Evil AI Talk
Slides from a short talk on Evil AI I gave in February at DC612.
EvilAI is back at it again! Nothing significant has changed with the payload or the Node abuse, but the campaign has developed a new Advanced Installer MSI lure that unpacks and executes a WebView2 .NET application loader. This loader creates a temporary directory and downloads the Inno Setup installer that contains the Node payload and configuration files. Like previous campaigns, the Node payload is executed via a Scheduled Task.

Huorong is a Beijing-based security company that offers an Endpoint Security Management System suite for enterprise and government customers. In newly observed ClickFix attacks, the Huorong EDR product is abused as an entry point into compromised systems. The Huorong Configuration Manager is bundled into an Advanced Installer MSI and installed on victim devices, giving malicious actors complete control over the device. The installer is deployed through compromised domains serving ClickFix (FakeCAPTCHA) lures.

KongTuke is a threat actor that has recently increased their use of ClickFix and ClickFix-styled attacks. They’ve begun to use a branching infection path based on the domain status of an infected device: if the device is domain-joined, it receives a different payload from non-domain-joined devices. As Huntress notes, this is likely to identify and target Active Directory environments (also go read that write-up, it’s way better than this!).

In another episode of ChatGPT-ass malware, we have this beautiful sample from a Social Security Administration phishing page taken from an incident on January 8th, 2026. If this is your phishing page, you should probably feel bad.
The phishing page itself is hosted on a XAMPP (Apache + MariaDB + PHP + Perl) stack on a Windows server behind a free Cloudflare tunnel. Of course, they didn’t put any effort into configuring their server, so the default pages are easily accessible.

Slides from the Introduction to Malware Analysis workshop held on January 3rd, 2026. Samples are linked in the slides, but can also be acquired at Introduction to Malware Analysis Workshop Samples.
AceLauncher is a Potentially Unwanted Program (PUP) similar to Wave Browser, OneStart, and OneLaunch. It’s a Chromium-based browser that creates several scheduled tasks, AppData directories, and registry keys to maintain persistence on a device. While not overtly malicious, users will likely want to remove the browser, as it redirects to and serves potentially malicious content. This includes functions that link to ManualsLib domains and references to Wave Browser and Recipe Lister. The browser also uses Yahoo’s Hosted Search platform to serve sponsored content, driving revenue to the AceLauncher organization.

I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.
Examining the email in a text editor revealed that the headers had been manipulated.
The QR code image was extracted from the email via its Base64-encoded string object. This was put into CyberChef for rasterization and analysis.

A user received a phishing email that redirected them to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a Windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).
The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and then executes a function that reaches out to a public Cloudflare R2 bucket hosting the malicious RMM installer.

With the rise of AI, Vibe-Coded malware is now an existing threat. Sort of? In the way that a wet noodle could potentially kill you in the right circumstances, Vibe-Coded malware could also pose a threat. It’s just very unlikely. At least, with the current iterations out there.
Enter what I’m calling “Baby’s first malware”, AKA “Fisher-Price Malware”: a Vibe-Coded sample found on a user’s device. It’s an “obfuscated” PowerShell loader that pulls a payload that… takes screenshots and uploads them? Kind of? Technically, it works. Sometimes. In perfect conditions.