrusions, including:
CI/CD and GitHub Actions abuse
npm and dependency poisoning
Credential harvesting from cloud-native environments
GitHub repository and package compromise
Abuse of trusted publishing and build provenance
Modern propagation and persistence techniques
Read the full analysis here: https://t.co/6NuvedYPxr
#darkatlas #github #trivy #axios
We've just published a complete technical analysis of #PlugX (#KorPlug), a modular RAT delivered through an MSI-based DLL sideloading chain abusing a legitimate G DATA binary. The report covers the full infection chain, control-flow flattening obfuscation, encrypted payload staging, reflective DLL loading, RC4 configuration decryption, C2 communication, and persistence mechanisms.
Read the full analysis here: https://t.co/5zCu8GMDzD
#darkatlas #PlugX #Malware_Analysis
We’ve just published an in-depth technical analysis of #SalatStealer, a sophisticated Go-based infostealer featuring resilient C2 communication and advanced data theft capabilities. The report covers its infection chain, persistence mechanisms, credential and browser data theft techniques, operational workflow, and overall malware architecture.
Read the full analysis here: https://t.co/1RiKF3ZoVk
#darkatlas #Salat_Stealer
We’ve just published a comprehensive technical and reverse engineering analysis of the #Banshee InfoStealer—a sophisticated threat targeting macOS users. The report includes IOCs, YARA rules, and actionable security recommendations to help detect and mitigate this threat.
Read it here: https://t.co/yHdKLfIXgm
#darkatlas #infostealer #banshee #macOS
@D0rkerDevil The very strange behavior is that in two different host of two different program was same logs with same size of it
The first one is 1.9MB right?