Internet Storm Center
Diaries tagged SKYPE IM BOT

Date | Author | Title
2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality.

Diaries tagged SKYPE

Date | Author | Title
2014-01-01 | Russ McRee | Happy New Year from the Syrian Electronic Army - Skype’s Social Media Accounts Hacked
2012-11-14 | Jim Clausing | Skype account hijack vulnerability fixed
2011-05-31 | Johannes Ullrich | Skype EasyBits Add-on
2011-05-06 | Richard Porter | Unpatched Exploit: Skype for MAC
2010-12-30 | Rick Wanner | Obvious Lessons from the Skype outage
2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality.
2008-04-23 | Mari Nichols | What's New, Old and Morphing?
2006-12-18 | Toby Kohlenberg | Skype worm

Diaries tagged IM

Date | Author | Title
2024-09-18 | Guy Bruneau | Time-to-Live Analysis of DShield Data with Vega-Lite
2024-08-30 | Jesse La Grew | Simulating Traffic With Scapy
2023-10-09 | Didier Stevens | ZIP's DOSTIME & DOSDATE Formats
2023-07-07 | Xavier Mertens | DSSuite (Didier's Toolbox) Docker Image Update
2023-05-30 | Brad Duncan | Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT
2023-02-28 | Brad Duncan | BB17 distribution Qakbot (Qbot) activity
2022-12-30 | Jan Kopriva | SPF and DMARC use on GOV domains in different ccTLDs
2022-12-20 | Xavier Mertens | Linux File System Monitoring & Actions
2022-10-24 | Xavier Mertens | C2 Communications Through outlook.com
2022-06-26 | Didier Stevens | More Decoding Analysis
2022-04-07 | Johannes Ullrich | What is BIMI and how is it supposed to help with Phishing.
2022-03-04 | Johannes Ullrich | Scam E-Mail Impersonating Red Cross
2022-02-05 | Didier Stevens | Power over Ethernet and Thermal Imaging
2022-01-29 | Guy Bruneau | SIEM In this Decade, Are They Better than the Last?
2021-12-23 | Johannes Ullrich | Defending Cloud IMDS Against log4shell (and more)
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-11-04 | Tom Webb | Xmount for Disk Images
2021-10-21 | Brad Duncan | "Stolen Images Evidence" campaign pushes Sliver-based malware
2021-06-26 | Guy Bruneau | CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability
2021-04-22 | Xavier Mertens | How Safe Are Your Docker Images?
2021-03-02 | Russ McRee | Adversary Simulation with Sim
2020-10-07 | Johannes Ullrich | Today, Nobody is Going to Attack You.
2020-08-12 | Russ McRee | To the Brim at the Gates of Mordor Pt. 1
2020-04-30 | Xavier Mertens | Collecting IOCs from IMAP Folder
2019-12-12 | Xavier Mertens | Code & Data Reuse in the Malware Ecosystem
2019-11-02 | Didier Stevens | Remark on EML Attachments
2019-10-30 | Xavier Mertens | Keep an Eye on Remote Access to Mailboxes
2019-08-22 | Xavier Mertens | Simple Mimikatz & RDPWrapper Dropper
2019-05-01 | Xavier Mertens | Another Day, Another Suspicious UDF File
2019-04-17 | Xavier Mertens | Malware Sample Delivered Through UDF Image
2019-02-05 | Rob VandenBrink | Mitigations against Mimikatz Style Attacks
2019-01-09 | Russ McRee | gganimate: Animate YouR Security Analysis
2018-10-31 | Brad Duncan | More malspam using password-protected Word docs
2018-06-27 | Renato Marinho | Silently Profiling Unknown Malware Samples
2018-05-16 | Mark Hofman | EFAIL, a weakness in openPGP and S/MIME
2017-11-25 | Guy Bruneau | Exim Remote Code Exploit
2017-09-19 | Jim Clausing | New tool: mac-robber.py
2017-07-12 | Xavier Mertens | Backup Scripts, the FIM of the Poor
2017-06-28 | Brad Duncan | Catching up with Blank Slate: a malspam campaign still going strong
2017-06-17 | Guy Bruneau | Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?
2017-05-10 | Johannes Ullrich | Read This If You Are Using a Script to Pull Data From This Site
2017-05-03 | Bojan Zdrnja | Powershelling with exploits
2017-04-28 | Russell Eubanks | KNOW before NO
2017-03-25 | Russell Eubanks | Distraction as a Service
2017-03-11 | Russell Eubanks | What's On Your Not To Do List?
2017-01-24 | Xavier Mertens | Malicious SVG Files in the Wild
2016-12-11 | Russ McRee | Steganography in Action: Image Steganography & StegExpose
2016-11-20 | Pasquale Stirparo | How many “Epoch” times? Epocalypse.py timestamp converter
2016-11-13 | Guy Bruneau | Bitcoin Miner File Upload via FTP
2016-09-10 | Xavier Mertens | Ongoing IMAP Scan, Anyone Else?
2016-05-14 | Guy Bruneau | INetSim as a Basic Honeypot
2016-03-30 | Xavier Mertens | What to watch with your FIM?
2016-01-24 | Didier Stevens | Obfuscated MIME Files
2016-01-05 | Guy Bruneau | What are you Concerned About the Most in 2016?
2015-12-14 | Russ McRee | AD Security's Unofficial Guide to Mimikatz & Command Reference
2015-05-15 | Didier Stevens | Another Maldoc? I'm Afraid So...
2015-05-09 | Didier Stevens | Malicious Word Document: This Time The Maldoc Is A MIME File
2015-02-10 | Mark Baggett | Detecting Mimikatz Use On Your Network
2014-01-24 | Johannes Ullrich | How to send mass e-mail the right way
2013-11-05 | Daniel Wesemann | TIFF images in MS-Office documents used in targeted attacks
2013-08-14 | Johannes Ullrich | Imaging LUKS Encrypted Drives
2013-05-22 | Adrien de Beaupre | Apple QuickTime 7.7.4 for Windows updated, MANY security vulnerabilities: http://support.apple.com/kb/HT1222
2013-04-25 | Adam Swanger | Guest Diary: Dylan Johnson - A week in the life of some Perimeter Firewalls
2013-02-06 | Johannes Ullrich | Are you losing system logging information (and don't know it)?
2012-12-22 | Guy Bruneau | New Poll - Which of the following issues impacted your business the most in 2012? - https://isc.sans.edu/poll.html
2012-06-22 | Kevin Liston | Investigator's Tool-kit: Timeline
2012-06-15 | Johannes Ullrich | Authenticating E-Mail
2012-02-07 | Johannes Ullrich | Secure E-Mail Access
2011-11-11 | Rick Wanner | APPLE-SA-2011-11-10-2 Time Capsule and AirPort Base Station (802.11n) Firmware 7.6 update
2011-08-04 | Jim Clausing | Apple releases QuickTime 7.7, fixes 14 CVEs, see http://support.apple.com/kb/HT1222
2011-08-03 | Johannes Ullrich | Malicious Images: What's a QR Code
2011-05-14 | Guy Bruneau | Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-05-06 | Richard Porter | Unpatched Exploit: Skype for MAC
2011-04-23 | Manuel Humberto Santander Pelaez | Image search can lead to malware download
2010-12-17 | Johannes Ullrich | Reports of Attacks against EXIM vulnerability
2010-12-12 | Raul Siles | Apple QuickTime 7.6.9 was released a few days ago (just in case you missed it): http://support.apple.com/kb/HT1222. Update all your web browser plugins!
2010-12-10 | Mark Hofman | EXIM MTA vulnerability
2010-11-08 | Manuel Humberto Santander Pelaez | Network Security Perimeter: How to choose the correct firewall and IPS for your environment?
2010-11-07 | Adrien de Beaupre | Change your clocks?
2010-09-25 | Rick Wanner | Guest Diary: Andrew Hunt - Visualizing the Hosting Patterns of Modern Cybercriminals
2010-08-30 | Adrien de Beaupre | Apple QuickTime potential vulnerability/backdoor
2010-08-22 | Manuel Humberto Santander Pelaez | SCADA: A big challenge for information security professionals
2010-08-14 | Tony Carothers | Freedom of Information
2010-08-13 | Guy Bruneau | QuickTime Security Updates
2010-04-02 | Guy Bruneau | Apple QuickTime and iTunes Security Update
2010-03-23 | John Bambenek | The Top 10 Riskiest US Cities for Cybercrime
2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality.
2010-01-17 | Rick Wanner | Buffer overflow in Quicktime
2009-11-05 | Swa Frantzen | RIM fixes random code execution vulnerability
2009-09-12 | Jim Clausing | Apple Updates
2009-09-04 | Adrien de Beaupre | Fake anti-virus
2009-07-11 | Marcus Sachs | Imageshack
2009-06-02 | Deborah Hale | Another Quicktime Update
2009-02-14 | Deborah Hale | Microsoft Time Sync Appears to be Down
2009-02-06 | Adrien de Beaupre | Fake stimulus payments
2008-11-02 | Adrien de Beaupre | Daylight saving time
2008-09-09 | Swa Frantzen | Apple updates iTunes+QuickTime
2008-07-15 | Maarten Van Horenbeeck | BlackBerry PDF parsing vulnerability
2008-07-15 | Maarten Van Horenbeeck | Bot controller mimicry
2008-06-10 | Swa Frantzen | Upgrade to QuickTime 7.5
2008-04-22 | donald smith | Maximus root kit downloads via MySpace social engineering trick.
2008-04-03 | Bojan Zdrnja | A bag of vulnerabilities (and fixes) in QuickTime
2006-12-18 | Toby Kohlenberg | Skype worm
2006-09-12 | Swa Frantzen | Apple Quicktime 7.1.3 released

Diaries tagged BOT

Date | Author | Title
2024-02-18 | Guy Bruneau | Mirai-Mirai On The Wall... [Guest Diary]
2024-01-07 | Guy Bruneau | Suspicious Prometei Botnet Activity
2023-12-27 | Guy Bruneau | Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]
2023-11-27 | Guy Bruneau | Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]
2023-11-22 | Guy Bruneau | CVE-2023-1389: A New Means to Expand Botnets
2023-11-09 | Guy Bruneau | Routers Targeted for Gafgyt Botnet [Guest Diary]
2023-06-22 | Brad Duncan | Qakbot (Qbot) activity, obama271 distribution tag
2023-04-12 | Brad Duncan | Recent IcedID (Bokbot) activity
2023-03-11 | Xavier Mertens | Overview of a Mirai Payload Generator
2023-02-28 | Brad Duncan | BB17 distribution Qakbot (Qbot) activity
2023-02-24 | Brad Duncan | URL files and WebDAV used for IcedID (Bokbot) infection
2022-12-02 | Brad Duncan | obama224 distribution Qakbot tries .vhd (virtual hard disk) images
2022-11-02 | Brad Duncan | Who put the "Dark" in DarkVNC?
2022-10-16 | Didier Stevens | Video: Analysis of a Malicious HTML File (QBot)
2022-10-13 | Didier Stevens | Analysis of a Malicious HTML File (QBot)
2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-09 | Brad Duncan | TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
2022-04-20 | Brad Duncan | "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-03-25 | Xavier Mertens | XLSB Files: Because Binary is Stealthier Than XML
2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity
2022-02-15 | Xavier Mertens | Who Are Those Bots?
2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection
2022-01-25 | Brad Duncan | Emotet Stops Using 0.0.0.0 in Spambot Traffic
2022-01-07 | Xavier Mertens | Custom Python RAT Builder
2021-12-22 | Brad Duncan | December 2021 Forensic Contest: Answers and Analysis
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-12-02 | Brad Duncan | TA551 (Shathak) pushes IcedID (Bokbot)
2021-11-26 | Guy Bruneau | Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
2021-11-16 | Brad Duncan | Emotet Returns
2021-11-04 | Brad Duncan | October 2021 Forensic Contest: Answers and Analysis
2021-10-04 | Johannes Ullrich | Boutique "Dark" Botnet Hunting for Crumbs
2021-09-23 | Xavier Mertens | Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
2021-08-13 | Brad Duncan | Example of Danabot distributed through malspam
2021-07-24 | Xavier Mertens | Agent.Tesla Dropped via a .daa Image and Talking to Telegram
2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis
2021-06-24 | Xavier Mertens | Do you Like Cookies? Some are for sale!
2021-04-15 | Johannes Ullrich | Why and How You Should be Using an Internal Certificate Authority
2021-04-06 | Jan Kopriva | Malspam with Lokibot vs. Outlook and RFCs
2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike
2021-02-23 | Jan Kopriva | Qakbot in a response to Full Disclosure post
2021-02-17 | Brad Duncan | Malspam pushing Trickbot gtag rob13
2021-01-26 | Brad Duncan | TA551 (Shathak) Word docs push Qakbot (Qbot)
2021-01-20 | Brad Duncan | Qakbot activity resumes after holiday break
2020-12-09 | Brad Duncan | Recent Qakbot (Qbot) activity
2020-11-03 | Brad Duncan | Emotet -> Qakbot -> more Emotet
2020-10-20 | Xavier Mertens | Mirai-alike Python Scanner
2020-10-14 | Brad Duncan | More TA551 (Shathak) Word docs push IcedID (Bokbot)
2020-08-19 | Xavier Mertens | Example of Word Document Delivering Qakbot
2020-08-03 | Xavier Mertens | Powershell Bot with Multiple C2 Protocols
2020-08-01 | Jan Kopriva | What pages do bad bots look for?
2020-07-15 | Brad Duncan | Word docs with macros for IcedID (Bokbot)
2020-06-13 | Guy Bruneau | Mirai Botnet Activity
2020-05-20 | Brad Duncan | Microsoft Word document with malicious macro pushes IcedID (Bokbot)
2020-04-01 | Brad Duncan | Qakbot malspam sent from an infected Windows host
2020-03-21 | Guy Bruneau | Honeypot - Scanning and Targeting Devices & Services
2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file
2020-01-28 | Brad Duncan | Emotet epoch 1 infection with Trickbot gtag mor84
2019-12-24 | Brad Duncan | Malspam with links to Word docs pushes IcedID (Bokbot)
2019-12-18 | Brad Duncan | Emotet infection with spambot activity
2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot
2019-11-13 | Brad Duncan | An example of malspam pushing Lokibot malware, November 2019
2019-10-30 | Xavier Mertens | Keep an Eye on Remote Access to Mailboxes
2019-09-18 | Brad Duncan | Emotet malspam is back
2019-09-03 | Johannes Ullrich | [Guest Diary] Tricky LNK points to TrickBot
2019-08-14 | Brad Duncan | Recent example of MedusaHTTP malware
2019-08-08 | Johannes Ullrich | [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign"
2019-07-26 | Kevin Shortt | DVRIP Port 34567 - Uptick
2019-03-13 | Brad Duncan | Malspam pushes Emotet with Qakbot as the follow-up malware
2019-03-06 | Brad Duncan | Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
2019-02-14 | Xavier Mertens | Old H-Worm Delivered Through GitHub
2019-01-16 | Brad Duncan | Emotet infections and follow-up malware
2019-01-10 | Brad Duncan | Heartbreaking Emails: "Love You" Malspam
2018-12-23 | Guy Bruneau | Scanning Activity, end Goal is to add Hosts to Mirai Botnet
2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot)
2018-12-05 | Brad Duncan | Campaign evolution: Hancitor changes its Word macros
2018-12-04 | Brad Duncan | Malspam pushing Lokibot malware
2018-11-14 | Brad Duncan | Day in the life of a researcher: Finding a wave of Trickbot malspam
2018-09-26 | Brad Duncan | One Emotet infection leads to three follow-up malware infections
2018-05-09 | Xavier Mertens | Nice Phishing Sample Delivering Trickbot
2018-03-08 | Xavier Mertens | CRIMEB4NK IRC Bot
2017-10-19 | Brad Duncan | HSBC-themed malspam uses ISO attachments to push Loki Bot malware
2017-08-15 | Brad Duncan | Malspam pushing Trickbot banking Trojan
2017-07-19 | Xavier Mertens | Bots Searching for Keys & Config Files
2017-05-08 | Renato Marinho | Exploring a P2P Transient Botnet - From Discovery to Enumeration
2016-12-31 | Xavier Mertens | Ongoing Scans Below the Radar
2016-12-07 | Xavier Mertens | The Passwords You Should Never Use
2016-09-10 | Xavier Mertens | Ongoing IMAP Scan, Anyone Else?
2016-07-27 | Xavier Mertens | Analysis of a Linux botnet client source code
2015-02-06 | Johannes Ullrich | Anthem, TurboTax and How Things "Fit Together" Sometimes
2014-10-09 | Johannes Ullrich | CSAM: My servers started speaking IRC, and that is when I started to listen!
2014-08-16 | Lenny Zeltser | Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability
2014-01-16 | Kevin Shortt | Port 4028 - Interesting Activity
2013-12-07 | Guy Bruneau | Suspected Active Rovnix Botnet Controller
2013-10-26 | Guy Bruneau | Active Perl/Shellbot Trojan
2013-08-11 | Bojan Zdrnja | XATattacks (attacks on xat.com)
2012-10-26 | Russ McRee | Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant
2011-08-04 | Johannes Ullrich | IRC traffic on non standard ports
2011-05-14 | Guy Bruneau | Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-02-28 | Deborah Hale | Possible Botnet Scanning
2011-01-11 | Kevin Shortt | Spam Cannons on Holiday
2010-11-18 | Chris Carboni | All of your pages are belonging to us
2010-11-05 | Adrien de Beaupre | Bot honeypot
2010-08-19 | Daniel Wesemann | Casper the unfriendly ghost
2010-07-29 | Rob VandenBrink | FBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators
2010-06-14 | Manuel Humberto Santander Pelaez | New way of social engineering on IRC
2010-05-07 | Johannes Ullrich | Stock market "wipe out" may be due to computer error
2010-05-02 | Mari Nichols | Zbot Social Engineering
2010-04-23 | Adrien de Beaupre | Shadowserver botnet rules
2010-03-25 | Kevin Liston | Zeus wants to do your taxes
2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality.
2010-02-02 | Johannes Ullrich | Pushdo Update
2010-01-25 | William Salusky | "Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"
2009-12-21 | Marcus Sachs | iPhone Botnet Analysis
2009-11-13 | Deborah Hale | Pushdo/Cutwail Spambot - A Little Known BIG Problem
2009-11-08 | Kevin Liston | FireEye takes on Ozdok and Recovery Ideas
2009-10-10 | Tony Carothers | User Notification for Possible Infected Systems
2009-09-16 | Raul Siles | IETF Draft for Remediation of Bots in ISP Networks
2009-05-07 | Deborah Hale | Botnet hijacking reveals 70GB of stolen data
2008-11-05 | donald smith | Bot net hunters get an improved tool from SRI bothunters
2008-09-09 | Swa Frantzen | The complaint that's an attack
2008-09-01 | John Bambenek | The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months
2008-07-19 | William Salusky | A twist in fluxnet operations. Enter Hydraflux
2008-07-15 | Maarten Van Horenbeeck | Bot controller mimicry
2008-04-07 | John Bambenek | Got Kraken?
2008-04-07 | John Bambenek | Kraken Technical Details: UPDATED x3
2006-08-31 | Swa Frantzen | NT botnet submitted
2006-08-31 | Joel Esler | MS06-040 Worm