PRC-nexus actor UNC6508 targeted North American research, exploiting REDCap servers to deploy INFINITERED malware.
The actor remained undetected for over a year and abused enterprise admin tools for covert data exfil.
Analysis, guidance and IOCs ➔ https://t.co/xLenVImMxH
I hate how use of the term "sophisticated" is used/abused in describing cyber actors. So here is an actually sophisticated actor.
Note the:
- decently executed multi-stage social engineering
- array of bespoke tools
- fact there's obviously complex back-end processing occurring
Microsoft identified a campaign by North Korean state actor Sapphire Sleet employing new combinations of macOS execution patterns and techniques, enabling the actor to compromise systems through social engineering rather than software exploitation. https://t.co/7ynhI0V1sW
This is very good malware.
This is solid-solid-SOLID B+ malware, very close to A- malware.
APT37 is using an old-school playbook. They're doing EPO (Entry Point Obfuscation) on a self-delivered binary for evasion. They also unironically are using something akin to cavity infection ... but on themselves. This is something you saw more in the Windows 95 - Windows XP era, not something you see in 2026.
Very cool. I respect it.
The multi-staged fragmentation of shellcode phases is also really, really, really cool. This is (once again) a more old-school technique usually reserved for infected binaries, not self-delivered binaries.
Despite all of these super cool features, APT37 shoots themselves in the foot immediately.
- EAT walking for Kernel32 functionality (???)
- XOR decryption is a huge red flag
- Allocating with PAGE_EXECUTE_READWRITE (???)
- Hardcoded OAuth token (???)
- Used external dependency for AES (???)
Why not use NT functionality to hook evasion? XOR is easily identified in static analysis, why XOR? Allocating memory with VirtualAlloc with RWX is a MASSIVE RED FLAG. They also hardcode an OAuth token ... they can multi-stage a shellcode payload with old-school malware techniques but hardcode AN OAUTH TOKEN?
It unironically makes me wonder if they had one old-head malware guy working on it, then they had some newer dude do the non-hardcore stuff. There is a huge gap in skill sets here.
Or the old-head hasn't kept up to date on malware stuff since 2005... or they got lazy... I don't know, really weird.
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎
Introducing 𝗜𝗥𝗙𝗹𝗼𝘄 𝗧𝗶𝗺𝗲𝗹𝗶𝗻𝗲 — a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman’s Timeline Explorer.
Every feature in this tool was shaped by real IR casework. Handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it’s in the app, it’s because I needed it mid-case and realized the standard tools fell short.
No dependencies. Zero setup. Just drag, drop, and analyze.
#dfir #incidentresponse #timeline #macos #threathunting #digitalforensics
GTIG, Mandiant & partners disrupted a global cyber espionage campaign by suspected PRC-nexus actor UNC2814.
The group used a novel backdoor, GRIDTIDE, abusing Google Sheets API for C2. We dismantled the infrastructure & released IOCs.
Read more: https://t.co/rdp0GD2JXL
Great deep dive from the GitLab team on DPRK’s "Contagious Interview" and illicit IT worker campaign. This isn’t just a surface-level write-up. It shows how a platform can operationalize its own telemetry, extract high-signal intelligence, and convert that into concrete, actionable insights for the broader security community. Seriously impressive work. 👏
Blog: https://t.co/B9pPZwaiuv
If you want even more context, the Three Buddy Problem podcast did a great breakdown of the blog and unpacked the tradecraft, detection implications, and what this means for defenders. TBP is basically my go-to weekend running podcast, so it was extra cool to hear them dive into this and appreciate the shoutout to me, guys. 🙇♂️
TBP Podcast: https://t.co/fFZyUxhFYz
UNC6201 is exploiting a high-risk zero-day (CVSS 10.0) in Dell RecoverPoint for Virtual Machines.
This PRC-nexus actor has leveraged the vulnerability since mid-2024 to maintain persistent access, and distribute GRIMBOLT backdoor.
📄 Learn more:
https://t.co/Q92lmOaW8X
What I learnt today: Mandatory User Profiles
Praetorian named their blog "Persistence Through Forgotten Windows Internals", and true, at least I never heard of Mandatory User Profiles before reading this article.
In enterprise environments, administrators sometimes want to enforce a specific user profile that resets on each login. To accomplish this, Windows supports a file called NTUSER[.]MAN (the .MAN standing for “mandatory”), which takes precedence over the usual NTUSER.DAT registry hive stored in %USERPROFILE% when a user logs in.
Setting up persistence on a copy of NTUSER.DAT using the Offline Registry Library might evade some EDRs. The whole blog post is worth a read, but the TL;DR for defenders is:
Consider monitoring for NTUSER[.]MAN file creation in user profile directories, especially when it doesn’t come from an enterprise profile management system.
Source:
https://t.co/9gW16tHL5t
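One way to act on that monitoring advice, as an added example that is not part of the original post or of the Praetorian blog: a small triage routine that walks file-creation events (shaped loosely like Sysmon Event ID 11 records with a process image and a target path) and flags any NTUSER.MAN written directly under a user profile directory by a process that is not on an allowlist of profile-management tooling. The event records, the allowlist entries and the process names are constructed for illustration; populate the allowlist from your own profile-management deployment.

```python
"""Flag NTUSER.MAN creations in user profile directories.

Added example (not from the original post). Events are constructed dicts
with an "image" (writing process) and a "target" (created file path).
"""
import re

# Constructed allowlist of processes expected to write mandatory profiles.
# These are assumptions for the example; derive yours from the enterprise
# profile-management system actually in use.
ALLOWED_WRITERS = {
    r"c:\program files\profilemgmt\agent.exe",   # hypothetical management agent
    r"c:\windows\system32\svchost.exe",          # assumed profile service host
}

# <drive>:\Users\<name>\NTUSER.MAN, directly under the profile root,
# case-insensitive (Windows paths are case-insensitive).
PROFILE_MAN = re.compile(r"^[a-z]:\\users\\[^\\]+\\ntuser\.man$", re.IGNORECASE)


def is_suspicious(event):
    """True if the event creates NTUSER.MAN in a profile root from an unexpected process."""
    if not PROFILE_MAN.match(event["target"]):
        return False
    return event["image"].lower() not in ALLOWED_WRITERS


def triage(events):
    """Return the subset of events worth an analyst's attention."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events: one unexpected writer, one allowlisted writer,
# one NTUSER.DAT (normal), one NTUSER.MAN outside any profile root.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\NTUSER.MAN"},
    {"image": r"C:\Program Files\ProfileMgmt\agent.exe",
     "target": r"C:\Users\kiosk\NTUSER.MAN"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\jdoe\NTUSER.DAT"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Temp\NTUSER.MAN"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"NTUSER.MAN written by unexpected process: {hit['image']} -> {hit['target']}")
```

The regex deliberately requires the file to sit directly in the profile root, which is where Windows looks for the mandatory hive; NTUSER.MAN created elsewhere is not a profile override and would only add noise. Tune the allowlist to the processes your profile-management system really uses rather than broad system binaries, since an overly wide allowlist is exactly the gap the technique relies on.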
🕵️♂️💰 North Korea-linked UNC1069 used deepfake Zoom calls to hack crypto firms.
Posing via Telegram, attackers lured victims into fake meetings, triggering ClickFix commands that deployed multi-stage malware on macOS & Windows to steal wallets and credentials.
🔗 Read → https://t.co/vgPAQXtNul
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering #Lazarus
The victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company that appeared to be a deepfake.
https://t.co/YboRk3Ynaj
Incident responders said North Korean hackers used a deepfake video call to convince an official at a cryptocurrency company to install malware on their device https://t.co/8b1TdlOS4L
North Korean actor UNC1069 is targeting the crypto sector with AI-enabled social engineering, deepfakes, and 7 new malware families.
Get the details on their TTPs and tooling, as well as IOCs to detect and hunt for the activity detailed in our post 👇
https://t.co/t2qIB35stt
See how DPRK-nexus actors are leveraging deepfake video to compromise the systems of high-value targets within the Cryptocurrency industry. This IR engagement also yielded some very fruitful findings on the toolset deployed by the threat actors once they had initial access.
Another DPRK incident where it looks like deepfake video was involved. North Korea keeps coming up when it comes to this issue. https://t.co/llyENWsKvH
ProfileHound is a post-escalation tool to help find and achieve red-teaming objectives by locating domain user profiles on machines. It uses the BloodHound OpenGraph format to build a new edge called which determines if a user profile exists on a computer. This edge allows operators to make informed decisions about which computers to target for looting secrets.
https://t.co/l524stExDt
How a packet moves through the Linux kernel. Often you'll find Linux kernel docs are outdated and piecing together information like this is a real chore.
📣 Everything defenders need to know about UNC1549: a deep dive analysis of suspected Iran-nexus espionage targeting the aerospace, aviation, and defense industries in the Middle East.
Dive into the details: https://t.co/N2KBeHdJ7z