SANS Internet Storm Center, InfoCON

The website 'isc.sans.edu' is part of the SANS Institute, one of the most trusted institutions for cybersecurity training and certification. It is predominantly information-centered and offers various resources in the field of cybersecurity. The homepage of 'isc.sans.edu' provides real-time updates on cyber threats and vulnerabilities from the SANS Internet Storm Center, displayed as a dashboard with the latest updates, a threat-level graph, and a box score. It offers a diagnostics project, which includes malware signatures, threat feeds, and rule sets for a complete cybersecurity analysis. Moreover, the site also offers education and training for cybersecurity professionals, as well as a forum for discussions on cybersecurity topics. The site's main sections include:

1. InfoStorms: tracks and reports on storms and provides steps to mitigate immediate threats.
2. Threats: current global cyber threats.
3. Free Tools: a number of free tools for testing and evaluating systems against cyber threats.
4. Education: a variety of cybersecurity training courses to choose from.
5. Vulnerabilities: information about past vulnerabilities and guides on mitigating them.

Thread Of Notes

From a VHDX File to a Remcos RAT, (Tue, Jun 16th)

Yesterday, a reader reported to us a malicious ZIP archive (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094[1]). Once unzipped, it contains a VHDX file which, once mounted (which happens automatically on modern Windows versions), exposes a malicious JavaScript file.

How has use of framing protection security headers changed in the past 3 years?, (Wed, Jun 10th)

Back in 2023, I wrote a diary[1] discussing how commonly X-Frame-Options and CSP headers containing the frame-ancestors directive were used on the 1 million most popular domains on the internet (based on the Tranco list[2]), and how they were set. Given that three years have passed since then, I thought it might be interesting to repeat the analysis and see what, if anything, has changed in the meantime.
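The classification such a survey has to make, as an added example that is not the diary's code: a Python function that reads one site's response headers and decides how a browser will treat framing. The header sets are constructed samples; the precedence rules it encodes (frame-ancestors overrides X-Frame-Options when both are present, Content-Security-Policy-Report-Only enforces nothing, the obsolete ALLOW-FROM value is ignored by current browsers and therefore gives no protection) are standard browser behaviour.

```python
"""Classify framing protection from HTTP response headers (added example)."""
from collections import Counter

# Verdicts from most to least restrictive; used to pick the strictest policy.
_ORDER = ("deny", "sameorigin", "allow-list", "allow-all", "unprotected")


def _normalise(headers):
    """Lower-case names; allow a header to carry one value or a list of values."""
    out = {}
    for name, value in headers.items():
        out.setdefault(name.lower(), []).extend([value] if isinstance(value, str) else value)
    return out


def _frame_ancestors(csp_values):
    """One source list per CSP policy that carries a frame-ancestors directive."""
    lists = []
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append([t.strip("'").lower() for t in tokens[1:]])
    return lists


def _csp_verdict(sources):
    if not sources or sources == ["none"]:   # empty source list matches nothing
        return "deny"
    if "*" in sources:
        return "allow-all"
    if set(sources) == {"self"}:
        return "sameorigin"
    return "allow-list"


def classify_framing(headers):
    """Return (mechanism, verdict) for one response's headers."""
    h = _normalise(headers)
    csp_lists = _frame_ancestors(h.get("content-security-policy", []))
    if csp_lists:
        # Every delivered policy must allow the embedder, so the strictest one wins.
        return "csp", min((_csp_verdict(s) for s in csp_lists), key=_ORDER.index)
    xfo = [v.strip().lower() for v in h.get("x-frame-options", [])]
    if not xfo:
        return "none", "unprotected"
    if len(set(xfo)) > 1:
        return "xfo", "deny"            # conflicting values: browsers refuse to frame
    if xfo[0] in ("deny", "sameorigin"):
        return "xfo", xfo[0]
    return "xfo", "unprotected"         # ALLOW-FROM or a typo: ignored, page is frameable


def summarise(sites):
    """Tally (mechanism, verdict) pairs across many sites, as a Tranco-style survey would."""
    return Counter(classify_framing(headers) for headers in sites.values())


SAMPLE_SITES = {  # constructed header sets, not real measurements
    "a.example": {"X-Frame-Options": "DENY"},
    "b.example": {"X-Frame-Options": "SAMEORIGIN",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "c.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "d.example": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "e.example": {"Content-Security-Policy": ["frame-ancestors 'self' https://cdn.example",
                                              "frame-ancestors 'self'"]},
    "f.example": {"X-Frame-Options": ["DENY", "SAMEORIGIN"]},
}

if __name__ == "__main__":
    for site, headers in SAMPLE_SITES.items():
        print(site, classify_framing(headers))
    print(summarise(SAMPLE_SITES))
```

Note that site c.example and site d.example both look protected at a glance and are not: one uses a directive no current browser honours, the other only reports violations without blocking them. A survey that counts header presence rather than effective policy overstates coverage.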

Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)

Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three were disclosed before today. Six of the vulnerabilities affect Microsoft cloud solutions and do not require any user action. In addition, Microsoft incorporated fixes for 360 different Chromium vulnerabilities into its Edge browser.

TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)

This diary continues the Internet Storm Center's tracking of the TeamPCP supply chain campaign, first documented in the SANS white paper When the Security Scanner Became the Weapon and most recently in the handler diary Activity Through 2026-05-24. Since that update, the story moved into two new places: the United States government, which formally caught up to the campaign, and the wider population of attackers now wielding the Mini Shai-Hulud framework that TeamPCP open-sourced last month.

The Evil MSI Background is Back!, (Fri, Jun 5th)

A few months ago, I wrote a diary about a payload that was embedded into a JPEG picture. It was an MSI-branded background[1]. Yesterday, I spotted another one! It seems that the technique is getting more and more popular. This time, it started with a mail containing a WeTransfer link.

Continuing Scans for swagger.json, (Wed, Jun 3rd)

Enterprise applications often still use complex standards like SOAP for web services. The big advantage of SOAP is its tight and extensive standards, which enable interoperability across an enterprise governed by web services. The disadvantages of SOAP: first, while it is de facto usually used over HTTP, it does not leverage HTTP, leading to unnecessary complexity. Secondly, kids don't RTFM, and developers these days tend not to appreciate the art of careful system design; they would rather throw code at an IDE to see what sticks, if they don't vibe code it anyway.
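The scanning the diary's title refers to is easy to spot in access logs once you look for it. As an added example that is not the diary's code, the Python below runs detection logic over constructed log lines in Apache/nginx combined format: it flags a source that tries several API-specification paths in a row (swagger.json, openapi.json, api-docs and friends) and, more importantly, reports any such path that answered 200, because that is the moment the API surface was handed to the scanner. The path list and the threshold are assumptions.

```python
"""Spot API-specification discovery probes in web access logs (added example)."""
import re
from collections import defaultdict

# Combined log format; referer and user-agent follow but are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of spec file names and path segments that scanners try.
SPEC_FILES = ("swagger.json", "swagger.yaml", "swagger.yml",
              "openapi.json", "openapi.yaml", "openapi.yml", "swagger-ui.html")
SPEC_SEGMENTS = {"api-docs", "swagger-ui", "swagger-resources", "swagger"}

SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:08:12:01 +0000] "GET /swagger.json HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jun/2026:08:12:01 +0000] "GET /swagger/v1/swagger.json HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jun/2026:08:12:02 +0000] "GET /v2/api-docs HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jun/2026:08:12:02 +0000] "GET /v3/api-docs HTTP/1.1" 200 48211 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jun/2026:08:12:03 +0000] "GET /openapi.json?x=1 HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.2 - - [03/Jun/2026:08:15:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [03/Jun/2026:08:15:45 +0000] "GET /openapi.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""  # constructed lines, not real traffic


def is_spec_probe(path):
    """True if the request path (query string ignored) targets an API spec location."""
    p = path.split("?", 1)[0].lower().rstrip("/")
    if p.endswith(SPEC_FILES):
        return True
    return bool(SPEC_SEGMENTS & set(p.split("/")))


def find_probes(log_text, min_paths=3):
    """Return (scanners, exposed).

    scanners: {ip: {path: last status}} for sources that hit at least min_paths
              distinct spec paths (one request for /openapi.json is not a scan).
    exposed:  [(ip, path)] where such a source received a 200, i.e. the spec leaked.
    """
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_spec_probe(m["path"]):
            continue
        hits[m["ip"]][m["path"].split("?", 1)[0]] = int(m["status"])
    scanners = {ip: paths for ip, paths in hits.items() if len(paths) >= min_paths}
    exposed = [(ip, path) for ip, paths in scanners.items()
               for path, status in paths.items() if status == 200]
    return scanners, exposed


if __name__ == "__main__":
    scanners, exposed = find_probes(SAMPLE_LOG)
    for ip, paths in scanners.items():
        print(f"{ip}: {len(paths)} spec paths tried")
    for ip, path in exposed:
        print(f"EXPOSED: {ip} fetched {path} with 200")
```

The 404s are the normal case and mostly tell you who is scanning; the single 200 is the actionable line, since a live OpenAPI document enumerates every endpoint and parameter the scanner will try next.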

New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)

For a few days, my SANS ISC mailbox has been flooded with emails delivering SVG files. An SVG ("Scalable Vector Graphics") is a web-friendly vector file format used for graphics and icons. No URL in the body, just "an image": that is the perfect way to deliver malicious content. This isn't the first time we have seen this technique used by threat actors[1].
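What makes such an "image" dangerous is that SVG is XML and may carry script. As an added example that is not the diary's code, the Python below performs a static triage of an SVG attachment: it walks the document once and reports script blocks, on* event attributes, foreignObject elements (embedded HTML) and href targets that point outside the file or into javascript:/data: URLs. The sample SVG is constructed.

```python
"""Static triage of an SVG attachment for phishing indicators (added example)."""
import xml.etree.ElementTree as ET

# Finding kinds that mean the file can execute or embed active content.
ACTIVE_KINDS = {"script", "event-handler", "javascript-href", "data-href", "foreignObject"}


def _local(qname):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def triage_svg(svg_bytes):
    """Return a list of (kind, excerpt) findings for one SVG document."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("script", (el.text or "").strip()[:80]))
        elif tag == "foreignobject":
            findings.append(("foreignObject", "embedded non-SVG content"))
        for attr, value in el.attrib.items():
            name, v = _local(attr), value.strip()
            low = v.lower()
            if name.startswith("on"):                       # onload=, onclick=, ...
                findings.append(("event-handler", f"{name}={v[:80]}"))
            elif name == "href":                            # href= or xlink:href=
                if low.startswith("javascript:"):
                    findings.append(("javascript-href", v[:120]))
                elif low.startswith("data:"):
                    findings.append(("data-href", v[:120]))
                elif low.startswith(("http://", "https://")):
                    findings.append(("external-link", v[:120]))
    return findings


def verdict(findings):
    kinds = {kind for kind, _ in findings}
    if kinds & ACTIVE_KINDS:
        return "suspicious"
    if "external-link" in kinds:
        return "review"       # a plain click-through lure, no code execution
    return "clean"


SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="420" height="160">
  <text x="20" y="40">Voice message (0:37) - click to listen</text>
  <a xlink:href="https://auth-portal.example/listen"><rect x="20" y="60" width="180" height="40"/></a>
  <script type="text/javascript"><![CDATA[
    window.location = "https://auth-portal.example/listen";
  ]]></script>
</svg>"""  # constructed lure, not a real sample

if __name__ == "__main__":
    hits = triage_svg(SAMPLE_SVG)
    for kind, excerpt in hits:
        print(f"{kind:15} {excerpt}")
    print("verdict:", verdict(hits))
```

The script only runs when the SVG is opened as a document (double-clicked from the mail client or loaded in a browser tab); rendered through an HTML img element it is inert, which is why these lures push the victim to open the attachment rather than view it inline.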

Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)

Using the data collected over the past year, and two ES|QL queries in Kibana to summarize it, this lists the threats most often uploaded to two DShield sensors (one local, one cloud) over that period. I have sorted the activity by month, which shows how the files uploaded to each sensor evolved month over month. Activity peaked during the winter months (Dec 2025 - Feb 2026) and started decreasing in March 2026 for each sensor.

Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th)

Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up, the interesting forensic work is over. The questions that matter to defenders sit earlier: How did they get in? When did they get domain admin? What did they touch before the binary fired? Those answers live in the days before impact, in two log sources that almost never get joined: the perimeter firewall and the Windows event channel.
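Joining those two sources is mostly a matter of agreeing on keys. As an added example that is not the diary's code, the Python below builds one timeline from both: a firewall VPN login supplies the user and the tunnel address, which then match the source address and account in the first RDP logon, and the first 4672 for that account on a domain controller answers the "when did they get domain admin" question. Both inputs are constructed: the firewall lines use an assumed syslog-style key=value format, and the Windows events are what the relevant records look like once parsed out of the EVTX, using only well-known IDs (4624 logon with LogonType 10 for RDP, 4672 special privileges assigned, 7045 new service installed).

```python
"""Join perimeter-firewall and Windows event logs into one intrusion timeline (added example)."""
from datetime import datetime, timedelta

FW_LOG = """\
2026-04-30T22:41:09Z fw01 vpn: action=login user=jsmith src=203.0.113.45 assigned=10.200.0.17
2026-05-01T01:05:33Z fw01 conn: action=allow src=10.0.5.21 dst=198.51.100.9 dport=443 bytes=4831838208
"""  # constructed; format is an assumption

WIN_EVENTS = [  # constructed, as parsed from Security/System EVTX records
    {"ts": "2026-04-30T22:58:12Z", "host": "FS01", "event_id": 4624, "user": "jsmith", "logon_type": 10, "src_ip": "10.200.0.17"},
    {"ts": "2026-04-30T23:20:41Z", "host": "DC01", "event_id": 4624, "user": "jsmith", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"ts": "2026-04-30T23:20:41Z", "host": "DC01", "event_id": 4672, "user": "jsmith"},
    {"ts": "2026-04-30T23:22:10Z", "host": "DC01", "event_id": 4672, "user": "SYSTEM"},
    {"ts": "2026-04-30T23:47:05Z", "host": "DC01", "event_id": 7045, "service": "rsvc", "image": r"C:\ProgramData\rsvc\rsvc.exe"},
]

NOISE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}   # 4672 fires for these constantly


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_firewall(text):
    """Yield dicts with ts, kind (vpn/conn) and the key=value fields of each line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _host, kind, rest = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield {"ts": _ts(ts), "kind": kind.rstrip(":"), **fields}


def build_timeline(fw_text, win_events, rdp_window=timedelta(hours=12), exfil_bytes=1 << 30):
    """Return [(ts, stage, detail)] sorted by time, joined on user and VPN tunnel address."""
    timeline = []
    vpn = {}  # user -> (login ts, tunnel ip) for the first VPN login seen
    for e in parse_firewall(fw_text):
        if e["kind"] == "vpn" and e.get("action") == "login":
            vpn.setdefault(e["user"], (e["ts"], e.get("assigned")))
            timeline.append((e["ts"], "initial_access",
                             f"VPN login {e['user']} from {e['src']}, tunnel ip {e.get('assigned')}"))
        elif e["kind"] == "conn" and int(e.get("bytes", 0)) >= exfil_bytes:
            timeline.append((e["ts"], "exfil_candidate",
                             f"{e['src']} -> {e['dst']}:{e['dport']} {int(e['bytes']) >> 20} MiB out"))
    seen_priv = set()
    for ev in sorted(win_events, key=lambda x: x["ts"]):
        ts = _ts(ev["ts"])
        if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            login = vpn.get(ev["user"])
            if login and timedelta(0) <= ts - login[0] <= rdp_window:
                # Source equals the tunnel address: first hop. Otherwise the user is already inside.
                stage = "rdp_from_vpn" if ev.get("src_ip") == login[1] else "lateral_rdp"
                timeline.append((ts, stage, f"4624/type10 {ev['user']} -> {ev['host']} from {ev.get('src_ip')}"))
        elif ev["event_id"] == 4672 and ev["user"].upper() not in NOISE_ACCOUNTS and ev["user"] not in seen_priv:
            seen_priv.add(ev["user"])
            timeline.append((ts, "privileged_logon", f"4672 {ev['user']} on {ev['host']} (first privileged logon)"))
        elif ev["event_id"] == 7045:
            timeline.append((ts, "service_installed", f"7045 {ev['host']} service {ev.get('service')} -> {ev.get('image')}"))
    return sorted(timeline, key=lambda x: x[0])


def time_to_privilege(timeline):
    """Gap between the first initial-access event and the first privileged logon, or None."""
    first = {}
    for ts, stage, _ in timeline:
        first.setdefault(stage, ts)
    if "initial_access" in first and "privileged_logon" in first:
        return first["privileged_logon"] - first["initial_access"]
    return None


if __name__ == "__main__":
    tl = build_timeline(FW_LOG, WIN_EVENTS)
    for ts, stage, detail in tl:
        print(ts.isoformat(), stage.ljust(18), detail)
    print("time to privileged logon:", time_to_privilege(tl))
```

The tunnel address the concentrator assigns is the only field that appears in both sources, which is why VPN logs that omit it (or firewalls that only log the public source) leave you joining on username and time alone.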

TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)

TeamPCP now operates across three package ecosystems in parallel, it reached GitHub's own internal codebase, it trojanized an officially Microsoft-published Python SDK, and it appears to have open-sourced its own framework on GitHub.

An Example of Stack String in High Level Language, (Sat, May 23rd)

This week, I'm attending the SEC670[1] training ("Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control"). From my point of view, this training fits perfectly with FOR610 or FOR710 (malware analysis) because it addresses malware from the opposite direction: instead of performing reverse engineering, you write malicious code! It is always interesting to have another point of view.

Cross-Platform NPM Stealer, (Fri, May 22nd)

I found a Node.js stealer that looked pretty well obfuscated. The file did not run out-of-the-box because it was uploaded to VT as "extracted-decoded.js" (and reformatted). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[1]. It did not run properly in a sandbox, so only a static analysis was performed.

Selective HTTP Proxying in Linux, (Thu, May 21st)

Recently, Rob wrote about a tool, Proxifier, that can intercept requests from specific processes. Proxifier is available for Windows, macOS, and Android. But I have not seen a generic Linux option yet. The advantage of a tool like Proxifier is the ability to target specific software. For debugging, reverse engineering, and similar tasks, selecting a specific process is quite useful, as it creates less noise to sift through and simplifies analysis.

TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)

Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.

[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)


Simple bypass of the link preview function in Outlook Junk folder, (Thu, May 14th)

Besides serving as a place where Microsoft Outlook places suspected spam, the Outlook Junk folder has one additional function that can be quite helpful when it comes to identifying malicious messages. Any e-mail placed in this folder is stripped of all formatting, and destinations of all links included in the message become visible to the user, as you can see in the following images which show the same e-mail when it is placed in the inbox, and when it is placed in the Junk folder.

[GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th)

[This is a Guest Diary by Joshua Nikolson, an ISC Intern and part of the SANS.edu Bachelor's degree in Applied Cybersecurity (BACS) program.]