Internet Storm Center
Date | Author | Title
2023-03-11 | Xavier Mertens | Overview of a Mirai Payload Generator
2023-02-28 | Brad Duncan | BB17 distribution Qakbot (Qbot) activity
2023-02-24 | Brad Duncan | URL files and WebDAV used for IcedID (Bokbot) infection
2022-12-02 | Brad Duncan | obama224 distribution Qakbot tries .vhd (virtual hard disk) images
2022-11-02 | Brad Duncan | Who put the "Dark" in DarkVNC?
2022-10-16 | Didier Stevens | Video: Analysis of a Malicious HTML File (QBot)
2022-10-13 | Didier Stevens | Analysis of a Malicious HTML File (QBot)
2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-09 | Brad Duncan | TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
2022-04-20 | Brad Duncan | "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-03-25 | Xavier Mertens | XLSB Files: Because Binary is Stealthier Than XML
2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity
2022-02-15 | Xavier Mertens | Who Are Those Bots?
2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection
2022-01-25 | Brad Duncan | Emotet Stops Using 0.0.0.0 in Spambot Traffic
2022-01-07 | Xavier Mertens | Custom Python RAT Builder
2021-12-22 | Brad Duncan | December 2021 Forensic Contest: Answers and Analysis
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-12-02 | Brad Duncan | TA551 (Shathak) pushes IcedID (Bokbot)
2021-11-26 | Guy Bruneau | Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
2021-11-16 | Brad Duncan | Emotet Returns
2021-11-04 | Brad Duncan | October 2021 Forensic Contest: Answers and Analysis
2021-10-04 | Johannes Ullrich | Boutique "Dark" Botnet Hunting for Crumbs
2021-09-23 | Xavier Mertens | Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
2021-08-13 | Brad Duncan | Example of Danabot distributed through malspam
2021-07-24 | Xavier Mertens | Agent.Tesla Dropped via a .daa Image and Talking to Telegram
2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis
2021-06-24 | Xavier Mertens | Do you Like Cookies? Some are for sale!
2021-04-15 | Johannes Ullrich | Why and How You Should be Using an Internal Certificate Authority
2021-04-06 | Jan Kopriva | Malspam with Lokibot vs. Outlook and RFCs
2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike
2021-02-23 | Jan Kopriva | Qakbot in a response to Full Disclosure post
2021-02-17 | Brad Duncan | Malspam pushing Trickbot gtag rob13
2021-01-26 | Brad Duncan | TA551 (Shathak) Word docs push Qakbot (Qbot)
2021-01-20 | Brad Duncan | Qakbot activity resumes after holiday break
2020-12-09 | Brad Duncan | Recent Qakbot (Qbot) activity
2020-11-03 | Brad Duncan | Emotet -> Qakbot -> more Emotet
2020-10-20 | Xavier Mertens | Mirai-alike Python Scanner
2020-10-14 | Brad Duncan | More TA551 (Shathak) Word docs push IcedID (Bokbot)
2020-08-19 | Xavier Mertens | Example of Word Document Delivering Qakbot
2020-08-03 | Xavier Mertens | Powershell Bot with Multiple C2 Protocols
2020-08-01 | Jan Kopriva | What pages do bad bots look for?
2020-07-15 | Brad Duncan | Word docs with macros for IcedID (Bokbot)
2020-06-13 | Guy Bruneau | Mirai Botnet Activity
2020-05-20 | Brad Duncan | Microsoft Word document with malicious macro pushes IcedID (Bokbot)
2020-04-01 | Brad Duncan | Qakbot malspam sent from an infected Windows host
2020-03-21 | Guy Bruneau | Honeypot - Scanning and Targeting Devices & Services
2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file
2020-01-28 | Brad Duncan | Emotet epoch 1 infection with Trickbot gtag mor84
2019-12-24 | Brad Duncan | Malspam with links to Word docs pushes IcedID (Bokbot)
2019-12-18 | Brad Duncan | Emotet infection with spambot activity
2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot
2019-11-13 | Brad Duncan | An example of malspam pushing Lokibot malware, November 2019
2019-10-30 | Xavier Mertens | Keep an Eye on Remote Access to Mailboxes
2019-09-18 | Brad Duncan | Emotet malspam is back
2019-09-03 | Johannes Ullrich | [Guest Diary] Tricky LNK points to TrickBot
2019-08-14 | Brad Duncan | Recent example of MedusaHTTP malware
2019-08-08 | Johannes Ullrich | [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign"
2019-07-26 | Kevin Shortt | DVRIP Port 34567 - Uptick
2019-03-13 | Brad Duncan | Malspam pushes Emotet with Qakbot as the follow-up malware
2019-03-06 | Brad Duncan | Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
2019-02-14 | Xavier Mertens | Old H-Worm Delivered Through GitHub
2019-01-16 | Brad Duncan | Emotet infections and follow-up malware
2019-01-10 | Brad Duncan | Heartbreaking Emails: "Love You" Malspam
2018-12-23 | Guy Bruneau | Scanning Activity, end Goal is to add Hosts to Mirai Botnet
2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot)
2018-12-05 | Brad Duncan | Campaign evolution: Hancitor changes its Word macros
2018-12-04 | Brad Duncan | Malspam pushing Lokibot malware
2018-11-14 | Brad Duncan | Day in the life of a researcher: Finding a wave of Trickbot malspam
2018-09-26 | Brad Duncan | One Emotet infection leads to three follow-up malware infections
2018-05-09 | Xavier Mertens | Nice Phishing Sample Delivering Trickbot
2018-03-08 | Xavier Mertens | CRIMEB4NK IRC Bot
2017-10-19 | Brad Duncan | HSBC-themed malspam uses ISO attachments to push Loki Bot malware
2017-08-15 | Brad Duncan | Malspam pushing Trickbot banking Trojan
2017-07-19 | Xavier Mertens | Bots Searching for Keys & Config Files
2017-05-08 | Renato Marinho | Exploring a P2P Transient Botnet - From Discovery to Enumeration
2016-12-31 | Xavier Mertens | Ongoing Scans Below the Radar
2016-12-07 | Xavier Mertens | The Passwords You Should Never Use
2016-09-10 | Xavier Mertens | Ongoing IMAP Scan, Anyone Else?
2016-07-27 | Xavier Mertens | Analyze of a Linux botnet client source code
2015-02-06 | Johannes Ullrich | Anthem, TurboTax and How Things "Fit Together" Sometimes
2014-10-09 | Johannes Ullrich | CSAM: My servers started speaking IRC, and that is when I started to listen!
2014-08-16 | Lenny Zeltser | Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability
2014-01-16 | Kevin Shortt | Port 4028 - Interesting Activity
2013-12-07 | Guy Bruneau | Suspected Active Rovnix Botnet Controller
2013-10-26 | Guy Bruneau | Active Perl/Shellbot Trojan
2013-08-11 | Bojan Zdrnja | XATattacks (attacks on xat.com)
2012-10-26 | Russ McRee | Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant
2011-08-04 | Johannes Ullrich | IRC traffic on non standard ports
2011-05-14 | Guy Bruneau | Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-02-28 | Deborah Hale | Possible Botnet Scanning
2011-01-11 | Kevin Shortt | Spam Cannons on Holiday
2010-11-18 | Chris Carboni | All of your pages are belonging to us
2010-11-05 | Adrien de Beaupre | Bot honeypot
2010-08-19 | Daniel Wesemann | Casper the unfriendly ghost
2010-07-29 | Rob VandenBrink | FBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators
2010-06-14 | Manuel Humberto Santander Pelaez | New way of social engineering on IRC
2010-05-07 | Johannes Ullrich | Stock market "wipe out" may be due to computer error
2010-05-02 | Mari Nichols | Zbot Social Engineering
2010-04-23 | Adrien de Beaupre | Shadowserver botnet rules
2010-03-25 | Kevin Liston | Zeus wants to do your taxes
2010-03-11 | donald smith | Cert write up on Skype IMBot Logic and Functionality.
2010-02-02 | Johannes Ullrich | Pushdo Update
2010-01-25 | William Salusky | "Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"
2009-12-21 | Marcus Sachs | iPhone Botnet Analysis
2009-11-13 | Deborah Hale | Pushdo/Cutwail Spambot - A Little Known BIG Problem
2009-11-08 | Kevin Liston | FireEye takes on Ozdok and Recovery Ideas
2009-10-10 | Tony Carothers | User Notification for Possible Infected Systems
2009-09-16 | Raul Siles | IETF Draft for Remediation of Bots in ISP Networks
2009-05-07 | Deborah Hale | Botnet hijacking reveals 70GB of stolen data
2008-11-05 | donald smith | Bot net hunters get an improved tool from SRI bothunters
2008-09-09 | Swa Frantzen | The complaint that's an attack
2008-09-01 | John Bambenek | The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months
2008-07-19 | William Salusky | A twist in fluxnet operations. Enter Hydraflux
2008-07-15 | Maarten Van Horenbeeck | Bot controller mimicry
2008-04-07 | John Bambenek | Got Kraken?
2008-04-07 | John Bambenek | Kraken Technical Details: UPDATED x3
2006-08-31 | Swa Frantzen | NT botnet submitted
2006-08-31 | Joel Esler | MS06-040 Worm