Posts

Inside MacSync: The Stealer Silently Backdooring Ledger Wallets

This was a collaboration article with Abdelghafour Bouhdyd (@1nt3l_hunt) about a MacSync Stealer campaign. It can be found on his blog: https://chaink1ll.wordpress.com/2026/03/07/inside-macsync-the-stealer-silently-backdooring-ledger-wallets/

Quirks of an EDR: Usermode

Introduction

EDR vendors solve the same problems, they just do it differently. This causes logical pitfalls to occur. This is a work-in-progress article about an EDR, a formal representation of my notes: a static (not dynamic) analysis of different parts of an EDR. I'll highlight some remarks on the usermode components. The kernel mode part might come later. I'll try to be concise and on point. Of course, everything I mention here needs dynamic analysis to verify.

Hook Installation

The EDR installs hooks on a set of API functions in ntdll.dll to log telemetry into ETW by injecting a DLL into all processes. Each function meant to be hooked is represented by a 4-part structure whose elements are, in order:

- The name of the DLL where it resides.
- The name of the API function.
- A pointer to the original function.
- The "hook".

The "hook" is a function that calls the original one and logs telemetry. The next figure is an example: After calling the original API function by...

Another example of an Opsec failure in malware C2 Panels

Introduction

This is not going to be a long article. I wrote some articles before about blunders in malware infrastructures. Some threat actors make bad mistakes, and that could cost them their infrastructure or, in the case of stealers, their logs.

- This article shows an example of a simple bug that could cost the threat actors their entire infrastructure: https://www.rootkall.com/2025/03/hacking-website-used-to-deliver-malware.html
- This one is about a stealer called Gremlin, whose logs were accessible via an "Index Of" page :p https://www.rootkall.com/2025/04/gremlin-stealer-strings-decryption.html

I wasn't really sure if I should write about this case, but sharing knowledge is always good. As you can see in the screenshot, someone shared a C2 panel, and I love these in the sense that I try to compromise them. I pointed out in a reply to the tweet the blunder that was made. The C2 panel is open source: a quick search for "C2WebServer" in a search engine would yi...