![Battling Cryptojacking, Botnets, and IABs [Guest Diary], (Thu, Jan 15th)](https://www.ironcastle.net/wp-content/uploads/2026/01/status-7.gif)
[This is a Guest Diary by Matthew Presnal, an ISC intern as part of the SANS.edu BACS program]
Tag Archives: SANS
Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain, (Wed, Jan 14th)
January 2026 Microsoft Patch Tuesday Summary, (Tue, Jan 13th)
YARA-X 1.11.0 Release: Hash Function Warnings, (Sun, Jan 11th)
This post was originally published on this site
YARA-X's 1.11.0 release brings a new feature: hash function warnings.
When you write a YARA rule to match a cryptographic hash (either the full file content or a part of it), what's actually going on are string comparisons:
Function hash.sha256 returns a string (the hexadecimal SHA256 hash it calculated) and that is compared to a literal string that is the hash you want to find.
If you make a mistake in your literal string hash (for example: unintentionally add an extra space), then the match will fail.
But YARA-X will now show a warning like this:
Another example is where you mixup hashes: you provide a SHA1 literal string hash, and it should be a SHA256.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Malicious Process Environment Block Manipulation, (Fri, Jan 9th)
This post was originally published on this site
Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I’ll show you how a malware can hide suspicious information related to created processes.
Analysis using Gephi with DShield Sensor Data, (Wed, Jan 7th)
This post was originally published on this site
I'm always looking for new ways of manipulating the data captured by my DShield sensor [1]. This time I used Gephi [2] and Graphiz [3] a popular and powerful tool for visualizing and exploring relationships between nodes, to examine the relationship between the source IP, filename and which sensor got a copy of the file. I queried the past 30 days of data stored in my ELK [4] database in Kibana using ES|QL [5][6] to query and export the data and import the result into Gephi.
A phishing campaign with QR codes rendered using an HTML table, (Wed, Jan 7th)
This post was originally published on this site
Malicious use of QR codes has long been ubiquitous, both in the real world as well as in electronic communication. This is hardly surprising given that a scan of a QR code can lead one to a phishing page as easily as clicking a link in an e-mail.
No more surprising is that vendors of security technologies have, over time, developed mechanisms for detecting and analyzing images containing QR codes that are included in e-mail messages[1,2]. These security mechanisms make QR code-based phishing less viable. However, due to the “cat and mouse” nature of cybersecurity, threat actors continually search for ways of bypassing various security controls, and one technique that can be effective in bypassing QR code detection and analysis in e-mail messages was demonstrated quite well in a recent string of phishing messages which made it into our inbox.
The technique in question is based on the use of imageless QR codes rendered with the help of an HTML table. While it is not new by any stretch[3], it is not too well-known, and I therefore consider it worthy of at least this short post.
Samples of the aforementioned phishing messages I have access to have been sent out between December 22nd and December 26th, and all of them had the same basic layout consisting of only a few lines of text along with the QR code.
Although it looks quite normal (except perhaps for being a little “squished”), the QR code itself was – as we have indicated above – displayed not using an image but rather with the help of an HTML table made up of cells with black and white background colors, as you can see from the following code.
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="180" height="180" align="center">
<tr height="4">
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#FFFFFF"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
<td width="4" height="4" bgcolor="#000000"></td>
...
Links encoded in all QR codes pointed to subdomains of the domain lidoustoo[.]click, and except for the very first sample from December 22nd, which pointed to onedrive[.]lidoustoo[.]click, all the URLs had the following structure:
hxxps[:]//<domain from recipient e-mail><decimal or hexadecimal string>[.]lidoustoo[.]click/<alphanumeric string>/$<recipient e-mail>
While the underlying technique of rendering QR codes using HTML tables is – as we’ve mentioned – not new, its appearance in a real-world phishing campaign is a useful reminder that many defensive controls still implicitly rely on assumptions about how malicious content is represented… And these assumptions might not always be correct.
It is also a good reminder that purely technical security controls can never stop all potentially malicious content – especially content that has a socio-technical dimension – and that even in 2026, we will have to continue improving not just the technical side of security, but also user awareness of current threat landscape.
[1] https://www.proofpoint.com/us/blog/email-and-cloud-threats/malicious-qr-code-detection-takes-giant-leap-forward
[2] https://www.cloudflare.com/learning/security/what-is-quishing/
[3] https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20villages/DEF%20CON%2032%20-%20Adversary%20Vilage%20-%20Melvin%20Langvik%20-%20Evading%20Modern%20Defenses%20When%20Phishing%20with%20Pixels.pdf
———–
Jan Kopriva
LinkedIn
Nettles Consulting
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Tool Review: Tailsnitch, (Tue, Jan 6th)
This post was originally published on this site
In yesterday's podcast, I mentioned "tailsnitch", a new tool to audit Tailscale configurations. Tailscale is an easy-to-use overlay to Wireguard. It is probably best compared to STUN servers in VoIP in that it allows devices behind NAT to connect directly to each other. Tailscale just helps negotiate the setup, and once the connection is established, data will flow directly between the connected devices. I personally use it to provide remote assistance to family members, and it has worked great for this purpose. Tailscale uses a "Freemium" model. For my use case, I do not need to pay, but if you have multiple users or a large number of devices, you may need to pay a monthly fee. There are also a few features that are only available to paid accounts.
Risks of OOB Access via IP KVM Devices, (Mon, Jan 5th)
This post was originally published on this site
Recently, a new "breed" of IP-based KVM devices has been released. In the past, IP-based KVM devices required dedicated "server-grade" hardware using IPMI. They often cost several $100 per server, and are only available for specific systems that support the respective add-on cards. These cards are usually used to provide "Lights Out" access to servers, allowing a complete reboot and interaction with the pre-boot environment via simple web-based tools. In some cases, these IPMI tools can also be used via various enterprise/data center management tools.
Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th)
This post was originally published on this site
Introduction
In October 2025, a work colleague documented a cryptocurrency scam using a fake chatbot. After investigating this, I was able to receive messages from the campaign, and these emails have continued to land in my honeypot account since then. This diary documents the cryptocurrency scam campaign as it continues in 2026.
Shown above: My honeypot email inbox with several emails from this cryptocurrency scam campaign.
Details
This campaign promises cash payouts on cryptocurrency that potential victims unknowingly have.
This campaign primarily abuses the minimalist publishing platform telegra[.]ph, which anyone can use to publish a simple web page very quickly. Many of these emails have minimal messaging and contain links to these telegra[.]ph pages.
Shown above: Example of an email from this campaign with link to a telegra[.]ph page.
Shown above: Example of a telegra[.]ph page from this campaign.
This campaign is not limited to abusing telegra[.]ph. Many of these emails contain Google Forms pages that lead to the telegra[.]ph page.
Shown above: Example of a Google Forms email from this campaign.
Shown above: Example of a response from the Google Forms link that leads to a telegra[.]ph page for this campaign.
These telegra[.]ph pages generally lead to the same type of cryptocurrency scam, stating you have over $100K in US dollars worth of Bitcoin from an automated Bitcoin mining cloud platform.
Shown above: Example of a page to begin the cryptocurrency scam.
In November 2025, I posted a video on YouTube, where I went through the website step-by-step, interacting with the fake chatbot to get to the actual scam. The scam involves paying a fee to convert the supposed Bitcoin to US dollars, which potential victims would send to a wallet controlled by the criminals.
Final Words
Many free services are easy to abuse for these types of campaigns. While these emails may seem obviously fake, they continue to be cost-effective for criminals to send, and criminals can easily abuse other services to host everything needed for this scam.
Bradley Duncan
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.