@npmjs author "t-in-one" published multiple credential-harvesting infostealer packages.
C2: oob[.]moika[.]tech
MacOS second stage payload detected by THOR Sigma rule "NodeJS Execution of JavaScript File" created by @_swachchhanda_: virustotal.com/gui/file/de1a5…
Following the initial report from @wiz_io on compromised MistralAI packages, our artifact‑scanning pipeline has identified additional Shai Hulud–infected NPM artifacts:
mistralai/mistralai-gcp v1.7.3
mistraliai/mistralai-azure v1.7.3
These packages are used for direct cloud deployments, and should be considered compromised as part of the ongoing Mini Shai-Hulud supply-chain campaign.
Until the situation is resolved, we recommend treating all recent mistralai releases with caution and reviewing any CI/CD systems where these versions may have been installed.
THOR APT Scanner already provides coverage for the currently known Shai Hulud–infected Mistral AI NPM and PyPI artifacts.
related:
wiz.io/blog/mini-shai…
github.com/mistralai/clie…
One more heads-up on the DAEMON Tools supply chain incident:
Besides the YARA rules and IoCs, my teammate Swachchhanda also contributed Sigma rules covering several useful detection points - including DNS lookups to the typosquatted C2 domain, execution of compromised DAEMON Tools binaries by known bad file versions, and stage-drop activity such as envchk.exe download and mcrypto payload execution.
A nice addition for defenders who want to hunt for traces in telemetry, not just by matching file hashes.
github.com/SigmaHQ/sigma/…
Most of you have probably already seen the reports about the DAEMON Tools supply chain compromise
According to Kaspersky, the campaign has been active since April 8 and affected victims in more than 100 countries
On our side, we took the published indicators and turned them into practical detection content
The Nextron Research Team shared YARA rules to detect the trojanized packages, added coverage for free scanners like LOKI, Loki RS and THOR Lite, and already made the coverage available in THOR Cloud Lite so users can scan their systems for traces related to this incident
The signature-base PR is merged, and the rules should also show up in YARA Forge soon
YARA Rules by @MalGamy12 & @cod3nym
github.com/Neo23x0/signat…
YARA Forge
yarahq.github.io
THOR Cloud (Lite = Free)
nextron-systems.com/thor-cloud/
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
We released first detection rules for Copy Fail / CVE-2026-31431.
YARA rules by me:
github.com/Neo23x0/signat…
It covers public PoC artifacts, including known payloads, exploit code fragments and URLs seen in shared material.
More generic rules for customer environments are still in testing.
Sigma rules by @_swachchhanda_:
github.com/SigmaHQ/sigma/…
They cover suspicious Copy Fail-related exploitation patterns, including setuid binary execution behavior and NULL argv shell execution.
More updates soon.
You probably already heard about Copy Fail - the Linux LPE that affects basically every current distro and shared-kernel/container environment
I’ll post a few updates here soon
copy.fail
Low-detection macOS malware used in job / interview-themed phishing.
We recently observed a submitted DMG with only 3 / 62 detections on VirusTotal at the time of analysis:
WebEx.dmg
SHA256: 5fc61384dd6f15e6bb510e0421000c1301a40d7acf05cedbeb6bc789c0a99d00
THOR APT Scanner detected it with:
MAL_MACOS_Phishing_Dropper_Feb26
The sample fits a pattern that has become very common in the last months:
- fake job or interview flows
- fake Zoom / WebEx meeting links
- “audio problem” or “meeting component required” lures
- macOS DMGs or scripts pushed as required fixes
- user-level execution instead of exploits
- follow-up payloads focused on credentials, tokens, browser sessions and developer data
This tradecraft has been described in recent public reporting around North Korea-linked activity, including fake Zoom meeting flows and macOS backdoors. A separate public incident write-up also described a fake WebEx interview flow that ended with a malicious macOS DMG.
We are not making an attribution claim for this specific sample based on a filename and lure alone.
But the detection point is the same: these attacks do not need a 0-day or kernel exploit. A plausible meeting flow, a convincing DMG and one bad Terminal step can be enough.
That is why detection needs to cover the boring parts too:
- suspicious DMG contents
- phishing-style dropper behavior
- LaunchAgent persistence
- osascript / JXA abuse
- staged payload retrieval
- fake meeting-tool infrastructure patterns
References:
thehackernews.com/2025/06/blueno…
linkedin.com/pulse/real-mac…
Interesting PAM backdoor pattern worth dissecting
The sample was found inside a ZIP archive that contained multiple older variants, patch files and build scripts
The ZIP parent was first submitted to VirusTotal on 2020-11-29 (!)
Bundled ELF variants:
23315bfc9baf3f732c5801ae229cf9da86f35c22d4e23ed01a6e8f6d36aa6960 - d00mer-1.1.8.so
3d763ccbeafcd7154529b82214dfd7800b12dfff36930078ff36cce0c7034573 - d00mer-1.2.0.so
90e2643e5174feb3030c88cfa1200e2623ad5c4f564a148d878c7be1f270b15b - d00mer-1.2.1.so
6ee22f4d81ab1b7f90c2caacfdd709132abc8ea06bcb54f40c7b26f4254da6ea - d00mer-1.3.0.so
68af3e8a70cbb84ea4632df5675e52a193db88a2f6eee5a69dc49ad30c742f46 - d00mer-1.3.1.so
8d1e5cbf207a812711933e99b7b8e13c596e1e35813b8ed689196982faff71b9 - d00mer-1.3.1.so
We also got the patch source code, which makes this one more useful to understand. The backdoor does not use a static hardcoded password. Instead, it accepts a time-based value. The patch calls ctime() and then compares only the first 10 characters:
strncmp(p, cts, 10)
So the “password” effectively becomes the current day string, for example:
Mon Apr 27
If the supplied password does not match that value, normal PAM password verification continues.
If it does match, the module returns PAM_SUCCESS.
Because PAM sits directly on the authentication boundary, the impact is system-wide:
SSH, sudo, login and anything else using PAM.
The actual patch is only a few lines added to pam_unix_auth.c.
Enough to bypass authentication through the patched PAM module.
This ZIP has been around since 2020.
The bundled ELF variants still have no AV detections today.
Detected by our rule:
MAL_LNX_PAM_Backdoor_Aug25
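To make the weakness of the time-based check concrete, here is a small model of the comparison described above, written for this page and not taken from the patch or from the d00mer sample. It reproduces the ctime()/asctime() formatting rule (day of month padded with a space, so "Tue Apr  7" has two spaces) and the strncmp semantics (only the first 10 characters are compared), so a defender can see the effective key space: exactly one accepted value per calendar day. The real patch calls ctime(), which formats local time; the model below takes a fixed struct_time so the result does not depend on the host's timezone. The function names and the sample dates are this example's own choices.

```python
import datetime
import time


def day_struct(year: int, month: int, day: int) -> time.struct_time:
    """Build a struct_time for a calendar day (constructed input for the model).

    datetime.date.timetuple() fills tm_wday correctly, which asctime() relies on.
    """
    return datetime.date(year, month, day).timetuple()


def ctime_day_prefix(t: time.struct_time) -> str:
    """Return the first 10 characters of the asctime()/ctime() string for t.

    C's ctime() produces e.g. 'Mon Apr 27 12:00:00 2026\\n'; the patch keeps only
    the leading 10 characters, i.e. weekday, month and space-padded day of month.
    Python's time.asctime() uses the same format, including the space padding.
    """
    return time.asctime(t)[:10]


def backdoor_would_accept(supplied: str, t: time.struct_time) -> bool:
    """Model of the described check: strncmp(p, cts, 10) == 0.

    strncmp stops after 10 characters, so a supplied value that starts with the
    day string is accepted regardless of what follows; a value shorter than 10
    characters can never match because the NUL terminator is compared too.
    """
    return supplied[:10] == ctime_day_prefix(t)


def accepted_values(start: datetime.date, days: int) -> list[str]:
    """List the only value the check accepts on each of `days` consecutive days.

    This illustrates the effective key space: one deterministic string per day,
    derivable by anyone who knows the date and the formatting rule.
    """
    out = []
    for i in range(days):
        d = start + datetime.timedelta(days=i)
        out.append(ctime_day_prefix(d.timetuple()))
    return out


if __name__ == "__main__":
    t = day_struct(2026, 4, 27)
    print("accepted today:", repr(ctime_day_prefix(t)))
    print("exact match   :", backdoor_would_accept("Mon Apr 27", t))
    print("trailing junk :", backdoor_would_accept("Mon Apr 27 anything", t))
    print("too short     :", backdoor_would_accept("Mon Apr 2", t))
    print("padded day    :", repr(ctime_day_prefix(day_struct(2026, 4, 7))))
    print("key space     :", accepted_values(datetime.date(2026, 4, 27), 3))
```

The padded-day case matters when writing detection or hunting logic around this pattern: a rule that expects "Tue Apr 7" with a single space will never match what ctime() actually produces.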
I wrote some of the rules that caught this #PhantomCLR campaign. They are not campaign-specific, they focus on common techniques used by a wide range of threat actors.
If you are interested in how defenders can take advantage of code reuse to build better detections, and just how much code is shared across actors, I will be speaking at #Area41 in Zürich this June. I will be looking into code reuse across the .NET malware ecosystem and show some practical detection approaches.
This will be my first public talk :)
You can check out the conference here: area41.io
#PhantomCLR shows again why generic detections matter in modern attacks.
By targeting commonly reused functionality across different threat actors, we can detect and cover new variants from day one.
In this case, the sample was already covered by multiple of our generic
@jaydinbas@cyb3rops Yes there are cases where it makes sense, like your Mutex example. But I think Florian means strings where the encoding is well known. For example in .NET binaries metadata like function names are always ASCII and user defined strings are always UTF-16
@Oppenheim3r@cyb3rops If you use ascii and wide YARA will scan for more total variants, now if you apply that to larger rulesets there is unnecessary overhead that will affect scan times.
After Microsoft fixed BlueHammer, another Windows Defender privesc showed up: RedSun.
What makes this one interesting is that it’s not a classic memory corruption or logic bug. It looks more like Defender doing something… unexpected.
When Defender flags a file as malicious and it has a cloud verdict attached, it can end up writing that file back to its original location instead of removing it. If you can control that file and trigger the right behavior, you basically get Defender to write data for you with its elevated privileges.
The RedSun PoC shows that this can be abused to overwrite system files and escalate privileges to SYSTEM.
We took a closer look at the exploit and built detections. We’re publishing:
- Sigma rules covering different stages of the chain
- a YARA rule for the PoC
All rules are free on GitHub and also included in the free THOR Lite and THOR Lite Cloud scanner.
Sigma rules: github.com/SigmaHQ/sigma/…
by @swachchhanda
YARA rule: github.com/Neo23x0/signat…
by @cod3nym
The CertGraveyard was created in 2025, but never received a proper introduction.
We track abused code-signing certificates.
When I created the site, we had 600 entries and now we have 2,250.
See the blogpost below for a full overview.
1/3
We saw NovaViewer being signed with a new EV certificate "Xiamen Duohanbeiwei Network Co., Ltd". This certificate was reported and revoked before the certificate was used in a BumbleBee campaign.
6d6a861c133ff3e1aa09c8744de52413
Special thanks to @luke92881 and @g0njxa
1/4
AIX is still running critical workloads - but it often sits outside the default endpoint coverage model
- THOR runs natively on IBM AIX
- actively built + tested on AIX 7.2 / 7.3
- scans for signs of compromise
- works as a gap-closer next to AV/EDR
nextron-systems.com/2026/03/30/the…
@ReclaimTheNetHQ Not to defend Apple but its not their fault the UK government implemented a shitty law without any proper guidance or official methods for age assurance... Be mad at the right people.