The misleading messaging of time to crack tables

TL;DR: It’s the time of year where security vendors post blog posts with charts of how long it takes to bruteforce a given password. As usual this raised a lot of questions from less security-minded people I know regarding the realism of the numbers, and how realistic the exercise is now. As penance for having generated this data in times past for similar marketing pushes, I will discuss why this is actually a poor way to teach less-technical users about password complexity, and how users should be creating and using credentials.


On Lockbit's plaintext passwords

Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2, which is vulnerable to an RCE, CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point.


More Alien_Txtbase logs and the impact of closing darkweb sites

TL;DR: A number of discussions have been had regarding the stealer log data dump known as Alien_Txtbase. A followup analysis was performed by myself here on April 27, 2025. You can use that writeup to compare to the new data. The alleged shutdown of Breachforums that occurred a couple of weeks ago did remove some risk; however, a user named LEAKGOD on another security forum has started sharing new dumps of logs in excess of 100m rows. This data was not explicitly mentioned as more Alien_Txtbase data; however, the files were named the appropriate filename, with the Alien_Txtbase header, consistent with previous releases. We will now perform an analysis of the data to investigate how real the threat is (and discuss the records therein).


Yet more Alien_Txtbase logs shared

TL;DR: A number of discussions have been had regarding the stealer log data dump known as Alien_Txtbase. One of these analyses was performed by Specops Software on March 27, 2025. You can use that writeup to compare to the new data. Before Breach Forums was taken down yet again, a number of new records were offered by a forum member, totalling about 126m rows. This data was not explicitly mentioned as more Alien_Txtbase data; however, the files were named the appropriate filename, with the Alien_Txtbase header, consistent with previous releases. We will now perform an analysis of the data to investigate how real the threat is (and discuss the records therein).


Homebrew 'Wifi Pineapple'

TL;DR: I was preparing my tools for my first on-site assessment. The scope of the engagement included some possible wifi audit/site survey; figuring the Hak5 Wifi Pineapple (tm) is really popular, I wanted to see about bringing one to try it out in a real engagement. I decided on the Archer AC1750 as the hardware, and with some fighting did manage to get the Tetra firmware flashed over. There are some takeaways though: the documentation kicking around is missing some specificity, and in the end I don’t think the ordeal was really worth it compared to just carrying an Alfa.
