İbrahim BALOĞLU - Cyber Security Posts
This group was created to share content in the field of cyber security.
#Malware_analysis
1⃣ Earth Estries/Salt Typhoon
https://bartblaze.blogspot.com/2025/10/earth-estries-alive-and-kicking.html
2⃣ A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities
https://hybrid-analysis.blogspot.com/2025/10/a-deep-dive-into-warlock-ransomware.html
3⃣ 10 npm Typosquatted Packages Deploy Multi-Stage Credential Harvester
https://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester
4⃣ Phishing with Invisible Characters in the Subject Line
https://isc.sans.edu/diary/A+phishing+with+invisible+characters+in+the+subject+line/32428
#hardening
"Microsoft Exchange Server Security Best Practices",
Oct. 2025, Ver.1.0.
]-> Exchange Server TLS configuration best practices
]-> Exchange Health Checker script
#tools
#Offensive_security
1⃣ Indirect Syscall Detector
https://github.com/EvilBytecode/Detecting-Indirect-Syscalls
// Detection of indirect syscall techniques using hardware breakpoints and vectored exception handling
2⃣ VEH-Based Function Call Obfuscation
https://github.com/EvilBytecode/Ebyte-Syscalls
// Obfuscating function calls using Vectored Exception Handlers by redirecting execution through exception-based control flow
3⃣ UnderlayCopy PowerShell toolkit
https://github.com/kfallahi/UnderlayCopy
// PowerShell toolkit that extracts locked Windows files (SAM, SYSTEM, NTDS, ...) using MFT parsing and raw disk reads
Acunetix Premium Plus OnPremise with API Discovery
v 25.8.250820089
win64
download
CVE-2025-12044 HashiCorp Vault
Attack script (flood.py)
#NetSec
#Tech_book
"Python for Security and Networking. Third Edition", 2023.
]-> Repo
// Leverage Python modules and tools in securing your network and applications
#Analytics
#Threat_Research
An analytical review of the main cybersecurity events for the week (October 18-25, 2025)
1⃣ AWS Outages
// We've decided to wait for Amazon's official, detailed report on this incident (linked above). The cause is a hidden race condition in DynamoDB's DNS management system
2⃣ Squid Proxy Vulnerability (CVE-2025-62168)
// This problem allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. A PoC was released two days ago
3⃣ Exploiting a Patched Adobe Commerce Vulnerability (SessionReaper, CVE-2025-54236)
// Deploy the patch or update to the latest version, enable a WAF, and run a malware scanner to check the system for signs of compromise
4⃣ TARmageddon (CVE-2025-62518)
// The RCE vulnerability impacts widely used projects, including uv (Astral's Python package manager), testcontainers, and wasmCloud. It enables file-overwrite attacks within extraction directories, supply-chain attacks via build-system and package-manager exploitation, and BOM bypass for security scanning. For a deeper dive into the security aspects of Rust, a book is available
5⃣ XSS to ATO via Server Size Errors Gadgets
// The publication demonstrates how status codes 414 and 431 are used to break redirect chains and intercept sensitive information (session tokens). These status codes still open numerous attack vectors [1, 2, 3] ...
Have a great weekend and stay safe!
#Malware_analysis
1. IAmAntimalware: Inject Malicious Code Into Antivirus
https://www.zerosalarium.com/2025/10/IAmAntimalware-Inject-Code-Into-Antivirus.html
2. "Beamglea" phishing campaign
https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure
3. Polymorphic Python Malware
https://isc.sans.edu/diary/Polymorphic+Python+Malware/32354
#Malware_analysis
1. WARMCOOKIE backdoor
https://www.elastic.co/security-labs/revisiting-warmcookie
2. BadIIS / ASP NET Web BackDoor
https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud
3. SORVEPOTEL malware campaign
https://www.trendmicro.com/en_gb/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
4. Confucius Backdoor
https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor
5. ProSpy Android spyware
https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae
In response to the discount requests we received, for one month only you can purchase the Cyber Incident Response Training at a discounted price of just 499,99₺. 🔥https://www.udemy.com/course/siber-olaylara-mudahale-egitimi-windows-forensics/?couponCode=0E79BF936A6C0F835C9E
#Purple_Team_Exercises
BadSuccessor Is Dead, Long Live BadSuccessor(?)
https://www.akamai.com/blog/security-research/badsuccessor-is-dead-analyzing-badsuccessor-patch
]-> BadSuccessor (pre-patch)
// Mitigation:
- Update your Windows Server 2025 domain controllers for CVE-2025-53779
- Review permissions on OUs, containers, and dMSA objects themselves. Tighten delegations and remove broad rights so that only Tier 0 admins can create or modify dMSAs and their migration link attributes
#WebApp_Security
1. Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover
https://zere.es/posts/cache-deception-cspt-account-takeover/
2. Smuggling Requests with Chunked Extensions: A New HTTP Desync Trick
https://www.imperva.com/blog/smuggling-requests-with-chunked-extensions-a-new-http-desync-trick
#tools
#IoT_Security
#Malware_analysis
"Catch-22: Uncovering Compromised Hosts using SSH Public Keys", 2025.
]-> Dataset contains the patched Zgrab2 implementation for the SSH scan as well as the bash script for executing the scan
#Red_Team_Tactics
1. Can you enable the WebClient service remotely as a low privileged user?
https://specterops.io/blog/2025/08/19/will-webclient-start
]-> RPC to WebClient startup
2. Escaping the Matrix: Client-Side Deanonymization Attacks on Privacy Sandbox APIs
https://spaceraccoon.dev/client-side-deanonymization-attacks-privacy-sandbox-apis
]-> Privacy Sandbox enrollment attestation model
#tools
#Red_Team_Tactics
"Turning your Active Directory into the attacker’s C2: Modern Group Policy Objects enumeration and exploitation"
]-> gpoParser Tool
]-> GPOwned PoC
#Malware_analysis
1. New trends in phishing and scams: how AI and social media are changing the game
https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/
2. Crypto24 ransomware
https://www.trendmicro.com/en_gb/research/25/h/crypto24-ransomware-stealth-attacks.html
3. Technical Analysis of Ducex: Packer of Triada Android Malware
https://any.run/cybersecurity-blog/ducex-packer-analysis
#Malware_analysis
1. DoubleTrouble Mobile Banking Trojan
https://zimperium.com/blog/behind-random-words-doubletrouble-mobile-banking-trojan-revealed
2. From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira
3. Python-based PXA Stealer and Its Telegram-Powered Ecosystem
https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem
BurpSuite PRO + extensions + Bounty Pro
version: 2025.6.1
download
#burpPro
CTI Centralization; OpenCTI
https://medium.com/@sergenyanmis/cti-merkezileştirme-opencti-b01310c4112c
#Malware_analysis
1. VELETRIX Loader Dissection
https://0x0d4y.blog/telecommunications-supply-chain-china-nexus-threat-technical-analysis-of-veletrix-loaders-strategic-infrastructure-positioning
2. Hiding Payloads in Linux Extended File Attributes
https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116
]-> PoC
3. DeedRAT Backdoor
https://lab52.io/blog/deedrat-backdoor-enhanced-by-chinese-apts-with-advanced-capabilities