Hexastrike Blog

Monkey Ransomware — Some AI-written Ransomware

A new ransomware family surfaced recently (credit: Gameel Ali). He didn’t plan a deep dive, so we decided to take one. The result is… odd. Dissection was easy; the design is incoherent. Our working theory is that this is largely AI-generated malware. People often ask: “Why analyze ransomware? It’s destructive; by the time analysis happens, it’s too late.” That’s only half true. Analysis matters because sometimes samples exploit bugs to spread or escalate (think WannaCry/EternalBlue), they often ship persistence or


ValleyRAT Exploiting BYOVD to Kill Endpoint Security

During threat-intelligence activities, we identified a new ValleyRAT campaign distributing fake application installers (e.g., WinRAR, Telegram, and others). The installer drops multiple binaries; one stood out: a file named NVIDIA.exe (SHA-256: b4ac2e473c5d6c5e1b8430a87ef4f33b53b9ba0f585d3173365e437de4c816b2), which, during analysis, revealed the presence of an unknown driver used to support its operations. NVIDIA.exe’s main logic is deliberately simple. It defines a fixed list of 20 process/image names and continuously hunts for them. The list comprises Chinese security products, strongly suggesting targeting of Chinese victims, with


Automating CrowdStrike Network Containment

In a previous post, we showed how Velociraptor and CrowdStrike can work together to speed up the deep-dive phase of an investigation. One topic left open was containment. When an EDR flags genuinely high-risk behaviour, isolating the host is often the safest move, and—if your rules are well tuned—doing it automatically is even better. What follows is how we do it: we tag every endpoint, then let Fusion SOAR decide, in real time, whether a particular machine may be


Our primary goal is to deliver reliable and secure IT solutions to our clients and contribute resources to creating a more secure world. Copyright © 2021 – 2025 Hexastrike Cybersecurity UG (haftungsbeschraenkt)