Stealer malware attack vectors -- Lumma Stealer

Following the Microsoft and DoJ takedown of Lumma infrastructure, and this week's news from Sophos about a single user hosting over 100 malware GitHub repos, I wanted to spend some time looking into the specific vectors leveraged by some of these repositories. Recently, some of these attacks have included taking screenshots upon execution, which gives us a look at exactly what a user ran that triggered the RAT (Remote Access Trojan) and harvested data from their machine.

Read More

Encryption vs Hashing

Recently, a well-known software and security services company posted a blog post titled “Password encryption: What is it and how does it work?”, which immediately raises a number of discussion points and questions. So I figured I'd do a short writeup on the difference between encryption and hashing, why we do not encrypt passwords, and why it is dangerous to consider encrypting secrets rather than hashing them.

Read More

The misleading messaging of time to crack tables

TL;DR: It's the time of year when security vendors post blog posts with charts of how long it takes to brute-force a given password. As usual this raised a lot of questions from less security-minded people I know about the realism of the numbers, and how realistic the exercise is now. As penance for having generated this data in the past for similar marketing pushes, I will discuss why this is actually a poor way to teach less-technical users about password complexity, and how users should be creating and using credentials.

Read More

On Lockbit's plaintext passwords

Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit's phpMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2, which is vulnerable to the RCE CVE-2024-4577. Which, uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point.

Read More

More Alien_Txtbase logs and the impact of closing darkweb sites

TL;DR: A number of discussions have been had regarding the stealer log data dump known as Alien_Txtbase. I performed a follow-up analysis here on April 27, 2025, which you can use to compare against the new data. The alleged shutdown of Breachforums that occurred a couple of weeks ago did remove some risk; however, a user named LEAKGOD on another security forum has started sharing new dumps of logs in excess of 100M rows. This data was not explicitly described as more Alien_Txtbase data; however, the files carried the same filename and the Alien_Txtbase header, consistent with previous releases. We will now analyse the data to investigate how real the threat is (and discuss the records therein).

Read More