Publications

LinkPro: eBPF rootkit analysis

14/10/2025 During a digital investigation related to the compromise of an AWS-hosted infrastructure, a stealthy backdoor targeting GNU/Linux systems was discovered. This backdoor features functionalities relying on the installation of two eBPF modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a "magic packet". This article details the capabilities of this rootkit and presents the infection chain observed in this case, which allowed its installation on several nodes of an AWS EKS environment...

Open-source toolset of an Ivanti CSA attacker

12/05/2025 In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools, their functionalities and discusses efficient detection capabilities.

Case Study: How Hunters International and friends target your hypervisors

05/03/2025 Hunters International is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2023, after acquiring the source code and infrastructure of the late Hive ransomware group. Today, according to publicly available statistics, Hunters International and its affiliates have 'hunted' at least 280 organizations, exfiltrating or encrypting data (or both). This article will describe their capabilities in a ransomware case we encountered, with a focus on the large-scale deployment of a VMWare ESXi encryptor.

Forensic analysis of bitwarden self-hosted server

14/10/2024 Bitwarden is a popular password managing software. Being open-source, it offers self-hosting capabilities with ease of use in a controlled office or home environment. Attackers might prioritize targeting this application given the secrets it usually stores. In this article, we will deep dive into the internals of Bitwarden, how it stores encrypted data, and what information is available to whomever controls the server.

Using Veeam metadata for efficient extraction of Backup artefacts (2/3)

30/08/2024 In a previous blogpost, we explored Veeam Backup & Replication's "backup chain metadata" files and how to parse them in a comprehensive Velociraptor artifact. In this article, we complement our findings with metadata embedded directly in VBR's Storage files. Then, we create a Velociraptor pipeline to remotely access relevant forensic artefacts in backed up data. This aims to enable DFIR analysts to extend the time horizon in their investigations using Veeam backups and Velociraptor, while minimizing network bandwidth usage and ext...

LAPSUS$ is dead, long live HexaLocker?

18/08/2024 The LAPSUS$ threat group has been known since 2021 for spear phishing, data theft, and extortion against large companies (e.g., Microsoft, Nvidia, Uber). Although evidence of destruction methods was reported, there was no known use of ransomware. In June 2024, LAPSUS$ announced its closure. However, two months later, a new ransomware called HexaLocker was advertised on Telegram channels. Its "only real" admin and probable developer is ZZART3XX, one of the LAPSUS$ administrators. This article will dissect the HexaLocker ransomware samp...

VMware ESXi Forensic with Velociraptor

28/03/2024 If you are a regular Velociraptor user, you'll no doubt have noticed the introduction of new features since release 0.7.1 that extend its forensic capabilities on various systems. If not, this article will show you how to leverage those new features in order to perform forensic analysis of a VMware ESXi hypervisor.

Using Veeam metadata for efficient extraction of Backup artefacts (1/3)

08/02/2024 Veeam Backup & Replication is a widely-used software suite for creating and managing backups of virtual, physical and cloud machines. In a remote incident response, where efficient data access is key, Veeam metadata files can be used to list and search for Backup objects. This article explores the structure of Veeam metadata and how to use a Velociraptor artifact to restructure this data.

KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises

29/01/2024 On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads ...

Legitimate exfiltration tools : summary and detection for incident response and threat hunting

27/09/2023 Legitimate data transfer tools are more and more used by threat actors. During our incident response engagements, we often see the use of several administration tools, including tools for transferring data to SFTP servers or directly to the cloud. These are widely used by attackers as means of exfiltration. The issue of exfiltrated data is one of the most important and hardest topic in the case of ransomware incidents. As the subject has already been widely covered, the aim of this article is to centralize the traces left by most com...