![Battling Cryptojacking, Botnets, and IABs [Guest Diary], (Thu, Jan 15th)](https://www.ironcastle.net/wp-content/uploads/2026/01/status-7.gif)
[This is a Guest Diary by Matthew Presnal, an ISC intern as part of the SANS.edu BACS program]
All posts by David
Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain, (Wed, Jan 14th)
January 2026 Microsoft Patch Tuesday Summary, (Tue, Jan 13th)
AWS Weekly Roundup: AWS Lambda for .NET 10, AWS Client VPN quickstart, Best of AWS re:Invent, and more (January 12, 2026)
This post was originally published on this site
At the beginning of January, I tend to set my top resolutions for the year, a way to focus on what I want to achieve. If AI and cloud computing are on your resolution list, consider creating an AWS Free Tier account to receive up to $200 in credits and have 6 months of risk-free experimentation with AWS services.
During this period, you can explore essential services across compute, storage, databases, and AI/ML, plus access to over 30 always-free services with monthly usage limits. After 6 months, you can decide whether to upgrade to a standard AWS account.
Whether you’re a student exploring career options, a developer expanding your skill set, or a professional building with cloud technologies, this hands-on approach lets you focus on what matters most: developing real expertise in the areas you’re passionate about.
Last week’s launches
Here are the launches that got my attention this week:
- AWS Lambda – Now supports creating serverless applications using .NET 10 both as a managed runtime and a container base image. AWS will automatically apply updates to the managed runtime and base image as they become available. More info in this blog post.
- Amazon ECS – Adds support for tmpfs mounts to Linux tasks running on AWS Fargate and Amazon ECS Managed Instances in addition to the EC2 launch type. With tmpfs, you can create memory-backed file systems for your containerized workloads without writing data to task storage.
- AWS Config – Can now discover, assess, audit, and remediate additional AWS resource types across key services including Amazon EC2, Amazon SageMaker, and Amazon S3 Tables.
- Amazon MQ – Introduces HTTP based authentication for RabbitMQ brokers. You can configure this plugin on brokers by making changes to the associated configuration file. It now also supports certificate based authentication with mutual TLS for RabbitMQ brokers.
- Amazon MWAA – You can now create Apache Airflow version 2.11 environments with Amazon Managed Workflows for Apache Airflow. This version of Apache Airflow introduces changes that help you prepare for upgrading to Apache Airflow 3.
- Amazon EC2 – M8i, C8i and C8i-flex, R8i and R8i-flex, and I7ie instances are now available in additional AWS Regions.
- AWS Client VPN – A new quickstart reduces the number of steps required to set up a Client VPN endpoint.
- Amazon Quick Suite – Added integrations for AI agents and to its built-in actions library. For example, these now include GitHub, Notion, Canva, Box, Linear, Hugging Face, Monday.com, HubSpot, Intercom, and more.
Additional updates
Here are some additional projects, blog posts, and news items that I found interesting:
- Automating AWS SDK for Java v1 to v2 Upgrades with AWS Transform – To help you modernize Java applications efficiently while minimizing manual intervention and potential errors.
- Unlock Amazon Aurora’s Advanced Features with Standard JDBC Driver using AWS Advanced JDBC Wrapper – Enhance an existing application that uses the open source standard JDBC driver and unlock the capabilities of Aurora and the AWS Cloud with minimal code changes.
- Implement multi-Region endpoint routing for Amazon Aurora DSQL – An automated solution for redirecting database traffic to alternate regional endpoints without manual configuration changes.
- Crossmodal search with Amazon Nova Multimodal Embeddings – How to implement a crossmodal search system by generating embeddings, handling queries, and measuring performance with working code examples and tips to add these capabilities to your applications.
Upcoming AWS events
Join us January 28 or 29 (depending on your time zone) for Best of AWS re:Invent, a free virtual event where we bring you the most impactful announcements and top sessions from AWS re:Invent. Jeff Barr, AWS VP and Chief Evangelist, will share his highlights during the opening session.
There is still time until January 21 to compete for $250,000 in prizes and AWS credits in the Global 10,000 AIdeas Competition (yes, the second letter is an I as in Idea, not an L as in like). No code required yet: simply submit your idea, and if you’re selected as a semifinalist, you’ll build your app using Kiro within AWS Free Tier limits. Beyond the cash prizes and potential featured placement at AWS re:Invent 2026, you’ll gain hands-on experience with next-generation AI tools and connect with innovators globally.
If you’re interested in these opportunities, join the AWS Builder Center to learn with builders in the AWS community.
That’s all for this week. Check back next Monday for another Weekly Roundup!
– Danilo
YARA-X 1.11.0 Release: Hash Function Warnings, (Sun, Jan 11th)
This post was originally published on this site
YARA-X's 1.11.0 release brings a new feature: hash function warnings.
When you write a YARA rule to match a cryptographic hash (either the full file content or a part of it), what's actually going on are string comparisons:
Function hash.sha256 returns a string (the hexadecimal SHA256 hash it calculated) and that is compared to a literal string that is the hash you want to find.
If you make a mistake in your literal string hash (for example: unintentionally add an extra space), then the match will fail.
But YARA-X will now show a warning like this:
Another example is where you mixup hashes: you provide a SHA1 literal string hash, and it should be a SHA256.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Malicious Process Environment Block Manipulation, (Fri, Jan 9th)
This post was originally published on this site
Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I’ll show you how a malware can hide suspicious information related to created processes.
Analysis using Gephi with DShield Sensor Data, (Wed, Jan 7th)
This post was originally published on this site
I'm always looking for new ways of manipulating the data captured by my DShield sensor [1]. This time I used Gephi [2] and Graphiz [3] a popular and powerful tool for visualizing and exploring relationships between nodes, to examine the relationship between the source IP, filename and which sensor got a copy of the file. I queried the past 30 days of data stored in my ELK [4] database in Kibana using ES|QL [5][6] to query and export the data and import the result into Gephi.
A phishing campaign with QR codes rendered using an HTML table, (Wed, Jan 7th)
This post was originally published on this site
Malicious use of QR codes has long been ubiquitous, both in the real world as well as in electronic communication. This is hardly surprising given that a scan of a QR code can lead one to a phishing page as easily as clicking a link in an e-mail.
No more surprising is that vendors of security technologies have, over time, developed mechanisms for detecting and analyzing images containing QR codes that are included in e-mail messages[1,2]. These security mechanisms make QR code-based phishing less viable. However, due to the “cat and mouse” nature of cybersecurity, threat actors continually search for ways of bypassing various security controls, and one technique that can be effective in bypassing QR code detection and analysis in e-mail messages was demonstrated quite well in a recent string of phishing messages which made it into our inbox.
The technique in question is based on the use of imageless QR codes rendered with the help of an HTML table. While it is not new by any stretch[3], it is not too well-known, and I therefore consider it worthy of at least this short post.
Samples of the aforementioned phishing messages I have access to have been sent out between December 22nd and December 26th, and all of them had the same basic layout consisting of only a few lines of text along with the QR code.
Although it looks quite normal (except perhaps for being a little “squished”), the QR code itself was – as we have indicated above – displayed not using an image but rather with the help of an HTML table made up of cells with black and white background colors, as you can see from the following code.
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="180" height="180" align="center">
<tr height="4">
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
...
Links encoded in all QR codes pointed to subdomains of the domain lidoustoo[.]click, and except for the very first sample from December 22nd, which pointed to onedrive[.]lidoustoo[.]click, all the URLs had the following structure:
hxxps[:]//<domain from recipient e-mail><decimal or hexadecimal string>[.]lidoustoo[.]click/<alphanumeric string>/$<recipient e-mail>
While the underlying technique of rendering QR codes using HTML tables is – as we’ve mentioned – not new, its appearance in a real-world phishing campaign is a useful reminder that many defensive controls still implicitly rely on assumptions about how malicious content is represented… And these assumptions might not always be correct.
It is also a good reminder that purely technical security controls can never stop all potentially malicious content – especially content that has a socio-technical dimension – and that even in 2026, we will have to continue improving not just the technical side of security, but also user awareness of current threat landscape.
[1] https://www.proofpoint.com/us/blog/email-and-cloud-threats/malicious-qr-code-detection-takes-giant-leap-forward
[2] https://www.cloudflare.com/learning/security/what-is-quishing/
[3] https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20villages/DEF%20CON%2032%20-%20Adversary%20Vilage%20-%20Melvin%20Langvik%20-%20Evading%20Modern%20Defenses%20When%20Phishing%20with%20Pixels.pdf
———–
Jan Kopriva
LinkedIn
Nettles Consulting
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Tool Review: Tailsnitch, (Tue, Jan 6th)
This post was originally published on this site
In yesterday's podcast, I mentioned "tailsnitch", a new tool to audit Tailscale configurations. Tailscale is an easy-to-use overlay to Wireguard. It is probably best compared to STUN servers in VoIP in that it allows devices behind NAT to connect directly to each other. Tailscale just helps negotiate the setup, and once the connection is established, data will flow directly between the connected devices. I personally use it to provide remote assistance to family members, and it has worked great for this purpose. Tailscale uses a "Freemium" model. For my use case, I do not need to pay, but if you have multiple users or a large number of devices, you may need to pay a monthly fee. There are also a few features that are only available to paid accounts.
Risks of OOB Access via IP KVM Devices, (Mon, Jan 5th)
This post was originally published on this site
Recently, a new "breed" of IP-based KVM devices has been released. In the past, IP-based KVM devices required dedicated "server-grade" hardware using IPMI. They often cost several $100 per server, and are only available for specific systems that support the respective add-on cards. These cards are usually used to provide "Lights Out" access to servers, allowing a complete reboot and interaction with the pre-boot environment via simple web-based tools. In some cases, these IPMI tools can also be used via various enterprise/data center management tools.