Advanced Runtime Attack Techniques

Analyzing the leaked code from the Vanhelsing Ransomware, it is essentially a highly modular and automated builder, developed in C++, designed to dynamically generate executable binaries (.exe) based on instructions received from a C2 server. The core logic includes a persistent loop (wmain) that continuously polls for new tasks via REST HTTP requests to an attacker-controlled endpoint. When a task is received, the system automatically compiles two binaries: the locker, responsible for encrypting the victim's files, and the decrypter, which allows for data recovery if the correct key is provided. The main payload is encrypted using AES-256-GCM (via libsodium), with a key derived from an X25519 key pair. The compiled locker binary is read, encrypted, converted into a binary header, and embedded into the loader, which is the final stage responsible for decrypting and executing the locker at runtime. The modular architecture allows the same locker to be reused with multiple loaders. File operations are handled directly through low-level Win32 API calls (CreateFileA, ReadFile, MoveFileA, DeleteFileA), with no dependency on external libraries. PowerShell’s Compress-Archive is also used to efficiently package and transmit artifacts via HTTP. There is a clear separation of responsibilities in the build pipeline: reading, encryption, macro substitution, architecture-specific compilation (Win32/x64), binary renaming, and upload to the C2 are all handled in well-defined stages, with error handling and diagnostics performed via GetLastError(). Summary of Evasion Techniques: - Encryption of artifacts using X25519 + AES-256-GCM - Use of fileless-like execution via loader with embedded payload - Per-build uniqueness through dynamic key and ID insertion - Compilation via MSBuild (LOLBin abuse) #redteam #cybersecurity #malware #malwaredevelopment #malwareanalysis

🔍 Day 33/100 — Daily Intel 🚨 New Indirect-Shellcode-Executor Tool Bypasses AV/EDR Using Windows API Quirk A new Rust-based offensive tool, Indirect-Shellcode-Executor, demonstrates a novel EDR bypass technique by abusing a little-known behavior in the Windows API. 🧩 How the bypass works: The tool exploits the ReadProcessMemory function — normally used only for reading — by manipulating the lpNumberOfBytesRead pointer to write bytes into process memory. 🔸 This creates a write primitive using a read API 🔸 Completely sidesteps hooked functions like WriteProcessMemory, memcpy, etc. 🔸 Avoids classic code-injection detection heuristics ⚙️ Key Capabilities (Rust PoC): 🌐 Remote payload execution (C2-hosted shellcode, incl. hiding in PNG/asset files) 💻 Terminal injection (pass raw shellcode via CLI) 📁 File-based injection (payload stored in documents or temp files) 📌 Why this matters: This technique lives below the radar of current EDR visibility. Most vendors hook write-oriented APIs — few monitor unexpected R/W mismatches in ReadProcessMemory. This expands the “living off the Windows API” attack surface for red teams and real adversaries. 🛡️ Defensive Takeaways: º Monitor suspicious ReadProcessMemory calls targeting RWX or executable regions º Flag abnormal lpNumberOfBytesRead pointer usage º Combine API telemetry with memory behavior analytics rather than relying solely on API hooking https://lnkd.in/dnMftwqM #WindowsSecurity #EDRBypass #AVBypass #Shellcode #Rust #RedTeam #ThreatIntel #Malware #DFIR #DetectionEngineering #CyberSecurity #ExploitResearch #Day33of100 #100DaysOfIntel

Deep dive into EDR evasion techniques used by modern attackers - a comprehensive analysis by Mat Cyb3rF0x Fuchs covering everything from LOLBins to kernel-level bypasses. Five key evasion categories: • Living off the Land: Attackers abuse trusted system utilities (PowerShell, WMI, CertUtil) to blend malicious actions with legitimate operations • Process Injection: Hiding malicious code inside legitimate processes like explorer.exe through hollowing and thread injection • Hook Bypassing: Evading EDR visibility by unhooking APIs or using direct/indirect syscalls to circumvent monitoring • In-Memory Evasion: Running payloads entirely in memory with encryption and obfuscation to avoid detection during idle periods • EDR Tampering: Disabling security through "Bring Your Own Vulnerable Driver" (BYOVD) to gain kernel access and terminate protected processes Detailed threat actor examples and practical defensive mitigations included for security teams looking to harden their environments.

THREAT CAMPAIGN: MULTI-STAGE IN-MEMORY LOADER USING STEGANOGRAPHY AND PROCESS INJECTION ℹ️ Researchers have identified a sophisticated commodity malware loader actively used in targeted email campaigns by multiple advanced threat actors. These campaigns show precise regional and sector targeting, especially manufacturing and government organizations in 🇮🇹Italy, 🇫🇮Finland, and 🇸🇦Saudi Arabia. ℹ️ Despite different delivery methods (e.g., weaponized documents, SVGs, ZIP/LNK archives), all use a common loader architecture, suggesting a shared framework or ecosystem among attackers. Emails are crafted to resemble legitimate business communications, such as purchase orders, to trick recipients into executing malicious attachments. 📍 MULTIPLE DELIVERY VECTORS The campaign uses a variety of file types and delivery mechanisms, including: ■ Weaponized Office documents exploiting vulnerabilities like CVE-2017-11882; ■ Malicious SVG files; and ■ Compressed archives with LNK shortcuts. All of these serve as triggers for the loader. 📍 EVASION TECHNIQUES The loader employs several stealthy tactics: ■ Steganography, hiding payloads inside benign image files. ■ Trojanizing open-source libraries so they appear legitimate but contain hidden malicious behavior. ■ A four-stage evasion pipeline, including obfuscation, in-memory execution, and process injection to evade forensic detection. 📍  LOADER The infection chain typically follows these phases: ■ 1. Initial Execution: Email attachment executes obfuscated script (e.g., JavaScript) that spawns PowerShell. ■ 2. Steganographic Payload Retrieval: Payload is pulled from a hosted image and decoded in memory (no disk artifacts). ■ 3. Trojanized Component Loading: A genuine open-source library (e.g., TaskScheduler) is embedded with malicious functions and loaded reflectively. ■ 4. Process Injection & Payload Execution: Malicious code is injected into a legitimate system process to avoid detection and the real malware (e.g., RAT or stealer) is executed. 📍 PAYLOADS DELIVERED The loader can deliver a range of secondary malware, depending on the campaign, such as: ■ Remote Access Trojans (RATs) and ■ Infostealers like PureLog Stealer, Katz Stealer, DC Rat, AsyncRat, Remcos, etc. These payloads are designed to exfiltrate credentials, system information, or enable full remote compromise. 📌 Source: Cyble 🔗 https://lnkd.in/ddnwfYWk #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

A new attack predicts what tool your agent will call next, then substitutes the closest malicious alternative. The agent runs the malicious tool up to 49% of the time. The AdapTools paper introduces adaptive indirect prompt injection attacks against tool-using LLM agents. Two things make this different from prior work: First, the attack learns from failure. An adversarial LLM generates injection payloads, reads the victim agent's Chain-of-Thought reasoning to understand why it was rejected, then iteratively refines its approach. Successful strategies get distilled into a transferable library that works across different agents. This isn't a static template - 𝗶𝘁'𝘀 𝗮𝗻 𝗲𝘃𝗼𝗹𝘃𝗶𝗻𝗴 𝗮𝘁𝘁𝗮𝗰𝗸𝗲𝗿. Second, the attack is context-aware. Instead of randomly calling a malicious tool (delete_files during a coffee order gets flagged instantly), it models the agent's tool-use patterns as a Markov Chain, predicts what tool the agent would naturally invoke next, and 𝘀𝗲𝗹𝗲𝗰𝘁𝘀 𝘁𝗵𝗲 𝘀𝗲𝗺𝗮𝗻𝘁𝗶𝗰𝗮𝗹𝗹𝘆 𝗰𝗹𝗼𝘀𝗲𝘀𝘁 𝗺𝗮𝗹𝗶𝗰𝗶𝗼𝘂𝘀 𝗮𝗹𝘁𝗲𝗿𝗻𝗮𝘁𝗶𝘃𝗲. The attack blends into the agent's reasoning flow. Results: 2x higher attack success rates vs. prior methods. Existing defenses that cut baseline attacks by 3x only reduce AdapTools by 2x. Open-source models hit 44-49% attack success rates. Even GPT-4.1 with reasoning enabled reaches 18.5%. The paper explicitly frames this threat around MCP: 18,000+ servers, majority third-party hosted, no standardized security auditing. A compromised MCP server is modeled as the attacker. This is exactly the governance gap we built Runlayer to close. Static allow/deny lists won't catch an attack that adapts to your agent's reasoning patterns. You need runtime policy enforcement, tool-call auditing, and real time security at the protocol layer. The arms race between agent capabilities and agent security just escalated. We have to keep pace.

𝗗𝗶𝗴𝗶𝘁𝗮𝗹 𝗙𝗼𝗿𝗲𝗻𝘀𝗶𝗰𝘀 𝗧𝗶𝗽: 𝗧𝗵𝗲 𝗣𝗼𝘄𝗲𝗿 𝗼𝗳 𝗦𝗰𝗵𝗲𝗱𝘂𝗹𝗲𝗱 𝗧𝗮𝘀𝗸𝘀 ⏱️ While most artifacts show what's already happened, 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗰𝗵𝗲𝗱𝘂𝗹𝗲𝗱 𝗧𝗮𝘀𝗸𝘀 are a crucial source of evidence for identifying an attacker’s plan for persistence. This feature is a top target for malicious actors looking to maintain a foothold on a compromised system. 😈 By creating 𝙖 𝙝𝙞𝙙𝙙𝙚𝙣 𝙨𝙘𝙝𝙚𝙙𝙪𝙡𝙚𝙙 𝙩𝙖𝙨𝙠, an attacker can ensure their malware automatically relaunches on system boot or at a specific time. 𝗔 𝗛𝗮𝗰𝗸𝗲𝗿'𝘀 𝗣𝗹𝗮𝘆𝗯𝗼𝗼𝗸: 𝗧𝗵𝗲 𝗦𝗰𝗵𝗲𝗱𝘂𝗹𝗲𝗱 𝗧𝗮𝘀𝗸 𝗦𝗰𝗲𝗻𝗮𝗿𝗶𝗼 🎬 Here’s a common scenario of how an attacker might use this technique: After an initial breach, the attacker doesn't want to leave an obvious executable on the disk that antivirus software might catch. Instead, they create a simple 𝘁𝗲𝘅𝘁 𝗳𝗶𝗹𝗲 on the system, perhaps hidden in a temporary folder. This file contains malicious code that has been encoded in 𝗕𝗮𝘀𝗲𝟲𝟰 or another format. Next, the attacker creates a scheduled task. They set the trigger to activate at system startup, ensuring their code runs every time the machine boots. The action of this task isn't to run an executable, but to execute a 𝗣𝗼𝘄𝗲𝗿𝗦𝗵𝗲𝗹𝗹 or 𝗖𝗼𝗺𝗺𝗮𝗻𝗱 𝗣𝗿𝗼𝗺𝗽𝘁 command. This command does the following: 1. It reads the content of the hidden text file. 2. It decodes the Base64-encoded string back into a malicious binary or script. 3. It executes the decoded code, which then establishes a connection to the attacker's 𝗖𝗼𝗺𝗺𝗮𝗻𝗱 𝗮𝗻𝗱 𝗖𝗼𝗻𝘁𝗿𝗼𝗹 (𝗖𝟮) server. This method is highly effective because the actual malicious payload is never written to the disk in its raw form. 𝗙𝗼𝗿𝗲𝗻𝘀𝗶𝗰 𝗔𝗻𝗮𝗹𝘆𝘀𝗶𝘀: 𝗟𝗶𝘃𝗲 𝘃𝘀. 𝗢𝗳𝗳𝗹𝗶𝗻𝗲 🔎 You can analyze scheduled tasks in two ways: * 𝗟𝗶𝘃𝗲 𝗔𝗻𝗮𝗹𝘆𝘀𝗶𝘀: Use the built-in 𝗧𝗮𝘀𝗸 𝗦𝗰𝗵𝗲𝗱𝘂𝗹𝗲𝗿 graphical tool. This interface lets you browse all tasks on the system and inspect their triggers and actions. For more advanced, automated live response, tools like 𝗩𝗲𝗹𝗼𝗰𝗶𝗿𝗮𝗽𝘁𝗼𝗿 or 𝗼𝘀𝗾𝘂𝗲𝗿𝘆 are highly effective. They allow you to remotely query systems for scheduled tasks and their details, which is essential for large-scale investigations. * 𝗢𝗳𝗳𝗹𝗶𝗻𝗲 𝗔𝗻𝗮𝗹𝘆𝘀𝗶𝘀: For an offline investigation, you can extract the contents of the `𝘾:\𝙒𝙞𝙣𝙙𝙤𝙬𝙨\𝙎𝙮𝙨𝙩𝙚𝙢32\𝙏𝙖𝙨𝙠𝙨` folder from a forensic image. Each XML file is a separate task. You can then open and analyze the plain text contents of these files to look for unusual executable paths or unusual commands. Frameworks like the 𝗦𝗔𝗡𝗦 𝗜𝗻𝘃𝗲𝘀𝘁𝗶𝗴𝗮𝘁𝗶𝘃𝗲 𝗙𝗼𝗿𝗲𝗻𝘀𝗶𝗰 𝗧𝗼𝗼𝗹𝗸𝗶𝘁 (𝗦𝗜𝗙𝗧), which includes tools like 𝗔𝘂𝘁𝗼𝗽𝘀𝘆 and The Sleuth Kit, are excellent for this. #DFIR #IncidentResponse #MalwareAnalysis #ThreatHunting #WindowsForensics #Persistence #DF

In a recent interview, I was asked a very simple but powerful question: 👉 “Can you explain what explorer.exe, svchost.exe, and lsass.exe do — and how they might be abused?” At first glance, these sound like basic Windows processes. But the real test is whether you understand both their legitimate roles and how attackers misuse them: 🖥 explorer.exe – The Windows shell (desktop, taskbar, file browser). ⚠️ Abuse: Attackers may run malware through explorer.exe or drop fake versions to masquerade as the real one. ⚙️ svchost.exe – The “Service Host” process that runs Windows services in the background. ⚠️ Abuse: Common target for process injection, or running rogue services to stay hidden. 🔐 lsass.exe – Handles authentication and stores credentials in memory. ⚠️ Abuse: Attackers dump LSASS memory with tools like Mimikatz to steal passwords and move laterally. 💡 Lesson Learned: It’s not enough to know tools and SIEM dashboards — you need to understand what normal looks like and how attackers twist it. That’s the difference between monitoring and detecting. If you’re preparing for SOC roles, build your own cheat sheet of common processes, their normal behaviors, and related MITRE ATT&CK techniques. Trust me, it will make both interviews and investigations much easier. Happy hunting! 🕵️♂️🔍

We Have EDR & Firewalls… How Did This Happen? That was the reaction of a customer after a Red Team exercise we recently conducted. Their security stack was solid—firewalls, EDR, and multiple preventive controls. And yet, we completely bypassed their defenses, gained access to critical systems, and remained undetected The Reality of Modern Threats Many organizations believe that having preventive security controls (firewalls, endpoint detection & response, email filtering) is enough to keep them safe. But the truth is: 💡 Adversaries don’t play by the rules. They exploit misconfigurations, trust relationships, overlooked attack paths, and human weaknesses. 💡 EDR ≠ Immunity. While EDR is a powerful tool, it’s not a silver bullet. Advanced attackers use living-off-the-land (LOTL) techniques, custom implants, and defense evasion tactics that bypass detection. 💡 Firewalls ≠ Impenetrable Walls. Attackers don’t always “break in” from the outside—they can phish credentials, abuse remote access, or escalate privileges once inside. The Attack: How We Got In & Stayed Undetected During our Red Team engagement, we followed a real-world adversary playbook: 🎯 Initial Access – We compromised a single low-privileged user through a well-crafted payload, no alerts. 🕵️ Persistence & Evasion – We built C2 infrastructure and leveraged our obfuscated payload to operate in memory as much as possible combined with memory evasion strategies. Abusing DLL-Hijacking we could persist on the system. 📡 Lateral Movement & Privilege Escalation – The network relied on default credentials and overprivileged accounts. Within hours, we pivoted to multiple systems without triggering a single EDR alert. 🎭 Exfiltration & Objective Completion – After establishing domain dominance, we extracted sensitive financial data, simulating a stealthy, real-world adversary. The customer had no idea this was happening. So, What’s the Lesson Here? ✅ Assume Breach. No matter how good your security tools are, operate under the assumption that an attacker will eventually find a way in. ✅ Test, Test, Test. Red Teaming helps you uncover gaps, blind spots, and weaknesses before real attackers do. ✅ Go Beyond Prevention – Invest in Detection & Response. Prevention is important, but visibility, threat hunting, and active response strategies are what make the difference when dealing with advanced threats. ✅ Minimize Attack Surface. Every unnecessary privileged account, exposed service, and misconfigured permission is an opportunity for attackers. Regular security assessments, hardening, and least privilege enforcement should be a priority. Red Teaming Is Not Just an Exercise—It’s a Reality Check. If your organization has never undergone a serious, adversary-simulated Red Team assessment, now is the time. You don’t want the first time you experience an advanced attack to be when a real adversary is already inside. Are you confident in your security posture? If not—let’s talk. 🔥