Tagged articles
64 articles
Black & White Path
May 18, 2026 · Information Security

How Fast16 Sabotaged Iran’s Nuclear Program: Inside the 17‑Year Mystery Unveiled

The article traces the nine‑year journey from the Shadow Brokers leak to the 2026 AI‑assisted reverse‑engineering of Fast16, revealing its three‑layer sabotage architecture, uranium‑density manipulation, targeted industrial simulation software, and its relationship to Stuxnet, while highlighting security lessons for critical infrastructure.

Tags: AI-assisted reverse engineering, Fast16, Stuxnet
Black & White Path
May 8, 2026 · Information Security

Why VECT Ransomware Fails to Decrypt Large Files: A Technical Breakdown

Security researchers discovered that VECT ransomware unintentionally embeds the ChaCha20 key and nonce for files under 128 KB, allowing easy decryption, while its chunked encryption of larger files loses three of four nonces, rendering those files permanently unrecoverable even after ransom payment.

Tags: ChaCha20, VECT, encryption bug
Black & White Path
May 1, 2026 · Information Security

Rare‑Earth Bait: Technical Analysis of a Shellcode Loader

The 2025 Malware Hunter sample disguises a password‑protected PDF about rare‑earth governance as bait, then uses SecurityKey.exe to display the password, allocate RWX memory, run a PEB‑traversing, API‑hashing downloader shellcode, impersonate a REIA domain, and finally execute the payload via Windows fibers, with detailed detection recommendations provided.

Tags: FNV-1a hash, fiber execution, information security
Black & White Path
Apr 25, 2026 · Information Security

Analyzing an AI‑Developed C2 Remote‑Access Trojan Framework

The article details an AI‑crafted C2 remote‑access trojan framework hosted at 101.32.128[.]36:8443, describing its Go implant, Python listener, PowerShell stager, custom 443‑based encryption, Telegram bot exfiltration, the payload delivery chain via paste.rs and GitHub Gist, and provides sample hashes for the binaries.

Tags: C2, Go, PowerShell
Black & White Path
Apr 17, 2026 · Information Security

Threat Alert: Cloud‑Native Cybercrime Group TeamPCP Targets Docker, Kubernetes, and Redis

TeamPCP, a newly identified cloud‑native threat group, has compromised at least 60,000 servers worldwide by exploiting exposed Docker APIs, Kubernetes clusters, Redis instances, and the React2Shell vulnerability, employing automated tools such as proxy.sh, kube.py, and react.py, with detailed MITRE ATT&CK mapping and concrete defense recommendations.

Tags: Docker, Kubernetes, MITRE ATT&CK
Code Mala Tang
Mar 31, 2026 · Information Security

How Malicious Axios Versions Hijacked NPM: A Deep Supply‑Chain Attack Analysis

StepSecurity uncovered a sophisticated supply‑chain attack on the popular Axios HTTP client where compromised maintainer credentials were used to publish malicious versions that injected a hidden postinstall RAT, evaded detection, and executed platform‑specific payloads before self‑destructing, prompting detailed forensic and remediation guidance.

Tags: Harden-Runner, RAT, axios
Black & White Path
Mar 27, 2026 · Information Security

Apifox CDN Supply Chain Attack: A Detailed Technical Walkthrough

On March 25, 2026, a malicious script hijacked Apifox's CDN, inflating a 34 KB tracking file to 77 KB and using obfuscated JavaScript, RSA and AES‑256‑GCM encryption to collect system fingerprints, SSH keys, Git credentials and exfiltrate them through a multi‑stage C2 chain.

Tags: Apifox, CDN, Electron
Black & White Path
Feb 27, 2026 · Information Security

Warning: AI‑Powered Arkanix Stealer Malware Targets All 22 Browser Wallets

A new AI‑assisted malware called Arkanix Stealer, promoted on dark‑web forums, can steal data from 22 cryptocurrency wallets, browsers, VPN services, and social platforms, offering both a Python‑based basic version and a native C++ advanced version, while highlighting the lowered barrier for cybercrime.

Tags: AI-assisted malware, Arkanix Stealer, browser wallet theft
Black & White Path
Feb 17, 2026 · Information Security

High Salaries Not Enough: 3 Big‑Tech Engineers Caught in fnOS Black‑Market Hacks

Police in Zhejiang dismantled a full‑cycle black‑market operation that stole, cracked and resold rental smartphones, arresting three high‑paid engineers from major internet firms who earned over ten million yuan by exploiting fnOS vulnerabilities, highlighting both technical methods and legal consequences.

Tags: IoT security, black market, device hacking
Black & White Path
Feb 17, 2026 · Information Security

Malicious Chrome Extensions Disguised as AI Assistants Steal Credentials – The AiFrame Campaign

Over 300,000 users have installed 30 malicious Chrome extensions that pose as AI assistants, stealing account credentials, email content and browsing data; the most popular, Gemini AI Sidebar, had 80,000 installs before removal, and the extensions share a common backend infrastructure.

Tags: AI assistants, Chrome extensions, Gmail phishing
Black & White Path
Feb 15, 2026 · Information Security

How TA584 Leverages Tsundere Bot and XWorm for Ransomware Attacks

The TA584 threat group, acting as a high‑activity initial‑access broker, now employs the Tsundere Bot and XWorm remote‑access trojans in a multi‑stage phishing chain that culminates in ransomware deployment, with Proofpoint noting a two‑fold activity surge and expanded geographic reach in 2025.

Tags: C2 infrastructure, TA584, Tsundere Bot
Efficient Ops
Oct 22, 2025 · Information Security

NSA‑Backed Attack on China’s Time‑keeping Center: Weapons, Tactics, Findings

The Chinese National Time Service Center revealed a sophisticated cyber‑attack attributed to the U.S. NSA, detailing the deployment of multiple custom malware families—including Back_eleven, eHome_0cx, and New_Dsz_Implant—used for data theft, persistent footholds, encrypted tunneling, lateral movement, and command‑and‑control via numerous IP addresses.

Tags: Cyber Espionage, NSA, information security
Tencent Technical Engineering
Sep 22, 2025 · Information Security

Inside the RapperBot DDoS Botnet: Anatomy, Attack Tactics, and Defense Strategies

An in‑depth investigation reveals the rise and takedown of the RapperBot DDoS botnet, detailing its malware lineage, sample analysis, sophisticated attack techniques, criminal profit models, and practical security recommendations, while showcasing Tencent’s Zeus Shield intelligence platform and AI‑enhanced threat analysis.

Tags: Botnet, DDoS, cybersecurity
Raymond Ops
Mar 5, 2025 · Information Security

Essential Kali Linux Penetration Testing Tools and How to Use Them

Explore the most common Kali Linux penetration testing utilities—including Nmap, Metasploit, Hydra, Wireshark, and more—organized by categories such as information gathering, vulnerability exploitation, password cracking, and network monitoring, with brief usage commands and guidance for each tool.

Tags: Kali Linux, Network Scanning, malware analysis
Sohu Tech Products
Sep 6, 2023 · Information Security

Unveiling DarkComet: In‑Depth Static & Dynamic Analysis of a Delphi RAT

This article provides a comprehensive technical breakdown of the DarkComet remote‑access trojan, covering its classification, Delphi‑based static characteristics, step‑by‑step dynamic behaviors such as hidden startup, file dropping, registry auto‑run, QQ data harvesting, SMS bombing, plus extracted IOCs and practical mitigation recommendations.

Tags: DarkComet, Delphi, IoC
Bilibili Tech
Jan 17, 2023 · Information Security

Botnet Threat Analysis and Detection Strategies: PBot, Xanthe and Countermeasures

The article delivers a technical overview of modern botnet threats, detailing the PBot and Xanthe families, their infection vectors, command‑and‑control operations, and provides practical detection, mitigation, and statistical analysis methods for defending against large‑scale DDoS, spam, and other malicious activities.

Tags: Botnet, Detection, Suricata
Huolala Safety Emergency Response Center
Dec 2, 2022 · Information Security

How to Detect, Contain, and Eradicate the DarkKomet RAT: A Full Incident Response Walkthrough

This article provides a step‑by‑step technical analysis of the DarkKomet remote‑access trojan, covering its capabilities, infection vectors, detection methods using TTP‑driven EDR, containment actions, eradication procedures, root‑cause forensics, and post‑incident recovery measures.

Tags: DarkKomet, EDR, Forensics
Open Source Linux
Aug 3, 2022 · Information Security

Unmasking a Fake GitHub Leak: From Weak Passwords to a Red Team Backdoor

During a penetration testing exercise, the team discovered a cleverly disguised GitHub repository that leaked credentials, leading to a vulnerable admin interface, a malicious Python‑based VPN client which, after reverse‑engineering with PyInstaller extraction, revealed embedded shellcode hidden in images, allowing the attackers to trace the command‑and‑control server and pinpoint the origin of the intrusion.

Tags: GitHub leakage, information security, malware analysis
MaGe Linux Operations
Jul 28, 2022 · Information Security

GoodWill Ransomware Forces Victims to Do Good Deeds – How It Works

GoodWill ransomware, discovered by CloudSEK in Mumbai, encrypts all files and demands victims complete three charitable acts and post a personal essay on social media before providing a decryption key, blending malware tactics with forced philanthropy while employing .NET, UPX packing, AES encryption, and location detection.

Tags: GoodWill, cybersecurity, information security
MaGe Linux Operations
Jul 24, 2022 · Information Security

When Ransomware Demands Good Deeds: Inside the GoodWill Malware

The GoodWill ransomware, discovered by CloudSEK in Mumbai, forces victims to perform three charitable acts, document them, and post a personal essay before providing a decryption key, while employing .NET, UPX packing, AES encryption, and location‑tracking techniques.

Tags: GoodWill, cybersecurity, malware analysis
Open Source Linux
Jun 1, 2022 · Information Security

How a SpringBoot Server Was Hijacked for Crypto Mining and What You Can Do

This article chronicles the discovery of a server breach used for cryptocurrency mining, analyzes the malicious Python payload and its system modifications, and provides concrete remediation steps such as system reinstall, non‑root deployment, firewall hardening, and Nginx authentication.

Tags: Cryptocurrency Mining, Server Security, SpringBoot
Open Source Linux
Jan 17, 2022 · Information Security

Mastering Incident Response: A Step‑by‑Step Guide for Security Professionals

This comprehensive guide walks security engineers through every phase of an incident response—from initial information gathering, containment, and vulnerability scanning to detailed log, process, and account analysis, culminating in recovery steps and post‑incident hardening recommendations.

Tags: Forensics, Security Operations, System Hardening
MaGe Linux Operations
Nov 13, 2021 · Information Security

Hive Ransomware Targets Linux: Bugs, New Features, and Industry Shift

Security researchers at ESET reveal that the Hive ransomware group has expanded its attacks to Linux and FreeBSD systems, releasing a buggy yet feature‑rich Linux variant written in Go, while noting a broader industry trend of ransomware operators developing Linux encryptors to compromise virtualized server environments.

Tags: Go, Virtualization, hive
Efficient Ops
Aug 3, 2021 · Information Security

How a Compromised Server Was Hijacked: Inside the gpg-agentd Malware Attack

This article walks through a real‑world server breach where a disguised gpg‑agentd process was used to install backdoors, download malicious scripts, exploit Redis, and launch mass scans, and then offers concrete hardening steps to prevent similar compromises.

Tags: gpg-agentd, malware analysis, masscan
MaGe Linux Operations
Jun 24, 2021 · Information Security

Inside a Crypto Mining Botnet: Step-by-Step Server Compromise Analysis

This article walks through a real-world server breach where attackers hijacked SSH access, deployed malicious scripts, leveraged Redis vulnerabilities, and turned the machine into a high‑speed crypto‑mining botnet, while offering detailed forensic clues and remediation advice.

Tags: Linux security, crypto mining, gpg-agentd
Java Architect Essentials
Jun 14, 2021 · Information Security

How the Qike PDF Converter Turns PCs into Botnets: Malware Analysis and Prevention

Huorong’s threat intelligence team discovered that the Qike PDF Converter carries a malicious proxy module that silently spreads via download‑site installers, hijacks system processes, persists as a startup service, and can turn infected machines into high‑CPU‑usage botnets, prompting immediate security updates.

Tags: Botnet, Huorong, Persistence
Open Source Linux
Apr 25, 2021 · Information Security

Understanding Remote-Control Trojans: Concepts, Deployment, Communication, and APT Threats

This comprehensive guide explains remote‑control trojans—covering their basic concepts, classifications, infection methods, communication techniques, typical functionalities, their role in APT attacks, and practical detection strategies—providing security professionals with essential knowledge to defend against these sophisticated threats.

Tags: APT, Remote access, malware analysis
Laravel Tech Community
Mar 23, 2021 · Information Security

Analysis of Qike PDF Converter Malware and Its Silent Propagation Mechanism

Security researchers discovered that the Qike PDF Converter embeds a malicious proxy module that silently spreads via download‑site installers, hijacks system processes, consumes CPU, persists as a startup service, and originates from a Hangzhou tech company, highlighting the risks of silent promotion in freeware distribution.

Tags: Huorong, malware analysis, pdf converter
Java Backend Technology
Mar 16, 2021 · Information Security

Inside the Fake WeChat App That Promotes Porn: Hidden Mechanics Unveiled

Security researchers dissect the counterfeit “Le Bao” app that mimics WeChat, revealing its covert QR‑code group‑joining, custom decoding, member‑paid porn livestreams, embedded payment methods, server infrastructure, and illicit profit models, highlighting its high concealment and the need for aggressive mitigation.

Tags: cybercrime, information security, malware analysis
Top Architect
Mar 9, 2021 · Information Security

Analysis of the ‘Le Bao’ Fraudulent Chat Application Used for Pornographic Promotion

This report provides a comprehensive technical analysis of the malicious "Le Bao" app that masquerades as a WeChat‑like chat tool, detailing its sample characteristics, hidden QR‑code group joining mechanism, payment flow, server‑side tracing, and profit model, highlighting its covert distribution of pornographic content and associated illicit activities.

Tags: information security, malware analysis, payment tracing
Java Architect Essentials
Mar 7, 2021 · Information Security

Security Analysis of the “Le Bao” Fake Chat Application Used for Pornographic Promotion

This report investigates the malicious “Le Bao” Android application that masquerades as a WeChat‑like chat tool, detailing its sample characteristics, hidden QR‑code group‑joining mechanism, membership‑based porn livestream access, promotion methods, profit model, and comprehensive traceability of servers, payment channels, and social accounts.

Tags: Mobile Security, Network Traffic, app investigation
macrozheng
Feb 2, 2021 · Information Security

How Malware Hides Its Mining Process on Linux and How to Uncover It

An infected Linux server shows high CPU usage but standard tools miss the culprit; this guide explains how mining malware hides its process via /proc tricks, demonstrates detection using network scans, unhide tools, and offers removal steps to eradicate the hidden miner.

Tags: Cryptocurrency Mining, Linux, information security
Efficient Ops
Jan 13, 2021 · Information Security

How to Detect and Eradicate a Hidden Linux Mining Botnet: A Step‑by‑Step Analysis

This article walks through a real‑world Linux mining malware infection, detailing how the attacker hid a malicious cron job, used LD_PRELOAD rootkits, propagated via SSH keys, and how the analyst uncovered and removed the threat using busybox, strace, and careful forensic commands.

Tags: Cryptocurrency Mining, incident response, malware analysis
ITPUB
Dec 4, 2020 · Information Security

Inside the gpg-agentd Malware that Hijacked an Alibaba Cloud Server

A detailed forensic walk‑through reveals how a disguised gpg-agentd binary compromised a CentOS server on Alibaba Cloud, using SSH key injection, malicious cron jobs, Redis abuse, and masscan scanning to spread and mine cryptocurrency.

Tags: Linux security, cron abuse, gpg-agentd
Liangxu Linux
Dec 2, 2020 · Information Security

How a Hidden gpg-agentd Process Hijacked a CentOS Server and Spread via Redis and Masscan

A detailed forensic walkthrough reveals how a compromised CentOS server was hijacked via a disguised gpg-agentd process, leveraged cron jobs to download malicious scripts, abused Redis for persistence, and used masscan for rapid scanning, followed by practical security recommendations to harden servers and Redis instances.

Tags: Cron Jobs, gpg-agentd, malware analysis
Efficient Ops
Nov 22, 2020 · Information Security

Unmasking the gpg‑agentd Malware: From Server Freeze to Full‑Scale Attack

This article walks through a real‑world compromise of an Alibaba Cloud server, detailing how a disguised gpg‑agentd process was used to install backdoors, hijack SSH keys, exploit Redis, and launch mass scanning with malicious scripts, and it concludes with practical hardening recommendations.

Tags: gpg-agentd, malware analysis, masscan
Top Architect
Nov 6, 2020 · Information Security

Security Analysis of the “Le Bao” Fake WeChat App Used for Pornographic Promotion

The report investigates the malicious “Le Bao” application that mimics WeChat, detailing its hidden QR‑code group‑joining mechanism, server‑side communication, payment and gambling integration, and the broader illicit promotion and profit model, while providing forensic traces, source‑code decoding, and mitigation recommendations.

Tags: Mobile Security, app spoofing, information security
Programmer DD
Oct 27, 2020 · Information Security

How a Fake WeChat App ‘LeBao’ Fuels Hidden Porn Networks – A Deep Dive

This report analyzes the malicious “LeBao” application that masquerades as a WeChat‑like chat tool, detailing its covert QR‑code group entry, custom decoding, member‑paid porn livestreams, payment fraud, server tracing, and recommended mitigation measures to curb its illicit operations.

Tags: app investigation, cybercrime, information security
JD Cloud Developers
Sep 25, 2020 · Information Security

Master Malware Analysis: Build a Cuckoo Sandbox with SystemTap Monitoring

This guide explains sandbox fundamentals, compares Windows and Adobe Reader sandboxes, and provides step‑by‑step instructions for installing and configuring a Cuckoo Linux sandbox on Ubuntu, including SystemTap syscall monitoring and signature creation illustrated with a Gonnacry ransomware case study.

Tags: Cuckoo, Linux, SystemTap
Programmer DD
Aug 9, 2020 · Information Security

Inside the GPG‑Agentd Malware: How a CentOS Server Was Hijacked and Spread via Redis

A compromised CentOS server was frozen by Alibaba Cloud after malicious outbound traffic; the investigation uncovered a disguised gpg‑agentd process, malicious cron jobs downloading remote scripts, a Redis exploit that injected SSH keys, and mass‑scan tools, illustrating a sophisticated multi‑stage malware infection.

Tags: cron, gpg-agentd, information security
Efficient Ops
May 31, 2020 · Information Security

Detecting and Eradicating Hidden Linux Mining Malware via Crontab and LD_PRELOAD

This article walks through a real‑world Linux mining malware incident, detailing how the attacker used a malicious crontab entry and LD_PRELOAD to hide processes, the forensic steps to uncover the payload, and practical remediation and hardening measures to prevent future compromises.

Tags: Cryptocurrency Mining, LD_PRELOAD, Linux security
ITPUB
Aug 19, 2019 · Information Security

Investigating an SSH Brute‑Force Compromise and Hidden Mining Malware on a Linux Server

A client reported unexpected outbound attack traffic from a server, prompting a step‑by‑step forensic investigation that confirms an SSH brute‑force breach, analyzes logs, identifies malicious network connections and cron jobs, uncovers hidden mining malware, and provides hardening recommendations to secure the Linux host.

Tags: Forensics, Linux, SSH brute force
21CTO
Jun 17, 2019 · Information Security

How a Hidden gpg-agentd Malware Hijacked SSH and Exploited Redis on a Cloud Server

A detailed forensic walk‑through reveals how a compromised Alibaba Cloud server was seized via a weak root password, a disguised gpg-agentd binary, malicious cron jobs, and Redis configuration abuse, ultimately enabling password‑less SSH access and large‑scale network scanning for cryptocurrency mining.

Tags: cloud security, incident response, malware analysis
ITPUB
Jun 17, 2019 · Information Security

How a Hidden gpg‑agentd Malware Hijacked a CentOS Server and Spread via Redis

A detailed forensic walk‑through shows how a compromised CentOS 6 server was infected by a disguised gpg‑agentd binary, how the attacker used cron jobs to pull malicious scripts, leveraged Redis write‑file vulnerabilities and masscan to scan the Internet, and provides concrete hardening recommendations.

Tags: Linux security, cron persistence, gpg-agentd
Efficient Ops
May 20, 2019 · Information Security

How a Hidden gpg-agentd Malware Hijacked an Alibaba Cloud Server

After a routine morning, the author discovers an Alibaba Cloud server frozen due to malicious outbound traffic, then traces a sophisticated malware chain involving a disguised gpg-agentd process, malicious cron jobs, compromised SSH keys, Redis exploitation, and mass scanning, culminating in detailed forensic analysis and security recommendations.

Tags: Cron Jobs, SSH Security, gpg-agentd
Efficient Ops
Dec 18, 2018 · Information Security

How the “DriverLife” Trojan Leverages EternalBlue for Rapid Worm‑Like Spread

On December 14, Tencent's security intelligence team uncovered a “DriverLife” Trojan that exploited the high‑severity EternalBlue vulnerability to propagate like a worm, infecting up to 100,000 users within two hours, and detailed its infection chain, malicious payloads, and mitigation recommendations.

Tags: EternalBlue, information security, malware analysis
Beike Product & Technology
Aug 15, 2018 · Information Security

Malware Incident Response: Analyzing and Removing a Persistent Windows Trojan

This article details a step‑by‑step incident‑response case study of a Windows internal‑network Trojan that exploited SMB port 445, describing how alerts were identified, malicious processes were traced, terminated, and fully removed using tools such as netstat, PChunter, and process monitoring utilities.

Tags: Network Scanning, Windows security, incident response
Tencent IMWeb Frontend Team
Aug 20, 2017 · Information Security

How a Web‑Ad Trojan Exploits IE to Deploy Crypto Mining

Tencent's security lab uncovered a large‑scale trojan spread via pornographic web ads that exploits the CVE‑2016‑0189 IE vulnerability, installs a backdoor, and runs a Zcash mining program, while also distributing Linux malware and controlling numerous C&C servers across Chinese provinces.

Tags: CVE-2016-0189, IE vulnerability, crypto mining
MaGe Linux Operations
Aug 19, 2017 · Information Security

How XShell Became a Backdoor: Deep Dive into Its Malicious Shellcode

Tencent Security Lab dissected the compromised XShell remote terminal, revealing a three‑stage malicious process where patched binaries load encrypted shellcode, exfiltrate system information via dynamically generated DGA domains, and ultimately deploy a svchost‑based payload, with detailed IOC listings and remediation advice.

Tags: DGA, IoC, Xshell
MaGe Linux Operations
Feb 26, 2017 · Information Security

How We Traced and Stopped a UDP Flood Attack on an Oracle‑Tomcat Server

During the Chinese New Year a client’s Oracle‑Tomcat server was overwhelmed by massive UDP traffic, prompting a forensic investigation that uncovered a hidden Trojan, detailed command‑line analysis, iptables hardening, and the root cause of a weak SSH password left after a hardware upgrade.

Tags: Linux forensics, SSH Security, incident response
ITPUB
Jul 20, 2016 · Information Security

Dissecting the XOR.DDoS Linux Trojan: Sample, Crontab Abuse, and Defense Steps

This article examines the XOR.DDoS Linux trojan (sample 101), detailing how it hijacks crontab to launch malicious scripts, the forensic clues left in system logs, and a step‑by‑step emergency removal procedure, while also discussing its polymorphic nature and the broader challenges of defending against such malware.

Tags: Defense Strategies, Linux trojan, XOR.DDoS
ITPUB
Mar 23, 2016 · Information Security

How Malicious ELF Files Evade IDA Pro and What You Can Do About It

The article reveals a novel ELF‑binary manipulation technique that prevents IDA Pro from loading malicious Linux samples, demonstrates reconstruction steps with hex editors, compares other disassemblers, and provides YARA rules and a GitHub script for detection and remediation.

Tags: ELF, IDA Pro, Linux security
Architect
Jan 22, 2016 · Information Security

Analysis of New MD5 Collision Malware and Its Attack Techniques

This article examines the evolution of a malicious MD5 collision campaign from 2014‑2015, detailing the chosen‑prefix collision method, the combination with digital signatures and dual‑signature tricks, the full infection workflow, and the large‑scale propagation and impact on millions of Windows users.

Tags: MD5 collision, chosen-prefix collision, digital signature
Architect
Dec 11, 2015 · Information Security

Detailed Analysis of a Targeted Trojan Distributed via a Fake Interview Outline

The article presents a comprehensive technical analysis of a sophisticated Windows trojan that masquerades as a Word document, detailing its delivery method, file extraction process, registry modifications, remote‑control capabilities, and the organized, targeted attack infrastructure behind it.

Tags: C2 infrastructure, Remote access, Windows
ITPUB
Nov 17, 2015 · Information Security

How the New Upatre Variant Evades Dynamic Sandboxes

The article explains two simple yet effective sandbox‑evasion techniques used by a new Upatre Trojan variant—checking system uptime via GetTickCount and monitoring mouse movement—to bypass dynamic analysis environments and remain undetected by antivirus scanners.

Tags: Dynamic analysis, GetTickCount, Upatre
Tencent TDS Service
Sep 19, 2015 · Information Security

Understanding XcodeGhost: How It Operates and How to Detect It

This article explains the XcodeGhost malware that infected iOS developers, detailing its data‑reporting and command‑issuing capabilities, the potential threats it poses on older iOS versions, and practical steps to detect and remove an infected Xcode installation.

Tags: Detection, Mobile Development, XcodeGhost