Ivan Kwiatkowski

@JusticeRage

Followers: 10,322
Following: 75
Media: 282
Statuses: 2,884

Lead cyber threat researcher @HarfangLab . Maintainer of Manalyze, Gepetto, and writer. Trolling on a purely personal capacity.

France
Joined April 2014
Pinned Tweet
@JusticeRage
Ivan Kwiatkowski
3 years
I've been working on this for 5 years, and it's finally out! I wrote a dark fantasy book (no computers involved), and it's the hardest thing I have ever done. I'm extremely proud of the final result. (But it's in French, for now.)
27
34
167
@JusticeRage
Ivan Kwiatkowski
2 years
Step 1: open a binary in IDA and press F5. Step 2: paste the decompiled code into OpenAI's chatbot. Someone's job just got way easier.
66
880
5K
@JusticeRage
Ivan Kwiatkowski
2 years
I wrote an IDA plugin that queries #ChatGPT and explains decompiled functions. It's still very bleeding edge, but you can find the code here and try it out: (Yes, the video was performed on a very basic case for simplicity's sake.)
22
376
1K
@JusticeRage
Ivan Kwiatkowski
3 months
Do you know what all lawyers are doing right now? Reading #CrowdStrike EULAs. Let's have a look, shall we? Such documents are super easy to find online, I put one there for reference: Let's see what happens when something hits the fan. (It's good.) 🧵
37
201
1K
@JusticeRage
Ivan Kwiatkowski
3 years
As a reverse engineer, the most difficult part of my job remains to figure out how to format tables in Microsoft Word when I'm writing reports.
32
96
990
@JusticeRage
Ivan Kwiatkowski
1 year
Kaspersky released a new blogpost today, documenting an iOS 0day + zero-click exploit used to target cybersecurity researchers. The scope and full victimology are still unknown.
10
236
663
@JusticeRage
Ivan Kwiatkowski
3 months
This is a good time to point out how cybersecurity has become a business of transferring accountability to third parties (you don't buy security, you buy someone to blame when it all goes down). But it's largely symbolic since nobody is liable, and this might even be a feature.
12
138
627
@JusticeRage
Ivan Kwiatkowski
5 years
I'll just leave this here.
18
219
567
@JusticeRage
Ivan Kwiatkowski
7 years
Nobody wants to use GPG. Not even Nigerian scammers who have a victim on the hook ☹️
14
234
487
@JusticeRage
Ivan Kwiatkowski
3 years
We released two videos for free from our online reverse engineering course. They focus on Go malware (Sunshuttle). Almost 2 hours of premium IDA Pro entertainment!
5
181
498
@JusticeRage
Ivan Kwiatkowski
3 years
We created cheat sheets for IDA Pro and x64dbg for our online course recently, and were authorized to share them with everyone! The aim was to list all hotkeys that we use on a daily basis, i.e. only those we feel are worth learning. I hope you find them useful!
5
190
480
@JusticeRage
Ivan Kwiatkowski
1 year
@RemyBuisine I set this up last night in case this happened, to be displayed on a mobile phone!
18
167
426
@JusticeRage
Ivan Kwiatkowski
6 months
Interesting trick used by scammers over DMs. They invite you to click on a link which appears to lead to the calendly website, but if you check the resulting URL, you will end up somewhere else (i.e., hxxps://calindaly[.]com/). How does this work?
10
97
441
@JusticeRage
Ivan Kwiatkowski
7 years
Malware writing #ProTip : do not compile samples on your home machine.
16
197
405
@JusticeRage
Ivan Kwiatkowski
6 months
This fools Twitter's card generation into displaying a false URL. Long story short: you can't trust Twitter's previews. Don't click on links sent by strangers, and if you can't help yourself, double-check where you land.
6
62
386
@JusticeRage
Ivan Kwiatkowski
3 years
I have written a personal statement about the war in Ukraine, recent criticism about Kaspersky and its founder. Those words were written from the heart. I humbly hope they give you pause. I am staying in GReAT, and here is why. (FR version coming soon.)
54
98
379
@JusticeRage
Ivan Kwiatkowski
3 years
The CRAZIEST thing just happened to me! (cc @signalapp )
15
44
374
@JusticeRage
Ivan Kwiatkowski
8 months
We're releasing our analysis of the I-Soon leak. As the title implies, it's *extremely* comprehensive. My longest 🧵 ever follows.
4
141
350
@JusticeRage
Ivan Kwiatkowski
4 years
Our online reverse-engineering / malware analysis course (intermediate level) is finally launching! @legezo and I have been working on it almost exclusively for 6 months now. 50+h of video, 100h of virtual lab time, 10 real-life APT malware cases.
8
110
330
@JusticeRage
Ivan Kwiatkowski
10 months
Problem: deep enough home server racks are super expensive and difficult to source. Solution: introducing the IKEA GhettoRåck™️, made out of 2x BESTÅ cabinets and 2x MÖRTVIKEN doors. A 10-ish U rack for under 300€, coming to your garages everywhere.
16
24
317
@JusticeRage
Ivan Kwiatkowski
2 years
A lot of the value I bring to any company comes in the form of entertainment, specifically through an endless stream of salty emails. AI just made me obsolete. All hail our new robot overlords.
7
50
306
@JusticeRage
Ivan Kwiatkowski
3 years
"Hi, I see you're into reverse-engineering too!"
10
26
299
@JusticeRage
Ivan Kwiatkowski
3 months
10: Whatever damages incur from your use of the product, they're on you. Even if CrowdStrike could have prevented it. Never use the product in sensitive environments, such as aircraft navigation systems (you can't make this stuff up), nuclear facilities, etc.
11
49
293
@JusticeRage
Ivan Kwiatkowski
6 years
Webcam defense in depth.
9
54
259
@JusticeRage
Ivan Kwiatkowski
3 years
@signalapp Unbelievable indeed.
6
13
254
@JusticeRage
Ivan Kwiatkowski
6 months
A normal request to the website returns HTML content as you would expect (1st screenshot). But if you change your user-agent to TwitterBot (the one used when generating cards), watch what happens (second screenshot). The server sends a second redirect to the legitimate site.
4
18
264
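The cloaking behaviour described in the tweets above (a browser receives the scam page's own HTML, while a request carrying the TwitterBot user-agent receives an extra redirect to the legitimate site, so the card preview shows the wrong destination) can be checked for by following a link's redirect chain twice, once with a browser user-agent and once with the card fetcher's, and comparing where each chain ends. The script below is an added example and not code from the thread's author: the local HTTP server is a constructed stand-in that models such a cloaking host so the check runs offline, the `Twitterbot/1.0` and browser user-agent strings and the local paths are assumptions, and nothing real is contacted.

```python
"""Check a link for user-agent-based redirect cloaking.

A browser and Twitter's card fetcher each follow the link's redirect
chain; if the two chains end at different URLs, the preview Twitter
shows cannot be trusted for that link.

The HTTP server below is a constructed stand-in for a cloaking host so
the check runs offline; no real domain is contacted.  Its behaviour
(plain HTML for browsers, one extra redirect for the card fetcher) is
modelled on the thread's description, not on an observed server.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

# Assumed user-agent strings: a generic browser and the card fetcher.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
CARD_UA = "Twitterbot/1.0"

# Constructed paths on the local stand-in server.
DECOY_PATH = "/"
LEGIT_PATH = "/legitimate-calendar"


class CloakingHandler(BaseHTTPRequestHandler):
    """Constructed server: HTML for browsers, a redirect for the card fetcher."""

    def _send_html(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path == LEGIT_PATH:
            self._send_html(b"<html><body>Legitimate landing page</body></html>")
        elif "twitterbot" in ua.lower():
            # The extra redirect that only the preview generator ever sees.
            self.send_response(302)
            self.send_header("Location", LEGIT_PATH)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self._send_html(b"<html><body>Content shown to human visitors</body></html>")

    def log_message(self, *args):
        pass  # keep the demo quiet


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_chain(url, user_agent, max_hops=10):
    """Return every URL visited, in order, until a non-redirect response."""
    opener = urllib.request.build_opener(NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=5) as resp:
                resp.read()
            return chain  # 2xx: final destination reached
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)
                chain.append(url)
            else:
                return chain  # 4xx/5xx: the chain stops here
    return chain  # too many hops; report what was seen


def detect_cloaking(url):
    """Compare the final destinations seen by a browser and by the card fetcher."""
    browser_chain = follow_chain(url, BROWSER_UA)
    card_chain = follow_chain(url, CARD_UA)
    return {
        "browser_final": browser_chain[-1],
        "card_final": card_chain[-1],
        "cloaked": browser_chain[-1] != card_chain[-1],
    }


def run_demo():
    """Start the constructed server, run the check against it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return detect_cloaking(f"http://127.0.0.1:{server.server_port}{DECOY_PATH}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())  # 'cloaked' is True for the stand-in server
```

Against a real link, `detect_cloaking(url)` is the only call needed; the redirect chain is recorded hop by hop rather than letting the client follow it, so a link that differs only in an intermediate hop is still visible in the two chains.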
@JusticeRage
Ivan Kwiatkowski
3 years
An update to my 0day handling ethics mind-map for cybersecurity researchers. Version 1.0 did not account for the possibility of becoming accessory to murder. What a silly oversight on my part.
5
77
238
@JusticeRage
Ivan Kwiatkowski
1 year
Personal news: I have resigned from my position in @Kaspersky 's GReAT team. I'm very grateful for my time there and everything the team accomplished. I don't have any reason to believe anything I wrote about the company was untrue at the time I wrote it. I will now take a
26
12
226
@JusticeRage
Ivan Kwiatkowski
3 months
New blog post: "The Case for Burning Counterterrorism Operations" My thoughts on why defenders should always report exploits and operations, even when they originate from "friendly" entities. This follows the recent debate in the community.
4
60
222
@JusticeRage
Ivan Kwiatkowski
7 years
Hey Twitter. Did anyone ever find out why TrueCrypt shut down operations back in 2014? We never got answers, but I need closure.
11
55
199
@JusticeRage
Ivan Kwiatkowski
7 years
Curl is being introduced as a standard Windows command line tool! Malware authors all over the world must be ecstatic; stage 1s are going to get smaller.
4
132
196
@JusticeRage
Ivan Kwiatkowski
3 months
So... I guess a lot will hinge on whether CrowdStrike violated 8.2 by failing to meet industry standards with their update. I expect communication on this subject will not be super forthcoming. Beyond goodwill gestures to protect their image, I don't think they're liable.
7
12
197
@JusticeRage
Ivan Kwiatkowski
7 years
New blog post: a full Process Hollowing / Manalyze tutorial.
0
130
189
@JusticeRage
Ivan Kwiatkowski
9 months
RCE in Redis < 7.2.4 (CVE-2023-41056) I haven't seen a lot of noise about this one. Redis is everywhere (NextCloud, Mastodon, GitLab...) – if you're using it, patch now, but I also expect to see a lot of second-degree exploitation with this one.
2
72
192
@JusticeRage
Ivan Kwiatkowski
6 years
New release: a Python script to catch careless intruders on your machines by "booby-trapping" binaries.
1
67
175
@JusticeRage
Ivan Kwiatkowski
4 years
Our research on the new(?) mercenary APT DeathStalker is finally out! Please take a look if you're interested in Evilnum or Janicab! (cc @securechicken )
2
104
172
@JusticeRage
Ivan Kwiatkowski
7 years
New script: a multi-threaded site mapper in Python. #crawling #pentest
1
91
161
@JusticeRage
Ivan Kwiatkowski
3 months
I intend to write a long-form post about this aspect, stay tuned! /thread
6
4
163
@JusticeRage
Ivan Kwiatkowski
11 months
I have the pleasure to announce I'm joining @HarfangLab as Lead Cyber Threat Researcher starting tomorrow! I'll be working on APTs from everywhere, reversing malware, writing FOSS tools and blog posts!
20
5
164
@JusticeRage
Ivan Kwiatkowski
3 years
Not to bash on a single individual, which accomplishes nothing - but this is exactly why there is a need for more discussion about ethics in infosec. Take a minute to think about how your actions have impacted "human and women rights" and "free speech" in 2021.
15
28
161
@JusticeRage
Ivan Kwiatkowski
6 months
On March 25, the FBI released an indictment of APT31 hackers. We read it carefully to find new intel, and managed to connect a few dots (including about the RAWDOOR malware family). Full article and IOCs:
2
77
158
@JusticeRage
Ivan Kwiatkowski
4 years
We're very happy that this research is released: In it, @felixaime , @securechicken and I discuss the connection between the VHD ransomware and the Lazarus group. This work was made possible with huge help from Kaspersky's GERT (IR) team.
1
82
152
@JusticeRage
Ivan Kwiatkowski
3 months
@ActuPolitiqueN Come on guys, calling the left Nazis while using Pétain+Hitler as an example to defend the far right takes a total lack of historical awareness. You should open a book now and then, you know
27
5
151
@JusticeRage
Ivan Kwiatkowski
7 years
This #MrRobot episode is the gift that keeps on giving! leads to and also:
1
51
142
@JusticeRage
Ivan Kwiatkowski
2 months
Our team just released a report on #CharmingKitten / #APT35 . We discovered a new malware family called Cyclops, written in Go. It launches a local web server which exposes a REST API used to control the malware. The port is forwarded to the C2 via SSH.
1
59
150
@JusticeRage
Ivan Kwiatkowski
2 years
Hahaha, gotcha #ChatGPT ! They've been patching loads of jailbreaks as they are found, but the possibilities are endless.
6
29
144
@JusticeRage
Ivan Kwiatkowski
1 year
Okay Twitter 😶 Sorry non-French speakers, I can't translate this tweet considering how heinous it is. Imagine a hatred bingo combining the N-word, call for violence and nazism.
16
60
144
@JusticeRage
Ivan Kwiatkowski
3 months
8.6: There is no guarantee that the product will successfully protect against all threats; if something still destroys your system, CrowdStrike is not liable. 8.7: The product may have bugs, not do anything or not work at all, and there's nothing you can say about that.
1
12
145
@JusticeRage
Ivan Kwiatkowski
3 years
A few days ago, I contributed an IDA Pro script which extracts type information from Go binaries to @juanandres_gs ' AlphaGolang repository. We just released an article that gives background on how this works: Code:
0
59
137
@JusticeRage
Ivan Kwiatkowski
4 years
I've added a script to Manalyze which plots the compilation timestamps of a PE collection: Credit goes to @x0rz for the pretty charts.
2
38
133
@JusticeRage
Ivan Kwiatkowski
3 months
8.2: CrowdStrike pledges that it operates in a professional manner consistent with industry standards. 8.4: CrowdStrike will do its best to fix problems reported. If they can't, you get a refund for whatever's left of your subscription.
2
11
131
@JusticeRage
Ivan Kwiatkowski
7 months
We're silently moving from a "everyone is vulnerable" world to a "everyone is backdoored" world.
5
14
124
@JusticeRage
Ivan Kwiatkowski
9 months
I wrote my first blog post with @harfanglab : a primer on reverse engineering .NET AOT applications. This will be interesting to people who never created FLAIR signatures in IDA.
1
65
125
@JusticeRage
Ivan Kwiatkowski
6 years
Me discovering the Threat Intelligence world.
2
32
120
@JusticeRage
Ivan Kwiatkowski
3 years
I feel like there's a need to clarify what is going on here, it's an interesting anti-sandbox trick. The SeShutdownPrivilege string is constructed on the stack dynamically, in particular the program uses the first letter of its filename as an index in the string.
@Lexsek_
Lexsek
3 years
If you analyze HermeticWiper (61b25d11392172e587d8da3045812a66c3385451) and you are a beginner at malware RE, be careful with your sample name. Sometimes it breaks or modifies the behavior of the malware. #HermeticWiper #malware
2
35
136
1
39
123
@JusticeRage
Ivan Kwiatkowski
7 years
Ping to all hash crackers: @trustedsec has just released a great set of scripts at . - Wordlist deduplication - Analysis of already cracked hashes - Launches all the run-of-the-mill attacks from a single command And a lot of other goodies.
0
50
117
@JusticeRage
Ivan Kwiatkowski
7 years
Interesting points on where to host a cybercrime discussion by Fadli Sidek #HITBGSEC17
4
46
112
@JusticeRage
Ivan Kwiatkowski
10 months
Hidden gem in @DonnchaC 's #37C3 talk on Predator spyware: state actors could generate @letsencrypt certificates for any website by using their MitM capabilities at ISP level to complete verification challenges (both HTTP and DNS I expect). CT may be the only way to detect this.
2
39
115
@JusticeRage
Ivan Kwiatkowski
9 months
New research from our team (h/t @securechicken ): Compromised routers leveraged as malicious infrastructure to target government organizations in Europe and Caucasus (possible APT28 activity)
2
57
112
@JusticeRage
Ivan Kwiatkowski
7 years
What have we done?
9
44
108
@JusticeRage
Ivan Kwiatkowski
7 years
Well hello Iranian internet, nice to meet you too.
4
67
102
@JusticeRage
Ivan Kwiatkowski
4 years
In the interest of supporting the discussion on the ethics of releasing PoCs for critical vulnerabilities, I created the following mind map. It is merely meant as a listing of the available options and associated consequences. No judgement intended.
5
36
108
@JusticeRage
Ivan Kwiatkowski
6 years
Spotted: a French website impersonates @KeePass at , bundles it with adware () and worst of all (apologies to non-French speaking readers):
12
136
110
@JusticeRage
Ivan Kwiatkowski
14 days
If you're using @Zimbra , mass-exploitation of CVE-2024-45519 has begun. Patch yesterday. Malicious emails are coming from 79.124.49[.]86 and attempting to curl a file from that IP.
5
53
109
@JusticeRage
Ivan Kwiatkowski
6 years
I have stumbled onto something interesting while working on PE resource timestamps. It seems that a build chain, somewhere, is using local (non-UTC+0) timestamps for resources, which can help determine where the binary is compiled. Is this something known?
2
43
106
@JusticeRage
Ivan Kwiatkowski
9 months
New blog post: "So you want to work in cybersecurity". Every time I post research here, I get DMs asking how to get into cybersecurity. Instead of repeating myself ad nauseam, I wrote down all my thoughts on the subject here: Personal opinion obviously.
5
39
107
@JusticeRage
Ivan Kwiatkowski
8 months
The #ISoon leak confirms beyond the shadow of a doubt USG's attribution of APT41 activities to Chengdu 404! ISoon is quite amused by it too!
0
26
105
@JusticeRage
Ivan Kwiatkowski
2 years
A few minutes ago at BotConf, I shared a script to import and export Twitter blocklists. I use it to block advertisers on the platform! Find my code and current list here:
5
26
103
@JusticeRage
Ivan Kwiatkowski
3 years
For the record, this is a clear misrepresentation of my teammates' research. 1) We did *not* attribute these samples to any organization. 2) Lambert is *not* an internal name for the CIA. If you're going to attribute attacks, do it in your own name.
0
46
100
@JusticeRage
Ivan Kwiatkowski
8 months
We're working on a huge report. It's coming #isoon .
3
5
100
@JusticeRage
Ivan Kwiatkowski
3 years
I hear a lot of people are looking for Pegasus samples. Dear @ANSSI_FR , please buy the product, get all 0days patched, leak the tools and infra. Burn them to the ground and I swear I will never ever complain again about how my tax money is spent.
3
14
95
@JusticeRage
Ivan Kwiatkowski
3 years
Our reverse-engineering course has been out for a few months now, and the feedback is amazing :) If you haven't checked it out, there's IDA scripting, mock C2 development, hardcore deobfuscation and even Go. Feel free to DM me with any question!
@Farenain
Farenain
3 years
So after finishing another video from @kaspersky malware training, I've implemented the commands from Lazarus sample in the C2 emulator, it was pretty interesting learning about this topic, thanks to @JusticeRage for the extra exercise.
2
8
48
3
23
94
@JusticeRage
Ivan Kwiatkowski
7 years
#SSTIC Deauthenticating the railgun to prevent @x0rz from being shot on stage.
7
29
92
@JusticeRage
Ivan Kwiatkowski
2 years
To be fair, anti-cheat usually only has a single process to protect, which its developers fully own. EDR and endpoint solutions have to defend whole systems that they have zero control over, which is a much more difficult task. We welcome constructive feedback from game hackers!
@GuidedHacking
GuidedHacking
2 years
bypassing anticheat is harder than bypassing EDR infosec is cucked by cheat engine users your entire industry is a joke
0
59
384
2
10
95
@JusticeRage
Ivan Kwiatkowski
6 years
New release: a python script that uses SMART data to detect evil maid attacks.
0
66
89
@JusticeRage
Ivan Kwiatkowski
6 years
Our team has been investigating #LockerGoga and we can assess with medium confidence that it is linked to GrimSpider. We believe a Cobalt Strike / meterpreter combination is used during the post-exploitation phase. C2s use the default SSL certificate on port 443 ;)
5
57
92
@JusticeRage
Ivan Kwiatkowski
6 years
This has to be the dumbest "forgotten password" form that was ever written. There aren't enough facepalm gifs in the whole Internet to convey how I feel.
6
28
93
@JusticeRage
Ivan Kwiatkowski
7 years
I just realized that XORing a string with 32 (0x20) toggles capitalization. I feel both amazed and stupid.
9
34
90
@JusticeRage
Ivan Kwiatkowski
9 months
#100DaysofYARA I created a web service that allows you to verify on which yara versions your rule compiles. In the past, shipping rules to customers, I wondered if there were limitations but couldn't find out easily. Now I can.
2
35
90
@JusticeRage
Ivan Kwiatkowski
5 years
It just seems easier to get a WPA handshake and bruteforce the password, now that you know it's 10 digits.
2
21
85
@JusticeRage
Ivan Kwiatkowski
9 months
List of Ivanti / PulseSecure C2s we discovered (h/t @securechicken ):
146.0.228[.]66:1080/assets/js/xml.php
146.0.228[.]66:1080/css/chat.jsp
146.0.228[.]66:8111/css/chat.jsp
152.32.128[.]64
154.223.17[.]218
159.65.130[.]146:80
159.65.130[.]146:80/index
35.201.216[.]249:80/index
1
16
82
@JusticeRage
Ivan Kwiatkowski
8 years
I added a script which automatically shelljacks (log term) into users who SSH into a box to my repo! cc @emptymonkey
2
35
78
@JusticeRage
Ivan Kwiatkowski
6 years
I just stumbled on to this very interesting Linux post-exploitation talk by @_ta0 : It's full of hidden gems, I'll be watching it again so I can take notes.
0
44
80
@JusticeRage
Ivan Kwiatkowski
2 years
Alright. Is it maybe time to talk about using *local* password managers instead of cloud-based ones? Yes, they're better than no password manager, but come on. Don't trust anyone with such sensitive data as your passwords.
7
32
82
@JusticeRage
Ivan Kwiatkowski
4 years
This has got to be the best caption I've ever seen in a malware analysis post.
2
20
75
@JusticeRage
Ivan Kwiatkowski
1 year
Dear @HexRaysSA , considering that you won't allow me to renew my licence, I'd appreciate it if you either: a) Granted me an OSS dev license, considering the value I bring to your customers for free b) Refrained from using my work for PR purposes Cheers
@HexRaysSA
Hex-Rays SA
1 year
#Gepetto keeps the first position for the second month in a row! Good job @JusticeRage 👏 Got a plugin that could be on the top of the chart? Publish it, and let’s see 🌐 #IDAPlugin #PluginRoundup #IDAPro #IDAPython
1
3
18
5
11
75
@JusticeRage
Ivan Kwiatkowski
3 months
Our team has been tracking #DoppelGänger activities for over a month, and we've just published our research! In total, we share ~250 URLs to disinformation content and ~800 handles of X accounts that are part of the dissemination network.
1
34
74
@JusticeRage
Ivan Kwiatkowski
3 years
Very unhappy and disappointed by this move from @HexRaysSA . During trainings, how can I justify the investment for newcomers if now they can't use the software after a year?
7
13
73
@JusticeRage
Ivan Kwiatkowski
3 years
@x0rz *Looks at bio* "Human & Women's Rights - Free Speech Activist" selling 0days to Zerodium Yup, that seems about right.
3
8
73
@JusticeRage
Ivan Kwiatkowski
8 months
New research: our team at @harfanglab just published an investigation into possible Arid Viper (but definitely Hamas-related) activity against 🇮🇱 targets, based on a tip from @NicoleFishi19 . We analyzed the malware (including 2 wipers) & IW aspect:
2
31
74
@JusticeRage
Ivan Kwiatkowski
2 years
New feature added moments ago: @OpenAI 's #ChatGPT now automatically renames variables in the pseudocode view. (Video slightly edited to cut loading times.) Keep in mind that this is only the work of a single week-end! This thing is only getting started.
2
9
69
@JusticeRage
Ivan Kwiatkowski
4 years
I showed this tip to a friend today, and thought maybe it could be useful to other people. Problem: how to write Yara rules that match a given ASM snippet? Answer in three steps. 1) Open a random program with x64dbg. Break anywhere, entry point is fine.
7
28
70
@JusticeRage
Ivan Kwiatkowski
2 months
@BushidoToken According to CORRECTIV, she's actually Russian, and linked to Evil Empire / DoppelGänger activities. 100% chance this is a front for 🇷🇺 intelligence if the brokering aspect is even legit.
1
10
67
@JusticeRage
Ivan Kwiatkowski
3 years
This tweet was deleted in silent shame, but I feel that it should be recorded somewhere for future generations.
3
34
66
@JusticeRage
Ivan Kwiatkowski
7 years
I had a Raspberry sitting in a drawer. Just installed Pi-Hole and it looks great!
4
33
66
@JusticeRage
Ivan Kwiatkowski
4 years
When debugging DLLs, I often need to go back and forth between @x64dbg and IDA. So far, here is the quickest way I have found to convert addresses. Is there a better one?
7
24
66
@JusticeRage
Ivan Kwiatkowski
5 years
Here's an interesting paper on APT campaign modeling: I like that it focuses on the attacker's lifecycle inside the victim's network.
0
28
67
@JusticeRage
Ivan Kwiatkowski
3 years
Pro reverse-engineering tip: don't spend too much time looking at code located in kernel32.dll as this can lead to significant lost time and ridicule on Twitter.
4
5
66