

I appreciate that you wanted to help people even if it didn’t land how you intended. :)



If you’re seeing this follow all this idiot’s posts and mass report.


I can’t sleep :(


Typosquat domain for sure! In a sandbox I’m seeing that all the download links point to the same HTML page on a .ink domain that Cloudflare is now refusing to serve.
But our buddy Joe already got a copy for us, so we can at least view that report for fun: https://www.joesandbox.com/analysis/1763244/1/html
Edit: It pulls down an MSI installer or something that it runs with msiexec, but disguised with a PDF file extension. It seems to want a copy of cmd.exe to exist in an AutoIt installation (SearchPathW vs “C:\Program Files (x86)\AutoIt3\cmd.exe”) as well as pointing toward the multilanguage (.exe.mui) and other cmd variants. I suspect we’re one step away from a real payload with this report, and that’s what we’d see the “Invoke-Obfuscation” PowerShell the sandbox spotted used for (if that wasn’t a false positive due to the base64 offset string).


In my opinion the PS5 controller’s stupid shell and randomly placed Torx screw heads make it hard to open and work on compared to older controllers, and they use a potentiometer that’s cheap and prone to drift. I’ve cleaned some with isopropyl and YouTube guides to good effect, but you’ll need special screwdrivers to do so if I’m remembering right.
It’s not impossibly hard, but mind the plastic bits you can chip off easily if you haven’t done it before!


For clarity, this is Windows malware, not a browser exploit.
Distributed as a C++ payload, persists in Startup by writing itself there with the CopyFileA API, uses PowerShell to pull browser data from the file system… This is Windows malware that knows what files to look in for various browsers and then exfiltrates via Telegram. I wouldn’t have titled it like this, since it makes it seem like a browser exploit instead of a ball of C++ and PowerShell, but it’s neat that they cast such a wide net, I guess. No mention so far of distribution method, initial exploit, or group attribution that I’ve been able to spot.
Original report from July: https://hybrid-analysis.blogspot.com/2025/07/new-advanced-stealer-shuyal-targets.html
Additional info: https://www.pointwild.com/threat-intelligence/shuyal-stealer-advanced-infostealer-targeting-19-browsers
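A defender-side illustration of the chain described in the comment above (Startup persistence, PowerShell reading browser credential stores, Telegram exfiltration), as an added example that is not from the original post or the linked reports. The Sysmon-style event format, file paths and process ids are constructed assumptions; the point is that the three stages are correlated per process tree, since any one of them alone is common in legitimate software.

```python
import re
from collections import defaultdict

# Path patterns for the three behaviours the post describes.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
BROWSER_SECRETS = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I)
TELEGRAM_API = "api.telegram.org"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style events (field subset); not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 900, "image": r"C:\Users\a\Downloads\report.pdf.exe"},
    {"type": "file_create", "pid": 4120,
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.exe"},
    {"type": "process_create", "pid": 4188, "ppid": 4120, "image": PS},
    {"type": "file_read", "pid": 4188,
     "target": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns_query", "pid": 4188, "query": TELEGRAM_API},
    # Benign: an installer dropping a Startup shortcut, with no browser access or exfil.
    {"type": "process_create", "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "file_create", "pid": 5000,
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
]

def stages_by_root(events):
    """Attribute each behavioural stage to the root of its process tree.

    Returns {root_pid: set(stage_names)}; child processes (the PowerShell
    helper) are folded into the parent that spawned them.
    """
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}

    def root(pid):
        # Walk up while the parent is itself a process we saw being created.
        while pid in parent and parent[pid] in parent:
            pid = parent[pid]
        return pid

    found = defaultdict(set)
    for e in events:
        r = root(e["pid"])
        if e["type"] == "file_create" and STARTUP_DIR.search(e["target"]):
            found[r].add("startup_persistence")
        elif e["type"] == "file_read" and BROWSER_SECRETS.search(e["target"]):
            found[r].add("browser_secret_access")
        elif e["type"] == "dns_query" and e["query"].lower() == TELEGRAM_API:
            found[r].add("telegram_exfil")
    return dict(found)

def flag_stealer_chains(events, min_stages=3):
    """Root pids whose tree shows at least min_stages of the chain."""
    return sorted(r for r, s in stages_by_root(events).items() if len(s) >= min_stages)
```

Running `flag_stealer_chains(SAMPLE_EVENTS)` flags only the tree rooted at the dropper, while the installer that merely writes a Startup shortcut is left alone.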
Krisp processing happens on device using your CPU if it’s enabled, per their FAQ: https://support.discord.com/hc/en-us/articles/360040843952-Krisp-FAQ