Unransomware: From Zero to Full Recovery in a Blink (Nov 4, 2024)
This blog post discusses how we, DCSO’s Incident Response Team (DIRT), were able to help an Akira ransomware victim restore their business…

XZ Backdoor: How to check if your systems are affected? (Apr 8, 2024)
A principal software engineer at Microsoft by the name of Andres Freund accidentally stomped upon a backdoor within XZ, the popular…

How Rogue ISPs Tamper With Geofeeds (Mar 19, 2024)
Geofeeds allow ISPs to publish information on the physical location of their networks. But what if a rogue ISP puts false information in…

To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer (Feb 21, 2024)
Earlier this year, DCSO observed an intriguing malware sample that we believe to be part of DPRK-linked activity targeting the Russian MID.

Overview: Evidence Collection of Ivanti Connected Secure Appliances (Feb 12, 2024)
This article summarizes methods that can be used to gather forensic evidence from Ivanti appliances.

Reporting on Volt Typhoon’s “JDY” Botnet Administration Via Tor Sparks Questions (Jan 30, 2024)
Not all Tor relays are created equal. A closer look at network communication between a Volt Typhoon C2 and a Tor relay prompts questions.

#ShortAndMalicious — DarkGate (Sep 19, 2023)
Dissecting DarkGate’s new key log encryption and tools to decrypt key log files.

Microsoft Edge Forensics: Screenshot History (Sep 3, 2023)
According to a recent article on Neowin, Microsoft Edge has a new feature that allows it to take screenshots of every web page a user…

Hostile Code: Dealing with stack strings in IDAPython (Aug 15, 2023)
Stack strings — a common obfuscation technique used in malware, and how to deal with them using IDAPython.

Andariel’s “Jupiter” malware and the case of the curious C2 (May 16, 2023)
DCSO monitoring caught a “Jupiter” sample configured to fetch commands from the homepage of the National Institute of Virology India.

#ShortAndMalicious — PikaBot and the Matanbuchus connection (Feb 10, 2023)
A brief analysis of the new loader malware PikaBot.

APT41 — The spy who failed to encrypt me (Dec 24, 2022)
This blog post is based on our recent investigation into one of APT41’s operations against an unnamed German company from the financial…

HZ RAT goes China (Nov 16, 2022)
Walking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we…

#ShortAndMalicious: StrelaStealer aims for mail credentials (Nov 8, 2022)
Quick look at a new stealer utilizing polyglot files.

Tracking down Maggie (Oct 11, 2022)
DCSO’s Incident Response Team (DIRT) provides insights on how to detect the novel MSSQL malware “Maggie” in your environment.

MSSQL, meet Maggie (Oct 4, 2022)
A novel backdoor for Microsoft SQL servers controlled using SQL queries.

Attack Chain Déjà-vu: The infection vector used by SVCReady, Gozi and IcedID (Jul 25, 2022)
Technical analysis of the SVCReady, Gozi and IcedID attack chain.

A deal with the devil: Analysis of a recent Matanbuchus sample (May 23, 2022)
Technical analysis of the Matanbuchus malware with focus on network traffic and commands.