- Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead
  We discovered a Windows rootkit loader [F1] for the malware family FK_Undead. The malware family is known for intercepting user network traffic through manipulation of proxy configurations. To the best of our knowledge the rootkit loader hasn’t been officially analyzed before. As required by any Windows kernel driver, the rootkit loader is validly signed with…
- Malware by the (Bit)Bucket: Unveiling AsyncRAT
  Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket.
- Exploring GenAI in Cybersecurity: Gemini for Malware Analysis
  How useful are Generative AI technologies when used in a security context? We have taken the plunge and given it a try.
- BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
  We break down the full infection chain of the Brazilian-targeted threat BBTok and demonstrate how to deobfuscate the loader DLL using PowerShell, Python, and dnlib.
- Sandbox scores are not an antivirus replacement
  Automatic sandbox services should not be treated like “antivirus scanners” to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, providing an “overall score” or “verdict” is misleading.
- Ailurophile: New Infostealer sighted in the wild
  We discovered a new stealer in the wild called “Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the website’s web panel, its customers are provided the ability to customize and generate malware stubs.…
- Opinion: More layers in malware campaigns are not a sign of sophistication
  Ten infection and protection layers to deploy malware sounds impressive and very hard to deal with. However, adding more layers counterintuitively does the opposite for antivirus evasion and is not a sign of sophistication. Why is that so?
- SocGholish: Fake update puts visitors at risk
  The SocGholish downloader has been a favourite of several cybercrime groups since 2017. It delivers a payload that poses as a browser update. Like any piece of malware, it undergoes an evolutionary process. We have taken a look at the latest developments, which target WordPress-based websites.
- Turla: A Master’s Art of Evasion
  Turla, a well-known piece of malware, has taken to weaponising LNK files to infect computers. We have observed a current example of this. Learn more about the details in this article!
- UN aviation agency ‘actively investigating’ cybercriminal’s claimed data breach
  The International Civil Aviation Organization (ICAO) said it was responding to claims of a data breach “allegedly linked to a threat actor known for targeting international organizations.”