imp0rtp3

@imp0rtp3

Security Researcher, Threat Intelligence And Malware Analysis for fun. Keybase: imp0rtp3

Joined June 2021
1 Photo or video Photos and videos

Tweets

You blocked @imp0rtp3

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @imp0rtp3

  1. Pinned Tweet
    25 Nov 2021

    Really excited to finally publish my malware research of SoWaT - APT31's router implant.

    12 replies . 242 retweets 642 likes
    Show this thread
    Show this thread
    Undo
  2. Retweeted
    15 Dec 2021

    . 🇫🇷New publication on . Two publications, the first on on the intrusion set (TTPs etc.) and another on aka ↘️

    1 reply . 15 retweets 49 likes
    Show this thread
    Show this thread
    Undo
  3. Retweeted
    11 Dec 2021

    Log4Shell Detector v0.1 Python based scanner that tries to detect even the most obfuscated versions of the exploit code - first version: I did a few tests, not more - please provide pull requests with improvements

    12 replies . 541 retweets 1,471 likes
    Undo
  4. 25 Nov 2021

    5 likes
    Show this thread
    Show this thread
    Undo
  5. 25 Nov 2021

    Thanks to & for mentioning and attributing the sample and for their excellent APT31 report:)

    2 replies . 1 retweet 10 likes
    Show this thread
    Show this thread
    Undo
  6. 12 Nov 2021

    Added a rule for capstone.js. will alert if any website tries to load it.

    More technical details from and the team on last months exploit and the associated campaign. TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.
    Show this thread
    5 retweets 13 likes
    Undo
  7. Retweeted
    10 Nov 2021

    👌

    3 retweets 16 likes
    Undo
  8. Retweeted
    10 Nov 2021

    , , ... whatever its name, 's team had an in-depth look at this 🇨🇳intrusion set. 🧐Discover our latest research findings on the infrastructure and implants used by APT31:

    1 reply . 83 retweets 138 likes
    Undo
  9. Retweeted
    1 Nov 2021

    published an article (our CEO and co-founder) wrote about a state-sponsored surveillance JS framework found by researchers , , and . Read more =>

    1 reply . 5 retweets 5 likes
    Undo
  10. 28 Oct 2021

    One would think that before declaring to invest $20 Billion on cybersecurity Microsoft could sign their own executables, which are literally shipped with every Windows image.

    I had a dream. In that dream all Windows security components had digital signatures. Then I woke up.
    1 like
    Undo
  11. Retweeted
    28 Oct 2021

    I had a dream. In that dream all Windows security components had digital signatures. Then I woke up.

    12 replies . 54 retweets 313 likes
    Undo
  12. Retweeted
    27 Oct 2021

    Nice research by . We track this as FinickyFrogfish and is used by TA444 🇰🇵 (DPRK actor using CageyChameleon). Throughout 2019 and 2020 this implant was used to manage various TA444 C2s. In at least one case it was deployed via brute-forcing RDP.

    has discovered a unique and undescribed for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. We have named this new malware after one of its DLLs. 1/7
    Show this thread
    1 reply . 28 retweets 68 likes
    Show this thread
    Show this thread
    Undo
  13. Retweeted
    19 Oct 2021

    We have good news — after years OneDrive is finally hosting no malware listed on , and for the first time in history Microsoft have fallen off the top ten malware hosters. All the Bazaloader, BazaISO and Qakbot TR payloads are gone. Keep it up MS. Customers are safer.

    9 replies . 67 retweets 287 likes
    Show this thread
    Show this thread
    Undo
  14. Retweeted
    18 Oct 2021

    I think a lot about detection as being part of a spectrum (™) and that is typically a defensive centric view of logic designed to find evil and resulting tech/data/time/threat density. A diff way to think about it might be to think about a range of adversary control.

    1 reply . 5 retweets 28 likes
    Show this thread
    Show this thread
    Undo
  15. Retweeted
    17 Oct 2021

    In ~80% of the APT cases in the years 2012 to 2019 (when I got out of IR) we found evidence in Antivirus logs of the affected systems (password dumpers, web shells, malicious scripts, malware) It isn't a tool problem. It's an attention problem.

    29 replies . 180 retweets 693 likes
    Show this thread
    Show this thread
    Undo
  16. 13 Oct 2021

    Really nice research by . It's great to see more companies addressing the societal and economical context and connecting it to the TTPs.

    New research out today takes a look at cybercrime in Germany. We showed our work here, listing hypotheses we had going into it and what the data ended up showing. Check it out:
    Show this thread
    1 reply . 2 likes
    Undo
  17. 8 Oct 2021

    Great move by , I hope it will catch on to more companies.

    URLhaus adds more pressure on threat actors that are abusing the domain name space for distributing malware 👮 Today, we started to notify domain registrars and registries about domains that have been setup by threat actors for the sole purpose of distributing malware 📩🛑
    Show this thread
    Undo
  18. 8 Oct 2021

    Really interesting to see the shift of Sofacy from custom made high quality arsenal like , and to "service-reset-password-moderate-digital[.]rf[.]gd"

    A few indicators related to this campaign: service-reset-password-moderate-digital[.]rf[.]gd reset-service-identity-mail[.]42web[.]io digital-email-software[.]great-site[.]net
    4 replies . 4 retweets 5 likes
    Undo
  19. 8 Oct 2021

    Some very nice Linux malware there...

    analyzed , a previously unknown family that utilizes custom and well-designed modules, targeting systems. 1/6
    Show this thread
    1 reply . 3 likes
    Undo
  20. 29 Sep 2021

    If you wonder what's the problem with the industry, describes it here vividly:

    Seriously, I can't even count how many tweets I saw in the past weeks that listed malware source links/C2s/etc - some from "big name" accounts - with domains registered at Namecheap. Some of them was tweeted even weeks before I saw them, yet still not one of the 100s/1000s (1/4)
    Show this thread
    4 retweets 10 likes
    Undo

@imp0rtp3 hasn't Tweeted yet.

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·