| 2022-01-07 | Xavier Mertens | Custom Python RAT Builder |
| 2021-12-22 | Brad Duncan | December 2021 Forensic Contest: Answers and Analysis |
| 2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people |
| 2021-12-02 | Brad Duncan | TA551 (Shathak) pushes IcedID (Bokbot) |
| 2021-11-26 | Guy Bruneau | Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090 |
| 2021-11-16 | Brad Duncan | Emotet Returns |
| 2021-11-04 | Brad Duncan | October 2021 Forensic Contest: Answers and Analysis |
| 2021-10-04 | Johannes Ullrich | Boutique "Dark" Botnet Hunting for Crumbs |
| 2021-09-23 | Xavier Mertens | Excel Recipe: Some VBA Code with a Touch of Excel4 Macro |
| 2021-08-13 | Brad Duncan | Example of Danabot distributed through malspam |
| 2021-07-24 | Xavier Mertens | Agent.Tesla Dropped via a .daa Image and Talking to Telegram |
| 2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis |
| 2021-06-24 | Xavier Mertens | Do you Like Cookies? Some are for sale! |
| 2021-04-15 | Johannes Ullrich | Why and How You Should be Using an Internal Certificate Authority |
| 2021-04-06 | Jan Kopriva | Malspam with Lokibot vs. Outlook and RFCs |
| 2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike |
| 2021-02-23 | Jan Kopriva | Qakbot in a response to Full Disclosure post |
| 2021-02-17 | Brad Duncan | Malspam pushing Trickbot gtag rob13 |
| 2021-01-26 | Brad Duncan | TA551 (Shathak) Word docs push Qakbot (Qbot) |
| 2021-01-20 | Brad Duncan | Qakbot activity resumes after holiday break |
| 2020-12-09 | Brad Duncan | Recent Qakbot (Qbot) activity |
| 2020-11-03 | Brad Duncan | Emotet -> Qakbot -> more Emotet |
| 2020-10-20 | Xavier Mertens | Mirai-alike Python Scanner |
| 2020-10-14 | Brad Duncan | More TA551 (Shathak) Word docs push IcedID (Bokbot) |
| 2020-08-19 | Xavier Mertens | Example of Word Document Delivering Qakbot |
| 2020-08-03 | Xavier Mertens | Powershell Bot with Multiple C2 Protocols |
| 2020-08-01 | Jan Kopriva | What pages do bad bots look for? |
| 2020-07-15 | Brad Duncan | Word docs with macros for IcedID (Bokbot) |
| 2020-06-13 | Guy Bruneau | Mirai Botnet Activity |
| 2020-05-20 | Brad Duncan | Microsoft Word document with malicious macro pushes IcedID (Bokbot) |
| 2020-04-01 | Brad Duncan | Qakbot malspam sent from an infected Windows host |
| 2020-03-21 | Guy Bruneau | Honeypot - Scanning and Targeting Devices & Services |
| 2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file |
| 2020-01-28 | Brad Duncan | Emotet epoch 1 infection with Trickbot gtag mor84 |
| 2019-12-24 | Brad Duncan | Malspam with links to Word docs pushes IcedID (Bokbot) |
| 2019-12-18 | Brad Duncan | Emotet infection with spambot activity |
| 2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot |
| 2019-11-13 | Brad Duncan | An example of malspam pushing Lokibot malware, November 2019 |
| 2019-10-30 | Xavier Mertens | Keep an Eye on Remote Access to Mailboxes |
| 2019-09-18 | Brad Duncan | Emotet malspam is back |
| 2019-09-03 | Johannes Ullrich | [Guest Diary] Tricky LNK points to TrickBot |
| 2019-08-14 | Brad Duncan | Recent example of MedusaHTTP malware |
| 2019-08-08 | Johannes Ullrich | [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign" |
| 2019-07-26 | Kevin Shortt | DVRIP Port 34567 - Uptick |
| 2019-03-13 | Brad Duncan | Malspam pushes Emotet with Qakbot as the follow-up malware |
| 2019-03-06 | Brad Duncan | Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot |
| 2019-02-14 | Xavier Mertens | Old H-Worm Delivered Through GitHub |
| 2019-01-16 | Brad Duncan | Emotet infections and follow-up malware |
| 2019-01-10 | Brad Duncan | Heartbreaking Emails: "Love You" Malspam |
| 2018-12-23 | Guy Bruneau | Scanning Activity, end Goal is to add Hosts to Mirai Botnet |
| 2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot) |
| 2018-12-05 | Brad Duncan | Campaign evolution: Hancitor changes its Word macros |
| 2018-12-04 | Brad Duncan | Malspam pushing Lokibot malware |
| 2018-11-14 | Brad Duncan | Day in the life of a researcher: Finding a wave of Trickbot malspam |
| 2018-09-26 | Brad Duncan | One Emotet infection leads to three follow-up malware infections |
| 2018-05-09 | Xavier Mertens | Nice Phishing Sample Delivering Trickbot |
| 2018-03-08 | Xavier Mertens | CRIMEB4NK IRC Bot |
| 2017-10-19 | Brad Duncan | HSBC-themed malspam uses ISO attachments to push Loki Bot malware |
| 2017-08-15 | Brad Duncan | Malspam pushing Trickbot banking Trojan |
| 2017-07-19 | Xavier Mertens | Bots Searching for Keys & Config Files |
| 2017-05-08 | Renato Marinho | Exploring a P2P Transient Botnet - From Discovery to Enumeration |
| 2016-12-31 | Xavier Mertens | Ongoing Scans Below the Radar |
| 2016-12-07 | Xavier Mertens | The Passwords You Should Never Use |
| 2016-09-10 | Xavier Mertens | Ongoing IMAP Scan, Anyone Else? |
| 2016-07-27 | Xavier Mertens | Analyze of a Linux botnet client source code |
| 2015-02-06 | Johannes Ullrich | Anthem, TurboTax and How Things "Fit Together" Sometimes |
| 2014-10-09 | Johannes Ullrich | CSAM: My servers started speaking IRC, and that is when I started to listen! |
| 2014-08-16 | Lenny Zeltser | Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability |
| 2014-01-16 | Kevin Shortt | Port 4028 - Interesting Activity |
| 2013-12-07 | Guy Bruneau | Suspected Active Rovnix Botnet Controller |
| 2013-10-26 | Guy Bruneau | Active Perl/Shellbot Trojan |
| 2013-08-11 | Bojan Zdrnja | XATattacks (attacks on xat.com) |
| 2012-10-26 | Russ McRee | Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant |
| 2011-08-04 | Johannes Ullrich | IRC traffic on non standard ports |
| 2011-05-14 | Guy Bruneau | Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity |
| 2011-02-28 | Deborah Hale | Possible Botnet Scanning |
| 2011-01-11 | Kevin Shortt | Spam Cannons on Holiday |
| 2010-11-18 | Chris Carboni | All of your pages are belonging to us |
| 2010-11-05 | Adrien de Beaupre | Bot honeypot |
| 2010-08-19 | Daniel Wesemann | Casper the unfriendly ghost |
| 2010-07-29 | Rob VandenBrink | FBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators |
| 2010-06-14 | Manuel Humberto Santander Pelaez | New way of social engineering on IRC |
| 2010-05-07 | Johannes Ullrich | Stock market "wipe out" may be due to computer error |
| 2010-05-02 | Mari Nichols | Zbot Social Engineering |
| 2010-04-23 | Adrien de Beaupre | Shadowserver botnet rules |
| 2010-03-25 | Kevin Liston | Zeus wants to do your taxes |
| 2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality. |
| 2010-02-02 | Johannes Ullrich | Pushdo Update |
| 2010-01-25 | William Salusky | "Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!" |
| 2009-12-21 | Marcus Sachs | iPhone Botnet Analysis |
| 2009-11-13 | Deborah Hale | Pushdo/Cutwail Spambot - A Little Known BIG Problem |
| 2009-11-08 | Kevin Liston | FireEye takes on Ozdok and Recovery Ideas |
| 2009-10-10 | Tony Carothers | User Notification for Possible Infected Systems |
| 2009-09-16 | Raul Siles | IETF Draft for Remediation of Bots in ISP Networks |
| 2009-05-07 | Deborah Hale | Botnet hijacking reveals 70GB of stolen data |
| 2008-11-05 | donald smith | Bot net hunters get an improved tool from SRI bothunters |
| 2008-09-09 | Swa Frantzen | The complaint that's an attack |
| 2008-09-01 | John Bambenek | The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months |
| 2008-07-19 | William Salusky | A twist in fluxnet operations. Enter Hydraflux |
| 2008-07-15 | Maarten Van Horenbeeck | Bot controller mimicry |
| 2008-04-07 | John Bambenek | Got Kraken? |
| 2008-04-07 | John Bambenek | Kraken Technical Details: UPDATED x3 |
| 2006-08-31 | Swa Frantzen | NT botnet submitted |
| 2006-08-31 | Joel Esler | MS06-040 Worm |
https://www.sans.edu
