mthcht @mthcht2
Threat Hunting - DFIR - Detection Engineering
Joined February 2023
Tweets 46 - Followers 63 - Following 339 - Likes 165
A Windows #Clickfix alternative seen in the wild in a mass-spreading malware campaign, bypassing traditional Win+R shortcut restrictions. The user is asked to open the Windows Power User menu (Win+X), open a PowerShell terminal, and paste and run a malicious Clickfix-style command.
Thanks to everyone who came out to see my talk! All of my code and the slides for my ChromeAlone presentation are available now at github.com/praetorian-inc…. If you're interested in developing malicious browser extensions give the code a look! #defcon #chromealone #malware
Red teamers, no need to “pull” clipboard data when Windows already saves it all on disk for you in a neat little file 🗿 (including past clipboard items) inversecos.com/2022/05/how-to…
Palo Alto Networks' Lior Rochberger looks into a cluster of suspicious activity targeting governmental entities in Southeast Asia. The threat actors behind this campaign use the HazyBeacon backdoor, which leverages AWS Lambda URLs as C2 infrastructure. unit42.paloaltonetworks.com/windows-backdo…
The DFIR Report | KongTuke FileFix Leads to New Interlock RAT Variant thedfirreport.com/2025/07/14/kon…
FileFix - A ClickFix Alternative mrd0x.com/filefix-clickf…
New @TheDFIRReport Hide Your RDP: Password Spray Leads to RansomHub Deployment thedfirreport.com/2025/06/30/hid…
🚨 About CVE-2025-33053 - a crazy Windows execution flow vulnerability This flaw abuses how Windows resolves executable paths when trusted binaries spawn child processes without full paths. For example, a legitimate tool like iediagcmd.exe is launched from a .url file that…
Excellent article from @Synacktiv detailing CVE-2025-33073. It's an easy peasy LPE on any server where SMB signing is not enforced. I have already replicated it and it works a charm. If you still aren't enforcing SMB signing... what are you doing?! Harden your environment & patch!
Zero-Day used by Stealth Falcon APT group in a spear-phishing campaign: 💥 .URL file exploitation (assigned CVE-2025-33053) 🧰 Custom Mythic implants, LOLBins, and custom payloads 🌍 High-profile targets across the Middle East and Africa research.checkpoint.com/2025/stealth-f…
Finally had some time to publish these blogs. Enjoy! Spying On Screen Activity Using Chromium Browsers mrd0x.com/spying-with-ch… Camera and Microphone Spying Using Chromium Browsers mrd0x.com/spying-with-ch…
🚨 APT41 is using malware, TOUGHPROGRESS, that leverages Google Calendar for command and control. Learn more about the campaign, how GTIG disrupted it using custom detection signatures, and how to defend against future attacks: bit.ly/4kCNqU1
Nice research & highly likely this will be abused ITW. New detections out using the new-term rule type to alert on a first-time-seen SubjectUserName in the last 10 days creating a new dMSA account or modifying the msDS-ManagedAccountPrecededByLink attribute. github.com/elastic/detect…
Late Friday blog drop! @HuntressLabs had some fun with #DefendNot by @es3n1n 😈 This tool shows that defense evasion isn’t just about avoiding tools—it’s about bending them. Here’s how attackers turn your security products into blind spots. 🛡️ huntress.com/blog/defendnot…
Lumma Stealers - 995 sinkholed domains by Microsoft gist.github.com/mthcht/4b16ef0…
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1.name) AS dcs MATCH (c2:Computer) WHERE c2.enabled = true AND c2.operatingsystem CONTAINS '2025' AND c2.name IN dcs RETURN c2.name If this query hits, you're in.
Criminals are using Teams and impersonating help desk personnel to deliver an #AdaptixC2 beacon. Attackers utilized #QuickAssist to run an update.ps1 file that downloads and runs an AdaptixC2 beacon using tech-system[.]online for its C2 server. Details at bit.ly/3SMlocQ
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware thedfirreport.com/2025/05/19/ano…
We are very excited to announce that Volatility 3 has reached parity with Volatility 2! With this achievement, Volatility 2 is now deprecated. See the full details in our blog post: volatilityfoundation.org/announcing-the…
I recently found out that Palo Alto’s WildFire antivirus solution saves its detections in a temporary file. This can be useful when a customer is using Palo Alto’s XDR, but we - as incident responders - don’t have access to their console and instead depend on our own deployed…

Syble @syblemontanez38
288 Followers 3K Following
1astWav3 @1astwav3_0010
1 Followers 147 Following
Steve @systeved
240 Followers 243 Following IdentityInfo | where Department=='Cyber' | where JobTitle has_any ('TH','TI') | where CompanyName=='my opinions' | where Tags has_any ('MMA','travel','dogs',++)
ego sum ultra @banpornography
719 Followers 848 Following
Syed Shamsudheen @SyedShamsudheen
24 Followers 639 Following
Defender Ciprian Davi... @CiprianDefender
43 Followers 3K Following
MemeStocksHQ🇺🇸 @Fovirx773678
42 Followers 2K Following 15-30% Monthly | 2 High-Conviction Stocks.Short-Term Gains: 15-20% in Days/Weeks.DM "JOIN" for WhatsApp Alerts. Live Trade Signals • Market Analysis
Dubz @Dubz_vx
291 Followers 747 Following Threat Hunter, Malware Analyst & Cyber Cowboy From France 🇫🇷 #malware #reverse #threathunt
Mariah Rita @mariahrita43
88 Followers 4K Following ⚓️ captain & Explorer 🌎 Travel & Lifestyle, kindly follow back 💞💞❣️💗💖💖💖💖🌹💝
Elastic Security Labs @elasticseclabs
4K Followers 708 Following Elastic Security Labs is democratizing security by sharing knowledge and capabilities necessary to prepare for threats. Spiritually serving humanity since 2019.
Mahmoud @GilM64
122 Followers 744 Following
ProxyCEO @ZinyProxy
1K Followers 6K Following You find data, we take it. Or do it yourself, we sell Proxies & Bots 🤷🏼♂️
Ripic @Ripic046
9 Followers 389 Following
Michelle @michelle_ell4
199 Followers 3K Following
ch0uch w. @ChouchWard
133 Followers 462 Following (He/Him) Cyber Rider #DFIR #RedTeam #ThreatIntelligence #ThreatHunting Content in Arabic🇸🇦 English🇺🇸 & French🇫🇷
Johan @Syndikalist
404 Followers 724 Following Mostly RT interesting stuff. RT != Endorsement and all that jazz. #WeAreNAFO
RugPullSurvivor @EscapedTheRug
626 Followers 560 Following
0xW43L @GhnimiWael
685 Followers 4K Following CTI Researcher | SRT Member @synack | X-Red-Teamer | X-Blue-Teamer | Bug Bounty Hunter | OSEP | eWAPTx | arcX ... Hunt threats, secure systems, learn always.
Zulfazli Ahmad @zulfazliAhmad
830 Followers 5K Following #CyberSecurity Finisher: Bentang Jawa 2022 | H1 Hardcore 100miles 2017 | Rinjani100 2018| GP100 2018| UTMB 100miles 2019 | Tor Des Geants (TDG) 330km 2019
fadz @daf_nalz
2 Followers 5K Following
auistin @AuistinSchauble
15 Followers 233 Following
Adair John Collins @AdairJCollins
28 Followers 589 Following
🕵🏻♂️🔻 @mswelam_
1K Followers 2K Following uncut gems l l DFIR @EG_CERT#cocopollo_author BlackHat MEA2024, 2025
Vxshellew @vxshellew
555 Followers 4K Following
Dennis Kniep @dennis_kniep
238 Followers 242 Following
kenziedolls🎀 @kenzieedollss
1K Followers 7K Following hi hi, i'm just ur baby tgirl who films too much alot of stuff on my lil page's if u wanna text me.😏
Brendan Chamberlain @infosecb
1K Followers 709 Following Threat Detection Engineer | detection & response | automation | macOS security | awesome-detection-engineering, LOOBins, Rulehound
Khoa Dinh @_l0gg
2K Followers 118 Following
RussianPanda 🐼 ... @RussianPanda9xx
16K Followers 533 Following The MVD is looking for me 🚔 | Threat Hunter @HuntressLabs | TRACLabs https://t.co/QNvr2yUuJM | Malware Addict | DFIR
LazyTitan @LazyTitan33
2K Followers 319 Following Pentester | eWPTXv2 | eCPTXv2 | eCPPTv2 | eWPT | CNPen | eJPT CVE-2025-22458: https://t.co/qX6CTzNepe
@zephrfish.yxz.red @ZephrFish
19K Followers 588 Following Photos at @ZephrSnaps | Director at @ZephrSec |Staff on @CuratedIntel | Lab Creation @XintraOrg
Mandiant (part of Goo... @Mandiant
127K Followers 4K Following We’re determined to make organizations secure against cyber threats and confident in their readiness.
Ahmed NB @nu11charb
3K Followers 363 Following Security Research @Confidential. Youtube: https://t.co/K5TdVRtOPY Founder of Ask-Academy: https://t.co/Cq8I2yW96Z
Mauricio Velazco @mvelazco
5K Followers 2K Following Security Research @Microsoft || Purple Team || Noob
Eric Zimmerman @EricRZimmerman
19K Followers 892 Following KAPE, EZTools, forensics, X-Ways. Certified SANS instructor. FFL Please consider supporting me: https://t.co/pIjxED3CMx
volatility @volatility
22K Followers 10 Following Official account of the Volatility Memory Analysis Project and Windows Malware and Memory Forensics Training. https://t.co/A4TZ1FOjpg
Brett Shavers 🙄 @Brett_Shavers
40K Followers 882 Following Fell off a cliff. Swam with sharks. Dined with hitmen. Hung out with crime bosses. Bought and sold a ton of drugs. How the heck am I still here? #DFIR #USMC 🚓
CyberWar - 싸워 @cyberwar_15
7K Followers 100 Following Since. 2001. 8. 8 We have been fighting against North Korean cyber operatives since August 8, 2001.
Ekitji @eki_erk
40 Followers 117 Following
Shanholo @ShanHolo
2K Followers 366 Following Another blue team member…..#CSIRT #DFIR #Malware #4n6 #ThreatIntel and following the white rabbit...
gmh5225.eth @gmhzxy
3K Followers 969 Following Beautiful vision, trust in the system, institutional constraints, and common prosperity. https://t.co/VoPkucDJdr
es3n1n @es3n1n
3K Followers 484 Following (wanna-be) developer, (wanna-be) reverse engineer, occasionally a (wanna-be) ctf player
hackerfantastic.x @hackerfantastic
104K Followers 5K Following Co-Founder @myhackerhouse. Cybersecurity & #Web3. Hands-on Hacking (ISBN 9781119561453). Offensive Lua. Christ's Red Team. ✝️
Jonathan Peters @cod3nym
777 Followers 102 Following Threat Researcher | Detection Engineer @nextronsystems @nextronresearch #Yara enthusiast | C# Developer
James @James_inthe_box
22K Followers 467 Following
Atsika @_atsika
622 Followers 492 Following Red Team enthusiast | Malware development enjoyer | Adversary Simulation at @quarkslab
Arda Büyükkaya @WhichbufferArda
5K Followers 1K Following Cyber Threat Intelligence Analyst @EclecticIQ | Threat Hunter | Malware Analyst |. (All opinions expressed here are mine only). 🇳🇱
Br3akp0int @tccontre18
2K Followers 955 Following tweets are my own😉 Threat Researcher - interested in: (R.E, Red/Blue/Purple Team, DFIR, ML, Kernel, Exploit Dev) - https://t.co/qJyB5lIuHj
CERT Orange Cyberdefe... @CERTCyberdef
10K Followers 419 Following First Private CERT in Europe. Tweets are about vulnerability and cyber threats. Corporate account: @OrangeCyberDef / @OrangeCyberFR GPG KeyID: 0xBD54B276
crep1x @crep1x
3K Followers 313 Following Lead cybercrime analyst, tracking adversaries activities & infrastructure, at @sekoia_io
ExecuteMalware @executemalware
27K Followers 185 Following #malware hunter & analyst. Opinions are my own.
Squiblydoo @SquiblydooBlog
4K Followers 77 Following Malware Analysis Creator of Debloat, certReport, and https://t.co/w4rAuuB7O0 Want to chat? Join the Debloat discord: https://t.co/ZcWIqa6ZA9
Zero Labs @ZeroNLabs
243 Followers 26 Following Zero Networks Research team, specializing in open source security tools for defenders. Join our slack at https://t.co/wODnpNlq9F
Nevada @nevadaromsdahl
693 Followers 516 Following Professional hacker. Amateur father, husband, hunter, musician, gamer. (he/him) All views and comments are my own opinion.
Simone Margaritelli @evilsocket
47K Followers 2K Following Music, cybersecurity, open source and AI • Author of bettercap, pwnagotchi, opensnitch, bleah, legba and a few other things.
Allan “Ransomware S... @uuallan
17K Followers 6K Following Back The Press Guardian & The Clock:1942 https://t.co/liXLX2DeQ8
HackTricks @hacktricks_live
15K Followers 202 Following HackTricks offers free quality hacking resources in 17 languages: https://t.co/O1TVFk5r9q, https://t.co/0RhWRaaPIm Paid certs by HT-Training: https://t.co/2C0w8pkq6v
tuckner @tuckner
2K Followers 821 Following Finding bad software extensions at https://t.co/dhLUjMRP1I
JAMESWT @JAMESWT_WT
37K Followers 509 Following #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
Cybersecurity and Inf... @CISAgov
310K Followers 100 Following Official communications from CISA on X will always originate from this account. No other accounts are authorized to convey info from CISA or senior CISA staff.
Thomas Seigneuret @_zblurx
3K Followers 392 Following Red Teamer & Security researcher Maintainer of #NetExec, #DonPAPI, dploot, certsync, and all the stuff on my github repo bsky: https://t.co/zISpgvDSWc
Luzark @Luzark_
354 Followers 808 Following Useless stuff hacking pro, Sr. Pentester @bishopfox. CEO of me at RedSense I break scammers and cyberharassers asses just for fun. My tweets are tweets.
JS0N Haddix @Jhaddix
167K Followers 7K Following CEO, CISO, Trainer, Hacker, and Speaker. Cybersecurity + Hacking + AI + Sec Leadership @arcanuminfosec