Channel: Malware Must Die!
Browsing all 151 articles

Knockin' on Neutrino Exploit Kit's door.. Part-1 (where is "that"...

Summary of infection chains. This is going to be a long write-up, but the weekdays have started.. and so has the daily work, which comes first under #MalwareMustDie, NPO rules, so please allow me to split...


Suspension announce of 61 unique domains used by Blackhole Exploit Kit...

MalwareMustDie, NPO, during its research activities, follows the process of suspending malicious domains as an important milestone in the malware-fighting steps. It is also publicly releasing some of...


Proof of Concept of "CookieBomb" code injection attack

This writing is actually related to the previously blogged "A Mystery of Malware URL "cnt.php" Redirection", here -->>[MMD-Blog], so I warn you.. this is not new stuff, but it seems a bit difficult to...


How badly can Cutwail and other SpamBots fool (spoof) us?

As the title says, the answer is VERY bad and nasty. I took my bitter pill by analyzing this case; it is important to share this information since there is a real lack of it on the internet, so I...


#Alert - Kelihos payload download zone in .RU 93 domains still ALIVE - RedKit...

We detected a massive RedKit infection in Japan, as posted by our Japanese team here -->>[0day.jp]. The RedKit attack was targeting innocent popular sites, like the site of happiness relation of...


Some encoding note(s) on modified #CookieBomb attack's obfuscated injection code

We posted about the attack related to this injection code, found in many web pages, here: -->>[previous post]. I called this the #CookieBomb attack; it uses obfuscated JavaScript to burp the...


What is behind #CookieBomb attack? (by @malm0u53)

You know me as @malm0u53, crusade member of MalwareMustDie. In this investigation report I will write about how the #CookieBomb code injection attack can actually damage and infect our systems. I saw a...


The comeback of the .RU RunForrestRun DGA with a 365-domain infector (ALIVE!)

I came across an infected site spotted in a Japanese network, as per the snapshot below: it is a site that guides and introduces jobs for female workers, and that site has an infection of the obfuscated code of...


Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by...

MalwareMustDie, NPO, during its research activities, follows the process of suspending malicious domains as an important milestone in the malware-fighting steps. It is also publicly releasing some of...


#Alert! #Facebook scam emails that will lead you to #Blackhole EK...

Note: I wrote this post as a quick note to raise awareness of this threat, as a warning for users and also to be used as a verdict for shutdown purposes, so I am sorry if you do not find any deep analysis...


"You hacked.. We cracked & You're doomed!" - An IR adventure of an abused "WP...

"I dedicate this post to our members visiting BlackHat & Def Con 2013, who are helping to present our group in the security community, with deep regret that I could not make it there, no...


The result on 48hours+ in battle with Kelihos < request for FURTHER...

This post is dedicated to many.. so many wonderful individuals involved in the effort to stand against the Kelihos P2P malware infection. This is an example of WHAT CAN BE DONE if InfoSec people are gathered...


How Greedy Cyber Scums are.. Leaked Spam Plan & Triple Payload Hits of "Syria...

We were in good undercover coordination on fighting a comeback botnet (still on it -->HERE) when we spotted this threat. It's related to a recent event and malvertisement, so I thought it better to...


302-Redirector - A (new?) "Cushion Attack", an Attempt to Evade IDS/IPS...

This is a quick post on a currently ongoing web-driven malicious traffic redirection threat with a high possibility of malware infection. I was supervising some surveillance operations for one and a...


...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!)

This is a straight-to-the-point post; for ZeroAccess reference there were previous posts -->HERE and -->HERE. Please bear with me, for I will not include the previously exposed details. Background. Again, do...



KINS? No! PowerZeuS, yes! Source Code for View & Download

Background. It was finally announced publicly on social media TODAY that the leaked source code of (updated) what we thought was KINS (/updated) was publicly exposed. We found out later on in the...


Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin

In reversing malware we have to deal with code and its behavior, thinking backwards, connecting logic on the collected data to figure out how the malicious scheme works. This case is rather unusual; we...


A Disclosure of What's Behind the #w00tw00t Attack

Background.. Not so long ago this attack came into our web server: #MalwareMustDie! The 1st attack attempt against our new server was by "Romanian AntiSec" from a China IP < BIG #FAIL! :-)...


How bad an IP's Reputation can be? A story of: 31.170.179.179 & 62.116.143.18...

Many people often ask me "Can we trust malicious IP reports?", and I always answer: "Hell, yes!", because behind those reports there are dedicated researchers working hard at proving their...


RunForrestRun DGA (is alive!!) at 91.233.244.102 (Old Evil Code Come Back...

I was mentioned by our friend for the detected RunForrestRun DGA obfuscation code, as per the tweet below (Thanks for the notification, Bart!): Guess who's back... "RunForestRun"...
