Internet Storm Center
Date | Author | Title
2024-02-18 | Guy Bruneau | Mirai-Mirai On The Wall... [Guest Diary]
2024-01-07 | Guy Bruneau | Suspicious Prometei Botnet Activity
2023-12-27 | Guy Bruneau | Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]
2023-11-27 | Guy Bruneau | Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]
2023-11-22 | Guy Bruneau | CVE-2023-1389: A New Means to Expand Botnets
2023-11-09 | Guy Bruneau | Routers Targeted for Gafgyt Botnet [Guest Diary]
2023-06-22 | Brad Duncan | Qakbot (Qbot) activity, obama271 distribution tag
2023-04-12 | Brad Duncan | Recent IcedID (Bokbot) activity
2023-03-11 | Xavier Mertens | Overview of a Mirai Payload Generator
2023-02-28 | Brad Duncan | BB17 distribution Qakbot (Qbot) activity
2023-02-24 | Brad Duncan | URL files and WebDAV used for IcedID (Bokbot) infection
2022-12-02 | Brad Duncan | obama224 distribution Qakbot tries .vhd (virtual hard disk) images
2022-11-02 | Brad Duncan | Who put the "Dark" in DarkVNC?
2022-10-16 | Didier Stevens | Video: Analysis of a Malicious HTML File (QBot)
2022-10-13 | Didier Stevens | Analysis of a Malicious HTML File (QBot)
2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-09 | Brad Duncan | TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
2022-04-20 | Brad Duncan | "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-03-25 | Xavier Mertens | XLSB Files: Because Binary is Stealthier Than XML
2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity
2022-02-15 | Xavier Mertens | Who Are Those Bots?
2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection
2022-01-25 | Brad Duncan | Emotet Stops Using 0.0.0.0 in Spambot Traffic
2022-01-07 | Xavier Mertens | Custom Python RAT Builder
2021-12-22 | Brad Duncan | December 2021 Forensic Contest: Answers and Analysis
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-12-02 | Brad Duncan | TA551 (Shathak) pushes IcedID (Bokbot)
2021-11-26 | Guy Bruneau | Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
2021-11-16 | Brad Duncan | Emotet Returns
2021-11-04 | Brad Duncan | October 2021 Forensic Contest: Answers and Analysis
2021-10-04 | Johannes Ullrich | Boutique "Dark" Botnet Hunting for Crumbs
2021-09-23 | Xavier Mertens | Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
2021-08-13 | Brad Duncan | Example of Danabot distributed through malspam
2021-07-24 | Xavier Mertens | Agent.Tesla Dropped via a .daa Image and Talking to Telegram
2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis
2021-06-24 | Xavier Mertens | Do you Like Cookies? Some are for sale!
2021-04-15 | Johannes Ullrich | Why and How You Should be Using an Internal Certificate Authority
2021-04-06 | Jan Kopriva | Malspam with Lokibot vs. Outlook and RFCs
2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike
2021-02-23 | Jan Kopriva | Qakbot in a response to Full Disclosure post
2021-02-17 | Brad Duncan | Malspam pushing Trickbot gtag rob13
2021-01-26 | Brad Duncan | TA551 (Shathak) Word docs push Qakbot (Qbot)
2021-01-20 | Brad Duncan | Qakbot activity resumes after holiday break
2020-12-09 | Brad Duncan | Recent Qakbot (Qbot) activity
2020-11-03 | Brad Duncan | Emotet -> Qakbot -> more Emotet
2020-10-20 | Xavier Mertens | Mirai-alike Python Scanner
2020-10-14 | Brad Duncan | More TA551 (Shathak) Word docs push IcedID (Bokbot)
2020-08-19 | Xavier Mertens | Example of Word Document Delivering Qakbot
2020-08-03 | Xavier Mertens | Powershell Bot with Multiple C2 Protocols
2020-08-01 | Jan Kopriva | What pages do bad bots look for?
2020-07-15 | Brad Duncan | Word docs with macros for IcedID (Bokbot)
2020-06-13 | Guy Bruneau | Mirai Botnet Activity
2020-05-20 | Brad Duncan | Microsoft Word document with malicious macro pushes IcedID (Bokbot)
2020-04-01 | Brad Duncan | Qakbot malspam sent from an infected Windows host
2020-03-21 | Guy Bruneau | Honeypot - Scanning and Targeting Devices & Services
2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file
2020-01-28 | Brad Duncan | Emotet epoch 1 infection with Trickbot gtag mor84
2019-12-24 | Brad Duncan | Malspam with links to Word docs pushes IcedID (Bokbot)
2019-12-18 | Brad Duncan | Emotet infection with spambot activity
2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot
2019-11-13 | Brad Duncan | An example of malspam pushing Lokibot malware, November 2019
2019-10-30 | Xavier Mertens | Keep an Eye on Remote Access to Mailboxes
2019-09-18 | Brad Duncan | Emotet malspam is back
2019-09-03 | Johannes Ullrich | [Guest Diary] Tricky LNK points to TrickBot
2019-08-14 | Brad Duncan | Recent example of MedusaHTTP malware
2019-08-08 | Johannes Ullrich | [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign"
2019-07-26 | Kevin Shortt | DVRIP Port 34567 - Uptick
2019-03-13 | Brad Duncan | Malspam pushes Emotet with Qakbot as the follow-up malware
2019-03-06 | Brad Duncan | Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
2019-02-14 | Xavier Mertens | Old H-Worm Delivered Through GitHub
2019-01-16 | Brad Duncan | Emotet infections and follow-up malware
2019-01-10 | Brad Duncan | Heartbreaking Emails: "Love You" Malspam
2018-12-23 | Guy Bruneau | Scanning Activity, end Goal is to add Hosts to Mirai Botnet
2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot)
2018-12-05 | Brad Duncan | Campaign evolution: Hancitor changes its Word macros
2018-12-04 | Brad Duncan | Malspam pushing Lokibot malware
2018-11-14 | Brad Duncan | Day in the life of a researcher: Finding a wave of Trickbot malspam
2018-09-26 | Brad Duncan | One Emotet infection leads to three follow-up malware infections
2018-05-09 | Xavier Mertens | Nice Phishing Sample Delivering Trickbot
2018-03-08 | Xavier Mertens | CRIMEB4NK IRC Bot
2017-10-19 | Brad Duncan | HSBC-themed malspam uses ISO attachments to push Loki Bot malware
2017-08-15 | Brad Duncan | Malspam pushing Trickbot banking Trojan
2017-07-19 | Xavier Mertens | Bots Searching for Keys & Config Files
2017-05-08 | Renato Marinho | Exploring a P2P Transient Botnet - From Discovery to Enumeration
2016-12-31 | Xavier Mertens | Ongoing Scans Below the Radar
2016-12-07 | Xavier Mertens | The Passwords You Should Never Use
2016-09-10 | Xavier Mertens | Ongoing IMAP Scan, Anyone Else?
2016-07-27 | Xavier Mertens | Analyze of a Linux botnet client source code
2015-02-06 | Johannes Ullrich | Anthem, TurboTax and How Things "Fit Together" Sometimes
2014-10-09 | Johannes Ullrich | CSAM: My servers started speaking IRC, and that is when I started to listen!
2014-08-16 | Lenny Zeltser | Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability
2014-01-16 | Kevin Shortt | Port 4028 - Interesting Activity
2013-12-07 | Guy Bruneau | Suspected Active Rovnix Botnet Controller
2013-10-26 | Guy Bruneau | Active Perl/Shellbot Trojan
2013-08-11 | Bojan Zdrnja | XATattacks (attacks on xat.com)
2012-10-26 | Russ McRee | Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant
2011-08-04 | Johannes Ullrich | IRC traffic on non standard ports
2011-05-14 | Guy Bruneau | Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-02-28 | Deborah Hale | Possible Botnet Scanning
2011-01-11 | Kevin Shortt | Spam Cannons on Holiday
2010-11-18 | Chris Carboni | All of your pages are belonging to us
2010-11-05 | Adrien de Beaupre | Bot honeypot
2010-08-19 | Daniel Wesemann | Casper the unfriendly ghost
2010-07-29 | Rob VandenBrink | FBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators
2010-06-14 | Manuel Humberto Santander Pelaez | New way of social engineering on IRC
2010-05-07 | Johannes Ullrich | Stock market "wipe out" may be due to computer error
2010-05-02 | Mari Nichols | Zbot Social Engineering
2010-04-23 | Adrien de Beaupre | Shadowserver botnet rules
2010-03-25 | Kevin Liston | Zeus wants to do your taxes
2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality.
2010-02-02 | Johannes Ullrich | Pushdo Update
2010-01-25 | William Salusky | "Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"
2009-12-21 | Marcus Sachs | iPhone Botnet Analysis
2009-11-13 | Deborah Hale | Pushdo/Cutwail Spambot - A Little Known BIG Problem
2009-11-08 | Kevin Liston | FireEye takes on Ozdok and Recovery Ideas
2009-10-10 | Tony Carothers | User Notification for Possible Infected Systems
2009-09-16 | Raul Siles | IETF Draft for Remediation of Bots in ISP Networks
2009-05-07 | Deborah Hale | Botnet hijacking reveals 70GB of stolen data
2008-11-05 | donald smith | Bot net hunters get an improved tool from SRI bothunters
2008-09-09 | Swa Frantzen | The complaint that's an attack
2008-09-01 | John Bambenek | The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months
2008-07-19 | William Salusky | A twist in fluxnet operations. Enter Hydraflux
2008-07-15 | Maarten Van Horenbeeck | Bot controller mimicry
2008-04-07 | John Bambenek | Got Kraken?
2008-04-07 | John Bambenek | Kraken Technical Details: UPDATED x3
2006-08-31 | Swa Frantzen | NT botnet submitted
2006-08-31 | Joel Esler | MS06-040 Worm