Alexey Vishnyakov

April, , Barcelona ... Let's dive deeper into high-level threats at @TheSAScon together. See you all! #TheSAS2020pic.twitter.com/hDkpeAE5eu

Suddenly old signed (DUHANEY LIMITED) DnsShellClient under #TA505 group packer 5dedfd0d766de680e5a7bb0612bee53c \\Mac\Home\dev\e-spy\DnsShellClient\bin\Win32\Release\installer.pdb ns1[.]dot[.]net[.]in A few links with #FrameworkPOS https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/ … #APT #FIN6pic.twitter.com/COz8HtdO2M

A quite convenient approach for choosing the domain name by #StrongPity group: apt5-secure3-state[.]com ab6d150d745053afae1d86f464954c42 a9c7d342359cb7a6180f71c6dc18be2b Fake overlaps with #Manganese and a false trace to China? ... #APT #PROMETHIUMpic.twitter.com/UqWVimvKZp

One more #Bisonal #APT malware from recent attacks against Russia and South Korea. XOR encrypted payload. RC4 encrypted strings and C2 communication remains the same. 221b9de416d42a979288cfa196912af4 15af764731c257caf1ee26d1cfc049a9 etude.servemp3[.]com https://app.any.run/tasks/861c9b52-c59b-4763-8a94-3e64d03e94ed/ …pic.twitter.com/HKjmMt4ch7

New Year wishes from the #TA505 group (with love for russian researchers): MD5: a7cea801e0382676ff8e800187607276 hxxp://jopanovigod.xyz/f8h7ghd8gd8/index.php jopanovigod -> jopa novi god -> ass new year #ServHelperpic.twitter.com/dgaLTXrh6D

The #BronzeUnion/#LuckyMouse/#APT27 infection checker. Possibly from http://cert.ir  MD5: 86c9e95dcf69f6eca2a176407dcb99ff RahaSecIOC-x86.exepic.twitter.com/dthcwWUB2M

A few fresh and rebuilt #ServHelper samples related to #TA505 group. The Vigenere encryption for strings remains the same.pic.twitter.com/S2nDqYYiA1

#TA505 group started using the #AZORult stealer under their packer: ccdc3f83d847daf09e6c10be46b63b2e 185.203.117[.]232pic.twitter.com/KjKfxiZ64W

#DADJOKE loader from Malaysian attacks linked to TEMP.Periscope #APT group: 8a133a382499e08811dceadcbe07357e accountsx.bounceme[.]net https://app.any.run/tasks/ed03d492-688e-4182-9a06-6f65d8cb18fc/ … #Leviathan #APT40pic.twitter.com/0B9chg2FGO

Problems with an office document? Nothing after opening? Seems that suspicious? Try to print out it! 27a10e250f846dbfca0f56b12913d60d #InfoSec #Funpic.twitter.com/fc7e5b1Xed

A funny korean fake_konni.doc with #Russian text and #Ahnlab domain as C2. Some kind of joke? :-) bf27815282d53d4182f54507e83b8c5a hxxp://file.ahnlab.com/1.txtpic.twitter.com/zMlDhJKZlG

One more overlap between groups: #Silence MainModule backdoor under #TA505 packer. A config is compressed with the adaptive #Huffman -based algorithm. 692c4e4db4aaec596dc570b1f12b8c2a 45.84.0[.]201 Special thanks to @immortalp0ny #APTpic.twitter.com/8r3anZLHST