The adversary behind Emotet made a really interesting TTP change around 4/22 to use Windows shortcut files, and it definitely got noticed by multiple researchers. #Emotet New TTPs 🚨[+] LNK with em...

Adversaries love using free or cheap RATs or stealers, and I see a lot of RATs such as AsyncRAT during my daily malware analysis tasks. In this detection I want to examine a fairly recent sample fr...

AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes furthe...

Formbook is one of the threats that I categorize as part of the “background noise of exploitation” on the internet. While targeted attacks occur in scoped areas, anyone can go buy access for Formbo...

In this quick post I’m taking a look at a PowerPoint file with macros on board! According to MalwareBazaar’s tags, it was reported in association with the group “Aggah”. If you want to follow along...

This post is dedicated to Josh Rickard (@MSAdministrator on Twitter) since his feedback on my blog posts has cut my triage time on MSI files down in a massive way! After writing an analysis of a MS...

Just like with RTF documents, adversaries can use XLSX spreadsheets to exploit the Microsoft Office Equation Editor. To add a little bit of complication on top, adversaries also sometimes like to e...

When adversaries buy and deploy threats like AgentTesla you often see this functional and entertaining chain of older exploitation activity with some .NET framework tradecraft you’d expect from som...

In my last post I walked through the analysis of an unusual MSI file that an adversary had tacked a STRRAT Java ARchive file to the end of the MSI contents. In this post, I want to walk through a m...

Adversaries can get really creative with ways to hide and execute payloads. In this post I’ll cover one instance where an adversary appended STRRAT to a MSI file to make it look legitimate during a...