Date Author Title

SKYPE IM BOT

2010-03-11donald smithCert write up on Skype IMBot Logic and Functionality.

SKYPE

2014-01-01/a>Russ McReeHappy New Year from the Syrian Electronic Army - Skype’s Social Media Accounts Hacked
2012-11-14/a>Jim ClausingSkype account hijack vulnerability fixed
2011-05-31/a>Johannes UllrichSkype EasyBits Add-on
2011-05-06/a>Richard PorterUnpatched Exploit: Skype for MAC
2010-12-30/a>Rick WannerObvious Lessons from the Skype outage
2010-03-11/a>donald smithCert write up on Skype IMBot Logic and Functionality.
2008-04-23/a>Mari NicholsWhat's New, Old and Morphing?
2006-12-18/a>Toby KohlenbergSkype worm

IM

2025-02-12/a>Yee Ching TokAn ontology for threats, cybercrime and digital forensic investigation on Smart City Infrastructure
2024-09-18/a>Guy BruneauTime-to-Live Analysis of DShield Data with Vega-Lite
2024-08-30/a>Jesse La GrewSimulating Traffic With Scapy
2023-10-09/a>Didier StevensZIP's DOSTIME & DOSDATE Formats
2023-07-07/a>Xavier MertensDSSuite (Didier's Toolbox) Docker Image Update
2023-05-30/a>Brad DuncanMalspam pushes ModiLoader (DBatLoader) infection for Remcos RAT
2023-02-28/a>Brad DuncanBB17 distribution Qakbot (Qbot) activity
2022-12-30/a>Jan KoprivaSPF and DMARC use on GOV domains in different ccTLDs
2022-12-20/a>Xavier MertensLinux File System Monitoring & Actions
2022-10-24/a>Xavier MertensC2 Communications Through outlook.com
2022-06-26/a>Didier StevensMore Decoding Analysis
2022-04-07/a>Johannes UllrichWhat is BIMI and how is it supposed to help with Phishing.
2022-03-04/a>Johannes UllrichScam E-Mail Impersonating Red Cross
2022-02-05/a>Didier StevensPower over Ethernet and Thermal Imaging
2022-01-29/a>Guy BruneauSIEM In this Decade, Are They Better than the Last?
2021-12-23/a>Johannes UllrichDefending Cloud IMDS Against log4shell (and more)
2021-12-16/a>Brad DuncanHow the "Contact Forms" campaign tricks people
2021-11-04/a>Tom WebbXmount for Disk Images
2021-10-21/a>Brad Duncan"Stolen Images Evidence" campaign pushes Sliver-based malware
2021-06-26/a>Guy BruneauCVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability
2021-04-22/a>Xavier MertensHow Safe Are Your Docker Images?
2021-03-02/a>Russ McReeAdversary Simulation with Sim
2020-10-07/a>Johannes UllrichToday, Nobody is Going to Attack You.
2020-08-12/a>Russ McReeTo the Brim at the Gates of Mordor Pt. 1
2020-04-30/a>Xavier MertensCollecting IOCs from IMAP Folder
2019-12-12/a>Xavier MertensCode & Data Reuse in the Malware Ecosystem
2019-11-02/a>Didier StevensRemark on EML Attachments
2019-10-30/a>Xavier MertensKeep an Eye on Remote Access to Mailboxes
2019-08-22/a>Xavier MertensSimple Mimikatz & RDPWrapper Dropper
2019-05-01/a>Xavier MertensAnother Day, Another Suspicious UDF File
2019-04-17/a>Xavier MertensMalware Sample Delivered Through UDF Image
2019-02-05/a>Rob VandenBrinkMitigations against Mimikatz Style Attacks
2019-01-09/a>Russ McReegganimate: Animate YouR Security Analysis
2018-10-31/a>Brad DuncanMore malspam using password-protected Word docs
2018-06-27/a>Renato MarinhoSilently Profiling Unknown Malware Samples
2018-05-16/a>Mark HofmanEFAIL, a weakness in openPGP and S\MIME
2017-11-25/a>Guy BruneauExim Remote Code Exploit
2017-09-19/a>Jim ClausingNew tool: mac-robber.py
2017-07-12/a>Xavier MertensBackup Scripts, the FIM of the Poor
2017-06-28/a>Brad DuncanCatching up with Blank Slate: a malspam campaign still going strong
2017-06-17/a>Guy BruneauMapping Use Cases to Logs. Which Logs are the Most Important to Collect?
2017-05-10/a>Johannes UllrichRead This If You Are Using a Script to Pull Data From This Site
2017-05-03/a>Bojan ZdrnjaPowershelling with exploits
2017-04-28/a>Russell EubanksKNOW before NO
2017-03-25/a>Russell EubanksDistraction as a Service
2017-03-11/a>Russell EubanksWhat's On Your Not To Do List?
2017-01-24/a>Xavier MertensMalicious SVG Files in the Wild
2016-12-11/a>Russ McReeSteganography in Action: Image Steganography & StegExpose
2016-11-20/a>Pasquale StirparoHow many “Epoch” times? Epocalypse.py timestamp converter
2016-11-13/a>Guy BruneauBitcoin Miner File Upload via FTP
2016-09-10/a>Xavier MertensOngoing IMAP Scan, Anyone Else?
2016-05-14/a>Guy BruneauINetSim as a Basic Honeypot
2016-03-30/a>Xavier MertensWhat to watch with your FIM?
2016-01-24/a>Didier StevensObfuscated MIME Files
2016-01-05/a>Guy BruneauWhat are you Concerned the Most in 2016?
2015-12-14/a>Russ McReeAD Security's Unofficial Guide to Mimikatz & Command Reference
2015-05-15/a>Didier StevensAnother Maldoc? I'm Afraid So...
2015-05-09/a>Didier StevensMalicious Word Document: This Time The Maldoc Is A MIME File
2015-02-10/a>Mark BaggettDetecting Mimikatz Use On Your Network
2014-01-24/a>Johannes UllrichHow to send mass e-mail the right way
2013-11-05/a>Daniel WesemannTIFF images in MS-Office documents used in targeted attacks
2013-08-14/a>Johannes UllrichImaging LUKS Encrypted Drives
2013-05-22/a>Adrien de BeaupreApple QuickTime 7.7.4 for Windows updated, MANY security vulnerabilities: http://support.apple.com/kb/HT1222
2013-04-25/a>Adam SwangerGuest Diary: Dylan Johnson - A week in the life of some Perimeter Firewalls
2013-02-06/a>Johannes UllrichAre you losing system logging information (and don't know it)?
2012-12-22/a>Guy BruneauNew Poll - Which of the following issues impacted the most your business in 2012? - https://isc.sans.edu/poll.html
2012-06-22/a>Kevin ListonInvestigator's Tool-kit: Timeline
2012-06-15/a>Johannes UllrichAuthenticating E-Mail
2012-02-07/a>Johannes UllrichSecure E-Mail Access
2011-11-11/a>Rick WannerAPPLE-SA-2011-11-10-2 Time Capsule and AirPort Base Station (802.11n) Firmware 7.6 update
2011-08-04/a>Jim ClausingApple release Quicktime 7.7 fixes 14 CVEs, see http://support.apple.com/kb/HT1222
2011-08-03/a>Johannes UllrichMalicious Images: What's a QR Code
2011-05-14/a>Guy BruneauWebsense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-05-06/a>Richard PorterUnpatched Exploit: Skype for MAC
2011-04-23/a>Manuel Humberto Santander PelaezImage search can lead to malware download
2010-12-17/a>Johannes UllrichReports of Attacks against EXIM vulnerability
2010-12-12/a>Raul SilesApple Quickime 7.6.9 was released a few days ago (just in case you missed it): http://support.apple.com/kb/HT1222. Update all your web browser plugins!
2010-12-10/a>Mark HofmanEXIM MTA vulnerability
2010-11-08/a>Manuel Humberto Santander PelaezNetwork Security Perimeter: How to choose the correct firewall and IPS for your environment?
2010-11-07/a>Adrien de BeaupreChange your clocks?
2010-09-25/a>Rick WannerGuest Diary: Andrew Hunt - Visualizing the Hosting Patterns of Modern Cybercriminals
2010-08-30/a>Adrien de BeaupreApple QuickTime potential vulnerability/backdoor
2010-08-22/a>Manuel Humberto Santander PelaezSCADA: A big challenge for information security professionals
2010-08-14/a>Tony CarothersFreedom of Information
2010-08-13/a>Guy BruneauQuickTime Security Updates
2010-04-02/a>Guy BruneauApple QuickTime and iTunes Security Update
2010-03-23/a>John BambenekThe Top 10 Riskiest US Cities for Cybercrime
2010-03-11/a>donald smithCert write up on Skype IMBot Logic and Functionality.
2010-01-17/a>Rick WannerBuffer overflow in Quicktime
2009-11-05/a>Swa FrantzenRIM fixes random code execution vulnerability
2009-09-12/a>Jim ClausingApple Updates
2009-09-04/a>Adrien de BeaupreFake anti-virus
2009-07-11/a>Marcus SachsImageshack
2009-06-02/a>Deborah HaleAnother Quicktime Update
2009-02-14/a>Deborah HaleMicrosoft Time Sync Appears to Down
2009-02-06/a>Adrien de BeaupreFake stimulus payments
2008-11-02/a>Adrien de BeaupreDaylight saving time
2008-09-09/a>Swa FrantzenApple updates iTunes+QuickTime
2008-07-15/a>Maarten Van HorenbeeckBlackBerry PDF parsing vulnerability
2008-07-15/a>Maarten Van HorenbeeckBot controller mimicry
2008-06-10/a>Swa FrantzenUpgrade to QuickTime 7.5
2008-04-22/a>donald smithMaximus root kit downloads via MySpace social engineering trick.
2008-04-03/a>Bojan ZdrnjaA bag of vulnerabilities (and fixes) in QuickTime
2006-12-18/a>Toby KohlenbergSkype worm
2006-09-12/a>Swa FrantzenApple Quicktime 7.1.3 released

BOT

2024-02-18/a>Guy BruneauMirai-Mirai On The Wall... [Guest Diary]
2024-01-07/a>Guy BruneauSuspicious Prometei Botnet Activity
2023-12-27/a>Guy BruneauUnveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]
2023-11-27/a>Guy BruneauDecoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]
2023-11-22/a>Guy BruneauCVE-2023-1389: A New Means to Expand Botnets
2023-11-09/a>Guy BruneauRouters Targeted for Gafgyt Botnet [Guest Diary]
2023-06-22/a>Brad DuncanQakbot (Qbot) activity, obama271 distribution tag
2023-04-12/a>Brad DuncanRecent IcedID (Bokbot) activity
2023-03-11/a>Xavier MertensOverview of a Mirai Payload Generator
2023-02-28/a>Brad DuncanBB17 distribution Qakbot (Qbot) activity
2023-02-24/a>Brad DuncanURL files and WebDAV used for IcedID (Bokbot) infection
2022-12-02/a>Brad Duncanobama224 distribution Qakbot tries .vhd (virtual hard disk) images
2022-11-02/a>Brad DuncanWho put the "Dark" in DarkVNC?
2022-10-16/a>Didier StevensVideo: Analysis of a Malicious HTML File (QBot)
2022-10-13/a>Didier StevensAnalysis of a Malicious HTML File (QBot)
2022-08-24/a>Brad DuncanMonster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12/a>Brad DuncanMonster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27/a>Brad DuncanIcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-06-30/a>Brad DuncanCase Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-09/a>Brad DuncanTA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
2022-04-20/a>Brad Duncan"aa" distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-03-25/a>Xavier MertensXLSB Files: Because Binary is Stealthier Than XML
2022-03-16/a>Brad DuncanQakbot infection with Cobalt Strike and VNC activity
2022-02-15/a>Xavier MertensWho Are Those Bots?
2022-02-09/a>Brad DuncanExample of Cobalt Strike from Emotet infection
2022-01-25/a>Brad DuncanEmotet Stops Using 0.0.0.0 in Spambot Traffic
2022-01-07/a>Xavier MertensCustom Python RAT Builder
2021-12-22/a>Brad DuncanDecember 2021 Forensic Contest: Answers and Analysis
2021-12-16/a>Brad DuncanHow the "Contact Forms" campaign tricks people
2021-12-02/a>Brad DuncanTA551 (Shathak) pushes IcedID (Bokbot)
2021-11-26/a>Guy BruneauSearching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
2021-11-16/a>Brad DuncanEmotet Returns
2021-11-04/a>Brad DuncanOctober 2021 Forensic Contest: Answers and Analysis
2021-10-04/a>Johannes UllrichBoutique "Dark" Botnet Hunting for Crumbs
2021-09-23/a>Xavier MertensExcel Recipe: Some VBA Code with a Touch of Excel4 Macro
2021-08-13/a>Brad DuncanExample of Danabot distributed through malspam
2021-07-24/a>Xavier MertensAgent.Tesla Dropped via a .daa Image and Talking to Telegram
2021-06-30/a>Brad DuncanJune 2021 Forensic Contest: Answers and Analysis
2021-06-24/a>Xavier MertensDo you Like Cookies? Some are for sale!
2021-04-15/a>Johannes UllrichWhy and How You Should be Using an Internal Certificate Authority
2021-04-06/a>Jan KoprivaMalspam with Lokibot vs. Outlook and RFCs
2021-03-03/a>Brad DuncanQakbot infection with Cobalt Strike
2021-02-23/a>Jan KoprivaQakbot in a response to Full Disclosure post
2021-02-17/a>Brad DuncanMalspam pushing Trickbot gtag rob13
2021-01-26/a>Brad DuncanTA551 (Shathak) Word docs push Qakbot (Qbot)
2021-01-20/a>Brad DuncanQakbot activity resumes after holiday break
2020-12-09/a>Brad DuncanRecent Qakbot (Qbot) activity
2020-11-03/a>Brad DuncanEmotet -> Qakbot -> more Emotet
2020-10-20/a>Xavier MertensMirai-alike Python Scanner
2020-10-14/a>Brad DuncanMore TA551 (Shathak) Word docs push IcedID (Bokbot)
2020-08-19/a>Xavier MertensExample of Word Document Delivering Qakbot
2020-08-03/a>Xavier MertensPowershell Bot with Multiple C2 Protocols
2020-08-01/a>Jan KoprivaWhat pages do bad bots look for?
2020-07-15/a>Brad DuncanWord docs with macros for IcedID (Bokbot)
2020-06-13/a>Guy BruneauMirai Botnet Activity
2020-05-20/a>Brad DuncanMicrosoft Word document with malicious macro pushes IcedID (Bokbot)
2020-04-01/a>Brad DuncanQakbot malspam sent from an infected Windows host
2020-03-21/a>Guy BruneauHoneypot - Scanning and Targeting Devices & Services
2020-03-18/a>Brad DuncanTrickbot gtag red5 distributed as a DLL file
2020-01-28/a>Brad DuncanEmotet epoch 1 infection with Trickbot gtag mor84
2019-12-24/a>Brad DuncanMalspam with links to Word docs pushes IcedID (Bokbot)
2019-12-18/a>Brad DuncanEmotet infection with spambot activity
2019-12-11/a>Brad DuncanGerman language malspam pushes yet another wave of Trickbot
2019-11-13/a>Brad DuncanAn example of malspam pushing Lokibot malware, November 2019
2019-10-30/a>Xavier MertensKeep an Eye on Remote Access to Mailboxes
2019-09-18/a>Brad DuncanEmotet malspam is back
2019-09-03/a>Johannes Ullrich[Guest Diary] Tricky LNK points to TrickBot
2019-08-14/a>Brad DuncanRecent example of MedusaHTTP malware
2019-08-08/a>Johannes Ullrich[Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign"
2019-07-26/a>Kevin ShorttDVRIP Port 34567 - Uptick
2019-03-13/a>Brad DuncanMalspam pushes Emotet with Qakbot as the follow-up malware
2019-03-06/a>Brad DuncanMalspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
2019-02-14/a>Xavier MertensOld H-Worm Delivered Through GitHub
2019-01-16/a>Brad DuncanEmotet infections and follow-up malware
2019-01-10/a>Brad DuncanHeartbreaking Emails: "Love You" Malspam
2018-12-23/a>Guy BruneauScanning Activity, end Goal is to add Hosts to Mirai Botnet
2018-12-18/a>Brad DuncanMalspam links to password-protected Word docs that push IcedID (Bokbot)
2018-12-05/a>Brad DuncanCampaign evolution: Hancitor changes its Word macros
2018-12-04/a>Brad DuncanMalspam pushing Lokibot malware
2018-11-14/a>Brad DuncanDay in the life of a researcher: Finding a wave of Trickbot malspam
2018-09-26/a>Brad DuncanOne Emotet infection leads to three follow-up malware infections
2018-05-09/a>Xavier MertensNice Phishing Sample Delivering Trickbot
2018-03-08/a>Xavier MertensCRIMEB4NK IRC Bot
2017-10-19/a>Brad DuncanHSBC-themed malspam uses ISO attachments to push Loki Bot malware
2017-08-15/a>Brad DuncanMalspam pushing Trickbot banking Trojan
2017-07-19/a>Xavier MertensBots Searching for Keys & Config Files
2017-05-08/a>Renato MarinhoExploring a P2P Transient Botnet - From Discovery to Enumeration
2016-12-31/a>Xavier MertensOngoing Scans Below the Radar
2016-12-07/a>Xavier MertensThe Passwords You Should Never Use
2016-09-10/a>Xavier MertensOngoing IMAP Scan, Anyone Else?
2016-07-27/a>Xavier MertensAnalyze of a Linux botnet client source code
2015-02-06/a>Johannes UllrichAnthem, TurboTax and How Things "Fit Together" Sometimes
2014-10-09/a>Johannes UllrichCSAM: My servers started speaking IRC, and that is when I started to listen!
2014-08-16/a>Lenny ZeltserWeb Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability
2014-01-16/a>Kevin ShorttPort 4028 - Interesting Activity
2013-12-07/a>Guy BruneauSuspected Active Rovnix Botnet Controller
2013-10-26/a>Guy BruneauActive Perl/Shellbot Trojan
2013-08-11/a>Bojan ZdrnjaXATattacks (attacks on xat.com)
2012-10-26/a>Russ McReeCyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant
2011-08-04/a>Johannes UllrichIRC traffic on non standard ports
2011-05-14/a>Guy BruneauWebsense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-02-28/a>Deborah HalePossible Botnet Scanning
2011-01-11/a>Kevin ShorttSpam Cannons on Holiday
2010-11-18/a>Chris CarboniAll of your pages are belonging to us
2010-11-05/a>Adrien de BeaupreBot honeypot
2010-08-19/a>Daniel WesemannCasper the unfriendly ghost
2010-07-29/a>Rob VandenBrinkFBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators
2010-06-14/a>Manuel Humberto Santander PelaezNew way of social engineering on IRC
2010-05-07/a>Johannes UllrichStock market "wipe out" may be due to computer error
2010-05-02/a>Mari NicholsZbot Social Engineering
2010-04-23/a>Adrien de BeaupreShadowserver botnet rules
2010-03-25/a>Kevin ListonZeus wants to do your taxes
2010-03-11/a>donald smithCert write up on Skype IMBot Logic and Functionality.
2010-02-02/a>Johannes UllrichPushdo Update
2010-01-25/a>William Salusky"Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"
2009-12-21/a>Marcus SachsiPhone Botnet Analysis
2009-11-13/a>Deborah HalePushdo/Cutwail Spambot - A Little Known BIG Problem
2009-11-08/a>Kevin ListonFireEye takes on Ozdok and Recovery Ideas
2009-10-10/a>Tony CarothersUser Notification for Possible Infected Systems
2009-09-16/a>Raul SilesIETF Draft for Remediation of Bots in ISP Networks
2009-05-07/a>Deborah HaleBotnet hijacking reveals 70GB of stolen data
2008-11-05/a>donald smithBot net hunters get an improved tool from SRI bothunters
2008-09-09/a>Swa FrantzenThe complaint that's an attack
2008-09-01/a>John BambenekThe Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months
2008-07-19/a>William SaluskyA twist in fluxnet operations. Enter Hydraflux
2008-07-15/a>Maarten Van HorenbeeckBot controller mimicry
2008-04-07/a>John BambenekGot Kraken?
2008-04-07/a>John BambenekKraken Technical Details: UPDATED x3
2006-08-31/a>Swa FrantzenNT botnet submitted
2006-08-31/a>Joel EslerMS06-040 Worm