-
YARA-X 1.17.0 Release, (Sun, May 31st)
YARA-X’s 1.17.0 release brings 5 improvements (several performance improvements) and 1 bugfix. Didier Stevens Senior handler blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950, (Fri, May 29th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)
Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year. I have sorted the activity by months that shows the evolution of files uploaded to the sensors…
-
ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948, (Thu, May 28th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th)
Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up the interesting forensic work is over. The questions that matter to defenders sit earlier. How did they get in. When did they get domain admin. What did they touch before the binary fired. Those answers live in…
-
ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946, (Wed, May 27th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944, (Tue, May 26th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)
Introduction In recent weeks, I’ve searched for pages impersonating Claude that distribute malware. In recent weeks, I’ve reliably found these sites through malicious ads in Google searches that lead to these pages, often concealed in URLs for sites.google[.]com, such as this example from 2026-05-11. These fake Claude pages generally show instructions for macOS malware when…
-
Microsoft Access VBA, (Mon, May 25th)
Microsoft Access files (Microsoft Office’s Database) can contain VBA code. But they are not ole or OOXML files. You can’t analyze them with oledump.py: Neither do they contain an embedded OLE file: Microsoft does not publish official documentation for the Microsoft Access file format, like it does for CFB (ole) and OOXML. That inspired me…
-
TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)
TeamPCP now operates across three package ecosystems in parallel, it reached GitHub’s own internal codebase, it trojanized an officially Microsoft-published Python SDK, and it appears to have open-sourced its own framework on GitHub. Bottom line up front Three escalations stacked inside a single week. First, GitHub’s CISO Alexis Wales publicly named a malicious Nx Console…
