virustotal.com/gui/file/ab62… Too busy with IR's this week for RE :)

View the long form here: malasada.tech/pdfchampions-y…

YAPA is Yet Another PDF App that Luke Acha (@luke92881) mentions here: blog.lukeacha.com/2025/11/fa…

View the Any Run session here: app.any.run/tasks/07e8ff42-e…

The interesting part about this one is that it has a loader capability. That is - it takes the code that was passed as an argument. It will check its cache to see if it was already compiled. If it wasn't already compiled, it'll compile it into an assembly object on line 56 and add it to the cache on line 57. Note, this remains in memory, and it does not get saved to disk. It executes the code on line 81.

It downloads this mozlz4 file to change the default search engine. The browser hijacker redirects to Google search.

PDFChampions is a YAPA Browser Hijacker with Loader capabilities. 7c5004c9d3ed4325c547ec0127d59205529f4574444a9e74dc108b0783d6e392 pdfchampions[.]com downloadive[.]com champion.pdfchampions[.]com api.mekanfig[.]com more.mariosearch[.]com hxxps[:]//pdfchampions[.]com/pdfchampions hxxps[:]//pdfchampions[.]com/thanks?book=1 hxxps[:]//downloadive[.]com/puoyder/o/PDFChampions.exe hxxps[:]//champion.pdfchampions[.]com hxxps[:]//api.mekanfig[.]com/api/v1/

Fantastic research by @MalasadaTech808 on PDFChampions. Code-signed "Flooencia Media LLC" I don't think code-signing handles Registered Agents well. I keep reporting code-signing certificates for businesses at this address.

#NOVA #Ransomware launched Affiliate Panel for the 2nd time! cceoxb5youzqo2uk7t7274ittlph… Git: github.com/TheRavenFile/Dail… #Malware #Infosec #Security #OSINT #DarkWeb #DeepWeb #ThreatIntel #Hack

3/ However, the #sidewinder still using the same domain and C2 server to continue phishing. ref: hunt.io/blog/operation-south…

2/ Research on #Operation #SouthNet by @Huntio also revealed that same pages was observed at https://mailcbmgovmm[.]pages[.]dev which is now reported as phishing.

#APT #Sidewinder targets #Myanmar Central Bank 1/ Using @Huntio, I have tracked a new operational Fake Zimbra page "https://mailcbmgovmm[.]pages[.]dev/index1" which exfiltrate info to "myanmar-org-mail[.]com/cbm/action1[.]php/". @500mk500 @MichalKoczwara @malwrhunterteam

Tracking a large-scale Booking-themed phishing campaign targeting hotel partners, hundreds of fake domains impersonating Booking.com used to steal credentials and deliver malware. query: urlscan.io/search/#hash%3A78… report: blog.sekoia.io/phishing-camp…

Malicious NuGet packages drop disruptive 'time bombs' - @billtoulas bleepingcomputer.com/news/se… bleepingcomputer.com/news/se…

What are chances a 'fonts.js' file that is actually a MacOS script which has variables like 'removedAsian' and is heavily encoded might just be malicious?

Never a dull day

CVE-2025-64459 - PoC for Django QuerySet _connector SQL Injection #Pruva repro and report: gist.github.com/N3mes1s/2dbc… Advs: djangoproject.com/weblog/202…

Microsoft has discovered a new type of side-channel attack against streaming-mode language models using network packet sizes and timings. msft.it/6018tJAkA An attacker in a position to observe the encrypted traffic could use this type of side-channel attack to conclude language model conversation topics. This could put the privacy of user and enterprise communications with chatbots at risk despite end-to-end encryption via TLS. We worked with multiple cloud providers of language models to mitigate the risk, and ensured that Microsoft-owned language model frameworks are protected. Learn more: