Hexastrike Blog
ValleyRAT Exploiting BYOVD to Kill Endpoint Security
During threat-intelligence activities, we identified a new ValleyRAT campaign distributing fake application installers (e.g., WinRAR, Telegram, and others). The installer drops multiple binaries; one stood out: a file named NVIDIA.exe (SHA-256: b4ac2e473c5d6c5e1b8430a87ef4f33b53b9ba0f585d3173365e437de4c816b2), which, during analysis, revealed the presence of an unknown driver used to support its operations. NVIDIA.exe’s main logic is deliberately simple. It defines a fixed list of 20 process/image names and continuously hunts for them: The list comprises Chinese security products, strongly suggesting targeting of Chinese victims, with
Automating CrowdStrike Network Containment
In a previous post, we have shown how Velociraptor and CrowdStrike can work together to speed up the deep‑dive phase of an investigation. One topic left open was containment. When an EDR flags genuinely high‑risk behaviour, isolating the host is often the safest move, and—if your rules are well tuned—doing it automatically is even better. What follows is how we do it: we tag every endpoint, then let Fusion SOAR decide, in real time, whether a particular machine may be
Ivanti Connect Secure CVE-2025-0282 DslogdRAT Analysis
At the beginning of the year, we investigated a cluster of Ivanti Connect Secure gateways that attackers had breached via CVE-2025-0282. If you missed the story, Mandiant’s write-up laid out a polished, multi-stage operation that combined code redirection, web-shell deployment, and meticulous clean-up. Last week, Florian Roth pointed us to a follow-up from JPCERT/CC that zeroes in on an ELF-based remote-access Trojan, dubbed DslogdRAT (1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8), which surfaced in several of those same Ivanti intrusions. Because the sample was published, we