🇺🇦 Xorhex 🇺🇦

📣 #PIVOTcon26 Agenda is here 🤟 We are thrilled to announce the lineup for this year's edition!
2⃣ days and 19 talks from leading #ThreatResearch experts.
The agenda link is in the first comment👇, and the talks and speakers are in the thread.🧵
#CTI #ThreatIntel
1/15

😬

Victor just released v1.14.0 - improvements in macho module, tighter code generation in the compiler and the new “deps” command.

Congratulations to everyone involved!

github.com/VirusTotal/y...

a man in a suit and tie stands in front of an amazon prime logo ALT: a man in a suit and tie stands in front of an amazon prime logo

We are still finalising the agenda and the updated website, so the #PIVOTcon26 lineup announcement will be made early next week.
#CTI #ThreatIntel #ThreatResearch
#StayTuned

never ask a researcher for their config parser code because it's gonna be the most spaghetti thing you've ever seen

yr + nushell, cause why not?

Reverse engineers often spend significant time deciphering third-party libraries within firmware. My talk, scheduled for Friday at 5 PM at Reverse, introduces SightHouse, an open-source initiative aimed at automatically identifying third-party functions to enhance analysis efficiency.

RE//verse 2026 - Reverse Engineering Conference Join us March 5-7, 2026 in Orlando, FL. Premier reverse engineering, vulnerability research, and malware analysis conference with world-class trainings and talks.

@re-verse.io has lighting talks 🤔

Wonder if I can dust the cobwebs off of this deob-CFF project and get it working prior to Saturday. Chances are low but going to try 😅 re-verse.io

PlugX is a long-running Remote Access Trojan (RAT) that has been consistently linked to multiple China-aligned threat actors and espionage operations worldwide.
Lab 52 | S2 Grupo
lab52.io/blog/plugx-m...

#MustangPanda

GitLab Threat Intelligence Team reveals North Korean tradecraft Gain threat intelligence about North Korea’s Contagious Interview and fake IT worker campaigns and learn how GitLab disrupted their operations.

Without exaggeration, one of the most epic DPRK reports ever about.gitlab.com/blog/gitlab-...

RationalEdge's #REDS Platform now supports 🍎 Mach-O 🍏( #iOS + #macOS) and Universal (FAT) binary formats.

We now cover:
- #PE, #ELF, #MachO
- x86/64, ARM/AArch64, MIPS, PowerPC, RISC-V (32/64)

@rationaledge.bsky.social rationaledge.io
#ThreatResearch #ThreatIntel #CTI #Malware #OT #Embedded 1/3

GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and Sectop...

1/ Today, Insikt Group is publishing on GrayCharlie, a threat actor active since mid-2023 that overlaps with SmartApeSG. GrayCharlie compromises WordPress sites and turns them into malware delivery hubs: www.recordedfuture.com/research/gra...

Avalon Linux Bot Malware Analysis with IDA Pro (Stream - 05/02/2026) YouTube video by Invoke RE

We've uploaded our stream from last Thursday where we analyzed the Avalon Linux bot with IDA Pro. Throughout this stream we reversed its persistence, C2 functionality, encryption and command dispatcher. Enjoy! www.youtube.com/watch?v=IaWU...

Decrypted/decoded a payload/binary using the Transform API in #BinaryNinja, but need a place to put it: use this to save it to your current project:

current_project.create_file(decoded_bytes, name="extracted.bin", folder=None, description="Extracted from: <insert hash of current file>")

Exclusive: Palo Alto chose not to tie China to hacking campaign for fear of retaliation from Beijing, sources say Palo Alto Networks opted not to tie China to a global cyberespionage campaign the firm exposed last week over concerns that the cybersecurity company or its clients could face retaliation from Beijing...

Scoop: A report published last week outlined what Palo Alto researchers believed was a China-linked hacking campaign.

But after an intervention from execs, the report's language was changed to refer more vaguely to "a state-aligned group that operates out of Asia."
www.reuters.com/world/china/...

BinYars metrics

binjaextras metrics

Nice to see my #BinaryNinja plugins getting some use

🏋️ 𝗡𝗼𝗿𝘁𝗵𝗦𝗲𝗰 𝟮𝟬𝟮𝟲 𝗙𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻𝘀/𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴𝘀 (5/12): "Deconstructing Rust Binaries" 𝗽𝗮𝗿/𝗯𝘆 Cindy Xiao

📅 Dates: May 11, 12 and 13, 2026 (3 days)
📊 Difficulty: Medium
🖥️ Mode: Hybrid (on-site & remote)

🔗 Training details: nsec.io/training/202...

#NorthSec #cybersecurity #malwareanalysis #reverseengineering

Release v1.13.0 · VirusTotal/yara-x Add crx and dex modules to Python invoke API (#534). Add Python API for specifying the metadata that should be passed to modules (6bebe34): Output filenames that needs reformatting when using yr fm...

github.com/VirusTotal/y... - Once again, new release with some good bug fixes and nice improvements.

How can we detect malicious documents exploiting CVE-2026-21509, the recent 0-day vulnerability in MS Office ?
I designed a YARA rule for this, which detects all the malicious files that have been reported.
To get the YARA rule and all the explanations: decalage.info/CVE-2026-215...

State-backed phishing attacks targeting military officials and journalists on Signal - Help Net Security Germany warns of attempted phishing of politiians, military officials, diplomats, and investigative journalists across Europe via Signal.

"State-backed #phishing attacks targeting military officials and journalists on Signal" by Zeljka Zorz, Editor-in-Chief, Help Net Security February 6, 2026 www.helpnetsecurity.com/2026/02/06/s...

Great to collaborate with old friend Duy-Phuc Pham at Trellix on this recent APT28 cluster strikeready.com/blog/apt28s-... www.trellix.com/blogs/resear...

Beginner C++ Reverse Engineering - Binary Ninja Live Stream Learn how to recognize and apply types to decompiled C++ that's using virtual functions, inheritance and vtables, recognize and recover missing parameters, a...

Join us today from 3-5pm ET to learn to recognize and apply types to decompiled C++ that's using virtual functions, inheritance, and vtables. We'll recover missing parameters, apply types, clean up decompilation, and everything else you need to get started reversing C++! youtube.com/live/QmsUmvH...

The CertGraveyard is now being leveraged by MagicSword.

MagicSword makes use of certificates we report and blocks them within your environment.

I was really amazed by the work they do to block RMM and bad drivers. Now this further enables orgs to block malicious signers.
x.com/magicswordio/s...

New blog post is live! Xusheng tears apart a tiny Linux binary that really does not want to be reversed. Malformed ELF headers, segment tricks, layered XOR and RC4, plus a bunch of Binary Ninja tricks along the way. Read it here: binary.ninja/2026/01/23/r...

Malware Analysis - Malicious MS Office files without Macros YouTube video by MalwareAnalysisForHedgehogs

🦔 📹 New Video: Can office files be malicious without Macros?

➡️ VSTO Add-Ins
➡️ External Templates
➡️ Checklist for Office analysis
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=RtHH...

Awesome, time for me to update #BinYars again 😄

#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5

Great work by Kim and ESET to get this story out there. The cyber threat has been off the front pages with everything else going on, but is still very real.