MongoBleed and Responsible Disclosure

It’s been a while! I got busy with a bunch of other work, so I haven’t been posting here lately. Going into the new year I hope to improve that, and try to do some streaming and video content as well. We’ll see how that goes; start the new year with a good cadence and make something happen.


Does A Breached Password Lookup Reveal My Password?

I had a discussion yesterday with an acquaintance about some new infostealer leaks; I was talking about verifying whether the credentials are new or not (which was a silly thing to do, I should have known they weren’t in HIBP — for different reasons though) and I went to check if some of the passwords were contained in the HIBP corpus. The acquaintance asked something to the effect of, “why would you put the password into a web form, isn’t that leaking it further?”. This naturally reveals a common misconception regarding how breached password lookups typically work, both in HIBP itself and in competing commercial breached corpuses.


The (alleged) revival of Breachforums

Breachforums, the infamous darkweb hacking and stolen data marketplace, recently had another setback when its remaining primary administrators were arrested in France, shutting down yet another iteration of the marketplace. This closes another chapter for a site that has caused immeasurable damage to consumer and enterprise systems alike, facilitating the sale and trade of initial access, credentials, and leaked data.


What Really Is That 16gb Password "Leak"?

Last week, a number of news outlets and organizations posted a story (which was then followed by something approaching a retraction) of a darkweb password leak comprising 16B records. This immediately triggered a fervor around whether this was really a single leak, where it came from, who was exposed and how, and so on – as always occurs around these things.


That Time I Nearly Got Hegsethed

Not a deep one this week, just a funny story about something that happened to me on Tuesday, July 17. It’ll unfortunately be a short one; one that should probably be turned into a YouTube Short talking about it, but moving pictures scare me.


Stealer malware attack vectors -- Lumma Stealer

Following on the Microsoft and DoJ takedown of Lumma infrastructure, and this week’s news from Sophos discussing a single user hosting over 100 malware GitHub repos, I wanted to spend some time looking into the specific vectors leveraged by some of these repositories. Recently, some of these attacks have included taking screenshots upon execution, which can give us a look into specifically what a user ran that triggered the RAT (Remote Access Trojan) and harvested data from their machine.
