veganism.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Veganism Social is a welcoming space on the internet for vegans to connect and engage with the broader decentralized social media community.

#rat

6 posts, 5 participants, 2 posts today

Steganography Analysis With pngdump.py

This article discusses the analysis of a PNG file containing hidden malicious content using the pngdump.py tool. The image, 31744 pixels wide and 1 pixel high, was found to have a PE file embedded in its pixel data. The author demonstrates how to extract the hidden file using various Python tools and techniques, including slicing the raw pixel data to isolate the second channel where the malware was concealed. The extracted PE file, identified as a .NET executable, had 49 detections on VirusTotal, while the original PNG file had none, showcasing the effectiveness of this steganography technique in evading detection.

Pulse ID: 680caa2918e5441a8aab47f8
Pulse Link: otx.alienvault.com/pulse/680ca
Pulse Author: AlienVault
Created: 2025-04-26 09:40:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
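The channel-slicing step the pulse above describes, as an added example (this is not the pulse's code and not pngdump.py): a stdlib-only PNG reader that walks the chunk list, inflates the IDAT data, undoes scanline filtering, isolates one channel with a stride slice (the analysis used the second channel, i.e. `[1::3]` on RGB data), and carves an MZ-headed blob whose e_lfanew really points at a `PE\0\0` signature. The real 31744x1 image is not on this page, so the block builds its own constructed 1-pixel-high RGB PNG with a fake DOS/PE header stub in the green channel; that stand-in, its filler values and the function names are assumptions.

```python
"""Carve a PE hidden in one colour channel of a PNG, standard library only."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (type 3 is palette indices, not colour).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def fake_pe():
    """Constructed stand-in for the hidden executable: a DOS header whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature, then filler."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(range(256)) * 4


def build_one_row_rgb_png(payload, channel=1):
    """Constructed sample: 8-bit RGB PNG, len(payload) wide and 1 pixel high,
    one payload byte per pixel in the chosen channel (1 = green)."""
    pixels = bytearray()
    for value in payload:
        px = bytearray(b"\x10\x20\x30")  # arbitrary filler in the other two channels
        px[channel] = value
        pixels += px
    scanline = b"\x00" + bytes(pixels)  # filter type 0 (None) on the single row
    ihdr = struct.pack(">IIBBBBB", len(payload), 1, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def parse_png(data):
    """Walk the chunk list; return (width, height, channels, filtered scanlines)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, ihdr, idat = 8, None, bytearray()
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body  # image data may be split across several IDAT chunks
        elif ctype == b"IEND":
            break
        pos += 12 + length  # length field + type + data + CRC
    width, height, bit_depth, color_type, _, _, interlace = ihdr
    if bit_depth != 8 or interlace != 0:
        raise NotImplementedError("only 8-bit non-interlaced images are handled")
    return width, height, CHANNELS[color_type], zlib.decompress(bytes(idat))


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)


def unfilter(filtered, stride, bpp):
    """Undo PNG scanline filtering (types 0-4) so we get raw pixel bytes."""
    prev, out, pos = bytearray(stride), bytearray(), 0
    while pos + 1 + stride <= len(filtered):
        ftype = filtered[pos]
        line = bytearray(filtered[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0  # reconstructed left neighbour
            b = prev[i]  # pixel above (zeros on the first row)
            c = prev[i - bpp] if i >= bpp else 0  # above-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
        out += line
        prev = line
    return bytes(out)


def carve_pe(blob):
    """Return the first MZ-headed slice whose e_lfanew lands on 'PE\\0\\0', else None.
    Checking e_lfanew avoids false hits on a bare 'MZ' in ordinary pixel data."""
    off = blob.find(b"MZ")
    while off >= 0:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            if blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
                return blob[off:]
        off = blob.find(b"MZ", off + 1)
    return None


def extract_pe_from_channel(png_bytes, channel):
    """Isolate one channel with a stride slice and carve a PE out of it."""
    width, height, channels, filtered = parse_png(png_bytes)
    pixels = unfilter(filtered, width * channels, channels)
    return carve_pe(pixels[channel::channels])


if __name__ == "__main__":
    sample = build_one_row_rgb_png(fake_pe(), channel=1)
    for ch in range(3):
        pe = extract_pe_from_channel(sample, ch)
        print(f"channel {ch}: {len(pe) if pe else 'no'} PE bytes")
```

Two caveats when turning this on a real sample: a colour-type-3 (palette) image yields palette indices from the stride slice, not colour values, and a payload spread across bit-planes (LSB steganography) rather than a whole channel will not fall out of a stride slice at all. Once a blob is carved, hash and submit the carved file, since, as the pulse notes, the container PNG itself may score zero.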

Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware

This analysis details a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) in March 2025. The attackers used a trojanized version of a legitimate Uyghur language text editor to deliver Windows-based malware for remote surveillance. While not technically advanced, the malware delivery was well-customized to reach the Uyghur community. This incident is part of a broader pattern of digital transnational repression against Uyghur diaspora by actors likely aligned with the Chinese government. The malware profiled systems, sent information to remote servers, and could load additional malicious plugins. The campaign demonstrates the ongoing digital threats facing exiled Uyghur communities and the exploitation of software meant to support marginalized cultures.

Pulse ID: 680f07377e6aaa99a9dafcc4
Pulse Link: otx.alienvault.com/pulse/680f0
Pulse Author: AlienVault
Created: 2025-04-28 04:42:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Threat actors misuse Node.js to deliver malware and other malicious payloads

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access, persistence, defense evasion, data collection, and payload delivery. The malware gathers system information, sets up scheduled tasks, and uses PowerShell for various malicious activities. Another emerging technique involves inline JavaScript execution through Node.js. Recommendations include educating users, monitoring Node.js execution, enforcing PowerShell logging, and implementing endpoint protection.

Pulse ID: 67fec5ac1e94a608250d9aa2
Pulse Link: otx.alienvault.com/pulse/67fec
Pulse Author: AlienVault
Created: 2025-04-15 20:46:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for surveillance, data exfiltration, and remote control of infected devices. The investigation uncovered multiple domains, IP addresses, and APK files associated with this campaign. The malware utilizes various C2 endpoints for communication and data exfiltration, with functions designed to retrieve and manipulate device information, contacts, SMS, and applications.

Pulse ID: 67feb504b76dd387be73309b
Pulse Link: otx.alienvault.com/pulse/67feb
Pulse Author: AlienVault
Created: 2025-04-15 19:35:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Chrome

A Deep Dive into Strela Stealer and how it Targets European Countries

Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germany, and Ukraine. Recent attacks involve forwarding legitimate emails with malicious attachments. Strela Stealer employs multi-layer obfuscation and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific German-speaking countries. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.

Pulse ID: 67fb93e88bf6ed070ce7164a
Pulse Link: otx.alienvault.com/pulse/67fb9
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
