Elastic Security Labs
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title>Elastic Security Labs</title><meta name="description" content="Elastic Security Labs empowers security teams across the globe with novel security intelligence research and free to use tools."/><meta property="og:title" content="Elastic Security Labs"/><meta property="og:description" content="Elastic Security Labs empowers security teams across the globe with novel security intelligence research and free to use tools."/><meta property="og:image" content="https://www.elastic.co/security-labs/assets/security-labs-thumbnail.png?85af19b3d10a7949f9b98b54be5f21f1"/><meta property="og:image:alt" content="Elastic Security Labs empowers security teams across the globe with novel security intelligence research and free to use tools."/><meta property="og:site_name"/><meta property="og:url" content="https://www.elastic.co/security-labs/"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Elastic Security Labs"/><meta name="twitter:description" content="Elastic Security Labs empowers security teams across the globe with novel security intelligence research and free to use tools."/><meta name="twitter:image" content="https://www.elastic.co/security-labs/assets/security-labs-thumbnail.png?85af19b3d10a7949f9b98b54be5f21f1"/><meta name="twitter:image:alt" content="Elastic Security Labs empowers security teams across the globe with novel security intelligence research and free to use tools."/><link rel="canonical" href="https://www.elastic.co/security-labs/"/><link rel="preload" href="/security-labs/logo.svg" as="image" fetchpriority="high"/><link rel="preload" as="image" imageSrcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=640&q=75 640w, 
/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=750&q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=828&q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=1080&q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=1200&q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=1920&q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=2048&q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=3840&q=75 3840w" imageSizes="100vw" fetchpriority="high"/><meta name="next-head-count" content="19"/><script src="https://play.vidyard.com/embed/v4.js" type="text/javascript" async=""></script><link rel="icon" href="/security-labs/favicon.svg"/><link rel="mask-icon" href="/security-labs/favicon.svg" color="#1C1E23"/><link rel="apple-touch-icon" href="/security-labs/favicon.svg"/><meta name="theme-color" content="#1C1E23"/><link rel="preload" href="/security-labs/_next/static/media/6d93bde91c0c2823-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/a34f9d1faa5f3315-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/369c6e283c5acc6e-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/92f44bb82993d879-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link 
rel="preload" href="/security-labs/_next/static/media/ee71530a747ff30b-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/9fac010bc1f02be0-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/cbf5fbad4d73afac-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><script id="google-tag-manager" data-nscript="beforeInteractive"> (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KNJMG2M'); </script><link rel="preload" href="/security-labs/_next/static/css/265ed7605fd03477.css" as="style"/><link rel="stylesheet" href="/security-labs/_next/static/css/265ed7605fd03477.css" data-n-g=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/security-labs/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/security-labs/_next/static/chunks/webpack-7987c6fda769d510.js" defer=""></script><script src="/security-labs/_next/static/chunks/framework-7a7e500878b44665.js" defer=""></script><script src="/security-labs/_next/static/chunks/main-ebd33a9f1cae5951.js" defer=""></script><script src="/security-labs/_next/static/chunks/pages/_app-cb8664d1d3df2511.js" defer=""></script><script src="/security-labs/_next/static/chunks/fec483df-43ee602fabdfe3a4.js" defer=""></script><script src="/security-labs/_next/static/chunks/877-34f408271ef44c22.js" defer=""></script><script src="/security-labs/_next/static/chunks/511-d08fe0fdd6f8a984.js" defer=""></script><script src="/security-labs/_next/static/chunks/402-6099969c8d0667dd.js" 
defer=""></script><script src="/security-labs/_next/static/chunks/616-0b017b9cfa597392.js" defer=""></script><script src="/security-labs/_next/static/chunks/pages/index-8f2c4d6b113fab6a.js" defer=""></script><script src="/security-labs/_next/static/zgtdq_G6IdLL0e41oqL5l/_buildManifest.js" defer=""></script><script src="/security-labs/_next/static/zgtdq_G6IdLL0e41oqL5l/_ssgManifest.js" defer=""></script></head><body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript><div id="__next"><main class="__variable_0351a5 __variable_1f211e __variable_a5b5f5 flex flex-col min-h-screen"><div class="scroll-percentage-container invisible"><div class="scroll-percentage-bar" style="width:0%"></div></div><nav class="fixed w-full z-40" data-headlessui-state=""><div class="bg-gradient-to-b from-zinc-900 from-20% h-[200%] to-transparent absolute inset-0 z-0 pointer-events-none"></div><div class="container relative z-10"><div class="flex h-16 items-center justify-between"><div class="flex items-center justify-start w-full"><div><a class="hover:opacity-50 transition" href="/security-labs"><img alt="elastic security labs logo" fetchpriority="high" width="200" height="30" decoding="async" data-nimg="1" style="color:transparent" src="/security-labs/logo.svg"/></a></div><div class="hidden lg:ml-6 lg:block"><div class="flex space-x-4"><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/about"><span>About</span></a><div class="relative" data-headlessui-state=""><div><button class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" id="headlessui-menu-button-:R2kpm:" type="button" 
aria-haspopup="menu" aria-expanded="false" data-headlessui-state="">Topics<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true" class="ml-1 -mr-1 h-4 w-4 text-zinc-400 relative top-[1px]"><path fill-rule="evenodd" d="M5.23 7.21a.75.75 0 011.06.02L10 11.168l3.71-3.938a.75.75 0 111.08 1.04l-4.25 4.5a.75.75 0 01-1.08 0l-4.25-4.5a.75.75 0 01.02-1.06z" clip-rule="evenodd"></path></svg></button></div></div><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/vulnerability-updates"><span>Vulnerability updates</span></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/reports"><span>Reports</span></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/tools"><span>Tools</span></a></div></div><div class="hidden lg:ml-auto lg:block"><div class="flex items-center space-x-4"><a class="rounded flex items-center p-4 text-white focus:outline-none focus:ring-0 focus:ring-offset-1 focus:ring-offset-zinc-600 group" href="https://search.elastic.co/?location%5B0%5D=Security%20Labs&referrer=https://www.elastic.co/security-labs/"><div class="flex items-center relative font-display"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-5.197-5.197m0 0A7.5 7.5 0 105.196 5.196a7.5 7.5 0 0010.607 10.607z"></path></svg></div></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 
font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="https://www.elastic.co/security-labs/rss/feed.xml"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true" class="h-4 w-4 mr-1"><path d="M3.75 3a.75.75 0 00-.75.75v.5c0 .414.336.75.75.75H4c6.075 0 11 4.925 11 11v.25c0 .414.336.75.75.75h.5a.75.75 0 00.75-.75V16C17 8.82 11.18 3 4 3h-.25z"></path><path d="M3 8.75A.75.75 0 013.75 8H4a8 8 0 018 8v.25a.75.75 0 01-.75.75h-.5a.75.75 0 01-.75-.75V16a6 6 0 00-6-6h-.25A.75.75 0 013 9.25v-.5zM7 15a2 2 0 11-4 0 2 2 0 014 0z"></path></svg><span class="hidden xl:block">Subscribe</span></a><a class="font-display inline-flex items-center justify-center rounded font-semibold disabled:!select-none disabled:!bg-gray-400 bg-blue-600 text-white hover:bg-blue-500 enabled:hover:text-white/80 transition-colors px-4 py-2 text-sm flex-1 lg:flex-auto" href="https://cloud.elastic.co/registration?cta=cloud-registration&tech=trial&plcmt=navigation&pg=security-labs">Start free trial</a><a class="font-display inline-flex items-center justify-center rounded font-semibold text-white disabled:!select-none disabled:!bg-gray-400 button px-4 py-2 text-sm flex-1 lg:flex-auto" href="https://www.elastic.co/contact">Contact sales</a></div></div></div><div class="-mr-2 flex lg:hidden"><a class="rounded flex items-center p-4 text-white focus:outline-none focus:ring-0 focus:ring-offset-1 focus:ring-offset-zinc-600 group" href="https://search.elastic.co/?location%5B0%5D=Security%20Labs&referrer=https://www.elastic.co/security-labs/"><div class="flex items-center relative font-display"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-5.197-5.197m0 0A7.5 7.5 0 105.196 5.196a7.5 7.5 0 0010.607 
10.607z"></path></svg></div></a><button class="inline-flex items-center justify-center rounded-md p-2 text-gray-400 hover:bg-gray-700 hover:text-white focus:outline-none focus:ring-2 focus:ring-inset focus:ring-white" id="headlessui-disclosure-button-:R59m:" type="button" aria-expanded="false" data-headlessui-state=""><span class="sr-only">Open navigation menu</span><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="block h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5"></path></svg></button></div></div></div></nav><main class="mb-20 flex-1 flex flex-col"><div class="h-64 md:h-96"><div class="after:absolute after:block after:bg-blue-400 after:blur-3xl after:content-[' '] after:h-96 after:opacity-5 after:right-0 after:rounded-full after:top-20 after:w-1/2 after:z-0 before:absolute before:block before:blur-3xl before:bg-orange-400 before:content-[' '] before:h-96 before:left-0 before:opacity-5 before:rounded-full before:w-1/2 before:z-0 w-full h-full relative"><div class="relative z-10 w-full h-[125%] -top-[25%] bg-no-repeat bg-cover bg-bottom flex items-center justify-center" style="background-image:url(/security-labs/grid.svg)"><h1 class="font-bold leading-tighter text-3xl md:text-5xl text-center max-w-3xl pt-8">Primary threat research from Elastic Security Labs</h1></div></div></div><div class="container grid xl:grid-cols-3 mb-8 lg:mb-20 gap-8 items-center relative z-10"><div class="xl:col-span-2"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 sm:p-8 md:p-10 rounded-3xl"><div class="flex flex-col-reverse justify-between"><div class="flex flex-col justify-between max-w-xl mt-10 pr-10"><div><h4 class="font-bold leading-tight text-lg md:text-2xl mb-3">1 October 2024</h4><h2 class="font-bold text-2xl md:text-4xl mb-5"><a class="hover:text-blue-400 transition" 
href="/security-labs/elastic-publishes-2024-gtr">Elastic publishes 2024 Global Threat Report</a></h2></div><p class="text-sm md:text-base text-zinc-400">Elastic Security Labs has released the 2024 Elastic Global Threat Report, surfacing the most pressing threats, trends, and recommendations to help keep organizations safe for the upcoming year.</p></div><div class="w-full max-w-full"><a href="/security-labs/elastic-publishes-2024-gtr"><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="Elastic publishes 2024 Global Threat Report" fetchpriority="high" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=640&q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=750&q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=828&q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=1080&q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=1200&q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=1920&q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=2048&q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=3840&q=75 3840w" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-publishes-2024-gtr%2F2024-gtr.png&w=3840&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg 
z-10"></div></div></a></div></div></div></div><div class="col-span-1 flex flex-col gap-4"><div class="flex flex-col space-4"><div class="pb-2 mb-4 border-b border-b-zinc-700"><h2 class="text-xl font-semibold">Featured</h2></div><div class="flex flex-col space-y-4"><a href="/security-labs/abyssworker"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 md:p-2 sm:p-4 md:px-6 md:py-4 rounded-xl hover:bg-zing-950 transition group"><div class="flex flex-col-reverse md:grid md:grid-cols-3 gap-4 items-center"><div class="flex flex-col space-y-1 md:col-span-2"><span class="font-semibold mb-1 group-hover:text-blue-400 transition">Shedding light on the ABYSSWORKER driver</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">by <!-- -->Cyril François</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">20 March 2025</span></div><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="Shedding light on the ABYSSWORKER driver" loading="lazy" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=640&q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=750&q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=828&q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=1080&q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=1200&q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=1920&q=75 1920w, 
/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=2048&q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=3840&q=75 3840w" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=3840&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div></div></div></a><a href="/security-labs/aws-sns-abuse"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 md:p-2 sm:p-4 md:px-6 md:py-4 rounded-xl hover:bg-zing-950 transition group"><div class="flex flex-col-reverse md:grid md:grid-cols-3 gap-4 items-center"><div class="flex flex-col space-y-1 md:col-span-2"><span class="font-semibold mb-1 group-hover:text-blue-400 transition">AWS SNS Abuse: Data Exfiltration and Phishing</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">by <!-- -->Terrance DeJesus</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">13 March 2025</span></div><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="AWS SNS Abuse: Data Exfiltration and Phishing" loading="lazy" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=640&q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=750&q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=828&q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=1080&q=75 1080w, 
/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=1200&q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=1920&q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=2048&q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=3840&q=75 3840w" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=3840&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div></div></div></a><a href="/security-labs/detecting-hotkey-based-keyloggers"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 md:p-2 sm:p-4 md:px-6 md:py-4 rounded-xl hover:bg-zing-950 transition group"><div class="flex flex-col-reverse md:grid md:grid-cols-3 gap-4 items-center"><div class="flex flex-col space-y-1 md:col-span-2"><span class="font-semibold mb-1 group-hover:text-blue-400 transition">Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">by <!-- -->Asuka Nakajima</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">4 March 2025</span></div><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure" loading="lazy" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=640&q=75 640w, 
/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=750&q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=828&q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=1080&q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=1200&q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=1920&q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=2048&q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=3840&q=75 3840w" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=3840&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div></div></div></a><a href="/security-labs/the-grand-finale-on-linux-persistence"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 md:p-2 sm:p-4 md:px-6 md:py-4 rounded-xl hover:bg-zing-950 transition group"><div class="flex flex-col-reverse md:grid md:grid-cols-3 gap-4 items-center"><div class="flex flex-col space-y-1 md:col-span-2"><span class="font-semibold mb-1 group-hover:text-blue-400 transition">Linux Detection Engineering - The Grand Finale on Linux Persistence</span><span class="text-zinc-400 group-hover:text-zinc-300 text-sm">by <!-- -->Ruben Groenewoud</span><span class="text-zinc-400 group-hover:text-zinc-300 
text-sm">27 February 2025</span></div><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="Linux Detection Engineering - The Grand Finale on Linux Persistence" loading="lazy" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=640&q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=750&q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=828&q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=1080&q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=1200&q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=1920&q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=2048&q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=3840&q=75 3840w" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=3840&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div></div></div></a></div></div><a class="flex justify-center 
items-center font-medium gap-2 py-4 px-6 rounded bg-blue-600 hover:bg-blue-500 hover:text-white" href="https://twitter.com/elasticseclabs"><svg class="w-4 h-4" viewBox="0 0 24 24"><path fill="currentColor" d="M23.954 4.569c-.885.389-1.83.653-2.825.772a4.98 4.98 0 002.187-2.746 9.955 9.955 0 01-3.157 1.204 4.98 4.98 0 00-8.49 4.54A14.128 14.128 0 011.69 3.05a4.98 4.98 0 001.54 6.638A4.94 4.94 0 011.2 8.62v.06a4.98 4.98 0 004 4.87 4.94 4.94 0 01-2.24.086 4.98 4.98 0 004.64 3.45A9.97 9.97 0 010 20.35a14.075 14.075 0 007.59 2.22c9.16 0 14.17-7.583 14.17-14.17 0-.217-.005-.434-.015-.65a10.128 10.128 0 002.485-2.58l-.001-.001z"></path></svg><span>Follow Elastic Security Labs on Twitter</span></a><a target="_blank" class="flex justify-center items-center font-medium gap-2 py-4 px-6 rounded bg-zinc-900 border border-white/20 hover:bg-zinc-700 hover:border-zinc-700 hover:text-white" href="https://www.elastic.co/elastic-security-labs/newsletter?utm_source=security-labs"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="w-5 h-5"><path stroke-linecap="round" stroke-linejoin="round" d="M21.75 6.75v10.5a2.25 2.25 0 01-2.25 2.25h-15a2.25 2.25 0 01-2.25-2.25V6.75m19.5 0A2.25 2.25 0 0019.5 4.5h-15a2.25 2.25 0 00-2.25 2.25m19.5 0v.243a2.25 2.25 0 01-1.07 1.916l-7.5 4.615a2.25 2.25 0 01-2.36 0L3.32 8.91a2.25 2.25 0 01-1.07-1.916V6.75"></path></svg><span>Subscribe to the newsletter</span></a></div></div><div class="container"><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">Security Research</h2><a class="button" href="/security-labs/topics/security-research">View all</a></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/aws-sns-abuse"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="AWS SNS Abuse: Data Exfiltration and Phishing" 
loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faws-sns-abuse%2FSecurity%20Labs%20Images%207.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">13 March 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">AWS SNS Abuse: Data Exfiltration and Phishing</h3><p class="text-sm text-zinc-400">During a recent internal collaboration, we dug into publicly known SNS abuse attempts and our knowledge of the data source to develop detection capabilities.</p></div></a><a href="/security-labs/detecting-hotkey-based-keyloggers"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdetecting-hotkey-based-keyloggers%2FSecurity%20Labs%20Images%2012.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">4 March 2025</time><h3 class="font-bold 
leading-tight text-xl md:text-3xl mb-2">Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure</h3><p class="text-sm text-zinc-400">In this article, we explore what hotkey-based keyloggers are and how to detect them. Specifically, we explain how these keyloggers intercept keystrokes, then present a detection technique that leverages an undocumented hotkey table in kernel space.</p></div></a><a href="/security-labs/the-grand-finale-on-linux-persistence"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Linux Detection Engineering - The Grand Finale on Linux Persistence" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fthe-grand-finale-on-linux-persistence%2FSecurity%20Labs%20Images%205.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">27 February 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Linux Detection Engineering - The Grand Finale on Linux Persistence</h3><p class="text-sm text-zinc-400">By the end of this series, you'll have a robust knowledge of both common and rare Linux persistence techniques; and you'll understand how to effectively engineer detections for common and advanced adversary capabilities.</p></div></a><a href="/security-labs/emulating-aws-s3-sse-c"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Emulating AWS S3 SSE-C Ransom for Threat 
Detection" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Femulating-aws-s3-sse-c%2FSecurity%20Labs%20Images%2011.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Femulating-aws-s3-sse-c%2FSecurity%20Labs%20Images%2011.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Femulating-aws-s3-sse-c%2FSecurity%20Labs%20Images%2011.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">20 February 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Emulating AWS S3 SSE-C Ransom for Threat Detection</h3><p class="text-sm text-zinc-400">In this article, we’ll explore how threat actors leverage Amazon S3’s Server-Side Encryption with Customer-Provided Keys (SSE-C) for ransom/extortion operations.</p></div></a></div><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">Malware Analysis</h2><a class="button" href="/security-labs/topics/malware-analysis">View all</a></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/abyssworker"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Shedding light on the ABYSSWORKER driver" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fabyssworker%2Fabyssworker.jpg&w=828&q=75"/><div 
class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">20 March 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Shedding light on the ABYSSWORKER driver</h3><p class="text-sm text-zinc-400">Elastic Security Labs describes ABYSSWORKER, a malicious driver used with the MEDUSA ransomware attack-chain to disable anti-malware tools.</p></div></a><a href="/security-labs/finaldraft"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="You've Got Malware: FINALDRAFT Hides in Your Drafts" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ffinaldraft%2FSecurity%20Labs%20Images%2013.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ffinaldraft%2FSecurity%20Labs%20Images%2013.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ffinaldraft%2FSecurity%20Labs%20Images%2013.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">13 February 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">You've Got Malware: FINALDRAFT Hides in Your Drafts</h3><p class="text-sm text-zinc-400">During a recent investigation (REF7707), Elastic Security Labs discovered new malware targeting a foreign ministry. 
The malware includes a custom loader and backdoor with many features including using Microsoft’s Graph API for C2 communications.</p></div></a><a href="/security-labs/under-the-sadbridge-with-gosar"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Funder-the-sadbridge-with-gosar%2FSecurity%20Labs%20Images%2021.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Funder-the-sadbridge-with-gosar%2FSecurity%20Labs%20Images%2021.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Funder-the-sadbridge-with-gosar%2FSecurity%20Labs%20Images%2021.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">13 December 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite</h3><p class="text-sm text-zinc-400">Elastic Security Labs shares details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.</p></div></a><a href="/security-labs/declawing-pumakit"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Declawing PUMAKIT" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdeclawing-pumakit%2Fpumakit.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdeclawing-pumakit%2Fpumakit.jpg&w=828&q=75 2x" 
src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdeclawing-pumakit%2Fpumakit.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">12 December 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Declawing PUMAKIT</h3><p class="text-sm text-zinc-400">PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.</p></div></a></div><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">Campaigns</h2><a class="button" href="/security-labs/topics/campaigns">View all</a></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/fragile-web-ref7707"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="From South America to Southeast Asia: The Fragile Web of REF7707" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ffragile-web-ref7707%2Fref7707.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ffragile-web-ref7707%2Fref7707.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ffragile-web-ref7707%2Fref7707.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">13 February 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">From South America to Southeast Asia: The Fragile Web of REF7707</h3><p class="text-sm text-zinc-400">REF7707 targeted a South American foreign ministry using novel malware families. 
Inconsistent evasion tactics and operational security missteps exposed additional adversary-owned infrastructure.</p></div></a><a href="/security-labs/pikabot-i-choose-you"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="PIKABOT, I choose you!" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fpikabot-i-choose-you%2Fphoto-edited-02.png&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fpikabot-i-choose-you%2Fphoto-edited-02.png&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fpikabot-i-choose-you%2Fphoto-edited-02.png&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">24 February 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">PIKABOT, I choose you!</h3><p class="text-sm text-zinc-400">Elastic Security Labs observed new PIKABOT campaigns, including an updated version. 
PIKABOT is a widely deployed loader malicious actors utilize to distribute additional payloads.</p></div></a><a href="/security-labs/inital-research-of-jokerspy"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Initial research exposing JOKERSPY" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finital-research-of-jokerspy%2Fphoto-edited-04%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finital-research-of-jokerspy%2Fphoto-edited-04%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finital-research-of-jokerspy%2Fphoto-edited-04%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">21 June 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Initial research exposing JOKERSPY</h3><p class="text-sm text-zinc-400">Explore JOKERSPY, a recently discovered campaign that targets financial institutions with Python backdoors. 
This article covers reconnaissance, attack patterns, and methods of identifying JOKERSPY in your network.</p></div></a><a href="/security-labs/elastic-charms-spectralviper"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Elastic charms SPECTRALVIPER" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-charms-spectralviper%2Fphoto-edited-10%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-charms-spectralviper%2Fphoto-edited-10%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-charms-spectralviper%2Fphoto-edited-10%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">9 June 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Elastic charms SPECTRALVIPER</h3><p class="text-sm text-zinc-400">Elastic Security Labs has discovered the P8LOADER, POWERSEAL, and SPECTRALVIPER malware families targeting a national Vietnamese agribusiness. 
REF2754 shares malware and motivational elements of the REF4322 and APT32 activity groups.</p></div></a></div><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">Groups & Tactics</h2><a class="button" href="/security-labs/topics/groups-and-tactics">View all</a></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/betting-on-bots"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbetting-on-bots%2Fbetting-on-bots.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbetting-on-bots%2Fbetting-on-bots.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbetting-on-bots%2Fbetting-on-bots.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">27 September 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse</h3><p class="text-sm text-zinc-400">The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.</p></div></a><a href="/security-labs/dprk-code-of-conduct"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Code of Conduct: DPRK’s Python-fueled intrusions into secured networks" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" 
style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdprk-code-of-conduct%2Fdprk-code-of-conduct.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdprk-code-of-conduct%2Fdprk-code-of-conduct.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fdprk-code-of-conduct%2Fdprk-code-of-conduct.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">18 September 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Code of Conduct: DPRK’s Python-fueled intrusions into secured networks</h3><p class="text-sm text-zinc-400">Investigating the DPRK’s strategic use of Python and carefully crafted social engineering, this publication sheds light on how they breach highly secure networks with evolving and effective cyber attacks.</p></div></a><a href="/security-labs/grimresource"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="GrimResource - Microsoft Management Console for initial access and evasion" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fgrimresource%2Fgrimresource.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fgrimresource%2Fgrimresource.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fgrimresource%2Fgrimresource.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">22 June 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">GrimResource - Microsoft Management Console for initial access and evasion</h3><p class="text-sm text-zinc-400">Elastic 
researchers uncovered a new technique, GrimResource, which allows full code execution via specially crafted MSC files. It underscores a trend of well-resourced attackers favoring innovative initial access methods to evade defenses.</p></div></a><a href="/security-labs/invisible-miners-unveiling-ghostengine"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Invisible miners: unveiling GHOSTENGINE’s crypto mining operations" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finvisible-miners-unveiling-ghostengine%2Fghostengine.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finvisible-miners-unveiling-ghostengine%2Fghostengine.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finvisible-miners-unveiling-ghostengine%2Fghostengine.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">22 May 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Invisible miners: unveiling GHOSTENGINE’s crypto mining operations</h3><p class="text-sm text-zinc-400">Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining.</p></div></a></div><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">Perspectives</h2></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/winvisor-hypervisor-based-emulator"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="WinVisor – A hypervisor-based emulator for Windows x64 user-mode 
executables" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fwinvisor-hypervisor-based-emulator%2Fwinvisor.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fwinvisor-hypervisor-based-emulator%2Fwinvisor.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fwinvisor-hypervisor-based-emulator%2Fwinvisor.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">24 January 2025</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables</h3><p class="text-sm text-zinc-400">WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.</p></div></a><a href="/security-labs/storm-on-the-horizon"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Storm on the Horizon: Inside the AJCloud IoT Ecosystem" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fstorm-on-the-horizon%2Fstorm-on-the-horizon.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fstorm-on-the-horizon%2Fstorm-on-the-horizon.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fstorm-on-the-horizon%2Fstorm-on-the-horizon.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">20 September 2024</time><h3 
class="font-bold leading-tight text-xl md:text-3xl mb-2">Storm on the Horizon: Inside the AJCloud IoT Ecosystem</h3><p class="text-sm text-zinc-400">Wi-Fi cameras are popular due to their affordability and convenience but often have security vulnerabilities that can be exploited.</p></div></a><a href="/security-labs/kernel-etw-best-etw"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Kernel ETW is the best ETW" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fkernel-etw-best-etw%2Fkernel-etw-best-etw.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fkernel-etw-best-etw%2Fkernel-etw-best-etw.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fkernel-etw-best-etw%2Fkernel-etw-best-etw.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">13 September 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Kernel ETW is the best ETW</h3><p class="text-sm text-zinc-400">This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.</p></div></a><a href="/security-labs/forget-vulnerable-drivers-admin-is-all-you-need"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Forget vulnerable drivers - Admin is all you need" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fforget-vulnerable-drivers-admin-is-all-you-need%2Fphoto-edited-09%402x.jpg&w=640&q=75 1x, 
/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fforget-vulnerable-drivers-admin-is-all-you-need%2Fphoto-edited-09%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fforget-vulnerable-drivers-admin-is-all-you-need%2Fphoto-edited-09%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">25 August 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Forget vulnerable drivers - Admin is all you need</h3><p class="text-sm text-zinc-400">Bring Your Own Vulnerable Driver (BYOVD) is an increasingly popular attacker technique whereby a threat actor brings a known-vulnerable signed driver alongside their malware, loads it into the kernel, then exploits it to perform some action within the kernel that they would not otherwise be able to do. Employed by advanced threat actors for over a decade, BYOVD is becoming increasingly common in ransomware and commodity malware.</p></div></a></div><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">GenerativeAI</h2><a class="button" href="/security-labs/topics/generative-ai">View all</a></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/elastic-advances-llm-security"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Elastic Advances LLM Security with Standardized Fields and Integrations" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-advances-llm-security%2FSecurity%20Labs%20Images%204.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-advances-llm-security%2FSecurity%20Labs%20Images%204.jpg&w=828&q=75 
2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Felastic-advances-llm-security%2FSecurity%20Labs%20Images%204.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">6 May 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Elastic Advances LLM Security with Standardized Fields and Integrations</h3><p class="text-sm text-zinc-400">Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.</p></div></a><a href="/security-labs/embedding-security-in-llm-workflows"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Embedding Security in LLM Workflows: Elastic's Proactive Approach" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fembedding-security-in-llm-workflows%2FSecurity%20Labs%20Images%205.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fembedding-security-in-llm-workflows%2FSecurity%20Labs%20Images%205.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fembedding-security-in-llm-workflows%2FSecurity%20Labs%20Images%205.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">25 April 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Embedding Security in LLM Workflows: Elastic's Proactive Approach</h3><p class="text-sm text-zinc-400">Dive into Elastic's exploration of embedding security directly within Large Language Models (LLMs). 
Discover our strategies for detecting and mitigating several of the top OWASP vulnerabilities in LLM applications, ensuring safer and more secure AI-driven applications.</p></div></a><a href="/security-labs/accelerating-elastic-detection-tradecraft-with-llms"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Accelerating Elastic detection tradecraft with LLMs" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faccelerating-elastic-detection-tradecraft-with-llms%2Fphoto-edited-09%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faccelerating-elastic-detection-tradecraft-with-llms%2Fphoto-edited-09%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Faccelerating-elastic-detection-tradecraft-with-llms%2Fphoto-edited-09%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">29 September 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Accelerating Elastic detection tradecraft with LLMs</h3><p class="text-sm text-zinc-400">Learn more about how Elastic Security Labs has been focused on accelerating our detection engineering workflows by tapping into more generative AI capabilities.</p></div></a><a href="/security-labs/using-llms-and-esre-to-find-similar-user-sessions"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Using LLMs and ESRE to find similar user sessions" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" 
srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fusing-llms-and-esre-to-find-similar-user-sessions%2Fphoto-edited-03%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fusing-llms-and-esre-to-find-similar-user-sessions%2Fphoto-edited-03%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fusing-llms-and-esre-to-find-similar-user-sessions%2Fphoto-edited-03%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">19 September 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Using LLMs and ESRE to find similar user sessions</h3><p class="text-sm text-zinc-400">In our previous article, we explored using the GPT-4 Large Language Model (LLM) to condense Linux user sessions. In the context of the same experiment, we dedicated some time to examine sessions that shared similarities. 
These similar sessions can subsequently aid the analysts in identifying related suspicious activities.</p></div></a></div><div class="flex flex-col sm:flex-row items-center justify-between my-10"><h2 class="font-bold text-2xl md:text-4xl mb-5 sm:mb-0">Tools</h2><a class="button" href="/security-labs/topics/tools">View all</a></div><div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-8"><a href="/security-labs/stixy-situations-ecsaping-your-threat-data"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="STIXy Situations: ECSaping your threat data" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fstixy-situations-ecsaping-your-threat-data%2Fphoto-edited-07%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fstixy-situations-ecsaping-your-threat-data%2Fphoto-edited-07%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fstixy-situations-ecsaping-your-threat-data%2Fphoto-edited-07%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">9 February 2024</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">STIXy Situations: ECSaping your threat data</h3><p class="text-sm text-zinc-400">Structured threat data is commonly formatted using STIX. 
To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.</p></div></a><a href="/security-labs/into-the-weeds-how-we-run-detonate"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Into The Weeds: How We Run Detonate" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finto-the-weeds-how-we-run-detonate%2Fphoto-edited-02%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finto-the-weeds-how-we-run-detonate%2Fphoto-edited-02%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Finto-the-weeds-how-we-run-detonate%2Fphoto-edited-02%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">13 June 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Into The Weeds: How We Run Detonate</h3><p class="text-sm text-zinc-400">Explore the technical implementation of the Detonate system, including sandbox creation, the supporting technology, telemetry collection, and how to blow stuff up.</p></div></a><a href="/security-labs/click-click-boom-automating-protections-testing-with-detonate"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Click, Click… Boom! 
Automating Protections Testing with Detonate" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fclick-click-boom-automating-protections-testing-with-detonate%2Fblog-thumb-tools-various.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fclick-click-boom-automating-protections-testing-with-detonate%2Fblog-thumb-tools-various.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fclick-click-boom-automating-protections-testing-with-detonate%2Fblog-thumb-tools-various.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div><time class="mb-2 mt-5 eyebrow">4 May 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Click, Click… Boom! Automating Protections Testing with Detonate</h3><p class="text-sm text-zinc-400">To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.</p></div></a><a href="/security-labs/unpacking-icedid"><div class="flex flex-col space-4"><div class="relative w-full rounded-lg overflow-hidden"><img alt="Unpacking ICEDID" loading="lazy" width="400" height="300" decoding="async" data-nimg="1" class="object-cover" style="color:transparent" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Funpacking-icedid%2Fphoto-edited-07%402x.jpg&w=640&q=75 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Funpacking-icedid%2Fphoto-edited-07%402x.jpg&w=828&q=75 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Funpacking-icedid%2Fphoto-edited-07%402x.jpg&w=828&q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg 
z-10"></div></div><time class="mb-2 mt-5 eyebrow">4 May 2023</time><h3 class="font-bold leading-tight text-xl md:text-3xl mb-2">Unpacking ICEDID</h3><p class="text-sm text-zinc-400">ICEDID is known to pack its payloads using custom file formats and a custom encryption scheme. We are releasing a set of tools to automate the unpacking process and help analysts and the community respond to ICEDID.</p></div></a></div></div></main><footer class="mt-auto text-xs md:text-sm"><div class="container py-6 flex flex-col md:flex-row gap-2 md:gap-0 justify-between items-center"><div class="text-zinc-300"><nav><ul class="flex space-x-4"><li><a class="hover:text-white font-medium" href="/security-labs/sitemap.xml">Sitemap</a></li><li><a class="hover:text-white font-medium flex items-center space-x-1" href="https://elastic.co?utm_source=elastic-search-labs&utm_medium=referral&utm_campaign=search-labs&utm_content=footer"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="inline-block w-3 h-3"><path stroke-linecap="round" stroke-linejoin="round" d="M13.5 6H5.25A2.25 2.25 0 003 8.25v10.5A2.25 2.25 0 005.25 21h10.5A2.25 2.25 0 0018 18.75V10.5m-10.5 6L21 3m0 0h-5.25M21 3v5.25"></path></svg><span>Elastic.co</span></a></li><li><a class="hover:text-white font-medium flex items-center space-x-1" href="https://twitter.com/elasticseclabs"><svg class="w-4 h-4 inline-block w-3 h-3" viewBox="0 0 24 24"><path fill="currentColor" d="M23.954 4.569c-.885.389-1.83.653-2.825.772a4.98 4.98 0 002.187-2.746 9.955 9.955 0 01-3.157 1.204 4.98 4.98 0 00-8.49 4.54A14.128 14.128 0 011.69 3.05a4.98 4.98 0 001.54 6.638A4.94 4.94 0 011.2 8.62v.06a4.98 4.98 0 004 4.87 4.94 4.94 0 01-2.24.086 4.98 4.98 0 004.64 3.45A9.97 9.97 0 010 20.35a14.075 14.075 0 007.59 2.22c9.16 0 14.17-7.583 14.17-14.17 0-.217-.005-.434-.015-.65a10.128 10.128 0 
002.485-2.58l-.001-.001z"></path></svg><span>@elasticseclabs</span></a></li></ul></nav></div><div class="flex flex-col space-y-1 text-zinc-300"><p>© 2025. Elasticsearch B.V. All Rights Reserved.</p></div></div></footer></main></div></body></html>