EDRUnChoker registers a permanent WMI subscription with a 5-second timer that runs embedded VBScript (fileless) that deletes malicious MSFT_NetQosPolicySettingData policies targeting known security products or aggressive app-path throttles.
https://t.co/A1hcrpav2X
Interlock operators are running Volatility... the defender's memory-forensics tool against their own victims. windows.hashdump on a dump file → creds extracted, zero LSASS access. RunAsPPL / Credential Guard don't fire. Interesting finding from the DFIR Report.
I am reasonably reserved with respect to the AI hype train but tmux + Claude agent swarm? Absolute BEAST mode. Got my lead Claude bossing a squad of AI teammates, shared tasks, direct chit-chat via mailboxes, no race condition nightmares. Wow just wow.
A VS Code extension for a "Clawdbot Agent" was fake; it was actually malware that installed ScreenConnect on a target computer to be used as a remote access trojan!
YouTube video walking through the extension source code & Rust-based loader by DLL hijacking: https://t.co/rUmxuvd2dJ
Hat tip to Aikido Security and Charlie Eriksen for catching this thing in the wild -- one of the domains looks to also be hosting a panel for Evelyn Stealer malware, so we reference some other research from Trend Micro and Koi Security as well to note the similarities in the Lightshot EXE and DLL naming & abuse of VS Code extensions for fake AI coding assistants.
While I was recording, the extension was changed and updated to a new version in real-time -- so we take a look at both and actually fire off the sample to see it work.
... it didn't work. (???)
Looking more closely at the syntax of the extension, even recreating how it is invoked, the logic seemed wrong. Was the whole thing vibecoded? Maybe I missed something, so I need your eyes! (Or your Clawdbot Moltbot Robot Botbot bot "eyes"😜)
https://t.co/7SGypThbZL
Attackers are now using Microsoft's own App-V scripts as a LOLBin to proxy PowerShell and slip past your defenses. The payload? Amatera infostealer, served via fake CAPTCHA.
Microsoft really said "here, have a trusted binary" and threat actors said "don't mind if I do." https://t.co/JZ5HMRBUqY
Prohibited at NYC inauguration: Flipper Zero and Raspberry Pi.
Permitted: Notebook computers running Kali Linux, cellphones with full pentesting toolchains and SDR apps.
Classic security theater: banning specific hobbyist devices while allowing far more capable general-purpose hardware.
https://t.co/z8y44uMhkB
@British_Airways Thank you. Eventually they let us through. The gate agent explained that the cutoff is 4 years old for priority boarding but made an exception for them being 5 years old. It’s very stressful traveling with kids and all their gear.
@British_Airways you are denying me and my two young children priority boarding from London to Austin. This was something we had from Austin to Heathrow. Please have a consistent policy, and now it’s really hard boarding with kids. It’s hard enough to travel with kids.
With #DGXSpark, my time goes into fine tuning LORAs and NVFP4 quantization instead of debugging the stack. That’s real progress...nicely done #NVIDIA, Bravo!
Graph API: “Trust me bro, here’s global admin.”
Actor tokens: “Say less.”
CVE-2025-55241: the bug that made every tenant a group project. 😬 https://t.co/47THBNNiwz
@techspence App/binary allow-listing, when paired with strong auth (machine trust cert + WebAuthn key), quietly prevents a lot of bad days. Hugely underrated control imho.
UNC6395 abused compromised OAuth tokens from the Salesloft Drift integration to exfiltrate data from Salesforce, including AWS keys/Snowflake creds. So what: SaaS integrations expand your attack surface as much as your own code, but with far less visibility or control. https://t.co/QqLIJVwfpB