Unit 42's latest research details the process of deobfuscating a new attack chain seen in recent samples of the infostealer DarkCloud Stealer. We elaborate on removing anti-tampering protection and proxy calls, among other details: https://bit.ly/4lG5zkd
How to deobfuscate DarkCloud Stealer attack chain
How to Check for CVE-2025-61932: Is Your LANSCOPE Endpoint Manager Vulnerable to the New RCE Attack? Read the full report on - https://lnkd.in/eWcpei-k
Now at Ekoparty, Sebastián García presenting about DNS4EU, an initiative to provide users with European DNS resolvers and protection, and what it means to do threat detection on billions of queries every week. Learn more: https://www.joindns4.eu
🐱 New room Man-in-the-Middle Detection from TryHackMe 🐲 Learn what a MITM attack is, and how to identify the footprints of this attack in the network traffic.
🥨 Task 1: Introduction
🦈 Task 2: Lab Connection
🦊 Task 3: MITM Attacks - An Overview
🍐 Task 4: Detecting ARP Spoofing
🐧 Task 5: Unmasking DNS Spoofing
🐐 Task 6: Spotting SSL Stripping in Action
🐈 Task 7: Conclusion & Room Wrap-up
🐶 🐅 Room Link: https://lnkd.in/dd5JxUCQ
🐶 🐅 YouTube video walkthrough: https://lnkd.in/dS69bSzr #tryhackme
Hacktivist group TwoNet shifted from DDoS attacks to targeting critical infrastructure, exploiting a honeypot water plant via CVE-2021-26829, disabling logs and alarms to disrupt operations. #TwoNet #OTAttacks #USA link: https://ift.tt/gamuv5R
Ransomware group Akira claims to have accessed Natoli Engineering's sensitive data, including financial records and personal info, threatening to leak over 936GB. Impacting proprietary info in the US. #DataLeak #NatoliEngineering #USA link: https://ift.tt/rOcgksn
"...first things first, to create an alert for malicious activity, we need to ensure that we are logging ADCS events." Learn more: https://lnkd.in/efpFYjgy Detecting ADCS Privilege Escalation by: Alyssa Snow Published: 7/17/2025
It is insane how layering a first-stage AMSI bypass, D/Invoking amsihook.c as a new thread (permanent AMSI bypasses), then loading additional binaries with an old-school BYOVD exploit and hiding it with a userland rootkit (just r77), and persisting it with common registry keys was all that was needed to bypass most endpoint protections. Outside of the three final-stage binaries, no other implant was dropped to disk except the MSI file to start up the attack chain. But even then, using mass exploitation techniques to replace the MSI spearphishing payload sufficed.
Finding the needle in Intruder's haystack 👇
Every time I run Intruder attacks, I see the same pattern:
- Thousands of requests
- 99.99% irrelevant
- 1-2 payloads that actually triggered a weird response
So how do we make sure we don't miss a vulnerability due to all that noise? One thing I like to do is:
1. Sort by length
2. Pay special attention to the place where the length changes
3. Inspect those responses at the "border" of big batches
It's easy to look at the extreme cases (longest/shortest lengths). But a lot of the time, the vulns hide right in the middle of all the requests.
Another productive week exploring Snort, Brother Zeek and NetworkMiner and how they can enhance visibility and detection capabilities across a network.📊❤️ Here is how this can be achieved:
1. Snort runs on live traffic to detect, alert on threats and drop/reject malicious traffic in real time.✅️
2. Zeek runs alongside Snort, capturing detailed logs for contextual analysis.✅️
3. NetworkMiner can be used when you need to investigate a specific PCAP or event (e.g. from Zeek or Snort alerts).✅️
#TryHackMe
Thanks for sharing