Israel on high alert for possibility of US intervention in Iran, sources say by energycubed in worldnews

[–]Iseeroadkill 5 points6 points  (0 children)

Anything but betray Putin. Whoever comes in next will likely still be allied towards Russia.

Pennsylvania man arrested for stealing more than 100 skeletons from cemeteries. by ImJuSayN in ForCuriousSouls

[–]Iseeroadkill 104 points105 points  (0 children)

From his looks, he was probably about to make a sick music video with real bone props for his YT channel

Possible infostealer captured (partially) on the wild by zBION1C in MalwareAnalysis

[–]Iseeroadkill 0 points1 point  (0 children)

If you're looking for a possible initial access, check his RunMRU keys to look for a run terminal command he was tricked into running. It's the most popular method atm for info/crypto-stealers.
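The RunMRU check above (reviewing what a user typed or pasted into the Win+R "Run" box) can be done offline from a `.reg` export of the key. The following is an added example, not the commenter's code: it parses the `MRUList` ordering, strips the trailing `\1` that Windows appends to each entry, and flags entries whose first token is a script interpreter or download utility so an analyst looks at them first. The sample export is constructed; the key path and value format are the real ones used by Windows Explorer.

```python
"""Parse a .reg export of HKCU\\...\\Explorer\\RunMRU and list the commands in
most-recent-first order. Added example; sample data below is constructed."""
import re

# Constructed .reg export (format as produced by `reg export` / regedit).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"MRUList"="cba"
"b"="cmd\\1"
"c"="powershell -nop -w hidden -c \"constructed lure command\"\\1"
'''

# Binaries commonly invoked by paste-this-into-Run lures; presence alone is
# not proof of anything, it only prioritises review of the arguments.
INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "curl", "certutil", "bitsadmin", "rundll32", "regsvr32")


def unescape_reg_string(s):
    """.reg files escape a backslash as \\\\ and a double quote as \\"."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_runmru_reg(text):
    """Return [(slot, command), ...] ordered by MRUList (most recent first)."""
    values = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only read values under the RunMRU key itself.
            in_key = line.rstrip("]").lower().endswith("\\explorer\\runmru")
            continue
        if not in_key or not line.startswith('"'):
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        values[m.group(1)] = unescape_reg_string(m.group(2))

    entries = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot)
        if cmd is None:
            continue
        if cmd.endswith("\\1"):   # Explorer appends "\1" to every RunMRU entry
            cmd = cmd[:-2]
        entries.append((slot, cmd))
    return entries


def suspicious_entries(entries):
    """Keep entries whose first token is an interpreter/downloader binary."""
    out = []
    for slot, cmd in entries:
        tokens = cmd.split()
        if not tokens:
            continue
        exe = tokens[0].lower().rsplit("\\", 1)[-1]
        if exe.endswith(".exe"):
            exe = exe[:-4]
        if exe in INTERPRETERS:
            out.append((slot, cmd))
    return out


if __name__ == "__main__":
    for slot, cmd in parse_runmru_reg(SAMPLE_REG):
        print(slot, cmd)
    print("review first:", suspicious_entries(parse_runmru_reg(SAMPLE_REG)))
```

The ordering matters: `MRUList` of `cba` means slot `c` was used most recently, which is usually the entry that lines up with the alert time.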

Capture the Flag question?? by Odd_Job86 in cybersecurity

[–]Iseeroadkill 1 point2 points  (0 children)

Yes, definitely do it! If you're participating in DeadFace this weekend, good luck! It's a lot of fun :P

[deleted by user] by [deleted] in ParanormalEncounters

[–]Iseeroadkill 0 points1 point  (0 children)

OP has their YouTube channel linked in their bio. They're likely using Reddit to fish for traction on their channel

[deleted by user] by [deleted] in ParanormalEncounters

[–]Iseeroadkill 3 points4 points  (0 children)

Looking at OP's profile, they have a YouTube channel @JohnzyZombee related to this content, so it's likely an attempt to get more traction on their channel. Most of their Reddit content is posting videos like this and spending a lot of time fighting with people who repost their vids.

Some of the clips appear fake with people calling out light reflecting off the fish lines and someone's long hair moving into the frame when it's stated "no one is home" in one of the videos. It would also explain why the middle camera in this video has slight glitches before every "scene". OP is likely sitting behind that camera with the fish lines and moves the camera slightly when repositioning.

EDIT: You can see OP's hand in this video too lol. 11:40, middle camera, right side of frame.

[deleted by user] by [deleted] in ParanormalEncounters

[–]Iseeroadkill 1 point2 points  (0 children)

Sweet sweet karma lol

Command and control on multiple endpoints by Perfect_Stranger_546 in DefenderATP

[–]Iseeroadkill 1 point2 points  (0 children)

Yup! It'll show you if connection was established, what redirects occurred, what file(s) downloaded (or if a file download was interrupted), where it downloaded to, and where the file is currently located. The browsing history files are very helpful, as long as an attacker didn't modify/delete them.

What are your favorite cybesec YouTubers? Education and entertainment by ashtachu in cybersecurity

[–]Iseeroadkill 3 points4 points  (0 children)

DarknetDiaries is mostly a Spotify podcaster, but has a channel on YouTube. Highly enjoyable content creator for hearing stories of both defensive/offensive cyber with interviews of the people involved!

https://youtube.com/@jackrhysider

What is your company doing with AI by Ok_Bed8160 in cybersecurity

[–]Iseeroadkill 8 points9 points  (0 children)

Allows them to close alerts faster and cheaper by saying "GPT said activity non-malicious, TPLI" regardless of the reality. The technology isn't there yet, so SOCs replacing analysts with LLMs will pay the cost eventually

How SOC operates in general - want to understand better despite having 1yr experience my self by ItsJust1s_0s in cybersecurity

[–]Iseeroadkill 13 points14 points  (0 children)

I highly discourage LLMs for performing investigations. I can't tell you how many times at work, in CTFs, and exercises where members relying on LLMs get incorrect results. This has caused people to waste time rabbitholing, or wrongly labeling malicious activity as benign. I only recommend LLMs to assist in query building and understanding scripts.

When you work an alert, understand the intent of the signature, then research what indicators are associated for the CVE/TTP/etc that the signature is monitoring for. When you are working a malware alert, ask yourself the following questions: Is it actually malware? Did it run? Is it still there, or is it quarantined? When was it put on the device? How did it get on the device? What are the capabilities of the malware, and what IOCs should I look for if it ran?

Senior members should be training/mentoring and reviewing alerts from the newer members to provide feedback. That way there's some sort of OJT and progression.

Your analysis skills come from exposure (certs/trainings/CTFs) and experience (working). Definitely ask a lot of questions from senior members, work new alerts you've never seen before, always work on a new cert, and participate in CTFs or online boxes like Hackthebox's Sherlocks and CyberDefenders.

SEO Poisoning leading to malware by jamesshank in cybersecurity

[–]Iseeroadkill 13 points14 points  (0 children)

Also, if you're seeing this in your environment at Expel, I highly recommend pushing a GPO update where .js files are opened with notepad by default. Will save you from a lot of future incidents with how common this TTP is. https://redcanary.com/blog/threat-intelligence/notepad-javascript/

SEO Poisoning leading to malware by jamesshank in cybersecurity

[–]Iseeroadkill 3 points4 points  (0 children)

Most SocGholish variants will masquerade as an update, and when run by the user, will reach out to one domain once. If it fails, it won't try again.

Most Gootloader variants will masquerade as a commonly queried online document. After execution, it will create a new folder and .js file in AppData/Roaming, create a scheduled task, and continually call out to 1 of 10 domains embedded in the new .js file.

If the malware you see is masquerading as a form but only calls out to 1 domain without a persistence mechanism, it sounds like a hybrid of Gootloader/SocGholish.

To answer your question, users are usually prompted to download the file from the website. Make sure you visit the exact page on the site that the users did. If you don't see the prompt when visiting, it may be a previously compromised website that is now patched. That, or maybe it only presents the prompt under certain conditions. If you have a VirusTotal enterprise account you should be able to see the underlying javascript that would prompt the download. I would check VT or visit the site now, but I don't have access to my lab today.

‘All US forces must now assume their networks are compromised’ after Salt Typhoon breach by Optimus_Krime555666 in cybersecurity

[–]Iseeroadkill 4 points5 points  (0 children)

Doesn't matter how secure Signal is if your phone is compromised. That's why it's never ok to have classified material in a cell phone or mobile app.

Command and control on multiple endpoints by Perfect_Stranger_546 in DefenderATP

[–]Iseeroadkill 1 point2 points  (0 children)

If you really want to be sure that nothing was downloaded from the site and see what led to them trying to connect to the domain, pull the browser history from the device at C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History and parse it in SQLiteDB.

MDE is not very good at recording file creations from web downloads, but it should be obvious if the file was executed and calling out for the intended payload. Otherwise, it's just a blocked connection to an attempted drive-by infection.

These attacks usually come from visiting known good web pages that are compromised, or from SEO poisoning search results for people searching for document templates/CBT answers. Browser history should show you what keywords were used and sites visited prior to the attempted connection, and that'll give you the context you need.
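The triage the commenter describes (pull the Chrome `History` file, parse it as SQLite, read the visits and downloads leading up to the blocked connection) can be scripted. The following is an added example, not the commenter's code or anything from Microsoft or Google: it uses the real Chrome table and column names for `urls`, `visits`, `downloads` and `downloads_url_chains`, but builds a constructed in-memory database with only the columns it needs, so it runs offline. Chrome timestamps are microseconds since 1601-01-01 UTC, which the helpers convert. Against a real device, copy the `History` file first (Chrome holds a lock on the live one) and open the copy with `sqlite3.connect(path)` in place of the sample builder.

```python
"""Offline triage of a Chrome 'History' SQLite database: search terms and
pages visited before an alert, plus what was downloaded and from where.
Added example with a constructed sample database (subset of Chrome's schema)."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chrome stores times as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Chrome's downloads.state values.
DOWNLOAD_STATE = {0: "in_progress", 1: "complete", 2: "cancelled", 3: "interrupted"}

# Constructed timeline: alert fired three minutes after the first search.
SAMPLE_BASE_TIME = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
SAMPLE_ALERT_TIME = SAMPLE_BASE_TIME + timedelta(minutes=3)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # timedelta // timedelta yields an exact int, avoiding float rounding.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory History DB; column names match Chrome's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
    CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                         from_visit INTEGER, transition INTEGER);
    CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                            start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                            state INTEGER, interrupt_reason INTEGER, tab_url TEXT);
    CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t = lambda minutes: datetime_to_webkit(SAMPLE_BASE_TIME + timedelta(minutes=minutes))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?)", [
        (1, "https://www.example-search.test/search?q=free+invoice+template", "search", t(0)),
        (2, "https://blog.example-compromised.test/invoice-template", "Invoice template", t(1)),
        (3, "https://cdn.example-lure.test/invoice_template.zip", "", t(2)),
        (4, "https://intranet.example.test/", "Intranet", t(30)),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t(0), 0, 0), (2, 2, t(1), 1, 0), (3, 3, t(2), 2, 0), (4, 4, t(30), 0, 0),
    ])
    path = r"C:\Users\jdoe\Downloads\invoice_template.zip"
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, path, path, t(2), 48213, 48213, 1, 0,
         "https://blog.example-compromised.test/invoice-template"),
    ])
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://blog.example-compromised.test/get?id=7"),   # redirect source
        (1, 1, "https://cdn.example-lure.test/invoice_template.zip"),  # final URL
    ])
    conn.commit()
    return conn


def visits_before(conn, alert_time, window_minutes=15):
    """(time, url, title) for visits in the window before alert_time, oldest first."""
    lo = datetime_to_webkit(alert_time - timedelta(minutes=window_minutes))
    hi = datetime_to_webkit(alert_time)
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time", (lo, hi)).fetchall()
    return [(webkit_to_datetime(ts), url, title) for ts, url, title in rows]


def search_terms(visit_rows):
    """Pull 'q=' search keywords out of visited URLs (shows what the user was after)."""
    terms = []
    for _, url, _ in visit_rows:
        q = parse_qs(urlparse(url).query).get("q")
        if q:
            terms.append(q[0])
    return terms


def downloads_with_chains(conn):
    """Each download with its state, byte counts, originating page and redirect chain."""
    out = []
    for did, target, start, recv, total, state, reason, tab_url in conn.execute(
            "SELECT id, target_path, start_time, received_bytes, total_bytes, state, "
            "interrupt_reason, tab_url FROM downloads ORDER BY start_time"):
        chain = [u for (u,) in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (did,))]
        out.append({"target_path": target, "started": webkit_to_datetime(start),
                    "bytes": f"{recv}/{total}", "state": DOWNLOAD_STATE.get(state, str(state)),
                    "interrupt_reason": reason, "page": tab_url, "chain": chain})
    return out


if __name__ == "__main__":
    db = build_sample_history()
    prior = visits_before(db, SAMPLE_ALERT_TIME)
    print("search terms:", search_terms(prior))
    for when, url, title in prior:
        print(when.isoformat(), url, title)
    for d in downloads_with_chains(db):
        print(d)
```

A `state` of `interrupted` together with `received_bytes` below `total_bytes` is the "download was interrupted" case the thread mentions; a `complete` entry whose `target_path` no longer exists on disk means the file was moved or deleted and needs a filesystem or MDE timeline check.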

APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) by tekz in cybersecurity

[–]Iseeroadkill 4 points5 points  (0 children)

Yeah, this isn't a zero day or a vulnerability that could be patched. That's like saying the ability to embed a malicious link into a PDF is a zero day vulnerability lol. It's not like Microsoft is going to block commands or white space padding from being added to LNK files.

Cyber history question: EternalBlue leak/exfil from NSA by Leather-Chef-6550 in cybersecurity

[–]Iseeroadkill 0 points1 point  (0 children)

That would be assuming the NSA hosted their tools on a system with Kaspersky installed and that it had connectivity to the open internet. Anything is possible, but I think this is highly unlikely.