Butoflex a passive linux backdoor for targeted spying

16.10.2025 00:00

During a joint incident response with Login Sécurité on an APT attack, we faced an attacker that was especially good at hiding their traces on compromised systems, making our investigation a bit more difficult than usual.

To alleviate any risk of us missing something, we decided to perform a Threat Hunting on all computers to identify any potential traces linking to this specific APT and to check if another attacker was present.

Speedrunning malware analysis with Exalyze.io

07.10.2025 00:00

Exalyze.io is a malware analysis platform we developped to help us as well as our fellow malware analysts and reversers during their hunting! Our goal is also to speed-up and streamline the firsts step of a sample analysis.

In this post we will showcase some of its features by analyzing a new strain of malware we dubbed Sentel Agent.

Perfctl malware exploiting exposed Portainer agent and using new SSH persistence

29.11.2024 00:00

During an incident response for one of our clients, we stumbled upon a server compromised by the now relatively documented ¹²³⁴ perfctl malware.

While it’s not uncommon to find documented threats during incident responses, we discovered that the attacker used new initial access and persistence methods. In this blogpost we will share the newly uncovered knowledge about the threat actor Tools Tactics and Procedures.

STUBborn: Activate and call DCOM objects without proxy

01.10.2024 00:00

In the last years, the Local RPC (LRPC) & ALPC have been the subject of scrutiny by some Windows internal enthusiasts and vulnerability researchers.

In this article, we will go a step further to explore what can be done about LocalServer DCOM objects, how to instantiate them and directly connect to their interfaces without using the COM proxy clients normally rely on!

This will give us an excuse to explore some COM internals, understand part of the combase DLL & write more fun python code !

Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts

28.03.2023 00:00

We recently discovered an novel undetected implant family targeting Linux servers, which we dubbed Mélofée.

We linked with high confidence this malware to chinese state sponsored APT groups, in particular the notorious Winnti group.

In this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode rootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.

Tricephalic Hellkeeper: a tale of a passive backdoor

02.05.2022 00:00

We recently found a new passive backdoor targeting Linux and Solaris servers, wich can use TCP, UDP or ICMP packets as it’s triggers.

In this article we will dive into BPF in order to assess it’s capabilities :D